Use cases - ESA Rules

IshtiyaqShah (Employee)

2016-03-23 01:39 PM

This space collects a set of use cases, both custom and out-of-the-box (RSA Live), together with their effectiveness and usage for threat monitoring within an enterprise.

| S.No | Use case | RSA OOB Rule | Description | Event Sources |
|---|---|---|---|---|
| 1 | DNS Amplification | esa000013 | Detects when a UDP destination port is 53 and the total size of the network session packets is more than 4000 bytes. Both port and packet size are configurable. | Network Sessions; Log Events |
| 2 | DNS Lookups From the Same Host | esa000048 | Detects 50 DNS lookups in 60 seconds from the same IP source. Both the time window and the number of lookups are configurable. | Network Sessions or Log Events |
| 3 | Non-DNS Traffic on UDP Port 53 Containing Executable | esa000054 | Detects non-DNS traffic over TCP or UDP destination port 53 containing an executable. You can configure the list of executable file extensions and ports for DNS traffic. | Network Sessions |
| 4 | Rogue DHCP Server Detected | esa000150 | Detects traffic sourced on UDP 67/68 that is not a legitimate DHCP server, based on a configurable whitelist of IP addresses. Prerequisite for logs: the meta key 'protocol' must be indexed in table-map.xml and index-concentrator-custom.xml. | List configuration; Network Sessions; Log Events; Threat Intelligence Feeds |
| 5 | Client Using Multiple DHCP Servers | esa000152 | Detects a connection from a single IP address to 2 or more destination IP addresses on UDP 67 or UDP 68 within 10 minutes. The time period is configurable. Prerequisite for logs: the meta key 'protocol' must be indexed in table-map.xml and index-concentrator-custom.xml. | Network Sessions; Log Events; Threat Intelligence Feeds |
| 6 | Direct Login by a Guest Account | esa000002 | Detects a successful interactive logon or a successful remote interactive logon to a guest account on a Microsoft Windows host. | Active Directory Log Events; User Activity logs |
| 7 | Direct Login to an Administrative Account | esa000028 | Detects a successful interactive logon or a successful remote interactive logon to an administrative account on a Microsoft Windows host. | Active Directory Log Events; Whitelist; Data Enrichment feeds |
| 8 | NTDSXTRACT Tool Download | esa000142 | Detects an internal network session download of NTDSXTRACT, a tool framework for extracting data from the Active Directory database file NTDS.DIT. At least one network parser that supports the meta keys 'action' and 'filename' is required; such parsers include HTTP, FTP, IRC and NFS. | Network Sessions; Active Directory Logs; Out of box Parsers; Threat Intelligence Feed |
| 9 | WebSploit Tool Download | esa000108 | Detects WebSploit tool download from sourceforge.net. You must enable an HTTP parser and its dependencies on the Decoder; HTTP_lua is recommended. | Network Sessions; Out of box Parsers; Threat Intelligence Feed |
| 10 | Aggressive Internal Web Portal Scan | esa000102 | Detects a single host making connection attempts to 100 or more unique IP addresses in 1 minute over any combination of TCP/80 and TCP/443. Source and destination IPs must be internal addresses according to the RFC 1918 specification. The list of ports, time window, and target host count are configurable. | Network Sessions; Log Events; Threat Intelligence Feeds |
| 11 | BYOD Mobile Web Agent Detected | esa000117 | Detects a web-browsing agent for a mobile device. To configure the rule, specify the list of unauthorized browser agents and remove any mobile agents that are authorized from the list. The rule is triggered when an employee uses an unauthorized device on the network. In addition to the list of unauthorized browser agents, the following parameters are also configurable: the number of connections allowed per source before the alert is triggered (default 1) and the time window within which the unauthorized use takes place (default 600 seconds). | Web proxy/Server Log Events; Whitelist User Agents; Enable extended web logs on Web server; Data Enrichment feeds; Network Session; Event Log data |
| 12 | Aggressive Internal Database Scan | esa000104 | Detects a single host making connection attempts to 100 or more unique IP addresses within 1 minute over any combination of the following ports: TCP/1433, UDP/1434, TCP/3306, TCP/5432, TCP/3351, TCP/1521. Source and destination IP addresses must be internal addresses according to the RFC 1918 specification. The time window, list of port numbers and target host count are configurable. | Network Sessions; DB Audit Logs; Out of box Parsers; Threat Intelligence Feed; List of known DB servers |
| 13 | Insider Threat Mass Audit Clearing | esa000116 | Detects when the same user logs on multiple times to multiple Windows machines, then clears the audit log on each machine within a configurable time frame. | Web proxy/Server Log Events; Whitelist User Agents; Enable extended web logs on Web server; Data Enrichment feeds; Network Session; Event Log data |
| 14 | Internal Data Posting to 3rd Party Sites | esa000089 | Detects when an internal IP address A receives an amount of data greater than 5 MB from internal IP address B, and then, within the specified time interval, IP A posts data to external 3rd party sites. | Network Flow; Network Session; User activity Logs; FTP parsers; Threat intelligence; White and black list of approved FTP domains |
| 15 | Low Orbit Ion Cannon DoS Tool Download | esa000107 | Detects Low Orbit Ion Cannon DoS tool download from sourceforge.net. You must enable an HTTP parser and its dependencies on the Decoder; HTTP_lua is recommended. | Network Session; Event Logs |
| 16 | Stealth Email Use with Large Session | esa000128 | Detects a session larger than 1 MB to the following stealth mail services: Stealth Email (https://stealth-email.com/), Hush Mail (https://www.hushmail.com/), Neomailbox (https://www.neomailbox.com), Cryptoheaven (https://www.cryptoheaven.com), S-mail (https://mail.s-mail.com/). The minimum session size, number of connections, and time window are configurable. | Network Sessions; Mail Server Audit Logs; Out of box Parsers; Threat Intelligence Feed; List of approved mail server domains |
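As an added example (not the rule logic shipped in RSA Live), the threshold-and-window pattern behind esa000102 and esa000104 written out in Python: a per-source sliding window over session meta that counts unique RFC 1918 destinations on a configurable port profile and alerts once per window. The session tuple layout, the SESSIONS sample and the function names are assumptions made here, not NetWitness data or APIs.

```python
import ipaddress
from collections import defaultdict, deque

# RFC 1918 ranges, as both scan rules require internal source and destination.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

# Port profiles taken from the table: esa000102 (web) and esa000104 (database).
WEB_PORTS = {80, 443}
DB_PORTS = {1433, 1434, 3306, 5432, 3351, 1521}

# Constructed sample session meta (epoch seconds, src ip, dst ip, dst port);
# not NetWitness output. One host sweeps 103 internal web servers in 20 s.
SESSIONS = (
    [(1000, "10.1.1.5", f"10.2.0.{i}", 80) for i in range(1, 60)]
    + [(1020, "10.1.1.5", f"10.2.1.{i}", 443) for i in range(1, 45)]
    + [(1030, "10.1.1.9", "8.8.8.8", 443),      # external target: ignored
       (1040, "10.1.1.9", "10.2.0.1", 22),      # port outside profile: ignored
       (1200, "10.1.1.5", "10.2.3.1", 80)]      # more than 60 s after the sweep
)

def detect_scans(sessions, ports, window=60, threshold=100):
    """Return (src, window_start, unique_targets) once per source whose sessions
    reach `threshold` distinct internal destinations on `ports` within `window`
    seconds. Sessions are processed in time order with a sliding window per source."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) still inside the window
    last_alert = {}               # src -> timestamp of the most recent alert
    alerts = []
    for ts, src, dst, dport in sorted(sessions):
        if dport not in ports or not (is_internal(src) and is_internal(dst)):
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:          # expire sessions older than the window
            q.popleft()
        targets = {d for _, d in q}
        # Alert once per window: suppress until the window has slid past the last alert.
        if len(targets) >= threshold and last_alert.get(src, -1) < q[0][0]:
            last_alert[src] = ts
            alerts.append((src, q[0][0], len(targets)))
    return alerts

if __name__ == "__main__":
    print(detect_scans(SESSIONS, WEB_PORTS))   # [('10.1.1.5', 1000, 100)]
    print(detect_scans(SESSIONS, DB_PORTS))    # []
```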

  • adaptive security
  • custom correlation
  • Live Content
  • NetWitness
  • NW
  • NWP
  • out of box
  • RSA Live
  • RSA NetWitness
  • RSA NetWitness Platform
  • Rules
  • rules and correlations
  • sa_use_case
  • sec_ops_workflow
  • use_cases