Here in this space an attempt is being made to list some Use cases, custom as well as Out of box (Live) for their effectiveness and usage in Threat monitoring within an enterprise.
| Use case | RSA OOB Rule | Description | Event Sources |
1 | DNS Amplification | esa000013 | Detects when a UDP destination port is 53 and the total size of the network session packets is more than 4000 bytes. | Network Sessions |
2 | DNS Lookups From the Same Host | esa000048 | Detects 50 DNS lookups in 60 seconds from the same IP source. Both the time window and the number of lookups are configurable. | Network Sessions Log Events |
3 | Non DNS Traffic on UDP Port 53 containing Exécutable | esa000054 | Detects non-DNS traffic over TCP or UDP destination port 53 containing an executable. You can configure the list of executable file extensions and ports for DNS traffic. | Network Sessions |
4 | Rogue DHCP Server Detected | esa000150 | Detects traffic sourced on UDP 67/68 that is not a legitimate DHCP server, based on a whitelist of IP addresses that is configurable. | List configuration |
5 | Client Using Multiple DHCP Servers | esa000152 | Detects a connection from a single IP address to 2 or more destination IP addresses on UDP 67 or UDP 68, within 10 minutes. The time period is configurable. | Network Sessions |
6 | Direct Login by a Guest Account | esa000002 | Detects a successful interactive logon or a successful remote interactive logon to a guest account on a Microsoft Windows host. | Active Directory Log Events |
7 | Direct Login to an Administrative Account | esa000028 | Detects a successful interactive logon or a successful remote interactive logon to an administrative account on a Microsoft Windows host. |
Whitelist Data Enrichment feeds |
8 | NTDSXTRACT Tool Download | esa000142 | Detects an internal network session download of NTDSXTRACT, a tool framework for extracting data from the active directory database file NTDS.DIT. | Network Sessions Threat Intelligence Feed |
9 | WebSploit Tool Download | esa000108 | Detects WebSploit tool download from sourceforge.net. | Network Sessions Out of box Parsers Threat Intelligence Feed |
10 | Aggressive Internal Web Portal Scan | esa000102 | Detects a single host making connection attempts to 100 or more unique IP addresses in 1 minute over any combination of TCP/80 and TCP/443. | Network Sessions |
11 | BYOD Mobile Web Agent Detected | esa000117 | Detects a web-browsing agent for a mobile device. |
Whitelist User Agents Enable extended web logs on Web server Data Enrichment feeds Network Session Event Log data |
12 | Aggressive Internal Database Scan | esa000104 | Detects a single host making connection attempts to 100 or more unique IP addresses within 1 minute over any combination of the following ports: | Network Sessions Threat Intelligence Feed list Known DB servers |
13 | Insider Threat Mass Audit Clearing | esa000116 | Detects when the same user logs on multiple times to multiple Windows machines, then clears the audit log on each machine within a configurable time frame. |
Whitelist User Agents Enable extended web logs on Web server Data Enrichment feeds Network Session Event Log data |
14 | Internal Data Posting to 3rd party sites | esa000089 | Detects when: | Network Flow User activity Logs FTP parsers Threat intelligence White and black list approved FTP domains |
15 | Low Orbit on Cannon DoS Tool Download | esa000107 | Detects Low Orbit Ion Cannon DoS tool download from sourceforge.net. | Network Session |
16 | Stealth Email Use with Large Session | esa000128 | Detects a session larger than 1 MB to the following stealth mail services: | Network Sessions Threat Intelligence Feed List approved mail server domains |
5 Comments
