Dear Valued RSA Customer,
RSA is pleased to announce the addition of new and updated content to RSA Live’s Content Library. We have added a few useful submission links this month, so please take a moment to review the various sections in this announcement to become familiar with the latest tools we are providing you to detect threats to your environment.
The categories of new and updated content is as follows:
Event Stream Analysis Rules
Log Collector Content
Seeking Customer Developed Parsers, Rules, and Reports
Security Analytics content will be evolving in 2014, both in functionality and presentation. We’d like to work more closely with our customers in order to provide content that helps you find the threats that matter most to you. Your feedback, suggestions, and general questions are always appreciated.
1. Have you created a parser, rule, or report that you think is widely applicable across the SA User Community? Let us know about it! Reach out to us at:
Your emails will go directly to the content management team and we are looking forward to working with you to help evolve our content offering.
2. Do you want to request support for a new log source or protocol?
For Log Parser Requests go here: https://emcinformation.com/64308/REG/.ashx
For Protocol Parser Requests go here: https://emcinformation.com/139605/SI/.ashx
3. Do you want to request use cases for Event Stream Analysis Rules?
Please use our request form: https://emcinformation.com/204401/REG/.ashx
4. The content team will also be heavily engaged with the EMC Community portal this year. Not only is the Community a great place for us to communicate directly with our customers, but it’s a wonderful resource for our customers to gain tips and tricks from our research engineers as well as gain early access to our various pieces of security research. Not a member? Sign up here:
The Latest Research From RSA
We have a new blog that depicts what appears to be a war between two botmasters. All the relevant meta data to detect this active has been added to our RSA Live feeds. Read all about it here:
RSA’s FirstWatch team has posted another blog that describes some tactical changes we’ve initiated around how we handle third party research and IOCs. This is described in our blog entitled “Third Party Publicized IOCs Feed and the Kaspersky Careto Paper”. You can find that blog here:
We’d like to remind you that if you haven’t already registered to RSA’s SecurCare Online support site, please do so. Being a member allows you to subscribe to notifications and announcements for the entire suite of RSA security products. From new release announcements to end of support notifications, SecurCare Online keeps you informed about what’s happening with your RSA product.
We look forward to presenting you new content updates next month!
The RSA Security Analytics Content Team
New ESA Rules
Title: Mulitple Failed logins to single host from multiple hosts
Desc: Alert when log events contain multiple failed logins to a single host from multiple different sources in 3600 seconds.User information is not correlated among events.Both the time window and number of failed logins are configurable.
Title: Multi-Service Connection Attempts with Auth Failures
Desc: Multiple failed login attempts from same source to the same destination on different destination ports have been detected within a time window of 5 minutes.Time window and list of destination ports to be monitored, number of connection attempts is configurable.
Title: Adapter going into promiscuous mode_PACKET
Desc: Packet meta containing source country(!=home country) for any protocol to a destination system is followed by an event log where destination system sends "interface X has entered promiscuous mode".
Title: Malicious Account Creation Followed by Failed Authorization to Neighboring Devices
Desc: Trigger when a new account is created on a system and 3 authentication failures occur from that system with the new account name (i.e. pop a box, create a user account, then attempt to log into other boxes from the compromised system in the hopes the system is considered trusted).
Title: No logs traffic from device in given time frame
Desc: No traffic from a device in given time frame. Log traffic is identified via device IP and device type. Rule looks for time lag after it receives event. Alert is fired when time lag exceeds preset time.
Title: Head Requests Flood
Desc: 30+ head requests from the
same source in 1 minute.In order for the this module to fire an alert, we need to upload or enable either of the "HTTP flex" or "HTTP lua" parsers and their dependencies on the Decoder.
Title: RDP traffic from Same source to Multiple different destinations
Desc: RDP traffic from same source to multiple different destinations. The time window and the the number of connections (i.e. the number of destinations) is configurable. The default is same source IP to 3 different destination IPs in 3 minutes.
Title: RDP traffic from non RFC 1918 sources
Desc: Identify RDP traffic from non RFC 1918 sources. In order for the this module to fire an alert,we need to upload or enable "RDP_lua" parsers and their dependencies on the Decoder.
Title: Inbound Packet Followed by Recipient Outbound Encrypted Connection
Desc: An inbound packet is detected to a recipient followed by the recipient creating an outbound encrypted connection within 5 minutes. The inbound packet must be a private IP address according to RFC-1918 and the outbound must be a non-RFC-1918 address. The TLS LUA-based packet parser is required for detection of the encrypted connection.
Title: No Packet traffic detected from source IP address in given timeframe
Desc: No traffic from a packet source in given time frame. Packet traffic is identified via source IP. Rule looks for time lag after it receives event Alert is fired when time lag exceeds preset time.
Updated ESA Rules
Title: Multi Service Connection Attempts Log
Desc: Multiple failed connection attempts from a single source to multiple common service ports within 5 minutes. The list of destination ports and time window are configurable. This rule uses non-standard meta key host.src and so it must be made available to the Log Decoder and Concentrator by updating index-concentrator-custom.xml and/or table-map.xml.
New Feed Content
Title: Third Party IOC IPs
Desc: Contains IPs published as malicious from third party research and publications.
New Log Collector Content
Title: Cisco Wireless LAN Controller Log Collector Configuration
Desc: Log Collector configuration content for event source ciscowlc
Title: iSeries Log Collector Configuration
Desc: Log Collector configuration content for event source iseries
Updated Log Parser Content
Note: Device Parsers will now be listed individually in Live along with our enVision Content File. This gives users flexibility with the parsers they wish to update.
Aruba Networks Mobility Controller
Blue Coat ProxySG SGOS version 126.96.36.199
Check Point Security Suite, IPS-1
Cisco Adaptive Security Appliance
Cisco Secure Access Control Server
Cisco Secure IDS or IPS
Cisco Wireless Control System and Cisco Prime Infrastructure
Citrix Access Gateway version 5.0
Citrix XenMobile MDM (formerly Zenprise MDM) version 8.6
McAfee ePolicy Orchestrator version 5.1
Microsoft Exchange Server 2007, 2010, and 2013 SMTP Protocol Logs
Microsoft Windows Server 2012 R2
VMware ESX/ESXi version 5.5
VMWare vCenter Server version 5.5
VMware View version 5.2VMware vSphere version 5.5
Updated Lua Parsers
Desc: Registers the host portion from each URL found within an email.
Updated Flex Parsers
Desc: Identifies webserver type by parsing the "server" header entry in HTTP requests.
Updated Application Rules
Our entire App Rule library has been syntactically changed to function properly with the latest versions of Security Analytics.