RSA Admin

RSA Live March 2014 Content Announcement

Blog Post created by RSA Admin Employee on Mar 10, 2014

Dear Valued RSA Customer,

RSA is pleased to announce the addition of new and updated content to RSA Live’s Content Library. We have added a few useful submission links this month, so please take a moment to review the various sections in this announcement to become familiar with the latest tools we are providing you to detect threats to your environment.


The categories of new and updated content are as follows:

Event Stream Analysis Rules

Feed Content

Log Collector Content

Log Parsers

LUA Parsers

Flex Parsers


Seeking Customer Developed Parsers, Rules, and Reports

Security Analytics content will be evolving in 2014, both in functionality and presentation. We’d like to work more closely with our customers in order to provide content that helps you find the threats that matter most to you. Your feedback, suggestions, and general questions are always appreciated.


1. Have you created a parser, rule, or report that you think is widely applicable across the SA User Community? Let us know about it! Reach out to us at:



Your emails will go directly to the content management team and we are looking forward to working with you to help evolve our content offering.


2. Do you want to request support for a new log source or protocol?


  For Log Parser Requests go here:

  For Protocol Parser Requests go here:


3. Do you want to request use cases for Event Stream Analysis Rules?


  Please use our request form:


4. The content team will also be heavily engaged with the EMC Community portal this year. Not only is the Community a great place for us to communicate directly with our customers, but it’s a wonderful resource for our customers to gain tips and tricks from our research engineers as well as gain early access to our various pieces of security research. Not a member? Sign up here:




The Latest Research From RSA

We have a new blog that depicts what appears to be a war between two botmasters. All the relevant metadata to detect this activity has been added to our RSA Live feeds. Read all about it here:


RSA’s FirstWatch team has posted another blog that describes some tactical changes we’ve initiated around how we handle third party research and IOCs. This is described in our blog entitled “Third Party Publicized IOCs Feed and the Kaspersky Careto Paper”. You can find that blog here:



We’d like to remind you that if you haven’t already registered with RSA’s SecurCare Online support site, please do so. Being a member allows you to subscribe to notifications and announcements for the entire suite of RSA security products. From new release announcements to end of support notifications, SecurCare Online keeps you informed about what’s happening with your RSA product.


We look forward to presenting you new content updates next month!


The RSA Security Analytics Content Team


Content Updates


New ESA Rules


Title: Multiple Failed logins to single host from multiple hosts

Desc: Alert when log events contain multiple failed logins to a single host from multiple different sources in 3600 seconds. User information is not correlated among events. Both the time window and the number of failed logins are configurable.


Title: Multi-Service Connection Attempts with Auth Failures

Desc: Multiple failed login attempts from the same source to the same destination on different destination ports have been detected within a time window of 5 minutes. The time window, the list of destination ports to be monitored, and the number of connection attempts are configurable.


Title: Adapter going into promiscuous mode_PACKET

Desc: Packet meta containing a source country (not equal to the home country) for any protocol to a destination system is followed by an event log in which the destination system reports "interface X has entered promiscuous mode".


Title: Malicious Account Creation Followed by Failed Authorization to Neighboring Devices

Desc: Trigger when a new account is created on a system and 3 authentication failures occur from that system with the new account name (i.e. pop a box, create a user account, then attempt to log into other boxes from the compromised system in the hopes the system is considered trusted).


Title: No logs traffic from device in given time frame

Desc: No traffic from a device in a given time frame. Log traffic is identified via device IP and device type. The rule looks for a time lag after it receives an event. An alert is fired when the time lag exceeds the preset time.


Title: Head Requests Flood

Desc: 30+ HEAD requests from the same source in 1 minute. In order for this module to fire an alert, either the "HTTP flex" or the "HTTP lua" parser and its dependencies must be uploaded or enabled on the Decoder.


Title: RDP traffic from Same source to Multiple different destinations

Desc: RDP traffic from the same source to multiple different destinations. The time window and the number of connections (i.e. the number of destinations) are configurable. The default is the same source IP to 3 different destination IPs in 3 minutes.


Title: RDP traffic from non RFC 1918 sources

Desc: Identify RDP traffic from non-RFC 1918 sources. In order for this module to fire an alert, the "RDP_lua" parser and its dependencies must be uploaded or enabled on the Decoder.

Title: Inbound Packet Followed by Recipient Outbound Encrypted Connection

Desc: An inbound packet is detected to a recipient, followed by the recipient creating an outbound encrypted connection within 5 minutes. The inbound packet must involve a private IP address according to RFC 1918 and the outbound connection a non-RFC 1918 address. The TLS Lua-based packet parser is required for detection of the encrypted connection.


Title: No Packet traffic detected from source IP address in given timeframe

Desc: No traffic from a packet source in a given time frame. Packet traffic is identified via source IP. The rule looks for a time lag after it receives an event. An alert is fired when the time lag exceeds the preset time.
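Several of the rules above share one correlation shape: count distinct values of one meta key per value of another inside a sliding time window and alert at a threshold. The following added Python illustration (not the ESA rules' own EPL, and using assumed meta names ip_src, ip_dst and host_dst over constructed sample events) applies that shape to the "RDP traffic from same source to multiple destinations" defaults (3 destinations in 3 minutes) and to "Multiple failed logins to single host from multiple hosts" (distinct sources per host within 3600 seconds, user name ignored).

```python
from collections import defaultdict, deque

def distinct_within_window(events, key_field, distinct_field, threshold, window_s):
    """Alert when one value of key_field is seen with at least `threshold`
    distinct values of distinct_field inside a sliding window of window_s
    seconds. events: dicts with 'time' (epoch seconds) plus meta, ordered per key."""
    history = defaultdict(deque)        # key value -> deque of (time, distinct value)
    alerts = []
    for ev in events:
        q = history[ev[key_field]]
        q.append((ev["time"], ev[distinct_field]))
        while q and ev["time"] - q[0][0] > window_s:   # age out entries past the window
            q.popleft()
        seen = {v for _, v in q}
        if len(seen) >= threshold:
            alerts.append((ev[key_field], ev["time"], sorted(seen)))
            q.clear()                   # one alert per burst, then re-arm
    return alerts

# RDP fan-out: one source to 3 distinct destination IPs within 180 s (assumed meta names).
def rdp_fanout_alerts(events, threshold=3, window_s=180):
    return distinct_within_window(events, "ip_src", "ip_dst", threshold, window_s)

# Failed-login fan-in: N distinct sources failing against one host within 3600 s;
# the 'user' field is carried but deliberately not correlated, as the rule states.
def failed_login_fanin_alerts(events, threshold=5, window_s=3600):
    return distinct_within_window(events, "host_dst", "ip_src", threshold, window_s)

# Constructed sample meta for illustration, not real traffic.
RDP_EVENTS = [
    {"time": 0,   "ip_src": "10.0.0.5", "ip_dst": "10.0.1.10"},
    {"time": 60,  "ip_src": "10.0.0.5", "ip_dst": "10.0.1.11"},
    {"time": 90,  "ip_src": "10.0.0.6", "ip_dst": "10.0.1.10"},
    {"time": 120, "ip_src": "10.0.0.5", "ip_dst": "10.0.1.12"},  # 3rd host in 120 s: alert
    {"time": 500, "ip_src": "10.0.0.6", "ip_dst": "10.0.1.11"},  # earlier hit aged out
]
LOGIN_EVENTS = (
    [{"time": 600 * i, "host_dst": "srv01", "ip_src": f"10.0.0.{i + 1}", "user": f"u{i}"}
     for i in range(5)]                                          # 5 sources in 2400 s
    + [{"time": 100 * i, "host_dst": "srv02", "ip_src": "10.0.0.9", "user": "bob"}
       for i in range(6)]                                        # one noisy source only
)

if __name__ == "__main__":
    print(rdp_fanout_alerts(RDP_EVENTS))
    print(failed_login_fanin_alerts(LOGIN_EVENTS))
```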



Updated ESA Rules


Title: Multi Service Connection Attempts Log

Desc: Multiple failed connection attempts from a single source to multiple common service ports within 5 minutes. The list of destination ports and time window are configurable. This rule uses non-standard meta key host.src and so it must be made available to the Log Decoder and Concentrator by updating index-concentrator-custom.xml and/or table-map.xml.



New Feed Content


Title: Third Party IOC IPs

Desc: Contains IPs published as malicious from third party research and publications.



New Log Collector Content


Title: Cisco Wireless LAN Controller Log Collector Configuration

Desc: Log Collector configuration content for event source ciscowlc


Title: iSeries Log Collector Configuration

Desc: Log Collector configuration content for event source iseries



Updated Log Parser Content

Note: Device Parsers will now be listed individually in Live along with our enVision Content File. This gives users flexibility in choosing the parsers they wish to update.

Aruba Networks Mobility Controller

Blue Coat ProxySG SGOS version

Check Point Security Suite, IPS-1

Cisco Adaptive Security Appliance

Cisco Secure Access Control Server

Cisco Secure IDS or IPS

Cisco Wireless Control System and Cisco Prime Infrastructure

Citrix Access Gateway version 5.0

Citrix XenMobile MDM (formerly Zenprise MDM) version 8.6

McAfee ePolicy Orchestrator version 5.1

Microsoft Exchange Server 2007, 2010, and 2013 SMTP Protocol Logs

Microsoft Windows Server 2012 R2

VMware ESX/ESXi version 5.5

VMware vCenter Server version 5.5

VMware View version 5.2

VMware vSphere version 5.5


Updated Lua Parsers


Title: phishing_lua

Desc: Registers the host portion from each URL found within an email.



Updated Flex Parsers


Title: Servers

Desc: Identifies webserver type by parsing the "server" header entry in HTTP requests.


Updated Application Rules


Our entire App Rule library has been syntactically changed to function properly with the latest versions of Security Analytics.