
The RSA Content team is pleased to announce the addition of new and updated content to the RSA Live Content Library! As always, the Content team has been heads down reviewing our existing Event Stream Analysis (ESA) rule library. This massive effort focuses on ensuring the accuracy and organization of our current correlation capabilities. Beyond validating the logic of the rules, we are leveraging our team of subject matter experts to eliminate false positives and ensure a tightly targeted rule set.


Let’s take a look at what we have released to RSA Live during the month of April:


  • 18 Updates to Event Stream Analysis (ESA) rules
    • These updates limit noise in customer ESA environments and ensure the most targeted intelligence in our rule library


  • 25 Lua parser updates
    • This effort improves parser performance, relieves memory issues, and ensures that generated meta is not duplicated


  • 11 Application Rule updates
    • Fixes an issue where app rules intended to act as filters did not have the “filter” flag set


  • 2 New Log parsers
    • Microsoft URL Scan: UrlScan is a Microsoft security tool for IIS that screens incoming HTTP requests and rejects those that violate its configured rules; the parser gives Security Analytics (SA) visibility into the blocked/rejected URLs
    • UnboundID Identity Store: access log events are now supported


  • 26 Log parser updates
    • Improve parsing accuracy and support newer versions of event sources


For a full breakdown of new/updated content released to RSA Live, go here:


April Announcements


Also, you can view our holistic content library and content request portals here:


RSA Live Content

Content Request Portals



The next few months will be an exciting time for the Content Team! We will be finishing up our ESA rule library project and also focusing on rules and reports that enable alerting on critical activity within AWS environments. We are also planning to release some cool content for Shadow IT detection!


We look forward to sharing some great updates with you next month!




The ASOC Content Team

Last week, Symantec blogged about a new reconnaissance tool used in attacks that target the energy sector, with a focus on the Middle East. Laziok, as Symantec calls it, is an information stealer that collects configuration data about the compromised machines so the attackers can tailor their follow-on attacks against the victims. The collected data include:

  • Computer name
  • Installed software
  • RAM size
  • Hard disk size
  • GPU details
  • CPU details
  • Antivirus software


According to the Symantec blog post, the campaign started in January, which is about the same time that RSA FirstWatch Malware Analysis systems started processing some of those binaries. The screenshot below shows Laziok activity in our systems between mid-January and late March:


Digging deeper into the traffic between the infected machines and the C2 domains, a few observations stand out:


The User-Agent string is fairly unique, but it is not present in all of the HTTP sessions, so it cannot be relied on to detect every HTTP GET request to the C2 domains. The directory name and file extension, however, are distinctive and appear in all of the related sessions.

Reconstructing one of the sessions using RSA Security Analytics clearly shows the kind of information collected from the infected machine and sent to the C2 domain in the query string:


Given the network artifacts above, and assuming the appropriate meta keys are enabled, an analyst can build an app rule in RSA Security Analytics to detect the malicious traffic. The following query can be used:

action = 'get' && directory = '/panel/includes/' && extension = 'php'
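To make the reasoning behind that rule concrete, the following added example (not RSA code, and not part of the original post) emulates the relevant Security Analytics meta keys over a handful of constructed HTTP sessions and applies both the directory/extension rule above and the weaker User-Agent-only alternative the post rejects. The hostnames, the User-Agent string and the query-string field names are placeholders invented for the example, not indicators from the campaign; the lower-casing of `directory` and `extension` is an assumption made here for a stable comparison.

```python
"""Emulate the Security Analytics app rule from the post over constructed HTTP sessions.

Added example, not RSA code. The sessions below are constructed for illustration;
the hostnames, User-Agent string and query-string fields are placeholders, not
indicators from the campaign.
"""
from urllib.parse import urlsplit, parse_qs

# Each session: (method, request URL, User-Agent header or None when absent).
# Constructed data: .invalid hostnames are reserved and never resolve.
SESSIONS = [
    # C2 check-in carrying a host profile in the query string, tool UA present
    ("GET", "http://c2-a.invalid/panel/includes/gate.php?pc=WKS-01&ram=4096&hdd=250&av=none",
     "PLACEHOLDER-UA/1.0"),
    # Same C2 pattern, different domain, no User-Agent header at all
    ("GET", "http://c2-b.invalid/panel/includes/config.php?cpu=i5&gpu=intel", None),
    # Same pattern, but with a browser-looking UA
    ("GET", "http://c2-a.invalid/panel/includes/update.php?name=WKS-02",
     "Mozilla/5.0 (Windows NT 6.1)"),
    # Benign traffic that shares part of the path and must not match
    ("GET", "http://www.example.invalid/panel/includes/style.css", "Mozilla/5.0"),
    ("POST", "http://www.example.invalid/panel/includes/login.php", "Mozilla/5.0"),
    ("GET", "http://www.example.invalid/panel/gate.php?x=1", "Mozilla/5.0"),
]


def http_meta(method, url, user_agent):
    """Derive the meta the app rule relies on: action, directory, filename, extension.

    Written to match the rule's literals: 'directory' keeps its trailing slash and
    'extension' is the text after the last dot of the filename. Lower-casing both
    is an assumption made here, not a documented SA behaviour.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    directory, _, filename = path.rpartition("/")
    extension = filename.rpartition(".")[2].lower() if "." in filename else ""
    return {
        "action": method.lower(),
        "directory": (directory + "/").lower(),
        "filename": filename,
        "extension": extension,
        "query": parts.query,
        "client": user_agent,          # placeholder name for the UA meta
        "host": parts.hostname,
    }


def laziok_path_rule(meta):
    """action = 'get' && directory = '/panel/includes/' && extension = 'php'"""
    return (meta["action"] == "get"
            and meta["directory"] == "/panel/includes/"
            and meta["extension"] == "php")


def ua_only_rule(meta, ua="PLACEHOLDER-UA/1.0"):
    """The weaker alternative: key on the (placeholder) User-Agent alone."""
    return meta["client"] == ua


def run_rules(sessions=SESSIONS):
    """Return the session indexes each rule flags and the decoded query of each path hit."""
    path_hits, ua_hits, exfil = [], [], []
    for i, (method, url, ua) in enumerate(sessions):
        meta = http_meta(method, url, ua)
        if laziok_path_rule(meta):
            path_hits.append(i)
            exfil.append(parse_qs(meta["query"]))   # what the analyst sees in the query string
        if ua_only_rule(meta):
            ua_hits.append(i)
    return path_hits, ua_hits, exfil


if __name__ == "__main__":
    path_hits, ua_hits, exfil = run_rules()
    print("path rule hits:", path_hits)   # [0, 1, 2]: all three C2 sessions
    print("UA rule hits:  ", ua_hits)     # [0]: misses the sessions without the UA
    for fields in exfil:
        print({k: v[0] for k, v in fields.items()})
```

The path rule fires on all three constructed C2 sessions, including the one with no User-Agent header and the one with a browser-like UA, while the UA-only rule catches just the first; the benign `.css` request, the POST and the request outside `/panel/includes/` are left alone. The usual caveat applies: the rule keys on a directory name and extension the attacker controls, so it should be paired with the FirstWatch feed hits mentioned below rather than treated as the only indicator.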

You can find VirusTotal scan results for one Laziok sample here.

All of the IOCs from those HTTP sessions were added to RSA FirstWatch Live feeds.
