Skip navigation
All Places > Products > RSA NetWitness Platform > Blog > 2015 > July

The RSA Content Team is pleased to announce the addition of new and updated content to the RSA Live Content Library! 


Let’s take a look at what we have released to RSA Live during the month of June and July:


  • 1 New Event Steaming Analysis (ESA) rules
    • This addition to our ESA rule library will help analysts detect potential APT service installation

  • 7 Updates to Event Streaming (ESA) rules
    • This will limit noise in customer ESA environments and ensure the most targeted intelligence in our rule library

  • 3 New Application rules
    • These additions to our Application rule set allows analysts to detect potential ShadowIT within their environment. We also released a rule to detect rogue DHCP servers

  • 1 Update to RSA Security Analytics List
    • This made changes to our User Watchlist by IP list


  • 11 New RSA Security Analytics Rules
    • These rules are focused on ShadowIT detection and Security Analytics Administration reports


  • 2 New RSA Security Analytics Reports
    • These reports are focused on ShadowIT detection and Security Analytics Administration reports

  • 3 New Log parsers
    • RSA Via Access
    • Evidian
    • IBM Mainframe (Top Secret)

  • 60 Updates to Log parsers
    • Improves parsing accuracy and supports newer versions of event sources



For a full breakdown of new/updated content released to RSA Live, go here:


Content Announcement


Also, you can view our holistic content library and content request portals here:


RSA Live Content

Content Request Portals



The next few months will be busy on the content front! We have realigned our team to be much more agile with content releases, so turn around on content defects will increase tremendously. We also are in the final stages of releasing a meta dictionary output which will allow you to see what parser generates what meta. Last but not least, we are working on categorizing content in Live to give you the ability to pinpoint the content that is most important for your enterprise!


We look forward to sharing some great updates with you next month!





The ASOC Content Team

Elise is a backdoor malware family used in operation Lotus Blossom, the cyber espionage campaign identified by Palo Alto unit 42 last month. Elise variants communicate with their C2 servers using HTTP or HTTPS. In this blog post, we will discuss how to detect Elise network activity using RSA Security Analytics.

In case of communication over HTTP, a variant sends the following GET request:


Directory names differ from one variant to another as Elise uses the last four octets of the infected machine MAC address to derive its value. That means the length of the directory field is fixed. In addition, Elise uses the current time of the system as a seed to generate a random value for the second part of the filename. However, the first part of the filename value is the same for all variants as seen in the screenshot below:


Assuming the appropriate meta keys are enabled, the following query can be used to detect Elise HTTP behavior:

          directory length 10 && filename begins 'page_' && extension = 'html'

As for HTTPS communication, the subjects and CAs of the self-signed certificates used in those sessions simply stand out:



Scan results for an Elise variant can be viewed here.

Finally, all of the IOCs from those sessions were added to RSA FirstWatch Live feeds.

Filter Blog

By date: By tag: