Ishtiyaq Shah

Use cases - ESA Rules

Blog Post created by Ishtiyaq Shah Employee on Mar 23, 2016

This page lists some ESA use cases, both custom and out of the box (RSA Live), with notes on their effectiveness and use in threat monitoring within an enterprise.

Each entry gives the use case name, the RSA OOB (out-of-the-box) rule identifier, a description of what the rule detects, and the event sources the rule needs.

1. DNS Amplification (esa000013)
Description: Detects when the UDP destination port is 53 and the total size of the network session packets is more than 4000 bytes. Both the port and the packet size are configurable.
Event sources: Network Sessions; Log Events

2. DNS Lookups From the Same Host (esa000048)
Description: Detects 50 DNS lookups in 60 seconds from the same source IP. Both the time window and the number of lookups are configurable.
Event sources: Network Sessions or Log Events

3. Non-DNS Traffic on UDP Port 53 Containing Executable (esa000054)
Description: Detects non-DNS traffic over TCP or UDP destination port 53 containing an executable. The list of executable file extensions and the ports used for DNS traffic are configurable.
Event sources: Network Sessions

4. Rogue DHCP Server Detected (esa000150)
Description: Detects traffic sourced on UDP 67/68 that does not come from a legitimate DHCP server, based on a configurable whitelist of IP addresses. Prerequisite for logs: the meta key 'protocol' must be indexed in table-map.xml and index-concentrator-custom.xml.
Event sources: List configuration; Network Sessions; Log Events; Threat Intelligence Feeds

5. Client Using Multiple DHCP Servers (esa000152)
Description: Detects a connection from a single IP address to 2 or more destination IP addresses on UDP 67 or UDP 68 within 10 minutes. The time period is configurable. Prerequisite for logs: the meta key 'protocol' must be indexed in table-map.xml and index-concentrator-custom.xml.
Event sources: Network Sessions; Log Events; Threat Intelligence Feeds

6. Direct Login by a Guest Account (esa000002)
Description: Detects a successful interactive logon or a successful remote interactive logon to a guest account on a Microsoft Windows host.
Event sources: Active Directory Log Events; User Activity Logs


7. Direct Login to an Administrative Account (esa000028)
Description: Detects a successful interactive logon or a successful remote interactive logon to an administrative account on a Microsoft Windows host.
Event sources: Active Directory Log Events; Whitelist; Data Enrichment Feeds

8. NTDSXTRACT Tool Download (esa000142)
Description: Detects an internal network session download of NTDSXTRACT, a tool framework for extracting data from the Active Directory database file NTDS.DIT. At least one network parser that supports the meta keys 'action' and 'filename' is required; such parsers include HTTP, FTP, IRC and NFS.
Event sources: Network Sessions; Active Directory Logs; Out-of-box Parsers; Threat Intelligence Feed

9. WebSploit Tool Download (esa000108)
Description: Detects a WebSploit tool download from sourceforge.net. An HTTP parser and its dependencies must be enabled on the Decoder; HTTP_lua is recommended.
Event sources: Network Sessions; Out-of-box Parsers; Threat Intelligence Feed

10. Aggressive Internal Web Portal Scan (esa000102)
Description: Detects a single host making connection attempts to 100 or more unique IP addresses in 1 minute over any combination of TCP/80 and TCP/443. Source and destination IPs must be internal addresses according to the RFC 1918 specification. The list of ports, the time window and the target host count are configurable.
Event sources: Network Sessions; Log Events; Threat Intelligence Feeds


11. BYOD Mobile Web Agent Detected (esa000117)
Description: Detects a web-browsing agent for a mobile device. To configure the rule, specify the list of unauthorized browser agents and remove from it any mobile agents that are authorized. The rule triggers when an employee uses an unauthorized device on the network. In addition to the list of unauthorized browser agents, the following parameters are configurable: the number of connections allowed per source before the alert is triggered (default 1), and the time window within which the unauthorized use takes place (default 600 seconds).
Event sources: Web Proxy/Server Log Events; Whitelist User Agents; Extended web logs enabled on the web server; Data Enrichment Feeds; Network Session; Event Log Data

12. Aggressive Internal Database Scan (esa000104)
Description: Detects a single host making connection attempts to 100 or more unique IP addresses within 1 minute over any combination of the following ports: TCP/1433, UDP/1434, TCP/3306, TCP/5432, TCP/3351, TCP/1521. Source and destination IP addresses must be internal addresses according to the RFC 1918 specification. The time window, the list of port numbers and the target host count are configurable.
Event sources: Network Sessions; DB Audit Logs; Out-of-box Parsers; Threat Intelligence Feed; List of known DB servers
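The DNS-lookup rule (esa000048) and the two aggressive internal scan rules (esa000102, esa000104) are all per-source sliding-window thresholds: count events, or distinct destinations, from one source inside a time window and alert when the count reaches a limit. The following Python is an added example that implements that pattern over constructed session records; it is not RSA's rule code and not EPL. The field names (ts, ip_src, ip_dst, proto, dst_port) are this example's own rather than NetWitness meta keys; the thresholds, ports and windows are the defaults the entries above list, and the RFC 1918 check is applied to both ends of a scan session as the entries require.

```python
# Added example (not RSA's rule code): sliding-window threshold detection of the
# kind the "DNS Lookups From the Same Host" and "Aggressive Internal ... Scan"
# use cases describe, run over constructed session records. Field names
# (ts, ip_src, ip_dst, proto, dst_port) are this example's own, not NetWitness
# meta keys; thresholds, ports and windows are the defaults the page lists.
from collections import defaultdict, deque
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Session:
    ts: float       # seconds since epoch
    ip_src: str
    ip_dst: str
    proto: str      # "tcp" or "udp"
    dst_port: int

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """True when ip falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

class WindowedCounter:
    """Per-source sliding window that counts either every event or the number
    of distinct destinations seen within the last window_s seconds."""
    def __init__(self, window_s, threshold, distinct_dst=False):
        self.window_s, self.threshold, self.distinct_dst = window_s, threshold, distinct_dst
        self.events = defaultdict(deque)   # ip_src -> deque of (ts, ip_dst)

    def offer(self, s):
        """Record s (sessions must arrive in time order); return True when the
        source's count inside the window reaches the threshold."""
        q = self.events[s.ip_src]
        q.append((s.ts, s.ip_dst))
        while q and s.ts - q[0][0] > self.window_s:   # evict entries older than the window
            q.popleft()
        n = len({d for _, d in q}) if self.distinct_dst else len(q)
        return n >= self.threshold

def dns_lookup_alerts(sessions, window_s=60, threshold=50):
    """esa000048-style: threshold DNS lookups (UDP/53) from one source within window_s."""
    ctr = WindowedCounter(window_s, threshold)
    alerted = set()
    for s in sorted(sessions, key=lambda x: x.ts):
        if s.proto == "udp" and s.dst_port == 53 and ctr.offer(s):
            alerted.add(s.ip_src)
    return alerted

def internal_scan_alerts(sessions, ports, window_s=60, threshold=100):
    """esa000102/esa000104-style: an internal host reaching threshold distinct
    internal hosts on any of the given (proto, port) pairs within window_s."""
    ctr = WindowedCounter(window_s, threshold, distinct_dst=True)
    alerted = set()
    for s in sorted(sessions, key=lambda x: x.ts):
        if ((s.proto, s.dst_port) in ports and is_internal(s.ip_src)
                and is_internal(s.ip_dst) and ctr.offer(s)):
            alerted.add(s.ip_src)
    return alerted

WEB_PORTS = {("tcp", 80), ("tcp", 443)}
DB_PORTS = {("tcp", 1433), ("udp", 1434), ("tcp", 3306),
            ("tcp", 5432), ("tcp", 3351), ("tcp", 1521)}

def constructed_sessions():
    """Constructed sample traffic: an internal host sweeping 120 internal hosts
    on SQL ports in 30 s, an external address sweeping 150 internal hosts (must
    not alert: the source is not RFC 1918), a client making 50 DNS lookups in
    40 s, and a quiet host making 10 lookups spread over 5 minutes."""
    t0 = 1_700_000_000.0
    out = [Session(t0 + i * 0.25, "10.1.1.50", f"10.1.2.{1 + i}", "tcp",
                   1433 if i % 2 else 3306) for i in range(120)]
    out += [Session(t0 + i * 0.1, "198.51.100.9", f"10.1.3.{1 + i}", "tcp", 1433)
            for i in range(150)]
    out += [Session(t0 + i * 0.8, "192.168.5.7", "10.0.0.53", "udp", 53) for i in range(50)]
    out += [Session(t0 + i * 30.0, "10.9.9.9", "10.0.0.53", "udp", 53) for i in range(10)]
    return out

if __name__ == "__main__":
    S = constructed_sessions()
    print("DNS lookup alerts:", dns_lookup_alerts(S))             # {'192.168.5.7'}
    print("DB scan alerts:", internal_scan_alerts(S, DB_PORTS))    # {'10.1.1.50'}
    print("Web scan alerts:", internal_scan_alerts(S, WEB_PORTS))  # set()
```

The external sweep from 198.51.100.9 is deliberately included to show why the RFC 1918 condition matters: without it the rule would fire on inbound scanning too, which these two use cases leave to other rules. The counter evicts by timestamp on each new event, so memory per source is bounded by the window rather than by the total session count.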

    

13. Insider Threat Mass Audit Clearing (esa000116)
Description: Detects when the same user logs on multiple times to multiple Windows machines and then clears the audit log on each machine within a configurable time frame.
Event sources: Web Proxy/Server Log Events; Whitelist User Agents; Extended web logs enabled on the web server; Data Enrichment Feeds; Network Session; Event Log Data
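The mass audit clearing rule is a sequence correlation rather than a simple count: a logon on a host must be followed, for the same user, by an audit-log clear on that same host, and that pair must repeat across several hosts inside the time frame. The Python below is an added example of that correlation over constructed Windows log records; it is not RSA's rule code. The event IDs are an assumption of this example (4624 for a successful logon, 1102 for the audit log being cleared), since the entry above names none, and the three-host minimum and one-hour window are assumed defaults.

```python
# Added example (not RSA's rule code): the multi-event correlation behind the
# "Insider Threat Mass Audit Clearing" use case, run over constructed Windows
# log records. The event IDs are an assumption of this example; the page
# names no event IDs.
from collections import defaultdict

LOGON_EVENT = 4624          # assumption: Windows "An account was successfully logged on"
AUDIT_CLEARED_EVENT = 1102  # assumption: Windows "The audit log was cleared"

def mass_audit_clear_alerts(events, min_hosts=3, window_s=3600):
    """Return {user: sorted hosts} for each user who logged on to at least
    min_hosts machines and then cleared the audit log on each of them, with
    every logon-then-clear pair and all the clears falling inside window_s.
    Each event is a dict with ts, event_id, user and host."""
    logons = defaultdict(dict)   # user -> {host: ts of most recent logon}
    clears = defaultdict(dict)   # user -> {host: ts of a clear that followed a logon}
    alerts = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        user, host, ts = e["user"], e["host"], e["ts"]
        if e["event_id"] == LOGON_EVENT:
            logons[user][host] = ts
        elif e["event_id"] == AUDIT_CLEARED_EVENT:
            logon_ts = logons[user].get(host)
            # Only count a clear that followed this user's own logon on the same host
            if logon_ts is not None and 0 <= ts - logon_ts <= window_s:
                clears[user][host] = ts
            # Keep only the clears still inside the window ending at this event
            clears[user] = {h: t for h, t in clears[user].items() if ts - t <= window_s}
            if len(clears[user]) >= min_hosts:
                alerts[user] = sorted(clears[user])
    return alerts

def constructed_windows_events():
    """Constructed sample: jdoe logs on to three workstations then clears each
    audit log a few minutes later (should alert); svc logs on to five hosts and
    clears nothing; tech clears two logs (below the default threshold); admin
    clears a log on a host with no prior logon (not counted)."""
    t0 = 1_700_000_000
    ev = []
    for i, h in enumerate(("ws01", "ws02", "ws03")):
        ev.append({"ts": t0 + 60 * i, "event_id": LOGON_EVENT, "user": "jdoe", "host": h})
        ev.append({"ts": t0 + 300 + 30 * i, "event_id": AUDIT_CLEARED_EVENT, "user": "jdoe", "host": h})
    ev += [{"ts": t0 + 10 * i, "event_id": LOGON_EVENT, "user": "svc", "host": f"srv{i:02d}"}
           for i in range(5)]
    for h in ("ws07", "ws08"):
        ev.append({"ts": t0, "event_id": LOGON_EVENT, "user": "tech", "host": h})
        ev.append({"ts": t0 + 120, "event_id": AUDIT_CLEARED_EVENT, "user": "tech", "host": h})
    ev.append({"ts": t0 + 50, "event_id": AUDIT_CLEARED_EVENT, "user": "admin", "host": "ws09"})
    return ev

if __name__ == "__main__":
    print(mass_audit_clear_alerts(constructed_windows_events()))  # {'jdoe': ['ws01', 'ws02', 'ws03']}
```

Requiring the clear to follow the same user's logon on the same host is what separates this from a plain "many 1102 events" count: a clear with no preceding logon (the admin case) stays out of the tally, so the rule keys on the user who was actually on the box.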

14. Internal Data Posting to 3rd Party Sites (esa000089)
Description: Detects when an internal IP address A receives more than 5 MB of data from internal IP address B and then, within the specified time interval, IP A posts data to external third-party sites.
Event sources: Network Flow; Network Session; User Activity Logs; FTP Parsers; Threat Intelligence; Whitelist and blacklist of approved FTP domains
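The internal data posting rule is a two-stage correlation with an RFC 1918 condition on each stage: a large internal-to-internal transfer stages data on host A, and a later internal-to-external flow from A inside the interval completes the pattern. The Python below is an added example of that logic over constructed flow records; it is not RSA's rule code. The field names (ts, ip_src, ip_dst, bytes) are this example's own, the 5 MB threshold is the one the entry above gives, and the 30-minute interval is an assumed default since the entry calls it "the specified time interval".

```python
# Added example (not RSA's rule code): the two-stage correlation behind the
# "Internal Data Posting to 3rd Party Sites" use case, run over constructed flow
# records. Field names (ts, ip_src, ip_dst, bytes) are this example's own; the
# 5 MB threshold comes from the page, the 30-minute window is an assumed default.
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """True when ip falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def staging_then_external_post_alerts(flows, min_bytes=5 * 1024 * 1024, window_s=1800):
    """Stage 1: internal B sends more than min_bytes to internal A.
    Stage 2: within window_s, A sends data to an external (non-RFC 1918) address.
    Each flow is a dict with ts, ip_src, ip_dst and bytes (payload sent src->dst).
    Returns a list of (internal host A, external destination, staging source B)."""
    staged = {}   # A -> (ts of the large internal transfer, B)
    alerts = []
    for f in sorted(flows, key=lambda x: x["ts"]):
        src_int, dst_int = is_internal(f["ip_src"]), is_internal(f["ip_dst"])
        if src_int and dst_int and f["bytes"] > min_bytes:
            staged[f["ip_dst"]] = (f["ts"], f["ip_src"])   # A = ip_dst received from B = ip_src
        elif src_int and not dst_int and f["bytes"] > 0 and f["ip_src"] in staged:
            stage_ts, b = staged[f["ip_src"]]
            if f["ts"] - stage_ts <= window_s:
                alerts.append((f["ip_src"], f["ip_dst"], b))
    return alerts

def constructed_flows():
    """Constructed sample: 10.0.0.30 receives 8 MB from 10.0.0.20 then posts to
    an external site 10 minutes later (alert); 10.0.0.31 receives only 1 MB
    before posting (no alert); 10.0.0.30 posts again 70 minutes after the
    transfer (outside the window, no alert); ordinary browsing (no alert)."""
    MB = 1024 * 1024
    t0 = 1_700_000_000
    return [
        {"ts": t0,        "ip_src": "10.0.0.20", "ip_dst": "10.0.0.30",    "bytes": 8 * MB},
        {"ts": t0 + 600,  "ip_src": "10.0.0.30", "ip_dst": "203.0.113.10", "bytes": 7 * MB},
        {"ts": t0 + 100,  "ip_src": "10.0.0.21", "ip_dst": "10.0.0.31",    "bytes": 1 * MB},
        {"ts": t0 + 200,  "ip_src": "10.0.0.31", "ip_dst": "203.0.113.10", "bytes": 1 * MB},
        {"ts": t0 + 4200, "ip_src": "10.0.0.30", "ip_dst": "203.0.113.20", "bytes": 2 * MB},
        {"ts": t0 + 300,  "ip_src": "10.0.0.40", "ip_dst": "203.0.113.30", "bytes": 50_000},
    ]

if __name__ == "__main__":
    for a, ext, b in staging_then_external_post_alerts(constructed_flows()):
        print(f"{a} posted to {ext} after receiving more than 5 MB from {b}")
```

In a deployment the second stage would additionally be filtered against the approved-domain whitelist the entry lists among its event sources, so that posts to sanctioned FTP or web destinations do not alert; the example keeps only the size, direction and timing conditions so the two-stage structure stays visible.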

15. Low Orbit Ion Cannon DoS Tool Download (esa000107)
Description: Detects a Low Orbit Ion Cannon DoS tool download from sourceforge.net. An HTTP parser and its dependencies must be enabled on the Decoder; HTTP_lua is recommended.
Event sources: Network Session; Event Logs

16. Stealth Email Use with Large Session (esa000128)
Description: Detects a session larger than 1 MB to the following stealth mail services:
Stealth Email - https://stealth-email.com/
Hush Mail - https://www.hushmail.com/
Neomailbox - https://www.neomailbox.com
Cryptoheaven - https://www.cryptoheaven.com
S-mail - https://mail.s-mail.com/
The minimum session size, the number of connections and the time window are configurable.
Event sources: Network Sessions; Mail Server Audit Logs; Out-of-box Parsers; Threat Intelligence Feed; List of approved mail server domains

Outcomes