The RSA Content team is pleased to announce the addition of the following new features along with new and updated content to the RSA Live Content Library.
Live Content Search Tags
A new set of Advanced Security Operations Center (ASOC) tags have been introduced in Live to provide an easier way to search for relevant content. These tags are used to organize Live content and to deliver an accurate path to information security incident response. The tags are found in the Tags field in the Live Search Criteria view. The objective of a tag is to catalog existing content for deployment according to an incident response approach. RSA LINK.
Traffic Flow- Directionality
Decoders can now derive the directionality of traffic using the source and destination hosts referenced within a session. This information provides the context of whether a session was initiated from an internal host to an external host (outbound), from an external host to an internal host (inbound), or was between two internal hosts (lateral). RSA LINK.
Ransomware Indicators in Feeds
Ransomware continues to be a significant threat to our customers, so this is a very timely addition. Abuse.ch has added a ransomware tracker which tracks the following families of ransomware:
We’ve added these indicators to the following feeds in LIVE:
1. Third Party IOC Domains
2. Third Party IOC IPs
Here is the link to the Blog Post.
10.6.1 Related Updates
Enhanced Log Parsing functionality
An enhancement has been made to the transfer of logs from the Log Collector to the Log Decoder which can minimize the chances of incorrect parsing. As part of the Log Collector configuration of certain types of event sources, such as File or ODBC, the Administrator can now specify the event source type, such as Apache or Oracle. The Log Collector now passes this information to the Log Decoder so that the Log Decoder can directly use the specified parser. No configuration changes are necessary, but new Log Collector content will need to be applied from Live in order to benefit from this enhancement.
Enhanced Content Deprecation
All the content on Live has been reviewed to see if there is any that is outdated and can be discontinued. Individual services can be scanned for discontinued content. The discontinued resources are displayed in red on the UI. Refer to the Live Services Management guide for more details.
Here is a list of all Discontinued Content on Live. RSA LINK.
Out of the Box Content Updates
RSA Security Analytics Content team has updated the following parsers and analytical content based on feedback from our customers and partners:
For a full breakdown please go to RSA LINK.
1 New Rules has been added.
1 Rule has been updated.
4 Feeds have been updated.
Security Analytics Rules
4 New Rules have been added.
2 Rules have been updated.
Security Analytics Reports
1 New Report has been added.
3 New Parsers have been added.
15 Parsers have been updated.
45 parsers have been updated
The entire content library can be viewed here:
Content requests can be made here:
The ASOC Content Team ( ASOC.Content@rsa.com )