The RSA NetWitness Malware Activity report enables customers to identify malware activity across packets and logs in their infrastructure. This report uses new investigation meta to identify malicious activity and represent it in consolidated and informative tabular structure which makes overall investigation experience more targeted and efficient.
The Malware Activity report displays traffic that has been communicating with a known malicious IP address or hostname. With consolidated information about all malware related network activity, it’s easier to identify infected host(s) on the network. It is based on meta generated using RSA feeds like investigation category, investigation context etc.
This report is divided in three categories based on traffic:
- Malware Activity Web for malware related web-based packet and log traffic.
- Malware Activity DNS for DNS packet traffic that is going to a known malicious IP address or hostname
- Malware Activity Unidentified for all malware related packet and log traffic other than DNS and Web that has been known malicious
Once the report is deployed and scheduled, analysts can keep track of hosts connecting to outside servers which are known malicious or suspicious. Looking at source and destination IPs with the information of service type and amount of data flown, analyst can detect potential compromise and data leak from a particular host. Using this report, analysts now have visibility to network packet and log related activity for a compromised host that is showing indicators of malware activity.
Thanks to Angela Stranahan, Mike Sconzo, Tery Berardinelli and Jim Ward for their contributions.
RSA Security Analytics Reports is documented at https://community.rsa.com/docs/DOC-43406
RSA Security Analytics Rules are documented here https://community.rsa.com/docs/DOC-43419