Summary:
Several changes have been made to the Threat Detection Content in Live. For added detection content, you need to deploy/download and subscribe to the content via Live; retired content you will need to remove manually.
Detailed configuration procedures for getting RSA NetWitness Platform set up: Content Quick Start Guide
Additions:
RSA NetWitness Lua Parsers:
- WireGuard – A new Lua parser has been introduced to identify WireGuard VPN sessions. WireGuard is an open-source, security-focused virtual private network (VPN) known for its simplicity and ease of use.
Read more about Identifying WireGuard (VPN) Traffic Using RSA NetWitness Network
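As an added illustration of what identifying WireGuard sessions from network traffic involves (this is example code written for this note, not the RSA NetWitness WireGuard Lua parser, and it does not use the NetWitness parser API): every WireGuard message carries a one-byte type followed by three reserved zero bytes, the three handshake message types have fixed lengths (148, 92 and 64 bytes), transport data is a 16-byte header plus a 16-byte-aligned encrypted payload, and the handshake response echoes the initiator's sender index. The packets, addresses and indices below are constructed samples, not captures.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

# WireGuard message types and their fixed wire lengths (bytes) from the protocol specification.
# Every message starts with a 1-byte type followed by three reserved zero bytes.
WG_HANDSHAKE_INITIATION = 1
WG_HANDSHAKE_RESPONSE = 2
WG_COOKIE_REPLY = 3
WG_TRANSPORT_DATA = 4
FIXED_LENGTHS = {WG_HANDSHAKE_INITIATION: 148, WG_HANDSHAKE_RESPONSE: 92, WG_COOKIE_REPLY: 64}
TYPE_NAMES = {1: "handshake_initiation", 2: "handshake_response", 3: "cookie_reply", 4: "transport_data"}


def classify_wireguard(payload: bytes) -> Optional[dict]:
    """Return a dict describing the WireGuard message, or None if the UDP payload is not WireGuard."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None
    msg_type = payload[0]
    if msg_type in FIXED_LENGTHS:
        if len(payload) != FIXED_LENGTHS[msg_type]:
            return None
    elif msg_type == WG_TRANSPORT_DATA:
        # 16-byte header (type, reserved, receiver index, counter) followed by an encrypted
        # payload that is padded to a multiple of 16 and ends with a 16-byte authentication tag.
        if len(payload) < 32 or (len(payload) - 16) % 16 != 0:
            return None
    else:
        return None
    msg = {"type": TYPE_NAMES[msg_type]}
    # Peer indices and the transport counter are little-endian integers.
    if msg_type == WG_HANDSHAKE_INITIATION:
        msg["sender_index"] = struct.unpack_from("<I", payload, 4)[0]
    elif msg_type == WG_HANDSHAKE_RESPONSE:
        msg["sender_index"], msg["receiver_index"] = struct.unpack_from("<II", payload, 4)
    elif msg_type == WG_COOKIE_REPLY:
        msg["receiver_index"] = struct.unpack_from("<I", payload, 4)[0]
    else:
        msg["receiver_index"], msg["counter"] = struct.unpack_from("<IQ", payload, 4)
    return msg


@dataclass
class WireGuardSessionTracker:
    """Correlate handshake initiation/response pairs by peer index into identified VPN sessions."""
    pending: dict = field(default_factory=dict)   # initiator's sender_index -> (initiator, responder)
    sessions: list = field(default_factory=list)  # completed handshakes

    def observe(self, src: tuple, dst: tuple, payload: bytes) -> Optional[dict]:
        msg = classify_wireguard(payload)
        if msg is None:
            return None
        if msg["type"] == "handshake_initiation":
            self.pending[msg["sender_index"]] = (src, dst)
        elif msg["type"] == "handshake_response":
            # The response must come back from the initiation's destination and echo the initiator's index.
            peer = self.pending.get(msg["receiver_index"])
            if peer == (dst, src):
                del self.pending[msg["receiver_index"]]
                self.sessions.append({"initiator": dst, "responder": src,
                                      "initiator_index": msg["receiver_index"],
                                      "responder_index": msg["sender_index"]})
        return msg


def identify_sessions(flow: list) -> list:
    """Run a list of (src, dst, udp_payload) tuples through the tracker and return the sessions found."""
    tracker = WireGuardSessionTracker()
    for src, dst, payload in flow:
        tracker.observe(src, dst, payload)
    return tracker.sessions


# Constructed sample flow (addresses, ports and indices are made up for this example).
INITIATOR, RESPONDER = ("10.0.0.5", 41234), ("203.0.113.7", 51820)
SAMPLE_INITIATION = b"\x01\x00\x00\x00" + struct.pack("<I", 0x1234ABCD) + b"\x00" * 140
SAMPLE_RESPONSE = b"\x02\x00\x00\x00" + struct.pack("<II", 0x55667788, 0x1234ABCD) + b"\x00" * 80
SAMPLE_TRANSPORT = b"\x04\x00\x00\x00" + struct.pack("<IQ", 0x55667788, 1) + b"\x00" * 16
SAMPLE_FLOW = [(INITIATOR, RESPONDER, SAMPLE_INITIATION),
               (RESPONDER, INITIATOR, SAMPLE_RESPONSE),
               (INITIATOR, RESPONDER, SAMPLE_TRANSPORT)]

if __name__ == "__main__":
    for s in identify_sessions(SAMPLE_FLOW):
        print(f"WireGuard session {s['initiator']} -> {s['responder']} "
              f"(indices 0x{s['initiator_index']:08X}/0x{s['responder_index']:08X})")
```

The type, reserved-bytes and length checks are a heuristic: the handshake messages also carry mac1/mac2 values bound to the responder's static key, which a passive observer cannot verify, so a crafted UDP payload can look like WireGuard to this classifier. Requiring a matched initiation/response pair before declaring a session, as the tracker does, raises the bar considerably over classifying single packets.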
- Oracle_T3 – A new parser is now available to identify use of the Oracle T3 protocol. This will help in analyzing CVE-2019-2729 in Oracle WebLogic Server. Read more about Oracle Security Alert Advisory - CVE-2019-2729
More information about Packet Parsers
RSA NetWitness Application Rules:
More information about NetWitness 11.4 New Features and Alerting: ESA Rule Types
Changes:
RSA NetWitness Lua Parsers:
- SMB_lua – This parser has been updated with significant detection improvements through named pipe parsing. Detection is expanded to track parent-child relationships, so that operations performed on child named pipes are recognized.
Read more about SMB_lua in action:
Detecting Lateral Movement in RSA NetWitness: Winexe
Around the Fire With Old Friends (CVE-2019–0604, and CVE-2017-0144)
Keeping an eye on your Hounds...
- DCERPC – This parser has been updated with similar detection improvements through named pipe parsing.
Read more about Using the RSA NetWitness Platform to Detect Lateral Movement: SCShell (DCE/RPC)
- TLS_lua – New detections have been added to the TLS parser to flag suspicious cipher suites on both the client and server side. This gives analysts added insight into TLS connections with a suspicious client or server setup, which helps in detecting and analyzing malicious activity.
Read more about SSL and NetWitness
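To make the cipher-suite detection concrete, here is an added example (written for this note, not the RSA NetWitness TLS_lua parser, and not using the NetWitness parser API) that parses the ClientHello and ServerHello handshake messages from a TLS record, pulls out the suites the client offered and the suite the server selected, and flags the ones a defender would treat as suspicious: NULL encryption, export-grade, anonymous key exchange, RC4 and DES. The suite codes and names are the IANA assignments; the hello messages are constructed samples built by the helper functions, not captures, and the choice of which suites count as suspicious is this example's own.

```python
import struct

# Cipher suites (IANA code -> name) that a defender would treat as suspicious when a client offers
# them or a server selects them. The selection is this example's own, not an exhaustive list.
SUSPICIOUS_SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x001B: "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
}

HANDSHAKE = 0x16            # TLS record content type for handshake messages
CLIENT_HELLO, SERVER_HELLO = 1, 2


def parse_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello or ServerHello; return the side and its cipher suites."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack_from(">H", record, 3)[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("truncated record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or len(hs) < 35:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                        # legacy protocol version and 32-byte random
    sid_len = hs[pos]
    pos += 1 + sid_len                  # session id
    if hs_type == CLIENT_HELLO:
        cs_len = struct.unpack_from(">H", hs, pos)[0]
        pos += 2
        if pos + cs_len > len(hs):
            raise ValueError("cipher suite list overruns message")
        suites = [struct.unpack_from(">H", hs, pos + i)[0] for i in range(0, cs_len, 2)]
        return {"side": "client", "suites": suites}
    if hs_type == SERVER_HELLO:
        return {"side": "server", "suites": [struct.unpack_from(">H", hs, pos)[0]]}
    raise ValueError(f"unexpected handshake type {hs_type}")


def flag_suspicious(hello: dict) -> list:
    """Return (code, name) for every suspicious suite offered by the client or chosen by the server."""
    return [(code, SUSPICIOUS_SUITES[code]) for code in hello["suites"] if code in SUSPICIOUS_SUITES]


def build_client_hello(suites: list) -> bytes:
    """Constructed sample ClientHello (TLS 1.2 version field, fixed random, empty session id, null compression)."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack(">H", len(hs)) + hs


def build_server_hello(suite: int) -> bytes:
    """Constructed sample ServerHello selecting a single suite."""
    body = b"\x03\x03" + b"\x22" * 32 + b"\x00" + struct.pack(">H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x03]) + struct.pack(">H", len(hs)) + hs


if __name__ == "__main__":
    # A client offering two modern suites alongside RC4 and an export suite, and a server
    # choosing anonymous DH: both sides would be worth a second look by an analyst.
    ch = parse_hello(build_client_hello([0xC02F, 0x1301, 0x0004, 0x0003]))
    sh = parse_hello(build_server_hello(0x0018))
    for hello in (ch, sh):
        for code, name in flag_suspicious(hello):
            print(f"{hello['side']}: suspicious cipher suite 0x{code:04X} {name}")
```

Flagging the client side and the server side separately matters in triage: a client that merely offers a weak suite may be an old library, while a server that selects one has completed a weak negotiation. GREASE values that modern browsers mix into their suite lists are not in the table and so are not flagged, and a ClientHello split across several TLS records (or a TLS 1.3 ServerHello with extensions) would need reassembly and extension parsing beyond what this example covers.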
- rtmp_lua – The rtmp parser has been updated for accuracy and efficiency.
- HTTP_lua – This parser has been updated with added detection and better accuracy.
Discontinued:
We strive to provide timely and accurate detection of threats as well as traits that can help analysts hunt through network and log data. Occasionally this means retiring content that provides little-to-no value.
For additional documentation, downloads, and more, visit the RSA NetWitness Platform page on RSA Link.
EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.