
Recent Activity

RSA Information Design and Development
Use Cases: RSA NetWitness Packet Hunting Guide, RSA UEBA Essentials Hunting Guide. Content Deployment: NetWitness 11.x Live Services Guide Live Content Search Tags Investigation Model Endpoint Content 11.3. Content Development Guides: Content Quick Start Guide, A Treatise on Writing Packet Parsers for the RSA NetWitness Platform, NetWitness Log…
RSA Information Design and Development
Overview: This topic provides details about configuring Windows collection so that NetWitness can collect logs from Microsoft Windows machines. In this document, the word "Collector" refers to either the NetWitness Log Collector or the NetWitness Virtual Log Collector. The word "Channel" refers to a Windows Event Log, for example, a Security…
RSA Information Design and Development
What is Data Exfiltration? One of the most common goals of malicious actors is to steal data. Data exfiltration refers to the successful sending of information out of an environment to an environment controlled by an attacker. Data exfiltration takes many different forms and is an objective of many different types of specific attacks. What is…
RSA Information Design and Development
What are Web Shells? Definition of web shells, from the United States Computer Emergency Readiness Team (TA15-314A): A web shell is a script that can be uploaded to a web server to enable remote administration of the machine. Infected web servers can be either Internet-facing or internal to the network, where the web shell is used to pivot…
RSA Product Team
The following table lists the RSA Application Rules for NetWitness Endpoint. Columns: Display Name, File Name, Description. Display Name: Accesses Administrative Share Using Command Shell. File Name: accesses_administrative_share_using_command_shell. Description: Accessing administrative share using command shell can be an indicator of someone trying for lateral movement or privilege escalation by…
RSA Product Team
The following table lists all of the delivered RSA Application Rules. For syntax and examples for application rules, see Application Rules Cheat Sheet. Note: For content that has been discontinued, see Discontinued Content. If you want to view only Endpoint application rules, click here: RSA Application Rules for Endpoint. Display…
RSA Product Team
This table lists all of the delivered RSA NetWitness Investigation meta. Columns: Meta Key, Details. analysis.file: autorun (Registered by: autorun.nwr); analysis.file: autorun file path not part of rpm (Registered by: autorun_file_path_not_part_of_rpm.nwr); analysis.file: autorun rpm mismatch (Registered by: autorun_rpm_mismatch.nwr)…
RSA Information Design and Development
    The following table illustrates how the current RSA Event Stream Analysis Rules are displayed in the ESA Define view after you download them from Live. The Module Name is the internal identification code for the rule. Note: For content that has been discontinued, see Discontinued Content.…
RSA Information Design and Development
Application Rules Cheat Sheet: Application rules compare fields to values or to other fields. This is an example of a simple expression with a meta key on the left side of the operator and a value on the right side: ip.dst=192.168.1.1 This is an example of a simple expression with a meta key on the left side of the operator and a meta key…
RSA Information Design and Development
The following table lists the RSA NetWitness Lists, used by the rules and reports in RSA NetWitness Platform. Columns: Name, Description. Administrative Users: Lists the names of the administrative users. Ad Servers: List of popular Ad sites. Ad services consume a lot of disk space. If the…