Threat Detection Content Update - April 2019

Document created by RSA Product Team Employee on May 9, 2019Last modified by RSA Product Team Employee on May 9, 2019
Version 2Show Document
  • View in full screen mode

Summary:

Several changes have been made to the Threat Detection Content in Live. For added detection you need to deploy/download and subscribe to the content via Live, for retired content you'll need to manually remove those.

 

Additions:

RSA NetWitness Endpoint 11.3

 

For RSA NetWitness Platform 11.3, a new content pack was delivered, the Endpoint Content bundle. Additionally, new Endpoint content is being delivered out-of-the-box with 11.3:

  • Endpoint Content bundle:
    • Approximately 400 application rules
    • File Category Lua parser
    • Investigation feed
    • Endpoint Reports
  • OOTB Content delivered with NetWitness 11.3:
    • ESA Endpoint Risk Scoring Rule bundle
    • Risk Score Configuration
    • Incident Rule
    • Reputation Service

In Live, select the drop-down menu for Medium, and select endpoint to search for Endpoint specific content. You can also deploy the Endpoint bundle to get all of the Endpoint content at once. For more information on the content and deployment, please see the topic for Endpoint Content.

 

RSA NetWitness Lua Parsers:

  • fingerprint_deb - Detects Debian package files. Meta will be output as filetype = ‘deb’.
  • eicar - Detects the EICAR test string (useful for proving visibility). Meta will be output as analysis.session = ‘eicar test string’.

 

RSA NetWitness Log-Based Application Rules:

Application rules were developed to detect credential dumping and pass the hash Mitre ATT&CK techniques. All rules will populate the Indicators of Compromise meta key as named below.

  • Pass the Hash - Indicates a possible pass-the-hash attack on a Windows system configured to use the NTLM authentication protocol. The rule reduces false positives by excluding anonymous logons, domain controller and machine logons and those that are not local accounts. It is recommended to exclude the domain for which the domain controller is responsible within the rule logic, since an attacker would typically not have this information and it could increase rule accuracy.
  • Remote Thread into LSASS – Detects when a process creates remote thread into target process of LSASS. This is detected through sysmon logs and indicates probable credential dumping.
  • LSASS Access - Detects suspicious access to lsass.exe through sysmon logs. This process access indicates probable credential dumping.
  • Named Pipe into LSASS - Detects when a suspicious Named Pipe is created or connected to target process of LSASS. This is detected through sysmon logs and indicates probable credential dumping.

 

 

Changes:

  • TLS_lua parser – Now identifies TLS 1.3. Certificate meta accuracy was increased. Certificate validation is now extracted (in many cases), e.g. extended validation, domain validation.
  • xor_executable_lua - Hex encoded executables are now detected .
  • phishing_lua - Updated for accuracy and efficiency.
  • http_sql_injection – Updated for accuracy and efficiency.
  • HTTP_lua – Increased accuracy for username and password extraction. Identifies increased number of sessions.
  • SMB_lua - Identifies increased number of sessions.
  • Ghost lua – Updated for ZEGOST detection
  • Archive Extension Mismatch app rule – Extended compressed file types and modified to reduce false positives to Office file types
  • ESA rules: These ESA rules were updated due to changes in 11.3 or mutli-valued meta. See ESA Alerting Guide for more information.
    • RIG Exploit Kit
    • AWS Critical VM Modified
    • Multiple Successful Logins from Multiple Diff Src to Same Dest
    • Multiple Successful Logins from Multiple Diff Src to Diff Dest
    • Multiple Failed Logins from Multiple Diff Sources to Same Dest
    • Multiple Failed Logins from Multiple Users to Same Destination
    • User Login Baseline

 

Discontinued:

ESA Rules – Did not provide customer value due to number of alerts or implementation.

  • Suspicious HTTP POST Commands
  • Suspicious Communication Channel Sender
  • Suspicious Communication Channel Receiver
  • Detection of Syn Flood Attack using Netflow

 

For additional documentation, downloads, and more, visit the RSA NetWitness Platform page on RSA Link.

 

EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.

Attachments

    Outcomes