RSA LIVE January and February Content Announcement

Document created by RSA Link Team Employee on May 2, 2016
Version 1Show Document
  • View in full screen mode


The RSA Content team is pleased to announce the addition of new and updated content to the RSA Live Content Library. 



Threat Detection Content


Novetta Research identified IOC IPs and Domains

Novetta recently released a research paper detailing background and specifics around the Sony Hack in November of last year, and identified a new and very active Threat Actor Group that they are calling “Lazarus Group”.   Reference the website below for more details:



This research identified 45 distinct malware families, many Command and Control (C2) points and more. 


RSA FirstWatch leveraging the Novetta research has incorporated the C2 indicators in RSA Live under the Third Party Indicator Feeds:


         1.  Third Party IOC IPs – Contains IPs published as malicious from third party research and publications

         2.  Third Party IOC Domain – Contains domains published as malicious from third party research and publications


Customers should subscribe to the above feeds.  Once deployed, the following pivot can be used in Security Analytics to locate suspect traffic:



            ·  threat.category = novetta


RSA FirstWatch will continue working on updating content to catch different attack vectors discussed in the Novetta Research paper.  This content will be made available to customers through RSA Live when complete. 



RSA Live Content Update to Detect Lateral Movement


Lateral movement is a part of the kill chain. After an attack has taken place, which allows entry into a company’s internal environment, lateral movement is the process of elevating credentials and gaining access to additional internal systems. This link describes a package of content that contains a set of rules to monitor Windows systems for lateral movement. RSA Link.



RSA Live Content Update to Detect Vulnerabilities


Content has been updated to detect the following vulnerabilities using Security Analytics:


            · Cisco recently found vulnerabilities in the IKE (v1) and IKE (v2) code of Cisco ASA Software which could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. RSA Security Analytics Content Team has updated the relevant content to detect this vulnerability. Additional details on detecting this vulnerability using Security Analytics is provided on RSA Link.


           ·  Juniper recently found multiple security issues with ScreenOS, an Event Stream Analytics (ESA) rule “Juniper ScreenOS Administrative Access (CVE-2015-7755)” has been developed detect the security issues.



Out of the Box Content Updates


RSA Security Analytics Content team has updated the following parsers and analytical content based on feedback from our customers and partners:


For a full breakdown please go to RSA LINK.


Parser Content


Packet Parsers

4 New Parsers have been added.

9 Parsers have been updated.


Log Parsers

29 parsers have been updated


Analytical Content



6 New Lists have been added

7 Lists have been updated.


Application Rules

1 New Rule has been added.

1 Rule has been updated.


Correlation Rules

1 New Rule has been added.


ESA Rules

1 New Rule has been added.

1 Rule has been updated.


RE Rules

31 Rules have been updated.



1 New Report has been added.




Additional Information


The entire content library can be viewed here:


Content requests can be made here:



The ASOC Content Team (



For additional documentation, downloads, and more, visit the RSA NetWitness Platform on RSA Link


EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details.
Product Version Life Cycle