RSA ESA Rules

Document created by RSA Information Design and Development on May 25, 2016. Last modified by RSA Information Design and Development on Nov 15, 2018.

The following table illustrates how the current RSA Event Stream Analysis Rules are displayed in the ESA Define view after you download them from Live. The Module Name is the internal identification code for the rule.

Note: For content that has been discontinued, see Discontinued Content.

Each entry below gives the table columns in order: Display Name, File Name, Description, Medium, Tag.
Display Name: Account Added to Administrators Group and Removed
File Name: esa000090
Description: Detects log events when a user is added to an administrative group and then removed from the group within 15 minutes. Both the list of administrator groups and the event time window are configurable.

BUNDLES
* UEBA Essentials
Medium: log
Tag: authorization, identity

Display Name: Account Removals From Protected Groups on Domain Controller
File Name: esa000133
Description: Detects account removal from a protected group on a domain controller. There are five parameters: device hostnames to monitor, device IP addresses to monitor, protected groups to monitor, number of times an account was removed before the alert triggers and number of seconds in which events must occur.
Medium: log
Tag: assurance, audit, authorization, compliance, identity

Display Name: Aggressive Internal Database Scan
File Name: esa000104
Description: Detects a single host making connection attempts to 100 or more unique IP addresses in 1 minute over any combination of the following ports: TCP/1433, UDP/1434, TCP/3306, TCP/5432, TCP/3351, TCP/1521. Source and destination IP addresses must be internal addresses according to the RFC-1918 specification. The time window, list of port numbers and target host count are configurable.
Medium: packet
Tag: action on objectives, attack phase, threat

Display Name: Aggressive Internal NetBIOS scan
File Name: esa000103
Description: Detects a single host making connection attempts to 100 or more unique IP addresses in 1 minute over any combination of the following ports: UDP/137, UDP/138, TCP/139. Source and destination IP addresses must be internal addresses according to the RFC-1918 specification. The time window, list of port numbers and target host count are configurable.
Medium: packet
Tag: action on objectives, attack phase, threat

Display Name: Aggressive internal web portal scan
File Name: esa000102
Description: Detects a single host making connection attempts to 100 or more unique IP addresses in 1 minute over any combination of TCP/80 and TCP/443. Source and destination IPs must be internal addresses according to the RFC-1918 specification. The list of ports, time window, and target host count are configurable.
Medium: packet
Tag: action on objectives, attack phase, threat

Display Name: AWS Critical VM Modified
File Name: esa000134
Description: 10.5 and higher. Detects when Amazon Web Services (AWS) critical virtual machine instances are modified. Actions detected by this module include instances being terminated, stopped and rebooted as well as modification of instance attributes and monitoring status. In order to trigger an alert, a custom feed of critical instance source IPs must be created to populate the alert meta key with the value "critical_vm". The AWS CloudTrail log parser is a required dependency.
Medium: log
Tag: assurance, audit, compliance

Display Name: AWS Permissions Modified Followed By Instance State Change
File Name: esa000155
Description: 10.5 and higher. Detects when an Amazon Web Services (AWS) permission is modified followed by an instance state change. By default, the creation of a new user followed by a run of a new instance or termination of an existing instance within 5 minutes triggers the rule. The list of permission modifications, instance state changes and time window are configurable. The CEF log parser is a required dependency.
Medium: log
Tag: assurance, audit, authorization, compliance, identity

Display Name: Backdoor Activity Detected
File Name: esa000061
Description: The rule detects backdoor activity using logs. By default, the rule triggers when a variation of the keyword backdoor is found in either policy.name or event.category.name. This rule may also be customized with a list of backdoor names and will look for these names in either policy.name or event.category.name.
Medium: log
Tag: attack phase, installation, malware, remote access trojans, threat

Display Name: BYOD Mobile Web Agent Detected
File Name: esa000117
Description: Detects a web-browsing agent for a mobile device. To configure the rule, specify the list of unauthorized browser agents and remove any mobile agents that are authorized from the list. The rule is triggered when an employee uses an unauthorized device on the network. In addition to the list of unauthorized browser agents, the following parameters are also configurable: the number of connections allowed per source before the alert is triggered and the time window within which the unauthorized use takes place.
Medium: packet
Tag: application analysis, assurance, compliance, corporate, event analysis, operations

Display Name: Cerber Ransomware
File Name: esa000158
Description: For Cerber4 to Cerber6, the rule looks for a spray of outbound suspected command and control (C2) traffic via UDP ports 6892 and 6893 from a single source IP to multiple destination IPs. The time window, list of UDP port numbers and amount of UDP traffic are configurable.

Prior to Cerber4, the detection relies on a pattern of Cerber ransomware in which a geolocation check of an IP is performed in order to bypass hosts in Eastern European countries directly followed by a one-way command and control (C2) via UDP port 6892. The time window, list of UDP port numbers and IP geolocation check sites are configurable.

The Lua parsers, traffic_flow and DNS_verbose_lua, are required.

Reference these RSA Link blog posts from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2016/09/27/the-evolution-of-cerber
https://community.rsa.com/community/products/netwitness/blog/2016/11/04/the-evolution-of-cerber-v410
https://community.rsa.com/community/products/netwitness/blog/2017/06/19/ransomware-cerber-v6x-delivery-and-detection
Medium: packet
Tag: crimeware, featured, malware, threat

Display Name: Client Using Multiple DHCP Servers
File Name: esa000152
Description: Detects a connection from a single IP address to 2 or more destination IP addresses on UDP 67 or UDP 68 within 10 minutes. The time period is configurable.
Medium: log, packet
Tag: assurance, organizational hazard, risk

Display Name: Detection of Encrypted Traffic to Countries
File Name: esa000065
Description: Detects when there is encrypted traffic to an IP address registered in the specified list of destination countries. Note: You must deploy and enable the TLS_lua parser, the SSH_lua parser and their dependencies on the Decoder.
Medium: packet
Tag: operations, situation awareness

Display Name: Detection of Syn Flood Attack using Netflow
File Name: esa000077
Description: A 10.4 or higher Log Collector is required for Netflow collection. Generates an alert after detecting a SYN flood denial-of-service attack using Netflow. For this ESA rule to fire, ensure that the device parser (RSAFlow for a 10.3 Log Decoder or CEF for a 10.4 Log Decoder) and the TCP Flags Seen feed are enabled. Also ensure that the meta key "direction" is indexed by the Log Decoder within the table-map.xml file and by the Concentrator within the index-concentrator-custom.xml file, and that the meta key TCP Flags Seen (tcp_flags_seen) is indexed by the Concentrator within the index-concentrator-custom.xml file.
Medium: log
Tag: action on objectives, attack phase, denial of service, event analysis, operations, protocol analysis, threat

Display Name: Detects Router Configuration Attempts
File Name: esa000069
Description: Detects when a change in router configuration is attempted. This rule triggers when the Event Classification Tag (ECT) ec.activity is equal to "Modify" and ec.theme is equal to "Configuration", or event.cat.name is equal to "Config.Changes", along with device.class equal to "Router".
Medium: log
Tag: assurance, audit, compliance

Display Name: Direct Login By A Watchlist Account
File Name: esa000169
Description: A successful interactive or remote interactive logon to a user account on a Windows host. Uses a Context Hub (CH) list to track users.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION
Rule Parameters:
* Name of the Context Hub (CH) list for user blacklist. By default, the CH list is named User_Blacklist. You have to add users to the default User_Blacklist CH list or replace the default CH list with the name of a custom CH user blacklist. For a list of out of the box CH lists and how to create and update them, refer to https://community.rsa.com/docs/DOC-85972

DEPENDENCIES
* User_Blacklist CH list
* Windows events log Parser

BUNDLES
* UEBA Essentials
Medium: log
Tag: authentication, identity

Display Name: DNS Amplification
File Name: esa000013
Description: Detects when the UDP destination port is 53 and the total size of the network session packets is more than 4000 bytes. Both port and size are configurable.
Medium: packet
Tag: event analysis, operations, protocol analysis

Display Name: ESA Event Source Monitor
File Name: esa000159
Description: This rule monitors logs that have an event time one hour or more before the time ESA processes them. This could indicate a lag in processing time that should be investigated depending on your system configuration. The time window is configurable. This rule requires at least one configured event source.
Medium: log
Tag: featured, assurance, compliance, corporate

Display Name: Excessive Denied Inbound Traffic Followed By Permit By Source IP
File Name: esa000020
Description: Ten or more consecutive inbound network communication denies are followed by a permit from the same source IP within 5 minutes. The time window and a whitelist of source IPs are configurable. This rule uses the non-standard meta key "direction", so it must be indexed by the Log Decoder within the table-map.xml file and by the Concentrator within the index-concentrator-custom.xml file.
Medium: log
Tag: event analysis, flow analysis, operations

Display Name: Excessive Web Server Errors From Same IP
File Name: esa000003
Description: Five or more error code responses from a web server that begin with the number 4 or 5 for the same source IP within 1 minute. Both the number of errors and the time window are configurable.
Medium: log
Tag: attack phase, exploit, threat

Display Name: Failed logins Followed By Successful Login and a Password Change
File Name: esa000175
Description: Five or more failed logins for a user followed by a successful login and a password change within 5 minutes.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger the rule. By default, 300 seconds.
* Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972)

DEPENDENCIES
* User_Whitelist CH list
* Existence of at least one log parser enabled on the log decoder which populates ec_activity = Logon/Modify, ec_outcome = Success/Failure and user_dst is not null.

BUNDLES
* UEBA Essentials
Medium: log
Tag: authentication, authorization, identity

Display Name: Failed Logins Outside Business Hours
File Name: esa000166
Description: This rule is triggered when a user logs into a system after business hours with the following conditions:

* At least 2 failed logins, described by ec_activity = Logon and ec_outcome=failure
* The failed logins are within a 3600 second (60 minute) timeframe
* The failed logins are outside of business hours: by default, this means after 5 pm and before 9 am the following day in UTC time format
* Device is not in the whitelist (device classes exempt from failed login alert)
* Device is in the blacklist (device classes NOT exempt from failed login alert)

This rule suppresses "extra" failed logins. For example, using the default conditions, if within 60 minutes, sometime between 5 pm and 9 am the following day, user xyz tries to log on 5 times and fails each time, this rule triggers an alert only for the first 2 failed logins and will suppress the next 3 events (login failures).

CONFIGURATION
Rule Parameters:
* Start of the non-working-hours window for generating alerts. By default, 17 (UTC).
* End of the non-working-hours window for generating alerts. By default, 9 (UTC).
* Within this number of seconds: the time window within which the events must occur to trigger the rule. By default, 3600 seconds.
* Alert suppression time window: the period during which additional failed logins are suppressed after an alert. By default, 3600 seconds.
* Blacklist device classes: the device classes that trigger the alert. By default, 29 device classes are listed in the blacklist.
* Whitelist device classes: the device classes exempt from the alert. By default, the content management systems device class is listed in the whitelist.
* Usernames: a list of usernames to be excluded from generating alerts. By default, service accounts are listed.

DEPENDENCIES
Log Parsers:
* Existence of at least one log parser enabled at log decoder which populates ec_activity = Logon and ec_outcome=failure and user_dst.

BUNDLES
* UEBA Essentials
Medium: log
Tag: authentication, identity

Display Name: Head Requests Flood
File Name: esa000057
Description: Detects multiple HEAD requests from the same source within the given time period. Default values: 30 HEAD requests, 60 seconds time period. This rule requires either the HTTP-flex or HTTP-lua parser (and their dependencies) to be enabled on the Network Decoder.
Medium: packet
Tag: action on objectives, attack phase, denial of service, threat

Display Name: Horizontal Port Scan
File Name: esa000167
Description: Alert when log events and network sessions contain 200 unique IP destinations with the same source IP and destination port within 60 seconds, indicating a horizontal port scan.

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger the rule. By default, 60 seconds.
* Blacklist device classes: the device classes that trigger the alert. By default, the Firewall device class is listed in the blacklist.
* Whitelist source IPs: source IPs exempt from the alert. By default, the source IP 1.1.1.1 is listed in the whitelist.
* Whitelist destination IPs: destination IPs exempt from the alert. By default, the destination IP 1.1.1.2 is listed in the whitelist.
* Whitelist destination ports: destination ports exempt from the alert (the IP destination port for logs, the TCP and UDP destination ports for packets). By default, destination port 0 is listed in the whitelist.
* Destination port range: the range of destination ports for which the alert fires. By default, 1 is the low end and 1024 the high end of the range.

DEPENDENCIES
Lua Parsers:
* traffic_flow
Medium: log, packet
Tag: attack phase, reconnaissance, threat

Display Name: HTTP GET Flood
File Name: esa000021
Description: Detects when successful HTTP connections send GET requests that result in at least 1000 packets to the same destination IP within 60 seconds. Both the time window and the number of packets are configurable.
Medium: packet
Tag: action on objectives, attack phase, denial of service, threat

Display Name: HTTP Outbound Traffic to Multiple Destinations From Single Source
File Name: esa000056
Description: HTTP outbound traffic to 50 unique destination IPs from a single source IP within 60 seconds. Outbound traffic is defined as traffic whose destination is not a private reserved address. The source IP must be within the RFC 1918 specification. The time window, number of unique destination IPs and source IP whitelist are all configurable. All events are grouped by ip.src, and 50 must occur within 60 seconds.
Medium: packet
Tag: event analysis, operations, protocol analysis

Display Name: ICMP Reconnaissance Scan
File Name: esa000022
Description: Alert when log events contain 20 messages indicating a reconnaissance event using the ICMP protocol within 300 seconds from the same source IP. These events may indicate a sweep of a network to discover the range of hosts present and alive. Both the time window and the number of messages are configurable. This rule uses the non-standard meta key "protocol", so it must be indexed by the Log Decoder within the table-map.xml file and by the Concentrator within the index-concentrator-custom.xml file.
Medium: log
Tag: attack phase, reconnaissance, threat

Display Name: IDS or IPS Generating Same Events in Network from a Source
File Name: esa000042
Description: Detects similar IDS/IPS events from the same source to multiple destination IPs. The count of unique destinations and the time window are configurable.
Medium: log
Tag: action on objectives, attack phase, threat

Display Name: Inbound Packet Followed by Recipient Outbound Encrypted Connection
File Name: esa000062
Description: An inbound packet is detected to a recipient, followed by the recipient creating an outbound encrypted connection within 5 minutes. The inbound packet must be to a private IP address according to RFC-1918 and the outbound connection must be to a non-RFC-1918 address. The TLS Lua-based packet parser is required for detection of the encrypted connection.
Medium: log and packet, packet
Tag: action on objectives, attack phase, data exfiltration, threat

Display Name: Insider Threat Mass Audit Clearing
File Name: esa000197
Description: Detects when the same user logs on multiple times to multiple Windows machines, then clears the audit log on each machine within a configurable time frame.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger the rule. By default, 600 seconds.
* Number of systems whose Event Log was cleared. By default, 5.
* Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972)

DEPENDENCIES
* User_Whitelist CH list
* Windows Events log parser

BUNDLES
* UEBA Essentials
Medium: log
Tag: action on objectives, attack phase, authentication, data sabotage, identity, threat

Display Name: Internal Data Posting to 3rd party sites
File Name: esa000089
Description: Detects when an internal IP address A receives an amount of data greater than the configured size from internal IP address B, and then, within the specified time interval, IP A posts data to external 3rd party sites.

VERSIONS SUPPORTED
* 10.6.0 and higher

CONFIGURATION
Rule Parameters:
* Minimum session size to trigger, in bytes. By default, 5 MB (5242880 bytes).
* List of IPs allowed to post data outbound
* List of allowed 3rd party hosts to post data

DEPENDENCIES
Lua Parsers
* traffic_flow
Medium: packet
Tag: action on objectives, attack phase, data exfiltration, threat

Display Name: Juniper ScreenOS Administrative Access (CVE-2015-7755)
File Name: esa000156
Description: 10.4 or higher. Administrative Access (CVE-2015-7755) allows unauthorized remote administrative access to the device. Exploitation of this vulnerability can lead to complete compromise of the affected device. This issue only affects ScreenOS 6.3.0r17 through 6.3.0r20. No other Juniper products or versions of ScreenOS are affected by this issue. Upon exploitation of this vulnerability, the log file would contain an entry that "system" had logged on, followed by password authentication for a username.
Medium: log
Tag: attack phase, authorization, exploit, identity, threat

Display Name: krbtgt Account Modified on Domain Controller
File Name: esa000186
Description: Detects modification of the krbtgt account on a domain controller. There are four parameters: device hostnames to monitor, device IP addresses to monitor, number of events required to trigger the alert and number of seconds in which events must occur.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger the rule. By default, 60 seconds.
* Number of krbtgt modifications required to trigger the rule. By default, 1.
* Name of the CH list for host blacklist. By default, the CH list is named Host_Blacklist. You have to add hosts to the default Host_Blacklist CH list or replace the default CH list with the name of a custom CH host blacklist.
* Name of the CH list for IP blacklist. By default, the CH list is named IP_Blacklist. You have to add IPs to the default IP_Blacklist CH list or replace the default CH list with the name of a custom CH IP blacklist.
For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972)

DEPENDENCIES
* Host_Blacklist CH list
* IP_Blacklist CH list
* Existence of at least one Windows Event log parser enabled on the log decoder

BUNDLES
* UEBA Essentials
Medium: log
Tag: assurance, audit, authorization, compliance, identity

Display Name: Lateral Movement Suspected Windows
File Name: esa000195
Description: Detects within a Windows environment a sequence of events in which an executable is copied to a file share, the executable is used to create a new service and the service is started within 5 minutes. The time window is configurable. All events must be logged for the same event computer. The sequence of events may indicate an attacker moving laterally by executing a backdoor on a victim machine from an already compromised system. Detailed file audit logging must be enabled for the file copy event to be recorded. A Microsoft Windows log parser must be enabled. This rule uses the non-standard meta keys "event.computer", "service.name" and "disposition", so they must be indexed by the Log Decoder within the table-map.xml file and by the Concentrator within the index-concentrator-custom.xml file.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger the rule. By default, 300 seconds.
* Name of the CH list for host whitelist. By default, the CH list is named Host_Whitelist. You have to add hosts to the default Host_Whitelist CH list or replace the default CH list with the name of a custom CH host whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972)

DEPENDENCIES
* Host_Whitelist CH list
* Existence of at least one Windows Event log parser enabled on the log decoder.

BUNDLES
* UEBA Essentials
Medium: log
Tag: action on objectives, attack phase, featured, lateral movement, threat

Display Name: Logins across multiple servers
File Name: esa000168
Description: Detects logins from the same user across multiple separate servers or hosts.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger the rule. By default, 300 seconds.
* Number of unique destinations. By default, 3.
* Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972)

DEPENDENCIES
* User_Whitelist CH list
* Existence of at least one log parser enabled on the log decoder which populates ec_activity = Logon

BUNDLES
* UEBA Essentials
Medium: log
Tag: authentication, identity

Display Name: Malicious Account Creation Followed by Failed Authorization to Neighboring Devices
File Name: esa000060
Description: Detects when a new account is created on a system and three authentication failures occur from that system with the new account name (i.e. someone gains access to a system, creates a user account, and attempts to log into other appliances from the compromised system hoping that the system is considered trusted).

BUNDLES
* UEBA Essentials
Medium: log
Tag: action on objectives, attack phase, authentication, authorization, identity, lateral movement, threat

Display Name: Malware Dropper
File Name: esa000154
Description: This rule triggers upon download of a PDF, Java, RTF or Microsoft Office file, followed by download of an EXE file within 5 minutes. This is indicative of a two-stage malware dropper, where scripting code in a container file (such as PDF, Java, RTF or Microsoft Office in this scenario) results in a request for a download of malware.

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger the rule. By default, 300 seconds.
* Malware dropper filetypes: the list of container filetypes that trigger alerts. By default, RTF, PDF, Java and Microsoft Office files are listed.
* Malware dropped filetypes: the list of dropped filetypes that trigger alerts. By default, Windows executable files are listed.

DEPENDENCIES
Lua Parsers:
* fingerprint_pdf_lua
* fingerprint_java
* fingerprint_rtf
* fingerprint_office
* windows_executable

BUNDLES
* UEBA Essentials
Medium: packet
Tag: attack phase, delivery, exploit, malware, threat

Display Name: Multiple Account Lockouts From Same or Different Users
File Name: esa000170
Description: Multiple account lockouts reported for a single user or multiple users within a time window of 10 minutes. The time window is configurable.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger the rule. By default, 600 seconds.
* Number of account lockouts before this module alerts. By default, 10.
* Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972)

DEPENDENCIES
* User_Whitelist CH list
* Existence of at least one Windows Events log parser enabled on the log decoder

BUNDLES
* UEBA Essentials
Medium: log
Tag: authorization, identity

Display Name: Multiple Failed logins Followed By Successful Login
File Name: esa000174
Description: Multiple failed logons followed by a successful logon by the same user within 5 minutes. The time window and number of failed logins are configurable.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger the rule. By default, 300 seconds.
* Number of failed logins before looking for a successful login. By default, 3.
* Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972)

DEPENDENCIES
* User_Whitelist CH list
* Existence of at least one log parser enabled on the log decoder which populates ec_activity = Logon, ec_outcome = Success/Failure and user_dst is not null.

BUNDLES
* UEBA Essentials
Medium: log
Tag: authentication, identity

Display Name: Multiple Failed Logins from Multiple Diff Sources to Same Dest
File Name: esa000182
Description: Alert when log events contain multiple failed logins from a single user from multiple different sources to the same destination.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger the rule. By default, 3600 seconds.
* Number of failed logons required to trigger the rule. By default, 3.
* Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist.
* Name of the CH list for host whitelist. By default, the CH list is named Host_Whitelist. You have to add hosts to the default Host_Whitelist CH list or replace the default CH list with the name of a custom CH host whitelist.
* Name of the CH list for IP whitelist. By default, the CH list is named IP_Whitelist. You have to add IPs to the default IP_Whitelist CH list or replace the default CH list with the name of a custom CH IP whitelist.
For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972)

DEPENDENCIES
* User_Whitelist CH list
* Host_Whitelist CH list
* IP_Whitelist CH list
* Existence of at least one log parser enabled on the log decoder which populates ec_activity = Logon and ec_outcome = Failure

BUNDLES
* UEBA Essentials
Medium: log
Tag: authentication, identity

Display Name: Multiple Failed Logins from Multiple Users to Same Destination
File Name: esa000192
Description: Alert when log events contain multiple failed logins from multiple different users from the same source to the same destination within the configured time.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger the rule. By default, 180 seconds.
* Number of failed logons required to trigger the rule. By default, 3.
* Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist.
* Name of the CH list for host whitelist. By default, the CH list is named Host_Whitelist. You have to add hosts to the default Host_Whitelist CH list or replace the default CH list with the name of a custom CH host whitelist.
* Name of the CH list for IP whitelist. By default, the CH list is named IP_Whitelist. You have to add IPs to the default IP_Whitelist CH list or replace the default CH list with the name of a custom CH IP whitelist.
For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972)

DEPENDENCIES
* User_Whitelist CH list
* Host_Whitelist CH list
* IP_Whitelist CH list
* Existence of at least one log parser enabled on the log decoder which populates ec_activity = Logon and ec_outcome = Failure

BUNDLES
* UEBA Essentials
Medium: log
Tag: authentication, identity

Display Name: Multiple Failed Logins from Same User Originating from Different Countries
File Name: esa000193
Description: Multiple failed logins from the same user, originating from multiple different countries. IP addresses are used to determine that the attempted logins originated from different countries.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger the rule. By default, 300 seconds.
* Number of unique countries from which failed logins must originate to trigger the rule. By default, 2.
* Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist.
For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972)

DEPENDENCIES
* User_Whitelist CH list
* At least one log parser enabled on the log decoder which populates ec_activity = Logon and ec_outcome = Failure
* Requires the built-in GeoIP parser to be enabled.

BUNDLES
* UEBA Essentials
Medium: log
Tag: authentication, identity

Display Name: Multiple Failed Logins to Single Host from Multiple Hosts
File Name: esa000045
Description: Alert when log events contain multiple failed logins to a single host from multiple different sources in 300 seconds. User info is not correlated among events. Both the time window and the number of failed logins are configurable.
Medium: log
Tag: authentication, identity

Display Name: Multiple Failed Privilege Escalations by Same User
File Name: esa000196
Description: Triggers after a user account fails privilege escalation multiple times within the configured period of time.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger the rule. The default is 300 seconds.
* Number of failed privilege escalation attempts before the rule triggers. The default is 3.
* Name of the CH list with privileged user accounts. By default, the CH list is named Admin_Accounts. You have to add users to the default Admin_Accounts CH list or replace the default CH list with the name of a custom CH list with privileged user accounts. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972)

DEPENDENCIES
* Admin_Accounts CH list
* Existence of at least one Windows Event log parser or Unix log parsers like 'aix', 'hpux' or 'solaris' enabled on the log decoder

BUNDLES
* UEBA Essentials
Medium: log
Tag: authorization, identity

Display Name: Multiple Intrusion Scan Events from Same Username to Unique Destinations
File Name: esa000068
Description: Detects scan events from intrusion devices to unique destinations from the same user. All events leading to the alert have the same username and different destination addresses. This rule triggers when the detected events have the ECT (Event Classification Tag) ec.activity equal to "Scan".
Medium: log
Tag: action on objectives, attack phase, threat

Display Name: Multiple Login Failures by Administrators to Domain Controller
File Name: esa000198
Description: This rule is triggered when a user enters Administrator credentials to log in to a domain controller and fails multiple times within a certain number of minutes.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger the rule. The default is 180 seconds.
* Number of failed logons before the rule triggers. The default is 3.
* Name of a custom CH list with privileged user accounts. By default, the CH list is named Admin_Accounts. You have to add users to the default Admin_Accounts CH list or replace the default CH list with the name of a custom CH list with privileged user accounts.
* Name of the CH list for host blacklist. By default, the CH list is named Host_Blacklist. You have to add hosts to the default Host_Blacklist CH list or replace the default CH list with the name of a custom CH host blacklist.
* Name of the CH list for IP blacklist. By default, the CH list is named IP_Blacklist. You have to add IPs to the default IP_Blacklist CH list or replace the default CH list with the name of a custom CH IP blacklist.
For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972)

DEPENDENCIES
* Admin_Accounts CH list
* Host_Blacklist CH list
* IP_Blacklist CH list
* Existence of at least one Windows Event log parser enabled on the log decoder

BUNDLES
* UEBA Essentials
Medium: log
Tag: authentication, identity

Display Name: Multiple Login Failures by Guest to Domain Controller
File Name: esa000199
Description: This rule is triggered when a user enters Guest credentials to log in to a domain controller and fails multiple times within a certain number of minutes.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger the rule. The default is 180 seconds.
* Number of failed logons before the rule triggers. The default is 3.
* Name of a custom CH list with guest user accounts. By default, the CH list is named Guest_Accounts. You have to add users to the default Guest_Accounts CH list or replace the default CH list with the name of a custom CH list with guest user accounts.
* Name of the CH list for host blacklist. By default, the CH list is named Host_Blacklist. You have to add hosts to the default Host_Blacklist CH list or replace the default CH list with the name of a custom CH host blacklist.
* Name of the CH list for IP blacklist. By default, the CH list is named IP_Blacklist. You have to add IPs to the default IP_Blacklist CH list or replace the default CH list with the name of a custom CH IP blacklist.
For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972)

DEPENDENCIES
* Guest_Accounts CH list
* Host_Blacklist CH list
* IP_Blacklist CH list
* Existence of at least one Windows Event log parser enabled on the log decoder

BUNDLES
* UEBA Essentials
Medium: log
Tag: authentication, identity

Display Name: Multiple Login Failures Due to Username That Does Not Exist
File Name: esa000038
Description: Alerts when log events contain multiple login failures due to a username that does not exist, from the same source, in 180 seconds. In this scenario, the username being used does not exist and is attempting to log on multiple times from the same machine. Both the time window and number of failed logins are configurable.
Medium: log
Tag: authentication, identity

Display Name: Multiple Login Failures from Same Source IP with Unique Usernames
File Name: esa000067
Description: Detects multiple failed login events from the same source IP address with unique usernames occurring within the specified time period. You can configure the time period (default is 180 seconds) and number of failed logins (default is three).

BUNDLES
* UEBA Essentials
Medium: log
Tag: authentication, identity

Display Name: Multiple Logs from a MsgID Set with Same SourceIP and DestinationIP
File Name: esa000071
Description: Detects when multiple log events from the specified list of message IDs with the same Source IP and Destination IP take place in the specified time period. You can configure the number of log events (default value is three), the list of message IDs, and the time period (default is 300 seconds).
Medium: log
Tag: operations, situation awareness

Display Name: Multiple Service Connections with Authorization Failures
File Name: esa000051
Description: Detects 4 failed login attempts from the same source to the same destination on different destination ports, within a 5 minute period. You can configure the time period, list of destination ports to be monitored, and the number of connection attempts.
Medium: log
Tag: authentication, identity

Display Name: Multiple Successful Logins from Multiple Diff Src to Diff Dest
File Name: esa000183
Description: Alert when log events contain multiple successful logins from a single user from multiple different sources to multiple different destinations.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger the rule. The default is 180 seconds.
* Number of successful logons before the rule triggers. The default is 3.
* Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist.
* Name of the CH list for host whitelist. By default, the CH list is named Host_Whitelist. You have to add hosts to the default Host_Whitelist CH list or replace the default CH list with the name of a custom CH host whitelist.
* Name of the CH list for IP whitelist. By default, the CH list is named IP_Whitelist. You have to add IPs to the default IP_Whitelist CH list or replace the default CH list with the name of a custom CH IP whitelist.
For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972)

DEPENDENCIES
* User_Whitelist CH list
* Host_Whitelist CH list
* IP_Whitelist CH list
* Existence of at least one log parser enabled on the log decoder which populates ec_activity = Logon and ec_outcome = Success

BUNDLES
* UEBA Essentials
Medium: log
Tag: authentication, identity

Display Name: Multiple Successful Logins from Multiple Diff Src to Same Dest
File Name: esa000191
Description: Alert when log events contain multiple successful logins from a single user from multiple different sources to the same destination within the configured time window.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger the rule. The default is 3600 seconds.
* Number of successful logins before the rule triggers. The default is 3.
* Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist.
* Name of the CH list for host whitelist. By default, the CH list is named Host_Whitelist. You have to add hosts to the default Host_Whitelist CH list or replace the default CH list with the name of a custom CH host whitelist.
* Name of the CH list for IP whitelist. By default, the CH list is named IP_Whitelist. You have to add IPs to the default IP_Whitelist CH list or replace the default CH list with the name of a custom CH IP whitelist.
For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972)

DEPENDENCIES
* User_Whitelist CH list
* Host_Whitelist CH list
* IP_Whitelist CH list
* Existence of at least one log parser enabled on the log decoder which populates ec_activity = Logon and ec_outcome = Success

BUNDLES
* UEBA Essentials
Medium: log
Tag: authentication, identity

Display Name: Multiple SYN packets from Same Source
File Name: esa000070
Description: Detects when the specified number of SYN packets from the same source occur in the specified time period. You can configure the time period (default is 60 seconds) and the SYN count (default is 100 packets).
Medium: packet
Tag: action on objectives, attack phase, event analysis, operations, protocol analysis, threat

Display Name: Netflow - Spam Detection
File Name: esa000147
Description: 10.4 or higher. Detects spam based on a specified number of connection attempts from one host within one minute over specified ports. For example, this criteria would trigger the rule: Host 1.1.1.1 reaches out to 1000 other hosts within one minute over ports 25, 110, or 143. The following parameters are configurable: source IP addresses to exclude, number of connection attempts, IP destination ports to include. Prerequisites are: device parser must be enabled. Use RSAFlow for 10.3 Log Decoder or CEF for 10.4 Log Decoder. Meta key "direction" must be indexed by the Log Decoder within the table-map.xml file and the Concentrator within the index-concentrator-custom.xml file.
Medium: log
Tag: attack phase, delivery, threat

Display Name: Netflow - Web DoS detection
File Name: esa000139
Description: 10.4 or higher. Lists RFC 1918 IP addresses that generate more than a specified number of network flows to a single Internet routable host, via TCP 80 or 443, within a specified number of minutes. These parameters are configurable: number of flows, number of minutes and IP source addresses to exclude from the rule. Dummy proxies are 10.1.1.1 and 10.2.2.2. Prerequisites are: device parser must be enabled, RSAFlow for 10.3 Log Decoder or CEF for 10.4 Log Decoder, and meta key "direction" must be indexed by the Log Decoder within the table-map.xml file and the Concentrator within the index-concentrator-custom.xml file.
Medium: log
Tag: action on objectives, attack phase, denial of service, threat

Display Name: Netflow - Windows Worm Propagation
File Name: esa000148
Description: 10.4 or higher. Detects worm propagation based on a specified number of connection attempts from one host within one minute over specified ports. For example, this criteria would trigger the rule: Host 1.1.1.1 reaches out to 500 other hosts in one minute over ports 135, 137, 139, or 445. The following parameters are configurable: source IP addresses to exclude, number of connection attempts, TCP destination ports to include. Prerequisites are: device parser must be enabled. Use RSAFlow for 10.3 Log Decoder or CEF for 10.4 Log Decoder. Meta key "direction" must be indexed by the Log Decoder within the table-map.xml file and the Concentrator within the index-concentrator-custom.xml file.
Medium: log
Tag: attack phase, crimeware, installation, malware, threat

Display Name: No logs traffic from device in given time frame
File Name: esa000059
Description: Detects when there is no traffic from a device for a specified time period. The rule identifies log traffic through: device.ip and device.type, or device.host and device.type, or a combination of both. The rule measures the time lag after it receives an event and fires the alert when the time lag exceeds the preset time.
Medium: log
Tag: operations, situation awareness

Display Name: No Packet traffic detected from source IP address in given timeframe
File Name: esa000058
Description: No traffic from a packet source in a given time frame. Packet traffic is identified via the source IP. The rule measures the time lag after it receives an event. The alert is fired when the time lag exceeds the preset time.
Medium: packet
Tag: operations, situation awareness

Display Name: NTDSXTRACT Tool Download
File Name: esa000142
Description: Detects an internal network session download of NTDSXTRACT, a tool framework for extracting data from the active directory database file NTDS.DIT. At least one network parser that supports the meta keys "action" and "filename" is required. Parsers include HTTP, FTP, IRC and NFS.
Medium: packet
Tag: action on objectives, application analysis, attack phase, event analysis, operations, threat

Display Name: P2P software as detected by an Intrusion detection device
File Name: esa000027
Description: P2P software as detected by an intrusion detection device (IDS), intrusion prevention device (IPS), firewall or vulnerability scanner.
Medium: log
Tag: application analysis, assurance, compliance, corporate, event analysis, operations

Display Name: Port Scan Vertical Log
File Name: esa000036
Description: Alert when log events contain 200 unique destination ports with the same source and destination IP within 60 seconds, indicating a vertical port scan. Both the time window and number of unique destination ports are configurable.
Medium: log
Tag: attack phase, reconnaissance, threat

Display Name: Port Scan Vertical Packet
File Name: esa000034
Description: Alert when network sessions contain 40 unique destination ports with the same source and destination IP within 180 seconds, indicating a vertical port scan. The time window, destination port range and number of unique destination ports are configurable.
Medium: packet
Tag: attack phase, reconnaissance, threat

Display Name: Potential APT Service Install
File Name: esa000153
Description: 10.4 or higher. Detects a host making a connection to an internet-routable IP address on port 80 or 443, and then subsequently generating a Windows "service installed" message.
Medium: log and packet
Tag: attack phase, installation, threat

Display Name: Potential HTTP Slow Post DoS
File Name: esa000096
Description: Triggers when a single host executes an HTTP POST to a single destination with less than or equal to 1 byte of data every 50 seconds. Both the time window and number of bytes are configurable. Note: You must upload and enable the HTTP_lua parser and its dependencies onto the Decoder.
Medium: packet
Tag: action on objectives, attack phase, denial of service, threat

Display Name: Privilege Escalation Detected
File Name: esa000172
Description: Scan for escalation in privileges for a Windows user or group. Uses a Context Hub (CH) list to track the administrative user accounts. The list of administrative groups is also configurable.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION
Rule Parameters:
* Name of a custom CH list with administrative accounts. By default, the CH list is named Admin_Accounts. You have to add users to the default Admin_Accounts CH list or replace the default CH list with the name of a custom CH list with administrative accounts. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972).
* Group Name. Specify the user group-names for administrator accounts. Default values are 'Administrators, Domain Admins, Schema Admins'.

DEPENDENCIES
* Admin_Accounts CH list
* Windows Events log parser

BUNDLES
* UEBA Essentials
Medium: log
Tag: authorization, identity

Display Name: Privilege Escalation Detected in Unix
File Name: esa000043
Description: Detects two kinds of events: a user escalates privileges using su, or an administrator adds a user to a user-defined list of groups.
Medium: log
Tag: authorization, identity

Display Name: Privilege User Account Password Change
File Name: esa000171
Description: Detects a logged modification of an administrative account password. The list of administrative users that triggers the alert is configurable. Uses a Context Hub (CH) list to track administrative accounts.

VERSIONS SUPPORTED
* 11.1 and higher

CONFIGURATION
Rule Parameters:
* Name of the Context Hub list. By default, the CH list is named Admin_Accounts. You have to add users to the default Admin_Accounts CH list or replace the default with the name of a custom CH admin accounts list. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972).

DEPENDENCIES
* Admin_Accounts CH list
* Existence of at least one log parser enabled on the log decoder which populates ec_activity = Logon and ec_activity = Modify

BUNDLES
* UEBA Essentials
Medium: log
Tag: assurance, audit, authorization, compliance, identity

Display Name: Punycode Phishing Attempt
File Name: esa000161
Description: Identifies mail sessions that have a punycode hostname and also have a mismatch between the hostname in a link (href) and the text in the same link containing an IDN homograph. This suspected phishing attempt is then followed by HTTP(S) traffic with the same hostname in the certificate or in the host. Reference the RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2017/05/03/punycode-not-all-characters-are-created-equal.

Supported on ESA 10.6.3 and higher. To enable for ESA 10.6.2, you must make the keys 'ioc' and 'analysis_service' multi-valued types. To do this, go to the NetWitness UI > Administration > Services > ESA > Explore > Workflow > Source > nextgenAggregationSource > ArrayFieldNames. Enter the keys separated by commas and restart the ESA service. If you have other ESA rules using those keys, they will need to be rewritten to use array syntax and redeployed. Select the 'Show Syntax' button in this rule to use as an example. This rule isn't supported prior to 10.6.2 due to the use of a function added to that version to compare multi-valued types.

DEPENDENCIES
Lua Parsers:
* HTTP_lua
* IDN_homograph
* phishing_lua
* MAIL_lua
* TLS_lua

You must also have at least one of the following mail protocol parsers enabled:
* SMTP_lua
* POP3_lua
* IMAP_lua
* WEBMAIL system parser

BUNDLES
* UEBA Essentials
Medium: packet
Tag: attack phase, delivery, featured, threat

Display Name: RDP Inbound Traffic
File Name: esa000064
Description: Identifies RDP inbound traffic from one or more source IPs to 2 unique destination IPs within 60 seconds.

CONFIGURATION
You may customize the number of RDP connections and time window for the connections to occur. Enter a comma-separated whitelist of source and destination IPs in order to exclude them from matching the rule.

DEPENDENCIES
Lua Parsers
* RDP_lua
* traffic_flow

BUNDLES
* UEBA Essentials
Medium: packet
Tag: action on objectives, attack phase, lateral movement, threat

Display Name: RDP traffic from Same source to Multiple different destinations
File Name: esa000063
Description: Detects RDP traffic from the same source to multiple different destinations. The time window and the number of destination connections are configurable. The default is the same source IP to 3 different destination IP addresses in a 3 minute time period.

BUNDLES
* UEBA Essentials
Medium: packet
Tag: action on objectives, attack phase, threat

Display Name: Remote Data Harvesting
File Name: esa000084
Description: Detects a successful Juniper web-based SSL VPN login followed by the transfer of one or more files to the source host, followed by a VPN logoff by the same user within 2 minutes. Only the Juniper SSL VPN event source is supported, and the associated log device parser must be deployed.
Medium: log
Tag: action on objectives, attack phase, authentication, authorization, data exfiltration, identity, threat

Display Name: Remote Password Cracking Tool Use
File Name: esa000113
Description: Detects login failures from an IP address or host source to 3 different IP or host destinations. The time window and number of login failures are configurable. This module uses the non-standard meta keys "host.src" and "host.dst". Login failures for IMAP and VNC protocols may be detected with this module. The LUA parsers for IMAP and VNC must be deployed on a Decoder.
Medium: log, packet
Tag: authentication, identity

Display Name: RIG Exploit Kit
File Name: esa000160
Description: RIG exploit kit is suspected in the compromise of a vulnerable website. This is detected through anomalous HTTP session indicators in use with RIG Exploit Kit (EK) operations or a match to a shadow domain.

REFERENCES
Reference the RSA Link blog post from RSA Research for more details about this threat:
* https://community.rsa.com/community/products/netwitness/blog/2017/02/01/rig-ek-chronology-of-an-exploit-kit
* https://community.rsa.com/community/products/netwitness/blog/rig-decimal-ip-campaign

VERSIONS SUPPORTED
* 10.6.2.1 and higher
* 10.6.2 and prior (see CONFIGURATION)

CONFIGURATION
To enable for ESA 10.6.2, you must make the keys 'ioc', 'eoc' and 'analysis_service' multi-valued types. To do this, go to the NetWitness UI > Administration > Services > ESA > Explore > Workflow > Source > nextgenAggregationSource > ArrayFieldNames. Enter the keys separated by commas and restart the ESA service. If you have other ESA rules using those keys, they will need to be rewritten to use array syntax and redeployed. Select the 'Show Syntax' button in this rule to use as an example. For more information, see https://community.rsa.com/docs/DOC-76158.

DEPENDENCIES
* HTTP_lua Lua parser
* HTML_threat Lua parser
* Rig Exploit Kit application rule
* RSA FirstWatch Command and Control IPs feed

BUNDLES
* UEBA Essentials
Medium: log and packet, packet
Tag: attack phase, exploit, featured, malware, threat

Display Name: Rogue DHCP Server Detected
File Name: esa000150
Description: Detects traffic sourced on UDP 67/68 that is not a legitimate DHCP server, based on a whitelist of IP addresses that is configurable. Prerequisites for logs are: meta key "protocol" must be indexed by the Log Decoder within the table-map.xml file and the Concentrator within the index-concentrator-custom.xml file.
Medium: log, packet
Tag: assurance, organizational hazard, risk

Display Name: SPAM Host Detection
File Name: esa000151
Description: 10.4 or higher. Detects when a SPAM host is generating 500 or more connections destined for 1 or more hosts on TCP/25 within 1 minute, followed by 10 minutes of no initiated activity to any hosts on TCP/25. The following are configurable: the number of connections per minute, the no-activity interval in seconds, the maximum number of constituent events to store in the alert. Prerequisites for logs are: meta key "protocol" must be indexed by the Log Decoder within the table-map.xml file and the Concentrator within the index-concentrator-custom.xml file.
Medium: log, packet
Tag: attack phase, delivery, threat

Display Name: SSH connection from internet routable IP followed by HTTP/SSH service restart on destination: Log
File Name: esa000078
Description: An SSH connection is detected from an internet routable IP (non-RFC 1918 standard IP or external IP addresses) followed by an HTTP/SSH service restart on the destination. The default time is 5 minutes and the default service names being monitored are sshd and httpd. This rule uses the non-indexed key "service.name". It must be indexed by the Log Decoder within the table-map.xml file and the Concentrator within the index-concentrator-custom.xml file.
Medium: log
Tag: action on objectives, attack phase, lateral movement, threat

Display Name: SSH Traffic Detected from a Source to Different Destinations
File Name: esa000044
Description: Detects SSH traffic (service=22) coming from a single IP address to 5 unique destination IPs within 3 minutes. The number of unique destination IP addresses, list of services, and the time window are configurable.
Medium: packet
Tag: event analysis, operations, protocol analysis

Display Name: Stealth Email Use
File Name: esa000121
Description: Detects a user sign-up or sign-in attempt for the following stealth mail services: Stealth Email, Hush Mail, Neomailbox, Cryptoheaven and S-mail.
Medium: packet
Tag: assurance, organizational hazard, risk

Display Name: Stealth Email Use with Large Session
File Name: esa000128
Description: Detects a session larger than 1 MB to the following stealth mail services: Stealth Email, Hush Mail, Neomailbox, Cryptoheaven and S-mail. The minimum session size, number of connections, and time window are configurable.
Medium: packet
Tag: assurance, organizational hazard, risk

Display Name: Suspicious Account Removal
File Name: esa000091
Description: Detects a user account that has been added to an administrative group which disables or removes other accounts on the same server within 15 minutes. Both the list of administrator groups and event time window are configurable.

BUNDLES
* UEBA Essentials
Medium: log
Tag: action on objectives, attack phase, authorization, identity, lateral movement, threat

Display Name: Suspicious Communication Channel: Receiver
File Name: esa000110
Description: Detects a server responding with a TCP RST in response to a SYN/ACK multiple times to the same host within one minute. The IP address that is sending the RST (not RST / ACK) may potentially be the receiving side of a covert communication channel. A number of false positives are possible if an application firewall is rejecting connection attempts. Before this ESA rule can fire, both of the following must be done: the TCP Flags Seen feed is deployed and enabled, and the meta key TCP Flags Seen (tcp_flags_seen) is indexed in index-concentrator-custom.xml.
Medium: log, packet
Tag: event analysis, flow analysis, operations, protocol analysis

Display Name: Suspicious Communication Channel: Sender
File Name: esa000109
Description: Detects servers that are generating multiple SYN/ACKs to the same host without ever having received a SYN packet from the host. In normal TCP communications, SYN/ACKs should only be presented after receiving an initiating SYN packet. Before this ESA rule can fire, both of the following must be done: the TCP Flags Seen feed is deployed and enabled, and the meta key TCP Flags Seen (tcp_flags_seen) is indexed in index-concentrator-custom.xml.
Medium: log, packet
Tag: event analysis, flow analysis, operations, protocol analysis

Display Name: Suspicious HTTP POST Commands
File Name: esa000149
Description: Detects multiple HTTP POST commands from an RFC 1918 host to a single external address. By default, detects a total of 15 POST commands that occur at the rate of one POST per 50-70 seconds. Note that subsequent beaconing alerts after the first one, all having the same medium, ip_src, and ip_dst, require one less POST than the first beacon alert. For example, for an alert to be generated from System A, 15 POSTs would be needed, but subsequent alerts from that same system would require only 14 POSTs. If System A does not alert within the maximum timeframe for the subsequent alert, it would require 15 POSTs again for an alert to be generated. This activity is indicative of the posting of harvested data from a workstation infected with one of many Zeus variants. This rule uses these variables: the number of times POST must occur before alerting, the minimum time period between each POST, and the buffer time between each POST. For example, if the post count is 15, the minimum time window is 50 and the buffer is 20, then 15 POST commands arriving at a rate of one every 50 to 70 seconds will trigger the alert. Prerequisites for logs: meta keys "action" and "web_method" must be indexed by the Log Decoder within the table-map.xml file and the Concentrator within the index-concentrator-custom.xml file.
Medium: log, packet
Tag: attack phase, command and control, threat

Display Name: Suspicious Privileged User Access Activity
File Name: esa000188
Description: Triggers when a privileged user account is observed logging into 3 or more unique hosts in 5 minutes. Uses a Context Hub (CH) list to track the privileged user accounts. Number of destination hosts and time window are configurable.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION
Rule Parameters:
* Name of a custom CH list with privileged user accounts. By default, the CH list is named Admin_Accounts. You have to add users to the default Admin_Accounts CH list or replace the default CH list with the name of a custom CH list with privileged user accounts. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972).
* Within this number of seconds: the time window within which the events must occur to trigger the rule. The default is 300 seconds.
* Number of destination hosts. Specify the number of unique destination hosts that a single privileged user must log in to before the rule triggers. The default is 3.

DEPENDENCIES
* Admin_Accounts CH list
* At least one log parser enabled on the log decoder which populates ec_activity = Logon and ec_outcome = Success, where user_dst exists and ip_dst or host_dst exists.

BUNDLES
* UEBA Essentials
Medium: log
Tag: authorization, identity

Display Name: SYN Flood Log Messages
File Name: esa000066
Description: SYN flood log messages with a count of 10 within 60 seconds from the device classes of either IDS, IPS or Firewall. The rule will trigger when the Event Classification Tags (ECT) of ec.theme is equal to "TEV", ec.activity is equal to "Detect" and ec.subject is equal to "NetworkComm", in combination with a variation of the keyword Syn Flood found within "policy.name", "event.desc" or "msg.id". This alert uses the non-standard meta key "event.desc", so it must be indexed by the Log Decoder within the table-map.xml file and the Concentrator within the index-concentrator-custom.xml file.
Medium: log
Tag: action on objectives, attack phase, denial of service, event analysis, operations, protocol analysis, threat

Display Name: Tor Outbound
File Name: esa000164
Description: This rule indicates that Tor outbound traffic has been detected. This rule triggers on the following two conditions:
* Tor outbound app rule triggered for at least 2 times within a 5 minute time window
* At least 9 alerts indicating issuer and subject name missing in SSL certificate within a 5 minute time window

VERSIONS SUPPORTED
* 10.6.2.1 and higher
* 10.6.2 and prior (see CONFIGURATION)

CONFIGURATION
To enable for ESA 10.6.2 and prior, you must make the keys 'analysis_service' and 'ioc' multi-valued types. To do this, go to the NetWitness UI > Administration > Services > ESA > Explore > Workflow > Source > nextgenAggregationSource > ArrayFieldNames. Enter the keys separated by commas and restart the ESA service. If you have other ESA rules using those keys, they will need to be rewritten to use array syntax and redeployed. For more information, see https://community.rsa.com/docs/DOC-76158

DEPENDENCIES
Packets:
Lua Parsers
* TLS_lua
* traffic_flow
Application Rule
* Tor Outbound

Logs:
Lua Parsers
* traffic_flow
Application Rule
* Tor Outbound
Medium: log, packet
Tag: assurance, compliance, corporate, organizational hazard, risk, threat

Display Name: User Account Created and Deleted within an Hour
File Name: esa000180
Description: Detects when a user account is created and then gets deleted within the same hour. Uses a Context Hub (CH) list to track users.

VERSIONS SUPPORTED
* 11.1 and higher

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger the rule. The default is 3600 seconds.
* Name of the Context Hub whitelist. By default, the CH list is named User_Whitelist. Add or remove users from the default User_Whitelist CH list or replace the default with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972).

DEPENDENCIES
* User_Whitelist CH list
* Existence of at least one log parser enabled at log decoder which populates ec_subject=User, ec_outcome=Success and either ec_activity=Create or ec_activity=Delete and user_dst is not null.

BUNDLES
* UEBA Essentials
Medium: log
Tag: authentication, authorization, identity

Display Name: User Added to Admin Group Same User Login OR Same User su sudo
File Name: esa000181
Description: Alert when a user is upgraded to one of the admin groups and the same user then logs in or performs a sudo operation. This rule is specific to Unix devices. The events may indicate malicious activity by the user. Uses a Context Hub (CH) list to track users.

VERSIONS SUPPORTED
* 11.1 and higher

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger the rule. The default is 300 seconds.
* Name of the Context Hub (CH) whitelist. By default, the CH list is named User_Whitelist. Add or remove users from the default User_Whitelist CH list or replace the default with the name of a custom CH user whitelist. For a list of out of the box CH Lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972).
* Group Name. Specify the user group-names for custom group accounts. Default values are 'root, wheel'.

DEPENDENCIES
* User_Whitelist CH list
* Unix device class log parsers.

BUNDLES
* UEBA Essentials
logauthentication, authorization, identity

Display Name: User added to admin group then iptables is restarted
File Name: esa000079
Description: Detects when a user is added to one of the specified groups and the same user then restarts iptables on the same device IP. This rule is specific to Linux devices.
Medium: log
Tags: action on objectives, attack phase, authorization, identity, lateral movement, threat

Display Name: User added to admin group then SIGHUP detected
File Name: esa000185
Description: Detects when a user is added to one of the admin groups (a custom list of groups) and a SIGHUP to a service is detected on the same device (device.ip). This rule is specific to Unix devices. Uses a Context Hub (CH) list to track users.

VERSIONS SUPPORTED
* 11.1 and higher

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window in which the events must occur to trigger the rule. Default: 300 seconds.
* Name of the Context Hub whitelist. By default, the CH list is named User_Whitelist. Add or remove users from the default User_Whitelist CH list, or replace the default with the name of a custom CH user whitelist. For a list of out-of-the-box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972).
* Group Name: the admin group names to monitor (custom group accounts). Default values are 'root, wheel'.

DEPENDENCIES
* User_Whitelist CH list
* Unix device class log parsers.

BUNDLES
* UEBA Essentials

Medium: log
Tags: action on objectives, attack phase, authorization, identity, lateral movement, threat

Display Name: User Added to Admin Group then SSH is Enabled
File Name: esa000032
Description: Detects when a user is added to an administrator group and the SSH service starts on the same Linux machine. This rule relies on Event Categorization Tags (ECT) for group modification. You can configure the time period, service name, and the list of administrator groups.
Medium: log
Tags: action on objectives, attack phase, authorization, data exfiltration, identity, threat

Display Name: User added to admin group then syslog is disabled
File Name: esa000041
Description: Detects when a user is added to one of the listed groups and the same user then stops the syslog/rsyslog service on a Linux machine. The rule relies on Event Categorization (ec) tags for group modification. A Linux machine does not generate an event for stopping the syslog service, but it does generate one for stopping kernel logging; that event is used to fire the rule.
Medium: log
Tags: action on objectives, attack phase, authorization, data sabotage, identity, lateral movement, threat

Display Name: User Login Baseline
File Name: esa000173
Description: This rule detects user accounts suspected of misuse due to credential compromise or a malicious insider. The account is flagged because of unusual login activity within the organization. Login activity per user is stored and a score is calculated. When that score exceeds a configurable threshold and the number of unique devices logged into is unusual, an alert is generated.

REFERENCES
For more details about this rule, see the User Login Baseline topic at https://community.rsa.com/docs/DOC-86692.

VERSIONS SUPPORTED
* 11.1 and higher

CONFIGURATION
Rule Parameters:
* Blacklist of device class. By default, each device class supported by RSA is listed.
* Maximum average for user login activity. By default, this is 150 user logins over the length of the baseline.
* Maximum login count. By default, this is 300 user logins over the current window of 24 hours.
* Minimum average for user login activity. By default, this is an average of 3 user logins over the length of the baseline.
* Name of the CH list for the user whitelist. By default, the CH list is named User_Whitelist. Add users to the default User_Whitelist CH list, or replace the default with the name of a custom CH user whitelist. For a list of out-of-the-box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972).
* Number of days to baseline user login activity. By default, the rule stores user login activity for 7 days.
* Number of unique device logins. By default, the number of unique devices is set to 20 over the current window of 24 hours.
* Score threshold to trigger the rule. By default, the score threshold is 80.
* Time in minutes to suppress alerts. The default value is 1440 minutes. During this period, all but the first event per user are suppressed.

DEPENDENCIES
* User_Whitelist CH list
* At least one log parser that populates ec_activity = Logon and ec_outcome = Success or Failure with a non-null user_dst key

BUNDLES
* UEBA Essentials

Medium: log
Tags: action on objectives, attack phase, authentication, identity, lateral movement, threat

Display Name: VM Clone After Multiple Root ESX Login Attempts
File Name: esa000050
Description: Requires 10.4 or higher. Alerts when 3 root login failures to an ESX server are followed by a root login success to an ESX server and then a VM Clone event, all within 5 minutes. The time window and number of root login failures are configurable.
Medium: log
Tags: action on objectives, attack phase, authentication, identity, lateral movement, threat

Display Name: Web DoS Alert
File Name: esa000095
Description: Alerts to a possible web DoS when 40 connection attempts occur within a 1 minute period over port 80 or 443, from unique source IP addresses to the same destination IP address. The number of connection attempts, list of TCP destination ports, and whitelist of source IP addresses are configurable.
Medium: packet
Tags: action on objectives, attack phase, denial of service, threat

Display Name: Web DoS Attack
File Name: esa000030
Description: Alerts to a possible web DoS attack when 1000 connection attempts occur over port 80 or 443 from the same source IP to the same destination IP. The number of connection attempts, list of TCP destination ports, and whitelist of source IPs are configurable.
Medium: packet
Tags: action on objectives, attack phase, denial of service, threat

Display Name: Webshells Detected
File Name: esa000163
Description: This rule fires when 3 webshell detections occur in communication between the same source and destination IP pair within a 10 minute time window.

VERSIONS SUPPORTED
* 10.6.2.1 and higher
* 10.6.2 and prior (see CONFIGURATION)

CONFIGURATION
To enable this rule on ESA 10.6.2 and prior, you must make the keys 'analysis_service' and 'ioc' multi-valued types. To do this, go to the NetWitness UI > Administration > Services > ESA > Explore > Workflow > Source > nextgenAggregationSource > ArrayFieldNames. Enter the keys separated by commas and restart the ESA service. If you have other ESA rules using those keys, they must be rewritten to use array syntax and redeployed. For more information, see https://community.rsa.com/docs/DOC-76158.

DEPENDENCIES
Lua Parsers
* HTTP_lua
* china_chopper

Medium: packet
Tags: malware, threat, web shells

Display Name: Windows Audit Log Cleared
File Name: esa000014
Description: Alerts when the Windows audit log is cleared.
Medium: log
Tags: assurance, audit, compliance

Display Name: Windows Suspicious Admin Activity: Audit Log Cleared
File Name: esa000176
Description: Detects when a user account is created, added to the Administrators group, and the audit logs are cleared within a five minute period.

VERSIONS SUPPORTED
* NetWitness 11.1 and higher

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window in which the events must occur to trigger the rule. Default: 300 seconds.
* Name of the CH list for the user whitelist. By default, the CH list is named User_Whitelist. Add users to the default User_Whitelist CH list, or replace the default with the name of a custom CH user whitelist. For a list of out-of-the-box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972).

DEPENDENCIES
* User_Whitelist CH list
* At least one Windows Event log parser enabled on the log decoder

BUNDLES
* UEBA Essentials

Medium: log
Tags: action on objectives, assurance, attack phase, audit, authorization, compliance, data sabotage, identity, threat

Display Name: Windows Suspicious Admin Activity: Firewall Service Stopped
File Name: esa000177
Description: Detects when a user account is created, added to the Administrators group, and the firewall service is stopped within a five minute time period.

VERSIONS SUPPORTED
* NetWitness 11.1 and higher

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window in which the events must occur to trigger the rule. Default: 300 seconds.
* Name of the CH list for the user whitelist. By default, the CH list is named User_Whitelist. Add users to the default User_Whitelist CH list, or replace the default with the name of a custom CH user whitelist. For a list of out-of-the-box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972).

DEPENDENCIES
* User_Whitelist CH list
* At least one Windows Event log parser enabled on the log decoder

BUNDLES
* UEBA Essentials

Medium: log
Tags: action on objectives, attack phase, authorization, identity, lateral movement, threat

Display Name: Windows Suspicious Admin Activity: Network Share Created
File Name: esa000178
Description: Detects when a user account is created, added to the Administrators group, and a network share is created within a five minute time period. You can configure the time period.

VERSIONS SUPPORTED
* NetWitness 11.1 and higher

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window in which the events must occur to trigger the rule. Default: 300 seconds.
* Name of the CH list for the user whitelist. By default, the CH list is named User_Whitelist. Add users to the default User_Whitelist CH list, or replace the default with the name of a custom CH user whitelist. For a list of out-of-the-box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972).

DEPENDENCIES
* User_Whitelist CH list
* At least one Windows Event log parser enabled on the log decoder

BUNDLES
* UEBA Essentials

Medium: log
Tags: action on objectives, attack phase, authorization, identity, lateral movement, threat

Display Name: Windows Suspicious Admin Activity: Shared Object Accessed
File Name: esa000179
Description: Detects when a Windows user account is created, a shared object is accessed, and the account is deleted within a five minute time period.

VERSIONS SUPPORTED
* NetWitness 11.1 and higher

CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window in which the events must occur to trigger the rule. Default: 300 seconds.
* Name of the CH list for the user whitelist. By default, the CH list is named User_Whitelist. Add users to the default User_Whitelist CH list, or replace the default with the name of a custom CH user whitelist. For a list of out-of-the-box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972).

DEPENDENCIES
* User_Whitelist CH list
* At least one Windows Event log parser enabled on the log decoder

BUNDLES
* UEBA Essentials

Medium: log
Tags: action on objectives, attack phase, authorization, identity, lateral movement, threat

Display Name: Windows User Added to Administrators Group and Security Disabled
File Name: esa000073
Description: Detects when a Windows user is added to an administrative group and the security center or manager is disabled within the specified time period. You can configure the list of administrator groups and the time period (the default value is five minutes). Note: This rule uses the "accesses" and "event.desc" non-standard meta keys. You must implement these non-standard meta keys after you download this rule.
Medium: log
Tags: action on objectives, attack phase, authorization, identity, lateral movement, threat

Display Name: Windows Worm Activity Detected Logs
File Name: esa000082
Description: Detects log messages indicative of a worm with a destination port of 137, 138, 139 or 445 from at least 10 unique RFC-1918 source IPs within 1 minute. The list of destination ports, event time window and number of unique source IPs are configurable.
Medium: log
Tags: attack phase, crimeware, installation, malware, threat

Display Name: Windows Worm Activity Detected Packets
File Name: esa000081
Description: Detects a single source IP reaching out to 10 distinct destination IP addresses on ports 137, 138, 139, or 445 within 1 minute. The list of destination ports, event time window and number of unique destination IPs are configurable.
Medium: packet
Tags: attack phase, crimeware, installation, malware, threat