RSA ESA Rules

Document created by RSA Information Design and Development on May 25, 2016
Last modified by RSA Information Design and Development on May 21, 2018
Version 167
 

The following table illustrates how the current RSA Event Stream Analysis Rules are displayed in the ESA Define view after you download them from Live. The Module Name is the internal identification code for the rule. The Medium column shows the data source the rule consumes: log events (Logs), network session metadata (Packets), or both.

Note: For content that has been discontinued, see Discontinued Content.


Display Name

Module Name

Description

Medium

Account Added to Administrators Group and Removed

esa000090

Detects log events when a user is added to an administrative group, and then removed from the group within 15 minutes.

Both the list of administrator groups and event time window are configurable.

Logs

Account Removals From Protected Groups on Domain Controller

esa000133

Detects account removal from a protected group on a domain controller. There are five parameters:

  • Device host names to monitor
  • Device IP addresses to monitor
  • Protected groups to monitor
  • Number of times an account was removed before the alert triggers
  • Number of seconds in which events must occur

Logs

Advanced Rule Template

 

You must download this template so that you can define Advanced ESA rules. See Add Rules to the Rule Library in the Alerting using ESA Guide for details on how to create and maintain ESA rules.

N/A

Aggressive Internal Database Scan

esa000104

Detects a single host making connection attempts to 100 or more unique IP addresses within 1 minute over any combination of the following ports:

  • TCP/1433
  • UDP/1434
  • TCP/3306
  • TCP/5432
  • TCP/3351
  • TCP/1521

Source & Destination IP addresses must be internal addresses according to the RFC-1918 specification. The time window, list of port numbers and target host count are configurable.

Packets

Aggressive Internal NetBIOS Scan

esa000103

Detects a single host making connection attempts to 100 or more unique IP addresses in 1 minute over any combination of the following ports:

  • UDP/137
  • UDP/138
  • TCP/139

Source & Destination IP addresses must be internal addresses according to the RFC-1918 specification. The time window, list of port numbers and target host count are configurable.

Packets

Aggressive Internal Web Portal Scan

esa000102

Detects a single host making connection attempts to 100 or more unique IP addresses in 1 minute over any combination of TCP/80 and TCP/443.

Source & Destination IPs must be internal addresses according to the RFC-1918 specification.

The list of ports, time window, and target host count are configurable.

Packets
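The three internal-scan rules above share one detection shape: a sliding time window per source, a count of unique destinations inside it, an RFC-1918 test on both endpoints, and a port list that decides which sessions count. The shipped rules are Esper EPL statements run by ESA; the Python below is an added illustration of that logic and is not RSA's rule code. The session records, their field names (src, dst, proto, dport, time) and the three hosts are constructed for the example; the port sets and the defaults (100 destinations, 60 seconds) are the ones the page lists.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Port lists as given on this page for esa000104, esa000103 and esa000102.
DATABASE_PORTS = {("tcp", 1433), ("udp", 1434), ("tcp", 3306),
                  ("tcp", 5432), ("tcp", 3351), ("tcp", 1521)}
NETBIOS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139)}
WEB_PORTAL_PORTS = {("tcp", 80), ("tcp", 443)}

# RFC 1918 ranges spelled out explicitly: ipaddress's is_private is broader
# (it also covers loopback, link-local and the documentation networks).
_RFC1918 = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True only for addresses inside 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _RFC1918)


class InternalScanDetector:
    """Sliding-window count of unique internal destinations per internal source.

    Alerts when one RFC 1918 source reaches `threshold` unique RFC 1918
    destinations within `window_seconds` on any (proto, port) in `ports`.
    Sessions on other ports, or with a non-internal endpoint, are ignored,
    as the three scan rules describe. Sessions must be fed in time order.
    """

    def __init__(self, ports, threshold=100, window_seconds=60):
        self.ports = set(ports)
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self._seen = defaultdict(deque)   # src -> deque of (time, dst)

    def feed(self, session):
        """Consume one session record; return an alert dict or None."""
        if (session["proto"], session["dport"]) not in self.ports:
            return None
        if not (is_rfc1918(session["src"]) and is_rfc1918(session["dst"])):
            return None
        ts, src = session["time"], session["src"]
        q = self._seen[src]
        q.append((ts, session["dst"]))
        while q and ts - q[0][0] > self.window:   # evict sessions that aged out
            q.popleft()
        unique = {dst for _, dst in q}
        if len(unique) < self.threshold:
            return None
        alert = {"src": src, "unique_dst": len(unique),
                 "first_seen": q[0][0], "last_seen": ts}
        q.clear()        # one alert per scan burst, not one per extra session
        return alert


def detect(sessions, detector):
    """Run every session through the detector (in time order) and collect alerts."""
    alerts = []
    for s in sorted(sessions, key=lambda s: s["time"]):
        alert = detector.feed(s)
        if alert:
            alerts.append(alert)
    return alerts


def build_sessions():
    """Constructed session metadata (not captured traffic) for three behaviours."""
    t0 = datetime(2018, 5, 21, 12, 0, tzinfo=timezone.utc)
    sessions = []
    # 10.0.0.5 touches 100 internal hosts on tcp/1433 within 30 s: a database sweep.
    for i in range(100):
        sessions.append({"time": t0 + timedelta(seconds=0.3 * i), "src": "10.0.0.5",
                         "dst": f"192.168.1.{i + 1}", "proto": "tcp", "dport": 1433})
    # The same host also hits 100 external addresses on tcp/3306: the destination
    # is not RFC 1918, so those sessions must not count.
    for i in range(100):
        sessions.append({"time": t0 + timedelta(seconds=0.3 * i + 0.1), "src": "10.0.0.5",
                         "dst": f"203.0.113.{i + 1}", "proto": "tcp", "dport": 3306})
    # 10.0.0.9 probes 120 internal hosts on tcp/5432, but one every 5 s: never
    # more than 13 unique destinations inside any 60 s window, so no alert.
    for i in range(120):
        sessions.append({"time": t0 + timedelta(seconds=5 * i), "src": "10.0.0.9",
                         "dst": f"172.16.5.{i + 1}", "proto": "tcp", "dport": 5432})
    return sessions


if __name__ == "__main__":
    for alert in detect(build_sessions(), InternalScanDetector(DATABASE_PORTS)):
        print(alert)
```

Swapping DATABASE_PORTS for NETBIOS_PORTS or WEB_PORTAL_PORTS gives the other two rules; the same constructed traffic produces no NetBIOS alert because none of it is on UDP/137, UDP/138 or TCP/139. The explicit RFC 1918 list matters: Python's is_private also returns True for loopback, link-local and documentation ranges, which would silently widen the rule.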

AWS Critical VM Modified

esa000134

10.5 and higher. Detects when Amazon Web Services (AWS) critical virtual machine instances are modified. Actions detected by this module include instances being terminated, stopped and rebooted as well as modification of instance attributes and monitoring status.

In order to trigger an alert, a custom feed of critical instance source IPs must be created to populate the alert meta key with the value 'critical_vm'. The AWS CloudTrail log parser is a required dependency.

Logs

AWS Permissions Modified Followed By Instance State Change

esa000155

10.5 and higher. Detects when an Amazon Web Services (AWS) permission is modified followed by an instance state change.

By default, the creation of a new user followed by the launch of a new instance or the termination of an existing instance within 5 minutes triggers the rule.

The list of permission modifications, instance state changes and time window are configurable.

The CEF log parser is a required dependency.

Logs

Backdoor Activity Detected

esa000061

Detects backdoor activity using log files. By default, the rule triggers when there is a variation of the keyword backdoor found in either policy.name or event.category.name.

You can customize the list of backdoor names the rule looks for in policy.name and event.category.name.

Logs

Basic Rule Template

 

You must download this template so that you can define Rule Builder ESA rules. See Add Rules to the Rule Library in the Alerting using ESA Guide for details on how to create and maintain ESA rules.

N/A

BYOD Mobile Web Agent Detected

esa000117

Detects a web-browsing agent for a mobile device.

To configure the rule, specify the list of unauthorized browser agents and remove any mobile agents that are authorized from the list.

The rule is triggered when an employee uses an unauthorized device on the network.

In addition to the list of unauthorized browser agents, the following parameters are also configurable:

  • The number of connections allowed per source before the alert is triggered. Default is 1.
  • The time window within which the unauthorized use takes place. The default is 600 seconds. 

Packets

Cerber Ransomware

esa000158

For Cerber4 to Cerber6, the rule looks for a spray of outbound suspected command and control (C2) traffic via UDP ports 6892 and 6893, from a single source IP to multiple destination IPs. The time window, list of UDP port numbers and amount of UDP traffic are configurable.

Prior to Cerber4, the detection relies on a pattern of Cerber ransomware in which a geolocation check of an IP is performed in order to bypass hosts in Eastern European countries directly followed by a one-way command and control (C2) via UDP port 6892. The time window, list of UDP port numbers and IP geolocation check sites are configurable.

The Lua parsers, traffic_flow and DNS_verbose_lua, are required.

For more details about this threat, reference these RSA Link blog posts from RSA Research:

Packets

Client Using Multiple DHCP Servers

esa000152

Detects a connection from a single IP address to 2 or more destination IP addresses on UDP 67 or UDP 68, within 10 minutes. The time period is configurable.

Prerequisites for logs are: Meta-key 'protocol' must be indexed in table-map.xml and index-concentrator-custom.xml.

Packets

Cybergate RAT Download

esa000145

Detects an internal network session download of CyberGate RAT.

At least one network parser that supports the meta keys 'action' and 'filename' is required. Parsers include HTTP, FTP, IRC and NFS.

Packets

Detection of Encrypted Traffic to Countries

esa000065

Detects when there is encrypted traffic to an IP address registered in the specified list of destination countries.

Note: You must upload and enable the TLS_lua parser, the SSH_lua parser, and their dependencies on the Decoder.

Packets

Detection of Syn Flood Attack using Netflow

esa000077

Detects a SYN flood denial-of-service attack using NetFlow records.

In order for this ESA Rule to fire, ensure that the device parser RSAFlow for 10.3 log decoder or CEF for 10.4 log decoder and the TCP Flags Seen feed are enabled.

Also, for this alert to fire, ensure the following:

  • Meta-key direction is indexed in table-map.xml and index-concentrator-custom.xml, and 
  • Meta-key TCP Flags Seen (tcp_flags_seen) is indexed in index-concentrator-custom.xml

Logs

Detects Router Configuration Attempts

esa000069

Detects when a change to a router configuration is attempted. This rule triggers when the Event Classification Tags (ECT) satisfy either ec.activity equal to 'Modify' and ec.theme equal to 'Configuration', or event.cat.name equal to 'Config.Changes', together with device.class equal to 'Router'.

Logs

Direct Login By A Watchlist Account

esa000169

Detects a successful interactive or remote-interactive logon to a Windows host by a user account on a watchlist. Uses a Context Hub (CH) list to track the watched users.

VERSIONS SUPPORTED

  • NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Name of the Context Hub (CH) list for user blacklist. By default, the CH list is named User_Blacklist. You have to add users to the default User_Blacklist CH list or replace the default CH list with the name of a custom CH user blacklist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.

DEPENDENCIES

  • User_Blacklist CH list
  • Windows events log Parser

Logs

DNS Amplification

esa000013

Detects when a UDP destination port is 53 and the total size of the network session packets is more than 4000 bytes.

Both port and packet size are configurable.

Packets

ECAT Alert With Audit Log Cleared

esa000087

10.4 or higher. Detects when a host-based, ECAT alert is followed by a Windows audit log cleared activity within 2 minutes. The default time period is configurable.

Logs

ECAT Alert With Beaconing

esa000086

Detects when a host-based, ECAT alert is followed by beaconing activity within 10 minutes.

Logs, logs & packets

ECAT Alert With Botnet

esa000085

Detects when a host-based, ECAT alert is followed by botnet activity within 10 minutes.

Logs, logs & packets

ECAT Alert With Suspicious Encrypted Traffic

esa000088

Detects when a host-based, ECAT alert is followed by suspicious, encrypted traffic within 5 minutes.

Logs & packets

ECAT With SSH Traffic on Same Source

esa000094

This ESA alert looks for a host that has been connected to via SSH, and subsequently generates an ECAT alert within a specified time interval.

Logs & packets

ESA Event Source Monitor

esa000159

This rule monitors logs that have an event time one hour or more before the time ESA processes them. This could indicate a lag in processing time that should be investigated dependent upon your system configuration. The time window is configurable. This rule requires at least one configured event source.

Logs

Excessive Web Server Errors from Same IP

esa000003

Detects five or more error code responses from a web server that begin with the number 4 or 5 for the same source IP address within one minute. You can configure the number of errors and time period.

Logs

Failed logins Followed By Successful Login and a Password Change

esa000175

replaces esa000018

Five or more failed logins for a user followed by a successful login and a password change within 5 minutes.

VERSIONS SUPPORTED

NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters

  • Within this number of seconds, allows you to choose the time window to trigger events. The default value is 300 seconds.
  • Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.

DEPENDENCIES

  • User_Whitelist CH list
  • At least one log parser enabled on the log decoder which populates ec_activity = Logon/Modify, ec_outcome = Success/Failure and user_dst is not null.

Logs
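The rule above is a three-stage sequence keyed on user_dst: at least five Logon/Failure events, then a Logon/Success, then a password change, all inside one 300-second window, with whitelisted users skipped. As an added example (not the shipped EPL rule), the Python below keeps a per-user event window and checks that order. The events, the whitelist contents and the way a password change is represented (ec_activity 'Modify' with ec_outcome 'Success') are assumptions for the example; the page names the meta keys the parser must populate but not the exact test the rule applies.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Stand-in for the User_Whitelist Context Hub list (constructed for the example).
USER_WHITELIST = {"svc_backup", "scanner"}


class FailedThenSuccessThenPasswordChange:
    """Per-user sequence: N login failures, then a success, then a password change.

    All three stages must fall inside one `window_seconds` window and the user
    must not be on the whitelist. Events are expected in time order.
    ASSUMPTION: a password change is modelled as ec_activity == "Modify" with
    ec_outcome == "Success"; the page does not show the shipped rule's exact test.
    """

    def __init__(self, failures=5, window_seconds=300, whitelist=USER_WHITELIST):
        self.failures = failures
        self.window = timedelta(seconds=window_seconds)
        self.whitelist = whitelist
        self._events = defaultdict(deque)   # user_dst -> (time, activity, outcome)

    def feed(self, ev):
        """Consume one normalised log event; return an alert dict or None."""
        user = ev.get("user_dst")
        if not user or user in self.whitelist:      # user_dst must be non-null
            return None
        q = self._events[user]
        q.append((ev["time"], ev["ec_activity"], ev["ec_outcome"]))
        while q and ev["time"] - q[0][0] > self.window:   # drop aged-out events
            q.popleft()
        if (ev["ec_activity"], ev["ec_outcome"]) != ("Modify", "Success"):
            return None                  # only the final stage triggers a check
        return self._match(user, q)

    def _match(self, user, q):
        fails, success_at = 0, None
        for ts, activity, outcome in list(q)[:-1]:   # everything before the change
            if (activity, outcome) == ("Logon", "Failure") and success_at is None:
                fails += 1
            elif ((activity, outcome) == ("Logon", "Success")
                  and fails >= self.failures and success_at is None):
                success_at = ts          # first success after the Nth failure
        if success_at is None:
            return None
        alert = {"user": user, "failures": fails, "success_at": success_at,
                 "password_change_at": q[-1][0]}
        q.clear()
        return alert


def detect(events, detector):
    """Feed events in time order and collect the alerts."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        alert = detector.feed(ev)
        if alert:
            alerts.append(alert)
    return alerts


def build_events():
    """Constructed events carrying only the meta keys the rule depends on."""
    t0 = datetime(2018, 5, 21, 3, 0, tzinfo=timezone.utc)

    def ev(user, offset, activity, outcome):
        return {"time": t0 + timedelta(seconds=offset), "user_dst": user,
                "ec_activity": activity, "ec_outcome": outcome}

    def burst(user, start):   # five failures ten seconds apart, then a success
        return ([ev(user, start + 10 * i, "Logon", "Failure") for i in range(5)]
                + [ev(user, start + 50, "Logon", "Success")])

    events = []
    events += burst("alice", 0) + [ev("alice", 70, "Modify", "Success")]   # full sequence
    events += burst("bob", 0)                                              # no password change
    events += burst("svc_backup", 0) + [ev("svc_backup", 70, "Modify", "Success")]  # whitelisted
    events += burst("carol", 0) + [ev("carol", 400, "Modify", "Success")]  # change outside window
    events += [ev("dan", 0, "Logon", "Failure"), ev("dan", 5, "Logon", "Success"),
               ev("dan", 9, "Modify", "Success")]                          # only one failure
    return events


if __name__ == "__main__":
    for alert in detect(build_events(), FailedThenSuccessThenPasswordChange()):
        print(alert)
```

Only alice produces an alert: bob never changes the password, svc_backup is whitelisted, carol's change arrives after the failures have aged out of the window, and dan has a single failure. Lowering the failure count to 1 picks up dan as well, which is the knob the first rule parameter above exposes.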

Failed logins outside business hours

esa000166

This rule triggers when a user fails to log in to a system outside business hours (evaluated in UTC) under the following conditions:

  • At least 2 failed logins, described by ec_activity = Logon and ec_outcome=failure
  • The failed logins are within a 3600 second (60 minute) timeframe
  • The failed logins are outside of business hours: by default, this means after 5 pm and before 9 am the following day in UTC time format
  • Device is not in the whitelist (device classes exempt from failed login alert)
  • Device is in the blacklist (device classes NOT exempt from failed login alert)

This rule suppresses "extra" failed logins. For example, using the default conditions, if within 60 minutes, sometime between 5 pm and 9 am the following day, user xyz tries to log on 5 times and fails each time, this rule triggers an alert only for the first 2 failed logins and will suppress the next 3 events (login failures).

CONFIGURATION

Rule Parameters:

  • Start of non-working hours time window for generating alerts is configurable. By default, 17 (UTC Format)
  • End of non-working hours time window for generating alerts is configurable. By default, 9 (UTC Format)
  • Within this number of seconds, allows you to choose the time window to trigger events. By default, 3600 seconds time frame.
  • Alerts suppressed events time window is configurable, which allows flexibility to select alert suppression time frame. By default, 3600 seconds time frame.
  • Blacklist device class is configurable to trigger alert. By default, 29 device classes listed as blacklist.
  • Whitelist device class is configurable to exempt from alert. By default, content management systems device class listed as whitelist.
  • Username is configurable, so that you can specify a list of usernames to be excluded from generating alerts. By default, service accounts are listed.

DEPENDENCIES

Log Parsers:

  • At least one log parser enabled at log decoder which populates ec_activity = Logon and ec_outcome=failure and user_dst.

Logs
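Two details of the rule above are easy to get wrong in an implementation: the non-working-hours window wraps past midnight (17:00 to 09:00 UTC the next day), and once an alert fires, further failures for that user are suppressed for a configurable period instead of raising more alerts. The Python below is an added illustration of that logic, not the shipped EPL rule; the device-class lists, the excluded service accounts and the events are constructed, and the 29-class default blacklist is reduced to a handful of names.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for the rule's device-class lists and excluded users.
# The page says 29 classes are blacklisted by default; only a few appear here.
BLACKLIST_DEVICE_CLASSES = {"Windows Hosts", "Unix", "Firewall", "VPN"}
WHITELIST_DEVICE_CLASSES = {"Content Management System"}
EXCLUDED_USERS = {"svc_backup", "svc_monitor"}


def outside_business_hours(ts, start_hour=17, end_hour=9):
    """Hour-of-day test in UTC that handles the overnight wrap.

    With the defaults (17 -> 9) the window crosses midnight, so an hour counts
    when it is >= 17 OR < 9. A window that does not wrap (say 0 -> 5) is a
    plain range check.
    """
    hour = ts.astimezone(timezone.utc).hour
    if start_hour > end_hour:
        return hour >= start_hour or hour < end_hour
    return start_hour <= hour < end_hour


class AfterHoursFailedLogins:
    def __init__(self, failures=2, window_seconds=3600, suppress_seconds=3600,
                 start_hour=17, end_hour=9):
        self.failures = failures
        self.window = timedelta(seconds=window_seconds)
        self.suppress = timedelta(seconds=suppress_seconds)
        self.start_hour, self.end_hour = start_hour, end_hour
        self._fails = defaultdict(deque)   # user_dst -> failure timestamps
        self._last_alert = {}              # user_dst -> time of last alert
        self.suppressed = 0                # failures swallowed by suppression

    def feed(self, ev):
        """Consume one event (time-ordered); return an alert dict or None."""
        if (ev["ec_activity"], ev["ec_outcome"]) != ("Logon", "Failure"):
            return None
        user = ev.get("user_dst")
        if not user or user in EXCLUDED_USERS:
            return None
        dev = ev["device_class"]
        if dev in WHITELIST_DEVICE_CLASSES or dev not in BLACKLIST_DEVICE_CLASSES:
            return None
        ts = ev["time"]
        if not outside_business_hours(ts, self.start_hour, self.end_hour):
            return None
        last = self._last_alert.get(user)
        if last is not None and ts - last <= self.suppress:
            self.suppressed += 1           # an alert for this user is still "live"
            return None
        q = self._fails[user]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) < self.failures:
            return None
        alert = {"user": user, "failures": len(q), "first": q[0], "last": ts}
        q.clear()
        self._last_alert[user] = ts
        return alert


def detect(events, detector):
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        alert = detector.feed(ev)
        if alert:
            alerts.append(alert)
    return alerts


def build_events():
    """Constructed failed-logon events; every timestamp is UTC."""
    def ev(user, when, device_class="Windows Hosts"):
        return {"time": when, "user_dst": user, "device_class": device_class,
                "ec_activity": "Logon", "ec_outcome": "Failure"}
    night = datetime(2018, 5, 21, 22, 0, tzinfo=timezone.utc)
    day = datetime(2018, 5, 21, 10, 0, tzinfo=timezone.utc)
    early = datetime(2018, 5, 22, 8, 30, tzinfo=timezone.utc)
    events = []
    # xyz: five failures in 20 minutes at 22:00 -> one alert, three suppressed
    events += [ev("xyz", night + timedelta(minutes=5 * i)) for i in range(5)]
    # dave: three failures during business hours -> nothing
    events += [ev("dave", day + timedelta(minutes=i)) for i in range(3)]
    # svc_backup: excluded service account -> nothing
    events += [ev("svc_backup", night + timedelta(minutes=i)) for i in range(3)]
    # erin: two failures at 08:30, still before the 09:00 end of the window -> alert
    events += [ev("erin", early + timedelta(minutes=i)) for i in range(2)]
    # frank: two failures at night, but on a whitelisted device class -> nothing
    events += [ev("frank", night + timedelta(minutes=i), "Content Management System")
               for i in range(2)]
    return events


if __name__ == "__main__":
    det = AfterHoursFailedLogins()
    for alert in detect(build_events(), det):
        print(alert)
    print("suppressed:", det.suppressed)
```

The trace for xyz reproduces the page's own example: five failures between 22:00 and 22:20 UTC give one alert on the second failure and three suppressed events. Changing start_hour and end_hour to a non-wrapping pair (for example 0 and 5) turns outside_business_hours into a plain range check, which is the case a naive "hour > 17 and hour < 9" test gets wrong in the other direction.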

File Transfer Followed by ECAT Alert From Same Source

esa000101

Detects a network session larger than 5 MB to a destination outside the RFC-1918 (private) address ranges, followed by an ECAT alert from the same source.

Logs & packets

Head Requests Flood

esa000057

Detects multiple Head requests from the same source within the given time period. Default values:

  • 30 Head requests
  • 60 seconds time period

This rule requires either the HTTP-flex or HTTP-lua parser (and their dependencies) to be enabled on the Packet Decoder.

Packets

Horizontal Port Scan

esa000167

This is the merging of the Port Scan Horizontal Log and Port Scan Horizontal Packet ESA rules.

Alerts when log events and network sessions contain 200 or more unique IP destinations with the same source IP and destination port within 60 seconds, indicating a horizontal port scan.

CONFIGURATION

Rule Parameters:

  • Within this number of seconds, allows you to choose the time window to trigger events. By default, 60 seconds time frame.
  • Blacklist device class is configurable to trigger alert. By default, Firewall device class listed as blacklist.
  • Whitelist source IP is configurable to exempt from alert. By default, 1.1.1.1 source IP source listed as whitelist.
  • Whitelist destination IP is configurable to exempt from alert. By default, 1.1.1.2 destination IP listed as whitelist.
  • Whitelist for destination port is configurable (the IP destination port for logs, the TCP or UDP destination port for packets) to exempt from alert. By default, destination port 0 is listed as whitelist.
  • Destination port range is configurable to fire the alert. By default, 1 as low range and 1024 as a high range destination port number listed.

DEPENDENCIES

Lua Parsers: traffic_flow

Logs or Packets

HTTP Outbound Traffic to Multiple Destinations From Single Source

esa000056

Detects HTTP outbound traffic to 50 unique destination IPs from a single source IP within a 60-second time period. Outbound traffic is traffic whose destination is not a private (RFC-1918) address; the source IP must be an RFC-1918 address. You can configure the time period, the number of unique destination IPs, and the source IP whitelist.

Packets

ICMP Reconnaissance Scan

esa000022

Detects log events that contain 20 messages indicating a reconnaissance event using ICMP protocol within 300 seconds from the same source IP. These events may indicate a sweep of a network to discover the range of hosts present and alive. You can configure the time period and number of messages.

Note: This rule uses the protocol non-standard meta key. You must implement this non-standard meta key after you download this rule.

Logs

IDS or IPS Generating Same Events in Network from a Source

esa000042

Detects similar IDS/IPS events from the same source and multiple destination IP addresses. The number of unique destinations and the time period are configurable.

Logs

Insider Threat Mass Audit Clearing

esa000197

replaces esa000116

Detects when the same user logs on multiple times to multiple Windows machines, then clears the audit log on each machine within a configurable time frame.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Within this number of seconds, allows you to choose the time window to trigger events. The default value is 600 seconds (10 minutes).
  • Number of systems whose Event Log was cleared. The default value is 5.
  • Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.

DEPENDENCIES

  • User_Whitelist CH list
  • Windows Events log parser

Logs

Internal Data Posting to 3rd party sites

esa000089

Detects when an internal IP address A receives an amount of data greater than configured size from internal IP address B, and then within the specified time interval, IP A posts data to external 3rd party sites.

VERSIONS SUPPORTED

SA / NW versions 10.6.0 and higher

CONFIGURATION

  • Minimum session size to trigger in bytes. The default is 5 MB (5242880 Bytes)
  • List of IPs allowed to post data outbound
  • List of allowed 3rd party hosts to post data

DEPENDENCIES

Lua Parser: traffic_flow

Packets

Intrusion alert source generates an ECAT alert 

esa000115

Detects when the source address of an IPS alert generates an ECAT alert. The alert shows only the IPS event. You pivot on the source address to fetch the ECAT event in Investigation view.

This rule requires a logging IDS, IPS or intrusion device and a logging ECAT device.

Logs

IPS alert target generates an ECAT alert

esa000114

Detects when the destination address of an IPS alert generates an ECAT alert. The ESA alert shows only the IPS event. You pivot on the destination address to fetch the ECAT event in Investigation view. This rule requires a logging IDS, IPS or intrusion device and a logging ECAT device.

Logs

jRAT Download

esa000144

Detects an internal network session download of jRAT.

At least one network parser that supports the meta keys 'action' and 'filename' is required. Parsers include HTTP, FTP, IRC and NFS.

Packets

Juniper ScreenOS Administrative Access (CVE-2015-7755)

esa000156

10.4 or higher. Detects exploitation of the Juniper ScreenOS administrative access vulnerability (CVE-2015-7755), which allows unauthorized remote administrative access to the device.

Exploitation of this vulnerability can lead to complete compromise of the affected device.

Upon exploitation of this vulnerability, the log file would contain an entry that 'system' had logged on followed by password authentication for a username.

This issue only affects ScreenOS 6.3.0r17 through 6.3.0r20. No other Juniper products or versions of ScreenOS are affected by this issue.

Logs

krbtgt Account Modified on Domain controller

esa000186

replaces esa000132

Detects modification to the krbtgt account on domain controller. There are four parameters: device hostnames to monitor, device IP addresses to monitor, number of events required to trigger the alert and number of seconds in which events must occur.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Within this number of seconds, allows you to choose the time window to trigger events. The default value is 60 seconds.
  • Number of krbtgt modifications to trigger events. The default value is 1.
  • Name of the following blacklists:

    • Name of the CH list for host blacklist. By default, the CH list is named Host_Blacklist.
    • Name of the CH list for IP blacklist. By default, the CH list is named IP_Blacklist.

    Add or remove entries from the default CH lists or replace a default with the name of a custom CH host or IP blacklist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.

DEPENDENCIES

  • Host_Blacklist CH list
  • IP_Blacklist CH list
  • At least one Windows Event log parser enabled on the log decoder.

Logs

Lateral Movement Suspected Windows

esa000195

replaces esa000157

Detects within a Windows environment a sequence of events in which an executable is copied to a file share, the executable is used to create a new service and the service is started within 5 minutes.

Notes:

  • The time window is configurable.
  • All events must be logged for the same event computer.
  • The sequence of events may indicate an attacker moving laterally by executing a backdoor on a victim machine from an already compromised system.
  • Detailed file audit logging must be enabled for the file copy event to be recorded.
  • A Microsoft Windows log parser must be enabled.

Note: This rule uses the event.computer, service.name, and disposition non-standard meta keys. These keys must be indexed by the Log Decoder within the table-map.xml file and the Concentrator within the index-concentrator-custom.xml file. See Implement Non-Standard Meta Keys Used in ESA Rules for details.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Within this number of seconds, allows you to choose the time window to trigger events. The default value is 300 seconds.
  • Name of the CH list for host whitelist. By default, the CH list is named Host_Whitelist. You have to add hosts to the default Host_Whitelist CH list or replace the default CH list with the name of a custom CH host whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.

DEPENDENCIES

  • Host_Whitelist CH list
  • At least one Windows Event log parser enabled on the log decoder.

Logs

Logins Across Multiple Servers

esa000168

Replaces esa000111 and esa000131

Detects logins from the same user across multiple separate servers or hosts.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Within this number of seconds, allows you to choose the time window to trigger events. Default value is 300 seconds.
  • Number of unique destinations. Default value is 3.
  • Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.

DEPENDENCIES

  • User_Whitelist CH list
  • At least one log parser enabled on the log decoder which populates ec_activity = Logon.

Logs

Malicious Account Creation Followed by Failed Authorization to Neighboring Devices

esa000060

Detects when a new account is created on a system and three authentication failures occur from that system with the new account name. For example, someone gains access to a system, creates a user account, and attempts to log into other appliances from the compromised system hoping that the system is considered trusted.

Logs

Malware Domains feed hit followed by an ECAT alert

esa000119

10.4 or higher. Triggers when the same host registers a hit against a Malware Domains feed and then generates an ECAT alert.

The Malware Domains feed can be deployed on a Log Decoder or Decoder. RSA ECAT Log Parser must be enabled on the Log Decoder.

Logs, Logs & packets

Malware Dropper

esa000154

This rule triggers upon download of pdf, java, rtf, or Microsoft Office file, followed by download of EXE file within 5 minutes. This is indicative of a two-stage malware dropper, where scripting code in a container file (such as pdf, java, RTF, or Microsoft Office file in this scenario), results in a request for a download of malware.

CONFIGURATION
Rule Parameters:

  • Within this number of seconds, allows you to choose the time window to trigger events. By default, 300 seconds time frame.
  • Malware dropper filetype is configurable, so that you can specify a list of malware dropper filetypes to trigger alerts. By default, RTF, pdf, java and Microsoft Office files are listed.
  • Malware dropped filetype is configurable, so that you can specify a list of malware dropped filetypes to trigger alerts. By default, windows executable files are listed.

DEPENDENCIES
Lua Parsers:

  • fingerprint_pdf_lua
  • fingerprint_java
  • fingerprint_rtf
  • fingerprint_office
  • windows_executable

CONFIGURATION

To configure other dropper filetypes, you need to enable the corresponding Lua parser. For example, you could add the msi filetype to the list of dropper filetypes, and then enable the fingerprint_msi Lua parser. Note, however, that only the default set of dropper and dropped filetypes have been tested for this rule.

Note: For the filetype value that you need to add to the rule, see the Packet Parsers section of the Lua Parsers table. For example, the msi filetype is windows installer msi.

Packets

Malware IP List feed hit followed by an ECAT alert

esa000120

10.4 or higher. Triggers when the same host registers a hit against a Malware IP List feed and then generates an ECAT alert within a five-minute time period.

Note:

  • The time period is configurable.
  • The Malware IP List feed can be deployed on a Log Decoder or Decoder.
  • RSA ECAT Log Parser must be enabled on the Log Decoder.

Logs, Logs & packets

Multiple Account Lockouts from Same or Different Users

esa000170

Replaces esa000004

Detects multiple account lockouts reported for a single or multiple users within a configurable time period (default is 10 minutes).

VERSIONS SUPPORTED

  • NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Within this number of seconds, allows you to choose the time window to trigger events. Default value is 600 seconds.
  • Number of account lockouts before this module alerts. By default, value is 10.
  • Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.

DEPENDENCIES

  • User_Whitelist CH list
  • At least one Windows Events log parser enabled on the log decoder

Logs

Multiple Failed Logins Followed by Successful Login

esa000174

replaces esa000005

Detects multiple failed logons followed by a successful logon by the same user within 5 minutes. The time window and number of failed logins are configurable.

VERSIONS SUPPORTED

NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters

  • Within this number of seconds, allows you to choose the time window to trigger events. The default value is 300 seconds.
  • Number of Failed logins before looking for Successful login. The default value is 3.
  • Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.

DEPENDENCIES

  • User_Whitelist CH list
  • At least one log parser enabled on the log decoder which populates ec_activity = Logon, ec_outcome = Success/Failure and user_dst is not null

Logs

Multiple Failed Logins from Multiple Diff Sources to Same Dest

esa000182

replaces esa000039

Alerts when log events contain multiple failed logins from a single user from multiple different sources to same destination.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Within this number of seconds, allows you to choose the time window to trigger events. The default value is 3600 seconds (60 minutes).
  • Number of login failures to trigger events. The default value is 3.
  • Name of the following whitelists:

    • Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist.
    • Name of the CH list for host whitelist. By default, the CH list is named Host_Whitelist.
    • Name of the CH list for IP whitelist. By default, the CH list is named IP_Whitelist.

    Add or remove entries from the default CH lists or replace a default with the name of a custom CH whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.

DEPENDENCIES

  • User_Whitelist CH list
  • Host_Whitelist CH list
  • IP_Whitelist CH list
  • At least one log parser enabled on the log decoder which populates ec_activity = Logon and ec_outcome = Failure

Logs

Multiple Failed Logins from Multiple Users to Same Destination

esa000192

replaces esa000046

Alerts when log events contain multiple failed logins from multiple different users from the same source to the same destination within the configured time window.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Within this number of seconds, allows you to choose the time window to trigger events. The default value is 180 seconds.
  • Number of login failures to trigger events. The default value is 3.
  • Name of the following whitelists:

    • Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist.
    • Name of the CH list for host whitelist. By default, the CH list is named Host_Whitelist.
    • Name of the CH list for IP whitelist. By default, the CH list is named IP_Whitelist.

    Add or remove entries from the default CH lists or replace a default with the name of a custom CH whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.

DEPENDENCIES

  • User_Whitelist CH list
  • Host_Whitelist CH list
  • IP_Whitelist CH list
  • At least one log parser enabled on the log decoder which populates ec_activity = Logon and ec_outcome = Failure

Logs

Multiple Failed Logins from Same User Originating from Different Countries

esa000193

replaces esa000093

Detects multiple failed logins from the same user, originating from multiple different countries, based upon GeoIP of SourceIP.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Within this number of seconds, allows you to choose the time window to trigger events. The default value is 300 seconds.
  • Number of unique countries from where failed logins originated to trigger events. The default value is 2.
  • Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.

DEPENDENCIES

  • User_Whitelist CH list
  • At least one log parser enabled on the log decoder which populates ec_activity = Logon and ec_outcome = Failure
  • Requires the built-in GeoIP parser to be enabled.

Logs

Multiple Failed Logins to Single Host from Multiple Hosts

esa000045

Detects when log events contain multiple failed logins to a single host from multiple different sources in 300 seconds. User info is not correlated among events. Both the time window and number of failed logins are configurable.

Logs

Multiple Failed Privilege Escalations by the Same User

esa000196

replaces esa000099

Triggers after a user account fails privilege escalation multiple times within a configurable number of minutes (default is 5 minutes).

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Within this number of seconds, allows you to choose the time window to trigger events. The default value is 300 seconds (5 minutes).
  • Number of failed privilege escalation attempts. The default value is 3.
  • Name of the CH list with privileged user accounts. By default, the CH list is named Admin_Accounts. You have to add users to the default Admin_Accounts CH list or replace the default CH list with the name of a custom CH list with privileged user accounts. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.

DEPENDENCIES

  • Admin_Accounts CH list
  • At least one Windows Event log parser, or a Unix log parser such as aix, hpux or solaris, enabled on the log decoder

Logs

Multiple Intrusion Scan Events from Same User to Unique Destinations

esa000068

Detects scan events from intrusion devices to unique destinations from the same user. All events leading to the alert have the same username and different destination addresses. This rule triggers when the detected events carry the ECT (Event Classification Tag) ec.activity = 'Scan', have message IDs or policy names from the user-defined list, and the count of unique destination IP addresses reaches the configured number. By default, the number of unique destination IP addresses is 3.

The number of unique destination addresses, and the list of message-ids and policy names are configurable. Message-id and policy name values must be in lowercase.

Logs

Multiple Login Failures by Administrators to Domain Controller

esa000198

replaces esa000129

This rule is triggered when a user enters Administrator credentials to log in to a domain controller and fails multiple times within a configurable number of minutes (default is 3 minutes).

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Within this number of seconds, allows you to choose the time window to trigger events. The default value is 180 seconds.
  • Number of login failures to trigger events. The default value is 3.
  • Name of the following CH lists:

    • Name of a custom CH list with privileged user accounts. By default, the CH list is named Admin_Accounts.
    • Name of the CH list for host blacklist. By default, the CH list is named Host_Blacklist.
    • Name of the CH list for IP blacklist. By default, the CH list is named IP_Blacklist.

    Add or remove entries from the default CH list or replace the default with the name of a custom CH list. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.

DEPENDENCIES

  • Admin_Accounts CH list
  • Host_Blacklist CH list
  • IP_Blacklist CH list
  • At least one Windows Event log parser enabled on the log decoder

Logs

Multiple Login Failures by Guest to Domain Controller

esa000199

replaces esa000130

Triggered when a user enters Guest credentials to log in to a domain controller and fails multiple times within a configurable number of minutes (default is 3 minutes).

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Within this number of seconds, allows you to choose the time window to trigger events. The default value is 180 seconds.
  • Number of login failures to trigger events. The default value is 3.
  • Name of the following CH lists:

    • Name of a custom CH list with guest user accounts. By default, the CH list is named Guest_Accounts.
    • Name of the CH list for host blacklist. By default, the CH list is named Host_Blacklist.
    • Name of the CH list for IP blacklist. By default, the CH list is named IP_Blacklist.

    Add or remove entries from the default CH list or replace the default with the name of a custom CH list. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.

DEPENDENCIES

  • Guest_Accounts CH list
  • Host_Blacklist CH list
  • IP_Blacklist CH list
  • At least one Windows Event log parser enabled on the log decoder

Logs

Multiple Login Failures Due to Username That Does Not Exist

esa000038

Alerts when log events contain multiple login failures due to a username that does not exist, from the same source, within 180 seconds.

In this scenario, the username being logged into does not exist, and the logon is attempted multiple times from the same machine. Both the time window and number of failed logins are configurable.

Logs

Multiple Login Failures from Same Source IP with Unique Usernames

esa000067

Detects multiple failed log-on events from same source IP with unique usernames within the specified time period. You can configure the number of failed log-on events and the time period. The default number of failed log-on events and usernames is three and the default time period is 180 seconds (three minutes).

Logs

Multiple Service Connections with Authorization Failures

esa000051

Detects 4 failed login attempts from the same source to the same destination on different destination ports, within a 5 minute period. You can configure the time period, list of destination ports to be monitored, and the number of connection attempts.

Logs

Multiple Successful Logins from Multiple Diff Src to Diff Dest

esa000183

replaces esa000047

Alerts when log events contain multiple successful logins from a single user from multiple different sources to multiple different destinations.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Within this number of seconds, allows you to choose the time window to trigger events. The default value is 180 seconds.
  • Number of successful logons to trigger events. The default value is 3.
  • Name of the following whitelists:

    • Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist.
    • Name of the CH list for host whitelist. By default, the CH list is named Host_Whitelist.
    • Name of the CH list for IP whitelist. By default, the CH list is named IP_Whitelist.

    Add or remove entries from the default CH list or replace the default with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.

DEPENDENCIES

  • User_Whitelist CH list
  • Host_Whitelist CH list
  • IP_Whitelist CH list
  • At least one log parser enabled on the log decoder which populates ec_activity = Logon and ec_outcome = Success

Logs

Multiple Successful Logins from Multiple Diff Src to Same Dest

esa000191

replaces esa000040

Alerts when log events contain multiple successful logins from a single user from multiple different sources to same destination in configured time.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Within this number of seconds, allows you to choose the time window to trigger events. The default value is 3600 seconds (60 minutes).
  • Number of successful logins to trigger events. The default value is 3.
  • Name of the following whitelists:

    • Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist.
    • Name of the CH list for host whitelist. By default, the CH list is named Host_Whitelist.
    • Name of the CH list for IP whitelist. By default, the CH list is named IP_Whitelist.

    Add or remove entries from the default CH list or replace the default with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.

DEPENDENCIES

  • User_Whitelist CH list
  • Host_Whitelist CH list
  • IP_Whitelist CH list
  • At least one log parser enabled on the log decoder which populates ec_activity = Logon and ec_outcome = Success

Logs

Multiple SYN Packets from Same Source

esa000070

Detects multiple SYN packets from the same source within a one-minute time period. You can configure the time period and the number of SYN packets. The default is 100 SYN packets within a 60-second time period.

Packets

Netflow - Spam Detection
 
esa000147

10.4 or higher. Detects spam based on a specified number of connection attempts from one host within one minute over specified ports. For example, the following would trigger the rule:
Host 1.1.1.1 reaches out to 1000 other hosts within one minute over ports 25, 110, or 143.

The following parameters are configurable:

  • Source IP addresses to exclude
  • Number of connection attempts
  • IP destination ports to include

Prerequisites are:

  • Device parser must be enabled. Use RSAFlow for 10.3 logdecoder or CEF for 10.4 logdecoder.
  • Meta-key 'direction' must be indexed in table-map.xml and index-concentrator-custom.xml.

Logs

Netflow - Web DoS detection

esa000139

10.4 or higher. Lists RFC 1918 IP addresses that generate more than a specified number of network flows to a single Internet routable host, via TCP 80 or 443, within a specified number of minutes.

These parameters are configurable:

  • Number of flows. Default is 1000.
  • Number of minutes. Default is 1.
  • IP source addresses to exclude from the rule. The default entries, 10.1.1.1 and 10.2.2.2, are placeholder proxy addresses; replace them with your own proxies.

Prerequisites are:

  • Device parser must be enabled, RSAFlow for 10.3 logdecoder or CEF for 10.4 logdecoder.
  • Meta-key 'direction' must be indexed in table-map.xml and index-concentrator-custom.xml.

Logs

Netflow - Windows Worm Propagation

esa000148

10.4 or higher. Detects worm propagation based on a specified number of connection attempts from one host within one minute over specified ports. For example, the following would trigger the rule:
Host 1.1.1.1 reaches out to 500 other hosts in one minute over ports 135, 137, 139, or 445.

The following parameters are configurable:

  • Source IP addresses to exclude
  • Number of connection attempts
  • TCP destination ports to include

Prerequisites are:

  • Device parser must be enabled. Use RSAFlow for 10.3 logdecoder or CEF for 10.4 logdecoder.
  • Meta-key 'direction' must be indexed in table-map.xml and index-concentrator-custom.xml.

Logs

No Log Traffic Detected from Device in Given Time Frame

esa000059

Detects when there is no traffic from a device for a specified time period. The rule identifies log traffic through:

  • device.ip and device.type, or
  • device.host and device.type, or
  • a combination of both

The rule measures the time elapsed since the last event it received for the device and fires the alert when that lag exceeds the preset time.

Logs

No Packet traffic detected from source IP address in given timeframe.

esa000058

Detects when there is no traffic from a packet source for a specified time period. The rule identifies packet traffic through ip.src. It measures the time elapsed since the last event it received for the source and fires the alert when that lag exceeds the preset time.

Packets

NTDSXTRACT Tool Download

esa000142

Detects an internal network session download of NTDSXTRACT, a tool framework for extracting data from the Active Directory database file NTDS.DIT.

At least one network parser that supports the meta keys 'action' and 'filename' is required. Parsers include HTTP, FTP, IRC and NFS.

Packets

P2P Software as Detected by an Intrusion Detection Device

esa000027

Detects P2P software found by an Intrusion Detection System (IDS) device, Intrusion Prevention System (IPS) device, firewall, or vulnerability scanner.

Logs

Port Scan Vertical Log

esa000036

Alerts when log events contain 200 unique destination ports with the same source and destination IP within 60 seconds, indicating a vertical port scan.

Both the time window and number of unique destination ports are configurable.

Logs

Port Scan Vertical Packet

esa000034

Alerts when network sessions contain 40 unique destination ports with the same source and destination IP within 180 seconds, indicating a vertical port scan.

The time window, destination port range and number of unique destination ports are configurable.

Packets

Potential APT Service Install

esa000153

10.4 or higher. Detects a host making a connection to an Internet-routable IP address on port 80 or 443 and then generating a Windows "service installed" message within a 2 minute time window.

The time window is configurable.

Logs & packets

Potential HTTP slow post DoS

esa000096

Triggers when a single host executes an HTTP POST to a single destination with less than or equal to 1 byte of data every 50 seconds. Both the time window and number of bytes are configurable.

Note: This rule uses the HTTP_lua parser. You must implement this non-standard meta key after you download this rule. See Implement Non-Standard Meta Keys Used in ESA Rules for details.

Packets

Privilege Escalation Detected

esa000172

Replaces esa000006

Detects escalation in privileges for a Windows user or group. Uses a Context Hub (CH) list to track the lists of administrative user accounts. This list of administrative groups is also configurable.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Name of a custom CH list with administrative accounts. By default, the CH list is named Admin_Accounts. You have to add users to the default Admin_Accounts CH list or replace the default CH list with the name of a custom CH list with administrative accounts. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.
  • Group Name. Specify the user group-names for administrator accounts. Default values are 'Administrators, Domain Admins, Schema Admins'.

DEPENDENCIES

  • Admin_Accounts CH list
  • Windows Events log parser

Logs

Privilege Escalation Detected in Unix

esa000043

Detects two kinds of events:

  • a user escalates privileges with su, or

  • an administrator adds a user to one of a user-defined list of groups

Logs

Privilege User Account Password Change

esa000171

replaces esa000016

Detects a logged modification of an administrative account password. The list of administrative users, which trigger the alert is configurable. Uses a Context Hub (CH) list to track administrative accounts.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Name of the CH list of administrative accounts. By default, the CH list is named Admin_Accounts. You have to add users to the default Admin_Accounts CH list or replace the default with the name of a custom CH admin accounts list. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.

DEPENDENCIES

  • Admin_Accounts CH list
  • At least one log parser enabled on the log decoder which populates ec_activity = Logon and ec_activity = Modify

Logs

PunyCode Phishing Attempt

esa000161

Identifies mail sessions that have a punycode hostname and also have a mismatch between the hostname in a link (href) and the text in the same link containing an IDN homograph. This suspected phishing attempt is then followed by HTTP(S) traffic with the same hostname in the certificate or in the host. Reference the RSA Link blog post from RSA Research for more details about this threat: PunyCode - Not All Characters are Created Equal.

Supported on ESA 10.6.3 and higher. To enable for ESA 10.6.2, you must make the keys ioc and analysis_service multi-valued types. To do this, go to the NetWitness UI > Administration > Services > ESA > Explore > Workflow > Source > nextgenAggregationSource > ArrayFieldNames. Enter the keys separated by commas and restart the ESA service.

If you have other ESA rules using those keys, they will need to be rewritten to use array syntax and redeployed. Select the Show Syntax button in this rule to use as an example. This rule isn't supported prior to 10.6.2 due to the use of a function added to that version to compare multi-valued types.

DEPENDENCIES

Lua parsers:

  • HTTP_lua
  • IDN_homograph
  • MAIL_lua
  • phishing_lua
  • TLS_lua

You must also have at least one of the following mail protocol parsers enabled:

  • SMTP_lua
  • POP3_lua
  • IMAP_lua
  • WEBMAIL system parser

Feed: Hunting

Packets
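The first stage of the rule above, the link check on the mail body, is shown below as an added example written for this page; it is not RSA code and not the IDN_homograph or phishing_lua parser, and it stops short of the follow-on HTTP(S) correlation. It decodes any xn-- host in an anchor's href, compares it with the host named in the visible link text, and flags either a mismatch or a decoded hostname that mixes Unicode scripts. The mail bodies are constructed; the spoofed hostname uses Cyrillic U+0430 in place of Latin "a", and both punycode hosts are derived with Python's idna codec rather than typed in.

```python
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(s):
    """Lower-cased hostname of a URL, or of bare text such as 'apple.com/login'."""
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def text_hostname(text):
    """Hostname named by the link text, or '' when the text is not a host/URL."""
    text = text.strip()
    if not re.fullmatch(r"(?:https?://)?[\w.\-]+(?:/\S*)?", text):
        return ""
    return hostname(text)


def decode_idn(host):
    """Decode xn-- labels to Unicode; pure-ASCII hosts come back unchanged."""
    return host.encode("ascii").decode("idna") if "xn--" in host else host


def scripts_in(host):
    """Unicode scripts (LATIN, CYRILLIC, ...) used by the letters of a host."""
    return {unicodedata.name(ch, "").split(" ")[0] for ch in host if ch.isalpha()} - {""}


def suspicious_links(html):
    """Anchors whose punycode href does not match the shown host, or whose
    decoded host mixes scripts (an IDN homograph)."""
    parser = _AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        href_host = hostname(href)
        if "xn--" not in href_host:
            continue                       # the rule only looks at punycode hosts
        decoded = decode_idn(href_host)
        shown = text_hostname(text)
        mismatch = bool(shown) and shown not in (href_host, decoded)
        mixed = len(scripts_in(decoded)) > 1
        if mismatch or mixed:
            hits.append({"href_host": href_host, "decoded": decoded,
                         "text_host": shown, "mixed_scripts": mixed})
    return hits


# Constructed sample mail body. SPOOF_HOST is 'аpple.com' with a Cyrillic а
# (U+0430); MUNICH_HOST is a legitimate single-script IDN used as a control.
SPOOF_HOST = "\u0430pple.com".encode("idna").decode("ascii")
MUNICH_HOST = "m\u00fcnchen.de".encode("idna").decode("ascii")
SAMPLE_MAIL = f"""
<p>Your account is locked. <a href="http://{SPOOF_HOST}/login">apple.com</a></p>
<p>Regional office: <a href="http://{MUNICH_HOST}/">m\u00fcnchen.de</a></p>
<p>Help: <a href="https://example.com/support">example.com/support</a></p>
<p><a href="http://{SPOOF_HOST}/reset">Reset password</a></p>
"""

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_MAIL):
        print(hit)
```

The control anchor (münchen.de) is not flagged: its text matches the decoded host and every letter is Latin, which is the distinction the rule's "IDN homograph" condition draws between ordinary internationalised domains and look-alikes.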

RDP Inbound Traffic

esa000064

Identifies RDP inbound traffic from one or more source IPs to 2 unique destination IPs within 60 seconds.

CONFIGURATION

You may customize the number of RDP connections and time window for the connections to occur. Enter a comma-separated whitelist of source and destination IPs in order to exclude them from matching the rule.

DEPENDENCIES

Lua parsers:

  • RDP_lua
  • traffic_flow

Packets

RDP Traffic from Same Source to Multiple Different Destinations

esa000063

Detects RDP traffic from the same source to multiple different destinations.

The time window and the number of destination connections are configurable. The default is the same source IP to 3 different destination IP addresses in a 3 minute time period.

Packets

Reception of executable file followed by ECAT alert

esa000100

Detects when a host-based ECAT alert is followed by a Reception of executable file alert within 10 minutes.

Logs & packets

Remote Data Harvesting

esa000084

Detects a successful Juniper web-based SSL VPN login followed by the transfer of one or more files to the source host, followed by a VPN logoff by the same user within 2 minutes.

Only the Juniper SSL VPN event source is supported, and the associated log device parser must be deployed.

Logs

Remote Password Cracking Tool Use

esa000113

Detects login failures from an IP address or host source to 3 different IP or host destinations. The time window and number of login failures are configurable.

This module uses non-standard meta keys, host.src and host.dst. It detects login failures for IMAP and VNC protocols. The Lua parsers for IMAP and VNC must be deployed on the Decoder.

Logs

RIG Exploit Kit

esa000160

RIG exploit kit is suspected in the compromise of a vulnerable website. This is detected through anomalous HTTP session indicators in use with RIG Exploit Kit (EK) operations or a match to a shadow domain.

REFERENCES

Reference the following RSA Link blog posts from RSA Research for more details about this threat:

VERSIONS SUPPORTED

  • 10.6.2.1 and higher
  • 10.6.2 and prior (see CONFIGURATION)

CONFIGURATION

To enable for ESA 10.6.2 and earlier, you must make the keys ioc, eoc and analysis_service multi-valued types. To do this, go to the NetWitness UI > Administration > Services > ESA > Explore > Workflow > Source > nextgenAggregationSource > ArrayFieldNames. Enter the keys separated by commas and restart the ESA service. If you have other ESA rules using those keys, they will need to be rewritten to use array syntax and redeployed. Select the Show Syntax button in this rule to use as an example. For more information, see ESA rule is disabled after being deployed to the ESA service in RSA Security Analytics.

DEPENDENCIES

  • The HTML_lua Lua parser
  • The HTML_threat Lua parser
  • The Rig Exploit Kit Application Rule
  • The FirstWatch Command and Control IPs feed

Packets, Logs & packets

Rogue DHCP Server Detected

esa000150

Detects traffic sourced from UDP 67/68 by a host that is not on the configurable whitelist of legitimate DHCP server IP addresses.

Prerequisites for logs are: Meta-key protocol must be indexed in table-map.xml and index-concentrator-custom.xml.

Logs or packets

Spam Host Detection

esa000151

10.4 or higher. Detects when a SPAM host is generating 500 or more connections destined for 1 or more hosts on TCP/25 within 1 minute, followed by 10 minutes of no initiated activity to any hosts on TCP/25.

The following are configurable:

  • the number of connections per minute
  • the no-activity interval in seconds
  • the maximum number of constituent events to store in the alert

Prerequisites for logs are: Meta-key protocol must be indexed in table-map.xml and index-concentrator-custom.xml.

Logs or packets

SSH connection from internet routable IP followed by HTTP/SSH service restart on destination: Log

esa000078

Detects an SSH connection from an Internet-routable IP address (an external address outside the RFC 1918 private ranges) followed by an HTTP/SSH service restart on the destination. The default time window is 5 minutes and the default service names monitored are sshd and httpd.

This rule uses a non-indexed key, service.name. It must be indexed on the Log Decoder in table-map.xml and added to the Concentrator through index-concentrator-custom.xml.

Logs & packets

SSH Traffic Detected from a Source to Different Destinations

esa000044

Detects SSH traffic (service=22) coming from a single IP address to 5 unique destination IPs within 3 minutes.

The number of unique destination IP addresses, list of services, and the time window are configurable.

Packets

Stealth Email Use

esa000121

Detects a user sign-up or sign-in attempt for the following stealth mail services:

Packets

Stealth Email Use with Large Session

esa000128

Detects a session larger than 1 MB to the following stealth mail services:

The minimum session size, number of connections, and time window are configurable.

Packets

Suspicious Account Removal

esa000091

Detects a user account that, after being added to an administrative group, disables or removes other accounts on the same server within 15 minutes.

Both the list of administrator groups and event time window are configurable.

Logs

Suspicious Communication Channel: Receiver

esa000110

Detects a server that responds to a SYN/ACK with a TCP RST multiple times to the same host within one minute.

The IP address sending the RST (not RST/ACK) may be the receiving side of a covert communication channel.

Before this rule can fire, both of the following must be done:

  • TCP Flags Seen feed is deployed and enabled
  • Meta-key TCP Flags Seen (tcp_flags_seen) is indexed in index-concentrator-custom.xml

Logs or  packets

Suspicious Communication Channel: Sender

esa000109

Detects servers that are generating multiple SYN/ACKs to the same host without ever having received a SYN packet from the host.

In normal TCP communications, SYN/ACKs should only be presented after receiving an initiating SYN packet.

Before this rule can fire, both of the following must be done:

  • TCP Flags Seen feed is deployed and enabled
  • Meta-key TCP Flags Seen (tcp_flags_seen) is indexed in index-concentrator-custom.xml

Logs or packets
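The two Suspicious Communication Channel rules above both reduce to a handshake-state check over the per-packet flags that the TCP Flags Seen feed exposes. The Python below is an added example written for this page, not RSA code and not the feed or either rule's EPL: it remembers which address pairs have sent a SYN or a SYN/ACK, counts SYN/ACKs that no SYN preceded (the Sender rule) and bare RSTs that answer a SYN/ACK (the Receiver rule), and alerts when either repeats threshold times for the same pair inside the window. Packets, addresses and the flag representation are constructed.

```python
from collections import defaultdict, deque

SYN, ACK, RST = "S", "A", "R"


class CovertChannelRule:
    """Track handshake state per address pair and count two anomalies:
    'sender'   - SYN/ACK sent to a peer that never sent a SYN
    'receiver' - bare RST (no ACK bit) sent in answer to a SYN/ACK
    threshold hits for the same (kind, src, dst) inside window_s -> alert."""

    def __init__(self, threshold=3, window_s=60):
        self.threshold, self.window_s = threshold, window_s
        self._syn_seen = set()           # (client, server) that sent a SYN
        self._synack_seen = set()        # (server, client) that sent a SYN/ACK
        self._hits = defaultdict(deque)  # (kind, src, dst) -> hit times
        # NB: the state sets are never expired here; a production rule would.

    def _count(self, kind, src, dst, t):
        q = self._hits[(kind, src, dst)]
        q.append(t)
        while q and t - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()
            return {"rule": kind, "src": src, "dst": dst, "time": t}
        return None

    def feed(self, pkt):
        """pkt = {"time", "src", "dst", "flags"}; flags is a set of S/A/R."""
        flags, src, dst, t = pkt["flags"], pkt["src"], pkt["dst"], pkt["time"]
        if flags == {SYN}:
            self._syn_seen.add((src, dst))
        elif flags == {SYN, ACK}:
            self._synack_seen.add((src, dst))
            if (dst, src) not in self._syn_seen:      # nobody asked: anomalous
                return self._count("sender", src, dst, t)
        elif flags == {RST} and (dst, src) in self._synack_seen:
            return self._count("receiver", src, dst, t)  # bare RST to a SYN/ACK
        return None


def run(packets, threshold=3, window_s=60):
    rule = CovertChannelRule(threshold, window_s)
    return [a for a in (rule.feed(p) for p in packets) if a]


def _pkt(t, src, dst, *flags):
    return {"time": t, "src": src, "dst": dst, "flags": set(flags)}

A, B = "10.0.0.5", "10.0.0.80"     # a normal client/server pair (constructed)
C, D = "10.0.0.7", "10.0.0.99"     # the suspected covert pair (constructed)

SAMPLE = [
    _pkt(0.0, A, B, SYN), _pkt(0.1, B, A, SYN, ACK), _pkt(0.2, A, B, ACK),  # 3-way handshake
    _pkt(5.0, A, B, RST),                    # one bare RST: counted once, under threshold
    _pkt(10, C, D, SYN, ACK), _pkt(11, D, C, RST),
    _pkt(20, C, D, SYN, ACK), _pkt(21, D, C, RST),
    _pkt(30, C, D, SYN, ACK), _pkt(31, D, C, RST),   # 3rd of each -> two alerts
    _pkt(40, B, A, RST, ACK),                # RST/ACK is not a bare RST: ignored
]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```

The normal handshake and the lone RST/ACK pass through untouched, which is the point of keying on flag combinations rather than on RST or SYN/ACK alone.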

Suspicious HTTP POST Commands

esa000149

Detects multiple HTTP POST commands from an RFC 1918 host to a single external address. By default, detects a total of 15 POST commands that occur at the rate of one POST per 50–70 seconds.

Note that subsequent beaconing alerts after the first one, all having the same medium, ip_src, and ip_dst, require one less POST than the first beacon alert. For example, for an alert to be generated from System A, 15 POSTs are needed, but subsequent alerts from that same system require only 14 POSTs.

If System A does not alert within the maximum timeframe for the subsequent alert, it would require 15 POSTs again for an alert to be generated.

This activity is indicative of the posting of harvested data from a workstation infected with one of many Zeus variants.

This rule uses three variables:

  • post_count: the number of times POST must occur before alerting. Default value is 15.
  • time_window_min: the minimum time period between each POST. Default value is 50 seconds.
  • time_window_buffer: the buffer time between each POST. Default value is 20 seconds.

For example, if the post_count is 15, time_window_min is 50, and time_window_buffer is 20, then 15 post commands arriving at a rate of every 50 to 70 seconds will trigger the alert.

Prerequisites for logs: Meta-keys 'action' and 'web_method' must be indexed in table-map.xml and index-concentrator-custom.xml.

Logs or packets
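The cadence logic described above (post_count, time_window_min, time_window_buffer, and the "one POST fewer for the next alert" behaviour) is modelled below as an added example written for this page; it is not RSA code or the rule's EPL. Each (ip_src, ip_dst) pair keeps the timestamps of its current run of POSTs; a POST that lands 50 to 70 seconds after the previous one extends the run, anything else starts a new one, and when the run reaches post_count the rule alerts and keeps that last POST as the anchor of the next run, which is exactly why the next alert needs one POST fewer and why a broken cadence resets to the full count. The scope check (RFC 1918 source, non-RFC 1918 destination) is implemented with the standard ipaddress module rather than the decoder's direction meta; the HTTP events are constructed.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class PostBeaconRule:
    """Alert when post_count POSTs from one RFC 1918 host to one external
    address arrive with every gap in [time_window_min, time_window_min +
    time_window_buffer] seconds."""

    def __init__(self, post_count=15, time_window_min=50, time_window_buffer=20):
        self.post_count = post_count
        self.lo = time_window_min
        self.hi = time_window_min + time_window_buffer
        self._runs = {}  # (ip_src, ip_dst) -> timestamps of the current run

    @staticmethod
    def _in_scope(event):
        method = event.get("web_method") or event.get("action")
        return (method == "POST"
                and is_rfc1918(event["ip_src"])
                and not is_rfc1918(event["ip_dst"]))

    def feed(self, event):
        """Return an alert dict when this POST completes a run, else None."""
        if not self._in_scope(event):
            return None
        key, t = (event["ip_src"], event["ip_dst"]), event["time"]
        run = self._runs.get(key, [])
        if run and self.lo <= t - run[-1] <= self.hi:
            run.append(t)           # keeps cadence: extend the run
        else:
            run = [t]               # first POST, or cadence broken: start over
        if len(run) >= self.post_count:
            # Keep this POST as the anchor of the next run: that is why the
            # next alert for the same pair needs one POST fewer.
            self._runs[key] = [t]
            return {"ip_src": key[0], "ip_dst": key[1], "first": run[0], "last": t}
        self._runs[key] = run
        return None


def detect(events, **params):
    rule = PostBeaconRule(**params)
    return [a for a in (rule.feed(e) for e in events) if a]


def _http(t, method, src, dst):
    return {"time": t, "web_method": method, "ip_src": src, "ip_dst": dst}

# Constructed sample: an internal host POSTing to one external address every
# 60 s (inside the 50-70 s band), plus traffic the rule must ignore.
SAMPLE = [
    _http(0, "POST", "10.0.0.5", "203.0.113.9"),
    _http(60, "POST", "10.0.0.5", "203.0.113.9"),
    _http(120, "POST", "10.0.0.5", "203.0.113.9"),
    _http(150, "GET", "10.0.0.5", "203.0.113.9"),        # not a POST
    _http(160, "POST", "10.0.0.5", "192.168.1.20"),      # internal destination
    _http(180, "POST", "10.0.0.5", "203.0.113.9"),       # 4th in cadence
    _http(240, "POST", "10.0.0.5", "203.0.113.9"),
    _http(300, "POST", "10.0.0.5", "203.0.113.9"),
    _http(360, "POST", "10.0.0.5", "203.0.113.9"),       # 3 more suffice
    _http(1000, "POST", "10.0.0.5", "203.0.113.9"),      # cadence broken: reset
    _http(1060, "POST", "10.0.0.5", "203.0.113.9"),
    _http(1120, "POST", "10.0.0.5", "203.0.113.9"),      # only 3 in the new run
]

if __name__ == "__main__":
    # post_count lowered from the default 15 to keep the sample short
    for alert in detect(SAMPLE, post_count=4):
        print(alert)
```

With the defaults (15 POSTs) the same sample produces nothing, which is the trade-off the post_count parameter controls: a lower count catches short-lived beacons sooner at the cost of more false positives from periodic legitimate clients.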

Suspicious Privileged User Access Activity

esa000188

replaces esa000098

Triggers when a privileged user account is observed logging into 3 or more unique hosts within 5 minutes. Uses a Context Hub (CH) list to track the lists of the privileged user accounts. Number of destination hosts and time window are configurable.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Name of a custom CH list with privileged user accounts. By default, the CH list is named Admin_Accounts. You have to add users to the default Admin_Accounts CH list or replace the default CH list with the name of a custom CH list with privileged user accounts. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.
  • Within this number of seconds, allows you to choose the time window to trigger events. Default is 300 seconds.
  • Number of destination hosts. Specify the unique number of destination hosts that a single privileged user logged into multiple times. By default, the count of hosts is 3.

DEPENDENCIES

  • Admin_Accounts CH list
  • At least one log parser enabled at log decoder which populates ec_activity = Logon, ec_outcome = Success, user_dst exists and ip_dst/host_dst exists.

Logs

SYN Flood Log Messages

esa000066

Detects SYN flood log messages with a count of 10 within 60-second time period from the device classes of either IDS, IPS, or Firewall.

The rule triggers an alert when the Event Classification Tags (ECT) ec.theme is equal to 'TEV', ec.activity is equal to 'Detect' and ec.subject is equal to 'NetworkComm', in combination with a variation of the keyword 'Syn Flood' found within policy.name, event.desc, or msg.id.

Logs

Third Party IOC IP and Domain Feed Hit and an ECAT alert  

esa000118

10.4 or higher. Is triggered when the same host registers a hit against the Third Party IOC IP and Domain Feed and then generates an ECAT alert.

The Third Party IOC IP and Domain Feeds should be deployed on the same machine, which can be a Log Decoder or Decoder. RSA ECAT Log Parser must be enabled on the Log Decoder.

Logs

Tor Outbound

esa000164

Indicates that Tor outbound traffic has been detected. This rule triggers on the following two conditions:

  • Tor outbound app rule triggered at least 2 times within a 5 minute time window
  • At least 9 alerts indicating issuer and subject name missing in SSL certificate within a 5 minute time window

VERSIONS SUPPORTED

  • 10.6.2.1 and higher
  • 10.6.2 and prior (see CONFIGURATION)

CONFIGURATION

To enable for ESA 10.6.2 and prior, you must make the keys ioc and analysis_service multi-valued types. To do this, go to the NetWitness UI > Administration > Services > ESA > Explore > Workflow > Source > nextgenAggregationSource > ArrayFieldNames. Enter the keys separated by commas and restart the ESA service. If you have other ESA rules using those keys, they will need to be rewritten to use array syntax and redeployed. Select the Show Syntax button in this rule to use as an example. For more information, see the Knowledge Base article, ESA rule is disabled after being deployed to the ESA service in RSA Security Analytics.

DEPENDENCIES

Packets:

  • Lua Parsers:

    • TLS_lua
    • traffic_flow
  • Application Rule: Tor Outbound

Logs:

  • Lua Parsers: traffic_flow

  • Application Rule: Tor Outbound

Logs or packets

User Account Created and Deleted Within an Hour

esa000180

replaces esa000029

Detects when a user account is created and then gets deleted within the same hour. Uses a Context Hub (CH) list to track users.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Within this number of seconds, allows you to choose the time window to trigger events. The default value is 3600 seconds (60 minutes).
  • Name of the Context Hub whitelist. By default, the CH list is named User_Whitelist. Add or remove users from the default User_Whitelist CH list or replace the default with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.

DEPENDENCIES

  • User_Whitelist CH list
  • At least one log parser enabled at log decoder which populates ec_subject=User, ec_outcome=Success and either ec_activity=Create or ec_activity=Delete and user_dst is not null.

Logs
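Rules of the shape "event A for some entity, then event B for the same entity within a window" (this one, Potential APT Service Install, the User Added to Admin Group then ... rules, Account Added to Administrators Group and Removed) all need the same two-stage correlation. The Python below is an added example written for this page, not RSA code and not the rule's EPL: it holds first-stage events per key, expires them at the window edge, pairs each with the next matching second-stage event, and excludes accounts on the User_Whitelist CH list before anything is remembered. The whitelist contents and the account events are constructed; the key names (ec_subject, ec_activity, ec_outcome, user_dst) follow the rule's dependencies.

```python
from collections import defaultdict


class FollowedByRule:
    """Fire when second(event) matches an earlier first(event) with the same
    key_fn(event) value within window_s seconds. Each first-stage event pairs
    at most once, so a single create produces a single alert."""

    def __init__(self, first, second, key_fn, window_s):
        self.first, self.second, self.key_fn, self.window_s = first, second, key_fn, window_s
        self._pending = defaultdict(list)  # key -> first-stage events, oldest first

    def feed(self, event):
        """Return an alert dict when this event completes a pair, else None."""
        key = self.key_fn(event)
        if key is None:
            return None
        t = event["time"]
        # expire first-stage events that are now too old to pair
        pend = [e for e in self._pending[key] if t - e["time"] <= self.window_s]
        self._pending[key] = pend
        if self.first(event):
            pend.append(event)
        elif self.second(event) and pend:
            return {"key": key, "first": pend.pop(0), "second": event}
        return None


USER_WHITELIST = {"svc_build"}  # constructed stand-in for the User_Whitelist CH list


def account_key(event):
    """Correlate on the affected account; drop failures and whitelisted users."""
    if event.get("ec_subject") != "User" or event.get("ec_outcome") != "Success":
        return None
    user = event.get("user_dst")
    return None if not user or user in USER_WHITELIST else user


def is_create(event):
    return event.get("ec_activity") == "Create"


def is_delete(event):
    return event.get("ec_activity") == "Delete"


def run(events, window_s=3600):
    rule = FollowedByRule(is_create, is_delete, account_key, window_s)
    return [a for a in (rule.feed(e) for e in events) if a]


def _acct(t, activity, user, outcome="Success"):
    return {"time": t, "ec_subject": "User", "ec_activity": activity,
            "ec_outcome": outcome, "user_src": "jdoe", "user_dst": user}

# Constructed account lifecycle events, in time order.
SAMPLE = [
    _acct(0,    "Create", "tmp_admin"),
    _acct(50,   "Delete", "ghost"),                   # no create on record: nothing to pair
    _acct(600,  "Create", "svc_build"),               # whitelisted: ignored
    _acct(700,  "Delete", "svc_build"),               # whitelisted: ignored
    _acct(900,  "Create", "contractor1", "Failure"),  # failed create: ignored
    _acct(1800, "Delete", "tmp_admin"),               # 1800 s after create -> alert
    _acct(2000, "Create", "contractor1"),
    _acct(6000, "Delete", "contractor1"),             # 4000 s later: outside 3600 s
]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert["key"], alert["first"]["time"], "->", alert["second"]["time"])
```

Changing the two predicates and the key function gives the other rules in this family: for example first = "added to an admin group", second = "sshd started", key = device.ip.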

User Added to Admin Group Same User Login OR Same User su sudo

esa000181

replaces esa000031

Alerts when a user is added to one of the admin groups and the same user then logs in or performs an su or sudo operation, which may indicate malicious activity by the user. This rule is specific to Unix devices. Uses a Context Hub (CH) list to track users.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Within this number of seconds, allows you to choose the time window to trigger events. The default value is 300 seconds.
  • Name of the Context Hub (CH) whitelist. By default, the CH list is named User_Whitelist. Add or remove users from the default User_Whitelist CH list or replace the default with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.
  • Group Name. Specify the user group-names for custom group accounts. Default values are 'root, wheel'.

DEPENDENCIES

  • User_Whitelist CH list
  • Unix device class log parsers.

Logs

User Added to Admin Group Then iptables is Restarted

esa000079

Alert generated when a user is added to one of the admin groups (custom list of groups) and then iptables is restarted on the same device IP. This rule is specific to Unix devices.

Logs

User Added to Admin Group then SSH is Enabled

esa000032

Detects when a user is added to an administrator group and the SSH service starts on the same Linux machine.

This rule relies on Event Categorization Tags (ECT) for group modification. You can configure the time period, service name, and the list of administrator groups.

Logs

User Added to Admin Group Then Syslog Is Disabled

esa000041

Detects when a user is added to the specified groups and the same user stops the syslog/rsyslog service on a Linux machine. The rule relies on Event Categorization Tags (ECT) for group modification. Linux does not generate an event for stopping the syslog service, but it does generate one for stopping kernel logging; that event is used to fire the rule.

Logs

User added to administrative group then SIGHUP detected

esa000185

replaces esa000076

Detects when a user is upgraded to one of the admin groups (custom list of groups) and a SIGHUP is detected on a service on the same device.ip. This rule is specific to Unix devices. Uses a Context Hub (CH) list to track users.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Within this number of seconds, allows you to choose the time window to trigger events. The default value is 300 seconds.
  • Name of the Context Hub whitelist. By default, the CH list is named User_Whitelist. Add or remove users from the default User_Whitelist CH list or replace the default with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.
  • Group Name. Specify the user group-names for custom group accounts. Default values are 'root, wheel'.

DEPENDENCIES

  • User_Whitelist CH list
  • Unix device class Log parsers.

Logs

User Login Baseline

esa000173

Alerts if a user account is suspected of misuse due to credential compromise or a malicious insider and that user is attempting to move laterally across the organization. This rule calculates a baseline of user login activity over 7 days and will alert if the last 24 hours of user activity goes above the baseline based on a configurable score.

For more details, see User Login Baseline ESA Rule.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Blacklist of device class. By default, each device class supported by RSA that outputs the normalized meta and values for login success and failure are listed.
  • Maximum average for user login activity. By default, this is 150 user logins over the length of the baseline.
  • Maximum login count. By default, this is 300 user logins over the last 24 hours.
  • Minimum average for user login activity. By default, this is an average of 3 user logins over the length of the baseline.
  • Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.
  • Number of days to baseline user login activity. By default, the rule will store user login activity for 7 days.
  • Number of unique device logins. By default, the number of unique devices is set to 20. This requirement gives higher confidence that the user account behavior is anomalous.
  • Score threshold to trigger the rule. By default, the score threshold is 80. Increase the score to decrease the number of false positives.
  • Time in minutes to suppress alerts. The default value is 60 minutes. All but the first event per user are suppressed during this time period.

DEPENDENCIES

  • User_Whitelist CH list
  • At least one log parser which populates ec_activity = Logon and ec_outcome = Success or Failure with a user_dst key that is not null.

Logs

VM Clone After Multiple Root ESX Login Attempts

esa000050

10.4 or higher. Alert if there are 3 root login failures to an ESX server followed by root login success to an ESX server followed by a VM Clone event within 5 minutes. The time window and number of root login failures are configurable.

Logs

Web DoS Alert

esa000095

Alert to a possible web DoS when 40 connection attempts occur within a 1 minute period, over port 80 or 443, from unique source IP addresses to the same destination IP address.

The number of connection attempts, list of TCP destination ports, and whitelist of source IP addresses are configurable.

Packets

Web DoS Attack

esa000030

Detects when a Web DoS attack is possible with 1000 connection attempts over port 80 or 443 from the same source IP to the same destination IP address.

You can configure the number of connection attempts, list of TCP destination ports, and the white list of source IP addresses.

Packets

Webshell Detected

esa000163

This rule indicates that 3 webshells have been detected through communication between the same IP source and destination pair within a 10 minute time window.

Versions Supported:

  • 10.6.2.1 and higher
  • 10.6.2 and prior (see Configuration)

Configuration:

To enable for ESA 10.6.2 and prior, you must make the keys ioc and analysis_service multi-valued types. To do this, go to the NetWitness UI > Administration > Services > ESA > Explore > Workflow > Source > nextgenAggregationSource > ArrayFieldNames. Enter the keys separated by commas and restart the ESA service.

If you have other ESA rules using those keys, they will need to be rewritten to use array syntax and redeployed. For more information, see https://community.rsa.com/docs/DOC-76158

Dependencies

Lua Parsers:

  • HTTP_lua
  • china_chopper

Packets

Windows Audit Log Cleared

esa000014

Alerts when the Windows Audit Log is cleared.

Logs

Windows Suspicious Admin Activity: Audit log Cleared

esa000176

replaces esa000019

Detects when a user account is created, added to the Administrators group, and the audit logs are cleared within a five minute period.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Within this number of seconds. Allows you to choose the time window in which the events must occur to trigger the rule. The default value is 300 seconds.
  • Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.

DEPENDENCIES

  • User_Whitelist CH list
  • At least one Windows Event log parser enabled on the log decoder

Logs

Windows Suspicious Admin Activity: Firewall Service Stopped

esa000177

replaces esa000024

Detects when a user account is created, added to administrators group, and the firewall is stopped within a five minute time period.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Within this number of seconds. Allows you to choose the time window in which the events must occur to trigger the rule. The default value is 300 seconds.
  • Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.

DEPENDENCIES

  • User_Whitelist CH list
  • At least one Windows Event log parser enabled on the log decoder

Logs

Windows Suspicious Admin Activity: Network Share Created

esa000178

replaces esa000025

Detects when a user account is created, added to administrators group, and a network share is created within a configurable time period (default is 5 minutes).

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Within this number of seconds. Allows you to choose the time window in which the events must occur to trigger the rule. The default value is 300 seconds.
  • Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.

DEPENDENCIES

  • User_Whitelist CH list
  • At least one Windows Event log parser enabled on the log decoder

Logs

Windows Suspicious Admin Activity: Shared Object Accessed

esa000179

replaces esa000026

Detects when a Windows user account is created, a shared object is accessed, and the account is deleted within a five minute time period.

VERSIONS SUPPORTED
NetWitness 11.1 and higher

CONFIGURATION

Rule Parameters:

  • Within this number of seconds. Allows you to choose the time window in which the events must occur to trigger the rule. The default value is 300 seconds.
  • Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists.

DEPENDENCIES

  • User_Whitelist CH list
  • At least one Windows Event log parser enabled on the log decoder

Logs

Windows User Added to Administrators Group and Security Disabled

esa000073

Detects when a Windows user was added to an administrative group and the security center or manager was disabled within the specified time period. You can configure the list of administrator groups and the time period (the default value is five minutes).

Note: This rule uses the accesses non-standard meta key. You must implement this non-standard meta key after you download this rule. See Implement Non-Standard Meta Keys Used in ESA Rules for details.

Logs

Windows Worm Activity Detected Logs

esa000082

Detects log messages indicative of a worm with a destination port of 137, 138, 139 or 445 from at least 10 unique RFC-1918 source IPs within 1 minute. The list of destination ports, event time window and number of unique source IPs are configurable.

Logs

Windows Worm Activity Detected Packets

esa000081

Detects a single source IP reaching out to 10 distinct destination IP addresses on ports 137, 138, 139, or 445 within 1 minute. The list of destination ports, event time window and number of unique destination IPs are configurable.

Packets
