RSA Correlation Rules

Document created by RSA Information Design and Development on May 25, 2016. Last modified by RSA Information Design and Development on Sep 20, 2017.
Version 97

The following table describes the RSA Correlation Rules delivered with Security Analytics. Each entry gives the rule's display name followed by its description.

IPV4 Potential DB Server Sweep

Detects when a Packet Decoder or Log Decoder receives sessions from a single source IPv4 address that connects to five or more unique destination IPv4 addresses on any of the destination ports 1433 (MSSQL), 1521 (Oracle) or 3306 (MySQL) within one minute.

This rule should be deployed on a Concentrator, because it examines both Log and Packet metadata. The rule uses ip.dstport for logs and tcp.dstport for packets; for IP addresses it examines the ip.src and ip.dst metadata.

IPV6 Potential DB Server Sweep

Detects when a Packet Decoder or Log Decoder receives sessions from a single source IPv6 address that connects to five or more unique destination IPv6 addresses on any of the destination ports 1433 (MSSQL), 1521 (Oracle) or 3306 (MySQL) within one minute.

This rule should be deployed on a Concentrator, because it examines both Log and Packet metadata. The rule uses ip.dstport for logs and tcp.dstport for packets; for IP addresses it examines the ipv6.src and ipv6.dst metadata.

IPv4 Horizontal Port Scan 5

Detects when a unique IPv4 source address communicates with five or more unique IP destination addresses within one minute, across network sessions.

IPv6 Horizontal Port Scan 5

Detects when a unique IPv6 source address communicates with five or more unique IP destination addresses within one minute, across network sessions.

IPv4 Vertical TCP Port Scan 5

Detects when a unique combination of IPv4 source and destination addresses communicate over five or more unique TCP ports within one minute, across network sessions.

IPv4 Vertical UDP Port Scan 5

Detects when a unique combination of IPv4 source and destination addresses communicate over five or more unique UDP ports within one minute, across network sessions.

IPv6 Vertical TCP Port Scan 5

Detects when a unique combination of IPv6 source and destination addresses communicate over five or more unique TCP ports within one minute, across network sessions.

IPv6 Vertical UDP Port Scan 5

Detects when a unique combination of IPv6 source and destination addresses communicate over five or more unique UDP ports within one minute, across network sessions.

IPv4 Potential Web Sweep 10

Detects when a unique IPv4 source address communicates with ten or more unique IP destination addresses on port 80 within one minute.

IPv6 Potential Web Sweep 10

Detects when a unique IPv6 source address communicates with ten or more unique IP destination addresses on port 80 within one minute.

IPv4 Bulk Data Transfer 20 Mb

Detects when the amount of data transferred between a source and destination IPv4 address pair exceeds 20 MB within five minutes.

IPV6 Bulk Data Transfer 20 Mb

Detects when the amount of data transferred between a source and destination IPv6 address pair exceeds 20 MB within five minutes.

IPv4 Bulk Data Transfer 50 Mb

Detects when the amount of data transferred between a source and destination IPv4 address pair exceeds 50 MB within five minutes.

IPV6 Bulk Data Transfer 50 Mb

Detects when the amount of data transferred between a source and destination IPv6 address pair exceeds 50 MB within five minutes.
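The sweep, port-scan and bulk-transfer rules above all have the same shape: group sessions by a key, keep a sliding time window, and alert when an aggregate over that window (a count of distinct values, or a byte total) reaches a threshold. The Python below is an added example, not RSA's correlation engine or its rule syntax, that evaluates the IPv4 rules listed above over constructed session records. The records use the meta keys the page names (ip.src, ip.dst, ip.dstport for logs, tcp.dstport for packets); the time (seconds) and size (bytes) keys, the udp.dstport fallback, and the decision to alert only when a group first crosses its threshold are assumptions made for this example. The IPv6 rules would differ only in keying on ipv6.src and ipv6.dst.

```python
"""Sliding-window correlation over session metadata: an added illustration, not
RSA's engine or rule syntax.  Meta keys follow the page (ip.src, ip.dst, ip.dstport
for logs, tcp.dstport for packets); 'time', 'size' and udp.dstport are assumptions."""
from collections import defaultdict, deque

DB_PORTS = {1433, 1521, 3306}   # MSSQL, Oracle, MySQL
MB = 1024 * 1024


def dst_port(session):
    """Port of a packet session (tcp/udp.dstport) or log event (ip.dstport)."""
    for key in ("tcp.dstport", "udp.dstport", "ip.dstport"):
        if key in session:
            return session[key]
    return None


class WindowedRule:
    """Group matching sessions by group_by, age out entries older than window
    seconds, and alert once when the aggregate first reaches threshold."""

    def __init__(self, name, match, group_by, window, threshold,
                 distinct=None, total=None):
        self.name, self.match, self.group_by = name, match, group_by
        self.window, self.threshold = window, threshold
        self.distinct, self.total = distinct, total
        self.state = defaultdict(deque)   # group key -> deque of (time, value)

    def _hit(self, entries):
        if self.distinct is not None:     # "five or more unique ..."
            return len({v for _, v in entries}) >= self.threshold
        return sum(v for _, v in entries) > self.threshold   # "more than N MB"

    def feed(self, session):
        if not self.match(session):
            return None
        key, now = self.group_by(session), session["time"]
        entries = self.state[key]
        while entries and now - entries[0][0] > self.window:   # age out old entries
            entries.popleft()
        was_hit = self._hit(entries)
        entries.append((now, (self.distinct or self.total)(session)))
        # fire on the crossing only: one alert per sustained scan, not one per session
        return (self.name, key, now) if self._hit(entries) and not was_hit else None


def build_rules():
    """The IPv4 rules of the table; IPv6 variants would key on ipv6.src/ipv6.dst."""
    v4, by_src = lambda s: "ip.src" in s, lambda s: s["ip.src"]
    by_pair, by_dst = lambda s: (s["ip.src"], s["ip.dst"]), lambda s: s["ip.dst"]
    return [
        WindowedRule("IPv4 Potential DB Server Sweep", window=60, threshold=5,
                     match=lambda s: v4(s) and dst_port(s) in DB_PORTS,
                     group_by=by_src, distinct=by_dst),
        WindowedRule("IPv4 Horizontal Port Scan 5", window=60, threshold=5,
                     match=v4, group_by=by_src, distinct=by_dst),
        WindowedRule("IPv4 Vertical TCP Port Scan 5", window=60, threshold=5,
                     match=lambda s: v4(s) and "tcp.dstport" in s,
                     group_by=by_pair, distinct=lambda s: s["tcp.dstport"]),
        WindowedRule("IPv4 Potential Web Sweep 10", window=60, threshold=10,
                     match=lambda s: v4(s) and dst_port(s) == 80,
                     group_by=by_src, distinct=by_dst),
        WindowedRule("IPv4 Bulk Data Transfer 20 Mb", window=300, threshold=20 * MB,
                     match=lambda s: v4(s) and "size" in s,
                     group_by=by_pair, total=lambda s: s["size"]),
    ]


def correlate(sessions, rules=None):
    rules = build_rules() if rules is None else rules
    alerts = []
    for session in sorted(sessions, key=lambda s: s["time"]):
        alerts.extend(a for a in (r.feed(session) for r in rules) if a)
    return alerts


def session(t, src, dst, port, port_key="tcp.dstport", size=None):
    """Constructed record: packet sessions carry tcp.dstport, log events ip.dstport."""
    rec = {"time": t, "ip.src": src, "ip.dst": dst, port_key: port}
    if size is not None:
        rec["size"] = size
    return rec


SAMPLE_SESSIONS = (
    # 10.0.0.5 probes five MSSQL hosts in 40 s: three packet sessions, two log events
    [session(10 * i, "10.0.0.5", "10.0.1.%d" % (i + 1), 1433) for i in range(3)]
    + [session(30, "10.0.0.5", "10.0.1.4", 1433, "ip.dstport"),
       session(40, "10.0.0.5", "10.0.1.5", 1433, "ip.dstport")]
    # 10.0.0.11 touches four MySQL hosts, then a fifth 97 s later: outside the window
    + [session(t, "10.0.0.11", "10.0.3.%d" % (t + 1), 3306) for t in (0, 1, 2, 3, 100)]
    + [session(100 + i, "10.0.0.7", "10.0.2.9", p) for i, p in enumerate((21, 22, 23, 25, 80))]
    # 10.0.0.9 sends 6 MB a minute to one host; the fourth session passes 20 MB in 5 min
    + [session(200 + 60 * i, "10.0.0.9", "203.0.113.10", 443, size=6 * MB) for i in range(4)]
    + [session(500 + i, "10.0.0.13", "192.0.2.%d" % (i + 1), 80) for i in range(10)]
)

if __name__ == "__main__":
    for name, group, when in correlate(SAMPLE_SESSIONS):
        print("t=%3ds  %-32s %s" % (when, name, group))
```

Running the block prints six alerts. 10.0.0.5 triggers both the DB server sweep and the horizontal port scan at the same instant, since a DB sweep is a horizontal scan restricted to database ports; 10.0.0.11 never alerts because its fifth host falls outside the 60 s window; and 10.0.0.13 trips the horizontal scan at its fifth host before the web sweep fires at its tenth. That overlap between the horizontal scan rule and the two sweep rules is worth keeping in mind when tuning thresholds or routing alerts.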

Windows Automated Explicit Logon

Detects automated logon attempts to the same destination using explicit credentials.

This rule applies only when an atypical process, 0x4 (System), cscript.exe (to Remote) or svchost.exe (to Remote), is reported in the event. To import and deploy the rule, the custom meta key event.computer must first be added.
