RSA Security Analytics Reports

Document created by RSA Information Design and Development on May 25, 2016. Last modified by RSA Information Design and Development on Jun 18, 2018.
Version 153

This topic lists the RSA Security Analytics Reports. The reports are built upon rules and lists. When you download a report, all necessary RSA Security Analytics Rules and RSA Security Analytics Lists are also downloaded. You may, however, need to download supporting RSA Application Rules, RSA Correlation Rules, and parsers.

Note: For content that has been discontinued, see Discontinued Content.


Report / Description / Dependencies

All Risk Suspicious

Lists All Risk Suspicious by Source, Destination and Session Size

Dependent on the following RSA Security Analytics Rules:

  • All Risk Suspicious By Source IP
  • All Risk Suspicious By Destination IP
  • All Risk Suspicious By Session Size

Dependent on the following RSA Lua parsers:

  • HTTP_SQL_Injection
  • fingerprint_javascript_lua
  • SMB_lua
  • fingerprint_zip
  • OCSP_lua
  • Signed_Executable
  • Mail_lua
  • PACKERS
  • DNS_verbose_lua
  • ghost
  • fingerprint_chm_lua
  • fingerprint_pdf_lua
  • fingerprint_flash
  • fingerprint_rar_lua

Uses metadata generated from the Alert IDs Suspicious feed.

All Risk Warning

Lists All Risk Warning by Source, Destination and Session Size

Dependent on the following RSA Security Analytics Rules:

  • All Risk Warning By Source IP
  • All Risk Warning By Destination IP
  • All Risk Warning By Session Size

Dependent on the following RSA Lua Parsers:

  • fingerprint_javascript_lua
  • phishing_lua
  • DNS_verbose_lua
  • ghost
  • fingerprint_chm_lua
  • fingerprint_pdf_lua

Uses metadata generated from the Alert IDs Warning feed.

Anonymous Proxy and Remote Control Activity

Displays suspected use of services, clients or protocols for anonymous access or remote control activities.

Dependent on the following RSA Security Analytics Rules:

  • Anonymous Access by Suspicious Source
  • Anonymous Proxy Service Connection
  • Remote Control Client Site
  • Remote Control or Proxy Client Download
  • Tunneling Protocols Outbound

Dependent on the following RSA Application Rules:

  • Proxy Anonymous Services
  • Remote Control Client Website
  • Proxy Client Download
  • Remote Control Client Download
  • Tor Outbound
  • ssh to external

Dependent on the following Parsers:

  • HTTP
  • HTTPS
  • SSH
  • TLS_lua

Uses metadata generated from the following feeds

  • RSA FirstWatch Criminal Socks User IPs
  • RSA FirstWatch Criminal SOCKS node IPs
  • RSA FirstWatch Criminal VPN Entry IPs
  • RSA FirstWatch Criminal VPN Entry Domains
  • RSA FirstWatch Criminal VPN Exit IPs
  • RSA FirstWatch Criminal VPN Exit Domains
  • Tor Nodes
  • Tor Exit Nodes

AWS Access Permissions Modified Report

10.5 and higher. Detects when Amazon Web Services (AWS) instance permissions are modified.

Dependent on the CEF log parser.

Dependent on the AWS Access Permissions Modified RSA Security Analytics Rule.

AWS Critical VM Modified Report

10.5 and higher. Detects when Amazon Web Services (AWS) critical virtual machine instances are modified. Actions detected by this module include instances being terminated, stopped and rebooted as well as modification of instance attributes and monitoring status.

In order to trigger an alert, a custom feed of critical instance source IPs must be created to populate the alert meta key with the value 'critical_vm'.

Dependent on the CEF log parser.

Dependent on the AWS Critical VM Modified RSA Security Analytics Rule.

Bulk Data Transfer Report

Displays events where the amount of data transferred between the Source-Destination IP pairs is over 20 Mb or 50 Mb.

Dependent on the Bulk Data Transfer RSA Security Analytics rule.

Dependent on the following RSA Correlation Rules:

  • IPV4 Bulk Data Transfer 20 Mb
  • IPV4 Bulk Data Transfer 50 Mb
  • IPV6 Bulk Data Transfer 20 Mb
  • IPV6 Bulk Data Transfer 50 Mb

Cleartext Authentications

Displays events in which passwords were sent in cleartext over non-secure network protocols: FTP, HTTP, POP3, or SMTP.

Dependent on the Cleartext Authentications RSA Security Analytics Rule.

Dependent on the following RSA Application Rules:

  • TDSS Rootkit Variant Beaconing
  • TSONE Dorkbot Beaconing
  • Wikileaks Email Submission
  • File Transport over ICMP
  • File Transport over Unknown Protocol

Encrypted Traffic

Shows encrypted sessions that may warrant additional investigation by an analyst. A threat actor may use atypical protocols or ports to hide malicious activities such as data exfiltration.

Dependent on the following RSA Security Analytics Rules:

  • Encrypted Traffic over Non-Standard Port
  • Large Outbound Encrypted Sessions
  • Tox P2P Activity

Dependent upon Native or Lua network parsers for SSH and TLS.

Dependent on the Tox Supernode Feed.

Encrypted Traffic over Non-Standard Port

Summarizes sessions containing encrypted traffic that are not on port 22, 993, 995 or 443.

Dependent on the Encrypted Traffic Over Non-Standard Port RSA Security Analytics Rule.

Endpoint Machine Summary Report

Shows information for the machines configured to run the RSA NetWitness Endpoint agent including an OS and endpoint version summary.

Training on RSA NetWitness Endpoint, including analysis of Scan Data, may be found on RSA Link: https://community.rsa.com/docs/DOC-84977.

VERSIONS SUPPORTED

RSA NetWitness Endpoint 11.1 and higher

Security Analytics Rules:

  • Endpoint Operating Systems Summary
  • Endpoint Version Summary

Endpoint Scan Data Autorun and Scheduled Task Report

Looks for suspicious autoruns and tasks using a few key features. Autoruns/Scheduled Tasks mechanisms are often used by attackers to maintain persistence on a compromised host. This is not an exhaustive set of potentially suspicious autorun behavior, but should give an analyst visibility into some of the more common techniques leveraged by attackers.

Training on RSA NetWitness Endpoint, including analysis of Scan Data, may be found on RSA Link: https://community.rsa.com/docs/DOC-84977.

VERSIONS SUPPORTED

RSA NetWitness Endpoint 11.1 and higher

Security Analytics Rules:

  • Autoruns and Scheduled Tasks from or referencing AppData
  • Autoruns and Scheduled Tasks from Root of ProgramData
  • Autoruns and Scheduled Tasks Invoking Command Shell
  • Autoruns and Scheduled Tasks Invoking Windows Script Host
  • Autoruns and Scheduled Tasks Running Scripts
  • Rarest Autorun Registry Keys

Endpoint Scan Data File and Process Outliers Report

Focuses on rarity of particular process, file, and autorun features in the environment. While rarity in each of these results does not automatically imply malicious activity, it is important to analyze and justify outliers before ruling out the possibility. As certain results are determined to be benign, care should be taken to adjust the rule logic accordingly to avoid future hits. The schedule of this report should be at the same interval as your scheduled scans to avoid aggregating results across multiple scans.

Training on RSA NetWitness Endpoint, including analysis of Scan Data, may be found on RSA Link: https://community.rsa.com/docs/DOC-84977.

VERSIONS SUPPORTED

RSA NetWitness Endpoint 11.1 and higher

Security Analytics Rules:

  • Rarest Child Processes of Web Server Processes
  • Rarest Code Signing Certificate CNs
  • Rarest Parent Processes of cmd.exe
  • Rarest Parent Processes of powershell.exe
  • Rarest Processes Running from AppData
  • Windows Process Parent Child Mismatch

Endpoint Scan Data Host Report

Returns information about the endpoint for the configured hostname. This information can be useful when investigating a suspect machine. It includes autoruns, tasks, machine details, processes, services, DLLs, and files.

Training on RSA NetWitness Endpoint, including analysis of Scan Data, may be found on RSA Link: https://community.rsa.com/docs/DOC-84977.

VERSIONS SUPPORTED

RSA NetWitness Endpoint 11.1 and higher

CONFIGURATION

When the Endpoint Scan Data Host Report is scheduled to run, you must enter a hostname to return this scan data information.

Security Analytics Rules:

  • Autoruns and Tasks on Host
  • DLLs on Host
  • Files on Host
  • Machine Details on Host
  • Processes on Host
  • Services on Host


Executables

Presents instances of executable files that have been sent over the network.

This report has four sections:

  • Executables by
    • Domain
    • Country
  • Executables with abnormal characteristics
    • Suspicious
    • Warning

Dependent on the following RSA Security Analytics Rules:

  • Executables By Domain
  • Executables By Country
  • Executables With Abnormal Characteristics - Suspicious
  • Executables With Abnormal Characteristics - Warning

Dependent on the windows_executable RSA Lua parser.

Uses metadata generated from the Alert IDs Suspicious and Alert IDs Warning feeds.

File Transport over Uncommon Protocol

Displays files transported over uncommon protocols such as ICMP, as well as protocols identified as unknown.

Ignores files that are transferred over these common protocols:

  • HTTP
  • FTP
  • SMTP
  • POP
  • RSYNC
  • TFTP

Dependent on the File Transport Over Uncommon Protocol RSA Security Analytics Rule.

Dependent on the following RSA Application Rules:

  • File Transport over ICMP
  • File Transport over Unknown Protocol

Dependent on the Alert IDs Info feed.

Global Filtering Candidate

Shows an aggregated view of traffic that is being captured in your SA deployment.

Use this view to determine candidates for filtering. For instance, if the entire company reads CNN throughout the day, this report will show that usage. You could then make a decision to filter the CNN traffic from view, so that suspicious traffic becomes more noticeable.

Available rules and lists cover different browsing categories, such as Ad servers, streaming sites, social networks, and so on.

Dependent on the following RSA Security Analytics Rules:

  • GFC Ad Servers by Bandwidth
  • GFC Content Delivery Networks by Bandwidth
  • GFC News Portals by Bandwidth
  • GFC Streaming Media by Bandwidth
  • GFC Top Social Sites by Bandwidth
  • GFC Vendor Update Sites by Bandwidth

Dependent on the following Lists:

  • Ad Servers
  • Content Delivery Networks
  • News Portals
  • Social Sites
  • Streaming Media Sites
  • Vendor Update Sites

Hunting Detail

Note: This should be run as a daily report. The number of meta values reported may be large depending on traffic volume, and running over longer time frames may result in a query timeout.

The Hunting Pack is a set of content that derives indicators of compromise and anomalous events. See the Hunting Guide and the Hunting Feed for more details about the contents of the pack and the suggested investigation techniques.

This report displays events that have been categorized according to the following meta keys with added contextual evidence to assist an analyst.

  • Behaviors of Compromise: Designated for suspect or nefarious behavior outside the standard signature-based detection. This rule displays output when the meta key, Behaviors of Compromise, is populated.
  • Enablers of Compromise: Instances of poor information or operational security. Post-mortem often ties these to the root cause. This rule displays output when the meta key, Enablers of Compromise, is populated.
  • File Analysis: A large inspection library that highlights file characteristics and anomalies. This rule displays output when the meta key, File Analysis, is populated.
  • Indicators of Compromise: Possible intrusions into the network that can be identified through malware signatures or IPs and domains associated with command and control campaigns. This rule displays output when the meta key, Indicators of Compromise, is populated.
  • Service Analysis: Core application protocols identification and inspection. This rule displays output when the meta key, Service Analysis, is populated.
  • Session Analysis: A large inspection library that highlights session characteristics and anomalies. This rule displays output when the meta key, Session Analysis, is populated.

Dependent on the following RSA Security Analytics Rules:

  • Behaviors of Compromise Detail
  • Indicators of Compromise Detail
  • Enablers of Compromise Detail
  • File Analysis Detail
  • Session Analysis Detail
  • Service Analysis Detail

Dependent on the Hunting Feed

Dependent on the following Lua parsers:

  • apt_artifacts
  • DNS_verbose_lua
  • DynDNS
  • fingerprint_java
  • HTTP_lua
  • ICMP
  • MAIL_lua
  • MSU_rat
  • plugx
  • Poison_Ivy
  • RDP_lua
  • session_analysis
  • SMB_lua
  • TLD_lua
  • TLS_lua
  • traffic_flow
  • windows_command_shell_lua
  • windows_executable
  • xor_executable_lua

Hunting Summary Report

The Hunting Pack is a set of content that derives indicators of compromise and anomalous events. See the Hunting Guide and the Hunting Feed for more details about the contents of the pack and the suggested investigation techniques.

This report displays a summary of the events that have been categorized according to the following meta keys.

  • Behaviors of Compromise: Designated for suspect or nefarious behavior outside the standard signature-based detection. This rule displays output when the meta key, Behaviors of Compromise, is populated.
  • Enablers of Compromise: Instances of poor information or operational security. Post-mortem often ties these to the root cause. This rule displays output when the meta key, Enablers of Compromise, is populated.
  • File Analysis: A large inspection library that highlights file characteristics and anomalies. This rule displays output when the meta key, File Analysis, is populated.
  • Indicators of Compromise: Possible intrusions into the network that can be identified through malware signatures or IPs and domains associated with command and control campaigns. This rule displays output when the meta key, Indicators of Compromise, is populated.
  • Service Analysis: Core application protocols identification and inspection. This rule displays output when the meta key, Service Analysis, is populated.
  • Session Analysis: A large inspection library that highlights session characteristics and anomalies. This rule displays output when the meta key, Session Analysis, is populated.

Dependent on the following RSA Security Analytics Rules:

  • Behaviors of Compromise
  • Indicators of Compromise
  • Enablers of Compromise
  • File Analysis
  • Session Analysis
  • Service Analysis

Dependent on the Hunting Feed

Dependent on the following Lua parsers:

  • apt_artifacts
  • DNS_verbose_lua
  • DynDNS
  • fingerprint_java
  • HTTP_lua
  • ICMP
  • MAIL_lua
  • MSU_rat
  • plugx
  • Poison_Ivy
  • RDP_lua
  • session_analysis
  • SMB_lua
  • TLD_lua
  • TLS_lua
  • traffic_flow
  • windows_command_shell_lua
  • windows_executable
  • xor_executable_lua

Identity Management

Summarizes user account activity (creates, deletions, disables, modifications), group modifications, password changes and access revocations.

Dependent on the following RSA Security Analytics Rules:

  • Accounts Created
  • Accounts Deleted
  • Accounts Disabled
  • Accounts Modified
  • Group Management
  • Password Changes
  • Password Changes Summary
  • User Access Revoked

Dependent on the following RSA Security Analytics Application Rules:

  • account:created
  • account:deleted
  • account:disabled
  • account:modified
  • account:group-management
  • account:password-change
  • access:user-access-revoked

IP Profiling


Summarizes activity on your network based on a list of source IP addresses.

The report includes bandwidth utilization, risk alerts, threats, top destinations, OS types, browsers and clients.

To use the report, create and populate the report list with source IP addresses as noted in the dependencies.

Dependent on the following RSA Security Analytics Rules:

  • Alert IDs by Profiled Source IP
  • Alerts By Profiled Source IP
  • Bandwidth by Profiled Source IP
  • Browser IDs by Profiled Source IP
  • Client IDs by Profiled Source IP
  • OS By Profiled Source IP
  • Risk Info By Profiled Source IP
  • Risk Suspicious By Profiled Source IP
  • Risk Warning By Profiled Source IP
  • Services By Profiled Source IP
  • Threat Categories By Profiled Source IP
  • Threat Sources By Profiled Source IP
  • Top Destinations By Profiled Source IP - Bandwidth
  • Top Destinations By Profiled Source IP - Sessions

Dependent on the Filtering Candidate/Profile by Source IP List.

Dependent on the following RSA Lua parsers:

  • Browser Detection
  • OS Types

Uses metadata generated from the following feeds:

  • Alert IDs Info
  • Alert IDs Suspicious
  • Alert IDs Warning

Large Outbound Encrypted Sessions

Summarizes instances of HTTPS or SSH on any port where the destination is in non-RFC1918 address space and the session size is 5MB or greater. These connections are indicative of a file transfer.

Dependent on the Large Outbound Encrypted Sessions RSA Security Analytics Rule.

Dependent on the Large Outbound Encrypted Session RSA Security Analytics Application Rule.

Large Outbound Sessions

Summarizes instances of connections from RFC1918 address space to third-party sites where the session size is 5MB or greater. These connections are indicative of large file transfers.

Dependent on the Large Outbound Sessions RSA Security Analytics Rule.

Dependent on the Large Outbound Session RSA Security Analytics Application Rule.

Lateral Movement Indicators - Windows

Displays possible indicators of lateral movement on Windows systems.

For details on creating the High Value Assets custom feed, see Create Meta and Feed for Lateral Movement.

Dependent on the following RSA Security Analytics Rules:

  • Windows NTLM Network Logon Successful
  • Windows Logon to High Value Assets
  • Windows Credential Harvesting Services
  • Windows Automated Explicit Logon

Dependent on the following RSA Security Analytics Application Rules:

  • Windows NTLM Network Logon Successful (nw30060)
  • Windows Credential Harvesting Services (nw05415)

Dependent on the following RSA Correlation Rule: Windows Automated Explicit Logon (nw05410).

Requires the winevent.nic log parser.

Uses metadata generated from the following feed:

High Value Assets (Custom feed populating custom meta keys of High Value Asset Group, fd.hv.group and Escalation Contact, fd.escalate). The feed may populate these keys based on the event computer or device IP.

Malware Activity

Displays traffic that has been going to a known malicious IP address or references a hostname that is known to be malicious. This could indicate an infected host on your network.

The native Network packet parser must be enabled. (This parser is enabled by default.)

You need at least one of these feeds deployed:

  • Investigation
  • RSA FirstWatch C2 Domains
  • RSA FirstWatch C2 IPs
  • RSA FirstWatch APT Domains
  • RSA FirstWatch APT IPs

If deploying the Investigation feed, you will need at least one of the related Lua parsers:

  • HTTP_lua or TLS_lua
  • DNS_verbose_lua or DynDNS

If collecting logs, you need at least one event source with a device class of web logs. This includes web proxy and security products such as Cisco WSA and Squid. You also need at least one event source from the following device classes:

  • Firewall
  • IDS
  • IPS
  • Netflow (rsaflow)

Note: For deployments prior to 10.6.2, you also need to configure a set of new meta keys: inv.context and inv.category. See the product documentation for the Investigation Feed for more details: https://community.rsa.com/docs/DOC-62303.

Netflow - Excessive DNS Responses

Requires a 10.4 or higher Log Collector for the Netflow collection protocol. Displays excessive DNS responses by client and server IP address. This could indicate that someone is collecting information for a possible attack.

Ensure that the meta keys 'direction' and 'Source Port (ip.srcport)' are indexed in table-map.xml and index-concentrator-custom.xml.

Dependent on the following RSA Security Analytics Rules:

  • Netflow - Excessive DNS Responses by Client IP
  • Netflow - Excessive DNS Responses by Server IP

Dependent on the following device parser:

  • For SA 10.3.x and lower: rsaflow
  • For SA 10.4 and higher: cef

Netflow - Filtering Candidates

Requires a 10.4 or higher Log Collector for the Netflow collection protocol. Displays network traffic analysis information. An overview of the network is presented by listing the top protocols, top applications, and first-heard IPs.

Ensure that the meta key 'direction' is indexed in table-map.xml and index-concentrator-custom.xml.

Dependent on the following RSA Security Analytics Rules:

  • Netflow - Top Applications
  • Netflow - Top Protocols
  • Netflow - First Heard by Source IP
  • Netflow - First Heard by Destination IP

Dependent on the following device parser:

  • For SA 10.3.x and lower: rsaflow
  • For SA 10.4 and higher: cef

Netflow - TCP Resets by Source IP

Requires a 10.4 or higher Log Collector for the Netflow collection protocol. Displays TCP resets by source IP address. Useful for determining whether any devices are behaving abnormally.

Ensure that the meta key 'direction' is indexed in table-map.xml and index-concentrator-custom.xml.

Dependent on the Netflow - TCP Resets by Source IP RSA Security Analytics Rule.

Dependent on the following device parser:

  • For SA 10.3.x and lower: rsaflow
  • For SA 10.4 and higher: cef

Dependent on the TCP Flags Seen RSA Security Analytics Feed.

Netflow - Top Communicants

Requires a 10.4 or higher Log Collector for the Netflow collection protocol. Displays different types of top talkers via Netflow. The data in the report can be used to identify possible sources of DoS or disruption.

It can also be used to identify sources of data exfiltration.

Ensure that the meta key 'direction' is indexed in table-map.xml and index-concentrator-custom.xml.

Dependent on the following RSA Security Analytics Rules:

  • Netflow - Volume - Top Talkers by Destination Port
  • Netflow - Volume - Top Talkers by Source IP
  • Netflow - Top Talkers by Source IP

Dependent on the following device parser:

  • For SA 10.3.x and lower: rsaflow
  • For SA 10.4 and higher: cef

NetWitness Incident Management

Provides the ability to report on the IMDB component of NetWitness.

For more details, see the Reporting on IMDB blog post on RSA Link.

Dependent on the following RSA Security Analytics Rules:

  • NetWitness Alert Summary
  • NetWitness Incident Summary
  • NetWitness Alert Details

Network Activity

Displays summary data for top network activity for the following:

  • Top Alias Host Destination by Session Count
  • Top Alias Host Destination by Source IP
  • Top Destination Country by Session Count
  • Top Destination Country by Session Size
  • Top Destination Country by Source IP
  • Top HTTPS Destination IP by Session Size
  • Top Network Service by Session Count

Dependent on the following RSA Security Analytics Rules:

  • Top Alias Host Destination by Session Count
  • Top Alias Host Destination by Source IP
  • Top Destination Country by Session Count
  • Top Destination Country by Session Size
  • Top Destination Country by Source IP
  • Top HTTPS Destination IP by Session Size
  • Top Network Service by Session Count

Non-Standard Traffic

This report displays sessions that are categorized as unusual based on service and port usage. Each session is either a known service found on a non-standard port or an unknown service found on a standard port.

Dependent on the following RSA Security Analytics Rules:

  • Unknown service detected over Standard Network Port
  • Known Service detected on Non-Standard Network Port

Dependent on the following RSA Application Rules:

  • DNS Over Non-Standard Port
  • Non-Standard Port Use - Telnet
  • Non-Standard Port Use - FTP
  • HTTP over Non-Standard Port
  • Non-Standard Port Use - SSH
  • Non-Standard Port Use - SMTP
  • Non-Standard Port Use - DHCP
  • Non-Standard Port Use - TFTP
  • Non-Standard Port Use - POP3
  • Non-Standard Port Use - NNTP
  • Non-Standard Port Use - RPC
  • Non-Standard Port Use - NetBios
  • Non-Standard Port Use - SMB
  • Non-Standard Port Use - SNMP
  • Non-Standard Port Use - SSL
  • Non-Standard Port Use - RIP
  • Non-Standard Port Use - TDS
  • Non-Standard Port Use - TNS
  • Non-Standard Port Use - H323
  • Non-Standard Port Use - RTP
  • Non-Standard Port Use - SIP
  • Non-Standard Port Use - IRC
  • Unknown Service Over DNS Port
  • Unknown Service Over FTP Port
  • Unknown Service Over HTTP Port
  • Unknown Service Over Telnet Port
  • Unknown Service Over SMTP Port
  • Unknown Service Over POP3 Port
  • Unknown Service Over IRC Port
  • Unknown Service Over NNTP Port
  • Unknown Service Over SMB Port
  • Unknown Service Telnet Port
  • Unknown Service Over SSL Port

Password Change on Privileged Account

Displays instances of privileged account passwords being changed.

It includes a list that may be customized to include the privileged user accounts in your network environment.

To use the report, create and populate the report list with user accounts as noted in the dependencies.

Dependent on the Password Change on Privileged Account RSA Security Analytics Rule.

Dependent on the account:password-change RSA Security Analytics Application Rule.

Dependent on the User Activity / Administrative Users List.

Phishing Profile

Summarizes data relevant to phishing.

In particular, it summarizes the following:

  • Top email addresses by frequency
  • Top email destinations by frequency
  • Top email subjects
  • Top file extension of attachments by frequency
  • HREF header mismatches

Dependent on the following RSA Security Analytics Rules:

  • Top Email Addresses By Frequency
  • Top Email Destinations By Frequency
  • Top Email Subjects
  • Top File Extensions By Frequency
  • Mismatched HREF Header

Dependent on the following RSA Lua parsers:

  • imap.lua
  • smtp.lua

RSA SecurID Authentication Summary

This report summarizes all RSA SecurID Authentications. An incident response analyst may want to review all two-factor authentication activity over a given period of time.

Each authentication type is paired with associated user, event counts and a description of each outcome.

Note: You need to index the non-standard meta key 'result' on the Log Decoder and Concentrator in order to fully populate this report. The key needs to be added to the following files, and the services restarted.

To index-concentrator-custom.xml on the Concentrator, add:

<key description="Result" level="IndexValues" name="result" format="Text" valueMax="10000" defaultAction="Open"/>

To table-map-custom.xml on the Log Decoder, add:

<mapping envisionName="result" nwName="result" flags="None" format="Text" envisionDisplayName="Result|Volume|Information|Reason|Succeed/Failed"/>

Dependent on the following RSA Security Analytics rules:

  • RSA SecurID-Bad PIN Good Token Code
  • RSA SecurID-Bad PIN Previous Token Code
  • RSA SecurID-Bad Token Code Bad PIN
  • RSA SecurID-Bad Token Code Good PIN
  • RSA SecurID-Static Passcode Authentication
  • RSA SecurID-Token Code Reuse
  • RSA SecurID-Unknown User Failed Login
  • RSA SecurID-Account Lockouts

Also dependent on the RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv).

Scanning Activity

Reports vertical and horizontal port scans for both IPv4 and IPv6 addresses across network sessions.

Dependent on the following RSA Security Analytics Rules:

  • IPv4 Horizontal Port Scans
  • IPv4 Vertical Port Scans
  • IPv6 Horizontal Port Scans
  • IPv6 Vertical Port Scans

Dependent on the following RSA Correlation Rules:

  • IPv4 Horizontal Port Scans
    • IPv4 Horizontal Port Scan 5
    • IPv4 Potential Web Sweep 10
    • IPv4 Potential DB Server Sweep
  • IPv4 Vertical Port Scans
    • IPv4 Vertical TCP Port Scan 5
    • IPv4 Vertical UDP Port Scan 5
  • IPv6 Horizontal Port Scans
    • IPv6 Horizontal Port Scan 5
    • IPv6 Potential Web Sweep 10
    • IPv6 Potential DB Server Sweep
  • IPv6 Vertical Port Scans
    • IPv6 Vertical TCP Port Scan 5
    • IPv6 Vertical UDP Port Scan 5

Security Analytics Administration Report

10.5 and higher. Provides a summary and detail view of the Security Analytics Administration - Audit events rule.

This report uses the non-indexed keys 'result' and 'msg'. They need to be indexed on the Log Decoder in table-map-custom.xml and added to the Concentrator through index-concentrator-custom.xml.

Dependent on the following RSA Security Analytics Rules:

  • Events Classification Summary
  • Hosts and Events Summary
  • User Activity by Source IP Summary
  • User Authentication Attempts Details
  • User Authentication Failure Details
  • User Authentication Failure Reason Summary

Shadow IT Use

Detects shadow IT use within the organization.

At least one of the dependent application rules (organized by category of shadow IT) must be deployed to the Decoder in order to populate the report.

Dependent on the following RSA Security Analytics Rules:

  • Shadow IT Use High Risk
  • Shadow IT Use by Category - Event Count
  • Shadow IT Use by Category - Session Size
  • Shadow IT Use by IP Source
  • Shadow IT Use by BYOD

Dependent on the following List: Watchlist by IP (optional for High Risk report)

Dependent on the following RSA Application Rules:

  • Stealth Email Use
  • Voice Chat Apps
  • File Sharing Apps
  • BYOD Mobile Web Agent Detected
  • Large Outbound Session

Dependent on the following RSA Lua Parsers:

  • http_lua
  • tls_lua

Suspicious SSH Activity

Reports two activities:

  • Any SSH going to external IP addresses
  • Any SSH detected over a port other than 22

Dependent on the following RSA Security Analytics Rules:

  • SSH to External Address
  • SSH over Non Standard Port

Dependent on the following RSA Application Rules:

  • SSH to external
  • Non-standard port use

Top 10 Risk Suspicious

Summarizes Top 10 Risk Suspicious by Source, Destination and Session Size

Dependent on the following RSA Security Analytics Rules:

  • Top 10 Risk Suspicious By Source IP
  • Top 10 Risk Suspicious By Destination IP
  • Top 10 Risk Suspicious By Session Size

Dependent on the following RSA Lua Parsers:

  • HTTP_SQL_Injection
  • fingerprint_javascript_lua
  • SMB_lua
  • fingerprint_zip
  • OCSP_lua
  • Signed_Executable
  • Mail_lua
  • PACKERS
  • DNS_verbose_lua
  • ghost
  • fingerprint_chm_lua
  • fingerprint_pdf_lua
  • fingerprint_flash
  • fingerprint_rar_lua

Uses metadata generated from the Alert IDs Suspicious feed.

Top 10 Risk Warning

Summarizes Top 10 Risk Warning by Source, Destination and Session Size

Dependent on the following RSA Security Analytics Rules:

  • Top 10 Risk Warning By Source IP
  • Top 10 Risk Warning By Destination IP
  • Top 10 Risk Warning By Session Size

Dependent on the following RSA Lua Parsers:

  • fingerprint_javascript_lua
  • phishing_lua
  • DNS_verbose_lua
  • ghost
  • fingerprint_chm_lua
  • fingerprint_pdf_lua

Uses metadata generated from the Alert IDs Warning feed.

Top 10 Situational Awareness

Summarizes a set of top 10 data points to provide situational awareness of the general goings-on in your network environment.

These data points include: Web sites by category, destination countries, detailed destination countries, destination IPs, search engine queries, services, uncategorized sites, websites and countries with warning or suspicious level alerts.

Dependent on the following RSA Security Analytics Rules:

  • Top 10 Categorized Sites
  • Top 10 Destination Countries
  • Top 10 Destination Countries by Service Type
  • Top 10 Destination IP Addresses
  • Top 10 Search Engine Queries
  • Top 10 Services
  • Top 10 Uncategorized Sites
  • Top 10 Websites
  • Top 10 Destination Countries With Warning And Suspicious Level Alerts

Dependent on the following RSA Lua parsers:

  • proxy_block.lua
  • search_query

Uses metadata generated from the Alert IDs Suspicious and Alert IDs Warning feeds.

Top Communicants

Summarizes the top communicants on your network by foreign country, protocol, outbound protocol, outbound source IP and foreign domain.

Dependent on the following RSA Security Analytics Rules:

  • Top Foreign Countries
  • Top Foreign Domains
  • Top Outbound Protocols
  • Top Outbound Source IP
  • Top Protocols

Also dependent on the Local_Country List.

User Watch

Summarizes observed activity associated with one or more users populated in a watchlist.

Activity summaries include login, logout, cleartext authentication, email and activity categorized as risk.suspicious and risk.warning.

To use the report, create and populate the report lists as noted in the dependencies.

Dependent on the following RSA Security Analytics Rules:

  • Cleartext Authentications By User Watchlist
  • Email Address Activity By User Watchlist
  • Email Address User By User Watchlist
  • Login Failures by User Watchlist
  • Login Success by User Watchlist

Dependent on the following RSA Security Analytics Application Rules:

  • Passwords over HTTP
  • Passwords over FTP
  • Passwords over Pop3
  • Passwords over SMTP
  • Passwords over Other Protocols
  • account:logon-failure
  • account:logon-success
  • account:logout

Dependent on the following Lists:

  • User Activity/Watchlist by Name
  • User Activity/Watchlist by IP
  • User Activity/Watchlist by Hostname
  • User Activity/Watchlist by Email Address

Uses metadata generated from the following feeds:

  • Alert IDs Suspicious
  • Alert IDs Warning