RSA NetWitness Reports

Document created by RSA Information Design and Development on May 25, 2016. Last modified by RSA Information Design and Development on Oct 8, 2018.
Version 168

This topic lists the RSA NetWitness Reports. The reports are built upon rules and lists. When you download a report, all necessary RSA NetWitness Rules and RSA NetWitness Lists are also downloaded. You may, however, need to download supporting RSA Application Rules and parsers.

Note: For content that has been discontinued, see Discontinued Content.

                                                                                                                                                                                                                                                                                                                                                                                                                  
For each report, the entry below gives the display name, then File Name, Description, Medium (log, packet, or both) and Tags.

All Risk Suspicious
File Name: All Risk Suspicious
Description: This report lists all Risk Suspicious alerts by source, destination and session size.
Medium: log, packet
Tags: threat, identity, assurance, operations, situation awareness

All Risk Warning
File Name: All Risk Warning
Description: This report lists all Risk Warning alerts by source, destination and session size.
Medium: log, packet
Tags: threat, identity, assurance, operations, situation awareness

Anonymous Proxy and Remote Control Activity
File Name: Anonymous Proxy and Remote Control Activity
Description: Displays suspected use of services, clients or protocols for anonymous access or remote control activity.
Medium: log, packet
Tags: assurance, compliance, audit, operations, event analysis, situation awareness

AWS Access Permissions Modified Report
File Name: AWS Access Permissions Modified Report
Description: Requires 10.5 and higher. Detects when Amazon Web Services (AWS) instance permissions are modified. The AWS CloudTrail log parser is a required dependency.
Medium: log
Tags: assurance, compliance, audit, identity, authorization

AWS Critical VM Modified Report
File Name: AWS Critical VM Modified Report
Description: Requires 10.5 and higher. Detects when critical Amazon Web Services (AWS) virtual machine instances are modified. Actions detected include instances being terminated, stopped and rebooted, as well as modification of instance attributes and monitoring status. To trigger an alert, you must create a custom feed of critical instance source IPs that populates the alert meta key with the value "critical_vm". The AWS CloudTrail log parser is a required dependency.
Medium: log
Tags: assurance, compliance, audit, identity, authorization

BASEL II - Compliance Report
File Name: BASEL II - Compliance Report
Description: Introduces the Basel II report templates. Basel II compliance reports are based on recommendations by bank supervisors and central bankers to improve the consistency of capital regulations internationally, make regulatory capital more risk sensitive, and promote enhanced risk-management practices among international banking organizations.
Medium: log
Tags: assurance, compliance, audit

BILL 198 - Compliance Report
File Name: BILL 198 - Compliance Report
Description: Introduces the Bill 198 compliance reports. Bill 198 empowers the Ontario Securities Commission to develop guidelines that protect investors in public Canadian companies by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.
Medium: log
Tags: assurance, compliance, audit

Bulk Data Transfer - Report
File Name: Bulk Data Transfer - Report
Description: Displays events where the amount of data transferred between a source-destination IP pair exceeds 20 MB or 50 MB.
Medium: packet
Tags: assurance, compliance, audit

Cleartext Authentications
File Name: Cleartext Authentications
Description: This report displays events in which passwords were sent in cleartext over network protocols such as FTP, HTTP, POP3 and SMTP.
Medium: packet
Tags: assurance, risk, organizational hazard, operations, event analysis, protocol analysis

Encrypted Traffic
File Name: Encrypted Traffic
Description: This report shows encrypted sessions that may warrant additional investigation by an analyst. A threat actor may use atypical protocols or ports to hide malicious activity such as data exfiltration.
Medium: log, packet
Tags: operations, situation awareness

Encrypted Traffic over Non-Standard Port
File Name: Encrypted Traffic over Non-Standard Port
Description: Summarizes sessions containing encrypted traffic on ports other than 22, 443, 993 and 995.
Medium: packet
Tags: operations, event analysis, protocol analysis
Endpoint Machine Summary Report
File Name: endpoint_machine_summary_report
Description: This report shows information for the machines configured to run the RSA NetWitness Endpoint agent, including an OS and endpoint version summary. Training on RSA NetWitness Endpoint, including analysis of scan data, may be found on RSA Link: https://community.rsa.com/docs/DOC-84977.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher

DEPENDENCIES
NetWitness Rules:
* Endpoint Operating Systems Summary
* Endpoint Version Summary

Medium: log
Tags: assurance, compliance, corporate, risk, vulnerability management
Endpoint Scan Data Autorun and Scheduled Task Report
File Name: endpoint_scan_data_autorun_and_scheduled_task_report
Description: This report looks for suspicious autoruns and scheduled tasks using a few key features. Autorun and scheduled task mechanisms are often used by attackers to maintain persistence on a compromised host. This is not an exhaustive set of potentially suspicious autorun behavior, but it gives an analyst visibility into some of the more common techniques attackers use. Training on RSA NetWitness Endpoint, including analysis of scan data, may be found on RSA Link: https://community.rsa.com/docs/DOC-84977.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher

DEPENDENCIES
NetWitness Rules:
* Autoruns and Scheduled Tasks From or Referencing AppData
* Autoruns and Scheduled Tasks From Root of Program Data
* Autoruns and Scheduled Tasks Invoking Command Shell
* Autoruns and Scheduled Tasks Invoking Windows Script Host
* Autoruns and Scheduled Tasks Running Scripts
* Rarest Autorun Registry Keys

Medium: log
Tags: attack phase, exploit, threat
Endpoint Scan Data File and Process Outliers Report
File Name: endpoint_scan_data_file_and_process_outliers_report
Description: This report focuses on the rarity of particular process, file and autorun features in the environment. Rarity in any of these results does not by itself imply malicious activity, but outliers should be analyzed and justified before the possibility is ruled out. As results are determined to be benign, adjust the rule logic accordingly to avoid future hits. Schedule this report at the same interval as your scheduled scans, so that results are not aggregated across multiple scans. Training on RSA NetWitness Endpoint, including analysis of scan data, may be found on RSA Link: https://community.rsa.com/docs/DOC-84977.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher

DEPENDENCIES
NetWitness Rules:
* Rarest Child Processes of Web Server Processes
* Rarest Code Signing Certificate CNs
* Rarest Parent Processes of cmd.exe
* Rarest Parent Processes of powershell.exe
* Rarest Processes Running from AppData
* Windows Process Parent Child Mismatch

Medium: log
Tags: attack phase, exploit, malware, threat
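The rule names listed for the two Endpoint Scan Data reports above describe the heuristics they apply: rarity of a feature across the fleet (parent of cmd.exe or powershell.exe, autorun registry key, child of a web server process), a parent/child lineage check, and string features of autorun commands (AppData paths, the root of ProgramData, cmd.exe or powershell.exe, Windows Script Host, script file extensions). The following Python is an added example of those heuristics run over constructed scan data; it is not RSA's report logic and not output of NetWitness Endpoint. The record layout, the EXPECTED_PARENT lineage table, the WEB_SERVERS set and the regular expressions are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed scan-data sample (not real NetWitness Endpoint output): one record
# per process observed on a host, with the parent that launched it.
PROCESSES = [
    {"host": "ws01", "name": "svchost.exe",    "parent": "services.exe"},
    {"host": "ws02", "name": "svchost.exe",    "parent": "services.exe"},
    {"host": "ws03", "name": "svchost.exe",    "parent": "winword.exe"},   # lineage mismatch
    {"host": "ws01", "name": "cmd.exe",        "parent": "explorer.exe"},
    {"host": "ws02", "name": "cmd.exe",        "parent": "explorer.exe"},
    {"host": "ws03", "name": "cmd.exe",        "parent": "winword.exe"},   # rare parent of cmd.exe
    {"host": "ws01", "name": "powershell.exe", "parent": "explorer.exe"},
    {"host": "ws04", "name": "powershell.exe", "parent": "w3wp.exe"},      # web server spawning a shell
]

# Constructed autorun sample: the registry key and the command it launches.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
AUTORUNS = [
    {"host": "ws01", "key": RUN_KEY, "command": r'"C:\Program Files\Vendor\agent.exe"'},
    {"host": "ws02", "key": RUN_KEY, "command": r"C:\Users\bob\AppData\Roaming\svc.exe"},
    {"host": "ws03", "key": RUN_KEY, "command": r"wscript.exe //B C:\ProgramData\upd.vbs"},
    {"host": "ws04", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls",
     "command": r"C:\ProgramData\update.exe"},
]

# Assumption: a small subset of normal Windows process lineage, enough to show
# the parent/child mismatch check; a production table is considerably longer.
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
}
WEB_SERVERS = {"w3wp.exe", "httpd.exe", "nginx.exe"}  # assumption: names treated as web servers

# Patterns for the autorun heuristics (lower-cased command lines).
SHELL_RE = re.compile(r'(?:^|[\\\s"])(?:cmd|powershell)\.exe\b')
WSH_RE = re.compile(r'(?:^|[\\\s"])(?:wscript|cscript)\.exe\b')
SCRIPT_RE = re.compile(r"\.(?:vbs|vbe|js|jse|ps1|bat|cmd|hta|wsf)\b")
PROGDATA_ROOT_RE = re.compile(r'^"?c:\\programdata\\[^\\"]+\.exe\b')  # file directly under ProgramData


def rarest_by_host(records, field, top_n=3, only=None):
    """Rank values of `field` by the number of distinct hosts they occur on,
    rarest first. `only` restricts the records considered, e.g. to cmd.exe
    processes when ranking its parents."""
    hosts = defaultdict(set)
    for r in records:
        if only is None or only(r):
            hosts[r[field].lower()].add(r["host"])
    ranked = sorted(hosts.items(), key=lambda kv: (len(kv[1]), kv[0]))
    return [(value, len(h)) for value, h in ranked[:top_n]]


def parent_child_mismatches(processes):
    """Processes whose parent is not the one the lineage table expects."""
    return [p for p in processes
            if p["name"].lower() in EXPECTED_PARENT
            and p["parent"].lower() not in EXPECTED_PARENT[p["name"].lower()]]


def autorun_flags(command):
    """Names of the suspicious-autorun heuristics a launch command matches."""
    cmd = command.lower()
    flags = []
    if "\\appdata\\" in cmd:
        flags.append("from_or_referencing_appdata")
    if PROGDATA_ROOT_RE.match(cmd):
        flags.append("root_of_programdata")
    if SHELL_RE.search(cmd):
        flags.append("invokes_command_shell")
    if WSH_RE.search(cmd):
        flags.append("invokes_windows_script_host")
    if SCRIPT_RE.search(cmd):
        flags.append("runs_script")
    return flags


if __name__ == "__main__":
    print("rarest parents of cmd.exe:",
          rarest_by_host(PROCESSES, "parent", only=lambda r: r["name"] == "cmd.exe"))
    print("rarest children of web servers:",
          rarest_by_host(PROCESSES, "name", only=lambda r: r["parent"] in WEB_SERVERS))
    print("rarest autorun keys:", rarest_by_host(AUTORUNS, "key"))
    print("lineage mismatches:",
          [(p["host"], p["name"], p["parent"]) for p in parent_child_mismatches(PROCESSES)])
    for a in AUTORUNS:
        print(a["host"], autorun_flags(a["command"]))
```

Rarity is counted in distinct hosts rather than raw hits, so a single noisy machine cannot make a value look common; in a real deployment the host set must cover one scan interval only, which is why the report above is scheduled at the scan interval.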
Endpoint Scan Data Host Report
File Name: endpoint_scan_data_host_report
Description: This report returns information about the endpoint for the configured hostname. This information can be useful when investigating a suspect machine. It includes autoruns, tasks, machine details, processes, services, DLLs and files. Training on RSA NetWitness Endpoint, including analysis of scan data, may be found on RSA Link: https://community.rsa.com/docs/DOC-84977.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher

CONFIGURATION
When the Endpoint Scan Data Host Report is scheduled to run, you must enter a hostname, or configure and use a NetWitness List of hostnames, for the scan data to be returned.

DEPENDENCIES
NetWitness Rules:
* Autoruns and Tasks on Host
* DLLs on Host
* Files on Host
* Machine Details on Host
* Processes on Host
* Services on Host

Medium: log
Tags: assurance, compliance, corporate, risk, vulnerability management
Executables
File Name: Executables
Description: This report presents instances of executables detected on the wire. It is broken into four sections: Executables by Domain, Executables by Country, and Executables with abnormal characteristics (Suspicious and Warning).
Medium: packet
Tags: operations, event analysis, file analysis

FERPA - Compliance Report
File Name: FERPA - Compliance Report
Description: Introduces the Family Educational Rights and Privacy Act (FERPA) compliance report templates. FERPA (20 U.S.C. 1232g, 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
Medium: log
Tags: assurance, compliance, audit

FFIEC - Compliance Report
File Name: FFIEC - Compliance Report
Description: Introduces the Federal Financial Institutions Examination Council (FFIEC) compliance templates. The FFIEC is a body of the United States government empowered to prescribe principles, standards and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), the Consumer Financial Protection Bureau (CFPB) and the State Liaison Committee (SLC).
Medium: log
Tags: assurance, compliance, audit

File Transport Over Uncommon Protocol
File Name: File Transport Over Uncommon Protocol
Description: Displays files transported over uncommon protocols such as ICMP, and over protocols identified as unknown. The report ignores files transferred over the common protocols HTTP, FTP, SMTP, POP, RSYNC and TFTP.
Medium: packet
Tags: operations, event analysis, protocol analysis

FISMA - Compliance Report
File Name: FISMA - Compliance Report
Description: Introduces the Federal Information Security Management Act (FISMA) compliance templates. FISMA is designed to ensure appropriate security controls for government information systems.
Medium: log
Tags: assurance, audit, compliance

GLBA - Compliance Report
File Name: GLBA - Compliance Report
Description: Introduces the Gramm-Leach-Bliley Act (GLBA) compliance templates. GLBA requires companies defined under the law as "financial institutions" to ensure the security and confidentiality of customer information. As part of its implementation of GLBA, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure.
Medium: log
Tags: assurance, compliance, audit

Global Filtering Candidate Report
File Name: Global Filtering Candidate Report
Description: Shows an aggregated view of the traffic being captured in your SA deployment. Use this view to determine candidates for filtering. For instance, if the entire company reads CNN throughout the day, this report will show that usage; you could then decide to filter the CNN traffic from view so that suspicious traffic becomes more noticeable. The available rules and lists cover different browsing categories, such as ad servers, streaming sites, social networks, and so on.
Medium: log, packet
Tags: operations, event analysis, filters

GPG-13 - Compliance Report
File Name: GPG-13 - Compliance Report
Description: Good Practice Guide 13 (GPG13) defines requirements for protective monitoring (for example, the use of intrusion detection and prevention systems, IDS/IPS) with which local authorities must comply in order to prevent accidental or malicious data loss.
Medium: log
Tags: assurance, compliance, audit

HIPAA - Compliance Report
File Name: HIPAA - Compliance Report
Description: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates that providers, health plans, clearinghouses and their business associates establish appropriate administrative, technical and physical safeguards to protect the privacy and security of sensitive health information.
Medium: log
Tags: assurance, compliance, audit
Hunting Detail
File Name: Hunting Detail
Description: The Hunting Pack is a set of content that derives indicators of compromise and anomalous events. See the Hunting Guide, https://community.rsa.com/docs/DOC-62341, and the Hunting Feed, https://community.rsa.com/docs/DOC-62301, for details about the contents of the pack and the suggested investigation techniques.

This report displays events that have been categorized according to the following meta keys, with added contextual evidence to assist an analyst.

Note: Run this as a daily report. The number of meta values reported can be large depending on traffic volume, and running over longer time frames may result in a query timeout.

- Indicators of Compromise: Possible intrusions into the network that can be identified through malware signatures, or through IPs and domains associated with command and control campaigns
- Behaviors of Compromise: Suspect or nefarious behavior outside standard signature-based detection
- Enablers of Compromise: Instances of poor information or operational security; post-mortems often tie these to the root cause
- Service Analysis: Identification and inspection of core application protocols
- Session Analysis: Client-server communication deviations
- File Analysis: A large inspection library that highlights file characteristics and anomalies

Medium: log, packet
Tags: application analysis, attack phase, event analysis, featured, file analysis, malware, operations, threat

Hunting Summary
File Name: Hunting Summary
Description: The Hunting Pack is a set of content that derives indicators of compromise and anomalous events. See the Hunting Guide, https://community.rsa.com/docs/DOC-62341, and the Hunting Feed, https://community.rsa.com/docs/DOC-62301, for details about the contents of the pack and the suggested investigation techniques.

This report displays a summary of the events that have been categorized according to the following meta keys:

- Indicators of Compromise: Possible intrusions into the network that can be identified through malware signatures, or through IPs and domains associated with command and control campaigns
- Behaviors of Compromise: Suspect or nefarious behavior outside standard signature-based detection
- Enablers of Compromise: Instances of poor information or operational security; post-mortems often tie these to the root cause
- Service Analysis: Identification and inspection of core application protocols
- Session Analysis: Client-server communication deviations
- File Analysis: A large inspection library that highlights file characteristics and anomalies

Medium: log, packet
Tags: application analysis, attack phase, event analysis, featured, file analysis, malware, operations, threat
Identity Management
File Name: Identity Management
Description: Summarizes user account activity (creations, deletions, disables, modifications), group modifications, password changes and access revocations.
Medium: log
Tags: identity, accounting, operations, situation awareness

Inbound Network Traffic - Top 25
File Name: Inbound Network Traffic - Top 25
Description: Compliance report template: Inbound Network Traffic - Top 25.
Medium: log
Tags: operations, event analysis, protocol analysis, flow analysis

IP Profiling
File Name: IP Profiling
Description: Summarizes activity on your network based on a list of source IP addresses. The report includes bandwidth utilization, risk alerts, threats, top destinations, OS types, browsers and clients. To use the report, create and populate the report list with source IP addresses as noted in the dependencies.
Medium: log, packet
Tags: identity, accounting, operations, situation awareness

ISO27002 - Compliance Report
File Name: ISO27002 - Compliance Report
Description: ISO 27002 establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization. ISO 27002 is used as the foundation and technical guideline for many international and industry compliance standards, and is generally good practice for all organizations.
Medium: log
Tags: assurance, compliance, audit

Large Outbound Encrypted Sessions
File Name: Large Outbound Encrypted Sessions
Description: Summarizes instances of HTTPS or SSH on any port where the destination is in non-RFC 1918 address space and the session size is 5 MB or greater. Sessions of this size are indicative of a file transfer.
Medium: packet
Tags: assurance, risk, organizational hazard, operations, event analysis, flow analysis

Large Outbound Sessions
File Name: Large Outbound Sessions
Description: Summarizes sessions from RFC 1918 to non-RFC 1918 addresses with a session size of 5 MB or greater, which is indicative of a large file transfer.
Medium: packet
Tags: assurance, event analysis, flow analysis, operations, organizational hazard, risk

Lateral Movement Indicators - Windows
File Name: Lateral Movement Indicators - Windows
Description: Displays possible indicators of lateral movement on Windows systems.
Medium: log
Tags: action on objectives, attack phase, featured, lateral movement, threat
Malware Activity Report
File Name: Malware Activity Report
Description: Displays traffic going to a known malicious IP address or referencing a hostname known to be malicious. This could indicate an infected host on your network. The native NETWORK packet parser must be enabled (it is enabled by default).
You will also need at least one of the following feeds deployed.

Feeds
* Investigation
* RSA FirstWatch C2 Domains
* RSA FirstWatch C2 IPs
* RSA FirstWatch APT Domains
* RSA FirstWatch APT IPs

If deploying the Investigation feed, you will also need one Lua parser from each of the following pairs.

Lua Parsers
* HTTP_lua OR TLS_lua
* DNS_verbose_lua OR DynDNS

If collecting logs, you will need at least one event source with a device class of web logs (web proxy and security products such as Cisco WSA and Squid), and at least one event source from the following device classes:
* Firewall
* IDS
* IPS
* Netflow (rsaflow)

Note: For deployments prior to 10.6.2, you must also configure two new meta keys, inv.context and inv.category. See the product documentation for the Investigation Feed for details: https://community.rsa.com/docs/DOC-62303.

Medium: log, packet
Tags: featured, malware, threat
NERC-CIP - Compliance Report
File Name: NERC-CIP - Compliance Report
Description: The NERC CIP compliance reports are based on the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) program requirements. The CIP program coordinates NERC's efforts to improve the physical and cyber security of the bulk power system of North America as it pertains to reliability. This includes standards development, compliance enforcement, assessments of risk and preparedness, disseminating critical information to industry via alerts, and raising awareness of key issues.
Medium: log
Tags: assurance, compliance, audit

Netflow - Excessive DNS Responses
File Name: Netflow - Excessive DNS Responses
Description: Requires a 10.4 or higher Log Collector for the Netflow collection protocol. Displays excessive DNS responses by client and server IP address; this could indicate that someone is collecting information for a possible attack. For this report to populate, ensure that the device parser "RSAFlow" (10.3 Log Decoder) or "CEF" (10.4 Log Decoder) is enabled, and that the meta keys "direction" and "Source Port (ip.srcport)" are indexed in table-map-custom.xml on the Log Decoder and index-concentrator-custom.xml on the Concentrator.
Medium: log
Tags: operations, event analysis, protocol analysis, flow analysis

Netflow - Filtering Candidates
File Name: Netflow - Filtering Candidates
Description: Requires a 10.4 or higher Log Collector for the Netflow collection protocol. This report displays network traffic analysis: an overview of the network is presented by listing the top protocols, top applications and first-heard IPs. For this report to populate, ensure that the device parser "RSAFlow" (10.3 Log Decoder) or "CEF" (10.4 Log Decoder) is enabled, and that the meta key "direction" is indexed in table-map-custom.xml on the Log Decoder and index-concentrator-custom.xml on the Concentrator.
Medium: log
Tags: operations, event analysis, filters, flow analysis

Netflow - TCP Resets by Source IP
File Name: Netflow - TCP Resets by Source IP
Description: Requires a 10.4 or higher Log Collector for the Netflow collection protocol. This report displays TCP resets by source IP address, which is useful for determining whether any devices are behaving abnormally. For this report to populate, ensure that the "RSAFLOW" log parser (10.3) or "CEF" log parser (10.4) is enabled, that the meta key "direction" is indexed in table-map-custom.xml on the Log Decoder and index-concentrator-custom.xml on the Concentrator, and that the meta key "TCP Flags Seen (tcp.flags.seen)" is also indexed in index-concentrator-custom.xml.
Medium: log
Tags: operations, event analysis, protocol analysis, flow analysis

Netflow - Top Communicants
File Name: Netflow - Top Communicants
Description: Requires a 10.4 or higher Log Collector for the Netflow collection protocol. Displays different types of top talkers seen via Netflow. The data can be used to identify possible sources of DoS or disruption, and possible sources of data exfiltration. For this report to populate, ensure that the device parser "RSAFlow" (10.3 Log Decoder) or "CEF" (10.4 Log Decoder) is enabled, and that the meta key "direction" is indexed in table-map-custom.xml on the Log Decoder and index-concentrator-custom.xml on the Concentrator.
Medium: log
Tags: operations, event analysis, protocol analysis, flow analysis, situation awareness

NetWitness Administration Report
File Name: NetWitness Administration Report
Description: Requires 10.5 and higher. Gives a summary and detail view of NetWitness Administration audit events. This report uses the non-indexed meta keys result and msg; they must be indexed on the Log Decoder in table-map-custom.xml and added to the Concentrator through index-concentrator-custom.xml.
Medium: log
Tags: assurance, compliance, audit
NetWitness Respond
File Name: NetWitness Respond
Description: The report displays a summary and detailed view of the incidents and alerts generated using NetWitness Respond.

REFERENCES
On RSA Link, see the NetWitness Respond Configuration and User Guides for details.

VERSIONS SUPPORTED
10.6.2 and higher

CONFIGURATION
You must configure the Respond service and database, alert data sources and aggregation rules for this report to populate.

DEPENDENCIES
* Common Event Format Log Parser

Medium: log, packet
Tags: assurance, audit, compliance
Network Activity
File Name: Network Activity
Description: This report displays summary data for top network activity: Top Alias Host Destination by Session Count, Top Alias Host Destination by Source IP, Top Destination Country by Session Count, Top Destination Country by Session Size, Top Destination Country by Source IP, Top HTTPS Destination IP by Session Size, and Top Network Service by Session Count.
Medium: log, packet
Tags: operations, event analysis, protocol analysis, flow analysis, situation awareness

NISPOM - Compliance Report
File Name: NISPOM - Compliance Report
Description: Introduces the National Industrial Security Program Operating Manual (NISPOM) templates. NISPOM, developed by the Department of Defense, sets comprehensive standards for protecting classified data. All government agencies and commercial contractors with access to classified data are required to implement system protection processes to ensure the continued availability and integrity of this data and prevent its unauthorized disclosure. These regulations apply to systems used in the capture, creation, storage, processing or distribution of restricted information.
Medium: log
Tags: assurance, compliance, audit

Non-Standard Traffic
File Name: Non-Standard Traffic
Description: This report displays sessions categorized as unusual based on service and port usage. A session is included either because a known service was found on a non-standard port or because an unknown service was found on a standard port.
Medium: packet
Tags: operations, event analysis, protocol analysis

Outbound Network Traffic - Top 25
File Name: Outbound Network Traffic - Top 25
Description: Compliance report template: Outbound Network Traffic - Top 25.
Medium: log
Tags: operations, event analysis, protocol analysis, flow analysis

PCI-Compliance Report
File Name: PCI - Compliance Report
Description: The Payment Card Industry (PCI) Data Security Standard applies to all payment card industry members, merchants and service providers that store, process or transmit payment cardholder data. These security requirements also apply to all "system components": any network component, server or application included in, or connected to, the cardholder data environment.
Medium: log
Tags: assurance, compliance, audit

Phishing Profile
File Name: Phishing Profile
Description: This report summarizes data relevant to phishing. In particular, it summarizes HREF header mismatches, mail traffic from top countries by frequency, top email subjects, top email addresses by frequency, and top attachment file extensions by frequency.
Medium: log, packet
Tags: threat, attack phase, delivery, operations, event analysis, protocol analysis
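The "HREF header mismatches" the Phishing Profile report summarizes are links whose visible text names one site while the href target points somewhere else, the classic lure in a credential-phishing email. The following Python is an added example of that check run over a constructed HTML email body; it is not the report's own rule or RSA's parser. The sample HTML, the URL_LIKE_TEXT pattern used to decide when link text is itself a URL, and the choice to compare hosts after stripping a leading "www." are assumptions made for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Link text that itself looks like a URL or bare hostname, e.g. "www.examplebank.com/login".
URL_LIKE_TEXT = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]|$)", re.I)

# Constructed sample email body (not captured traffic). The first link displays a
# bank URL but resolves to an IP address; the second is consistent; the third has
# non-URL text and is therefore ignored by the check.
SAMPLE_EMAIL_HTML = """
<p>Please verify your account at
<a href="http://203.0.113.7/verify">https://www.examplebank.com/login</a></p>
<p>Help: <a href="https://www.examplebank.com/help">www.examplebank.com/help</a></p>
<p><a href="https://tracking.example.net/c?id=1">Click here</a> to unsubscribe.</p>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element that has an href."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse whitespace so wrapped link text compares cleanly
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(value):
    """Lower-cased host of a URL or URL-like text with a leading 'www.' removed; None if absent."""
    v = value.strip()
    if "://" not in v:
        v = "http://" + v          # bare hostnames need a scheme for urlparse to see a host
    host = urlparse(v).hostname
    if not host:
        return None
    return host[4:] if host.startswith("www.") else host


def href_mismatches(html):
    """Anchors whose visible text is a URL naming a different host than the href target."""
    collector = _AnchorCollector()
    collector.feed(html)
    hits = []
    for href, text in collector.anchors:
        if not URL_LIKE_TEXT.match(text):
            continue                # plain text such as "Click here" cannot mismatch
        if host_of(text) != host_of(href):
            hits.append((href, text))
    return hits


if __name__ == "__main__":
    for href, text in href_mismatches(SAMPLE_EMAIL_HTML):
        print(f"display text {text!r} but link goes to {href!r}")
```

Comparing hosts rather than whole URLs avoids flagging ordinary tracking redirects on the same domain, while still catching the case that matters: a displayed bank hostname whose href leads to an IP address or an unrelated domain.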
RSA SecurID Authentication Summary
File Name: RSA SecurID Authentication Summary
Description: This report summarizes all RSA SecurID authentications. An incident response analyst may want to review all two-factor authentication activity over a given period of time. Each authentication type is paired with the associated user, event counts and a description of each outcome.

Note: You will need to index the non-standard meta key 'result' on the Log Decoder and Concentrator in order to fully populate this report. See the report documentation for details: https://community.rsa.com/docs/DOC-43406.

DEPENDENCIES
* RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv)

Medium: log
Tags: featured, authentication, identity
Shadow IT Use
File Name: Shadow IT Use
Description: Detects shadow IT use within the organization. At least one of the dependent application rules (organized by category of shadow IT) must be deployed to the Decoder for the report to populate.

DEPENDENCIES
Report Rules:
* Shadow IT Use High Risk
* Shadow IT Use by Category - Event Count
* Shadow IT Use by Category - Session Size
* Shadow IT Use by IP Source
* Shadow IT Use by BYOD
List:
* Watchlist by IP (optional; used by the High Risk report rule)
RSA Application Rules:
* Stealth Email Use
* Voice Chat Apps
* File Sharing Apps
* BYOD Mobile Web Agent Detected
* Large Outbound Session
RSA Lua Parsers:
* http_lua
* tls_lua

Medium: log, packet
Tags: assurance, risk, organizational hazard

SOX - Compliance Report
File Name: SOX - Compliance Report
Description: Sarbanes-Oxley Act of 2002 (SOX). Congress passed SOX in large part to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws. Section 404 of Sarbanes-Oxley requires companies not only to establish and maintain an adequate internal control structure, but also to assess its effectiveness on an annual basis.
Medium: log
Tags: assurance, compliance, audit

SSAE 16 - Compliance Report
File Name: SSAE 16 - Compliance Report
Description: Statement on Standards for Attestation Engagements 16 (SSAE 16) is an attestation standard issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), specifically geared towards engagements in which service organizations report on the design of their controls and their operating effectiveness.
Medium: log
Tags: assurance, compliance, audit

SSH Activity
File Name: SSH Activity
Description: Reports two activities: any SSH going to external IP addresses, and any SSH detected on a port other than 22.
Medium: packet
Tags: operations, event analysis, protocol analysis, flow analysis
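Several of the packet reports in this list (Bulk Data Transfer, Encrypted Traffic over Non-Standard Port, Large Outbound Encrypted Sessions, Large Outbound Sessions and SSH Activity) are each a filter or aggregate over session meta: the service, the destination port, the session size, and whether the source and destination fall in RFC 1918 space. The following Python is an added example, not RSA's rule logic, that applies those five criteria to constructed session records. The record fields, the use of service names rather than NetWitness's numeric service meta, decimal-megabyte thresholds, and the per-IP-pair aggregation for the bulk transfer tiers are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict

MB = 1_000_000  # assumption: thresholds in decimal megabytes; use 1 << 20 if your size meta is MiB

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENCRYPTED_SERVICES = {"SSL", "SSH"}          # assumption: service meta rendered as names
STANDARD_ENCRYPTED_PORTS = {22, 443, 993, 995}

# Constructed session records (not real NetWitness meta). Field names loosely
# mirror the meta keys these reports query: ip.src, ip.dst, service, tcp.dstport, size.
SESSIONS = [
    {"id": 1, "src": "10.1.1.5",     "dst": "203.0.113.10", "service": "SSL",  "port": 443,  "size": 6 * MB},
    {"id": 2, "src": "10.1.1.5",     "dst": "10.2.2.9",     "service": "SSL",  "port": 8443, "size": 100_000},
    {"id": 3, "src": "192.168.1.20", "dst": "198.51.100.7", "service": "SSH",  "port": 2222, "size": 200_000},
    {"id": 4, "src": "10.1.1.6",     "dst": "10.1.1.7",     "service": "SSH",  "port": 22,   "size": 1 * MB},
    {"id": 5, "src": "10.1.1.5",     "dst": "203.0.113.10", "service": "HTTP", "port": 80,   "size": 15 * MB},
    {"id": 6, "src": "172.16.0.4",   "dst": "203.0.113.99", "service": "HTTP", "port": 80,   "size": 30 * MB},
    {"id": 7, "src": "172.16.0.4",   "dst": "203.0.113.99", "service": "HTTP", "port": 80,   "size": 25 * MB},
    {"id": 8, "src": "203.0.113.50", "dst": "10.1.1.5",     "service": "SSL",  "port": 443,  "size": 9 * MB},
]


def is_rfc1918(ip):
    """True only for the three RFC 1918 blocks (ipaddress.is_private is broader)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def is_outbound(s):
    return is_rfc1918(s["src"]) and not is_rfc1918(s["dst"])


def encrypted_on_nonstandard_port(sessions):
    """Encrypted Traffic over Non-Standard Port: SSL/SSH not on 22, 443, 993 or 995."""
    return [s["id"] for s in sessions
            if s["service"] in ENCRYPTED_SERVICES and s["port"] not in STANDARD_ENCRYPTED_PORTS]


def large_outbound(sessions, threshold=5 * MB, encrypted_only=False):
    """Large Outbound Sessions (and, with encrypted_only, Large Outbound Encrypted Sessions)."""
    return [s["id"] for s in sessions
            if is_outbound(s) and s["size"] >= threshold
            and (not encrypted_only or s["service"] in ENCRYPTED_SERVICES)]


def ssh_activity(sessions):
    """SSH Activity: map session id to the reasons it was reported."""
    hits = {}
    for s in sessions:
        if s["service"] != "SSH":
            continue
        reasons = []
        if not is_rfc1918(s["dst"]):
            reasons.append("external_destination")
        if s["port"] != 22:
            reasons.append("non_standard_port")
        if reasons:
            hits[s["id"]] = reasons
    return hits


def bulk_transfer_pairs(sessions, tiers=((50 * MB, "over_50mb"), (20 * MB, "over_20mb"))):
    """Bulk Data Transfer: total bytes per (src, dst) pair, labelled with the highest tier exceeded."""
    totals = defaultdict(int)
    for s in sessions:
        totals[(s["src"], s["dst"])] += s["size"]
    result = {}
    for pair, total in totals.items():
        for limit, label in tiers:     # tiers are ordered highest first
            if total > limit:
                result[pair] = label
                break
    return result


if __name__ == "__main__":
    print("encrypted on non-standard port:", encrypted_on_nonstandard_port(SESSIONS))
    print("large outbound:", large_outbound(SESSIONS))
    print("large outbound encrypted:", large_outbound(SESSIONS, encrypted_only=True))
    print("ssh activity:", ssh_activity(SESSIONS))
    print("bulk transfer pairs:", bulk_transfer_pairs(SESSIONS))
```

Note that session 8 is large and encrypted but inbound, so it is not reported by the outbound rules, and that the two 10.1.1.5 sessions to 203.0.113.10 only cross the 20 MB tier when summed per pair; whether the report sums across sessions or judges each session alone is a choice to confirm against the rule definition before relying on the numbers.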
Top 10 Situational Awareness Report
File Name: Top 10 Situational Awareness Report
Description: This report summarizes a set of "top 10" data points to provide situational awareness of traffic in your network environment. These data points include: websites by category, destination countries, destination countries by service type, destination IP addresses, search engine queries, services, uncategorized sites, websites, and countries with warning- or suspicious-level alerts.
Medium: log, packet
Tags: threat, identity, assurance, operations, situation awareness

Top Communicants
File Name: Top Communicants
Description: This report summarizes top communicants on your network by foreign country, protocol, outbound protocol, outbound source IP and foreign domain.
Medium: log, packet
Tags: assurance, compliance, audit, operations, event analysis, situation awareness

User Watch
File Name: User Watch
Description: Summarizes observed activity associated with one or more users populated in a watchlist. Activity summaries include login, logout, cleartext authentication, email, and activity categorized as risk.suspicious and risk.warning. To use the report, create and populate the report lists as noted in the dependencies.
Medium: log, packet
Tags: assurance, compliance, audit, identity, authorization, operations, situation awareness