RSA NetWitness Rules

Document created by RSA Information Design and Development on May 25, 2016. Last modified by RSA Information Design and Development on Aug 1, 2019.
Version 182

This table lists all of the delivered RSA NetWitness Rules.

Note: For content that has been discontinued, see Discontinued Content.

Each entry lists the fields Display Name, File Name, Description, Medium and Tag.

Display Name: 11.1-11.2 Autoruns and Scheduled Tasks from or referencing AppData
File Name: 11.1-11.2 Autoruns and Scheduled Tasks from or referencing AppData
Description: Compliance Rule- Anti-Virus Signature Update
Medium: endpoint
Tag: assurance, compliance, audit, operations, event analysis, situation awareness

Display Name: 11.1-11.2 Autoruns and Scheduled Tasks from Root of ProgramData
File Name: 11.1-11.2 Autoruns and Scheduled Tasks from Root of ProgramData
Description: Autoruns and Tasks details when accessed from or referencing AppData. Task name, Autorun type, Directory, Command, Launch Arguments and number of hosts associated will be reflected. These locations are often used by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
Medium: endpoint
Tag: attack phase, exploit, threat

Display Name: 11.1-11.2 Autoruns and Scheduled Tasks Invoking Command Shell
File Name: 11.1-11.2 Autoruns and Scheduled Tasks Invoking Command Shell
Description: Attackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique leverages %SYSTEMROOT%\ProgramData as a storage location for malicious payloads set to run at a particular time or upon a trigger (e.g. login). It is not common for executables to launch from the root of ProgramData, so any instance should be considered suspicious.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
Medium: endpoint
Tag: attack phase, exploit, threat

Display Name: 11.1-11.2 Autoruns and Scheduled Tasks Invoking Windows Script Host
File Name: 11.1-11.2 Autoruns and Scheduled Tasks Invoking Windows Script Host
Description: Attackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique will invoke trusted system shells (cmd.exe and powershell.exe) to perform malicious activity in an effort to evade anti-malware solutions. While not all autoruns invoking these commands are inherently malicious, an analyst should understand which of those are normal or required for IT operations and be suspicious of all others.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
Medium: endpoint
Tag: attack phase, exploit, threat

Display Name: 11.1-11.2 Autoruns and Scheduled Tasks Running Scripts
File Name: 11.1-11.2 Autoruns and Scheduled Tasks Running Scripts
Description: Attackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique will invoke Windows Script Host (cscript.exe and wscript.exe) to launch scripts in an effort to evade anti-malware solutions. While not all autoruns invoking these commands are inherently malicious, an analyst should understand which of those are normal or required for IT operations and be suspicious of all others.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
Medium: endpoint
Tag: attack phase, exploit, threat

Display Name: 11.1-11.2 Autoruns and Tasks on Host
File Name: 11.1-11.2 Autoruns and Tasks on Host
Description: Attackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique will call and execute various scripts to provide further instructions for attack. Detecting arguments passed to an executable that look like common script file formats can be a good indicator of compromise, particularly when attackers choose to obfuscate the name of the launching binary (e.g. create a copy of cmd.exe under a different name). While not all autoruns invoking these scripts are inherently malicious, an analyst should understand which of those are normal or required for IT operations and be suspicious of all others.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
Medium: endpoint
Tag: attack phase, exploit, threat
Display Name: 11.1-11.2 DLLs on Host
File Name: 11.1-11.2 DLLs on Host
Description: Aggregates sessions that contain CDNs, which are listed in the Content Delivery Networks List. Filter these sites to reduce the amount of "noise" from non-dangerous traffic.
Medium: endpoint
Tag: operations, event analysis, application analysis, situation awareness

Display Name: 11.1-11.2 Endpoint Operating Systems Summary
File Name: 11.1-11.2 Endpoint Operating Systems Summary
Description: For each Dynamic DNS host, the associated IP Addresses, Ports and Module accessing the domain name will be reflected. The dynamic DNS domains are maintained in a list that can be altered as needed. DDNS provides flexibility to adversaries and helps them with evasion and persistence.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher

CONFIGURATION
If this rule is used with the Endpoint Network Activity Report or a custom report, before the report is scheduled to run, you must enter a domain name or configure and use a NetWitness List of domain names to return this network data information.
Medium: endpoint
Tag: assurance, audit, compliance, operations, risk, threat

Display Name: 11.1-11.2 Endpoint Version Summary
File Name: 11.1-11.2 Endpoint Version Summary
Description: Operating System Details associated with the host(s).

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
Medium: endpoint
Tag: assurance, audit, compliance, operations, risk

Display Name: 11.1-11.2 Files on Host
File Name: 11.1-11.2 Files on Host
Description: Displays files transported over uncommon protocols such as ICMP and those identified as unknown. This report will ignore files transferred over the common protocols HTTP, FTP, SMTP, POP, RSYNC and TFTP.
Medium: endpoint
Tag: operations, event analysis, protocol analysis

Display Name: 11.1-11.2 Machine Details on Host
File Name: 11.1-11.2 Machine Details on Host
Description: Detects logouts for users on a watchlist by user name.
Medium: endpoint
Tag: assurance, compliance, audit, identity, authentication

Display Name: 11.1-11.2 Processes on Host
File Name: 11.1-11.2 Processes on Host
Description: Details related to external domain names accessed by PowerShell. Host associated, Source IP Address, Destination IP Address, domain name and Launch argument used with PowerShell are reflected. Connections to external domains can help an adversary execute remote scripts or fetch files or other useful information.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
Medium: endpoint
Tag: assurance, attack phase, operations, risk, threat
Display Name: 11.1-11.2 Rarest Autorun Registry Keys
File Name: 11.1-11.2 Rarest Autorun Registry Keys
Description: There are numerous registry autorun keys that allow for command execution without interaction by the end user. Two common keys used by attackers are the HKCU\Software\Microsoft\Windows\CurrentVersion\Run and \RunOnce keys. Outliers in an enterprise environment should be inspected.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
Medium: endpoint
Tag: attack phase, exploit, threat

Display Name: 11.1-11.2 Rarest Child Processes of Web Server Processes
File Name: 11.1-11.2 Rarest Child Processes of Web Server Processes
Description: Filename, Launch Arguments and number of hosts associated are reflected when the registry contains autorun registry keys. Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
Medium: endpoint
Tag: assurance, operations, reconnaissance, risk, threat

Display Name: 11.1-11.2 Rarest Code Signing Certificate CNs
File Name: 11.1-11.2 Rarest Code Signing Certificate CNs
Description: Details of Child Processes of the web server. Web Shells can be used by adversaries to run malicious tools, commands and scripts. Parent Process, Checksum, Directory and number of hosts associated are reflected.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
Medium: endpoint
Tag: assurance, operations, risk, threat

Display Name: 11.1-11.2 Rarest Parent Processes of cmd
File Name: 11.1-11.2 Rarest Parent Processes of cmd
Description: List of Filenames with their checksum, directory and number of associated hosts. This information can be helpful in investigations.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
Medium: endpoint
Tag: assurance, operations, risk, threat

Display Name: 11.1-11.2 Rarest Parent Processes of powershell
File Name: 11.1-11.2 Rarest Parent Processes of powershell
Description: Attackers will often use trusted Windows processes as part of their attack. In a corporate environment, the number of unique parent processes invoking cmd.exe should be minimal. Rare parent processes could indicate malware or alternate execution paths used by malware and attackers and should be investigated.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
Medium: endpoint
Tag: attack phase, exploit, threat

Display Name: 11.1-11.2 Rarest Processes Running from AppData
File Name: 11.1-11.2 Rarest Processes Running from AppData
Description: Attackers will often use trusted Windows processes as part of their attack. In a corporate environment, the number of unique parent processes invoking powershell.exe should be minimal. Rare parent processes could indicate malware or alternate execution paths used by malware and attackers and should be investigated.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
Medium: endpoint
Tag: attack phase, exploit, threat

Display Name: 11.1-11.2 Services on Host
File Name: 11.1-11.2 Services on Host
Description: Detects the meta key service generated through a network parser, which matches a list of configured source IPs.
Medium: endpoint
Tag: operations, event analysis, protocol analysis, situation awareness

Display Name: 11.1-11.2 Windows Process Parent Child Mismatch
File Name: 11.1-11.2 Windows Process Parent Child Mismatch
Description: Indicates a possible pass-the-hash attack on Windows systems configured to use the NTLM authentication protocol. This rule does not apply to systems which use the Kerberos authentication protocol. This rule reduces false positives for anonymous logons and eliminates all DC or machine logons by removing any usernames that end in a $.
Medium: endpoint
Tag: action on objectives, attack phase, authentication, identity, lateral movement, threat
Display Name: 11.3 Autoruns and Scheduled Tasks from or referencing AppData
File Name: 11.3 Autoruns and Scheduled Tasks from or referencing AppData
Description: Compliance Rule- Anti-Virus Signature Update
Medium: endpoint
Tag: assurance, compliance, audit, operations, event analysis, situation awareness

Display Name: 11.3 Autoruns and Scheduled Tasks from Root of ProgramData
File Name: 11.3 Autoruns and Scheduled Tasks from Root of ProgramData
Description: Autoruns and Tasks details when accessed from or referencing AppData. Task name, Autorun type, Directory, Command, Launch Arguments and number of hosts associated will be reflected. These locations are often used by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: attack phase, exploit, threat

Display Name: 11.3 Autoruns and Scheduled Tasks Invoking Command Shell
File Name: 11.3 Autoruns and Scheduled Tasks Invoking Command Shell
Description: Attackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique leverages %SYSTEMROOT%\ProgramData as a storage location for malicious payloads set to run at a particular time or upon a trigger (e.g. login). It is not common for executables to launch from the root of ProgramData, so any instance should be considered suspicious.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: attack phase, exploit, threat

Display Name: 11.3 Autoruns and Scheduled Tasks Invoking Windows Script Host
File Name: 11.3 Autoruns and Scheduled Tasks Invoking Windows Script Host
Description: Attackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique will invoke trusted system shells (cmd.exe and powershell.exe) to perform malicious activity in an effort to evade anti-malware solutions. While not all autoruns invoking these commands are inherently malicious, an analyst should understand which of those are normal or required for IT operations and be suspicious of all others.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: attack phase, exploit, threat

Display Name: 11.3 Autoruns and Scheduled Tasks Running Scripts
File Name: 11.3 Autoruns and Scheduled Tasks Running Scripts
Description: Attackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique will invoke Windows Script Host (cscript.exe and wscript.exe) to launch scripts in an effort to evade anti-malware solutions. While not all autoruns invoking these commands are inherently malicious, an analyst should understand which of those are normal or required for IT operations and be suspicious of all others.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: attack phase, exploit, threat

Display Name: 11.3 Autoruns and Tasks on Host
File Name: 11.3 Autoruns and Tasks on Host
Description: Attackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique will call and execute various scripts to provide further instructions for attack. Detecting arguments passed to an executable that look like common script file formats can be a good indicator of compromise, particularly when attackers choose to obfuscate the name of the launching binary (e.g. create a copy of cmd.exe under a different name). While not all autoruns invoking these scripts are inherently malicious, an analyst should understand which of those are normal or required for IT operations and be suspicious of all others.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: attack phase, exploit, threat
Display Name: 11.3 DLLs on Host
File Name: 11.3 DLLs on Host
Description: Aggregates sessions that contain CDNs, which are listed in the Content Delivery Networks List. Filter these sites to reduce the amount of "noise" from non-dangerous traffic.
Medium: endpoint
Tag: operations, event analysis, application analysis, situation awareness

Display Name: 11.3 Endpoint Host State
File Name: 11.3 Endpoint Host State
Description: Compliance Rule- Encryption Key Generation and Changes
Medium: endpoint
Tag: assurance, compliance, audit

Display Name: 11.3 Endpoint Indicators Analysis
File Name: 11.3 Endpoint Indicators Analysis
Description: Details of host state with the rarest occurring state on top.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: assurance, compliance, operations, risk

Display Name: 11.3 Endpoint Indicators by Tactic
File Name: 11.3 Endpoint Indicators by Tactic
Description: Number of risk indicators associated with each host, broken down by risk level (critical, high, medium and low).

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: assurance, compliance, operations, risk, threat

Display Name: 11.3 Endpoint Indicators by Tactic and Technique
File Name: 11.3 Endpoint Indicators by Tactic and Technique
Description: Number of indicators associated with adversarial tactics described in the MITRE ATT&CK™ Enterprise framework.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: assurance, compliance, operations, risk, threat

Display Name: 11.3 Endpoint Indicators Summary
File Name: 11.3 Endpoint Indicators Summary
Description: Number of indicators associated with adversarial tactics and techniques described in the MITRE ATT&CK™ Enterprise framework.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: assurance, compliance, operations, risk, threat

Display Name: 11.3 Endpoint Module and Dynamic DNS
File Name: 11.3 Endpoint Module and Dynamic DNS
Description: Number of risk indicators associated with each host.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: assurance, compliance, operations, risk, threat
Display Name: 11.3 Endpoint Operating Systems Summary
File Name: 11.3 Endpoint Operating Systems Summary
Description: For each Dynamic DNS host, the associated IP Addresses, Ports and Module accessing the domain name will be reflected. The dynamic DNS domains are maintained in a list that can be altered as needed. DDNS provides flexibility to adversaries and helps them with evasion and persistence.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher

CONFIGURATION
If this rule is used with the Endpoint Network Activity Report or a custom report, before the report is scheduled to run, you must enter a domain name or configure and use a NetWitness List of domain names to return this network data information.
Medium: endpoint
Tag: assurance, audit, compliance, operations, risk, threat

Display Name: 11.3 Endpoint Version Summary
File Name: 11.3 Endpoint Version Summary
Description: Operating System Details associated with the host(s).

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: assurance, audit, compliance, operations, risk

Display Name: 11.3 Files on Host
File Name: 11.3 Files on Host
Description: Displays files transported over uncommon protocols such as ICMP and those identified as unknown. This report will ignore files transferred over the common protocols HTTP, FTP, SMTP, POP, RSYNC and TFTP.
Medium: endpoint
Tag: operations, event analysis, protocol analysis

Display Name: 11.3 Machine Details on Host
File Name: 11.3 Machine Details on Host
Description: Detects logouts for users on a watchlist by user name.
Medium: endpoint
Tag: assurance, compliance, audit, identity, authentication

Display Name: 11.3 Multiple Arguments for Same Task
File Name: 11.3 Multiple Arguments for Same Task
Description: Summarizes a list of hosts with mismatched HREFs
Medium: endpoint
Tag: operations, event analysis, protocol analysis

Display Name: 11.3 Multiple Filename for Task Name
File Name: 11.3 Multiple Filename for Task Name
Description: Filename, number of parameters and parameters will be displayed for the tasks with all the supplied arguments.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: assurance, operations, reconnaissance, risk, threat

Display Name: 11.3 Multiple Task Name for Filename
File Name: 11.3 Multiple Task Name for Filename
Description: Filename, Directory and number of files will be displayed when the number of files associated with a task is more than one.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: assurance, operations, reconnaissance, risk, threat

Display Name: 11.3 Powershell to External Domain
File Name: 11.3 Powershell to External Domain
Description: Compliance Rule- Password Changes
Medium: endpoint
Tag: assurance, compliance, audit, identity, authorization

Display Name: 11.3 Processes on Host
File Name: 11.3 Processes on Host
Description: Details related to external domain names accessed by PowerShell. Host associated, Source IP Address, Destination IP Address, domain name and Launch argument used with PowerShell are reflected. Connections to external domains can help an adversary execute remote scripts or fetch files or other useful information.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: assurance, attack phase, operations, risk, threat

Display Name: 11.3 Rare Extension for Task
File Name: 11.3 Rare Extension for Task
Description: List of vendors associated with unsigned files.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: attack phase, malware, threat
Display Name: 11.3 Rarest Autorun Registry Keys
File Name: 11.3 Rarest Autorun Registry Keys
Description: There are numerous registry autorun keys that allow for command execution without interaction by the end user. Two common keys used by attackers are the HKCU\Software\Microsoft\Windows\CurrentVersion\Run and \RunOnce keys. Outliers in an enterprise environment should be inspected.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
Medium: endpoint
Tag: attack phase, exploit, threat

Display Name: 11.3 Rarest Child Processes of Web Server Processes
File Name: 11.3 Rarest Child Processes of Web Server Processes
Description: Filename, Launch Arguments and number of hosts associated are reflected when the registry contains autorun registry keys. Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: assurance, operations, reconnaissance, risk, threat

Display Name: 11.3 Rarest Code Signing Certificate CNs
File Name: 11.3 Rarest Code Signing Certificate CNs
Description: Details of Child Processes of the web server. Web Shells can be used by adversaries to run malicious tools, commands and scripts. Parent Process, Checksum, Directory and number of hosts associated are reflected.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: assurance, operations, risk, threat

Display Name: 11.3 Rarest File Names Across Endpoints
File Name: 11.3 Rarest File Names Across Endpoints
Description: Less careful malware authors may attempt to sign an executable with an untrusted CA to appear more legitimate to the untrained eye. In a corporate environment, looking for rarity of the common name assigned to the certificate can turn up unwanted applications. The analyst should investigate the rarest instances.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: assurance, operations, risk, threat

Display Name: 11.3 Rarest Parent Processes of cmd
File Name: 11.3 Rarest Parent Processes of cmd
Description: List of Filenames with their checksum, directory and number of associated hosts. This information can be helpful in investigations.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: assurance, operations, risk, threat

Display Name: 11.3 Rarest Parent Processes of powershell
File Name: 11.3 Rarest Parent Processes of powershell
Description: Attackers will often use trusted Windows processes as part of their attack. In a corporate environment, the number of unique parent processes invoking cmd.exe should be minimal. Rare parent processes could indicate malware or alternate execution paths used by malware and attackers and should be investigated.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: attack phase, exploit, threat

Display Name: 11.3 Rarest Processes Running from AppData
File Name: 11.3 Rarest Processes Running from AppData
Description: Attackers will often use trusted Windows processes as part of their attack. In a corporate environment, the number of unique parent processes invoking powershell.exe should be minimal. Rare parent processes could indicate malware or alternate execution paths used by malware and attackers and should be investigated.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: attack phase, exploit, threat

Display Name: 11.3 Rarest Unsigned Service Names Across Endpoints
File Name: 11.3 Rarest Unsigned Service Names Across Endpoints
Description: A common malware characteristic is to run out of temporary and low security folders. Rare processes running out of the AppData\Local or AppData\Roaming folders should be investigated.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: attack phase, malware, threat
Display Name: 11.3 Rarest Unsigned Task Names Across Endpoints
File Name: 11.3 Rarest Unsigned Task Names Across Endpoints
Description: Services which are unsigned will be reflected along with module details, directory, checksum and number of hosts associated with them.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: assurance, operations, reconnaissance, risk, threat

Display Name: 11.3 Rarest Vendor of Unsigned Files Across Endpoints
File Name: 11.3 Rarest Vendor of Unsigned Files Across Endpoints
Description: Tasks which are unsigned will be reflected along with module details, directory, checksum and number of hosts associated with them.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: assurance, operations, reconnaissance, risk, threat

Display Name: 11.3 Same Arguments for Different Task Filename
File Name: 11.3 Same Arguments for Different Task Filename
Description: Returns all usernames that have performed failed authentications as declared by RSA SecurID. This rule populates users who have entered an unregistered username within the SecurID Server database (invalid username). It has a limit of returning 5,000 users.

Note: You will need to index the non-standard meta key 'result' on the Log Decoder and Concentrator in order to fully populate this report. See the report documentation for more details at https://community.rsa.com/docs/DOC-43406.

DEPENDENCIES:
RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv)
Medium: endpoint
Tag: authentication, identity

Display Name: 11.3 Services on Host
File Name: 11.3 Services on Host
Description: Detects the meta key service generated through a network parser, which matches a list of configured source IPs.
Medium: endpoint
Tag: operations, event analysis, protocol analysis, situation awareness

Display Name: 11.3 Task Present on one Machine
File Name: 11.3 Task Present on one Machine
Description: Compliance Rule- System Clock Synchronization
Medium: endpoint
Tag: assurance, compliance, audit

Display Name: 11.3 Uncommon Directory for Task
File Name: 11.3 Uncommon Directory for Task
Description: Displays internal users communicating over tunneling protocols that may indicate inappropriate or anonymous access. This rule includes the SSH and Tor tunneling protocols.
Medium: endpoint
Tag: operations, event analysis, protocol analysis, flow analysis, situation awareness

Display Name: 11.3 User Created Unique Task
File Name: 11.3 User Created Unique Task
Description: Compliance Rule- User Session Terminated Summary
Medium: endpoint
Tag: identity, authentication

Display Name: 11.3 User Defined Domain Name Analysis
File Name: 11.3 User Defined Domain Name Analysis
Description: Unique Task that is created or authored by a user.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
Medium: endpoint
Tag: assurance, operations, risk, threat

Display Name: 11.3 Windows Process Parent Child Mismatch
File Name: 11.3 Windows Process Parent Child Mismatch
Description: Indicates a possible pass-the-hash attack on Windows systems configured to use the NTLM authentication protocol. This rule does not apply to systems which use the Kerberos authentication protocol. This rule reduces false positives for anonymous logons and eliminates all DC or machine logons by removing any usernames that end in a $.
Medium: endpoint
Tag: action on objectives, attack phase, authentication, identity, lateral movement, threat
Display Name: Access to Compliance Data Details
File Name: Access to Compliance Data Details
Description: Access to Compliance Data Details
Medium: log
Tag: assurance, compliance, audit, identity, authorization

Display Name: Access to Compliance Data Summary
File Name: Access to Compliance Data Summary
Description: Compliance Rule- Access to Compliance Data Summary
Medium: log
Tag: assurance, compliance, audit, identity, authorization

Display Name: Accounts Created
File Name: Accounts Created
Description: Compliance Rule- Accounts Created
Medium: log
Tag: assurance, compliance, audit, identity, authorization

Display Name: Accounts Deleted
File Name: Accounts Deleted
Description: Compliance Rule- Accounts Deleted
Medium: log
Tag: assurance, compliance, audit, identity, authorization

Display Name: Accounts Disabled
File Name: Accounts Disabled
Description: Compliance Rule- Accounts Disabled
Medium: log
Tag: assurance, compliance, audit, identity, authorization

Display Name: Accounts Modified
File Name: Accounts Modified
Description: Compliance Rule- Accounts Modified
Medium: log
Tag: assurance, compliance, audit, identity, authorization

Display Name: Ad Servers by Bandwidth
File Name: Ad Servers by Bandwidth
Description: Aggregates sessions that contain ad sites, which are listed in the Ad Servers List. Ad services consume a lot of disk space. If the traffic is acceptable, ad servers are a good candidate for filtering. This rule feeds data to the Global Filtering Candidate report.
Medium: log, packet
Tag: assurance, audit, compliance, operations, situation awareness

Display Name: Admin Access to Compliance Systems Details
File Name: Admin Access to Compliance Systems Details
Description: Compliance Rule- Admin Access to Compliance Systems Details
Medium: log
Tag: assurance, audit, authorization, compliance, identity

Display Name: Admin Access to Compliance Systems Summary
File Name: Admin Access to Compliance Systems Summary
Description: Compliance Rule- Admin Access to Compliance Systems Summary
Medium: log
Tag: assurance, audit, authorization, compliance, identity

Display Name: Alert IDs By Profiled Source IP
File Name: Alert IDs by Profiled Source IP
Description: Detects the meta key alert.id generated through basic correlation rules, which matches a list of configured source IPs.
Medium: log, packet
Tag: threat, identity, assurance, operations, situation awareness

Display Name: Alerts By Profiled Source IP
File Name: Alerts by Profiled Source IP
Description: Detects the meta key alert generated through application rules, which matches a list of configured source IPs.
Medium: log, packet
Tag: threat, identity, assurance, operations, situation awareness

Display Name: All Risk Suspicious by Destination IP
File Name: All Risk Suspicious by Destination IP
Description: Aggregates sessions by risk.suspicious and displays all results by ip.dst in descending order.
Medium: log, packet
Tag: threat, identity, assurance, operations, situation awareness

Display Name: All Risk Suspicious by Session Size
File Name: All Risk Suspicious by Session Size
Description: Aggregates sessions by risk.suspicious and displays all results by session size in descending order.
Medium: log, packet
Tag: threat, identity, assurance, operations, situation awareness

Display Name: All Risk Suspicious by Source IP
File Name: All Risk Suspicious by Source IP
Description: Aggregates sessions by risk.suspicious and displays all results by ip.src in descending order.
Medium: log, packet
Tag: threat, identity, assurance, operations, situation awareness

Display Name: All Risk Warning by Destination IP
File Name: All Risk Warning by Destination IP
Description: Aggregates sessions by risk.warning and displays all results by ip.dst in descending order.
Medium: log, packet
Tag: threat, identity, assurance, operations, situation awareness

Display Name: All Risk Warning by Session Size
File Name: All Risk Warning by Session Size
Description: Aggregates sessions by risk.warning and displays all results by session size in descending order.
Medium: log, packet
Tag: threat, identity, assurance, operations, situation awareness

Display Name: All Risk Warning by Source IP
File Name: All Risk Warning by Source IP
Description: Aggregates sessions by risk.warning and displays all results by ip.src in descending order.
Medium: log, packet
Tag: threat, identity, assurance, operations, situation awareness
Amazon VPC Top Accepted Destination IPAmazon VPC Top Accepted Destination IPThe report rule fetches the top 10 accepted Destination IP addresses on the basis of the total bytes transferred.

VERSIONS SUPPORTED
10.6.5.x and higher

CONFIGURATION
Configure the Amazon VPC plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml

DEPENDENCIES
CEF log parser
logevent analysis, flow analysis, operations
Amazon VPC Top Accepted Destination PortsAmazon VPC Top Accepted Destination PortsThe report rule fetches the details of top accepted Destination Ports with their occurrences.

VERSIONS SUPPORTED
10.6.5.x and higher

CONFIGURATION
Configure the Amazon VPC plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml

DEPENDENCIES
CEF log parser
logevent analysis, flow analysis, operations
Amazon VPC Top Accepted Source IPAmazon VPC Top Accepted Source IPThe report rule fetches the top 10 accepted Source IP addresses on the basis of total bytes transferred.

VERSIONS SUPPORTED
10.6.5.x and higher

CONFIGURATION
Configure the Amazon VPC plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml

DEPENDENCIES
CEF log parser
logevent analysis, flow analysis, operations
Amazon VPC Top Rejected Destination IPAmazon VPC Top Rejected Destination IPThe report rule fetches the top 10 rejected Destination IP addresses on the basis of total bytes transferred.

VERSIONS SUPPORTED
10.6.5.x and higher

CONFIGURATION
Configure the Amazon VPC plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml

DEPENDENCIES
CEF log parser
logevent analysis, flow analysis, operations
Rule: Amazon VPC Top Rejected Destination Ports
Description: The report rule fetches the top rejected destination ports with their occurrence counts.
VERSIONS SUPPORTED
10.6.5.x and higher
CONFIGURATION
Configure the Amazon VPC plugin with valid credentials as per the plugin configuration document.
Use the latest table-map.xml.
DEPENDENCIES
CEF log parser
Medium: log
Tags: event analysis, flow analysis, operations

Rule: Amazon VPC Top Rejected Source IP
Description: The report rule fetches the top 10 rejected source IP addresses, ranked by total bytes transferred.
VERSIONS SUPPORTED
10.6.5.x and higher
CONFIGURATION
Configure the Amazon VPC plugin with valid credentials as per the plugin configuration document.
Use the latest table-map.xml.
DEPENDENCIES
CEF log parser
Medium: log
Tags: event analysis, flow analysis, operations

Rule: Amazon VPC Top Source and Destination IP Pair
Description: The report rule fetches the top 10 accepted source IP and destination IP address pairs, ranked by total bytes transferred.
VERSIONS SUPPORTED
10.6.5.x and higher
CONFIGURATION
Configure the Amazon VPC plugin with valid credentials as per the plugin configuration document.
Use the latest table-map.xml.
DEPENDENCIES
CEF log parser
Medium: log
Tags: event analysis, flow analysis, operations

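The seven Amazon VPC report rules above are all aggregations over VPC flow records: the IP and IP-pair rules rank by summed bytes, the port rules rank by occurrence count, and every rule is split by the ACCEPT/REJECT action. The example below is added here to show that logic running end to end; it is not RSA code and not the delivered rule definitions. It works on the raw AWS VPC Flow Logs default (version 2) field layout rather than the CEF meta the NetWitness Amazon VPC plugin produces (an assumption made so it runs offline), and the sample lines are constructed. The last function, rejected_sources_by_target_count, is not one of the delivered rules; it is included because a bytes-based ranking of rejected sources pushes a low-volume port sweep below a single chatty host, as the sample data shows.

```python
from collections import Counter, defaultdict

# Constructed sample lines in the AWS VPC Flow Logs default (version 2) format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.5 49152 443 6 20 8400 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.11 203.0.113.5 49153 443 6 10 3200 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 198.51.100.7 49154 80 6 5 1500 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.10 51000 22 6 3 180 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.11 51001 22 6 3 180 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.12 51002 3389 6 2 120 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.99 10.0.1.10 52000 445 6 40 6000 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1600000000 1600000060 - NODATA
"""

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")


def parse_flow_log(text):
    """Parse default-format flow log lines into dicts, dropping NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line or a custom format this parser does not handle
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records carry no traffic to aggregate
        for k in ("srcport", "dstport", "packets", "bytes"):
            rec[k] = int(rec[k])
        records.append(rec)
    return records


def _ranked(totals, n):
    # Highest value first; tie-break on the key so output is deterministic.
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def top_by_bytes(records, action, key, n=10):
    """Sum bytes per key (a callable on a record) over records with the given action."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == action:
            totals[key(r)] += r["bytes"]
    return _ranked(totals, n)


def top_ports_by_occurrence(records, action, n=10):
    """Count flow records per destination port for the given action."""
    return _ranked(Counter(r["dstport"] for r in records if r["action"] == action), n)


def vpc_reports(records, n=10):
    """The seven Amazon VPC report rules, computed over parsed records."""
    return {
        "accepted_dst_ip": top_by_bytes(records, "ACCEPT", lambda r: r["dstaddr"], n),
        "accepted_dst_ports": top_ports_by_occurrence(records, "ACCEPT", n),
        "accepted_src_ip": top_by_bytes(records, "ACCEPT", lambda r: r["srcaddr"], n),
        "rejected_dst_ip": top_by_bytes(records, "REJECT", lambda r: r["dstaddr"], n),
        "rejected_dst_ports": top_ports_by_occurrence(records, "REJECT", n),
        "rejected_src_ip": top_by_bytes(records, "REJECT", lambda r: r["srcaddr"], n),
        "accepted_src_dst_pair": top_by_bytes(
            records, "ACCEPT", lambda r: (r["srcaddr"], r["dstaddr"]), n),
    }


def rejected_sources_by_target_count(records, n=10):
    """Not a delivered rule: rank rejected sources by distinct targets hit, which
    surfaces a low-volume sweep that the bytes-based ranking pushes down."""
    targets = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            targets[r["srcaddr"]].add(r["dstaddr"])
    return _ranked({ip: len(t) for ip, t in targets.items()}, n)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    for name, rows in vpc_reports(recs).items():
        print(name, rows)
    print("rejected_src_by_targets", rejected_sources_by_target_count(recs))
```

On the sample data, Amazon VPC Top Rejected Source IP ranks 192.0.2.99 (one 6000-byte rejected flow) above 192.0.2.44 (three small rejected flows to three hosts), while the distinct-target ranking puts 192.0.2.44 first. Read the rejected-port report alongside the rejected-IP reports for the same reason: it is the one delivered rule that counts occurrences rather than bytes.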
Rule: Anonymous Access by Suspicious Source
Description: Displays when a user enters or exits through a suspected criminal SOCKS or VPN node. RSA FirstWatch feeds populate the meta keys used within the rule. The rule requires threat.category equal to "anonymous access" AND threat.desc equal to any of the following: "suspicious-ip", "criminal vpn service exit node", "criminal vpn service entry node", or "criminal socks node".
Medium: log, packet
Tags: assurance, compliance, audit, operations, event analysis, situation awareness

Rule: Anonymous Proxy Service Connection
Description: Detects use of common proxy services. It uses a list of domains matched against the alias.host meta key. An HTTP network parser is required.
Medium: log, packet
Tags: assurance, compliance, audit, operations, event analysis, situation awareness

Rule: Anti-Virus Signature Update
Description: Compliance rule: Anti-Virus Signature Update.
Medium: log
Tags: assurance, compliance, audit, operations, event analysis, situation awareness

Rule: AWS Access Permissions Modified
Description: Detects when Amazon Web Services (AWS) instance permissions are modified.
VERSIONS SUPPORTED
10.5 and higher
DEPENDENCIES
AWS CloudTrail log parser
Medium: log
Tags: assurance, compliance, audit, identity, authorization

Rule: AWS Critical VM Modified
Description: Detects when Amazon Web Services (AWS) critical virtual machine instances are modified. Actions detected include instances being terminated, stopped, and rebooted, as well as modification of instance attributes and monitoring status. To trigger an alert, a custom feed of critical instance source IPs must be created to populate the alert meta key with the value "critical_vm".
VERSIONS SUPPORTED
10.5 and higher
DEPENDENCIES
AWS CloudTrail log parser
Medium: log
Tags: assurance, compliance, audit, identity, authorization

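The rule above depends on enrichment, not just parsing: a feed tags events from listed source IPs with alert="critical_vm", and the rule fires only when that tag coincides with a state-changing EC2 call. The example below is added here to show that two-stage logic over constructed CloudTrail records; it is not RSA code and not the delivered rule or parser. The two-column feed layout, the meta key names (action, ip.src, user, instance, alert), and the choice of EC2 API names that stand in for the listed actions (TerminateInstances, StopInstances, RebootInstances, ModifyInstanceAttribute, MonitorInstances, UnmonitorInstances) are assumptions; the API names are real EC2 operations, but the page does not say which ones the delivered rule matches.

```python
# Constructed feed, modelled on a NetWitness CSV feed that matches the event's
# source IP and writes alert="critical_vm". The page does not give the feed
# layout, so this two-column form is an assumption.
CRITICAL_VM_FEED_CSV = """\
# ip.src,alert
203.0.113.10,critical_vm
203.0.113.11,critical_vm
"""

# EC2 API calls standing in for the actions the rule description lists
# (terminate, stop, reboot, attribute and monitoring changes). Real EC2 API
# names; that the delivered rule keys on exactly this set is an assumption.
CRITICAL_VM_ACTIONS = frozenset({
    "TerminateInstances", "StopInstances", "RebootInstances",
    "ModifyInstanceAttribute", "MonitorInstances", "UnmonitorInstances",
})

# Constructed CloudTrail records, trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0aaa111"}]}}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"},
     "requestParameters": {}},
    {"eventName": "StopInstances", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0bbb222"}]}}},
    {"eventName": "ModifyInstanceAttribute", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"},
     "requestParameters": {"instanceId": "i-0aaa111", "instanceType": {"value": "t3.large"}}},
    {"eventName": "RebootInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0aaa111"},
                                                      {"instanceId": "i-0ccc333"}]}}},
]


def load_feed(csv_text):
    """Parse the two-column feed into {source_ip: alert_value}, skipping comments."""
    feed = {}
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, alert = (p.strip() for p in line.split(",", 1))
        feed[ip] = alert
    return feed


def instance_ids(params):
    """CloudTrail carries instance IDs in instancesSet.items or as a bare instanceId."""
    ids = [i["instanceId"] for i in params.get("instancesSet", {}).get("items", [])]
    if "instanceId" in params:
        ids.append(params["instanceId"])
    return ids


def enrich(event, feed):
    """Meta that a CloudTrail parser plus the feed would produce (key names assumed)."""
    meta = {
        "action": event["eventName"],
        "ip.src": event["sourceIPAddress"],
        "user": event["userIdentity"]["arn"],
        "instance": instance_ids(event.get("requestParameters") or {}),
    }
    alert = feed.get(meta["ip.src"])
    if alert is not None:
        meta["alert"] = alert  # feed hit: alert = "critical_vm"
    return meta


def critical_vm_modified(meta):
    """Rule condition: feed-tagged source AND a state-changing EC2 call."""
    return meta.get("alert") == "critical_vm" and meta["action"] in CRITICAL_VM_ACTIONS


def run_rule(events, feed):
    """Enrich every record, then keep the ones that satisfy the rule."""
    return [m for m in (enrich(e, feed) for e in events) if critical_vm_modified(m)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS, load_feed(CRITICAL_VM_FEED_CSV)):
        print(hit["action"], hit["user"], hit["ip.src"], hit["instance"])
```

Three of the five constructed records fire; DescribeInstances from a listed IP is read-only, and StopInstances from 198.51.100.20 is a state change but comes from an address the feed does not list. That second miss is the caveat to keep in mind when building the feed: it matches on CloudTrail's sourceIPAddress, which is the API caller's address (and a service name when an AWS service makes the call on the caller's behalf), so a critical instance stopped from an unlisted address does not trigger this rule.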
Rule: Azure Monitor Operations by Resource Group
Description: The report rule fetches the top 10 operations per resource group, with occurrence counts, from activity monitored by Azure Monitor.
VERSIONS SUPPORTED
10.6.5.x and higher
CONFIGURATION
Configure the Azure Monitor plugin with valid credentials as per the plugin configuration document.
Use the latest table-map.xml.
Meta keys required: group. Index the group meta key on the Concentrator and set it to None in table-map.xml.
Medium: log
Tags: event analysis, operations

Rule: Azure Monitor Operations by Resource Provider
Description: The report rule fetches the top 10 operations per resource provider, with occurrence counts, from activity monitored by Azure Monitor.
VERSIONS SUPPORTED
10.6.5.x and higher
CONFIGURATION
Configure the Azure Monitor plugin with valid credentials as per the plugin configuration document.
Use the latest table-map.xml.
Medium: log
Tags: event analysis, operations

Rule: Azure Monitor Resource Providers by Resource Group
Description: The report rule fetches the top 10 resource providers per resource group, with occurrence counts, from activity monitored by Azure Monitor.
VERSIONS SUPPORTED
10.6.5.x and higher
CONFIGURATION
Configure the Azure Monitor plugin with valid credentials as per the plugin configuration document.
Use the latest table-map.xml.
Meta keys required: group. Index the group meta key on the Concentrator and set it to None in table-map.xml.
Medium: log
Tags: event analysis, operations

Rule: Azure Monitor Top IP Addresses
Description: The report rule fetches the top 10 caller IP addresses that made API calls resulting in operations monitored by Azure Monitor.
VERSIONS SUPPORTED
10.6.5.x and higher
CONFIGURATION
Configure the Azure Monitor plugin with valid credentials as per the plugin configuration document.
Use the latest table-map.xml.
Medium: log
Tags: event analysis, operations

Rule: Azure Monitor Top Operations
Description: The report rule fetches the top 10 operation names monitored by Azure Monitor.
VERSIONS SUPPORTED
10.6.5.x and higher
CONFIGURATION
Configure the Azure Monitor plugin with valid credentials as per the plugin configuration document.
Use the latest table-map.xml.
Medium: log
Tags: event analysis, operations

Rule: Azure Monitor Top Resource Groups
Description: The report rule fetches the top 10 resource groups appearing in the operations monitored by Azure Monitor.
VERSIONS SUPPORTED
10.6.5.x and higher
CONFIGURATION
Configure the Azure Monitor plugin with valid credentials as per the plugin configuration document.
Use the latest table-map.xml.
Meta keys required: group. Index the group meta key on the Concentrator and set it to None in table-map.xml.
Medium: log
Tags: event analysis, operations

Azure Monitor Top Virtual Machines