RSA NetWitness Rules

Document created by RSA Information Design and Development on May 25, 2016. Last modified by RSA Information Design and Development on Oct 21, 2019.
Version 192

This table lists all of the delivered RSA NetWitness Rules.

Note: For content that has been discontinued, see Discontinued Content.

Display Name | File Name | Description | Medium | Tag
11.1-11.2 Autoruns and Scheduled Tasks from or referencing AppData11.1-11.2 Autoruns and Scheduled Tasks from or referencing AppDataCompliance Rule- Anti-Virus Signature Updateendpointassurance, compliance, audit, operations, event analysis, situation awareness
11.1-11.2 Autoruns and Scheduled Tasks from Root of ProgramData11.1-11.2 Autoruns and Scheduled Tasks from Root of ProgramDataAutoruns and Tasks details when accessed from or referencing AppData. Task name, Autorun type, Directory, Command, Launch Arguments and number of hosts associated will be reflected. These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
endpointattack phase, exploit, threat
11.1-11.2 Autoruns and Scheduled Tasks Invoking Command Shell11.1-11.2 Autoruns and Scheduled Tasks Invoking Command ShellAttackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique leverages %SYSTEMROOT%\ProgramData as a storage location for malicious payloads set to run at a particular time or upon a trigger (e.g. login). It is not common for executables to be launched from the root of ProgramData, so any instance should be considered suspicious.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
endpointattack phase, exploit, threat
11.1-11.2 Autoruns and Scheduled Tasks Invoking Windows Script Host11.1-11.2 Autoruns and Scheduled Tasks Invoking Windows Script HostAttackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique will invoke trusted system shells (cmd.exe and powershell.exe) to perform malicious activity in an effort to evade anti-malware solutions. While not all autoruns invoking these commands are inherently malicious, an analyst should understand which of them are normal or required for IT operations and be suspicious of all others.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
endpointattack phase, exploit, threat
11.1-11.2 Autoruns and Scheduled Tasks Running Scripts11.1-11.2 Autoruns and Scheduled Tasks Running ScriptsAttackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique will invoke Windows Script Host (cscript.exe and wscript.exe) to launch scripts in an effort to evade anti-malware solutions. While not all autoruns invoking these commands are inherently malicious, an analyst should understand which of them are normal or required for IT operations and be suspicious of all others.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
endpointattack phase, exploit, threat
11.1-11.2 Autoruns and Tasks on Host11.1-11.2 Autoruns and Tasks on HostAttackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique will call and execute various scripts to provide further instructions for the attack. Detecting arguments passed to an executable that look like common script file formats can be a good indicator of compromise, particularly when attackers choose to obfuscate the name of the launching binary (e.g. create a copy of cmd.exe under a different name). While not all autoruns invoking these scripts are inherently malicious, an analyst should understand which of them are normal or required for IT operations and be suspicious of all others.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
endpointattack phase, exploit, threat
11.1-11.2 DLLs on Host11.1-11.2 DLLs on HostAggregates sessions that contain CDNs, which are listed in the Content Delivery Networks List. Filter these sites to reduce the amount of "noise" from non-dangerous traffic.endpointoperations, event analysis, application analysis, situation awareness
11.1-11.2 Endpoint Operating Systems Summary11.1-11.2 Endpoint Operating Systems SummaryFor each Dynamic DNS host, the associated IP addresses, ports and the module accessing the domain name will be reflected. The dynamic DNS domains are maintained in a list which can be altered as needed. DDNS provides flexibility to adversaries and helps them with evasion and persistence.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher

CONFIGURATION
If this rule is used with the Endpoint Network Activity Report or custom report, before the report is scheduled to run, you must enter a domain name or configure and use a NetWitness List of domain names to return this network data information.
endpointassurance, audit, compliance, operations, risk, threat
11.1-11.2 Endpoint Version Summary11.1-11.2 Endpoint Version SummaryOperating System Details associated with the host(s).

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
endpointassurance, audit, compliance, operations, risk
11.1-11.2 Files on Host11.1-11.2 Files on HostDisplays files transported over uncommon protocols such as ICMP and those identified as unknown. This report ignores files transferred over the common protocols HTTP, FTP, SMTP, POP, RSYNC and TFTP.endpointoperations, event analysis, protocol analysis
11.1-11.2 Machine Details on Host11.1-11.2 Machine Details on HostDetects logouts for users on a watchlist by user name.endpointassurance, compliance, audit, identity, authentication
11.1-11.2 Processes on Host11.1-11.2 Processes on HostDetails related to external domain names accessed by PowerShell. The associated host, source IP address, destination IP address, domain name and launch argument used with PowerShell are reflected. Connections to external domains can help an adversary execute remote scripts or fetch files or other useful information.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
endpointassurance, attack phase, operations, risk, threat
11.1-11.2 Rarest Autorun Registry Keys11.1-11.2 Rarest Autorun Registry KeysThere are numerous registry autorun keys that allow for command execution without interaction by the end user. Two common keys used by attackers are the HKCU\Software\Microsoft\Windows\CurrentVersion\Run and \RunOnce keys. Outliers in an enterprise environment should be inspected.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
endpointattack phase, exploit, threat
11.1-11.2 Rarest Child Processes of Web Server Processes11.1-11.2 Rarest Child Processes of Web Server ProcessesFilename, Launch Arguments and number of hosts associated are reflected when registry contains autorun registry keys. Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
endpointassurance, operations, reconnaissance, risk, threat
11.1-11.2 Rarest Code Signing Certificate CNs11.1-11.2 Rarest Code Signing Certificate CNsDetails of Child Processes of web server. Web Shells can be used to run malicious tools, commands and scripts by adversaries. Parent Process, Checksum, Directory and number of hosts associated are reflected.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
endpointassurance, operations, risk, threat
11.1-11.2 Rarest Parent Processes of cmd11.1-11.2 Rarest Parent Processes of cmdList of filenames with their checksum, directory and number of associated hosts. This information can be helpful in investigations.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
endpointassurance, operations, risk, threat
11.1-11.2 Rarest Parent Processes of powershell11.1-11.2 Rarest Parent Processes of powershellAttackers will often use trusted Windows processes as part of their attack. In a corporate environment, the number of unique parent processes invoking cmd.exe should be minimal. Rare parent processes could indicate malware or alternate execution paths used by malware and attackers and should be investigated.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
endpointattack phase, exploit, threat
11.1-11.2 Rarest Processes Running from AppData11.1-11.2 Rarest Processes Running from AppDataAttackers will often use trusted Windows processes as part of their attack. In a corporate environment, the number of unique parent processes invoking powershell.exe should be minimal. Rare parent processes could indicate malware or alternate execution paths used by malware and attackers and should be investigated.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
endpointattack phase, exploit, threat
11.1-11.2 Services on Host11.1-11.2 Services on HostDetects the meta key service generated through a network parser, which matches a list of configured source IPs.endpointoperations, event analysis, protocol analysis, situation awareness
11.1-11.2 Windows Process Parent Child Mismatch11.1-11.2 Windows Process Parent Child MismatchIndicates a possible pass-the-hash attack on Windows systems configured to use the NTLM authentication protocol. This rule does not apply to systems which use the Kerberos authentication protocol. This rule reduces false positives for anonymous logons and eliminates all DC or machine logons by removing any usernames that end in a $.endpointaction on objectives, attack phase, authentication, identity, lateral movement, threat
11.3 Autoruns and Scheduled Tasks from or referencing AppData11.3 Autoruns and Scheduled Tasks from or referencing AppDataCompliance Rule- Anti-Virus Signature Updateendpointassurance, compliance, audit, operations, event analysis, situation awareness
11.3 Autoruns and Scheduled Tasks from Root of ProgramData11.3 Autoruns and Scheduled Tasks from Root of ProgramDataAutoruns and Tasks details when accessed from or referencing AppData. Task name, Autorun type, Directory, Command, Launch Arguments and number of hosts associated will be reflected. These locations are used often by malware authors to store malicious payloads, with autoruns in place to ensure persistence.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointattack phase, exploit, threat
11.3 Autoruns and Scheduled Tasks Invoking Command Shell11.3 Autoruns and Scheduled Tasks Invoking Command ShellAttackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique leverages %SYSTEMROOT%\ProgramData as a storage location for malicious payloads set to run at a particular time or upon a trigger (e.g. login). It is not common for executables to be launched from the root of ProgramData, so any instance should be considered suspicious.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointattack phase, exploit, threat
11.3 Autoruns and Scheduled Tasks Invoking Windows Script Host11.3 Autoruns and Scheduled Tasks Invoking Windows Script HostAttackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique will invoke trusted system shells (cmd.exe and powershell.exe) to perform malicious activity in an effort to evade anti-malware solutions. While not all autoruns invoking these commands are inherently malicious, an analyst should understand which of them are normal or required for IT operations and be suspicious of all others.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointattack phase, exploit, threat
11.3 Autoruns and Scheduled Tasks Running Scripts11.3 Autoruns and Scheduled Tasks Running ScriptsAttackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique will invoke Windows Script Host (cscript.exe and wscript.exe) to launch scripts in an effort to evade anti-malware solutions. While not all autoruns invoking these commands are inherently malicious, an analyst should understand which of them are normal or required for IT operations and be suspicious of all others.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointattack phase, exploit, threat
11.3 Autoruns and Tasks on Host11.3 Autoruns and Tasks on HostAttackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique will call and execute various scripts to provide further instructions for the attack. Detecting arguments passed to an executable that look like common script file formats can be a good indicator of compromise, particularly when attackers choose to obfuscate the name of the launching binary (e.g. create a copy of cmd.exe under a different name). While not all autoruns invoking these scripts are inherently malicious, an analyst should understand which of them are normal or required for IT operations and be suspicious of all others.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointattack phase, exploit, threat
11.3 DLLs on Host11.3 DLLs on HostAggregates sessions that contain CDNs, which are listed in the Content Delivery Networks List. Filter these sites to reduce the amount of "noise" from non-dangerous traffic.endpointoperations, event analysis, application analysis, situation awareness
11.3 Endpoint Host State11.3 Endpoint Host StateCompliance Rule- Encryption Key Generation and Changesendpointassurance, compliance, audit
11.3 Endpoint Indicators Analysis11.3 Endpoint Indicators AnalysisDetails of host state with the rarest occurring state on top.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointassurance, compliance, operations, risk
11.3 Endpoint Indicators by Tactic11.3 Endpoint Indicators by TacticNumber of risk indicators associated with each host, broken down by risk level (critical, high, medium and low).

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointassurance, compliance, operations, risk, threat
11.3 Endpoint Indicators by Tactic and Technique11.3 Endpoint Indicators by Tactic and TechniqueNumber of indicators associated with adversarial tactics described in the MITRE ATT&CK Enterprise framework.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointassurance, compliance, operations, risk, threat
11.3 Endpoint Indicators Summary11.3 Endpoint Indicators SummaryNumber of indicators associated with adversarial tactics and techniques described in the MITRE ATT&CK Enterprise framework.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointassurance, compliance, operations, risk, threat
11.3 Endpoint Module and Dynamic DNS11.3 Endpoint Module and Dynamic DNSNumber of risk indicators associated with each host.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointassurance, compliance, operations, risk, threat
11.3 Endpoint Operating Systems Summary11.3 Endpoint Operating Systems SummaryFor each Dynamic DNS host, the associated IP addresses, ports and the module accessing the domain name will be reflected. The dynamic DNS domains are maintained in a list which can be altered as needed. DDNS provides flexibility to adversaries and helps them with evasion and persistence.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher

CONFIGURATION
If this rule is used with the Endpoint Network Activity Report or custom report, before the report is scheduled to run, you must enter a domain name or configure and use a NetWitness List of domain names to return this network data information.
endpointassurance, audit, compliance, operations, risk, threat
11.3 Endpoint Version Summary11.3 Endpoint Version SummaryOperating System Details associated with the host(s).

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointassurance, audit, compliance, operations, risk
11.3 Files on Host11.3 Files on HostDisplays files transported over uncommon protocols such as ICMP and those identified as unknown. This report ignores files transferred over the common protocols HTTP, FTP, SMTP, POP, RSYNC and TFTP.endpointoperations, event analysis, protocol analysis
11.3 Machine Details on Host11.3 Machine Details on HostDetects logouts for users on a watchlist by user name.endpointassurance, compliance, audit, identity, authentication
11.3 Multiple Arguments for Same Task11.3 Multiple Arguments for Same TaskSummarizes a list of hosts with mismatched HREFs.endpointoperations, event analysis, protocol analysis
11.3 Multiple Filename for Task Name11.3 Multiple Filename for Task NameFilename, number of parameters and the parameters themselves will be displayed for tasks, with all the supplied arguments.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointassurance, operations, reconnaissance, risk, threat
11.3 Multiple Task Name for Filename11.3 Multiple Task Name for FilenameFilename, directory and number of files will be displayed when the number of files associated with a task is more than one.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointassurance, operations, reconnaissance, risk, threat
11.3 Powershell to External Domain11.3 Powershell to External DomainCompliance Rule- Password Changesendpointassurance, compliance, audit, identity, authorization
11.3 Processes on Host11.3 Processes on HostDetails related to external domain names accessed by PowerShell. The associated host, source IP address, destination IP address, domain name and launch argument used with PowerShell are reflected. Connections to external domains can help an adversary execute remote scripts or fetch files or other useful information.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointassurance, attack phase, operations, risk, threat
11.3 Rare Extension for Task11.3 Rare Extension for TaskList of vendors associated with unsigned files.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointattack phase, malware, threat
11.3 Rarest Autorun Registry Keys11.3 Rarest Autorun Registry KeysThere are numerous registry autorun keys that allow for command execution without interaction by the end user. Two common keys used by attackers are the HKCU\Software\Microsoft\Windows\CurrentVersion\Run and \RunOnce keys. Outliers in an enterprise environment should be inspected.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.1 and higher
endpointattack phase, exploit, threat
11.3 Rarest Child Processes of Web Server Processes11.3 Rarest Child Processes of Web Server ProcessesFilename, Launch Arguments and number of hosts associated are reflected when registry contains autorun registry keys. Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointassurance, operations, reconnaissance, risk, threat
11.3 Rarest Code Signing Certificate CNs11.3 Rarest Code Signing Certificate CNsDetails of Child Processes of web server. Web Shells can be used to run malicious tools, commands and scripts by adversaries. Parent Process, Checksum, Directory and number of hosts associated are reflected.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointassurance, operations, risk, threat
11.3 Rarest File Names Across Endpoints11.3 Rarest File Names Across EndpointsLess careful malware authors may attempt to sign an executable with an untrusted CA to appear more legitimate to the untrained eye. In a corporate environment, looking for rarity of the common name assigned to the certificate can turn up unwanted applications. The analyst should investigate the rarest instances.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointassurance, operations, risk, threat
11.3 Rarest Parent Processes of cmd11.3 Rarest Parent Processes of cmdList of filenames with their checksum, directory and number of associated hosts. This information can be helpful in investigations.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointassurance, operations, risk, threat
11.3 Rarest Parent Processes of powershell11.3 Rarest Parent Processes of powershellAttackers will often use trusted Windows processes as part of their attack. In a corporate environment, the number of unique parent processes invoking cmd.exe should be minimal. Rare parent processes could indicate malware or alternate execution paths used by malware and attackers and should be investigated.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointattack phase, exploit, threat
11.3 Rarest Processes Running from AppData11.3 Rarest Processes Running from AppDataAttackers will often use trusted Windows processes as part of their attack. In a corporate environment, the number of unique parent processes invoking powershell.exe should be minimal. Rare parent processes could indicate malware or alternate execution paths used by malware and attackers and should be investigated.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointattack phase, exploit, threat
11.3 Rarest Unsigned Service Names Across Endpoints11.3 Rarest Unsigned Service Names Across EndpointsA common malware characteristic is to run out of temporary and low-security folders. Rare processes running out of the AppData\Local or AppData\Roaming folders should be investigated.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointattack phase, malware, threat
11.3 Rarest Unsigned Task Names Across Endpoints11.3 Rarest Unsigned Task Names Across EndpointsServices which are unsigned will be reflected along with module details, directory, checksum and number of hosts associated with it.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointassurance, operations, reconnaissance, risk, threat
11.3 Rarest Vendor of Unsigned Files Across Endpoints11.3 Rarest Vendor of Unsigned Files Across EndpointsTasks which are unsigned will be reflected along with module details, directory, checksum and number of hosts associated with it.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointassurance, operations, reconnaissance, risk, threat
11.3 Same Arguments for Different Task Filename11.3 Same Arguments for Different Task FilenameReturns all usernames that have performed failed authentications as declared by RSA SecurID. This rule populates users who have entered an unregistered username within the SecurID Server database (invalid username). It has a limit of returning 5,000 users.

Note: You will need to index the non-standard meta key 'result' on the Log Decoder and Concentrator in order to fully populate this report. See the report documentation for more details at https://community.rsa.com/docs/DOC-43406.

DEPENDENCIES:
RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv)
endpointauthentication, identity
11.3 Services on Host11.3 Services on HostDetects the meta key service generated through a network parser, which matches a list of configured source IPs.endpointoperations, event analysis, protocol analysis, situation awareness
11.3 Task Present on one Machine11.3 Task Present on one MachineCompliance Rule- System Clock Synchronizationendpointassurance, compliance, audit
11.3 Uncommon Directory for Task11.3 Uncommon Directory for TaskDisplays internal users communicating over tunneling protocols that may indicate inappropriate or anonymous access. This rule includes SSH and Tor tunneling protocols.endpointoperations, event analysis, protocol analysis, flow analysis, situation awareness
11.3 User Created Unique Task11.3 User Created Unique TaskCompliance Rule- User Session Terminated Summaryendpointidentity, authentication
11.3 User Defined Domain Name Analysis11.3 User Defined Domain Name AnalysisUnique Task that is created or authored by a user.

VERSIONS SUPPORTED
* RSA NetWitness Endpoint 11.3 and higher
endpointassurance, operations, risk, threat
11.3 Windows Process Parent Child Mismatch11.3 Windows Process Parent Child MismatchIndicates a possible pass-the-hash attack on Windows systems configured to use the NTLM authentication protocol. This rule does not apply to systems which use the Kerberos authentication protocol. This rule reduces false positives for anonymous logons and eliminates all DC or machine logons by removing any usernames that end in a $.endpointaction on objectives, attack phase, authentication, identity, lateral movement, threat
Access to Compliance Data DetailsAccess to Compliance Data DetailsAccess to Compliance Data Detailslogassurance, compliance, audit, identity, authorization
Access to Compliance Data SummaryAccess to Compliance Data SummaryCompliance Rule- Access to Compliance Data Summarylogassurance, compliance, audit, identity, authorization
Accounts CreatedAccounts CreatedCompliance Rule- Accounts Createdlogassurance, compliance, audit, identity, authorization
Accounts DeletedAccounts DeletedCompliance Rule- Accounts Deletedlogassurance, compliance, audit, identity, authorization
Accounts DisabledAccounts DisabledCompliance Rule- Accounts Disabledlogassurance, compliance, audit, identity, authorization
Accounts ModifiedAccounts ModifiedCompliance Rule- Accounts Modifiedlogassurance, compliance, audit, identity, authorization
Ad Servers by BandwidthAd Servers by BandwidthAggregates sessions that contain ad sites, which are listed in the Ad Servers List. Ad services consume a lot of disk space. If the traffic is acceptable, ad servers are a good candidate for filtering. This rule feeds data to the Global Filtering Candidate report.log, packetassurance, audit, compliance, operations, situation awareness
Admin Access to Compliance Systems DetailsAdmin Access to Compliance Systems DetailsCompliance Rule- Admin Access to Compliance Systems Detailslogassurance, audit, authorization, compliance, identity
Admin Access to Compliance Systems SummaryAdmin Access to Compliance Systems SummaryCompliance Rule- Admin Access to Compliance Systems Summarylogassurance, audit, authorization, compliance, identity
Alert IDs By Profiled Source IPAlert IDs by Profiled Source IPDetects the meta key alert.id generated through basic correlation rules, which match a list of configured source IPs.log, packetthreat, identity, assurance, operations, situation awareness
Alerts By Profiled Source IPAlerts by Profiled Source IPDetects the meta key alert generated through application rules, which match a list of configured source IPs.log, packetthreat, identity, assurance, operations, situation awareness
All Risk Suspicious by Destination IPAll Risk Suspicious by Destination IPAggregates sessions by risk.suspicious and displays all results by ip.dst in descending order.log, packetthreat, identity, assurance, operations, situation awareness
All Risk Suspicious by Session SizeAll Risk Suspicious by Session SizeAggregates sessions by risk.suspicious and displays all results by session size in descending order.log, packetthreat, identity, assurance, operations, situation awareness
All Risk Suspicious by Source IPAll Risk Suspicious by Source IPAggregates sessions by risk.suspicious and displays all results by ip.src in descending order.log, packetthreat, identity, assurance, operations, situation awareness
All Risk Warning by Destination IPAll Risk Warning by Destination IPAggregates sessions by risk.warning and displays all results by ip.dst in descending order.log, packetthreat, identity, assurance, operations, situation awareness
All Risk Warning by Session SizeAll Risk Warning by Session SizeAggregates sessions by risk.warning and displays all results by session size in descending order.log, packetthreat, identity, assurance, operations, situation awareness
Name: All Risk Warning by Source IP
Description: Aggregates sessions by risk.warning and displays all results by ip.src in descending order.
Medium: log, packet
Tags: threat, identity, assurance, operations, situation awareness

Name: Amazon VPC Top Accepted Destination IP
Description: The report rule fetches the top 10 accepted Destination IP addresses on the basis of the total bytes transferred.
  VERSIONS SUPPORTED: 10.6.5.x and higher
  CONFIGURATION: Configure the Amazon VPC plugin with valid credentials as per the plugin configuration document. Use the latest table-map.xml.
  DEPENDENCIES: CEF log parser
Medium: log
Tags: event analysis, flow analysis, operations

Name: Amazon VPC Top Accepted Destination Ports
Description: The report rule fetches the details of the top accepted Destination Ports with their occurrences.
  VERSIONS SUPPORTED: 10.6.5.x and higher
  CONFIGURATION: Configure the Amazon VPC plugin with valid credentials as per the plugin configuration document. Use the latest table-map.xml.
  DEPENDENCIES: CEF log parser
Medium: log
Tags: event analysis, flow analysis, operations

Name: Amazon VPC Top Accepted Source IP
Description: The report rule fetches the top 10 accepted Source IP addresses on the basis of total bytes transferred.
  VERSIONS SUPPORTED: 10.6.5.x and higher
  CONFIGURATION: Configure the Amazon VPC plugin with valid credentials as per the plugin configuration document. Use the latest table-map.xml.
  DEPENDENCIES: CEF log parser
Medium: log
Tags: event analysis, flow analysis, operations

Name: Amazon VPC Top Rejected Destination IP
Description: The report rule fetches the top 10 rejected Destination IP addresses on the basis of total bytes transferred.
  VERSIONS SUPPORTED: 10.6.5.x and higher
  CONFIGURATION: Configure the Amazon VPC plugin with valid credentials as per the plugin configuration document. Use the latest table-map.xml.
  DEPENDENCIES: CEF log parser
Medium: log
Tags: event analysis, flow analysis, operations

Name: Amazon VPC Top Rejected Destination Ports
Description: The report rule fetches the details of the top rejected Destination Ports with their occurrences.
  VERSIONS SUPPORTED: 10.6.5.x and higher
  CONFIGURATION: Configure the Amazon VPC plugin with valid credentials as per the plugin configuration document. Use the latest table-map.xml.
  DEPENDENCIES: CEF log parser
Medium: log
Tags: event analysis, flow analysis, operations

Name: Amazon VPC Top Rejected Source IP
Description: The report rule fetches the top 10 rejected Source IP addresses on the basis of total bytes transferred.
  VERSIONS SUPPORTED: 10.6.5.x and higher
  CONFIGURATION: Configure the Amazon VPC plugin with valid credentials as per the plugin configuration document. Use the latest table-map.xml.
  DEPENDENCIES: CEF log parser
Medium: log
Tags: event analysis, flow analysis, operations

Name: Amazon VPC Top Source and Destination IP Pair
Description: The report rule fetches the top 10 accepted Source IP and Destination IP address pairs on the basis of total bytes transferred.
  VERSIONS SUPPORTED: 10.6.5.x and higher
  CONFIGURATION: Configure the Amazon VPC plugin with valid credentials as per the plugin configuration document. Use the latest table-map.xml.
  DEPENDENCIES: CEF log parser
Medium: log
Tags: event analysis, flow analysis, operations
Name: Anonymous Access by Suspicious Source
Description: Displays when a user enters or exits through a suspected criminal SOCKS or VPN node. RSA FirstWatch feeds populate the meta keys used within the rule. The rule requires the following: threat.category equal to "anonymous access" AND threat.desc as any of the following: "suspicious-ip" or "criminal vpn service exit node" or "criminal vpn service entry node" or "criminal socks node".
Medium: log, packet
Tags: assurance, compliance, audit, operations, event analysis, situation awareness

Name: Anonymous Proxy Service Connection
Description: Detects use of common proxy services. It uses a list of domains matched against the alias host meta key. Use of an HTTP network parser is required.
Medium: log, packet
Tags: assurance, compliance, audit, operations, event analysis, situation awareness

Name: Anti-Virus Signature Update
Description: Compliance Rule - Anti-Virus Signature Update
Medium: log
Tags: assurance, compliance, audit, operations, event analysis, situation awareness

Name: AWS Access Permissions Modified
Description: 10.5 and higher. Detects when Amazon Web Services (AWS) instance permissions are modified. The AWS CloudTrail log parser is a required dependency.
Medium: log
Tags: assurance, compliance, audit, identity, authorization

Name: AWS Critical VM Modified
Description: 10.5 and higher. Detects when Amazon Web Services (AWS) critical virtual machine instances are modified. Actions detected by this module include instances being terminated, stopped and rebooted, as well as modification of instance attributes and monitoring status. In order to trigger an alert, a custom feed of critical instance source IPs must be created to populate the alert meta key with the value "critical_vm". The AWS CloudTrail log parser is a required dependency.
Medium: log
Tags: assurance, compliance, audit, identity, authorization

Name: Azure Monitor Operations by Resource Group
Description: The report rule fetches the top 10 operations by Resource Group with their occurrences, as monitored by Azure Monitor.
  VERSIONS SUPPORTED: 10.6.5.x and higher
  CONFIGURATION: Configure the Azure Monitor plugin with valid credentials as per the plugin configuration document. Use the latest table-map.xml. Meta keys required: group. Index the group meta key on the Concentrator and set it to None in table-map.xml.
Medium: log
Tags: event analysis, operations

Name: Azure Monitor Operations by Resource Provider
Description: The report rule fetches the top 10 operations by Resource Provider with their occurrences, as monitored by Azure Monitor.
  VERSIONS SUPPORTED: 10.6.5.x and higher
  CONFIGURATION: Configure the Azure Monitor plugin with valid credentials as per the plugin configuration document. Use the latest table-map.xml.
Medium: log
Tags: event analysis, operations

Name: Azure Monitor Resource Providers by Resource Group
Description: The report rule fetches the top 10 Resource Providers by Resource Group with their occurrences, as monitored by Azure Monitor.
  VERSIONS SUPPORTED: 10.6.5.x and higher
  CONFIGURATION: Configure the Azure Monitor plugin with valid credentials as per the plugin configuration document. Use the latest table-map.xml. Meta keys required: group. Index the group meta key on the Concentrator and set it to None in table-map.xml.
Medium: log
Tags: event analysis, operations

Name: Azure Monitor Top IP Addresses
Description: The report rule fetches the top 10 caller IP addresses that made an API call resulting in an operation monitored by Azure Monitor.
  VERSIONS SUPPORTED: 10.6.5.x and higher
  CONFIGURATION: Configure the Azure Monitor plugin with valid credentials as per the plugin configuration document. Use the latest table-map.xml.
Medium: log
Tags: event analysis, operations

Name: Azure Monitor Top Operations
Description: The report rule fetches the top 10 Operation names monitored by Azure Monitor.
  VERSIONS SUPPORTED: 10.6.5.x and higher
  CONFIGURATION: Configure the Azure Monitor plugin with valid credentials as per the plugin configuration document. Use the latest table-map.xml.
Medium: log
Tags: event analysis, operations

Name: Azure Monitor Top Resource Groups
Description: The report rule fetches the top 10 Resource Groups in the operations monitored by Azure Monitor.
  VERSIONS SUPPORTED: 10.6.5.x and higher
  CONFIGURATION: Configure the Azure Monitor plugin with valid credentials as per the plugin configuration document. Use the latest table-map.xml. Meta keys required: group. Index the group meta key on the Concentrator and set it to None in table-map.xml.
Medium: log
Tags: event analysis, operations

Name: Azure Monitor Top Virtual Machines
Description: The report rule fetches the top 10 Virtual Machine names monitored by Azure Monitor.
  VERSIONS SUPPORTED: 10.6.5.x and higher
  CONFIGURATION: Configure the Azure Monitor plugin with valid credentials as per the plugin configuration document. Use the latest table-map.xml.
Medium: log
Tags: event analysis, operations
Name: Bandwidth By Profiled Source IP
Display name: Bandwidth by Profiled Source IP
Description: Displays the aggregated session size of each source IP configured in the report list.
Medium: log, packet
Tags: operations, event analysis, situation awareness

Name: Behaviors of Compromise
Description: Designated for suspect or nefarious behavior outside the standard signature-based detection. This rule displays output when the meta key Behaviors of Compromise is populated. The Hunting Pack is a required dependency.
Medium: log, packet
Tags: attack phase, threat

Name: Behaviors of Compromise Detail
Description: Designated for suspect or nefarious behavior outside the standard signature-based detection. This rule displays output when the meta key Behaviors of Compromise is populated. Additional context is provided to an analyst by grouping with the additional meta keys Service Type and Device Type. The Hunting Pack is a required dependency.
Medium: log, packet
Tags: attack phase, threat

Name: Browsers By Profiled Source IP
Display name: Browsers by Profiled Source IP
Description: Detects the browser meta key generated through a network parser for sessions that match a list of configured source IPs.
Medium: packet
Tags: operations, event analysis, application analysis, situation awareness

Name: Bulk Data Transfer
Description: Displays events where the amount of data transferred between Source-Destination IP pairs is over 20 Mb or 50 Mb.
Medium: packet
Tags: assurance, compliance, audit

Name: Change in Audit Settings
Description: Compliance Rule - Change in Audit Settings
Medium: log
Tags: assurance, compliance, audit

Name: Cleartext Authentications
Description: This rule displays events in which passwords were sent in cleartext using network protocols such as FTP, HTTP, POP3 and SMTP.
Medium: packet
Tags: assurance, risk, organizational hazard, operations, event analysis, protocol analysis

Name: Cleartext Authentications By Service
Description: Displays the top authentications detected in cleartext, by service, from packet traffic.
Medium: packet
Tags: authentication, identity

Name: Cleartext Authentications By User Watchlist
Display name: Cleartext Authentications by User Watchlist
Description: Detects events for users on a watchlist in which passwords were sent in cleartext using network protocols such as FTP, HTTP, POP3 and SMTP.
Medium: packet
Tags: assurance, risk, organizational hazard, operations, event analysis, protocol analysis, identity, authentication

Name: Cleartext Passwords By Service
Description: Displays the top passwords detected in cleartext, by service, from packet traffic.
Medium: packet
Tags: authentication, identity

Name: Clients by Profiled Source IP
Description: Detects the client meta key generated through a network parser for sessions that match a list of configured source IPs.
Medium: log, packet
Tags: operations, event analysis, application analysis, situation awareness

Name: Content Delivery Networks by Bandwidth
Description: Aggregates sessions that contain CDNs listed in the Content Delivery Networks List. Filter these sites to reduce the amount of "noise" from non-dangerous traffic.
Medium: log, packet
Tags: operations, event analysis, application analysis, situation awareness

Name: Email Address Activity By User Watchlist
Display name: Email Address Activity by User Watchlist
Description: Detects all email activity, using the email.src meta key, for users on a watchlist by email address.
Medium: log, packet
Tags: assurance, compliance, corporate, identity, operations, situation awareness

Name: Email Senders
Description: Displays the top email senders from packet traffic.
Medium: packet
Tags: identity

Name: Email User Activity By User Watchlist
Display name: Email User Activity by User Watchlist
Description: Detects all email activity, using the email and username meta keys, for users on a watchlist by user name.
Medium: log, packet
Tags: assurance, compliance, corporate, identity, operations, situation awareness

Name: Enablers of Compromise
Description: Instances of poor information or operational security. Post-mortems often tie these to the root cause. This rule displays output when the meta key Enablers of Compromise is populated. The Hunting Pack is a required dependency.
Medium: log, packet
Tags: attack phase, threat

Name: Enablers of Compromise Detail
Description: Instances of poor information or operational security. Post-mortems often tie these to the root cause. This rule displays output when the meta key Enablers of Compromise is populated. Additional context is provided to an analyst by grouping with the additional meta keys Service Type and Device Type. The Hunting Pack is a required dependency.
Medium: log, packet
Tags: attack phase, threat

Name: Encrypted Traffic over Non-Standard Port
Description: Summarizes sessions containing encrypted traffic that is not communicating on port 22, 993, 995 or 443.
Medium: packet
Tags: event analysis, operations, protocol analysis

Name: Encryption Failures
Description: Compliance Rule - Encryption Failures
Medium: log
Tags: assurance, compliance, audit

Name: Encryption Key Generation and Changes
Description: Compliance Rule - Encryption Key Generation and Changes
Medium: log
Tags: assurance, compliance, audit

Name: Executables by Country
Description: Summarizes a list of executables by country.
Medium: packet
Tags: operations, event analysis, file analysis, situation awareness

Name: Executables by Domain
Description: Summarizes a list of executables by domain.
Medium: packet
Tags: operations, event analysis, file analysis, situation awareness

Name: Executables with Abnormal Characteristics - Suspicious
Description: Summarizes a list of executables with suspicious abnormal characteristics.
Medium: log, packet
Tags: operations, event analysis, file analysis, situation awareness

Name: Executables with Abnormal Characteristics - Warning
Description: Summarizes a list of executables with warning-level abnormal characteristics.
Medium: log, packet
Tags: operations, event analysis, file analysis, situation awareness

Name: Failed Escalation of Privileges Details
Description: Compliance Rule - Failed Escalation of Privileges Details
Medium: log
Tags: assurance, compliance, audit, identity, authorization

Name: Failed Escalation of Privileges Summary
Description: Compliance Rule - Failed Escalation of Privileges Summary
Medium: log
Tags: assurance, compliance, audit, identity, authorization

Name: Failed Remote Access Details
Description: Compliance Rule - Failed Remote Access Details
Medium: log
Tags: assurance, compliance, audit, identity, authentication

Name: Failed Remote Access Summary
Description: Compliance Rule - Failed Remote Access Summary
Medium: log
Tags: assurance, compliance, audit, identity, authentication

Name: File Analysis
Description: A large inspection library that highlights file characteristics and anomalies. This rule displays output when the meta key File Analysis is populated. The Hunting Pack is a required dependency.
Medium: log, packet
Tags: event analysis, file analysis, operations

Name: File Analysis Detail
Description: A large inspection library that highlights file characteristics and anomalies. This rule displays output when the meta key File Analysis is populated. Additional context is provided to an analyst by grouping with the additional meta key Filename. The Hunting Pack is a required dependency.
Medium: log, packet
Tags: event analysis, file analysis, operations

Name: File Transport Over Uncommon Protocol
Description: Displays files transported over uncommon protocols such as ICMP, and those identified as unknown. This report ignores files transferred over the common protocols HTTP, FTP, SMTP, POP, RSYNC and TFTP.
Medium: log, packet
Tags: operations, event analysis, protocol analysis

Name: Firewall Configuration Changes
Description: Compliance Rule - Firewall Configuration Changes
Medium: log
Tags: assurance, compliance, audit

Name: Firewall Denied Connections
Description: Displays destination IP addresses using the 'ip.dst' meta key, with an 'action' showing a denied connection, as populated by the Firewall event class.
Medium: log
Tags: operations, situation awareness

Name: Firewall Destination IP Addresses
Description: Displays destination IP addresses using the 'ip.dst' meta key as populated by the Firewall event class.
Medium: log
Tags: operations, situation awareness

Name: Firewall Events
Description: Displays firewall events using the 'action' meta key as populated by the Firewall event class.
Medium: log
Tags: operations, situation awareness

Name: Firewall Systems
Description: Displays firewall systems by system IP using the 'ip.addr' meta key as populated by the Firewall event class.
Medium: log
Tags: operations, situation awareness

Name: Firewall Users
Description: Displays the destination users using the 'user.dst' meta key as populated by the Firewall event class.
Medium: log
Tags: operations, situation awareness

Name: Firmware Changes on Wireless Devices
Description: Compliance Rule - Firmware Changes on Wireless Devices
Medium: log
Tags: assurance, compliance, audit

Name: Group Management
Description: Compliance Rule - Group Management
Medium: log
Tags: assurance, compliance, audit, identity, authorization

Name: IDS Signatures
Description: Displays possible intrusions through the 'policy.name' meta key as populated by the IDS, IPS or Intrusion event classes.
Medium: log
Tags: operations, situation awareness

Name: Inbound Network Traffic
Description: Compliance Rule - Inbound Network Traffic
Medium: log
Tags: operations, event analysis, protocol analysis, flow analysis

Name: Indicators of Compromise
Description: Possible intrusions into the network that can be identified through malware signatures, or through IPs and domains associated with command and control campaigns. This rule displays output when the meta key Indicators of Compromise is populated. The Hunting Pack is a required dependency.
Medium: log, packet
Tags: attack phase, malware, threat

Name: Indicators of Compromise Detail
Description: Possible intrusions into the network that can be identified through malware signatures, or through IPs and domains associated with command and control campaigns. This rule displays output when the meta key Indicators of Compromise is populated. Additional context is provided to an analyst by grouping with the additional meta keys Service Type and Device Type. The Hunting Pack is a required dependency.
Medium: log, packet
Tags: attack phase, malware, threat

Name: Known Service detected over Non Standard Network Port
Description: Displays sessions whose service is detected on a non-standard network port. For example, DNS detected on port 555 when the default port is 53.
Medium: packet
Tags: operations, event analysis, protocol analysis

Name: Large Outbound Encrypted Sessions
Description: Summarizes sessions containing encrypted traffic that have a session size of 5MB or greater, these being indicative of a large file transfer from an RFC 1918 address to a non-RFC 1918 address.
Medium: packet
Tags: assurance, event analysis, flow analysis, operations, organizational hazard, risk

Name: Large Outbound Sessions
Description: Summarizes sessions that have a session size of 5MB or greater, these being indicative of a large file transfer from an RFC 1918 address to a non-RFC 1918 address.
Medium: packet
Tags: assurance, risk, organizational hazard, operations, event analysis, flow analysis

Name: Log Destination Ports
Description: Displays the destination ports using the 'ip.dstport' meta key as populated by log event traffic.
Medium: log
Tags: operations, situation awareness

Name: Log Event Categories
Description: Displays the log event categories using the 'event.category' meta key as populated by log event traffic.
Medium: log
Tags: operations, situation awareness

Name: Log Event Classes
Description: Displays the log event classes using the 'device.class' meta key as populated by log event source traffic.
Medium: log
Tags: operations, situation awareness

Name: Log Event Types
Description: Displays the log event types using the 'device.type' meta key as populated by log event traffic.
Medium: log
Tags: operations, situation awareness

Name: Log Event Users
Description: Displays the top 10 users as populated by log event traffic.
Medium: log
Tags: identity

Name: Login Failures By User Watchlist
Description: Detects login failures for users on a watchlist by user name.
Medium: log
Tags: assurance, compliance, audit, identity, authentication

Name: Login Success By User Watchlist
Description: Detects login successes for users on a watchlist by user name.
Medium: log
Tags: assurance, compliance, audit, identity, authentication

Name: Logon Failures Details
Description: Compliance Rule - Logon Failures Details
Medium: log
Tags: assurance, compliance, audit, identity, authentication

Name: Logon Failures Summary
Description: Displays the top logon failures as populated by log event traffic.
Medium: log
Tags: authentication, identity

Name: Logon Success Summary
Description: Displays the top logon successes as populated by log event traffic.
Medium: log
Tags: authentication, identity

Name: Logouts By User Watchlist
Description: Detects logouts for users on a watchlist by user name.
Medium: log
Tags: assurance, compliance, audit, identity, authentication
Name: Malware Activity DNS
Description: Displays DNS packet traffic that is going to a known malicious IP address or references a hostname that is known to be malicious. This could indicate that an infected host on your network is making DNS queries. The native NETWORK packet parser must be enabled in order to identify the DNS service; this parser is enabled by default.
  At least one of the following feeds must also be deployed:
  * Investigation
  * RSA FirstWatch C2 Domains
  * RSA FirstWatch C2 IPs
  * RSA FirstWatch APT Domains
  * RSA FirstWatch APT IPs
  If deploying the Investigation feed, at least one of the related Lua parsers is also needed:
  * DNS_verbose_lua
  * DynDNS
  Note: For deployments prior to 10.6.2, you will also need to configure a set of new meta keys: inv.context and inv.category. See the product documentation of the Investigation Feed for more details: https://community.rsa.com/docs/DOC-62303.
Medium: packet
Tags: malware, threat

Name: Malware Activity Unidentified
Description: Displays packet and log traffic, other than DNS and Web, that has been going to a known malicious IP address or references a hostname that is known to be malicious. This could indicate an infected host on your network. The native NETWORK packet parser must be enabled; this parser is enabled by default.
  At least one of the following feeds must also be deployed:
  * Investigation
  * RSA FirstWatch C2 Domains
  * RSA FirstWatch C2 IPs
  * RSA FirstWatch APT Domains
  * RSA FirstWatch APT IPs
  If collecting logs, at least one of the following event source types is needed:
  * Firewall
  * IDS
  * IPS
  * Netflow (rsaflow)
  Note: For deployments prior to 10.6.2, you will also need to configure a set of new meta keys: inv.context and inv.category. See the product documentation of the Investigation Feed for more details: https://community.rsa.com/docs/DOC-62303.
Medium: log, packet
Tags: malware, threat

Name: Malware Activity Web
Description: Displays web-based packet traffic and web log traffic that has been going to a known malicious IP address or references a hostname that is known to be malicious. This could indicate that an infected host on your network is making web requests. The native NETWORK packet parser must be enabled in order to identify the web service; this parser is enabled by default.
  At least one of the following feeds must also be deployed:
  * Investigation
  * RSA FirstWatch C2 Domains
  * RSA FirstWatch C2 IPs
  * RSA FirstWatch APT Domains
  * RSA FirstWatch APT IPs
  If deploying the Investigation feed, at least one of the related Lua parsers is also needed:
  * HTTP_lua
  * TLS_lua
  If collecting logs, at least one event source with a device class of web logs is needed. This includes web proxy and security products such as Cisco WSA and SQUID.
  Note: For deployments prior to 10.6.2, you will also need to configure a set of new meta keys: inv.context and inv.category. See the product documentation of the Investigation Feed for more details: https://community.rsa.com/docs/DOC-62303.
Medium: log, packet
Tags: malware, threat
Name: Mismatched HREF Header
Description: Summarizes a list of hosts with mismatched HREFs.
Medium: packet
Tags: operations, event analysis, protocol analysis

Name: Netflow - Excessive DNS Responses by Client IP
Description: 10.4 or higher Log Collector required for the Netflow collection protocol. Displays excessive DNS responses by Client IP. This could indicate someone collecting information for a possible attack. For this rule to fire, ensure that the device parser "RSAFlow" (for a 10.3 Log Decoder) or "CEF" (for a 10.4 Log Decoder) is enabled, and that the meta keys "direction" and "Source Port (ip.srcport)" are indexed in table-map.xml and index-concentrator-custom.xml.
Medium: log
Tags: operations, event analysis, protocol analysis, flow analysis

Name: Netflow - Excessive DNS Responses by Server IP
Description: 10.4 or higher Log Collector required for the Netflow collection protocol. Displays excessive DNS responses by Server IP. This could indicate someone collecting information for a possible attack. For this rule to fire, ensure that the device parser "RSAFlow" (for a 10.3 Log Decoder) or "CEF" (for a 10.4 Log Decoder) is enabled, and that the meta keys "direction" and "Source Port (ip.srcport)" are indexed in table-map.xml and index-concentrator-custom.xml.
Medium: log
Tags: operations, event analysis, protocol analysis, flow analysis

Name: Netflow - First Heard by Destination IP
Description: 10.4 or higher Log Collector required for the Netflow collection protocol. Displays the Source IP address of any system not observed in previous flow data. It lists only the IP addresses that are new within the time range given when the rule is run. For this rule to fire, ensure that the device parser "RSAFlow" (for a 10.3 Log Decoder) or "CEF" (for a 10.4 Log Decoder) is enabled, and that the meta key "direction" is indexed in table-map.xml and index-concentrator-custom.xml. This rule is a part of the report Netflow - Filtering Candidates.
Medium: log
Tags: operations, event analysis, protocol analysis, flow analysis

Name: Netflow - First Heard by Source IP
Description: 10.4 or higher Log Collector required for the Netflow collection protocol. Displays the Source IP address of any system not observed in previous flow data. It lists only the IP addresses that are new within the time range given when the rule is run. For this rule to fire, ensure that the device parser "RSAFlow" (for a 10.3 Log Decoder) or "CEF" (for a 10.4 Log Decoder) is enabled, and that the meta key "direction" is indexed in table-map.xml and index-concentrator-custom.xml. This rule is a part of the report Netflow - Filtering Candidates.
Medium: log
Tags: operations, event analysis, protocol analysis, flow analysis

Name: Netflow - TCP Resets by Source IP
Description: 10.4 or higher Log Collector required for the Netflow collection protocol. Displays TCP resets by Source IP. Useful in determining which devices are behaving abnormally. For this rule to fire, ensure that the device parser "RSAFlow" (for a 10.3 Log Decoder) or "CEF" (for a 10.4 Log Decoder) and the feed "TCP Flags Seen" are enabled, and that the meta key "direction" is indexed in table-map.xml and index-concentrator-custom.xml. Also ensure that the meta key "TCP Flags Seen (tcp.flags.seen)" is indexed in index-concentrator-custom.xml.
Medium: log
Tags: operations, event analysis, protocol analysis, flow analysis

Name: Netflow - Top Applications
Description: 10.4 or higher Log Collector required for the Netflow collection protocol. This rule displays the list of top applications in the network. It provides an overview of the network and helps to analyse the network traffic. For this rule to fire, ensure that the device parser "RSAFlow" (for a 10.3 Log Decoder) or "CEF" (for a 10.4 Log Decoder) is enabled, and that the meta key "direction" is indexed in table-map.xml and index-concentrator-custom.xml. This rule is a part of the report Netflow - Filtering Candidates.
Medium: log
Tags: operations, event analysis, application analysis, flow analysis, situation awareness

Name: Netflow - Top Protocols
Description: 10.4 or higher Log Collector required for the Netflow collection protocol. This rule displays the list of top protocols in the network. It provides an overview of the network and helps to analyse the network traffic. For this rule to fire, ensure that the device parser "RSAFlow" (for a 10.3 Log Decoder) or "CEF" (for a 10.4 Log Decoder) is enabled, and that the meta key "direction" is indexed in table-map.xml and index-concentrator-custom.xml. This rule is a part of the report Netflow - Filtering Candidates.
Medium: log
Tags: operations, event analysis, protocol analysis, flow analysis, situation awareness

Name: Netflow - Top Talkers by Source IP
Description: 10.4 or higher Log Collector required for the Netflow collection protocol. Displays the top talking IP pairs via Netflow, summarized by the number of flows. This rule can be used to identify possible sources of DoS or disruption. It can also be used to identify sources of data exfiltration. For this rule to fire, ensure that the device parser "RSAFlow" (for a 10.3 Log Decoder) or "CEF" (for a 10.4 Log Decoder) is enabled, and that the meta key "direction" is indexed in table-map.xml and index-concentrator-custom.xml. This rule is a part of the report Netflow - Top Communicants.
Medium: log
Tags: operations, event analysis, protocol analysis, flow analysis, situation awareness

Name: Netflow - Volume - Top Talkers by Destination Port
Description: 10.4 or higher Log Collector required for the Netflow collection protocol. This rule displays the top talkers by Destination Port via Netflow, summarized by volume. This rule can be used to identify possible sources of DoS or disruption. It can also be used to identify sources of data exfiltration. For this rule to fire, ensure that the device parser "RSAFlow" (for a 10.3 Log Decoder) or "CEF" (for a 10.4 Log Decoder) is enabled, and that the meta key "direction" is indexed in table-map.xml and index-concentrator-custom.xml. This rule is a part of the report Netflow - Top Communicants.
Medium: log
Tags: operations, event analysis, protocol analysis, flow analysis, situation awareness

Name: Netflow - Volume - Top Talkers by Source IP
Description: 10.4 or higher Log Collector required for the Netflow collection protocol. This rule displays the top talkers by Source IP via Netflow, summarized by volume. This rule can be used to identify possible sources of DoS or disruption. It can also be used to identify sources of data exfiltration. For this rule to fire, ensure that the device parser "RSAFlow" (for a 10.3 Log Decoder) or "CEF" (for a 10.4 Log Decoder) is enabled, and that the meta key "direction" is indexed in table-map.xml and index-concentrator-custom.xml. This rule is a part of the report Netflow - Top Communicants.
Medium: log
Tags: operations, event analysis, protocol analysis, flow analysis, situation awareness

Name: NetWitness Administration - Events Classification Summary
Description: This rule gives a summary of event types and sub-types with their counts and the last time each event occurred.
Medium: log
Tags: threat, identity, assurance, operations, situation awareness

Name: NetWitness Administration - Hosts and Events Summary
Description: This rule gives a summary of all the events that occurred under each host, along with their counts.
Medium: log
Tags: threat, identity, assurance, operations, situation awareness

Name: NetWitness Administration - User Activity by Source IP Summary
Description: This rule gives a breakdown of the activity of each user, along with its Source Address, count and the last time the event occurred.
Medium: log
Tags: identity, operations, situation awareness

Name: NetWitness Administration - User Authentication Attempt Details
Description: This rule gives a detailed list of authentication attempts (successes and failures) with Source IP address, Hostname, time, etc.
Medium: log
Tags: authentication, identity, operations, situation awareness

Name: NetWitness Administration - User Authentication Failure Details
Description: This rule gives a detailed list of authentication failures with Hostname, Source IP address, time, etc.
Medium: log
Tags: authentication, identity, operations, situation awareness

Name: NetWitness Administration - User Authentication Failure Reason Summary
Description: This rule gives a breakdown of the reasons for authentication failures for each user, along with the occurrence count and the last time the event occurred.
Medium: log
Tags: authentication, identity, operations, situation awareness
NetWitness Respond - Alert DetailsNetWitness Respond - Alert DetailsThe rule displays a detailed view of the alerts generated using NetWitness Respond.

REFERENCES
On RSA Link, see the NetWitness Respond Configuration and User Guides for details.

VERSIONS SUPPORTED
10.6.2 and higher

CONFIGURATION
You must configure the Respond service and database, alert data sources and aggregation rules for this report to populate.

DEPENDENCIES
* Common Event Format Log Parser
log, packetassurance, audit, compliance
NetWitness Respond - Alert SummaryNetWitness Respond - Alert SummaryThe rule displays a summary view of the alerts generated using NetWitness Respond.

REFERENCES
On RSA Link, see the NetWitness Respond Configuration and User Guides for details.

VERSIONS SUPPORTED
10.6.2 and higher

CONFIGURATION
You must configure the Respond service and database, alert data sources and aggregation rules for this report to populate.

DEPENDENCIES
* Common Event Format Log Parser
log, packetassurance, audit, compliance
NetWitness Respond - Incident SummaryNetWitness Respond - Incident SummaryThe rule displays a summary view of the incidents generated using NetWitness Respond.

REFERENCES
On RSA Link, see the NetWitness Respond Configuration and User Guides for details.

VERSIONS SUPPORTED
10.6.2 and higher

CONFIGURATION
You must configure the Respond service and database, alert data sources and aggregation rules for this report to populate.

DEPENDENCIES
* Common Event Format Log Parser
log, packetassurance, audit, compliance
Name: News Portals by Bandwidth
Display Name: News Portals by Bandwidth
Description: Aggregates sessions that contain news sites, which are listed in the News Portal List. If you are not worried about these sites, filter them from capture.
Medium: log, packet
Tags: operations, event analysis, application analysis, situation awareness

Name: OS By Profiled Source IP
Display Name: OS by Profiled Source IP
Description: Detects the OS meta key, generated by a network parser, for sessions whose source IP matches a list of configured source IPs.
Medium: log, packet
Tags: operations, event analysis, application analysis, situation awareness

Name: Outbound Network Traffic
Display Name: Outbound Network Traffic
Description: Compliance Rule - Outbound Network Traffic
Medium: log
Tags: operations, event analysis, protocol analysis, flow analysis

Name: Password Change on Privileged Account
Display Name: Password Change on Privileged Account
Description: Detects events that triggered an application rule for a password change and whose user matches a list of configured administrative users.
Medium: log
Tags: assurance, compliance, audit, identity, authorization

Name: Password Changes
Display Name: Password Changes
Description: Compliance Rule - Password Changes
Medium: log
Tags: assurance, compliance, audit, identity, authorization

Name: Password Changes Summary
Display Name: Password Changes Summary
Description: Compliance Rule - Password Changes Summary
Medium: log
Tags: assurance, compliance, audit, identity, authorization

Name: Remote Control Client Site
Display Name: Remote Control Client Site
Description: Detects use of common remote control client download sites, using a list of domains matched against the alias.host meta key. An HTTP network parser is required.
Medium: log, packet
Tags: assurance, compliance, corporate, operations, event analysis, protocol analysis

Name: Remote Control or Proxy Client Download
Display Name: Remote Control or Proxy Client Download
Description: Detects proxy and remote control client file downloads by looking for the file name and extension in the filename meta key. An HTTP network parser is required.
Medium: log, packet
Tags: assurance, compliance, corporate, operations, event analysis, protocol analysis, file analysis

Name: Risk Info By Profiled Source IP
Display Name: Risk Info by Profiled Source IP
Description: Detects all risks registered in the risk.info meta key by the Alert IDs Information feed, for sessions whose source IP matches a list of configured source IPs.
Medium: log, packet
Tags: threat, identity, assurance, operations, situation awareness

Name: Risk Suspicious By Profiled Source IP
Display Name: Risk Suspicious by Profiled Source IP
Description: Detects all risks registered in the risk.suspicious meta key by the Alert IDs Suspicious feed, for sessions whose source IP matches a list of configured source IPs.
Medium: log, packet
Tags: threat, identity, assurance, operations, situation awareness

Name: Risk Suspicious By User Watchlist
Display Name: Risk Suspicious by User Watchlist
Description: Detects all risks registered in the risk.suspicious meta key by the Alert IDs Suspicious feed, for users on a user-name watchlist.
Medium: log, packet
Tags: threat, identity, assurance, operations, situation awareness

Name: Risk Warning By Profiled Source IP
Display Name: Risk Warning by Profiled Source IP
Description: Detects all risks registered in the risk.warning meta key by the Alert IDs Warning feed, for sessions whose source IP matches a list of configured source IPs.
Medium: log, packet
Tags: threat, identity, assurance, operations, situation awareness

Name: Risk Warning By User Watchlist
Display Name: Risk Warning by User Watchlist
Description: Detects all risks registered in the risk.warning meta key by the Alert IDs Warning feed, for users on a user-name watchlist.
Medium: log, packet
Tags: threat, identity, assurance, operations, situation awareness

Name: Router Configuration Changes
Display Name: Router Configuration Changes
Description: Compliance Rule - Router Configuration Changes
Medium: log
Tags: assurance, compliance, audit

Name: RSA SecurID Cloud Latest Failed User Authentications
Display Name: RSA SecurID Cloud Latest Failed User Authentications
Description: Fetches the details of the 10 most recent failed user authentications.

VERSIONS SUPPORTED
10.6.5.x and higher
Supported only for the SecurID Cloud platform.

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as described in the plugin configuration document.
Use the latest table-map.xml.

Medium: log
Tags: authentication, identity

Name: RSA SecurID Cloud Super Admin Logon Summary
Display Name: RSA SecurID Cloud Super Admin Logon Summary
Description: Fetches the logon summary of Super Admin users, ordered by number of occurrences.

VERSIONS SUPPORTED
10.6.5.x and higher
Supported only for the SecurID Cloud platform.

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as described in the plugin configuration document.
Use the latest table-map.xml.
Meta key required: user.role. Index user.role on the Concentrator and set its flags to None in table-map.xml.

Medium: log
Tags: authentication, identity

Name: RSA SecurID Cloud Top Failed User Event IP Addresses
Display Name: RSA SecurID Cloud Top Failed User Event IP Addresses
Description: Fetches the top 10 IP addresses of failed user events.

VERSIONS SUPPORTED
10.6.5.x and higher
Supported only for the SecurID Cloud platform.

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as described in the plugin configuration document.
Use the latest table-map.xml.
Meta key required: severity. Index severity on the Concentrator and set its flags to None in table-map.xml.

Medium: log
Tags: authentication, identity

Name: RSA SecurID Cloud Top Failed User Event Reasons
Display Name: RSA SecurID Cloud Top Failed User Event Reasons
Description: Fetches the top 10 reasons for failed user events.

VERSIONS SUPPORTED
10.6.5.x and higher
Supported only for the SecurID Cloud platform.

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as described in the plugin configuration document.
Use the latest table-map.xml.
Meta key required: severity. Index severity on the Concentrator and set its flags to None in table-map.xml.

Medium: log
Tags: authentication, identity

Name: RSA SecurID Cloud Top Failed User Events
Display Name: RSA SecurID Cloud Top Failed User Events
Description: Fetches the top 10 failed user events.

VERSIONS SUPPORTED
10.6.5.x and higher
Supported only for the SecurID Cloud platform.

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as described in the plugin configuration document.
Use the latest table-map.xml.
Meta key required: severity. Index severity on the Concentrator and set its flags to None in table-map.xml.

Medium: log
Tags: authentication, identity

Name: RSA SecurID Cloud Top Successful User Authentications
Display Name: RSA SecurID Cloud Top Successful User Authentications
Description: Fetches the top 10 successful user authentications.

VERSIONS SUPPORTED
10.6.5.x and higher
Supported only for the SecurID Cloud platform.

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as described in the plugin configuration document.
Use the latest table-map.xml.

Medium: log
Tags: authentication, identity

Name: RSA SecurID-Account Lockouts
Display Name: RSA SecurID-Account Lockouts
Description: Returns usernames that have failed to authenticate, as reported by RSA SecurID. This rule lists users who attempted to log in too many times without success and locked their SecurID account. It returns at most 5,000 users.

DEPENDENCIES:
RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv)

Medium: log
Tags: authentication, identity

Name: RSA SecurID-Bad PIN Good Token Code
Display Name: RSA SecurID-Bad PIN Good Token Code
Description: Returns usernames that have failed to authenticate, as reported by RSA SecurID. This rule lists users who entered an incorrect PIN together with a valid SecurID token code (hardware or software token). It returns at most 5,000 users.

DEPENDENCIES:
RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv)

Medium: log
Tags: authentication, identity

Name: RSA SecurID-Bad PIN Previous Token Code
Display Name: RSA SecurID-Bad PIN Previous Token Code
Description: Returns usernames that have failed to authenticate, as reported by RSA SecurID. This rule lists users who entered a previous token code: the token code reached the end of its validity period (usually 60 seconds) and rolled over before authentication completed. It returns at most 5,000 users.

DEPENDENCIES:
RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv)

Medium: log
Tags: authentication, identity

Name: RSA SecurID-Bad Token Code Bad PIN
Display Name: RSA SecurID-Bad Token Code Bad PIN
Description: Returns usernames that have failed to authenticate, as reported by RSA SecurID. This rule lists users who attempted to log in with a valid username but entered both the SecurID token code and the PIN incorrectly. It returns at most 5,000 users.

Note: You must index the non-standard meta key 'result' on the Log Decoder and Concentrator for this report to fully populate. See the report documentation at https://community.rsa.com/docs/DOC-43406 for details.

DEPENDENCIES:
RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv)

Medium: log
Tags: authentication, identity

Name: RSA SecurID-Bad Token Code Good PIN
Display Name: RSA SecurID-Bad Token Code Good PIN
Description: Returns usernames that have failed to authenticate, as reported by RSA SecurID. This rule lists users who entered a valid PIN for a given username but typed the SecurID token code incorrectly. It returns at most 5,000 users.

DEPENDENCIES:
RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv)

Medium: log
Tags: authentication, identity

Name: RSA SecurID-Static Passcode Authentication
Display Name: RSA SecurID-Static Passcode Authentication
Description: Returns users who successfully authenticated using a static passcode rather than an RSA SecurID token. It returns at most 5,000 users.

Note: You must index the non-standard meta key 'result' on the Log Decoder and Concentrator for this report to fully populate. See the report documentation at https://community.rsa.com/docs/DOC-43406 for details.

DEPENDENCIES:
RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv)

Medium: log
Tags: authentication, identity

Name: RSA SecurID-Token Code Reuse
Display Name: RSA SecurID-Token Code Reuse
Description: Returns usernames that have failed to authenticate, as reported by RSA SecurID. This rule lists users who entered a valid PIN for a given username but reused a token code that had already been used: the user did not wait for the token code to change before attempting a new logon. It returns at most 5,000 users.

DEPENDENCIES:
RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv)

Medium: log
Tags: authentication, identity

Name: RSA SecurID-Unknown User Failed Login
Display Name: RSA SecurID-Unknown User Failed Login
Description: Returns all usernames that have failed authentication, as reported by RSA SecurID. This rule lists usernames that are not registered in the SecurID server database (invalid usernames). It returns at most 5,000 users.

Note: You must index the non-standard meta key 'result' on the Log Decoder and Concentrator for this report to fully populate. See the report documentation at https://community.rsa.com/docs/DOC-43406 for details.

DEPENDENCIES:
RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv)

Medium: log
Tags: authentication, identity

Name: Service Analysis
Display Name: Service Analysis
Description: Core application protocol identification and inspection. Displays output when the Service Analysis meta key is populated. The Hunting Pack is a required dependency.
Medium: packet
Tags: event analysis, operations

Name: Service Analysis Detail
Display Name: Service Analysis Detail
Description: Core application protocol identification and inspection. Displays output when the Service Analysis meta key is populated. Additional context is provided to the analyst by also grouping on the Service Type and Alias Host meta keys. The Hunting Pack is a required dependency.
Medium: packet
Tags: event analysis, operations

Name: Services By Profiled Source IP
Display Name: Services by Profiled Source IP
Description: Detects the service meta key, generated by a network parser, for sessions whose source IP matches a list of configured source IPs.
Medium: packet
Tags: operations, event analysis, protocol analysis, situation awareness

Name: Session Analysis
Display Name: Session Analysis
Description: Client-server communication deviations. Displays output when the Session Analysis meta key is populated. The Hunting Pack is a required dependency.
Medium: packet
Tags: event analysis, operations

Name: Session Analysis Detail
Display Name: Session Analysis Detail
Description: Client-server communication deviations. Displays output when the Session Analysis meta key is populated. Additional context is provided to the analyst by also grouping on the Service Type and Alias Host meta keys. The Hunting Pack is a required dependency.
Medium: packet
Tags: event analysis, operations

Name: Shadow IT Use by BYOD
Display Name: Shadow IT Use by BYOD
Description: Shadow IT by Bring Your Own Device (BYOD) is detected through application rule nw110125 (BYOD mobile web agent).
Medium: log, packet
Tags: assurance, risk, organizational hazard

Name: Shadow IT Use by Category - Event Count
Display Name: Shadow IT Use by Category - Event Count
Description: Shadow IT use is detected through a set of application rules divided by category: stealth email use (nw110105), voice chat apps (nw30050) and file sharing apps (nw110150). This rule summarizes the results in descending order by event count.
Medium: log, packet
Tags: assurance, risk, organizational hazard

Name: Shadow IT Use by Category - Session Size
Display Name: Shadow IT Use by Category - Session Size
Description: Shadow IT use is detected through a set of application rules divided by category: stealth email use (nw110105), voice chat apps (nw30050) and file sharing apps (nw110150). This rule summarizes the results in descending order by session size.
Medium: log, packet
Tags: assurance, risk, organizational hazard

Name: Shadow IT Use by IP Source
Display Name: Shadow IT Use by IP Source
Description: Shadow IT use is detected through a set of application rules divided by category: stealth email use (nw110105), voice chat apps (nw30050) and file sharing apps (nw110150). This rule aggregates the results by source IP.
Medium: log, packet
Tags: assurance, risk, organizational hazard

Name: Shadow IT Use High Risk
Display Name: Shadow IT Use High Risk
Description: Displays high risk events based on detection of shadow IT. A high risk event is either a large outbound session, as detected by application rule nw110060, or a match against a user-defined watchlist of source IPs.
Medium: log, packet
Tags: assurance, risk, organizational hazard

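The four Shadow IT rules above (by category event count, by category session size, by IP source, and high risk), implemented over constructed events as an added example; this is not RSA content and not the rules' own NetWitness query syntax. The application rule IDs and the three categories come from the descriptions. The meta key name alert (assumed here to hold every application rule ID a session matched), the size field, the sample events and the watchlist are this example's own assumptions.

```python
from collections import Counter

# Application rule IDs the page lists, mapped to the category each one detects.
SHADOW_IT_CATEGORIES = {
    "nw110105": "stealth email use",
    "nw30050":  "voice chat apps",
    "nw110150": "file sharing apps",
}
# Application rule the High Risk rule uses to flag a large outbound session.
LARGE_OUTBOUND_RULE = "nw110060"

# Constructed sample events (not real data). "alert" is the meta key this example
# assumes the application rules write their rule IDs to (a session can carry
# several values); "size" is the session size in bytes.
SAMPLE_EVENTS = [
    {"ip.src": "10.0.0.1", "alert": ["nw110105"],             "size": 1500},
    {"ip.src": "10.0.0.2", "alert": ["nw110105"],             "size": 2000},
    {"ip.src": "10.0.0.1", "alert": ["nw30050"],              "size": 50000},
    {"ip.src": "10.0.0.3", "alert": ["nw110150"],             "size": 90000},
    {"ip.src": "10.0.0.1", "alert": ["nw110150"],             "size": 40000},
    {"ip.src": "10.0.0.3", "alert": ["nw110150", "nw110060"], "size": 500000},
    {"ip.src": "10.0.0.9", "alert": ["nw110150"],             "size": 800},
    {"ip.src": "10.0.0.4", "alert": ["nw110060"],             "size": 700000},  # large, but not shadow IT
]


def _categorised(events):
    """Yield (category, event) for every shadow IT category rule an event matched."""
    for event in events:
        for rule in event["alert"]:
            category = SHADOW_IT_CATEGORIES.get(rule)
            if category:
                yield category, event


def _descending(counter):
    # Highest value first; ties broken by name so the output is stable.
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))


def shadow_it_by_category_event_count(events):
    """Shadow IT Use by Category - Event Count."""
    return _descending(Counter(category for category, _ in _categorised(events)))


def shadow_it_by_category_session_size(events):
    """Shadow IT Use by Category - Session Size (bytes summed per category)."""
    sizes = Counter()
    for category, event in _categorised(events):
        sizes[category] += event["size"]
    return _descending(sizes)


def shadow_it_by_source_ip(events):
    """Shadow IT Use by IP Source: shadow IT event count per source IP."""
    return _descending(Counter(event["ip.src"] for _, event in _categorised(events)))


def shadow_it_high_risk(events, watchlist):
    """Shadow IT Use High Risk: a shadow IT event that is also a large outbound
    session (nw110060) or comes from a watchlisted source IP."""
    flagged = []
    for category, event in _categorised(events):
        if LARGE_OUTBOUND_RULE in event["alert"]:
            flagged.append((event["ip.src"], category, "large outbound session"))
        elif event["ip.src"] in watchlist:
            flagged.append((event["ip.src"], category, "watchlisted source"))
    return flagged


if __name__ == "__main__":
    print(shadow_it_by_category_event_count(SAMPLE_EVENTS))
    print(shadow_it_by_category_session_size(SAMPLE_EVENTS))
    print(shadow_it_by_source_ip(SAMPLE_EVENTS))
    print(shadow_it_high_risk(SAMPLE_EVENTS, watchlist={"10.0.0.9"}))
```

The last sample event matters: it is a large outbound session but matched no shadow IT category, so the High Risk rule ignores it. That is the "based on detection of shadow IT" qualifier in the description, and it is the first thing to check if the report shows fewer hits than a plain query on nw110060.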
Name: SSH Over Non Standard Port
Display Name: SSH over Non Standard Port
Description: Fires when SSH traffic is detected over a port that is not typically used for SSH.
Medium: packet
Tags: operations, event analysis, protocol analysis

Name: SSH to External Address
Display Name: SSH to External Address
Description: Detects when an internal IP address initiates an SSH connection to an external IP address. An SSH connection is identified by service=22. An internal IP address is one in the private address space defined by RFC 1918; any IP address not in that space is considered external.
Medium: packet
Tags: operations, event analysis, protocol analysis, flow analysis

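The two SSH rules above, implemented over constructed session meta as an added example; this is not RSA content and not the rules' own NetWitness query syntax. The record keys ip.src, ip.dst, service and tcp.dstport are the meta keys the descriptions name, and the RFC 1918 definition of "internal" is the one the page gives. The sample sessions, the assumption that service=22 is the parser's protocol identification independent of the port, and the choice of 22 as the only standard SSH port are this example's own.

```python
import ipaddress

# Constructed sample sessions (not real capture data). The keys mirror the
# NetWitness meta keys the two rules reference: service is the protocol the
# network parser identified (22 = SSH), tcp.dstport is the actual port.
SAMPLE_SESSIONS = [
    {"ip.src": "10.1.2.3",     "ip.dst": "10.1.9.9",     "service": 22, "tcp.dstport": 22},
    {"ip.src": "10.1.2.3",     "ip.dst": "203.0.113.7",  "service": 22, "tcp.dstport": 22},
    {"ip.src": "192.168.5.20", "ip.dst": "198.51.100.4", "service": 22, "tcp.dstport": 443},
    {"ip.src": "172.16.0.8",   "ip.dst": "10.0.0.5",     "service": 22, "tcp.dstport": 2222},
    {"ip.src": "10.1.2.3",     "ip.dst": "203.0.113.7",  "service": 80, "tcp.dstport": 80},
    {"ip.src": "203.0.113.50", "ip.dst": "10.1.2.3",     "service": 22, "tcp.dstport": 22},
]

# RFC 1918 private ranges: the rule's definition of "internal".
RFC1918_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
SSH_SERVICE = 22
SSH_STANDARD_PORTS = {22}   # assumption: only 22 counts as a standard SSH port


def is_internal(address: str) -> bool:
    """True when the address falls in RFC 1918 space; everything else is external."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in RFC1918_NETWORKS)


def ssh_over_non_standard_port(sessions):
    """SSH Over Non Standard Port: the parser identified SSH, but the port is not a standard SSH port."""
    return [
        s for s in sessions
        if s["service"] == SSH_SERVICE and s["tcp.dstport"] not in SSH_STANDARD_PORTS
    ]


def ssh_to_external_address(sessions):
    """SSH to External Address: SSH from an RFC 1918 source to a non-RFC 1918 destination."""
    return [
        s for s in sessions
        if s["service"] == SSH_SERVICE
        and is_internal(s["ip.src"])
        and not is_internal(s["ip.dst"])
    ]


if __name__ == "__main__":
    for s in ssh_over_non_standard_port(SAMPLE_SESSIONS):
        print("SSH on non-standard port:", s["ip.src"], "->", s["ip.dst"], "port", s["tcp.dstport"])
    for s in ssh_to_external_address(SAMPLE_SESSIONS):
        print("SSH to external address:", s["ip.src"], "->", s["ip.dst"])
```

Two caveats a practitioner should keep in mind. First, because both rules key on service rather than the port, the 192.168.5.20 session (SSH on 443) is reported by both rules; an inbound SSH session from an external source is reported by neither. Second, "internal" is strictly RFC 1918 here, so shared address space (100.64.0.0/10), link-local and IPv6 ULA ranges all count as external; if your network uses them, extend RFC1918_NETWORKS or the report will show false external SSH.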
Name: Streaming Media by Bandwidth
Display Name: Streaming Media by Bandwidth
Description: Aggregates sessions that contain streaming media sites, which are listed in the Streaming Media List. Captured streaming media consumes a large share of capture storage and shortens retention, so these sites are good filtering candidates.
Medium: log, packet
Tags: assurance, compliance, corporate, operations, event analysis, application analysis

Name: Successful Escalation of Privileges Details
Display Name: Successful Escalation of Privileges Details
Description: Compliance Rule - Successful Escalation of Privileges Details
Medium: log
Tags: assurance, compliance, audit, identity, authorization

Name: Successful Escalation of Privileges Summary
Display Name: Successful Escalation of Privileges Summary
Description: Compliance Rule - Successful Escalation of Privileges Summary
Medium: log
Tags: assurance, compliance, audit, identity, authorization

Name: Successful Remote Access Details
Display Name: Successful Remote Access Details
Description: Compliance Rule - Successful Remote Access Details
Medium: log
Tags: assurance, compliance, audit, identity, authentication

Name: Successful Remote Access Summary
Display Name: Successful Remote Access Summary
Description: Compliance Rule - Successful Remote Access Summary
Medium: log
Tags: assurance, compliance, audit, identity, authentication

Name: Successful Use of Encryption
Display Name: Successful Use of Encryption
Description: Compliance Rule - Successful Use of Encryption
Medium: log
Tags: assurance, compliance, audit, operations, event analysis, protocol analysis

Name: System Clock Synchronization
Display Name: System Clock Synchronization
Description: Compliance Rule - System Clock Synchronization
Medium: log
Tags: assurance, compliance, audit

Name: Threat Categories
Display Name: Threat Categories
Description: Displays threat categories based on network traffic. The threat.category meta key is populated by feeds and Lua parsers.
Medium: log, packet
Tags: threat

Name: Threat Categories By Profiled Source IP
Display Name: Threat Categories by Profiled Source IP
Description: Detects events through the threat.category meta key for sessions whose source IP matches a list of configured source IPs. The meta key is populated by alert and threat feeds.
Medium: log, packet
Tags: threat, identity, assurance, operations, situation awareness

Name: Threat Sources
Display Name: Threat Sources
Description: Displays threat sources based on network traffic. The threat.source meta key is populated by feeds and Lua parsers.
Medium: log, packet
Tags: threat

Name: Threat Sources By Profiled Source IP
Display Name: Threat Sources by Profiled Source IP
Description: Detects events through the threat.source meta key for sessions whose source IP matches a list of configured source IPs. The meta key is populated by alert and threat feeds.
Medium: log, packet
Tags: threat, identity, assurance, operations, situation awareness

Name: Top 10 Categorized Sites
Display Name: Top 10 Categorized Sites
Description: Summarizes a list of categorized sites.
Medium: packet
Tags: assurance, compliance, operations, situation awareness

Name: Top 10 Destination Countries
Display Name: Top 10 Destination Countries
Description: Summarizes a list of destination countries.
Medium: log, packet
Tags: operations, event analysis, situation awareness

Name: Top 10 Destination Countries by Service Type
Display Name: Top 10 Destination Countries by Service Type
Description: Summarizes a list of destination countries broken down by service.
Medium: log, packet
Tags: operations, event analysis, protocol analysis, situation awareness

Name: Top 10 Destination Countries with Warning and Suspicious Level Alerts
Display Name: Top 10 Destination Countries with Warning and Suspicious Level Alerts
Description: Summarizes a list of destination countries with warning- and suspicious-level alerts.
Medium: log, packet
Tags: threat, identity, assurance, operations, event analysis, protocol analysis, situation awareness

Name: Top 10 Destination IP Addresses
Display Name: Top 10 Destination IP Addresses
Description: Summarizes a list of destination IP addresses.
Medium: log, packet
Tags: operations, event analysis, situation awareness

Name: Top 10 Search Engine Queries
Display Name: Top 10 Search Engine Queries
Description: Summarizes a list of search engine queries.
Medium: packet
Tags: operations, event analysis, application analysis, situation awareness

Name: Top 10 Services
Display Name: Top 10 Services
Description: Summarizes a list of services.
Medium: packet
Tags: operations, event analysis, protocol analysis, situation awareness

Name: Top 10 Uncategorized Sites
Display Name: Top 10 Uncategorized Sites
Description: Summarizes a list of uncategorized sites.
Medium: packet
Tags: operations, event analysis, application analysis, situation awareness

Name: Top 10 Websites
Display Name: Top 10 Websites
Description: Summarizes a list of the most commonly accessed websites.
Medium: packet
Tags: operations, event analysis, application analysis, situation awareness

Name: Top Alias Host Destination by Session Count
Display Name: Top Alias Host Destination by Session Count
Description: Aggregates sessions by alias.host and displays the top five results by session count in descending order.
Medium: log, packet
Tags: operations, event analysis, protocol analysis, situation awareness

Name: Top Alias Host Destination by Source IP
Display Name: Top Alias Host Destination by Source IP
Description: Aggregates sessions by alias.host and displays the top five results grouped by ip.src and summarized by session count in descending order.
Medium: log, packet
Tags: operations, event analysis, protocol analysis, situation awareness

Name: Top Destination Country by Session Count
Display Name: Top Destination Country by Session Count
Description: Aggregates sessions by country.dst and displays the top five results by session count in descending order.
Medium: log, packet
Tags: operations, event analysis, protocol analysis, situation awareness

Name: Top Destination Country by Session Size
Display Name: Top Destination Country by Session Size
Description: Aggregates sessions by country.dst and displays the top five results by session size in descending order.
Medium: log, packet
Tags: operations, event analysis, protocol analysis, situation awareness

Name: Top Destination Country by Source IP
Display Name: Top Destination Country by Source IP
Description: Aggregates sessions by country.dst and displays the top five results grouped by ip.src and summarized by session count in descending order.
Medium: log, packet
Tags: operations, event analysis, protocol analysis, situation awareness

Name: Top Destinations By Profiled Source IP - Bandwidth
Display Name: Top Destinations by Profiled Source IP - Bandwidth
Description: Displays events with the ip.dst meta key, aggregated by session size, for sessions whose source IP matches a list of configured source IPs.
Medium: log, packet
Tags: operations, event analysis, protocol analysis, situation awareness

Name: Top Destinations By Profiled Source IP - Sessions
Display Name: Top Destinations by Profiled Source IP - Sessions
Description: Displays events with the ip.dst meta key, aggregated by number of sessions, for sessions whose source IP matches a list of configured source IPs.
Medium: log, packet
Tags: operations, event analysis, protocol analysis, situation awareness

Name: Top Email Addresses by Frequency
Display Name: Top Email Addresses by Frequency
Description: Summarizes a list of email addresses by frequency of occurrence.
Medium: packet
Tags: operations, event analysis, protocol analysis, situation awareness

Name: Top Email Destinations by Frequency
Display Name: Top Email Destinations by Frequency
Description: Summarizes a list of email destination countries.
Medium: packet
Tags: operations, event analysis, protocol analysis, situation awareness

Name: Top Email Subjects
Display Name: Top Email Subjects
Description: Summarizes a list of email subjects.
Medium: packet
Tags: operations, event analysis, protocol analysis, situation awareness

Name: Top File Extensions by Frequency
Display Name: Top File Extensions by Frequency
Description: Summarizes a list of file extensions by frequency of occurrence.
Medium: log, packet
Tags: operations, event analysis, protocol analysis, file analysis, situation awareness

Name: Top Foreign Countries
Display Name: Top Foreign Countries
Description: Summarizes the foreign countries, other than the local country, that account for the most network traffic.
Medium: log, packet
Tags: operations, event analysis, protocol analysis, situation awareness

Name: Top Foreign Domains
Display Name: Top Foreign Domains
Description: Summarizes the foreign domains, other than the local domains, that account for the most network traffic.
Medium: log, packet
Tags: operations, event analysis, protocol analysis, situation awareness

Name: Top HTTPS Destination IP by Session Size
Display Name: Top HTTPS Destination IP by Session Size
Description: Aggregates sessions by ip.dst and displays the top five results where tcp.dstport equals 443 or the client equals HTTPS. The results are summarized by session count in descending order.
Medium: log, packet
Tags: operations, event analysis, protocol analysis, situation awareness

Name: Top Network Service by Session Count
Display Name: Top Network Service by Session Count
Description: Aggregates sessions by service and displays the top five results by session count in descending order.
Medium: packet
Tags: operations, event analysis, protocol analysis, situation awareness

Name: Top Outbound Protocols
Display Name: Top Outbound Protocols
Description: Summarizes a list of outbound protocols in a network.
Medium: packet
Tags: operations, event analysis, protocol analysis, flow analysis, situation awareness

Name: Top Outbound Source IP
Display Name: Top Outbound Source IP
Description: Summarizes a list of outbound source IPs in a network.
Medium: log, packet
Tags: operations, event analysis, protocol analysis, flow analysis, situation awareness

Name: Top Protocols
Display Name: Top Protocols
Description: Summarizes a list of the top protocols in a network.
Medium: packet
Tags: operations, event analysis, protocol analysis, situation awareness

Name: Top Social Sites by Bandwidth
Display Name: Top Social Sites by Bandwidth
Description: Aggregates sessions that contain social sites, which are listed in the Social Sites List. If social media is not blocked or considered a risk, filter this traffic to reduce the amount of data captured.
Medium: log, packet
Tags: operations, event analysis, protocol analysis, application analysis, situation awareness

Name: Top Source Countries
Display Name: Top Source Countries
Description: Displays the top source countries as populated by the country.src meta key. To populate this key, the GeoIP parser must be enabled on the Network Decoder and Log Decoder.
Medium: log, packet
Tags: operations, situation awareness

Name: Top Source IP Addresses
Display Name: Top Source IP Addresses
Description: Displays the top source IP addresses as populated by the ip.src meta key.
Medium: log, packet
Tags: operations, situation awareness

Name: Top TCP Destination Ports
Display Name: Top TCP Destination Ports
Description: Displays the top TCP destination ports as populated by the tcp.dstport meta key.
Medium: packet
Tags: operations, situation awareness

Name: Tox P2P Activity
Display Name: Tox P2P Activity
Description: The Tox protocol is used for P2P instant messaging and video calling. An actor may use it as an encrypted communication channel for malicious purposes. This rule displays all source IPs identified as communicating with a Tox supernode, so that an analyst can investigate further.

The feed, Tox Supernode, is a required dependency.

Medium: log, packet
Tags: operations, situation awareness

Name: Traffic Flow Direction
Display Name: Traffic Flow Direction
Description: Displays traffic flow direction as populated by the Traffic Flow Lua parser or as parsed from a log event source.
Medium: log, packet
Tags: flow analysis, operations

Name: Traffic Flow in Azure NSG and Amazon VPC
Display Name: Traffic Flow in Azure NSG and Amazon VPC
Description: Fetches details of the traffic flow from Azure NSG and/or Amazon VPC.

VERSIONS SUPPORTED
10.6.5.x and higher

CONFIGURATION
Configure the Amazon VPC and Microsoft Azure NSG plugins with valid credentials as described in the plugin configuration documents.
Use the latest table-map.xml.

DEPENDENCIES
CEF log parser

Medium: log
Tags: event analysis, flow analysis, operations

Name: Tunneling Protocols Outbound
Display Name: Tunneling Protocols Outbound
Description: Displays internal users communicating over tunneling protocols that may indicate inappropriate or anonymous access. This rule covers the SSH and Tor tunneling protocols.
Medium: log, packet
Tags: operations, event analysis, protocol analysis, flow analysis, situation awareness

Name: Unknown Service detected over Standard Network Port
Display Name: Unknown Service detected over Standard Network Port
Description: Displays sessions where an unknown service is detected on a standard network port, for example an unknown service on port 53, the standard DNS port.
Medium: packet
Tags: operations, event analysis, protocol analysis

Name: User Access Revoked
Display Name: User Access Revoked
Description: Compliance Rule - User Access Revoked
Medium: log
Tags: assurance, compliance, audit, identity, authorization

Name: User Access to Compliance Systems Details
Display Name: User Access to Compliance Systems Details
Description: Compliance Rule - User Access to Compliance Systems Details
Medium: log
Tags: assurance, compliance, audit, identity, authorization

Name: User Access to Compliance Systems Summary
Display Name: User Access to Compliance Systems Summary
Description: Compliance Rule - User Access to Compliance Systems Summary
Medium: log
Tags: assurance, compliance, audit, identity, authorization

Name: User Session Terminated Summary
Display Name: User Session Terminated Summary
Description: Compliance Rule - User Session Terminated Summary
Medium: log
Tags: identity, authentication

Name: Vendor Update Sites by Bandwidth
Display Name: Vendor Update Sites by Bandwidth
Description: Aggregates sessions that contain vendor update sites, which are listed in the Vendor Update Sites List. Traffic to most vendor update sites is normal, so these sites are good filtering candidates.
Medium: log, packet
Tags: operations, event analysis, protocol analysis, application analysis, situation awareness

Name: Virus Detection
Display Name: Virus Detection
Description: Displays possible virus infections by name, using the virusname meta key as populated by the Anti Virus event class.
Medium: log
Tags: operations, situation awareness

Name: Windows Credential Harvesting Services
Display Name: Windows Credential Harvesting Services
Description: Monitors the installation of Windows services known to be used for pass-the-hash and brute force attacks. These include psexec, wce, pwdump, cachedump and gsecdump.
Medium: log
Tags: action on objectives, application analysis, attack phase, event analysis, lateral movement, operations, threat

Name: Windows Logon to High Value Assets
Display Name: Windows Logon to High Value Assets
Description: Looks for logon types 3, 8 or 10 to high value assets. A High Value Assets custom feed must be set up. The feed should populate the custom meta keys High Value Asset Group (fd.hv.group) and Escalation Contact (fd.escalate), and may key on (callback to) the event computer name or the device IP.
Medium: log
Tags: assurance, audit, authentication, compliance, identity, lateral movement

Name: Windows NTLM Network Logon Successful
Display Name: Windows NTLM Network Logon Successful
Description: Indicates a possible pass-the-hash attack on Windows systems configured to use the NTLM authentication protocol. This rule does not apply to systems that use the Kerberos authentication protocol. It reduces false positives for anonymous logons and eliminates all DC and machine logons by removing any usernames that end in $.
Medium: log
Tags: action on objectives, attack phase, authentication, identity, lateral movement, threat
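The two Windows logon rules above (Windows Logon to High Value Assets and Windows NTLM Network Logon Successful), implemented over constructed events as an added example; this is not RSA content and not the rules' own NetWitness query syntax. The custom keys fd.hv.group and fd.escalate, the feed callback on computer name or device IP, the logon types 3, 8 and 10, and the trailing-$ exclusion all come from the descriptions. The feed contents, the sample events, the auth.package key (standing in for the Authentication Package field of a 4624 event), the ec.outcome values, and the explicit ANONYMOUS LOGON exclusion are this example's own assumptions.

```python
# Constructed High Value Assets feed (not real data). In NetWitness this would be
# a CSV feed whose callback key is the event computer name or device IP; here it
# is a dict keyed by either, carrying the two custom meta keys the rule expects.
HIGH_VALUE_ASSET_FEED = {
    "FS01":      {"fd.hv.group": "file servers", "fd.escalate": "storage-oncall"},
    "10.0.0.20": {"fd.hv.group": "jump hosts",   "fd.escalate": "soc-oncall"},
}

# Logon types the rule looks for: 3 Network, 8 NetworkCleartext, 10 RemoteInteractive.
HVA_LOGON_TYPES = {3, 8, 10}
NETWORK_LOGON = 3

# Constructed sample Windows logon events (not real logs). logon.type, user.dst,
# event.computer, device.ip and ec.outcome are NetWitness meta keys; auth.package
# (NTLM / Kerberos) is an assumed key for the 4624 Authentication Package field.
SAMPLE_EVENTS = [
    {"event.computer": "FS01",    "device.ip": "10.0.0.10", "user.dst": "alice",           "logon.type": 3,  "auth.package": "NTLM",     "ec.outcome": "Success"},
    {"event.computer": "DC01",    "device.ip": "10.0.0.1",  "user.dst": "WS07$",           "logon.type": 3,  "auth.package": "NTLM",     "ec.outcome": "Success"},
    {"event.computer": "WS09",    "device.ip": "10.0.0.99", "user.dst": "ANONYMOUS LOGON", "logon.type": 3,  "auth.package": "NTLM",     "ec.outcome": "Success"},
    {"event.computer": "FS01",    "device.ip": "10.0.0.10", "user.dst": "bob",             "logon.type": 3,  "auth.package": "Kerberos", "ec.outcome": "Success"},
    {"event.computer": "WS07",    "device.ip": "10.0.0.77", "user.dst": "alice",           "logon.type": 2,  "auth.package": "NTLM",     "ec.outcome": "Success"},
    {"event.computer": "unknown", "device.ip": "10.0.0.20", "user.dst": "carol",           "logon.type": 10, "auth.package": "NTLM",     "ec.outcome": "Success"},
    {"event.computer": "WS07",    "device.ip": "10.0.0.77", "user.dst": "eve",             "logon.type": 3,  "auth.package": "NTLM",     "ec.outcome": "Failure"},
    {"event.computer": "WS09",    "device.ip": "10.0.0.99", "user.dst": "dave",            "logon.type": 3,  "auth.package": "NTLM",     "ec.outcome": "Success"},
]


def apply_high_value_asset_feed(event, feed=HIGH_VALUE_ASSET_FEED):
    """Return a copy of the event with fd.hv.group / fd.escalate added when the
    feed matches, trying event.computer first and then device.ip."""
    enriched = dict(event)
    for callback in (event.get("event.computer"), event.get("device.ip")):
        if callback in feed:
            enriched.update(feed[callback])
            break
    return enriched


def windows_logon_to_high_value_assets(events, feed=HIGH_VALUE_ASSET_FEED):
    """Logon types 3, 8 or 10 on a host the feed tagged as a high value asset."""
    hits = []
    for event in events:
        e = apply_high_value_asset_feed(event, feed)
        if e["logon.type"] in HVA_LOGON_TYPES and "fd.hv.group" in e:
            hits.append((e["user.dst"], e["event.computer"], e["fd.hv.group"], e["fd.escalate"]))
    return hits


def windows_ntlm_network_logon_successful(events):
    """Successful NTLM network logons by real user accounts: machine and DC
    accounts (username ending in $) and ANONYMOUS LOGON are dropped, and
    Kerberos logons are ignored."""
    hits = []
    for e in events:
        user = e["user.dst"]
        if (
            e["logon.type"] == NETWORK_LOGON
            and e["auth.package"] == "NTLM"
            and e["ec.outcome"] == "Success"
            and not user.endswith("$")
            and user.upper() != "ANONYMOUS LOGON"
        ):
            hits.append((user, e["event.computer"]))
    return hits


if __name__ == "__main__":
    for hit in windows_logon_to_high_value_assets(SAMPLE_EVENTS):
        print("High value asset logon:", hit)
    for hit in windows_ntlm_network_logon_successful(SAMPLE_EVENTS):
        print("NTLM network logon:", hit)
```

Note that the high value asset rule, as described, does not look at the outcome, so a failed type 3 logon to a listed host is still reported; that is useful for the escalation contact but means the two rules answer different questions. The trailing-$ filter is a heuristic: it removes computer accounts, but a successful NTLM network logon by a human account is only a pass-the-hash signal where Kerberos is expected, so tune the report per host group rather than treating every hit as an attack.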
