RSA Security Analytics Rules

Document created by RSA Information Design and Development on May 25, 2016. Last modified by RSA Information Design and Development on Jun 18, 2018.
Version 153
 

This table lists all of the delivered RSA Security Analytics Rules.

Note: For content that has been discontinued, see Discontinued Content.


Name

Description

Dependencies

Ad Servers by Bandwidth

Aggregates sessions that contain ad sites, which are listed in the Ad Servers List. Ad services consume a lot of disk space. If the traffic is acceptable, ad servers are a good candidate for filtering.

This rule feeds data to the Global Filtering Candidate report.

Dependent on the Ad Servers List

Alert IDs By Profiled Source IP

Detects the alert.id meta key, generated through basic correlation rules, for sessions whose source IP matches a list of configured source IP addresses.

Dependent on the Filtering Candidate/Profile by Source IP List.

Alerts By Profiled Source IP

Detects the alert meta key, generated through application rules, for sessions whose source IP matches a list of configured source IP addresses.

Dependent on the Filtering Candidate/Profile by Source IP List.

All Risk Warning by Source IP

Aggregates sessions by risk.warning and displays the top ten results by ip.src in descending order.

Dependent on the following RSA Lua parsers:

  • fingerprint_javascript_lua
  • phishing_lua
  • DNS_verbose_lua
  • ghost
  • fingerprint_chm_lua
  • fingerprint_pdf_lua

Uses metadata generated by the Alert IDs Warning feed.

All Risk Warning by Destination IP

Aggregates sessions by risk.warning and displays the top ten results by ip.dst in descending order.

All Risk Warning by Session Size

Aggregates sessions by risk.warning and displays the top ten results by session size in descending order.

All Risk Suspicious by Source IP

Aggregates sessions by risk.suspicious and displays the top ten results by ip.src in descending order.

Dependent on the following RSA Lua parsers:

  • HTTP_SQL_Injection
  • fingerprint_javascript_lua
  • SMB_lua
  • fingerprint_zip
  • OCSP_lua
  • Signed_Executable
  • MAIL_lua
  • PACKERS
  • DNS_verbose_lua
  • ghost
  • fingerprint_chm_lua
  • fingerprint_pdf_lua
  • fingerprint_flash
  • fingerprint_rar_lua

Uses metadata generated by the Alert IDs Suspicious feed.

All Risk Suspicious by Destination IP

Aggregates sessions by risk.suspicious and displays the top ten results by ip.dst in descending order.

All Risk Suspicious by Session Size

Aggregates sessions by risk.suspicious and displays the top ten results by session size in descending order.

Anonymous Access by Suspicious Source

Displays when a user enters or exits through a suspected criminal SOCKS or VPN node.

RSA FirstWatch feeds populate the meta keys used within the rule.

The rule requires the following:

  • threat.category equal to 'anonymous access'

AND

  • threat.desc as any of the following:
    • 'suspicious-ip' or
    • 'criminal vpn service exit node' or
    • 'criminal vpn service entry node' or
    • 'criminal socks node'.

Uses metadata from the following feeds:

  • RSA FirstWatch Criminal Socks User IPs
  • RSA FirstWatch Criminal SOCKS node IPs
  • RSA FirstWatch Criminal VPN Entry IPs
  • RSA FirstWatch Criminal VPN Entry Domains
  • RSA FirstWatch Criminal VPN Exit IPs
  • RSA FirstWatch Criminal VPN Exit Domains

Anonymous Proxy Service Connection

Detects use of common proxy services. It uses a list of domains matched against the alias host meta key.

Dependent on the Proxy Anonymous Services RSA Application Rule.

Use of an HTTP network parser is required.

Autoruns and Scheduled Tasks from or referencing AppData

Attackers often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine.

A common technique leverages AppData\Local\Temp as a storage location for malicious payloads set to run at a particular time or upon trigger (for example at login).

Any automatic execution from this folder or sub-folders should be analyzed.

RSA NetWitness Endpoint 11.1 and higher

Autoruns and Scheduled Tasks from Root of ProgramData

Attackers often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine.

A common technique leverages %SYSTEMROOT%\ProgramData as a storage location for malicious payloads set to run at a particular time or upon trigger (for example at login).

It is not common for executables to be launched from the root of ProgramData, so any instance should be considered suspicious.

RSA NetWitness Endpoint 11.1 and higher

Autoruns and Scheduled Tasks Invoking Command Shell

Attackers often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine.

A common technique invokes trusted system shells (cmd.exe and powershell.exe) to perform malicious activity in an effort to evade anti-malware solutions. While not all autoruns invoking these commands are inherently malicious, an analyst should understand which of those are normal or required for IT operations and be suspicious of all others.

RSA NetWitness Endpoint 11.1 and higher

Autoruns and Scheduled Tasks Invoking Windows Script Host

Attackers often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine.

A common technique invokes Windows Script Host (cscript.exe and wscript.exe) to launch scripts in an effort to evade anti-malware solutions. While not all autoruns invoking these commands are inherently malicious, an analyst should understand which of those are normal or required for IT operations and be suspicious of all others.

RSA NetWitness Endpoint 11.1 and higher

Autoruns and Scheduled Tasks Running Scripts

Attackers often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine.

A common technique calls and executes various scripts to provide further instructions for attack. Detecting arguments being passed to an executable that look like common script file formats can be a good indicator of compromise, particularly when attackers choose to obfuscate the name of the launching binary (for example, creating a copy of cmd.exe under a different name). While not all autoruns invoking these scripts are inherently malicious, an analyst should understand which of those are normal or required for IT operations and be suspicious of all others.

RSA NetWitness Endpoint 11.1 and higher

Autoruns and Tasks on Host

Attackers often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine.

This rule returns all autoruns and tasks at the endpoint for the configured hostname. This information could be useful when conducting an investigation into a suspect machine.

CONFIGURATION

If this rule is used with the Endpoint Scan Data Host Report, before the report is scheduled to run, you must enter a hostname or configure and use a List of hostnames.

RSA NetWitness Endpoint 11.1 and higher

AWS Access Permissions Modified

10.5 and higher. Detects when Amazon Web Services (AWS) instance permissions are modified.

Dependent on the CEF log parser.

AWS Critical VM Modified

10.5 and higher. Detects when Amazon Web Services (AWS) critical virtual machine instances are modified.

Actions detected by this module include instances being terminated, stopped and rebooted as well as modification of instance attributes and monitoring status.

In order to trigger an alert, a custom feed of critical instance source IPs must be created to populate the alert meta key with the value "critical_vm".

Dependent on the CEF log parser.

Behaviors of Compromise

Designated for suspect or nefarious behavior outside the standard signature-based detection. This rule displays output when the meta key, Behaviors of Compromise, is populated.

Depends on the Hunting Pack

Behaviors of Compromise Detail

Designated for suspect or nefarious behavior outside the standard signature-based detection. This rule displays output when the meta key, Behaviors of Compromise, is populated.

Additional context is provided to an analyst by grouping with additional meta keys of Service Type and Device Type.

Depends on the Hunting Pack

Bandwidth By Profiled Source IP

Displays aggregated session size of each source IP configured in the report list.

Dependent on the Filtering Candidate/Profile by Source IP List.

Browsers By Profiled Source IP

Detects the browser meta key, generated through a network parser, for sessions whose source IP matches a list of configured source IP addresses.

Dependent on the Filtering Candidate/Profile by Source IP List.

Dependent on the RSA Browser Detection Lua parser.

Bulk Data Transfer

Displays events where the amount of data transferred between the Source-Destination IP pairs is over 20 Mb or 50 Mb.


Dependent on the following RSA Correlation Rules:

  • IPV4 Bulk Data Transfer 20 Mb
  • IPV4 Bulk Data Transfer 50 Mb
  • IPV6 Bulk Data Transfer 20 Mb
  • IPV6 Bulk Data Transfer 50 Mb

Cleartext Authentications

Displays events in which passwords were sent over cleartext using network protocols such as FTP, HTTP, POP3 and SMTP.

Dependent on the following RSA Application Rules:

  • TDSS Rootkit Variant Beaconing
  • TSONE Dorkbot Beaconing
  • Wikileaks Email Submission
  • File Transport over ICMP
  • File Transport over Unknown Protocol

Cleartext Authentications by Service

Displays the top authentications detected in clear text, by service, through packet traffic.

None

Cleartext Authentications By User Watchlist

Detects events for users on a watch list, in which passwords were sent over cleartext using network protocols such as FTP, HTTP, POP3 and SMTP.

Dependent on the following RSA Security Analytics Application Rules:

  • Passwords over HTTP
  • Passwords over FTP
  • Passwords over Pop3
  • Passwords over SMTP
  • Passwords over Other Protocols

Dependent on the User Activity / Watchlist by Name List.

Cleartext Passwords by Service

Displays the top passwords detected in clear text, by service, through packet traffic.

Requires at least one of the following Lua parsers:

  • mail.lua
  • sip.lua
  • smtp.lua
  • vcard_lua.lua

Clients by Profiled Source IP

Detects the client meta key, generated through a network parser, for sessions whose source IP matches a list of configured source IP addresses.

Dependent on the Filtering Candidate/Profile by Source IP List.

Content Delivery Networks by Bandwidth

Aggregates sessions that contain CDNs, which are listed in the Content Delivery Networks List.

Filter these sites to reduce the amount of "noise" from non-dangerous traffic.

Dependent on the Content Delivery Networks List

DLLs on Host

Returns all DLLs at the endpoint for the configured hostname. This information could be useful when conducting an investigation into a suspect machine.

CONFIGURATION

If this rule is used with the Endpoint Scan Data Host Report, before the report is scheduled to run, you must enter a hostname or configure and use a List of hostnames.

RSA NetWitness Endpoint 11.1 and higher

Email Address by User Watchlist

Detects all email activity using the email.src meta key for users on a watchlist, by email address.

Dependent on the User Activity / Watchlist by Email Address List.

Email Senders

Displays the top email senders from packet traffic.

None

Email User Activity by User Watchlist

Detects all email activity using the email and username meta keys for users on a watchlist, by user name.

Dependent on the User Activity / Watchlist by Name List.

Dependent on the following RSA Lua parsers:

  • POP3
  • IMAP_lua
  • SMTP_lua

Enablers of Compromise

Instances of poor information or operational security. Post-mortem often ties these to the root cause. This rule displays output when the meta key, Enablers of Compromise, is populated.

Depends on the Hunting Pack

Enablers of Compromise Detail

Instances of poor information or operational security. Post-mortem often ties these to the root cause. This rule displays output when the meta key, Enablers of Compromise, is populated.

Additional context is provided to an analyst by grouping with additional meta keys of Service Type and Device Type.

Depends on the Hunting Pack

Encrypted Traffic over Non-Standard Port

Summarizes sessions that contain encrypted traffic, and are not on port 22, 993, 995 or 443.

None

Endpoint Operating Systems Summary

Displays the operating system versions being monitored at the Endpoint. This information could be helpful in determining corporate compliance and management of vulnerabilities.

RSA NetWitness Endpoint 11.1 and higher

Endpoint Version Summary

Displays the versions of the RSA NetWitness Endpoint agent deployed on the machines. This information could be helpful in determining corporate compliance and management of vulnerabilities.

RSA NetWitness Endpoint 11.1 and higher

Executables By Country

Summarizes a list of executables by country.

Dependent on the windows_executable RSA Lua parser.

Executables By Domain

Summarizes a list of executables by domain.

Executables With Abnormal Characteristics - Suspicious

Summarizes a list of executables with suspicious-level, abnormal characteristics

Dependent on the following RSA Lua parsers:

  • HTTP_SQL_Injection
  • fingerprint_javascript_lua
  • SMB_lua
  • fingerprint_zip
  • OCSP_lua
  • Signed_Executable
  • MAIL_lua
  • PACKERS
  • DNS_verbose_lua
  • ghost
  • fingerprint_chm_lua
  • fingerprint_pdf_lua
  • fingerprint_flash
  • fingerprint_rar_lua

Uses metadata generated by the Alert IDs Suspicious feed.

Executables With Abnormal Characteristics - Warning

Summarizes a list of executables with warning-level, abnormal characteristics.

Dependent on the following RSA Lua parsers:

  • fingerprint_javascript_lua
  • phishing_lua
  • DNS_verbose_lua
  • ghost
  • fingerprint_chm_lua
  • fingerprint_pdf_lua
  • fingerprint_flash
  • fingerprint_rar_lua

Uses metadata generated by the Alert IDs Warning feed.

File Analysis

A large inspection library that highlights file characteristics and anomalies. This rule displays output when the meta key, File Analysis, is populated.

Dependent on the Hunting Pack

File Analysis Detail

A large inspection library that highlights file characteristics and anomalies. This rule displays output when the meta key, File Analysis, is populated.

Additional context is provided to an analyst by grouping with the additional meta key of Filename.

Dependent on the Hunting Pack

File Transfer Over Uncommon Protocol

Displays files transported over uncommon protocols such as ICMP, as well as protocols identified as unknown.

Ignores files that are transferred over these common protocols:

  • HTTP
  • FTP
  • SMTP
  • POP
  • RSYNC
  • TFTP

Dependent on the following RSA Application Rules:

  • File Transport over ICMP
  • File Transport over Unknown Protocol

Uses metadata generated by the Alert IDs Info feed.

Files on Host

Returns all files at the endpoint for the configured hostname. This information could be useful when conducting an investigation into a suspect machine.

CONFIGURATION

If this rule is used with the Endpoint Scan Data Host Report, before the report is scheduled to run, you must enter a hostname or configure and use a List of hostnames.

RSA NetWitness Endpoint 11.1 and higher

Firewall Denied Connections

Displays destination IP addresses, using the ip.dst meta key, where the action meta shows a denied connection, as populated by the Firewall event class.

Requires at least one Firewall event source to be enabled.

Firewall Destination IP Addresses

Displays destination IP addresses using the ip.dst meta as populated by event class of Firewall.

Requires at least one Firewall event source to be enabled.

Firewall Events

Displays firewall events with the action meta key as populated by event class of Firewall.

Requires at least one Firewall event source to be enabled.

Firewall Systems

Displays firewall systems by system IP address, using the ip.addr meta key as populated by event class of Firewall.

Requires at least one Firewall event source to be enabled.

Firewall Users

Displays the destination users using the user.dst meta as populated by event class of Firewall.

Requires at least one Firewall event source to be enabled.

IDS Signatures

Displays the possible intrusions through the meta key policy.name as populated by event class of IDS, IPS or Intrusion.

Requires at least one IDS, IPS or Intrusion event source to be enabled.

Indicators of Compromise

Instances of poor information or operational security. Post-mortem often ties these to the root cause. This rule displays output when the meta key, Enablers of Compromise, is populated.

Depends on the Hunting Pack

Indicators of Compromise Detail

Possible intrusions into the network that can be identified through malware signatures or IPs and domains associated with command and control campaigns. This rule displays output when the meta key, Indicators of Compromise, is populated.

Additional context is provided to an analyst by grouping with additional meta keys of Service Type and Device Type.

Depends on the Hunting Pack

IPv4 Horizontal Port Scans

Fires when either IPv4 Horizontal Port Scan 5, IPv4 Potential Web Sweep 10 or IPv4 Potential DB Server Sweep 5 has been generated within the report date range across network sessions.

Dependent on the following RSA Correlation Rules:

  • IPv4 Horizontal Port Scan 5
  • IPv4 Potential Web Sweep 10
  • IPv4 Potential DB Server Sweep 5

IPv4 Vertical Port Scans

Fires when either IPv4 Vertical TCP Port Scan 5 or IPv4 Vertical UDP Port Scan 5 has been generated within the report date range across network sessions.

Dependent on the following RSA Correlation Rules:

  • IPv4 Vertical TCP Port Scan 5
  • IPv4 Vertical UDP Port Scan 5

IPv6 Horizontal Port Scans

Fires when either IPv6 Horizontal Port Scan 5, IPv6 Potential Web Sweep 10 or IPv6 Potential DB Server Sweep 5 has been generated within the report date range across network sessions.

Dependent on the following RSA Correlation Rules:

  • IPv6 Horizontal Port Scan 5
  • IPv6 Potential Web Sweep 10
  • IPv6 Potential DB Server Sweep 5

IPv6 Vertical Port Scans

Fires when either IPv6 Vertical TCP Port Scan 5 or IPv6 Vertical UDP Port Scan 5 has been generated within the report date range across network sessions.

Dependent on the following RSA Correlation Rules:

  • IPv6 Vertical TCP Port Scan 5
  • IPv6 Vertical UDP Port Scan 5

Known Service detected over Non Standard Network Port

Displays sessions whose service is detected on a non-standard network port. For example, DNS detected on port 555 when the default port is 53.

Dependent on the following RSA Application Rules:

  • DNS Over Non-Standard Port
  • Non-Standard Port Use - Telnet
  • Non-Standard Port Use - FTP
  • HTTP over Non-Standard Port
  • Non-Standard Port Use - SSH
  • Non-Standard Port Use - SMTP
  • Non-Standard Port Use - DHCP
  • Non-Standard Port Use - TFTP
  • Non-Standard Port Use - POP3
  • Non-Standard Port Use - NNTP
  • Non-Standard Port Use - RPC
  • Non-Standard Port Use - NetBios
  • Non-Standard Port Use - SMB
  • Non-Standard Port Use - SNMP
  • Non-Standard Port Use - SSL
  • Non-Standard Port Use - RIP
  • Non-Standard Port Use - TDS
  • Non-Standard Port Use - TNS
  • Non-Standard Port Use - H323
  • Non-Standard Port Use - RTP
  • Non-Standard Port Use - SIP
  • Non-Standard Port Use - IRC

Large Outbound Encrypted Sessions

Summarizes sessions that contain encrypted traffic, and have a session size of 5MB or greater. These sessions are indicative of a large file transfer from RFC 1918 to a non-RFC 1918 address.

Dependent on the Large Outbound Encrypted Session RSA Security Analytics Rule.

Large Outbound Sessions

Summarizes sessions that have a session size of 5MB or greater. These sessions are indicative of a large file transfer from RFC 1918 to a non-RFC 1918 address.

Dependent on the Large Outbound Session RSA Security Analytics Rule.

Log Destination Ports

Displays the destination ports using the ip.dstport meta as populated by log event traffic.

Requires at least one log parser to be enabled.

Log Event Categories

Displays the log event categories using the event.cat.name meta as populated by log event traffic.

Requires at least one log parser to be enabled.

Log Event Classes

Displays the log event classes using the device.class meta as populated by log event source traffic.

Requires at least one log parser to be enabled.

Log Event Types

Displays the log event types using the device.type meta as populated by the log event traffic.

Requires at least one log parser to be enabled.

Log Event Users

Displays the top users as populated by the log event traffic.

Requires at least one log parser to be enabled.

Login Failures By User Watchlist

Detects login failures for users on a watchlist, by user name.

Dependent on the account:logon-failure RSA Application Rule.

Dependent on the User Activity / Watchlist by Name List.

Login Success By User Watchlist

Detects login successes for users on a watchlist, by user name.

Dependent on the account:logon-success RSA Application Rule.

Dependent on the User Activity / Watchlist by Name List.

Logon Failures Summary

Displays the top logon failures as populated by log event traffic.

Requires at least one log parser to be enabled.

Logon Success Summary

Displays the top logon successes as populated by log event traffic.

Requires at least one log parser to be enabled.

Logouts By User Watchlist

Detects logouts for users on a watchlist, by user name.

Dependent on the account:logout RSA Application Rule.

Dependent on the User Activity / Watchlist by Name List.

Machine Details on Host

Returns all machine details at the endpoint for the configured hostname. This information could be useful when conducting an investigation into a suspect machine.

CONFIGURATION

If this rule is used with the Endpoint Scan Data Host Report, before the report is scheduled to run, you must enter a hostname or configure and use a List of hostnames.

RSA NetWitness Endpoint 11.1 and higher

Malware Activity Unidentified

Displays packet and log traffic other than DNS and Web that has been going to a known malicious IP address or references a hostname that is known to be malicious. This could indicate an infected host on your network.

The native Network packet parser must be enabled in order to identify the DNS service. (This parser is enabled by default.)

You need at least one of these feeds deployed:

  • Investigation
  • RSA FirstWatch C2 Domains
  • RSA FirstWatch C2 IPs
  • RSA FirstWatch APT Domains
  • RSA FirstWatch APT IPs

If collecting logs, you need at least one of the following event source types:

  • Firewall
  • IDS
  • IPS
  • Netflow (rsaflow)

Note: For deployments prior to 10.6.2, you also need to configure a set of new meta keys: inv.context and inv.category. See the Investigation Feed product documentation for more details: https://community.rsa.com/docs/DOC-62303.

Malware Activity Web

Displays web-based packet and web logs traffic that has been going to a known malicious IP address or references a hostname that is known to be malicious. This could indicate an infected host on your network is making web requests.

The native Network packet parser must be enabled in order to identify the DNS service. (This parser is enabled by default.)

You need at least one of these feeds deployed:

  • Investigation
  • RSA FirstWatch C2 Domains
  • RSA FirstWatch C2 IPs
  • RSA FirstWatch APT Domains
  • RSA FirstWatch APT IPs

If deploying the Investigation feed, you will need at least one of the related Lua parsers:

  • HTTP_lua, or
  • TLS_lua

If collecting logs, you need at least one event source that has a type of web logs. This includes web proxy and security products such as Cisco WSA and SQUID.

Note: For deployments prior to 10.6.2, you also need to configure a set of new meta keys: inv.context and inv.category. See the Investigation Feed product documentation for more details: https://community.rsa.com/docs/DOC-62303.

Malware DNS Activity

Displays DNS packet traffic that is going to a known malicious IP address or references a hostname that is known to be malicious. This could indicate an infected host on your network is making DNS queries.

The native Network packet parser must be enabled in order to identify the DNS service. (This parser is enabled by default.)

You need at least one of these feeds deployed:

  • Investigation
  • RSA FirstWatch C2 Domains
  • RSA FirstWatch C2 IPs
  • RSA FirstWatch APT Domains
  • RSA FirstWatch APT IPs

If deploying the Investigation feed, you will need at least one of the related Lua parsers:

  • DNS_verbose_lua, or
  • DynDNS

Note: For deployments prior to 10.6.2, you also need to configure a set of new meta keys: inv.context and inv.category. See the Investigation Feed product documentation for more details: https://community.rsa.com/docs/DOC-62303.

Mismatched HREF Header

Summarizes a list of hosts with mismatched HREFs.

Dependent on the following RSA Lua parsers:

  • phishing_lua
  • HTTP_SQL_Injection
  • fingerprint_javascript_lua
  • SMB_lua
  • fingerprint_zip
  • OCSP_lua
  • Signed_Executable
  • MAIL_lua
  • PACKERS
  • DNS_verbose_lua
  • ghost
  • fingerprint_chm_lua
  • fingerprint_pdf_lua
  • fingerprint_flash
  • fingerprint_rar_lua


Uses metadata generated by the Alert IDs Suspicious and Alert IDs Warning feeds.

Netflow - Excessive DNS Responses by Server IP

Displays Excessive DNS Responses by Server IP. This could indicate someone collecting information for a possible attack.

10.4 or higher Log Collector required for the Netflow collection protocol.

Ensure that the meta keys direction and Source Port (ip.srcport) are indexed in table-map.xml and index-concentrator-custom.xml.

Dependent on the following RSA device parsers:

  • For Security Analytics version 10.3 and lower: rsaflow
  • For Security Analytics version 10.4 and higher: cef

Netflow - Excessive DNS Responses by Client IP

Displays Excessive DNS Responses by Client IP. This could indicate someone collecting information for a possible attack.

Netflow - First Heard by Destination IP

Displays the Source IP address of any system not observed in previous flow data. It lists only the IP addresses that are new within the time range specified when the rule is run.

Netflow - First Heard by Source IP

Displays the Source IP address of any system not observed in previous flow data. It lists only the IP addresses that are new within the time range specified when the rule is run.

Netflow - TCP Resets by Source IP

Displays TCP Resets by Source IP. Useful for identifying devices that are behaving abnormally.

10.4 or higher Log Collector required for Netflow collection protocol.

Ensure that the meta keys direction and Source Port (ip.srcport) are indexed in table-map.xml and index-concentrator-custom.xml.

Also ensure that the meta key TCP Flags Seen (tcp.flags.seen) is indexed in index-concentrator-custom.xml.

Dependent on the following RSA log parsers:

  • For Security Analytics version 10.3 and lower: rsaflow
  • For Security Analytics version 10.4 and higher: cef

Uses metadata generated by the TCP Flags Seen feed.

Netflow - Top Applications

Displays the list of Top Applications in the network. Provides an overview of the network and helps to analyze the network traffic.


10.4 or higher Log Collector required for Netflow collection protocol.

Ensure that the meta key direction is indexed in table-map.xml and index-concentrator-custom.xml.

Dependent on the following RSA log parsers:

  • For Security Analytics version 10.3 and lower: rsaflow
  • For Security Analytics version 10.4 and higher: cef


Netflow - Top Protocols

Displays the list of Top Protocols in the network. Provides an overview of the network and helps to analyze the network traffic.

Netflow - Top Talkers by Source IP

Displays top talking IP pairs via Netflow, summarized by the number of flows. This rule can be used for identifying possible sources of DoS or disruption. It can also be used to identify sources of data exfiltration.

Netflow - Volume - Top Talker by Destination Port

Displays top talkers by Destination Port, summarized by volume, via Netflow. This rule can be used for identifying possible sources of DoS or disruption. It can also be used to identify sources of data exfiltration.

Netflow - Volume - Top Talker by Source IP

Displays top talkers by Source IP, summarized by volume, via Netflow. This rule can be used for identifying possible sources of DoS or disruption. It can also be used to identify sources of data exfiltration.

NetWitness Alert Details

Displays detailed information about the alerts generated using NetWitness Incident Management. See the Incident Management Guide on RSA Link for details.

VERSIONS SUPPORTED: 10.6.2 and higher


CONFIGURATION: You must configure the Incident Management service and database, alert data sources and aggregation rules for this report to populate.

NetWitness Alert Summary

Displays a summary of the alerts generated using NetWitness Incident Management. See the Incident Management Guide on RSA Link for details.

NetWitness Incident Summary

Displays a summary of the incidents generated using NetWitness Incident Management. See the Incident Management Guide on RSA Link for details.

News Portals by Bandwidth

Aggregates sessions that contain news sites, which are listed in the News Portal List. If you are not worried about these sites, you should filter them from capture.

Dependent on the News Portal List

OS By Profiled Source IP

Detects the OS meta key, generated through a network parser, for sessions whose source IP matches a list of configured source IP addresses.

Dependent on the Filtering Candidate/Profile by Source IP List.

Dependent on the RSA OS Types Lua parser.

Password Change on Privileged Account

Detects events that triggered an application rule for a password change, where the user matches a list of configured administrative users.

Dependent on the User Activity / Administrative Users List.

Dependent on the account:password-change RSA Application Rule.

Processes on Host

Returns all processes at the endpoint for the configured hostname. This information could be useful when conducting an investigation into a suspect machine.

CONFIGURATION

If this rule is used with the Endpoint Scan Data Host Report, before the report is scheduled to run, you must enter a hostname or configure and use a List of hostnames.

RSA NetWitness Endpoint 11.1 and higher

Rarest Autorun Registry Keys

There are numerous registry autorun keys that allow for command execution without interaction by the end user. Two common keys used by attackers are HKCU\Software\Microsoft\Windows\CurrentVersion\Run and \RunOnce. Outliers in an enterprise environment should be inspected.

RSA NetWitness Endpoint 11.1 and higher

Rarest Child Processes of Web Server Processes

Attackers often install webshells as part of their attack as a way to covertly interact with a compromised network. These can manifest as web server processes invoking command shells or other processes. While this may be expected behavior for specific web servers, any outliers should be inspected.

RSA NetWitness Endpoint 11.1 and higher

Rarest Code Signing Certificate CNs

Less careful malware authors may attempt to sign an executable with an untrusted CA, to appear more legitimate to the untrained eye. In a corporate environment, looking for rarity of the common name assigned to the certificate can turn up unwanted applications. The analyst should investigate the rarest instances.

RSA NetWitness Endpoint 11.1 and higher

Rarest Parent Processes of cmd.exe

Attackers often use trusted Windows processes as part of their attack. In a corporate environment, the number of unique parent processes invoking cmd.exe should be minimal. Rarely seen parent processes could indicate malware or alternate execution paths used by malware and attackers, and should be investigated.

RSA NetWitness Endpoint 11.1 and higher

Rarest Parent Processes of powershell.exe

Attackers often use trusted Windows processes as part of their attack. In a corporate environment, the number of unique parent processes invoking powershell.exe should be minimal. Rarely seen parent processes could indicate malware or alternate execution paths used by malware and attackers, and should be investigated.

RSA NetWitness Endpoint 11.1 and higher

Rarest Processes Running from AppData

A common malware characteristic is to run processes from temporary and low-security folders. Rare processes running from the AppData\Local or AppData\Roaming folders should be investigated.

RSA NetWitness Endpoint 11.1 and higher

Remote Control or Proxy Client Download

Detects proxy and remote control client file downloads by looking for the file name and extension within the filename meta key.

Dependent on the following RSA Application Rules:

  • Proxy Client Download
  • Remote Control Client

Use of an HTTP network parser is required.

Remote Control Client Site

Detects use of common remote control client download sites. It uses a list of domains matched against the alias.host meta key.

Dependent on the Remote Control Client Website RSA Application Rule.

Use of an HTTP network parser is required.

Risk Info By Profiled Source IP

Detects all risks registered in the meta key risk.info through the Alert IDs Information feed, for sessions that match a list of configured source IP addresses.

Dependent on the Filtering Candidate/Profile by Source IP List.

Uses metadata generated by the Alert IDs Info feed.

Risk Suspicious By Profiled Source IP

Detects all risks registered in the meta key risk.suspicious through the Alert IDs Suspicious feed, for sessions that match a list of configured source IP addresses.

Dependent on the Filtering Candidate/Profile by Source IP List.

Uses metadata generated by the Alert IDs Suspicious feed.

Risk Warning By Profiled Source IP

Detects all risks registered in the meta key risk.warning through the Alert IDs Warning feed, for sessions that match a list of configured source IP addresses.

Dependent on the Filtering Candidate/Profile by Source IP List.

Uses metadata generated by the Alert IDs Warning feed.

Risk Suspicious By User Watchlist

Detects all risks registered in the meta key risk.suspicious through the Alert IDs Suspicious feed, for users on a watchlist, by user name.

Dependent on the following Lists:

  • User Activity/Watchlist by Name
  • User Activity/User Watchlist by IP
  • User Activity/User Watchlist by Hostname
  • User Activity/User Watchlist by Email Address

Uses metadata generated by the Alert IDs Suspicious or Alert IDs Warning feeds.

Risk Warning By User Watchlist

Detects all risks registered in the meta key risk.warning through the Alert IDs Warning feed, for users on a watchlist, by user name.

RSA SecurID-Account Lockouts

Returns usernames that have failed to authenticate as declared by RSA SecurID. This rule populates users who attempted to log in too many times without successfully logging in, and have locked their SecurID account. It has a limit of returning 5,000 users.

Dependent on the RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv).

RSA SecurID-Bad PIN Good Token Code

Returns usernames that have failed to authenticate as declared by RSA SecurID. This rule populates users who have entered an incorrect PIN but are using a valid SecurID token code (hard or soft). It has a limit of returning 5,000 users.

Dependent on the RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv).

RSA SecurID-Bad PIN Previous Token Code

Returns usernames that have failed to authenticate as declared by RSA SecurID. This rule populates users who have entered a previous token code. The token code reached the end of its validity period (usually 60 seconds) and rolled out of the system before authentication completed. It has a limit of returning 5,000 users.

Dependent on the RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv).

RSA SecurID-Bad Token Code Bad PIN

Returns usernames that have failed to authenticate as declared by RSA SecurID. This rule populates users who have attempted to log in with a valid username but have entered the SecurID token code and PIN incorrectly. It has a limit of returning 5,000 users.

Note: You need to index the non-standard meta key result on the Log Decoder and Concentrator in order to fully populate this rule. The key needs to be added to the following files, and the services restarted.

To index-concentrator-custom.xml on the Concentrator, add:

    <key description="Result" level="IndexValues" name="result" format="Text" valueMax="10000" defaultAction="Open"/>

To table-map-custom.xml on the Log Decoder, add:

    <mapping envisionName="result" nwName="result" flags="None" format="Text" envisionDisplayName="Result|Volume|Information|Reason|Succeed/Failed"/>

Dependent on the RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv).

RSA SecurID-Bad Token Code Good PIN

Returns usernames that have failed to authenticate as declared by RSA SecurID. This rule populates users who have entered a valid PIN for a given username, but the SecurID token code was typed incorrectly. It has a limit of returning 5,000 users.

Dependent on the RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv).

RSA SecurID-Static Passcode Authentication

Returns users that have successfully authenticated using a static passcode and not with an RSA SecurID token. It has a limit of returning 5,000 users.

Note: You need to index the non-standard meta key result on the Log Decoder and Concentrator in order to fully populate this rule. The key needs to be added to the following files, and the services restarted.

To index-concentrator-custom.xml on the Concentrator, add:

    <key description="Result" level="IndexValues" name="result" format="Text" valueMax="10000" defaultAction="Open"/>

To table-map-custom.xml on the Log Decoder, add:

    <mapping envisionName="result" nwName="result" flags="None" format="Text" envisionDisplayName="Result|Volume|Information|Reason|Succeed/Failed"/>

Dependent on the RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv).

RSA SecurID-Token Code Reuse

Returns usernames that have failed to authenticate as declared by RSA SecurID. This rule populates users who have entered a valid PIN for a given username, but the SecurID token code was used previously. The user did not allow the token code to change prior to attempting a new logon. It has a limit of returning 5,000 users.

Dependent on the RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv).

RSA SecurID-Unknown User Failed Login

Returns all usernames that have performed failed authentications as declared by RSA SecurID. This rule populates users who have entered a username that is not registered in the SecurID Server database (invalid username). It has a limit of returning 5,000 users.

Note: You need to index the non-standard meta key result on the Log Decoder and Concentrator in order to fully populate this rule. The key needs to be added to the following files, and the services restarted.

To index-concentrator-custom.xml on the Concentrator, add:

    <key description="Result" level="IndexValues" name="result" format="Text" valueMax="10000" defaultAction="Open"/>

To table-map-custom.xml on the Log Decoder, add:

    <mapping envisionName="result" nwName="result" flags="None" format="Text" envisionDisplayName="Result|Volume|Information|Reason|Succeed/Failed"/>

Dependent on the RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv).

Services By Profiled Source IP

Detects the meta key service, generated through a network parser, for sessions that match a list of configured source IP addresses.

Dependent on the Filtering Candidate/Profile by Source IP List.

Dependent on the RSA Network Parser Lua parser.

Security Analytics Administration - Events Classification Summary

10.5 and higher. Summarizes event types and sub-types with the count and the last time the event occurred.

None

Security Analytics Administration - Hosts and Events Summary

10.5 and higher. Summarizes all the events that occurred under each host, along with the event counts.

None

Security Analytics Administration - User Activity by Source IP Summary

10.5 and higher. Returns a breakdown of the user activity for each user, along with its source address, count, and the last time the event occurred.

None

Security Analytics Administration - User Authentication Attempt Details

10.5 and higher. Returns a detailed list of authentication successes and failures, including Hostname, Source IP address and time.

None

Security Analytics Administration - User Authentication Failure Details

10.5 and higher. Returns a detailed list of authentication failures, including Hostname, Source IP address and time.

None

Security Analytics Administration - User Authentication Failure Reason Summary

10.5 and higher. Returns a breakdown of the reasons for authentication failures for each user, along with the occurrence count and the last time the event occurred.

None

Service Analysis

Identification and inspection of core application protocols. This rule displays output when the meta key Service Analysis is populated.

Dependent on the Hunting Pack

Service Analysis Detail

Identification and inspection of core application protocols. This rule displays output when the meta key Service Analysis is populated.

Additional context is provided to an analyst by grouping with the additional meta keys Service Type and Alias Host.

Dependent on the Hunting Pack

Services on Host

Returns all services at the endpoint for the configured hostname. This information can be useful when conducting an investigation into a suspect machine.

CONFIGURATION

If this rule is used with the Endpoint Scan Data Host Report, before the report is scheduled to run, you must enter a hostname or configure and use a List of hostnames.

RSA NetWitness Endpoint 11.1 and higher

Session Analysis

Deviations in client-server communication. This rule displays output when the meta key Session Analysis is populated.

Dependent on the Hunting Pack

Session Analysis Detail

Deviations in client-server communication. This rule displays output when the meta key Session Analysis is populated.

Additional context is provided to an analyst by grouping with the additional meta keys Service Type and Alias Host.

Dependent on the Hunting Pack

Shadow IT Use by Category - Event Count

Detects Shadow IT use through a set of application rules. The application rules have been divided by category:

  • stealth email use
  • voice chat apps
  • file sharing apps

This rule summarizes the results in descending order by event count.

Dependent on the following RSA Application Rules:

  • stealth email use (nw110105)
  • voice chat apps (nw30050)
  • file sharing apps (nw110150)

Dependent on the User Watchlist by IP list.

Shadow IT Use by Category - Session Size

Detects Shadow IT use through a set of application rules. The application rules have been divided by category:

  • stealth email use
  • voice chat apps
  • file sharing apps

This rule summarizes the results by session size.

Dependent on the following RSA Application Rules:

  • stealth email use (nw110105)
  • voice chat apps (nw30050)
  • file sharing apps (nw110150)

Shadow IT Use by IP Source

Detects Shadow IT use through a set of application rules. The application rules have been divided by category:

  • stealth email use
  • voice chat apps
  • file sharing apps

This rule aggregates the results by source IP address.

Dependent on the following RSA Application Rules:

  • stealth email use (nw110105)
  • voice chat apps (nw30050)
  • file sharing apps (nw110150)

Shadow IT Use by BYOD

Shadow IT by Bring Your Own Device (BYOD) is detected through the application rule nw110125, for a BYOD mobile web agent.

Dependent on the byod mobile web agent RSA Application Rule.

Shadow IT Use High Risk

Displays high risk events based on detection of shadow IT. High risk events are defined as either a large outbound session size as detected with application rule nw110060, or a match to a user-defined watchlist of source IP addresses.

Dependent on the following RSA Application Rules:

  • stealth email use (nw110105)
  • voice chat apps (nw30050)
  • file sharing apps (nw110150)
  • large outbound data transfer (nw110060)

Dependent on the User Watchlist by IP list.

SSH to External Address

Fires when alert.id = 'ssh to external'.

The application rule appends alert.id = 'ssh to external' when SSH traffic is detected from an internal IP address to an external IP address.

An SSH connection is identified by the following:

  • service = 22, and
  • tcp.dstport = 22

An internal IP address is one in the private address space defined by RFC 1918. Any IP address not in the private space is considered external.

Indirectly dependent on the RSA Application Rule SSH to External.

SSH over Non Standard Port

Fires when SSH traffic is detected over a port that is not typically used for SSH.

Dependent on the RSA Application Rule Non-Standard Port Use - SSH.

Streaming Media by Bandwidth

Aggregates sessions that contain streaming media sites, which are listed in the Streaming Media List.

Capturing streaming media consumes a large amount of disk retention, so it makes a good candidate for filtering.

Dependent on the Streaming Media List.

Threat Categories

Displays threat categories based on network traffic. The threat.category meta key is populated by feeds.

At least one of the RSA Research feeds is required.

Threat Categories By Profiled Source IP

Detects the meta key service, generated through a network parser, for sessions that match a list of configured source IP addresses.

Dependent on the Filtering Candidate/Profile by Source IP List.

Uses metadata generated by the following Warning feeds:

  • Alert IDs
  • RSA FirstWatch

Threat Sources

Displays threat sources based on network traffic. The threat.source meta key is populated by feeds.

At least one of the RSA Research feeds is required.

Threat Sources By Profiled Source IP

Detects events through the meta key threat.category for sessions that match a list of configured source IP addresses. The meta key is generated through alert and threat feeds.

Dependent on the Filtering Candidate/Profile by Source IP List.

Uses metadata generated by the following Warning feeds:

  • Alert IDs
  • RSA FirstWatch

Top Alias Host Destination by Session Count

Aggregates sessions by alias.host and displays the top five results by session count in descending order.

None

Top Alias Host Destination by Source IP

Aggregates sessions by alias.host and displays the top five results grouped by ip.src and summarized by session count in descending order.

None

Top Destination Country by Session Count

Aggregates sessions by country.dst and displays the top five results by session count in descending order.

None

Top Destination Country by Session Size

Aggregates sessions by country.dst and displays the top five results by session size in descending order.

None

Top Destination Country by Source IP

Aggregates sessions by country.dst and displays the top five results grouped by ip.src and summarized by session count in descending order.

None

Top Destinations By Profiled Source IP - Bandwidth

Displays events with the meta key ip.dst aggregated by session size, for sessions that match a list of configured source IP addresses.

Dependent on the Filtering Candidate/Profile by Source IP List.

Top Destinations By Profiled Source IP - Sessions

Displays events with the meta key ip.dst aggregated by number of sessions, for sessions that match a list of configured source IP addresses.

Dependent on the Filtering Candidate/Profile by Source IP List.

Top Email Addresses By Frequency

Summarizes a list of email addresses based on frequency of occurrence.

Dependent on the following RSA Lua parsers:

  • imap
  • smtp

Top Email Destinations By Frequency

Summarizes a list of email destination countries.

Top Email Subjects

Summarizes a list of email subjects.

Top File Extensions By Frequency

Summarizes a list of file extensions based on frequency of occurrence.

None

Top Foreign Countries

Summarizes a list of foreign countries from where network traffic is very high, excluding the local country.

Dependent on the Local_Country list.

Top Foreign Domains

Summarizes a list of foreign domains from where network traffic is very high, excluding the local domain.

Dependent on the Local_Country list.

Top HTTPS Destination IP by Session Size

Aggregates sessions by ip.dst and displays the top five results where tcp.dstport equals 443 or the client equals HTTPS. The results are summarized by session count in descending order.

None

Top Network Service by Session Count

Aggregates sessions by service and displays the top five results by session count in descending order.

None

Top Outbound Protocols

Summarizes a list of outbound protocols in a network.

None

Top Outbound Source IP

Summarizes a list of outbound source IP addresses in a network.

None

Top Protocols

Summarizes a list of protocols in a network.

None

Top 10 Categorized sites

Summarizes a list of categorized sites.

Dependent on the proxy_block RSA Lua parser.

Top 10 Destination Countries

Summarizes a list of destination countries.

None

Top 10 Destination Countries by Service Type

Summarizes a list of destination countries, based on services.

None

Top 10 Destination Countries with Warning and Suspicious Level Alerts

Summarizes a list of countries with warning and suspicious alerts.

Dependent on the following RSA Lua parsers:

  • phishing_lua
  • HTTP_SQL_Injection
  • fingerprint_javascript_lua
  • SMB_lua
  • fingerprint_zip
  • OCSP_lua
  • Signed_Executable
  • MAIL_lua
  • PACKERS
  • DNS_verbose_lua
  • ghost
  • fingerprint_chm_lua
  • fingerprint_pdf_lua
  • fingerprint_flash
  • fingerprint_rar_lua

Uses metadata generated by the Alert IDs Suspicious and Alert IDs Warning feeds.

Top 10 Destination IP Addresses

Summarizes a list of destination IP addresses.

None

Top 10 Search Engine Queries

Summarizes a list of search engine queries.

Dependent on the search_query RSA Lua parser.

Top 10 Services

Summarizes a list of services.

None

Top 10 Uncategorized sites

Summarizes a list of uncategorized sites.

Dependent on the proxy_block RSA Lua parser.

Top 10 Websites

Summarizes a list of the most commonly accessed websites.

None

Top Social Sites by Bandwidth

Aggregates sessions that contain social sites, which are listed in the Social Sites List. If social media is not blocked or considered a risk, filter this traffic to reduce the amount of data captured.

Dependent on the Social Sites List.

Top Source Countries

Displays the top source countries as populated by the country.src meta key. To populate this key, the GeoIP parser must be enabled on the packet decoder and log decoder.

Dependent upon the GeoIP parser.

Top Source IP Addresses

Displays the top source IP addresses as populated by the ip.src meta key.

Dependent upon the Network parser.

Top TCP Destination ports

Displays the top TCP destination ports as populated by the tcp.dstport meta key.

Dependent upon the Network parser.

Tox P2P Activity

The Tox protocol is used for P2P instant messaging and video calling. An actor may use the Tox protocol as an encrypted communication channel for malicious purposes.

This rule displays all IP sources that have been identified as communicating with a Tox supernode, so an analyst may conduct further investigation.

Dependent on the Tox Supernode Feed.

Traffic Flow Direction

Displays traffic flow as populated by the Traffic Flow Lua parser, or as parsed from a log event source.

Dependent upon the Traffic Flow Lua parser.

Tunneling Protocols Outbound

Displays internal users communicating over tunneling protocols that may indicate inappropriate or anonymous access. This rule includes SSH and Tor tunneling protocols.

Dependent on the following RSA Application Rules:

  • Tor Outbound
  • ssh to external

Dependent on the following Network Parsers:

  • HTTPS
  • SSH
  • TLS

Also dependent on the TLS_Lua parser.

Unknown Service detected over Standard Network Port

Displays sessions where an unknown service is detected on a standard network port. For example, an unknown service detected on port 53, which is the standard DNS port.

Dependent on the following RSA Application Rules:

  • Unknown Service Over DNS Port
  • Unknown Service Over FTP Port
  • Unknown Service Over HTTP Port
  • Unknown Service Over Telnet Port
  • Unknown Service Over SMTP Port
  • Unknown Service Over POP3 Port
  • Unknown Service Over IRC Port
  • Unknown Service Over NNTP Port
  • Unknown Service Over SMB Port
  • Unknown Service Over SSL Port

Vendor Update Sites by Bandwidth

Aggregates sessions that contain vendor update sites, which are defined in the Vendor Update Sites List.

Traffic from most vendor update sites is considered normal, so it makes a good candidate for filtering.

Dependent on the Vendor Update Sites List.

Virus Detection

Displays possible virus infections by name using the virusname meta key, as populated by the Antivirus event class.

Requires at least one antivirus event source to be enabled.

Windows Process Parent Child Mismatch

There are sets of trusted Windows processes that should always be invoked by specific parent processes. Variations in this should be considered suspicious.

REFERENCES

Know Abnormal...Find Evil

RSA NetWitness Endpoint 11.1 and higher
