Discontinued Content

Document created by RSA Information Design and Development on Aug 8, 2016. Last modified by RSA Information Design and Development on Apr 25, 2018.
Version 133

In an ongoing effort to provide the best user experience, RSA periodically discontinues content (such as rules and reports). This keeps pace with the ever-evolving threat landscape and ensures that customers are not overwhelmed with stale information and ‘alert fatigue’. By tailoring content to current threats, we can help keep customer systems performing efficiently. This is also part of an effort to refocus on more threat- and data-driven approaches to detection.

Some reasons that a piece of content is discontinued:

  • It was replaced by better, newer content
  • It offered little or no value
  • It addressed threats that are no longer relevant

Note: Discontinued content still appears. In RSA Security Analytics 10.6.1 and newer, there is a checkbox to show discontinued content. Discontinued content simply receives no further updates, and users won’t see these items when they search in Live.

RSA Application Rules

Name / Title / Description / Notes

nw02605

adware client

Detects known malware with a client header of "downloadmr"

This is an outdated threat and detection method, and thus no longer relevant.

nw132520

APT Domain Intelligence

Helper rule for a list of domains and IP addresses that were identified as possibly harboring APT.

The domains have expired, and the IP addresses have not been used in any recent campaigns.

nw45080

carberp botnet activity

Detects known Carberp botnet activity

The botnet is no longer active, and the indicators in this rule have gotten stale.

nw30025

Console Gaming

Detects user-agent strings associated with the Xbox, Playstation and Wii gaming consoles.

Provides very little enterprise security value.

nw10001

custom router firmware admin page

Detects connections to SOHO routers that have been upgraded using DD-WRT or Tomato firmware. This allows enhanced functionality from a home internet connection and is often a precursor or indicator for tunneling activity.

Description does not match what the rule detects. Additionally, the rule is dependent upon technology not updated since 2013.

nw45645

CryptoLocker Beaconing

Detects traffic indicative of the beaconing activity of the Russian CryptoLocker ransomware variants.

Returned too many false positives to be useful.

nw00025

Direct to IP HTTP Request

Session with an HTTP request directly to an IP address with no corresponding alias.host meta.

Replaced by logic in the HTTP Lua parser.

nw30045

Escalation - Multiple Blacklist Feed Hits

Creates an alert in risk.warning if a single session triggers 3 or more NetWitness Live feed hits.

Provides very little enterprise security value.

nw30035

Escalation - Multiple Informational

Creates a risk.suspicious alert if 3 or more risk.info alerts exist in a single session.

Provides very little enterprise security value.

nw30040

Escalation - Multiple Suspicious

Creates an alert in risk.warning if 3 or more risk.suspicious alerts exist in a single session.

Provides very little enterprise security value.

nw100005

Facebook Login

Identifies logins to Facebook.

Facebook works on full SSL now, so this rule never fires.

nw100010

Facebook Profile

Identifies visits to Facebook profile pages

Facebook works on full SSL now, so this rule never fires.

nw20045

Fake Antivirus Malware Indicators

Detects filenames and alias.hosts with the words antivirus, scan, or protect in them. If filenames are detected, they are tied to a forensic, executable fingerprint.

This rule generated thousands of false positives, and depended upon a deprecated flex parser.

nw20040

Fake Codec Malware Indicators

Detects domains and filenames with the word "codec" in them.

Excessively noisy.

nw110055

Large Outbound Session to File Upload Sites

Detects an outbound session where the data size is greater than 5MB, and the destination is identified by the File Upload Sites feed.

Relies on the File Upload Sites feed, which is being deprecated due to the large number and distributed nature of cloud storage services.

nw30020

loopback Traffic

Detects references to 127.0.0.0/8 in sessions.

Discontinued to reduce negative indicators.

NWFL_AuthFailure

NWFL_account:auth-failure

NWFL App Rule to support Informer Reports

This rule was never released to Live.

nw02595

potential Chinese malware installer

Detects when an HTTP transaction has a client header that begins with "agent". This has been observed by RSA Research in malware incidents.

Stale and outdated TTP associated with malware.

nw20055

Potential Exploit Payload Delivery

Detects forensic file type content being delivered via a suspicious filename as identified by suspicious filename feeds.

This is an outdated TTP associated with Exploit Kits no longer found in the wild.

nw70005

Skype Login

Detects a Skype client checking for software updates.

Logins are now encrypted, so this rule is no longer valid.

nw20115

Small Executable From Blacklisted Host

Detects a small executable from a host on a NetWitness Live Blacklist.

Superseded by nw20065 (High Risk File From Blacklisted Host).

nw02610

suspicious client contains

Detects suspicious clients (my toolbar, winhttprequest).

Outdated signatures for clients no longer found in the wild.

nw02570

suspicious server banner

Detects certain server banners that are suspicious in nature.

Outdated signatures for servers no longer found in the wild.

nw02630

tax document in attachment

Detects attachments with the word tax in the filename.

Prone to too many false positives, creating increased noise in the product.

nw02590

udp 16464 beaconing

Detects UDP beaconing on port 16464. This has been observed by RSA Research in malware-related check-in traffic.

Limited number of ZeroAccess instances found in the wild.

nw60160

Unknown Service Telnet Port

Detects an unidentified service over a port typically used for telnet traffic.

Duplicate of Unknown Service Over Telnet Port.

nw10005

wikileaks domain hit

Hits or DNS lookups of domains known to be Wikileaks mirrors, compiled from the mirror list at wikileaks.ch.

Stale information based on the feed at wikileaks.ch, which no longer exists.

nw110020

Wikileaks Email Submission

Detects emails being sent to the Wikileaks domain, sunshinepress.org.

Due to the decentralized nature of Wikileaks and their use of TOR for submissions, this rule is no longer valid.

nw40005

Zeus Botnet Activity

10.4 or higher. Alerts if a session contains a ZeuS tracker feed hit and a post to a PHP page on port 80.

Uses unsupported feeds in addition to looking for an outdated indicator, leading to little analytic value.

app000001

zusy_botnet

Detects the beaconing activity of the Zusy botnet.

An abandoned malware family. The last infection in the wild was spotted 2 years ago.

RSA Event Stream Analysis Rules

Name / Description / Notes

Active Directory Policy Modified

An Active Directory service object was changed (created, deleted, modified, or moved) in a Windows-based Active Directory system.

This rule triggers false positives when non-security related configuration changes are made.

Adapter Entered Promiscuous Mode

10.4 or higher. Detects when packet meta has a source country not equal to the home country, followed by a log event indicating the interface entered promiscuous mode. The packet destination IP address must match the device IP address of the log event. Both the home country and time range parameters are configurable.

This rule would only trigger under ideal circumstances that were highly unlikely in the wild. It was removed in favor of making the system more efficient.

Adapter in Promiscuous mode after Multiple login attempts

Five or more consecutive failed root login events followed by a successful login event from the same user and, then, the adapter goes into promiscuous mode within a time window of 5 minutes. The time window is configurable.

This rule would only trigger under ideal circumstances that were highly unlikely in the wild. It was removed in favor of making the system more efficient.

Adapter in Promiscuous mode after User Creation and Login

Adapter goes into promiscuous mode after the same user has been created and logged on within 5 minutes. The time window is configurable.

This rule would only trigger under ideal circumstances that were highly unlikely in the wild. It was removed in favor of making the system more efficient.

Attempted Identity Abuse via Excessive Login Failures

Detects identity abuse when there are multiple failed logins from the same user to multiple destinations.

This rule is superseded by esa000111, Logins Across Multiple Servers.

Consecutive Login without Logout

Detects consecutive logins by the same user to the same system without a logout.

This rule creates a large number of false positives because a user can be disconnected from the network without any log notifications or events.

Cybergate RAT Download

Detects an internal network session download of CyberGate RAT.

Replaced by an application rule.

Direct Login By A Guest Account

Detects a successful interactive logon or a successful remote interactive logon to a guest account on a Microsoft Windows host.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

Direct Login to an Administrative Account

Detects a successful interactive or remote interactive logon using an administrative account for Windows. The list of administrative accounts is configurable.

This rule was merged into the Direct Login to Watchlist Account ESA rule.

DNS Lookups from the Same Host

Detects 50 DNS lookups in 60 seconds from the same IP source. Both the time window and the number of lookups are configurable.

Provides no operational security value, as it just finds all DNS activity from client machines.

Failed logins Followed By Successful Login and a Password Change

Detects five or more failed logins for a user, followed by a successful login and a password change within a five-minute time period.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

File Transfer Using Non Standard Port

Detects when a file is transferred using a non-standard TCP destination port. Both the list of file extensions and list of standard TCP ports are configurable.

Does not solve a correlation-required use case, and adds to confusion and noise in customer environments.

Insider Threat Mass Audit Clearing

Detects when the same user logs on multiple times to multiple Windows machines, then clears the audit log on each machine within a configurable time frame.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

jRAT Download

Detects an internal network session download of jRAT.

Replaced by an application rule.

krbtgt Account Modified on Domain Controller

Detects modification to the krbtgt account on a domain controller.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

Lateral Movement Suspected Windows

Detects within a Windows environment a sequence of events in which an executable is copied to a file share, the executable is used to create a new service and the service is started within 5 minutes. The sequence of events may indicate an attacker moving laterally by executing a backdoor on a victim machine from an already compromised system.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

Logins across multiple servers

Detects logins from the same user across 3 or more separate servers within 5 minutes.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

Logins by same user to multiple servers

Identifies a user that attempts to log in to multiple hosts within one minute.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

Low Orbit Ion Cannon DoS Tool Download

Detects Low Orbit Ion Cannon DoS tool download from sourceforge.net.

The rule logic was ineffective, and the threat is no longer relevant.

Multiple Account Lockouts From Same or Different Users

Detects multiple account lockouts reported for a single or multiple users within a time period of 10 minutes.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

Multiple Failed logins Followed By Successful Login

Multiple failed logons followed by a successful logon by the same user within 5 minutes.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

Multiple Failed Logins from Multiple Diff Sources to Same Dest

Detects log events that contain multiple failed logins from a single user from multiple different sources to same destination within 3600 seconds.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

Multiple Failed Logins from Multiple Users to Same Destination

Detects log events that contain multiple failed logins from multiple different users from the same source to the same destination in 180 seconds.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

Multiple Failed Logins from Same User Originating from Different Countries

Multiple failed logins from the same user, originating from multiple different countries. IP addresses are used to indicate that the attempted logins originated from different countries.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

Multiple Failed Privilege Escalations by Same User

Fires after a user account fails privilege escalation 3 times within a 5 minute period. Both the time window and the number of privilege escalation failures are configurable.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

Multiple Login Failures by Administrators to Domain Controller

This rule is triggered when a user enters Administrator credentials to log on to a domain controller and fails multiple times within a certain number of minutes. The default is 3 failures within 3 minutes.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

Multiple Login Failures by Guest to Domain Controller

This rule is triggered when a user enters Guest credentials to log on to a domain controller and fails multiple times within a certain number of minutes. The default is 3 failures within 3 minutes.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

Multiple Successful Logins from Multiple Diff Src to Diff Dest

Detects log events that contain multiple successful logins from a single user from multiple different sources to multiple different destinations in 180 seconds.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

Multiple Successful Logins from Multiple Diff Src to Same Dest

Detects log events that contain multiple successful logins from a single user from multiple different sources to same destination in 3600 seconds.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

Multiple Unique Logs from Msg ID Set with Same Source IP and Destination IP

Multiple unique log events from a group of message IDs (each log has to have a unique message ID among the specified set of IDs) with the same source IP and destination IP that take place within a given time window.

This rule provides no operational security value.

Non DNS Traffic on UDP Port 53 Containing Executable

Detects non-DNS traffic over TCP or UDP destination port 53 containing an executable. You can configure the list of executable file extensions and ports for DNS traffic.

Replaced by an application rule.

Non HTTP Traffic on TCP Port 80 Containing Executable

Detects non-HTTP traffic on TCP destination port 80 containing an executable. You can configure the list of executable file extensions and TCP port for HTTP traffic.

Replaced by an application rule.

Non SMTP Traffic on TCP Port 25 Containing Executable

Detects non-SMTP traffic on TCP destination port 25 containing an executable file. You can configure the list of executable file extensions and TCP port for SMTP traffic.

Replaced by an application rule.

Port Scan Horizontal Log

Alerts when log events contain 200 unique IP destinations with the same source IP and destination port within 60 seconds, indicating a horizontal port scan.

Both the time window and number of unique IP destinations are configurable.

Replaced by Port Scan Horizontal, which merges the Logs rule and the Packets rule.

Port Scan Horizontal Packet

Alerts when network sessions contain 40 unique IP destinations with the same source IP and destination port within 180 seconds, indicating a horizontal port scan.

The time window, destination port range and number of unique IP destinations are configurable.

Replaced by Port Scan Horizontal, which merges the Logs rule and the Packets rule.

Privilege Escalation Detected

Detects an escalation in privileges for a Windows user or group.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

Privilege User Account Password Change

Detects a logged modification of an administrative account password.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

RIG Decimal IP Campaign

This rule indicates the presence of decimal-IP (i.e. an IP address expressed in decimal format) redirectors in use with RIG Exploit Kit (EK) operations.

Functionality was added to RIG Exploit Kit ESA rule, making this rule unnecessary.

Suspicious Privileged User Access Activity

Triggers when a privileged user account is observed logging into 3 or more unique hosts within 5 minutes.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

User Account Created Logged in and Deleted Within an Hour

Detects when a user account is created, and then gets deleted within one hour.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

User added to admin group same user login OR same user su sudo

Detects when a user is upgraded to one of the admin groups (custom list of groups) and the same user logs in or performs a sudo operation.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

User added to Administrative Group + SIGHUP detected within 5 minutes

Detects when a user is upgraded to one of the admin groups (custom list of groups) and a SIGHUP is detected on a service on the same device.ip. This rule is specific to Unix devices.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

WebSploit Tool Download

Detects WebSploit tool download from sourceforge.net.

The rule no longer triggers, as the content it was referencing was retired.

Windows Suspicious Admin Activity: Audit Log Cleared

Detects when a user account is created, added to the Administrators group, and the audit logs are cleared within a five-minute period.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

Windows Suspicious Admin Activity: Firewall Service Stopped

Detects when a user account is created, added to the Administrators group, and the firewall is stopped within a five-minute time period.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

Windows Suspicious Admin Activity: Network Share Created

Detects when a user account is created, added to the Administrators group, and a network share is created within a five-minute time period.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

Windows Suspicious Admin Activity: Shared Object Accessed

Detects when a Windows user account is created, a shared object is accessed, and the account is deleted within a five-minute time period.

Replaced with a rule of the same name due to integration of a Context Hub list into the rule logic (new feature for version 11.1). The new rule is supported in RSA NetWitness version 11.1 and higher.

RSA Feeds

The following feeds are being discontinued because RSA Research is no longer supporting them. RSA Research is instead focused on emerging, sophisticated threats around the globe.

Name / Description / Notes
Arin Net Destination ASNs

Identifies the country in which a specific destination ASN resides, as identified by Arin Net.

MaxMind is no longer supporting this content.

Arin Net Source ASNs

Identifies the country in which a specific source ASN resides, as identified by Arin Net.

MaxMind is no longer supporting this content.

ASN Info Pack

Provides additional meta information for AS Networks, Organization names, Country codes, and country names as sourced from MaxMind and ArinNet.

MaxMind is no longer supporting this content.
File Upload Sites

Creates meta when hits to known online file storage sites are detected.

Due to the distributed and constantly evolving infrastructure of cloud services, it is not beneficial to track all systems by their FQDNs.

High Risk File

Detects high-risk file types by extension.

Prone to false positives due to attackers mimicking legitimate download behaviors.

Hijacked

Hijacked IP list sourced from www.bluetack.co.uk.

Outdated list of IP addresses that is no longer publicly updated and provided to the community.

hunting

The Hunting feed can be deployed to provide a baseline response framework that allows analysts to investigate collections with a modular approach to response.

Replaced by the Investigation Feed.

IDefense Threat Indicators Domains

Verisign iDefense security intelligence services give information security executives access to accurate and actionable cyber-intelligence related to vulnerabilities, malicious code, and global threats 24 hours a day, 7 days a week.

This feed is no longer available nor updated, due to an expired partnership with IDefense.

MaxMind ASN

List of AS Networks associated with IP address ranges regularly updated and sourced from MaxMind.

MaxMind is no longer supporting this content.

NetWitness Fraud Intelligence powered by Verisign

Verisign iDefense security intelligence services give information security executives access to accurate and actionable cyber-intelligence related to vulnerabilities, malicious code, and global threats 24 hours a day, 7 days a week.

This feed has been incorporated into the existing RSA Research feed.

Palevo Tracker Domains

Palevo Tracker offers three different blocklists, used to block access to well-known Palevo botnet command and control servers.

The Palevo tracker feeds are no longer being updated by the community; the threat has diminished, and this content provides no operational security value.

Palevo Tracker IPs

RSA FirstWatch APT Attachments

Contains attachments that are known to be associated with APTs.

Due to rapid evolution of attacker TTP, these indicators were too varied to provide much operational value.

RSA FirstWatch Criminal Socks User IPs

Contains IPs that have been observed using criminal anonymization services.

The malware that this project leveraged has since gone dormant, and the data it provided has outlived its usefulness.

RSA FirstWatch Criminal VPN Entry Domains

Contains domains that represent known VPN entry nodes for criminal anonymization services.

The feeds associated with VPN IPs (RSA FirstWatch Criminal VPN Entry/Exit IPs) provide more value than the domain-related ones. The domain feeds would only fire on DNS lookups, not on the actual VPN traffic.

RSA FirstWatch Criminal VPN Exit Domains

Contains domains that represent known VPN exit nodes for criminal anonymization services.

RSA FirstWatch Exploit Domains

Contains Domains that are known to be associated with malware delivery.

Duplication of effort and value of the RSA Fraud Action Domain feed.

RSA FirstWatch Exploit IPs

Contains IPs that are known to be associated with malware delivery.

RSA FirstWatch IP Reputation

Contains IP that are known to be compromised.

RSA FirstWatch Insider Threat Domains

Contains domains known to be associated with insider threats.

Due to the distributed nature of cloud services and the number of new file sharing services that continue to appear, this feed provided more noise than analytical value.

RSA FirstWatch Insider Threat IPs

Contains IPs known to be associated with insider threats.

SpyEye Domain Tracker

SpyEye domain tracker is a list of SpyEye (also known as zbot, prg, wsnpoem, gorhax and kneber) command & control domain names. SpyEye tracker has tracked more than 2,800 malicious SpyEye C&C servers. SpyEye is spread mainly through drive-by downloads and phishing schemes.

The SpyEye tracker feeds are no longer being updated by the community; the threat has diminished, and this content provides no operational security value.

SpyEye Tracker

SRI Attackers

Contains malicious IP addresses sourced from www.sri.com.

A change in licensing prevents RSA from redistributing the data feed.

SSH IP Blacklist

The SSH blacklist contains IP addresses of hosts that tried to brute-force their way into any of the currently 10 monitored hosts (all running OpenBSD, FreeBSD, or Linux) using the SSH protocol. The hosts are located in Germany, the United States, and Australia, and are set up to report and log those attempts to a central database.

The website that hosts this material has posted a notice that they will no longer be providing updates.

Tor Nodes

Contains IPs that are listed as active nodes in the Tor network.

This list contains all Tor nodes, and because other services are often hosted on the same IP address as the Tor node, this leads to false positives.

url-shortening-services.zip

Detects hits to known URL-shortening services.

Due to their adoption across social media and within organizations, this feed has limited analytic value due to increased noise.

WikiLeaks Domains

Wikileaks domain mirrors.

Wikileaks has adopted Tor as a method of distribution instead of a wide network of WWW mirrors.

Zeus Domain Tracker

Zeus domain tracker is a list of Zeus (also known as zbot, prg, wsnpoem, gorhax and kneber) command & control domain names. Zeus tracker has tracked more than 2,800 malicious Zeus C&C servers. Zeus is spread mainly through drive-by downloads and phishing schemes.

The ZeuS feed is sporadically updated by the community, and the updates are prone to false positives because updates have shifted towards compromised sites rather than core ZeuS infrastructure.

Zeus Tracker

Zeus tracker is a list of IP addresses of Zeus servers (hosts) around the world.

RSA Lua Parsers

Name / Description / Notes

AIM_lua

OSCAR protocol used by AIM (AOL Instant Messenger), ICQ, and the AIM Express web client.

As of December 15, 2017, AOL Instant Messenger products and services have been shut down and no longer work.

BITS

Identifies Microsoft BITS Protocol.

BITS was added to HTTP_lua, making the standalone BITS parser redundant. BITS parsing in HTTP_lua is also much more complete than it was in the standalone parser.

RSA Flex Parsers

Name / Description / Notes

Botnet Traffic Patterns

Detects patterns associated with many known botnets.

Command and control traffic may be detected using the Advanced Threat Detection module or through application rules for a specific signature.

CMS Windows Executable

Detects Windows executable content and rates it based on risk (info, suspicious, warning, and so on) according to the level of obfuscation in the binary structure.

This is a duplicate of the Advanced Windows Executable Flex parser.

File Fingerprints

Forensically fingerprints various file types.

This parser was replaced with individual fingerprint parsers. Individual parsers allow a more tailored analytic view for customers than a single, monolithic parser, so no functionality is lost once it is removed.

RSA System Parsers

Name / Description / Notes

AIM

AOL Instant Messenger

These native parsers were removed from Decoders because they no longer provide value.

LotusNotes

Lotus Notes Mail Protocol

MSN

Microsoft Instant Messenger

Net2Phone

Net2Phone Protocol

SAMETIME

Lotus Notes Sametime Instant Messenger Protocol

WEBMAIL

Webmail via HTTP

YCHAT

Yahoo! Web Chat Protocol

YMSG

Yahoo Messenger

RSA Security Analytics List

One list is being discontinued: admin users. This is a duplicate of the Administrative Users list.

RSA Security Analytics Reports

The following reports and report templates are being discontinued. The individual compliance report templates have been superseded by the "Core Compliance" reports, which allow customers to look in fewer places for the same information; those rows are marked "Superseded by Core Compliance reports" below.

| Name | Description | Notes |
| --- | --- | --- |
| Access to Compliance Data - Detail | Compliance Report Template - Access to Compliance Data - Detail | Superseded by Core Compliance reports. |
| Access to Compliance Data - Top 25 | Compliance Report Template - Access to Compliance Data - Top 25 | Superseded by Core Compliance reports. |
| Account Management | Compliance Report Template - Account Management | Superseded by Core Compliance reports. |
| Accounts Created | Compliance Report Template - Accounts Created | Superseded by Core Compliance reports. |
| Accounts Deleted | Compliance Report Template - Accounts Deleted | Superseded by Core Compliance reports. |
| Accounts Disabled | Compliance Report Template - Accounts Disabled | Superseded by Core Compliance reports. |
| Accounts Modified | Compliance Report Template - Accounts Modified | Superseded by Core Compliance reports. |
| Admin Access to Compliance Systems - Detail | Compliance Report Template - Admin Access to Compliance Systems - Detail | Superseded by Core Compliance reports. |
| Admin Access to Compliance Systems - Top 25 | Compliance Report Template - Admin Access to Compliance Systems - Top 25 | Superseded by Core Compliance reports. |
| Antivirus Signature Update | Compliance Report Template - Antivirus Signature Update | Superseded by Core Compliance reports. |
| Botnet Activity | Reports the activity of the various botnets observed within the network. | A more comprehensive Malware Activity report has replaced this; it includes results for botnets as well as crimeware, APT, command and control and more. |
| Change in Audit Settings | Compliance Report Template - Change in Audit Settings | Superseded by Core Compliance reports. |
| Encryption Failures | Compliance Report Template - Encryption Failures | Superseded by Core Compliance reports. |
| Escalation of Privileges - Detail | Compliance Report Template - Escalation of Privileges - Detail | Superseded by Core Compliance reports. |
| Escalation of Privileges - Top 25 | Compliance Report Template - Escalation of Privileges - Top 25 | Superseded by Core Compliance reports. |
| Failed Escalation of Privileges - Detail | Compliance Report Template - Failed Escalation of Privileges - Detail | Superseded by Core Compliance reports. |
| Failed Escalation of Privileges - Top 25 | Compliance Report Template - Failed Escalation of Privileges - Top 25 | Superseded by Core Compliance reports. |
| Failed Remote Access - Detail | Compliance Report Template - Failed Remote Access - Detail | Superseded by Core Compliance reports. |
| Failed Remote Access - Top 25 | Compliance Report Template - Failed Remote Access - Top 25 | Superseded by Core Compliance reports. |
| Firewall Configuration Changes | Compliance Report Template - Firewall Configuration Changes | Superseded by Core Compliance reports. |
| Firmware Changes Wireless Devices | Compliance Report Template - Firmware Changes Wireless Devices | Superseded by Core Compliance reports. |
| Group Management | Compliance Report Template - Group Management | Superseded by Core Compliance reports. |
| Key Generation and Changes | Compliance Report Template - Key Generation and Changes | Superseded by Core Compliance reports. |
| Logon Failures - Detail | Compliance Report Template - Logon Failures - Detail | Superseded by Core Compliance reports. |
| Logon Failures - Top 25 | Compliance Report Template - Logon Failures - Top 25 | Superseded by Core Compliance reports. |
| Password Change on Privileged Account | Displays instances of privileged account passwords being changed. It includes a list that may be customized to include the privileged user accounts in your network environment. To use the report, create and populate the report list with user accounts as noted in the dependencies. | Prone to excessive noise depending on environment configuration. It is also a direct mapping of functionality that already exists in the product. |
| Password Changes - Detail | Compliance Report Template - Password Changes - Detail | Superseded by Core Compliance reports. |
| Password Changes - Top 25 | Compliance Report Template - Password Changes - Top 25 | Superseded by Core Compliance reports. |
| Router Configuration Changes | Compliance Report Template - Router Configuration Changes | Superseded by Core Compliance reports. |
| Successful Remote Access - Detail | Compliance Report Template - Successful Remote Access - Detail | Superseded by Core Compliance reports. |
| Successful Remote Access - Top 25 | Compliance Report Template - Successful Remote Access - Top 25 | Superseded by Core Compliance reports. |
| Successful Use of Encryption | Compliance Report Template - Successful Use of Encryption | Superseded by Core Compliance reports. |
| System Clock Synchronization | Compliance Report Template - System Clock Synchronization | Superseded by Core Compliance reports. |
| Top 10 Risk Suspicious | Summarizes the Top 10 Risk Suspicious sessions by Source, Destination and Session Size. | Duplicate of the All Risk Suspicious report. |
| Top 10 Risk Warning | Summarizes the Top 10 Risk Warning sessions by Source, Destination and Session Size. | Duplicate of the All Risk Warning report. |
| User Access Revoked | Compliance Report Template - User Access Revoked | Superseded by Core Compliance reports. |
| User Access to Compliance Systems - Detail | Compliance Report Template - User Access to Compliance Systems - Detail | Superseded by Core Compliance reports. |
| User Access To Compliance Systems - Top 25 | Compliance Report Template - User Access To Compliance Systems - Top 25 | Superseded by Core Compliance reports. |
| User Session Terminated - Top 25 | Compliance Report Template - User Session Terminated - Top 25 | Superseded by Core Compliance reports. |

RSA Security Analytics Rules

| Name | Details | Notes |
| --- | --- | --- |
| Botnet Activity | Fires when any one or more of 128 different botnets have been detected. | A more comprehensive Malware Activity rule has replaced this. |
| Large Outbound Connections to 3rd Party Sites | Summarizes sessions with a session size of 5MB or greater. Such sessions are indicative of a large file transfer from an RFC 1918 (private) address to a third-party storage site, as identified by the File Upload Sites feed. | Relies on the File Upload Sites feed, which is being deprecated. |
| Top 10 Risk Suspicious by Destination IP | Aggregates sessions by risk.suspicious and displays the top ten results by ip.dst in descending order. | Duplicate functionality to the All Risk Suspicious rule. |
| Top 10 Risk Suspicious by Source IP | Aggregates sessions by risk.suspicious and displays the top ten results by ip.src in descending order. | Duplicate functionality to the All Risk Suspicious rule. |
| Top 10 Risk Suspicious by Session Size | Aggregates sessions by risk.suspicious and displays the top ten results by session size in descending order. | Duplicate functionality to the All Risk Suspicious rule. |
| Top 10 Risk Warning by Destination IP | Aggregates sessions by risk.warning and displays the top ten results by ip.dst in descending order. | Duplicate functionality to the All Risk Warning rule. |
| Top 10 Risk Warning by Source IP | Aggregates sessions by risk.warning and displays the top ten results by ip.src in descending order. | Duplicate functionality to the All Risk Warning rule. |
| Top 10 Risk Warning by Session Size | Aggregates sessions by risk.warning and displays the top ten results by session size in descending order. | Duplicate functionality to the All Risk Warning rule. |
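The two rule families in the table above, a size-threshold outbound transfer rule gated on an RFC 1918 source and a feed-listed destination, and Top-10 aggregation of sessions carrying a risk meta key by ip.dst, ip.src or session size, written out as an added Python example. This is not NetWitness rule syntax or RSA code; the session records, the stand-in contents of the File Upload Sites feed and the reading of "5MB" as 5 * 1024 * 1024 bytes are assumptions made for illustration. It generalises slightly: one aggregation function serves both the risk.suspicious and risk.warning variants, and the Source IP variant groups on ip.src, which is the only thing that distinguishes it from the Destination IP rule.

```python
"""Prototype of the discontinued rule logic over constructed session records.

Added example, not NetWitness rule syntax or RSA code. The sessions, the
stand-in File Upload Sites feed and the 5 MB = 5 * 1024 * 1024 bytes reading
of the threshold are assumptions for illustration.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# RFC 1918 private ranges: the "internal" side of the Large Outbound rule.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed stand-in for the File Upload Sites feed (destination IPs only).
FILE_UPLOAD_SITES = {"203.0.113.10", "198.51.100.7"}

SIZE_THRESHOLD = 5 * 1024 * 1024  # "5MB or greater"; the byte interpretation is an assumption

# Constructed sessions keyed by the page's meta names (ip.src, ip.dst, size, risk.*).
# risk.* holds the list of risk indicators attached to the session; empty means none.
SESSIONS = [
    {"ip.src": "10.1.2.3",    "ip.dst": "203.0.113.10",  "size": 12_000_000,     "risk.suspicious": []},
    {"ip.src": "10.1.2.3",    "ip.dst": "203.0.113.10",  "size": 1_000,          "risk.suspicious": []},          # below threshold
    {"ip.src": "192.168.5.9", "ip.dst": "198.51.100.7",  "size": SIZE_THRESHOLD, "risk.suspicious": ["a"]},       # exactly at threshold
    {"ip.src": "8.8.4.4",     "ip.dst": "203.0.113.10",  "size": 50_000_000,     "risk.suspicious": []},          # source not RFC 1918
    {"ip.src": "172.31.0.1",  "ip.dst": "93.184.216.34", "size": 9_000_000,      "risk.suspicious": ["b"]},       # destination not in feed
    {"ip.src": "10.9.9.9",    "ip.dst": "93.184.216.34", "size": 300,            "risk.suspicious": ["b", "c"]},
]


def is_rfc1918(addr):
    """True when addr parses as an IP address inside one of the RFC 1918 ranges."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def large_outbound_to_upload_sites(sessions, feed=FILE_UPLOAD_SITES, threshold=SIZE_THRESHOLD):
    """Large Outbound Connections to 3rd Party Sites: all three conditions must hold."""
    return [
        s for s in sessions
        if s["size"] >= threshold and is_rfc1918(s["ip.src"]) and s["ip.dst"] in feed
    ]


def top_n_by(sessions, risk_key, group_key, n=10):
    """Top-N values of group_key among sessions that carry risk_key, by session count.

    Serves the "by Destination IP" (group_key="ip.dst") and "by Source IP"
    (group_key="ip.src") variants for both risk.suspicious and risk.warning.
    """
    counts = Counter(s[group_key] for s in sessions if s.get(risk_key))
    return counts.most_common(n)


def top_n_by_size(sessions, risk_key, n=10):
    """Top-N sessions carrying risk_key, ordered by session size descending."""
    flagged = [(s["ip.src"], s["ip.dst"], s["size"]) for s in sessions if s.get(risk_key)]
    return sorted(flagged, key=lambda t: t[2], reverse=True)[:n]


if __name__ == "__main__":
    for s in large_outbound_to_upload_sites(SESSIONS):
        print("large outbound:", s["ip.src"], "->", s["ip.dst"], s["size"])
    print("top by ip.dst:", top_n_by(SESSIONS, "risk.suspicious", "ip.dst"))
    print("top by ip.src:", top_n_by(SESSIONS, "risk.suspicious", "ip.src"))
    print("top by size:", top_n_by_size(SESSIONS, "risk.suspicious"))
```

Two details worth checking in any re-implementation of these rules: the session that sits exactly at the threshold is included because the rule says "5MB or greater", so the comparison must be >= rather than >; and the outbound rule depends entirely on the feed for its destination side, which is why it is dropped along with the feed rather than rewritten.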
