This table lists all of the delivered RSA Application Rules.
Note: For content that has been discontinued, see Discontinued Content.
| Display Name | Name | Description | ||
|---|---|---|---|---|
| app000002 | tdss_rootkit_variant_beaconing | Detects the beaconing activity of the TDSS Rootkit botnet. | ||
| app000003 | tsone dorkbot beaconing | Detects hosts infected with the TSONE Dorkbot. | ||
| nw00005 | Attachment Overload | Rule looks for more than 4 attachments in a single session. | ||
| nw00015 | IRC File Transfer | Rules looks for file transfers via IRC | ||
| nw00025 | Direct to IP HTTP Request | session with an HTTP request directly to an IP address with no corresponding alias.host meta. | ||
| nw00035 | Tor Outbound | Detects an encrypted network session to an external (non RFC-1918) IP destination that shows at least one indicator of using the Tor protocol for anonymous data access. The possible indicators of Tor are:
An encrypted network session is identified as service 443 (HTTPS), 22 (SSH) or IP protocol 50 (IPSec). A network parser for TLS is required. | ||
| nw00040 | Rogue DHCP Server Detected: Packets | Detects web traffic involving UDP/67 or 68 that is not a legitimate DHCP server. Note: Users must add legitimate DHCP servers to the RogueDHCPServerDetected feed. For details, see Create Feed for Rogue DHCP Server Rule. | ||
| nw00045 | Unusual Port Utilized by Domain Controller | Detects a domain controller or directory server engaged in port activity that is outside the expected ports. For Active Directory port requirements, see the following Microsoft Windows Server article: https://technet.microsoft.com/en-us/...(v=ws.10).aspx Note: This rule must be modified to include the IP address of the local Domain Controller or Directory Server. | ||
| nw02565 | strings decode download | Detects malware that uses "strings.txt" for command and control instructions | ||
| nw02575 | php put with 40x error | Detects PHP puts that create 4 series errors. This may indicate suspicoius or botnet check-in traffic. | ||
| nw02580 | php put to wordpress plugin dir | Detects PHP puts to WordPress plugin directoires. This behavior has been observed by RSA-FirstWatch as potential malware traffic. | ||
| nw02585 | suspicious php put long query | Detects puts to PHP pages that include extremly long query strings. This behavior is often indicative of botnet or malware encoded check-in traffic | ||
| nw02615 | qq download client | detects download of the QQ chinese instant messaging client. | ||
| nw02620 | suspicious PHP url-encoded put | Detects PHP Puts that included URL-encoded data | ||
| nw02625 | suspicious long filename get request | Detects get requests that include extremely long flienames which is often a tactic used malware to encode information. | ||
| nw02635 | php botnet beaconing w | detects botnet beaconing with w=188 in the query string. | ||
| nw02645 | php ini checkin | Detects botnet traffic that uses PHP and .ini files for checkin traffic. | ||
| nw05415 | Windows Credential Harvesting Services | Monitors the installation of Windows services known to be used for pass-the-hash and brute force attacks. These may include psexec, wce, pwdump, cachedump, and gsecdump. | ||
| nw20065 | High Risk File From Blacklisted Host | Detects download of an executable file from a host on a blacklist feed. | ||
| nw20080 | Archive Extension Mismatch | creates meta when a rar or zip file is detected without a rar or zip file extension | ||
| nw20085 | Archive From IP Address | archive directly from an ip address with no corresponding alias.host meta. Often indicative of a second stage tool download after a foothold has been established. | ||
| nw20090 | Small Executable No Host | Indicates a forensic executable detection with a small session size and no corresponding alias.host information. | ||
| nw20095 | Small Executable Extension Mismatch | Indicates a forensic executable detection with a file extension that is not .exe. | ||
| nw20100 | Small Executable No Directory | Indicates a forensic executable detection with no corresponding directory information. | ||
| nw20105 | Small Executable Root Directory | Forensic executable detection from the root directory of a host. | ||
| nw20110 | Small Executable | Forensic executable detection with a small session size. | ||
| nw22300 | Trojan BLT | Detects malicious outbound traffic due to installation of Trojan BLT variants. Either the HTTP_lua or HTTP native parser is required. For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting Trojan BLT Variants Using Security Analytics | ||
| nw22305 | Mirage Malware | Detects malicious outbound traffic due to installation of Mirage malware. The HTTP_lua parser is a required dependency. For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting Mirage Variants Using Security Analytics | ||
| nw22310 | Cmstar Malware | Detects malicious traffic between a command and control server and custom, downloader cmstar variants. Either the HTTP_lua or HTTP native parser is required. For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting Cmstar Variants Using Security Analytics | ||
| nw22315 | Daserf Malware | Detects malicious inbound and outbound traffic between backdoor / malware Daserf variants and a command and control server domain over HTTP. The HTTP_lua parser is required. For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting Daserf Variants Using Security Analytics | ||
| nw22320 | Tendrit Malware | Detects malicious traffic between backdoor/malware Tendrit variants and a command and control server. Either the HTTP_lua or HTTP native parser is required. For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting Tendrit Variants Using Security Analytics | ||
| nw22325 | HttpBrowser Malware | Detects malicious outbound traffic between HttpBrowser Malware variants and a command and control server. Either the HTTP_lua or HTTP native parser is a required dependency. For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting HttpBrowser Variants Using Security Analytics | ||
| nw22330 | Spaeshill Malware | Detects malicious traffic between Spaeshill downloader/malware and a command and control server. Either the HTTP_lua or HTTP native parser is a required dependency. For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting Spaeshill Using Security Analytics | ||
| nw22335 | Taidoor Malware | Detects malicious outbound traffic between a Taidoor infected host and a command and control server. Either the HTTP_lua or HTTP native parser, and the traffic_flow Lua parser, are required. For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting Taidoor Variants using Security Analytics | ||
| nw22340 | KeyBase Keylogger | Detects malicious outbound traffic between a KeyBase Keylogger infected host and a command and control server. Either the HTTP_lua or HTTP native parser, and the traffic_flow Lua parser, are required. For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting KeyBase Keylogger Variants Using Security Analytics | ||
| nw22345 | NetTraveler Malware | Detects malicious outbound traffic between a NetTraveler infected host and a command and control server. Either the HTTP_lua or HTTP native parser, and the traffic_flow Lua parser, are required. For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting NetTraveler Variants Using Security Analytics | ||
| nw22350 | Cerber Ransomare | Detects a set of pay-site hosts for Cerber ransomware that correlate to embedded configuration files for the malware’s set up of bitcoin wallets for each victim. This rule matches when alias.host (packet) or fqdn (web logs) begins with one of the identified pay-sites. For more details about this threat, reference these RSA Link blog posts from RSA Research: Dependencies:
Meta Keys:
| ||
| nw22355 | Locky Malware | Detects malicious outbound traffic between a system infected with Locky Ransomware and command and control server. This rule has the following dependencies:
Meta Key: alert.id - mapped to analysis meta. For more details about this threat, reference this RSA Link blog post from RSA Research: Nemucod and Locky. | ||
| nw22360 | SchoolBell Malware | The SchoolBell rule detects malware associated with ShellCrew's large scale infrastructure harvesting campaign. SchoolBell targets Windows servers running vulnerable versions of Java web containers such as JBoss and Jenkins. The associated SchoolBell rule can be used to detect the malware's callbacks from an infected host. Both the HTTP_lua and traffic_flow parsers are required. | ||
| nw22365 | Dyzap Malware | Dyzap has the ability to steal user names and passwords of email, banking and social media accounts. Once the malware infects a victim machine, it starts sending data to its command and control server via an HTTP POST request. This rule detects a variant seen spreading through phishing email messages. The HTTP_lua and traffic_flow parsers are required. For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting a Dyzap variant using RSA NetWitness | ||
| nw22370 | RIG Exploit Kit | RIG exploit kit is suspected in the compromise of a vulnerable website due to patterns found within the query string. This rule has the following dependencies:
This rule generates the following meta keys:
| ||
| nw22375 | Dreambot Malware | The Dreambot is a banking Trojan spreading via exploit kits and spam e-mails with tor communication and peer-to-peer functionality. This rule detects outbound beaconing activity from the infected host. This rule has the following dependencies:
Generated Meta Keys:
| ||
| nw22380 | CryptoShield Ransomware | CryptoShield ransomware is being distributed through sites that have been compromised so that when a visitor goes to the site, they encounter the attack chain. Once the ransomware is executed on the victim's computer, it generates a unique ID for the victim and an encryption key. This rule detects the upload of this key to the command and control server. DEPENDENCIES: Lua Parsers:
Feeds:
Generated Meta Keys:
| ||
| nw30005 | Only ACK Flag Set in Session Containing Payload | Alerts when sessions containing payload have only ACK flag set. | ||
| nw30010 | DNS Hostnames Resolving Non-Routable IP | DNS names that resolve to non-routable IP address. Often used on parked domains. | ||
| nw30015 | NGINX HTTP Server | Detects web servers running nginx which is often used for malicious purposes. | ||
| nw30050 | Shadow IT: Voice Chat Apps | Detects some voice and chat applications' (e.g. Vonage, VOIPStudio, tinychat, and Yahoo Messenger) usage for potential shadow IT use. | ||
| nw30060 | Windows NTLM Network Logon Successful | Indicates a possible pass-the-hash attack on Windows systems configured to use the NTLM authentication protocol. This rule does not apply to systems which use the Kerberos authentication protocol. The rule reduces false positives for anonymous logons and eliminates all DC or machine logons by removing any usernames that end in a $. We recommend that within the rule logic, you exclude the domain for which the Domain Controller is responsible. Note: This rule detects both v1 and v2 NTLM logs. | ||
| nw45645 | CryptoLocker Beaconing | Detects traffic indicative of the beaconing activity of the Russian CryptoLocker ransom-ware variants. | ||
| nw50005 | Etc Password Get Request | Detects a get request for \/etc/passwd\ | ||
| nw50010 | Etc Shadow Get Request | Detects attempted get request for /etc/shadow | ||
| nw50020 | NTP DDoS Attack 50-byte Request: Packets | Detects UDP/123 traffic with a 50-byte payload. This is indicative of a potential NTP DDoS attack tool. | ||
| nw50021 | NTP DDoS Attack 60-byte Request: Packets | Detects UDP/123 traffic with a 60-byte payload. This is indicative of the NTP request size initiated by the ntpdos.py attack script. | ||
| nw50022 | NTP DDoS Attack 234-byte Request: Packets | Detects UDP/123 traffic with a 234-byte payload. This is indicative of an NTP request generated by a monlist command. | ||
| nw50030 | NTP DDoS Attack 50-byte Request: Netflow | 10.4 or higher. Detects UDP/123 traffic with a 50-byte payload over Netflow. This is indicative of a potential NTP DDoS attack tool. | ||
| nw50031 | NTP DDoS Attack 60-byte Request: Netflow | 10.4 or higher. Detects UDP/123 traffic with a 60-byte payload over NetFlow. This is indicative of the NTP request size initiated by the ntpdos.py attack script. | ||
| nw50032 | NTP DDoS Attack 234-byte Request: Netflow | 10.4 or higher. Detects UDP/123 traffic with a 234-byte payload over Netflow. This is indicative of an NTP request generated by a monlist command. | ||
| nw60005 | DNS Over Non-Standard Port | DNS traffic over ports other than udp 53 | ||
| nw60010 | Non-Standard Port Use - Telnet | telnet over ports other than TCP 23 | ||
| nw60015 | Non-Standard Port Use - FTP | ftp over ports other than TCP 21 | ||
| nw60020 | HTTP over Non-Standard Port | http traffic over a port other than 80 | ||
| nw60025 | Non-Standard Port Use - SSH | Identifies ssh traffic over a port that is not typically used for ssh. | ||
| nw60030 | Non-Standard Port Use - SMTP | Identifies smtp traffic over a port that is not typically used for smtp. | ||
| nw60035 | Non-Standard Port Use - DHCP | Identifies dhcp traffic over a port that is not typically used for dhcp | ||
| nw60040 | Non-Standard Port Use - TFTP | Identifies tftp traffic over a port that is not typically used for tftp. | ||
| nw60045 | Non-Standard Port Use - POP3 | Identifies pop3 traffic over a port that is not typically used for pop3. | ||
| nw60050 | Non-Standard Port Use - NNTP | Identifies nntp traffic over a port that is not typically used for nntp. | ||
| nw60055 | Non-Standard Port Use - RPC | Identifies rpc traffic over a port that is not typically used for rpc. | ||
| nw60060 | Non-Standard Port Use - NetBios | Identifies netbios traffic over a port that is not typically used for netbios. | ||
| nw60065 | Non-Standard Port Use - SMB | Identifies smb traffic over a port that is not typically used for smb. | ||
| nw60070 | Non-Standard Port Use - SNMP | Identifies snmp traffic over a port that is not typically used for snmp. | ||
| nw60075 | Non-Standard Port Use - SSL | Identifies ssl traffic over a port that is not typically used for ssl. | ||
| nw60080 | Non-Standard Port Use - RIP | Identifies rip traffic over a port that is not typically used for rip. | ||
| nw60085 | Non-Standard Port Use - TDS | Identifies tds traffic over a port that is not typically used for tds. | ||
| nw60090 | Non-Standard Port Use - TNS | Identifies tns traffic over a port that is not typically used for tns. | ||
| nw60095 | Non-Standard Port Use - H323 | Identifies h323 traffic over a port that is not typically used for h323. | ||
| nw60100 | Non-Standard Port Use - RTP | Identifies rto traffic over a port that is not typically used for rtp. | ||
| nw60105 | Non-Standard Port Use - SIP | Identifies sip traffic over a port that is not typically used for sip | ||
| nw60110 | Non-Standard Port Use - IRC | Identifies irc traffic over a port that is not typically used for irc. | ||
| nw60115 | Unknown Service Over DNS Port | Detects an unidentified service over a port typically used for DNS traffic. | ||
| nw60120 | Unknown Service Over FTP Port | Detects an unidentified service over a port typically used for FTP traffic. | ||
| nw60125 | Unknown Service Over HTTP Port | Detects an unidentified service over a port typically used for HTTP traffic. | ||
| nw60130 | Unknown Service Over Telnet Port | Detects an unidentified service over a port typically used for telnet traffic. | ||
| nw60135 | Unknown Service Over SMTP Port | Detects an unidentified service over a port typically used for SMTP traffic. | ||
| nw60140 | Unknown Service Over POP3 Port | Detects an unidentified service over a port typically used for POP3 traffic. | ||
| nw60145 | Unknown Service Over IRC Port | Detects an unidentified service over a port typically used for IRC traffic. | ||
| nw60150 | Unknown Service Over NNTP Port | Detects an unidentified service over a port typically used for NNTP traffic. | ||
| nw60155 | Unknown Service Over SMB Port | Detects an unidentified service over a port typically used for SMB traffic. | ||
| nw60165 | Unknown Service Over SSL Port | Detects an unidentified service over a port typically used for SSL traffic. | ||
| nw70010 | Torrent File Download | Detects the download of a .torrent file. | ||
| nw90001 | Bozok RAT Aquisition | Detects web traffic from an internal IP address to the following URL: ss-rat.blogspot.com | ||
| nw90006 | NJRAT Acquisition | 10.4 or higher. Detects web traffic from an internal IP address to the following URL: ge.tt/85SH60t/v/0. | ||
| nw100010 | Facebook Profile | Identifies visits to Facebook profile pages | ||
| nw110015 | ScribD Document Upload | Detects document uploads to the site ScribD. | ||
| nw110025 | File Transport over ICMP | Detects files transported over ICMP. | ||
| nw110030 | File Transport over Unknown Protocol | Detects files transported over unknown protocols. | ||
| nw110035 | Web Access: Rghost | Detects the existence of "rghost.net" in a URL string. Rghost is a very common site for quickly distributing sensitive data and posting and retrieving malicious ( as well as benign) code snippets. It is often used to post the output of competing Threat Actor Groups, usually in the form of usernames, passwords, and credit card numbers gained during successful harvesting campaigns, as well as focused attacks against servers hosting the data. Additionally, it is a large online repository for searchable malware executables. | ||
| nw110040 | Web Access: Pastebin | Detects the existence of "pastebin.com/post.php" in a URL string. Pastebin is a very common site for quickly distributing sensitive data, posting and retrieving malicious and benign code snippets, and is often used to post the output of competing Threat Actor Groups, usually in the form of usernames, passwords, and credit card numbers gained during successful harvesting campaigns as well as focused attacks against servers hosting the data. | ||
| nw110045 | Large Outbound Encrypted session | Detects an Outbound encrypted session where the data size is greater than 5MB. | ||
| nw110050 | RDP over Non-Standard Port | Detects an RDP session over a non-standard port. | ||
| nw110060 | Large Outbound session | Detects Outbound session (encrypted or non-encrypted) where the data size is greater than 5MB. | ||
| nw110065 | Proxy Anonymous Services | Detects use of common proxy services using a list of domains matched against the alias host meta key. The following parsers are required:
| ||
| nw110070 | Proxy Client Download | Detects proxy client file downloads by looking for the file name and extension within the filename meta key. Use of an HTTP network parser is required. | ||
| nw110075 | Remote Control Client Website | Detects use of common remote client download sites. It uses a list of domains matched against the alias host meta key. Use of an HTTP network parser is required. | ||
| nw110080 | Remote Control Client Download | Detects remote client file downloads by looking for the file name and extension within the filename meta key. Use of an HTTP network parser is required. | ||
| nw110085 | Outbound MS Outlook PFF File | Detects outbound MS Outlook PFFs (Personal Folder Files). It does not differentiate between type of PFF (e.g.: .pst, .ost, .pab).
| ||
| nw110095 | Stealth Email Use Large Session | Detects a session larger than 1 MB to the following stealth mail services:
| ||
| nw110105 | Stealth Email Use | Detects a user sign-up or sign-in event for the following stealth mail services:
| ||
| nw110125 | BYOD Mobile Web Agent | Detects use of a web browsing agent for a mobile device. The following is the list of strings looked for within the 'client' meta key to indicate mobile browsing: 'iPad', 'iPhone', 'iPod', 'Android', 'BlackBerry', 'Mobile', 'Opera Mobi', 'Opera Mini', 'Symbian', 'GoBrowser', 'Minimo', 'Netfront', 'Skyfire', 'SEMC-Browser'. | ||
| nw110130 | NTDSXTRACT Tool Download | Detects an internal network session download of NTDSXTRACT. NTDSXTRACT is a tool framework for extracting data from the active directory database file Requires a network parser that supports population of meta keys 'action' and 'filename'. HTTP, FTP, IRC and NFS are examples of such parsers. | ||
| nw110140 | jRAT Download | Detects an internal network session download of jRAT (Java Remote Administration Tool). Requires a network parser that supports population of meta keys 'action' and 'filename'. HTTP, FTP, IRC and NFS are examples of such parsers. | ||
| nw110145 | Cybergate RAT Download | Detects an internal network session download of the Cybergate RAT (Remote Administration Tool). Requires a network parser that supports population of meta keys 'action' and 'filename'. HTTP, FTP, IRC and NFS are examples of such parsers. | ||
| nw110150 | Shadow IT: File Sharing Apps | Detects file sharing application usage for Box, Dropbox, Github and iCloud for potential shadow IT use. | ||
| nw120005 | Passwords over HTTP | Identifies plaintext HTTP logins | ||
| nw120010 | Passwords over FTP | Identifies plaintext FTP logins | ||
| nw120015 | Passwords Over Telnet | Identifies plaintext telnet logins | ||
| nw120020 | Passwords Over Pop3 | Identifies plaintext pop3 logins | ||
| nw120025 | Passwords Over SMTP | Identifies plaintext SMTP logins | ||
| nw120030 | Passwords Over Other Protocols | Identifies plaintext logins with an unidentified service type. | ||
| nw125025 | Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow | Customers who deploy either Cisco IPS or SourceFire Defense Center may benefit from this log-based Application Rule written to detect indicators to CVE-2016-1287: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow. SourceFire signature IDs utilized to detect this vulnerability are '1:36903' and '1:37674' while Cisco IPS signature IDs are 7169-0 and 7169-1. | ||
| nw140005 | Filter Windows Updates | Filters executable downloads from Windows Update. | ||
| nw140010 | Filter Skype Updates | Filters Skype update executables. | ||
| nw140015 | Filter Java Updates | Filters executables involved with Java updates. | ||
| nw140020 | Filter Google Updates | Filters executable updates for Google tools. | ||
| nw140025 | Filter Symantec Updates | Filters Symantec update executables. | ||
| nw140030 | Filter Macromedia Updates | Filters Macromedia update executables. | ||
| nw140035 | Filter Intel Updates | Filters executables associated with Intel updates. | ||
| nw140040 | Filter VMware Updates | Filters executables associated with VMware updates. | ||
| nw140045 | Filter McAfee Updates | Filters executables associated with McAfee updates. | ||
| nw140050 | Filter Adobe Updates | Filters executables associated with Adobe updates. | ||
| NWFL_AccessCardholderData | NWFL_alm:cardholder-data | NWFL App Rule to support Informer Reports | ||
| NWFL_AccountCreated | NWFL_account:created | NWFL App Rule to support Informer Reports | ||
| NWFL_AccountDeleted | NWFL_account:deleted | NWFL App Rule to support Informer Reports | ||
| NWFL_AccountDisabled | NWFL_account:account-disabled | NWFL App Rule to support Informer Reports | ||
| NWFL_AccountModified | NWFL_account:modified | NWFL App Rule to support Informer Reports | ||
| NWFL_AuditSettingChange | NWFL_config:change-audit-setting | NWFL App Rule to support Informer Reports | ||
| NWFL_AuthFailure | NWFL_account:auth-failure | NWFL App Rule to support Informer Reports | ||
| NWFL_AuthSuccess | NWFL_account:auth-success | NWFL App Rule to support Informer Reports | ||
| NWFL_AVSignatureUpdate | NWFL_av:signature-update | NWFL App Rule to support Informer Reports | ||
| NWFL_AVSummary | NWFL_av:virus-summary | NWFL App Rule to support Informer Reports | ||
| NWFL_ClockSynch | NWFL_alm:system-clock-synch | NWFL App Rule to support Informer Reports | ||
| NWFL_ConfigChanges | NWFL_config:config-changes | NWFL App Rule to support Informer Reports | ||
| NWFL_DataAccess | NWFL_access:data-access | NWFL App Rule to support Informer Reports | ||
| NWFL_EncryptFailures | NWFL_encryption:failures | NWFL App Rule to support Informer Reports | ||
| NWFL_EncryptKeyGenChanges | NWFL_encryption:key-gen-and-changes | NWFL App Rule to support Informer Reports | ||
| NWFL_EncryptSuccess | NWFL_encryption:success | NWFL App Rule to support Informer Reports | ||
| NWFL_ErrorEventTypes | NWFL_alm:error-event-types | NWFL App Rule to support Informer Reports | ||
| NWFL_FirewallConfigChange | NWFL_config:fw-config-changes | NWFL App Rule to support Informer Reports | ||
| NWFL_FirewallRuleCat | NWFL_fw:categories | NWFL App Rule to support Informer Reports | ||
| NWFL_FirmwareConfigChange | NWFL_alm:firmware-config-changes | NWFL App Rule to support Informer Reports | ||
| NWFL_FWInboundTraffic | NWFL_fw:inbound-network-traffic | NWFL App Rule to support Informer Reports | ||
| NWFL_FWOutboundTraffic | NWFL_fw:outbound-network-traffic | NWFL App Rule to support Informer Reports | ||
| NWFL_GroupMgmt | NWFL_account:group-management | NWFL App Rule to support Informer Reports | ||
| NWFL_InboundTraffic | NWFL_alm:inbound-network-traffic | NWFL App Rule to support Informer Reports | ||
| NWFL_IntrusionAllActivity | NWFL_intrusion:all-activity | NWFL App Rule to support Informer Reports | ||
| NWFL_LoginDirectAccessSuccess | NWFL_account:logon-success-direct-access | NWFL App Rule to support Informer Reports | ||
| NWFL_LoginFailure | NWFL_account:logon-failure | NWFL App Rule to support Informer Reports | ||
| NWFL_LoginLogout | NWFL_account:login-and-logout | NWFL App Rule to support Informer Reports | ||
| NWFL_LoginSuccess | NWFL_account:logon-success | NWFL App Rule to support Informer Reports | ||
| NWFL_Logout | NWFL_account:logout | NWFL App Rule to support Informer Reports | ||
| NWFL_MailserverErrors | NWFL_ops:mailserver-errors | NWFL App Rule to support Informer Reports | ||
| NWFL_OutboundTraffic | NWFL_alm:outbound-network-traffic | NWFL App Rule to support Informer Reports | ||
| NWFL_PasswordChange | NWFL_account:password-change | NWFL App Rule to support Informer Reports | ||
| NWFL_PrivEscalateFail | NWFL_access:privilege-escalation-failure | NWFL App Rule to support Informer Reports | ||
| NWFL_PrivEscalateSuccess | NWFL_access:privilege-escalation-success | NWFL App Rule to support Informer Reports | ||
| NWFL_RemoteAccessFail | NWFL_access:remote-failure | NWFL App Rule to support Informer Reports | ||
| NWFL_RemoteAccessSuccess | NWFL_access:remote-success | NWFL App Rule to support Informer Reports | ||
| NWFL_RouterConfigChange | NWFL_config:router-change | NWFL App Rule to support Informer Reports | ||
| NWFL_URLBlock | NWFL_fw:url-block | NWFL App Rule to support Informer Reports | ||
| NWFL_URLFiletypes | NWFL_fw:url-filetypes | NWFL App Rule to support Informer Reports | ||
| NWFL_UserAccessFilesrv | NWFL_account:user-accessing-file-servers | NWFL App Rule to support Informer Reports | ||
| NWFL_UserAccessRevoke | NWFL_access:user-access-revoked | NWFL App Rule to support Informer Reports | ||
| NWFL_WinAcctDisabled | NWFL_host:windows:account-disabled | NWFL App Rule to support Informer Reports | ||
| NWFL_WinFileAccess | NWFL_host:windows:file-access | NWFL App Rule to support Informer Reports | ||
| NWFL_WinLocalGrpChange | NWFL_host:windows:local-group-account-changes | NWFL App Rule to support Informer Reports | ||
| NWFL_WinUsrGroupChange | NWFL_host:windows:user-group-account-changes | NWFL App Rule to support Informer Reports | ||
| NWFL_WirelessAdminOps | NWFL_wireless:AdminOperations | NWFL App Rule to support Informer Reports | ||
| spectrum_consume | spectrum_consume | Helper Rule for Spectrum | ||
| spectrum_consume11 | Spectrum Consume 1.1 App Rule | Application rule required for office document/pdf consumption | ||
| ssh to external | ssh to external | Detects when an internal IP address initiates an SSH connection to an external IP address.
An Internal IP address is a private address space defined by RFC-1918. Any IP address not in the private space is considered external. | ||
| tdss_rootkit_variant_beaconing | tdss rootkit variant beaconing | Detects the beaconing activity of the TDSS Rootkit botnet. |