Content Bundles/Packs

Document created by RSA Information Design and Development on Jan 3, 2017Last modified by RSA Information Design and Development on Jun 18, 2018
Version 108Show Document
  • View in full screen mode

As part of the ongoing development of content to combat threats, RSA develops content bundles. These are grouped sets of content (rules, parsers, feeds) that can be deployed as a group from RSA Live.

  • Starter packs: these packs deliver a set of content that are useful as an entry point into threat tracking. RSA delivers the following starter packs:

    • Log Starter pack: this bundle helps organizations view and understand user behaviors (for example lateral movement).
    • Packet Starter pack: this bundle helps organizations view malware related traffic
  • Log Parser pack: this bundle contains all parser files and log collection files.
  • Hunting pack: this bundle helps organizations to quickly hunt for indicators of compromise or anomalous network activity. For details, see Hunting Pack.
  • UEBA Hunting pack: this bundle helps organizations perform UEBA hunting, so they can detect suspicious user and entity behavior. For details, see User and Entity Behavior Analytics (UEBA) Content Pack.
  • Known Threats pack: The Known Threats pack contains a set of content specific to known, identified threats such as malware, crimeware, RAT campaigns, and so on. For details, see Known Threats Pack.
  • Lateral Movement content pack: Lateral movement is a part of the kill chain. After an attack has taken place, which allows entry into a company’s internal environment, lateral movement is the process of elevating credentials and gaining access to additional internal systems. This package of content contains a set of rules that monitor Windows system for lateral movement.

    The Lateral Movement Content Pack:

    • Identifies suspicious Windows login activity to reveal lateral movement attempts

    • Leverages Windows log activity
    • Is delivered as combination of App rules, ESA, and Reports via Live

Deploying a Bundle

You can deploy all of the items in the bundles through Live.

Note: If you are in an environment where you cannot Deploy, you should create a resource package (select > Create) to download a ZIP archive that you can use. Do not use the button, as this does not work for bundles

To deploy a bundle:

  1. Depending on your version:

    • For NetWitness 11.x: Go to CONFIGURE > Live Content.
    • For Security Analytics 10.x: From the Security Analytics menu, select Live > Search.
  2. In the Resource Type field, select Bundle.
  3. Select the bundle you wish to deploy.
  4. Select Deploy, then follow the steps in the wizard.

Related Information 

For more details see the following:

You are here
Table of Contents > RSA NetWitness Platform Content > Bundles