As part of the ongoing development of content to combat threats, RSA develops content bundles. These are grouped sets of content (rules, parsers, feeds) that can be deployed as a group from RSA Live.
Starter packs: these packs deliver a set of content that are useful as an entry point into threat tracking. RSA delivers the following starter packs:
- Log Starter pack: this bundle helps organizations view and understand user behaviors (for example lateral movement).
- Packet Starter pack: this bundle helps organizations view malware related traffic
- Log Parser pack: this bundle contains all parser files and log collection files.
- Hunting pack: this bundle helps organizations to quickly hunt for indicators of compromise or anomalous network activity. For details, see Hunting Pack.
- UEBA Hunting pack: this bundle helps organizations perform UEBA hunting, so they can detect suspicious user and entity behavior. For details, see User and Entity Behavior Analytics (UEBA) Content Pack.
- Known Threats pack: The Known Threats pack contains a set of content specific to known, identified threats such as malware, crimeware, RAT campaigns, and so on. For details, see Known Threats Pack.
Lateral Movement content pack: Lateral movement is a part of the kill chain. After an attack has taken place, which allows entry into a company’s internal environment, lateral movement is the process of elevating credentials and gaining access to additional internal systems. This package of content contains a set of rules that monitor Windows system for lateral movement.
The Lateral Movement Content Pack:
Identifies suspicious Windows login activity to reveal lateral movement attempts
- Leverages Windows log activity
Is delivered as combination of App rules, ESA, and Reports via Live
You can deploy all of the items in the bundles through Live.
To deploy a bundle:
Depending on your version:
- For NetWitness 11.x: Go to CONFIGURE > Live Content.
- For Security Analytics 10.x: From the Security Analytics menu, select Live > Search.
- In the Resource Type field, select Bundle.
- Select the bundle you wish to deploy.
- Select Deploy, then follow the steps in the wizard.
For more details see the following:
Blog on Lateral Movement: https://community.rsa.com/community/products/netwitness/blog/2016/03/09/lateral-movement-windows
Lateral Movement details topic: https://community.rsa.com/docs/DOC-54594
- Announcement of the Hunting Pack: https://community.rsa.com/docs/DOC-63289
- RSA NetWitness Hunting Guide: https://community.rsa.com/docs/DOC-62341