Content Bundles or Packs

Document created by RSA Information Design and Development on Jan 3, 2017Last modified by RSA Information Design and Development on Aug 1, 2019
Version 137Show Document
  • View in full screen mode
 

As part of the ongoing development of content to combat threats, RSA develops content bundles. These are grouped sets of content (rules, parsers, feeds) that can be deployed as a group from RSA Live.

Deploying a Bundle

You can deploy all of the items in the bundles through Live.

Note: If you are in an environment where you cannot Deploy, you should create a resource package (select > Create) to download a ZIP archive that you can use. Do not use the button, as this does not work for bundles

To deploy a bundle:

  1. Depending on your version:

    • For NetWitness 11.x: Go to CONFIGURE > Live Content.
    • For Security Analytics 10.x: From the Security Analytics menu, select Live > Search.
  2. In the Resource Type field, select Bundle.
  3. Select the bundle you wish to deploy.
  4. Select Deploy, then follow the steps in the wizard.

Related Information 

For more details see the following:

Bundles Available in Live

This table lists all of the available bundles.

                                                           
Display NameFile NameDescriptionMediumTags
Endpoint Packendpoint_packDeploying this bundle will download all of the content and content dependencies for NetWitness Endpoint 11.3 and higher to the services appropriate for each content type.

Application Rules:
* Accesses Administrative Share Using Command Shell
* Activates BITS Job
* Adds Files To BITS Download Job
* Adds Firewall Rule
* Allocates Remote Memory
* Antivirus Disabled
* Archiving Software Reads Multiple Documents
* Autorun
* Autorun File Path Not Part Of RPM
* Autorun Key Contains Non-Printable Characters
* Autorun RPM Mismatch
* Autorun Unsigned Active Setup
* Autorun Unsigned AppInit_DLLs
* Autorun Unsigned BHO
* Autorun Unsigned BootExecute Registry Startup Method
* Autorun Unsigned Explorer Registry Startup Method
* Autorun Unsigned Hidden
* Autorun Unsigned IE Toolbar
* Autorun Unsigned In AppDataLocal Directory
* Autorun Unsigned In AppDataRoaming Directory
* Autorun Unsigned In ProgramData Directory
* Autorun Unsigned In Temp Directory
* Autorun Unsigned LogonType Registry Startup Method
* Autorun Unsigned LSA Provider
* Autorun Unsigned ServiceDLL
* Autorun Unsigned Winsock LSP
* Bad Certificate Warning Disabled
* Blacklisted File
* Browser Runs Mshta
* Browser Runs Powershell
* Builds Script Incrementally
* Clears Security Event Log
* Clears System Event Log
* Combines Binaries Using Command Prompt
* Command Line Usage Of Archiving Software
* Completes BITS Download Job
* Configures Image Hijacking
* Configures Port Redirection
* Copies Binary Over Administrative Share
* Created In Last Month
* Creates Browser Extension
* Creates Domain User Account
* Creates Executable In Startup Directory
* Creates Local Driver Service
* Creates Local Service
* Creates Local Task
* Creates Local User Account
* Creates Password-Protected Archive
* Creates Recursive Archive
* Creates Remote Process Using WMI Command-Line Tool
* Creates Remote Service
* Creates Remote Task
* Creates Shadow Volume For Logical Drive
* Creates Suspicious Service Running Command Prompt
* Deletes Backup Catalog
* Deletes Firewall Rule
* Deletes Shadow Volume Copies
* Deletes USN Change Journal
* Disables Firewall
* Disables Security Service
* Disables Startup Repair
* Disables UAC
* Disables UAC Remote Restrictions
* Disables Windows Defender Using Powershell
* Downloads Binary Using Certutil
* Drops Credential Dumping Tools
* Dumps DNS Cache
* Dyld Inserted
* Enables Cleartext Credential Storage
* Enables Login Bypass
* Enables RDP From Command-Line
* Enumerates ARP Table
* Enumerates Available Systems On Network
* Enumerates Domain Account Policy
* Enumerates Domain Administrators
* Enumerates Domain Computers
* Enumerates Domain Controllers
* Enumerates Domain Groups
* Enumerates Domain Users
* Enumerates Enterprise Administrators
* Enumerates Exchange Domain Servers
* Enumerates Exchange Servers
* Enumerates IP Configuration
* Enumerates Local Account Policy
* Enumerates Local Administrators
* Enumerates Local Administrators On Domain Controller
* Enumerates Local Groups
* Enumerates Local Services
* Enumerates Local Users
* Enumerates Logical Disk
* Enumerates Mapped Resources
* Enumerates Network Connections
* Enumerates Primary Domain Controller
* Enumerates Processes On Local System
* Enumerates Processes On Remote System
* Enumerates Remote Netbios Name Table
* Enumerates Remote Resources
* Enumerates Route Table
* Enumerates Services Hosted In Processes
* Enumerates System Info
* Enumerates Trusted Domains
* Event Viewer Executes Uncommon Binary
* Executable In ADS
* Exports Sensitive Registry Hive
* Extracts Password-Protected Archive
* File Encrypted
* File Hidden
* File Path Not Part Of RPM
* File Path Not Part Of RPM In Important System Directory
* File Vault Disabled
* Floating Module
* Floating Module And Hooking
* Floating Module In Browser Process
* Floating Module In OS Process
* Gatekeeper Disabled
* Gets Current User As SYSTEM
* Gets Current Username
* Gets Current Username And Group Information
* Gets Hostname
* Gets Remote Time
* GINA Replacement
* Graylisted File
* LD Preload
* Hidden In AppData
* Hidden Plist And Autorun
* Hidden Running As Root
* Hooks Audio Output Function
* Hooks Authentication Function
* Hooks Crypto Function
* Hooks DnsQuery Function
* Hooks GUI Function
* Hooks Network HTTP Function
* Hooks Network IO Function
* Hooks NtLdr Function
* Hooks Registry Access Function
* Hooks Registry Enumeration Function
* HTTP Daemon Runs Command Prompt
* HTTP Daemon Runs Powershell
* HTTP Daemon Runs Reconnaissance Tool
* HTTP Daemon Writes Executable
* IE DEP Disabled
* IE Enhanced Security Disabled
* In AppData Directory
* In Hidden Directory
* In Recycle Bin Directory
* In Root Of AppDataLocal Directory
* In Root Of AppDataRoaming Directory
* In Root Of Logical Drive
* In Root Of Program Directory
* In Root Of Users Directory
* In System Volume Information Directory
* In Temporary Directory
* In Uncommon Directory
* Installs Root Certificate
* Invalid Signature
* Kext Signature Validation Disabled
* Library Preferences Directory
* Lists Anti-Spyware Products
* Lists Antivirus Products
* Lists Firewall Products
* Login Bypass Configured
* LUA Disabled
* Mac Firewall Disabled
* Malicious File By Reputation Service
* Maps Administrative Share
* Maps IPC$ Share
* Misleading File Extension
* Modifies Registry Using Command-Line Registry Tool
* Modifies Run Key
* Modifies Shell-Open-Command File Association
* Mshta Runs Command Prompt
* Mshta Runs Powershell
* Mshta Runs Scripting Engine
* Mshta Writes Executable
* Network Access
* No Antivirus Notification Disabled
* No Firewall Notification Disabled
* No UAC Notification Disabled
* No Windows Update Notification Disabled
* Non-Microsoft Modifies Bad Certificate Warning Setting
* Non-Microsoft Modifies Firewall Policy
* Non-Microsoft Modifies Internet Zone Setting
* Non-Microsoft Modifies LUA Setting
* Non-Microsoft Modifies Registry Editor Setting
* Non-Microsoft Modifies Security Center Config
* Non-Microsoft Modifies Services ImagePath
* Non-Microsoft Modifies Task Manager Setting
* Non-Microsoft Modifies Windows System Policy
* Non-Microsoft Modifies Zone Crossing Warning Setting
* Office Application Crashed
* Office Application Injects Remote Process
* Office Application Runs BITS
* Office Application Runs Command Prompt
* Office Application Runs Powershell
* Office Application Runs Scripted FTP
* Office Application Runs Scripting Engine
* Office Application Runs Task Scheduler
* Office Application Runs WMI Scripting Engine
* Office Application Writes Executable
* Opens Browser Process
* Opens OS Process
* Opens Process
* Packed
* Packed And Autorun
* Packed And Network Access
* Performs Scripted File Transfer
* Possible Login Bypass
* Possible Mimikatz Activity
* Possible RDP Session Hijacking
* Possibly Configures UAC Bypass
* Possibly Renamed net.exe Detected
* PowerShell Command Using String Manipulation
* Powershell Injects Remote Process
* Powershell Opens LSASS Process
* Powershell Runs Command Prompt
* Powershell Runs Scripting Engine
* Process Authorized In Firewall
* Psexesvc Runs Powershell
* Psexesvc Runs Scripting Engine
* Psexesvc Runs Shell Commands
* Queries Cached Kerberos Tickets
* Queries Processes On Local System
* Queries Processes On Remote System
* Queries Registry Using Command-Line Registry Tool
* Queries Terminal Sessions
* Queries Users Logged On Local System
* Queries Users Logged On Remote System
* Record Screen Captures Using PSR Tool
* Registers Shim Database
* Registry Tools Disabled
* Regsvr32 Creates Windows Task
* Regsvr32 Runs Powershell
* Regsvr32 Runs Rundll32
* Regsvr32 Writes Executable
* RPM Hash Mismatch
* RPM Hash Mismatch In Important System Directory
* Rundll32 Creates Windows Task
* Rundll32 Runs Powershell
* Runs ACL Management Tool
* Runs Active Directory Service Query Tool
* Runs Binary Located In Recycle Bin Directory
* Runs Binary Located In Root Of Logical Drive
* Runs Binary Located In Root Of Program Directory
* Runs Binary Located In Root Of Users Directory
* Runs Binary Located In System Volume Information Directory
* Runs Blacklisted File
* Runs Certutil With Decode Arguments
* Runs Certutil With Encode Arguments
* Runs Certutil With Hashfile Arguments
* Runs Chained Command Shell
* Runs Chmod
* Runs Credential Dumping Tools
* Runs Curl
* Runs Ditto
* Runs DNS Lookup Tool
* Runs File Attributes Modification Tool
* Runs File Transfer Tool
* Runs forfiles.exe
* Runs Graylisted File
* Runs Ifconfig
* Runs Kextload
* Runs Kextstat
* Runs Launchctl
* Runs Malicious File By Reputation Service
* Runs Mshta With HTTP Argument
* Runs Mshta With Script Argument
* Runs Netstat
* Runs Network Configuration Tool
* Runs Network Connectivity Tool
* Runs One Letter Executable
* Runs One Letter Script
* Runs Ping
* Runs Powershell
* Runs Powershell Bypassing Execution Policy
* Runs Powershell Decoding Base64 String
* Runs Powershell Defining Function
* Runs Powershell Downloading Content
* Runs Powershell Invoke-Mimikatz Function
* Runs Powershell Memory Stream Function
* Runs Powershell ShellExecute Function
* Runs Powershell Using Encoded Command
* Runs Powershell Using Environment Variables
* Runs Powershell With Hidden Window
* Runs Powershell With HTTP Argument
* Runs Powershell With Long Arguments
* Runs Ps
* Runs PSEXEC On Remote System And Silently Accepts User License
* Runs Registry Tool
* Runs PSEXEC On Remote System As SYSTEM User
* Runs Regsvr32 COM Scriplets
* Runs Regsvr32 Using One Letter DLL
* Runs Regsvr32 With HTTP Argument
* Runs Regsvr32 Without Arguments
* Runs Remote Execution Tool
* Runs Remote Powershell Command
* Runs robocopy.exe
* Runs Rundll32 Using One Letter DLL
* Runs Rundll32 With HTTP Argument
* Runs Rundll32 With Javascript Argument
* Runs Rundll32 Without Arguments
* Runs Scripting Engine
* Runs Scripting Engine In Batch Mode Using Execution Engine Argument
* Runs Service Control Tool
* Runs Sh
* Runs Shim Database Installer
* Runs Suspicious File By Reputation Service
* Runs Tar
* Runs Tasks Management Tool
* Runs Unzip
* Runs waitfor.exe
* Runs WMI Command-Line Tool
* Runs WMI Scripting Engine
* Runs xcopy.exe
* Safari Fraud Website Warning Disabled
* Scripting Addition In Process
* Scripting Engine Injects Remote Process
* Scripting Engine Runs Powershell
* Scripting Engine Runs Regsvr32
* Scripting Engine Runs Rundll32
* Self Signed
* Services In ProgramData Directory
* Services Runs Command Shell
* Smartscreen Filter Disabled
* Starts Local Service
* Starts RDP Service
* Starts Remote Service
* Stops Error Reporting Service
* Stops Security Service
* Stops Windows Update Service
* Sudo No Password Prompt
* Suspicious File By Reputation Service
* Suspicious REGSVR32.EXE Task
* System Integrity Protection Disabled
* System Restore Disabled
* Task Manager Disabled
* Tasks In ProgramData Directory
* Terminates Process
* Transfers File Using BITS
* UAC Disabled
* Unexpected csrss.exe Parent
* Unexpected Explorer.exe Destination Location
* Unexpected explorer.exe Parent
* Unexpected Explorer.exe Source Location
* Unexpected lsass.exe Parent
* Unexpected lsm.exe Parent
* Unexpected msdtc.exe Parent
* Unexpected OS Process Destination Location
* Unexpected OS Process Source Location
* Unexpected runtimebroker.exe Parent
* Unexpected services.exe Parent
* Unexpected smss.exe Parent
* Unexpected svchost.exe Parent
* Unexpected Svchost Arguments
* Unexpected taskhostw.exe Parent
* Unexpected wininit.exe Parent
* Unexpected winlogon.exe Parent
* Unknown Segment
* Unsigned Copies Self
* Unsigned Creates Remote Thread
* Unsigned Cron Job
* Unsigned Deletes Self
* Unsigned Kext
* Unsigned Module In Signed Process
* Unsigned Reserved Name
* Unsigned Runs Python
* Unsigned Writes Executable
* Unsigned Writes Executable To AppDataLocal Directory
* Unsigned Writes Executable To AppDataRoaming Directory
* Unsigned Writes Executable To Library Application Support Directory
* Unsigned Writes Executable To Library Directory
* Unsigned Writes Executable To Library Preferences Directory
* Unsigned Writes Executable To Scripting Additions Directory
* Unsigned Writes Executable To System Directory
* Unsigned Writes Executable To Var Directory
* Unsigned Writes Executable To Windows Directory
* Unsigned Writes To Autorun
* Uses LibNSS
* Uses LibPCAP
* Uses Mach Injection
* Uses Mach Override
* Warning On Post Redirect Disabled
* Windows Firewall Disabled
* Windows Task Runs Powershell
* Windows Update Disabled
* Wmiprvse Runs Command Shell
* Wmiprvse Runs Powershell
* Wmiprvse Runs Scripting Engine
* Writes Blacklisted File
* Writes Executable To Recycle Bin Directory
* Writes Executable To Root Of Logical Drive
* Writes Executable To Root Of Program Directory
* Writes Executable To Root Of Users Directory
* Writes Executable To System Volume Information Directory
* Writes Graylisted File
* Writes Malicious File By Reputation Service
* Writes Suspicious File By Reputation Service

Feeds:
* Investigation

Lua Parsers:
* File Type Classification

Reports:
* 11.1-11.2 Endpoint Machine Summary Report
* 11.1-11.2 Endpoint Scan Data Autorun and Scheduled Task Report
* 11.1-11.2 Endpoint Scan Data File and Process Outliers Report
* 11.1-11.2 Endpoint Scan Data Host Report
* 11.3 Endpoint Machine Summary Report
* 11.3 Endpoint Network Activity
* 11.3 Endpoint Scan Data Autorun and Scheduled Task Report
* 11.3 Endpoint Scan Data File and Process Outliers Report
* 11.3 Endpoint Scan Data Host Report
endpointthreat, operations, assurance, identity, featured
Hunting Packhunting packThe Hunting Pack is a set of content that derives indicators of compromise and anomalous events. For more details about the contents of the pack and the suggested investigation techniques refer the Hunting Guide, https://community.rsa.com/docs/DOC-62341. Deploying this bundle will download all of the content and content dependencies of the Hunting Pack including the associated feed, Lua parsers and reports.

Note: For deployments prior to 10.6.2, you will also need to configure a set of new meta keys: netname, direction, ioc, boc, eoc, analysis.service, analysis.session, analysis.file. In the Hunting Guide, see the section Hunting Pack > Meta Keys for more information. The traffic_flow Lua parser may be deployed to a Log Decoder, but this is not currently supported through Live. In the Traffic Flow Lua parser documentation, https://community.rsa.com/docs/DOC-44948, see the section Deploy to Log Decoders.
packetapplication analysis, attack phase, event analysis, featured, file analysis, malware, operations, protocol analysis, threat
Known Threats PackKnown Threats PackThis pack contains a set of content specific to known identified threats such as known malware, crimeware, RAT campaigns etc. See the dependencies for a full list of bundled content. For more detailed documentation : https://community.rsa.com/docs/DOC-76524packetcommand and control, crimeware, exploit, featured, malware, remote access trojans, threat
Log Starter PackLog Starter PackThis pack contains a set of starter content specific to log deployments that will help organizations view and understand user behaviors. See the dependencies for a full list of bundled content.logassurance, featured, identity, operations, threat
Packet Starter PackPacket Starter PackThis pack contains a set of starter content specific to packet deployments that will help organizations view malware related traffic. See the dependencies for a full list of bundled content.packetassurance, featured, identity, operations, threat
UEBA EssentialsUEBA PackThe purpose of UEBA Essentials and user-hunting is to detect or bring focus to suspicious user and entity behavior to find potential insider threats, lateral movement by external attackers, or general abuse/misuse of user accounts. Deploying this bundle will download all of the content and content dependencies of UEBA Essentials to the services appropriate for each content type.

REFERENCES
See the UEBA Essentials Hunting Guide at https://community.rsa.com/docs/DOC-86470

VERSIONS SUPPORTED
NetWitness 11.1 and higher

DEPENDENCIES
Application Rules:
* NWFL_access:privilege-escalation-failure
* NWFL_access:privilege-escalation-success
* NWFL_access:remote-failure
* NWFL_access:remote-success
* NWFL_access:user-access-revoked
* NWFL_account:account-disabled
* NWFL_account:auth-success
* NWFL_account:created
* NWFL_account:deleted
* NWFL_account:group-management
* NWFL_account:login-and-logout
* NWFL_account:logon-failure
* NWFL_account:logon-success
* NWFL_account:logon-success-direct-access
* NWFL_account:logout
* NWFL_account:modified
* NWFL_account:password-change
* NWFL_account:user-accessing-file-servers
* NWFL_host:windows:account-disabled
* NWFL_host:windows:local-group-account-changes
* NWFL_host:windows:user-group-account-changes
* RDP over Non-Standard Port
* Windows Credential Harvesting Services
* Windows NTLM Network Logon Successful

Context Hub Lists:
* Admin_Accounts
* Domain_Controllers
* Guest_Accounts
* Host_Blacklist
* Host_Whitelist
* IP_Blacklist
* IP_Whitelist
* Service_Accounts
* User_Blacklist
* User_Whitelist

ESA Rules:
* Account Added to Administrators Group and Removed
* Direct Login By A Watchlist Account
* Failed logins Followed By Successful Login and a Password Change
* Failed Logins Outside Business Hours
* Insider Threat Mass Audit Clearing
* krbtgt Account Modified on Domain Controller
* Lateral Movement Suspected Windows
* Logins across multiple servers
* Malicious Account Creation Followed by Failed Authorization to Neighboring Devices
* Malware Dropper
* Multiple Account Lockouts From Same or Different Users
* Multiple Failed logins Followed By Successful Login
* Multiple Failed Logins from Multiple Diff Sources to Same Dest
* Multiple Failed Logins from Multiple Users to Same Destination
* Multiple Failed Logins from Same User Originating from Different Countries
* Multiple Failed Privilege Escalations by Same User
* Multiple Login Failures by Administrators to Domain Controller
* Multiple Login Failures by Guest to Domain Controller
* Multiple Login Failures from Same Source IP with Unique Usernames
* Multiple Successful Logins from Multiple Diff Src to Diff Dest
* Multiple Successful Logins from Multiple Diff Src to Same Dest
* Privilege Escalation Detected
* Privilege User Account Password Change
* Punycode Phishing Attempt
* RDP Inbound Traffic
* RDP traffic from Same source to Multiple different destinations
* RIG Exploit Kit
* Suspicious Account Removal
* Suspicious Privileged User Access Activity
* User Account Created and Deleted within an Hour
* User Added to Admin Group Same User Login OR Same User su sudo
* User Added to Administrative Group + SIGHUP Detected
* User Login Baseline
* Windows Suspicious Admin Activity: Audit Log Cleared
* Windows Suspicious Admin Activity: Firewall Service Stopped
* Windows Suspicious Admin Activity: Network Share Created
* Windows Suspicious Admin Activity: Shared Object Accessed

Lua Parsers:
* ein_detection_lua
* Kerberos
* LDAP
* NetBIOS_lua
* NTLMSSP_lua
* radius

Reports:
* AWS Access Permissions Modified
* AWS Critical VM Modified
* Identity Management
* Lateral Movement Indicators
* RSA SecurID Authentication Summary
* NetWitness Administration Report
* User Watch
log, packetaction on objectives, attack phase, authentication, authorization, featured, identity, lateral movement, threat

You are here
Table of Contents > RSA NetWitness Platform Content > Bundles

Attachments

    Outcomes