Content Bundles or Packs

Document created by RSA Information Design and Development on Jan 3, 2017Last modified by RSA Information Design and Development on Jan 22, 2019
Version 126Show Document
  • View in full screen mode

As part of the ongoing development of content to combat threats, RSA develops content bundles. These are grouped sets of content (rules, parsers, feeds) that can be deployed as a group from RSA Live.

Deploying a Bundle

You can deploy all of the items in the bundles through Live.

Note: If you are in an environment where you cannot Deploy, you should create a resource package (select > Create) to download a ZIP archive that you can use. Do not use the button, as this does not work for bundles

To deploy a bundle:

  1. Depending on your version:

    • For NetWitness 11.x: Go to CONFIGURE > Live Content.
    • For Security Analytics 10.x: From the Security Analytics menu, select Live > Search.
  2. In the Resource Type field, select Bundle.
  3. Select the bundle you wish to deploy.
  4. Select Deploy, then follow the steps in the wizard.

Related Information 

For more details see the following:

Bundles Available in Live

This table lists all of the available bundles.

Display NameFile NameDescriptionMediumTags
Hunting Packhunting packThe Hunting Pack is a set of content that derives indicators of compromise and anomalous events. For more details about the contents of the pack and the suggested investigation techniques refer the Hunting Guide, Deploying this bundle will download all of the content and content dependencies of the Hunting Pack including the associated feed, Lua parsers and reports.

Note: For deployments prior to 10.6.2, you will also need to configure a set of new meta keys: netname, direction, ioc, boc, eoc, analysis.service, analysis.session, analysis.file. In the Hunting Guide, see the section Hunting Pack > Meta Keys for more information. The traffic_flow Lua parser may be deployed to a Log Decoder, but this is not currently supported through Live. In the Traffic Flow Lua parser documentation,, see the section Deploy to Log Decoders.
packetapplication analysis, attack phase, event analysis, featured, file analysis, malware, operations, protocol analysis, threat
Known Threats PackKnown Threats PackThis pack contains a set of content specific to known identified threats such as known malware, crimeware, RAT campaigns etc. See the dependencies for a full list of bundled content. For more detailed documentation : and control, crimeware, exploit, featured, malware, remote access trojans, threat
Log Starter PackLog Starter PackThis pack contains a set of starter content specific to log deployments that will help organizations view and understand user behaviors. See the dependencies for a full list of bundled content.logassurance, featured, identity, operations, threat
Packet Starter PackPacket Starter PackThis pack contains a set of starter content specific to packet deployments that will help organizations view malware related traffic. See the dependencies for a full list of bundled content.packetassurance, featured, identity, operations, threat
UEBA EssentialsUEBA PackThe purpose of UEBA Essentials and user-hunting is to detect or bring focus to suspicious user and entity behavior to find potential insider threats, lateral movement by external attackers, or general abuse/misuse of user accounts. Deploying this bundle will download all of the content and content dependencies of UEBA Essentials to the services appropriate for each content type.

See the UEBA Essentials Hunting Guide at

NetWitness 11.1 and higher

Application Rules:
* NWFL_access:privilege-escalation-failure
* NWFL_access:privilege-escalation-success
* NWFL_access:remote-failure
* NWFL_access:remote-success
* NWFL_access:user-access-revoked
* NWFL_account:account-disabled
* NWFL_account:auth-success
* NWFL_account:created
* NWFL_account:deleted
* NWFL_account:group-management
* NWFL_account:login-and-logout
* NWFL_account:logon-failure
* NWFL_account:logon-success
* NWFL_account:logon-success-direct-access
* NWFL_account:logout
* NWFL_account:modified
* NWFL_account:password-change
* NWFL_account:user-accessing-file-servers
* NWFL_host:windows:account-disabled
* NWFL_host:windows:local-group-account-changes
* NWFL_host:windows:user-group-account-changes
* RDP over Non-Standard Port
* Windows Credential Harvesting Services
* Windows NTLM Network Logon Successful

Context Hub Lists:
* Admin_Accounts
* Domain_Controllers
* Guest_Accounts
* Host_Blacklist
* Host_Whitelist
* IP_Blacklist
* IP_Whitelist
* Service_Accounts
* User_Blacklist
* User_Whitelist

ESA Rules:
* Account Added to Administrators Group and Removed
* Direct Login By A Watchlist Account
* Failed logins Followed By Successful Login and a Password Change
* Failed Logins Outside Business Hours
* Insider Threat Mass Audit Clearing
* krbtgt Account Modified on Domain Controller
* Lateral Movement Suspected Windows
* Logins across multiple servers
* Malicious Account Creation Followed by Failed Authorization to Neighboring Devices
* Malware Dropper
* Multiple Account Lockouts From Same or Different Users
* Multiple Failed logins Followed By Successful Login
* Multiple Failed Logins from Multiple Diff Sources to Same Dest
* Multiple Failed Logins from Multiple Users to Same Destination
* Multiple Failed Logins from Same User Originating from Different Countries
* Multiple Failed Privilege Escalations by Same User
* Multiple Login Failures by Administrators to Domain Controller
* Multiple Login Failures by Guest to Domain Controller
* Multiple Login Failures from Same Source IP with Unique Usernames
* Multiple Successful Logins from Multiple Diff Src to Diff Dest
* Multiple Successful Logins from Multiple Diff Src to Same Dest
* Privilege Escalation Detected
* Privilege User Account Password Change
* Punycode Phishing Attempt
* RDP Inbound Traffic
* RDP traffic from Same source to Multiple different destinations
* RIG Exploit Kit
* Suspicious Account Removal
* Suspicious Privileged User Access Activity
* User Account Created and Deleted within an Hour
* User Added to Admin Group Same User Login OR Same User su sudo
* User Added to Administrative Group + SIGHUP Detected
* User Login Baseline
* Windows Suspicious Admin Activity: Audit Log Cleared
* Windows Suspicious Admin Activity: Firewall Service Stopped
* Windows Suspicious Admin Activity: Network Share Created
* Windows Suspicious Admin Activity: Shared Object Accessed

Lua Parsers:
* ein_detection_lua
* Kerberos
* NetBIOS_lua
* radius

* AWS Access Permissions Modified
* AWS Critical VM Modified
* Identity Management
* Lateral Movement Indicators
* RSA SecurID Authentication Summary
* NetWitness Administration Report
* User Watch
log, packetaction on objectives, attack phase, authentication, authorization, featured, identity, lateral movement, threat
Previous Topic:Application Rules
You are here
Table of Contents > RSA NetWitness Platform Content > Bundles