Threat Detection Content Update - August 2017

Document created by RSA Product Team Employee on Sep 5, 2017Last modified by RSA Product Team Employee on Sep 5, 2017
Version 2Show Document
  • View in full screen mode


Several changes have been made to the Threat Detection Content in Live. For Added detection you need to add/subscribe to the content via Live, for retired content you'll need to manually remove those, and for additional changes no action is required if you are subscribed to content.



  • Carbanak Sekur Lua Parser - This parser detects the initial handshake of the Sekur trojan used by the Carbanak/Fin 7 threat actor. Sekur uses a custom binary protocol, generally over port 443, to communicate. You'll see the text 'sekur handshake' appear in the 'Indicators of Compromise' meta-key. 
  • Incident Management Report - This report highlights both Incidents and Alerts in the Incident Management Database (IMDB) in 10.6.2 and higher. There is a summary viewing of both Incidents and Alerts, and a detailed view of Alert data. This report can help you keep track of what's in the IMDB to understand what incidents are being worked as well as what alerts could benefit from tuning.

Other bug fixes and changes

  • Traffic Flow Lua Parser - The parser was updated with 'medium = Log' in Live. This enables newer installations that can use medium for content deployment to deploy this parser (and the related options file) to a Log Decoder via Live.

EOPS Policy

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.