Threat Detection Content Update - September 2017

Document created by RSA Product Team Employee on Oct 5, 2017Last modified by RSA Link Team on Oct 5, 2017
Version 3Show Document
  • View in full screen mode


Several changes have been made to the Threat Detection Content in Live. For Added detection you need to add/subscribe to the content via Live, for retired content you'll need to manually remove those, and for additional changes no action is required if you are subscribed to content.



  • CVE-2017-12611 & CVE-2017-9805 - These are two recent Apache Struts vulnerabilities that allow arbitrary code execution. Detection for these have been added to both HTTP_lua and the newly released struts_exploit.lua. They create the meta values 'apache struts exploit attempt' and 'apache struts CVE-2017-9085' in Indicators of Compromise (ioc) respectively. Presence of either of these meta values indicate a possible exploit attempt against a web server. The logic does not know if your web server is vulnerable, that will require your organization to investigate the activity.
  • SSL Blacklist feed - This feed contains SSL/TLS certs that have been associated with malware. If you see these on your network you might have malicious software on your network. In addition this feed includes expanded information in it as well, including but not limited to why the cert was blacklisted, as well as the md5 of a sample that lead to discovery of the certificate.
  • CCleaner - The malicious SSL certificate has been added to the SSL Blacklist feed (above).


We strive to provide timely and accurate detection of threats as well as traits that can help analysts hunt through network and log data. Occasionally this means retiring content that provides little-to-no value.
  • File Transfer Using Non Standard Port - While the logic behind this rule can be useful in specific scenario we're currently restructuring some of our ESA content and attempting to limit as much duplication between ESA rules and App rules in order to make sure the right set of ESA rules are consuming resources on your system(s).

Other bug fixes and changes

  • RSA Fraudaction Intelligence Feeds - We made some backend changes to update the FRI feeds to their new data sources. This resulted in better data quality as better stability.



For additional documentation, downloads, and more, visit the RSA NetWitness Platform page on RSA Link.


EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.