Threat Detection Content Update - October 2017

Document created by RSA Product Team Employee on Nov 1, 2017Last modified by RSA Product Team Employee on Nov 1, 2017
Version 2Show Document
  • View in full screen mode


Several changes have been made to the Threat Detection Content in Live. For Added detection you need to add/subscribe to the content via Live, for retired content you'll need to manually remove those, and for additional changes no action is required if you are subscribed to content.


  • Optionsbleed Detection - This functionality was added to HTTP_lua. You'll see 'http invalid allow methods' in the Service Analysis (analysis.service) meta-key. The meta value appears when the 'Allow' and 'Access-Control-Allow-Methods' headers contain characters other than letters, commas, asterisks, and spaces. 
  • Data Exfiltration - Two different App Rules were added to live that can help show suspicious outbound connections based on size. One rule will flag sessions that are between 500MB and 1GB, and the other will flag sessions that are greater than 1GB. They work by leveraging the 'session.split' and direction meta to find sessions with a large amount of outbound transferred data.Data Exfil
  • JSON RPC (Stratum) protocol - A new protocol (service) was added in addition to how that service is used for cryptomining. The protocol will show up as service '49152', and the mining notification will appear in 'Indicators of Compromise' (ioc). JSONRPC
  • HTTP Decompression - For customers on 11.0+ HTTP_lua has an update that allows you to specific what kinds of HTTP payloads to decompress. By decompressing the payload (request/response) it makes the data available to other parsers on the system. For mRore information on how to leverage this feature please see our documentation on Link.


  • Rig Exploit Kit ESA Rule - Updated to include 'HTML hidden elements' meta in the 'Enablers of Compromise' (eoc) meta key.
  • XOR parser - It now registers 'filetype' directly in addition to ''. This shouldn't have any impact on any other content in the NetWitness Suite.


We strive to provide timely and accurate detection of threats as well as traits that can help analysts hunt through network and log data. Occasionally this means retiring content that provides little-to-no value.
  • DNS lookups from the same source ESA Rule - This rule is being retired in favor of other research that is being conducted, as well as it being prone to being noisy. Stay tuned for some enhanced DNS Tunneling content.


Other bug fixes and changes

  • SSL Blacklist feed - Now available in the following bundles in Live: Start Pack Packets, Known Threats, and Hunting Pack.
  • Traffic flow - Meta is now registered for IP addresses in the 'alias.ip', and 'orig_ip' meta keys.
  • LDAP parser - Bug fixed around uninitialized global variables.
  • NFS parser - Bug fixed around uninitialized global variables.
  • nwll.lua - Various bug fixes


For additional documentation, downloads, and more, visit the RSA NetWitness Platform page on RSA Link.


EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.