Hunting Pack

Document created by RSA Information Design and Development on May 11, 2018
Last modified by RSA Information Design and Development on May 21, 2018
Version 2
The Hunting Pack is a set of content that surfaces indicators of compromise and anomalous events. Deploying this bundle downloads all of the Hunting Pack's content and its dependencies, including the associated feed, Lua parsers and reports.

For more details about the suggested investigation techniques, refer to the RSA NetWitness Hunting Guide.

  • ESA Rule: Webshell Detected
  • Feed: RSA FirstWatch SSL Blacklist
  • Lua parsers:
    • CustomTCP
    • JSON-RPC
    • MSU_rat
    • apt_artifacts
    • china_chopper
    • dns_verbose
    • dyndns
    • fingerprint_java
    • fingerprint_rtf
    • http
    • icmp
    • idn_homograph
    • mail
    • plugx
    • poison_ivy
    • pvid
    • rdp
    • rekaf
    • session_analysis
    • smb
    • struts_exploit
    • supercmd
    • tld
    • tls
    • traffic_flow
    • windows_command_shell
    • windows_executable
    • xor_executable
  • Reports:
    • Hunting Detail
    • Hunting Summary
    • Malware Activity Report