Threat Detection Content Update - June 2018

Document created by RSA Product Team Employee on Jul 31, 2018Last modified by RSA Product Team Employee on Jul 31, 2018
Version 2Show Document
  • View in full screen mode


Several changes have been made to the Threat Detection Content in Live. For Added detection you need to add/subscribe to the content via Live, for retired content you'll need to manually remove those, and for additional changes no action is required if you are subscribed to content.




  • Major updates were made in Kerberos, SMB_lua, DCERPC parsers to aid in detection Lateral Movement. Updates were made to extract useful information from Kerberos requests and reposes to detect possible skeleton key attacks. Function names are now pulled out of DCERPC (this can help with detecting mimikatz on your network), and more thorough SMB parsing increases visibility. 
    • Kerberos:
    • SMB_lua:
    • DCERPC:
  • DNS_verbose_lua – This parser was updated to better detect base64 encoded (key type RR) text for further analysis by analyst to identify potential source and attack vectors related to amplifications attacks eventually leading to a DDoS.
  • HTTP_lua - Updated with the improved functionality of detecting HTTP requests with path and host header mismatched. Detection is more fine-tuned by excluding examining port numbers and some other values to avoid potential false positives. Additionally a mismatch between the request path specified a host and the value of the HOST:header indicates possible domain fronting.
  • MAIL_lua – Functionally has been added into MAIL_lua parser to register meta for the presence of base64 encoded email attachments. This will give an analyst more visibility into emails that have base64 encoded attachments, and can better detect incoming attacks vectors like malicious command strings which might download malware executables or malicious scripts.
  • Content QuickStart Guide is updated to reference the Unified Data Model (UDM) for content creation. UDM is available on Link:
  • RSA Content space has been reorganized to help customers by allowing for better readability and understanding of content for solving issues. All informational content documents are linked to this page to allow easy access to different content guides, tools and content documentations. 


We strive to provide timely and accurate detection of threats as well as traits that can help analysts hunt through network and log data. Occasionally this means retiring content that provides little-to-no value.

  • Multiple ESA rules have been marked discontinued due to various reasons. The logic and deploy-able RSA Live packages are published on RSA NetWitness public GitHub Repository. Customers, Analysts and others can access it via this link: Access has been removed via the RSA NetWitness Live.
  • The following ESA rules are discontinued after careful consideration of changed attack vectors and new techniques. New content has been developed which replaces or improves detection over following discontinued ESA rules:
    • Brute Force Login to Same Destination
    • Brute Force Login From Same Source
    • Multi Service Connection Attempt Pckt
    • Multi Service Connection Attempt Log
    • System Configuration Changes by a Non Admin User
    • Port Scan Message Log
    • Detection of High Volume of TCP Resets using NetFlow
    • UDP DoS Tool Use Detection
    • Dos Logged and Service Shutdown
  • Following ESA Rules are discontinued because threat is no longer relevant and existing logic is not effective:
    • WebSploit Tool Download
    • Low Orbit Ion Cannon
  • Following ESA rules are discontinued and replaced by logic in app rules:
    • Non DNS Traffic on TCP or UDP Port 53 Containing Executable
    • Non HTTP Traffic on TCP Port 80 Containing Executable
    • Non SMTP Traffic on TCP Port 25 Containing Executable
    • Cybergate RAT
    • jRAT
  • Follwing ECAT ESA rules are discontinued as these are outdated with the new Endpoint integration starting in version 11.1:
    • ECAT alert with botnet
    • ECAT alert with beaconing
    • ECAT Alert With Audit Log Cleared
    • ECAT alert with suspicious encrypted traffic
    • ECAT alert with SSH Traffic on same source
    • Reception of executable file followed by ECAT alert
    • File Transfer followed by ECAT alert from same source
    • IPS alert target generates an ECAT alert
    • Intrusion alert source generates an ECAT alert
    • Third Party IOC IP and Domain Feed Hit and an ECAT alert
    • Malware Domains feed hit followed by an ECAT alert
    • Malware IP List feed hit followed by an ECAT alert
  • Following correlation rules and related content has been discontinued as they provide less investigative value and limited correlation options with new and improved attack vectors. New content has been developed which replaces or improves detection over following discontinued ESA rules:
    • Bulk_Data_transfer_Scan
    • Database_Scan
    • port_scan
    • web_scan
    • windows_automated_explicit_logon 
  • Discontinued Report Rules. These leveraged the above retired correlation rules:
    • IPv4 Horizontal Port Scans
    • IPv4 Vertical Port Scans
    • IPv6 Horizontal Port Scans
    • IPv6 Vertical Port Scans
    • Windows Automated Explicit Logon
  • Discontinued Reports. This report contained the retired report rules:
    • Scanning Activity
  • App Rule ‘Facebook Profile’ is discontinued as Facebook traffic is all encrypted now. So the rule will no longer trigger.


EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.


For additional documentation, downloads, and more, visit the RSA NetWitness Platform page on RSA Link.


EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.