Threat Detection Content Update - October 2018

Document created by Rajas Save on Oct 8, 2018

Summary:

Several changes have been made to the Threat Detection Content in Live. To use the added detection content, deploy or download it and subscribe to it via Live; retired content must be removed manually.


Additions:

fingerprint_windows_registry Lua Parser – A new parser is released to detect Windows Registry hive files on the wire. A registry hive is a logical group of keys, subkeys, and values in the registry, backed by a set of supporting files that contain backups of its data. Each hive file contains specific registry information pertaining to the user's application settings, desktop, environment, network connections, and printers. Adversaries can use this information to craft attacks tailored to a specific system according to its registry state. With the fingerprint_windows_registry parser, analysts can now detect Windows Registry hive files on the network, which helps in the investigation of various Windows-based incidents.
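To make the detection concrete, here is an added illustrative fingerprint check written for this note; it is not the fingerprint_windows_registry parser itself and does not claim to reproduce its logic. It relies only on the documented layout of a hive's base block (the "regf" signature, the primary/secondary sequence numbers, the version fields, the UTF-16LE hive name at offset 0x30, and the XOR-32 checksum at offset 0x1FC). The sample hive header and the sample HTTP payload are constructed inline so the script runs offline.

```python
import struct
from typing import Optional

REGF_SIGNATURE = b"regf"
BASE_BLOCK_MIN = 512  # the checksum field sits at 0x1FC, so 512 bytes is enough to validate a header


def regf_checksum(base_block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs at 0x000..0x1FB, with the documented special cases."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:0x1FC]):
        acc ^= dword
    if acc == 0:
        return 1
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return acc


def fingerprint_registry_hive(buf: bytes) -> Optional[dict]:
    """Return hive metadata if buf starts with a plausible hive base block, else None."""
    if len(buf) < BASE_BLOCK_MIN or buf[:4] != REGF_SIGNATURE:
        return None
    primary_seq, secondary_seq = struct.unpack_from("<II", buf, 0x04)
    major, minor, file_type, file_format = struct.unpack_from("<IIII", buf, 0x14)
    stored_checksum = struct.unpack_from("<I", buf, 0x1FC)[0]
    # The hive name is a 64-byte UTF-16LE field at 0x30 (e.g. "SYSTEM", "SOFTWARE" or a path tail).
    hive_name = buf[0x30:0x70].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "hive_name": hive_name,
        "version": f"{major}.{minor}",
        "file_type": file_type,           # 0 = primary hive file
        "file_format": file_format,
        "checksum_ok": stored_checksum == regf_checksum(buf),
        "dirty": primary_seq != secondary_seq,  # mismatch means the hive was not cleanly flushed
    }


def scan_payload(payload: bytes) -> list:
    """Find every offset in a captured payload at which a valid hive header starts."""
    hits, pos = [], payload.find(REGF_SIGNATURE)
    while pos != -1:
        fp = fingerprint_registry_hive(payload[pos:])
        if fp is not None and fp["checksum_ok"]:
            fp["offset"] = pos
            hits.append(fp)
        pos = payload.find(REGF_SIGNATURE, pos + 1)
    return hits


def build_sample_hive_header(hive_name: str) -> bytes:
    """Constructed sample base block (not a real hive) with a correct checksum."""
    hdr = bytearray(BASE_BLOCK_MIN)
    hdr[0:4] = REGF_SIGNATURE
    struct.pack_into("<II", hdr, 0x04, 7, 7)              # primary == secondary: clean hive
    struct.pack_into("<Q", hdr, 0x0C, 0)                  # last-written FILETIME, zero in this sample
    struct.pack_into("<IIII", hdr, 0x14, 1, 5, 0, 1)      # major 1, minor 5, type 0, format 1
    struct.pack_into("<III", hdr, 0x24, 0x20, 0x1000, 1)  # root cell, hbin data size, clustering
    name = hive_name.encode("utf-16-le")[:64]
    hdr[0x30:0x30 + len(name)] = name
    struct.pack_into("<I", hdr, 0x1FC, regf_checksum(bytes(hdr)))
    return bytes(hdr)


if __name__ == "__main__":
    # Constructed payload: an HTTP response carrying a hive file body.
    http_prefix = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    for hit in scan_payload(http_prefix + build_sample_hive_header("SYSTEM")):
        print(hit)
```

The checksum verification is what separates a genuine hive header from the four bytes "regf" appearing by chance in arbitrary traffic; the `dirty` flag is extra context for an analyst, since a hive copied while in use will typically carry mismatched sequence numbers.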


Amazon VPC Traffic Flow Report – A new report is released to provide insights on Amazon VPC traffic flow.

A detailed configuration guide can be found here: Amazon VPC 

The following NetWitness report rules are released and are required for the Amazon VPC Traffic Flow Report:

  • Amazon VPC Top Accepted Destination IP - The report rule fetches the top 10 accepted Destination IP addresses based on the total bytes transferred.
  • Amazon VPC Top Accepted Destination Ports - The report rule fetches the details of top accepted Destination Ports with their occurrences.
  • Amazon VPC Top Accepted Source IP - The report rule fetches the top 10 accepted Source IP addresses based on total bytes transferred.
  • Amazon VPC Top Rejected Destination IP - The report rule fetches the top 10 rejected Destination IP addresses based on total bytes transferred.
  • Amazon VPC Top Rejected Destination Ports - The report rule fetches the details of top rejected Destination Ports with their occurrences.
  • Amazon VPC Top Rejected Source IP - The report rule fetches the top 10 rejected Source IP addresses based on total bytes transferred.
  • Amazon VPC Top Source and Destination IP Pair - The report rule fetches the top 10 accepted Source IP and Destination IP address pairs based on total bytes transferred.
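The rules above are aggregations over VPC flow log records. The following added example, written for this note and not taken from the NetWitness rules or from AWS, reproduces the same aggregations in plain Python over the default (version 2) flow log format, so an analyst can sanity-check report output against raw log lines. It generalizes slightly: one `top_by_bytes` helper serves the IP, port and pair rules, and NODATA/SKIPDATA records (whose address and byte fields are "-") are skipped rather than miscounted. The log lines are constructed sample data.

```python
from collections import Counter
from typing import Callable, Hashable, List, Tuple

# Default VPC flow log (version 2) field order.
VPC_FLOW_FIELDS = (
    "version account-id interface-id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log-status"
).split()

# Constructed sample flow log; addresses are documentation ranges.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.12 203.0.113.5 49152 443 6 20 18000 1539000000 1539000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.12 203.0.113.5 49153 443 6 12 9000 1539000000 1539000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 198.51.100.7 51000 53 17 2 300 1539000000 1539000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.12 40000 22 6 3 180 1539000000 1539000060 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.12 40001 3389 6 3 180 1539000000 1539000060 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.99 10.0.1.30 40002 22 6 1 60 1539000000 1539000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1539000000 1539000060 - NODATA
"""


def parse_vpc_flow_log(text: str) -> List[dict]:
    """Parse version-2 flow log lines into dicts, dropping malformed and NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(VPC_FLOW_FIELDS):
            continue  # not the default format; a custom format would need its own field list
        rec = dict(zip(VPC_FLOW_FIELDS, parts))
        if rec["log-status"] != "OK":
            continue  # NODATA/SKIPDATA rows carry "-" in the address, port and byte fields
        rec["packets"] = int(rec["packets"])
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def top_by_bytes(records: List[dict], action: str,
                 key: Callable[[dict], Hashable], n: int = 10) -> List[Tuple[Hashable, int]]:
    """Top-n keys (IP, port or pair) for a given action, ranked by total bytes transferred."""
    totals: Counter = Counter()
    for rec in records:
        if rec["action"] == action:
            totals[key(rec)] += rec["bytes"]
    return totals.most_common(n)


def top_by_occurrence(records: List[dict], action: str,
                      field: str, n: int = 10) -> List[Tuple[str, int]]:
    """Top-n values of a field for a given action, ranked by number of flow records."""
    counts = Counter(rec[field] for rec in records if rec["action"] == action)
    return counts.most_common(n)


def amazon_vpc_report(text: str) -> dict:
    """Compute the seven aggregations the Amazon VPC Traffic Flow Report rules describe."""
    recs = parse_vpc_flow_log(text)
    pair = lambda r: (r["srcaddr"], r["dstaddr"])
    return {
        "accepted_dst_ip": top_by_bytes(recs, "ACCEPT", lambda r: r["dstaddr"]),
        "accepted_dst_ports": top_by_occurrence(recs, "ACCEPT", "dstport"),
        "accepted_src_ip": top_by_bytes(recs, "ACCEPT", lambda r: r["srcaddr"]),
        "rejected_dst_ip": top_by_bytes(recs, "REJECT", lambda r: r["dstaddr"]),
        "rejected_dst_ports": top_by_occurrence(recs, "REJECT", "dstport"),
        "rejected_src_ip": top_by_bytes(recs, "REJECT", lambda r: r["srcaddr"]),
        "accepted_src_dst_pair": top_by_bytes(recs, "ACCEPT", pair),
    }


if __name__ == "__main__":
    for name, rows in amazon_vpc_report(SAMPLE_FLOW_LOG).items():
        print(name, rows)
```

Note that the two "Ports" rules rank by number of occurrences while the IP and pair rules rank by bytes, which is why the helper is split in two; a port that appears in many small REJECT flows (for example repeated probes of a closed port) ranks high on the occurrence view but may be invisible on a bytes view.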


Traffic Flow in Azure NSG and Amazon VPC – A new report is released to provide insights on Azure NSG and Amazon VPC traffic flow.

Detailed information about the Azure NSG traffic flow and its integration can be found here: Microsoft Azure NSG & NetWitness Integration  

A detailed configuration guide can be found here: Microsoft Azure NSG Event Source Configuration Guide  


Changes:

RDP_lua parser – Functionality has been added to extract the screen resolution and usernames from RDP sessions, to better identify attacks such as ICS attacks. The username is now extracted to the key 'username' and the screen resolution to the key 'analysis.service'.


phishing_lua parser – This parser is updated with efficiency improvements and can now also parse URLs that don't begin with http(s)://.


traffic_flow Lua parser – Functionality has been added to provide directionality information to other parsers without using meta-callbacks, for better efficiency.


EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.
