NetWitness announces the release of the following threat content and publications:
At NetWitness we understand how devastating it can be to find yourself impacted by a ransomware attack. This primer was created to provide a ransomware FAQ on basic ransomware concepts and equip IT and non-IT professionals with a greater understanding of this growing threat.
- RSA Netwitness Threat Content Coverage Breakdown for Top MITRE ATT&CK® Techniques
- MITRE ATT&CK® Coverage Breakdown for RSA Netwitness Threat Content
OPSWAT rules (Endpoint)
OPSWAT (MetaDefender Core) provides advanced malware detection capabilities by scanning files with multiple anti-malware engines simultaneously. OPSWAT is integrated into the endpoint servers.
The following OPSWAT app rules are now available on RSA Live:
- opswat reported infected
- opswat reported suspicious
- process with opswat reported infected
- process with opswat reported suspicious
See the following article for details on how to configure OPSWAT scans:
AWS CloudTrail – Anomalous Activity Detection App Rules
AWS CloudTrail is an AWS service that helps in governance, compliance and operational risk auditing of an AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. We have used CloudTrail Events to create Log based App Rules and ESA Rules which will be effective in detecting Anomalous Behavioral Activity across multiple AWS services and will be helpful in maintaining security monitoring.
- EC2 - Multiple instances created
- EC2 - Multiple large instances created
- EC2 - Multiple instances terminated
- Critical changes to logging
Event Streaming Analytics (ESA) Rules
AWS CloudTrail - Anomalous Activity Detection ESA Rules
- IAM - Multiple failed API calls from a single user (Unauthorized Access)
- IAM - Multiple users created within a short period of time
- IAM - Multiple users deleted within a short period of time
- IAM - Multiple worldwide successful console logins were observed
- EC2 - Multiple instances created within a short period of time
- EC2 - Multiple large instances created within a short period of time
- EC2 - Multiple instances terminated within a short period of time
- EC2 - Multiple instances created in multiple regions within a short period of time
- S3 - Mass copy objects
- S3 - Mass delete objects
- S3 - Buckets enumerated
Threat Intel Feeds
OSINT (open-source intelligence) IP Threat Intel Feed
This feed contains IP Address (IPv4 and IPv6) indicators that are suspected to be malicious. These indicators are extracted from multiple openly available sources (OSINT) and aggregated and scored through a partnership with ThreatConnect. The score (ThreatAssess) combines the severity and confidence of an indicator into a single value to help analysts understand the potential risk when that indicator is observed in their environment. This feed will trigger when one of the feed indicators is observed in network, log, and/or endpoint event data.
OSINT Non-IP Threat Intel Feed
This feed contains Non-IP Address, text-based indicators like Host, URL, File Hashes etc. that are suspected to be malicious. These indicators are extracted from multiple openly available sources (OSINT) and aggregated and scored through a partnership with ThreatConnect. The score (ThreatAssess) combines the severity and confidence of an indicator into a single value to help analysts understand the potential risk when that indicator is observed in their environment. This feed will trigger when one of the feed indicators is observed in network, log, and/or endpoint event data.
More details can be found on RSA Link at https://community.rsa.com/t5/netwitness-blog/introducing-the-new-rsa-osint-threat-feeds/ba-p/521129
The Investigation feed generates metadata based upon the Investigation Model and MITRE ATT&CK® framework to assist an analyst with threat hunting and content generation. This is useful for front-line analysts as it minimizes the time dedicated to mining logs or sessions in support of their findings. To trigger the feed, a match to an application rule or part of a Lua parser logic is required.
More details can be found on RSA Link at https://community.rsa.com/docs/DOC-62303
The following Investigate Profiles, Meta Groups and Column Groups for the UI
- ATT&CK Tactics
- ATT&CK Techniques
- Device classes
- UEBA models
- MS Azure Graph Plugin
New plugin that can be used to collect any type of events/alerts from MS Graph API
Updated cloud integration:
- Amazon CloudWatch Plugin
Added support for AWS Windows AD and Windows VM logs
- S3 Universal Connector
Added support for AWS Windows AD and Windows VM logs
- MS Azure Monitor
Added support for Azure Sentinel Incidents
- MS Azure NSG
Added support for Gov cloud endpoint
- MS Office 365
- Google Cloud
Protocol (Lua) Parsers
Identifies Oracle TNS database protocol. Extracts database, client host, client program, and username.
Added specific meta for v1 negotiate and setup commands and responses.
Expanded support for Unicode character encodings.
Added extraction of action meta from EFSRPC
Expanded support for character encodings.
Added specific meta for authentication mechanisms.
Expanded plaintext credential detection and extraction.
Added support for decompression of brotli encoded responses (11.6+ only)
Added extraction of credentials from PLAIN and LOGIN authentication mechanisms
Added extraction of credentials from LOGIN authentication mechanism.
Improved identification of IMAP sessions.
Added detection of hex-encoded TXT records.
Improved identification of DNS sessions.
- Symantec Antivirus/Endpoint Protection
- Tenable Network Security Nessus
- Cisco IOS
- Pulse Secure
- Windows Events (Snare)
- Aruba ClearPass Policy Manager
- Trend Micro IMSS
- Rapid7 NeXpose
- Palo Alto Networks Firewall
- Astaro Security Gateway
- Fortinet FortiGate
- Microsoft Windows
- Big-IP Access Policy Manager
- Windows Events (NIC)
- Symantec CEP
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.