Several changes have been made to the Threat Detection Content in Live. For added detection you need to deploy/download and subscribe to the content via Live, for retired content you'll need to manually remove those.
RSA NetWitness Endpoint 11.3
For RSA NetWitness Platform 11.3, a new content pack was delivered, the Endpoint Content bundle. Additionally, new Endpoint content is being delivered out-of-the-box with 11.3:
Endpoint Content bundle:
Approximately 400 application rules
File Category Lua parser
OOTB Content delivered with NetWitness 11.3:
ESA Endpoint Risk Scoring Rule bundle
Risk Score Configuration
In Live, select the drop-down menu for Medium, and select endpoint to search for Endpoint specific content. You can also deploy the Endpoint bundle to get all of the Endpoint content at once. For more information on the content and deployment, please see the topic for Endpoint Content.
RSA NetWitness Lua Parsers:
fingerprint_deb - Detects Debian package files. Meta will be output as filetype = ‘deb’.
eicar - Detects the EICAR test string (useful for proving visibility). Meta will be output as analysis.session = ‘eicar test string’.
RSA NetWitness Log-Based Application Rules:
Application rules were developed to detect credential dumping and pass the hash Mitre ATT&CK techniques. All rules will populate the Indicators of Compromise meta key as named below.
Pass the Hash - Indicates a possible pass-the-hash attack on a Windows system configured to use the NTLM authentication protocol. The rule reduces false positives by excluding anonymous logons, domain controller and machine logons and those that are not local accounts. It is recommended to exclude the domain for which the domain controller is responsible within the rule logic, since an attacker would typically not have this information and it could increase rule accuracy.
Remote Thread into LSASS – Detects when a process creates remote thread into target process of LSASS. This is detected through sysmon logs and indicates probable credential dumping.
LSASS Access - Detects suspicious access to lsass.exe through sysmon logs. This process access indicates probable credential dumping.
Named Pipe into LSASS - Detects when a suspicious Named Pipe is created or connected to target process of LSASS. This is detected through sysmon logs and indicates probable credential dumping.
TLS_lua parser – Now identifies TLS 1.3. Certificate meta accuracy was increased. Certificate validation is now extracted (in many cases), e.g. extended validation, domain validation.
xor_executable_lua - Hex encoded executables are now detected .
phishing_lua - Updated for accuracy and efficiency.
http_sql_injection – Updated for accuracy and efficiency.
HTTP_lua – Increased accuracy for username and password extraction. Identifies increased number of sessions.
SMB_lua - Identifies increased number of sessions.
Ghost lua – Updated for ZEGOST detection
Archive Extension Mismatch app rule – Extended compressed file types and modified to reduce false positives to Office file types
ESA rules: These ESA rules were updated due to changes in 11.3 or mutli-valued meta. See ESA Alerting Guide for more information.
RIG Exploit Kit
AWS Critical VM Modified
Multiple Successful Logins from Multiple Diff Src to Same Dest
Multiple Successful Logins from Multiple Diff Src to Diff Dest
Multiple Failed Logins from Multiple Diff Sources to Same Dest
Multiple Failed Logins from Multiple Users to Same Destination
User Login Baseline
ESA Rules – Did not provide customer value due to number of alerts or implementation.