RSA NetWitness® Platform Product Advisories

Read and subscribe to the latest announcements and advisories relating to the RSA NetWitness Platform product.
Threat Detection Content Update - June 2018

Summary:

Several changes have been made to the Threat Detection Content in Live. For added detection you need to add or subscribe to the content via Live; retired content you will need to remove manually; for the remaining changes no action is required if you are already subscribed to the content.

 

Changes

Hunting

  • Major updates were made to the Kerberos, SMB_lua and DCERPC parsers to aid in detecting lateral movement. Updates were made to extract useful information from Kerberos requests and responses to detect possible skeleton key attacks. Function names are now pulled out of DCERPC (this can help with detecting mimikatz on your network), and more thorough SMB parsing increases visibility.
    • Kerberos: [screenshot: kerb.png]
    • SMB_lua: [screenshot: smb_lua.png]
    • DCERPC: [screenshot: dcerpc.png]
  • DNS_verbose_lua – This parser was updated to better detect base64-encoded text (key type RR) for further analysis by an analyst, who can then identify the potential source and attack vectors of amplification attacks that may eventually lead to a DDoS.
    [screenshot: dns.png]
  • HTTP_lua – Updated with improved detection of HTTP requests whose request path and Host header do not match. Detection has been fine-tuned by excluding port numbers and some other values from the comparison to avoid potential false positives. A mismatch between the host specified in the request path and the value of the Host header indicates possible domain fronting.
    [screenshot: https.PNG]
  • MAIL_lua – Functionality has been added to the MAIL_lua parser to register meta for the presence of base64-encoded email attachments. This gives an analyst more visibility into emails that carry base64-encoded attachments and helps detect incoming attack vectors such as malicious command strings that might download malware executables or malicious scripts.
    [screenshot: maillua.PNG]
  • Content QuickStart Guide is updated to reference the Unified Data Model (UDM) for content creation. UDM is available on Link: https://community.rsa.com/community/products/netwitness/rsa-content/udm
  • RSA Content space has been reorganized to help customers by allowing for better readability and understanding of content for solving issues. All informational content documents are linked to this page to allow easy access to different content guides, tools and content documentations. 
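
The path/Host mismatch check described for HTTP_lua, written out as an added Python illustration; this is not the RSA parser's Lua code. The request samples are constructed, and the port-stripping normalisation is an assumption about what the parser excludes from the comparison.

```python
"""Host/path mismatch detector: an added illustration of the HTTP_lua change,
not the RSA parser itself. Samples below are constructed."""
from urllib.parse import urlsplit

# Constructed sample requests (header section only, as seen on the wire).
SAMPLE_REQUESTS = [
    # Absolute-form request-target whose host matches the Host header: benign.
    b"GET http://cdn.example.net/app.js HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n",
    # Same host; only port and letter case differ, so it must not alert.
    b"GET http://cdn.example.net:8080/app.js HTTP/1.1\r\nHost: CDN.example.net\r\n\r\n",
    # Host in the request path differs from the Host header: possible fronting.
    b"GET http://cdn.example.net/c2 HTTP/1.1\r\nHost: hidden.example.org\r\n\r\n",
    # Origin-form request-target carries no host, so there is nothing to compare.
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]


def _strip_port(host: str) -> str:
    """Normalise a Host header value: lowercase and drop any :port suffix
    (assumed to mirror the parser's exclusion of port numbers)."""
    host = host.strip().lower()
    if host.startswith("["):               # IPv6 literal such as [::1]:443
        return host[1:].split("]", 1)[0]
    return host.rsplit(":", 1)[0] if ":" in host else host


def host_mismatch(raw: bytes):
    """Return (path_host, header_host) when they disagree, else None.

    Only absolute-form request lines (scheme://host/...) carry a host to
    compare; origin-form paths and requests without a Host header are skipped.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or "://" not in parts[1]:
        return None
    path_host = urlsplit(parts[1]).hostname   # lowercased, port removed
    header_host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            header_host = _strip_port(value)
            break
    if not path_host or header_host is None:
        return None
    return (path_host, header_host) if path_host != header_host else None


def scan(requests):
    """Indexes of the requests that would get the mismatch meta registered."""
    return [i for i, r in enumerate(requests) if host_mismatch(r) is not None]
```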

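The base64-attachment meta described for MAIL_lua, as an added Python illustration built on the standard library's MIME parser; it is not RSA's parser code, and the message below is constructed.

```python
"""Base64 attachment check: an added illustration of the MAIL_lua change,
not the RSA parser itself. The message below is constructed."""
import base64
from email import message_from_bytes

# Constructed payload and a two-part message carrying it as a base64 attachment.
SAMPLE_PAYLOAD = b"echo constructed sample, not a real payload"
SAMPLE_MAIL = (
    b"From: sender@example.org\r\n"
    b"To: analyst@example.com\r\n"
    b"Subject: invoice\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    b"\r\n"
    b"--XYZ\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"See attached.\r\n"
    b"--XYZ\r\n"
    b'Content-Type: application/octet-stream; name="run.cmd"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="run.cmd"\r\n'
    b"\r\n"
    + base64.b64encode(SAMPLE_PAYLOAD) + b"\r\n"
    b"--XYZ--\r\n"
)


def base64_attachments(raw: bytes) -> list:
    """Return (filename, content_type, decoded_size) for every MIME part that
    is delivered base64-encoded as an attachment. Parts that are base64 but
    carry neither a filename nor an attachment disposition are ignored, so
    ordinary base64-encoded text bodies do not register."""
    msg = message_from_bytes(raw)
    found = []
    for part in msg.walk():
        if part.is_multipart():            # containers hold no payload of their own
            continue
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        disp = (part.get("Content-Disposition") or "").strip().lower()
        if cte != "base64":
            continue
        if disp.startswith("attachment") or part.get_filename():
            decoded = part.get_payload(decode=True) or b""
            found.append((part.get_filename(), part.get_content_type(), len(decoded)))
    return found
```

The tuple list is what would be registered as session meta; the decoded size lets an analyst separate a one-line script from a multi-megabyte executable.
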
Retired

We strive to provide timely and accurate detection of threats as well as traits that can help analysts hunt through network and log data. Occasionally this means retiring content that provides little-to-no value.

  • Multiple ESA rules have been marked discontinued for various reasons. The logic and deployable RSA Live packages are published in the RSA NetWitness public GitHub repository, which customers, analysts and others can access via this link: https://github.com/netwitness/nw-esa. They are no longer available via RSA NetWitness Live.
  • The following ESA rules are discontinued after careful consideration of changed attack vectors and new techniques. New content has been developed that replaces or improves detection over the following discontinued ESA rules:
    • Brute Force Login to Same Destination
    • Brute Force Login From Same Source
    • Multi Service Connection Attempt Pckt
    • Multi Service Connection Attempt Log
    • System Configuration Changes by a Non Admin User
    • Port Scan Message Log
    • Detection of High Volume of TCP Resets using NetFlow
    • UDP DoS Tool Use Detection
    • Dos Logged and Service Shutdown
  • The following ESA rules are discontinued because the threat is no longer relevant and the existing logic is not effective:
    • WebSploit Tool Download
    • Low Orbit Ion Cannon
  • The following ESA rules are discontinued and replaced by logic in app rules:
    • Non DNS Traffic on TCP or UDP Port 53 Containing Executable
    • Non HTTP Traffic on TCP Port 80 Containing Executable
    • Non SMTP Traffic on TCP Port 25 Containing Executable
    • Cybergate RAT
    • jRAT
  • The following ECAT ESA rules are discontinued because they are outdated with the new Endpoint integration starting in version 11.1:
    • ECAT alert with botnet
    • ECAT alert with beaconing
    • ECAT Alert With Audit Log Cleared
    • ECAT alert with suspicious encrypted traffic
    • ECAT alert with SSH Traffic on same source
    • Reception of executable file followed by ECAT alert
    • File Transfer followed by ECAT alert from same source
    • IPS alert target generates an ECAT alert
    • Intrusion alert source generates an ECAT alert
    • Third Party IOC IP and Domain Feed Hit and an ECAT alert
    • Malware Domains feed hit followed by an ECAT alert
    • Malware IP List feed hit followed by an ECAT alert
  • The following correlation rules and related content have been discontinued because they provide less investigative value and limited correlation options against new and improved attack vectors. New content has been developed that replaces or improves detection over the following discontinued ESA rules:
    • Bulk_Data_transfer_Scan
    • Database_Scan
    • port_scan
    • web_scan
    • windows_automated_explicit_logon
  • Discontinued Report Rules. These leveraged the above retired correlation rules:
    • IPv4 Horizontal Port Scans
    • IPv4 Vertical Port Scans
    • IPv6 Horizontal Port Scans
    • IPv6 Vertical Port Scans
    • Windows Automated Explicit Logon
  • Discontinued Reports. This report contained the retired report rules:
    • Scanning Activity
  • The app rule ‘Facebook Profile’ is discontinued because Facebook traffic is now all encrypted, so the rule will no longer trigger.

 

EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.

  

For additional documentation, downloads, and more, visit the RSA NetWitness Platform page on RSA Link.


Version history
Last update: 2018-07-31 11:26 AM
Updated by: NetWitnessTeam (Employee)