Several changes have been made to the Threat Detection Content in Live. For added detection you need to add/subscribe to the content via Live; for retired content you will need to remove it manually; and for the other changes no action is required if you are already subscribed to the content.
Major updates were made to the Kerberos, SMB_lua and DCERPC parsers to aid in detecting lateral movement. Updates were made to extract useful information from Kerberos requests and responses to detect possible skeleton key attacks. Function names are now pulled out of DCERPC (this can help with detecting mimikatz on your network), and more thorough SMB parsing increases visibility.
DNS_verbose_lua – This parser was updated to better detect base64 encoded text (KEY type RR) for further analysis by an analyst, to identify potential sources and attack vectors related to amplification attacks that can eventually lead to a DDoS.
HTTP_lua – Updated with improved detection of HTTP requests whose request path and Host header do not match. Detection is more fine-tuned by excluding port numbers and some other values from the comparison to avoid potential false positives. A mismatch between the host specified in the request path and the value of the Host header indicates possible domain fronting.
MAIL_lua – Functionality has been added to the MAIL_lua parser to register meta for the presence of base64 encoded email attachments. This gives an analyst more visibility into emails that carry base64 encoded attachments, and can better detect incoming attack vectors such as malicious command strings that download malware executables or malicious scripts.
The RSA Content space has been reorganized for better readability and easier understanding of the content available for solving issues. All informational content documents are linked from this page to allow easy access to the different content guides, tools and content documentation.
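To illustrate the path/Host comparison described for HTTP_lua, here is an added example (not RSA's parser code) that extracts the host from an absolute-URI request target, compares it with the Host header while ignoring port numbers and letter case, and returns a small meta record on mismatch. The sample requests are constructed for the demonstration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample requests (not captured traffic) for the checks below.
SAMPLE_FRONTED = (b"GET http://cdn.example.net/update HTTP/1.1\r\n"
                  b"Host: hidden.example.org\r\n"
                  b"User-Agent: demo\r\n\r\n")
SAMPLE_CONSISTENT = (b"GET http://cdn.example.net:8080/update HTTP/1.1\r\n"
                     b"Host: CDN.example.net:8080\r\n\r\n")
SAMPLE_ORIGIN_FORM = b"GET /update HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n"


def _host_only(authority: str) -> Optional[str]:
    """Lower-cased host from 'host', 'host:port' or '[v6]:port'; the port is
    ignored, mirroring the false-positive reduction described for HTTP_lua."""
    return urlsplit("//" + authority.strip()).hostname


def host_mismatch(raw_request: bytes) -> Optional[dict]:
    """Return None when the request is consistent (or has no absolute-URI
    target / no Host header); otherwise a meta dict describing the mismatch."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    try:
        method, target, _version = lines[0].split(" ", 2)
    except ValueError:
        return None                      # malformed request line, nothing to compare
    parts = urlsplit(target)
    if not parts.scheme or not parts.netloc:
        return None                      # origin-form target: no host in the path
    path_host = parts.hostname           # already lower-cased, port stripped
    host_header = next((line.split(":", 1)[1] for line in lines[1:]
                        if line.lower().startswith("host:")), None)
    if host_header is None:
        return None
    header_host = _host_only(host_header)
    if path_host == header_host:
        return None
    return {"method": method, "path_host": path_host,
            "header_host": header_host, "alert": "http host mismatch"}


if __name__ == "__main__":
    for sample in (SAMPLE_FRONTED, SAMPLE_CONSISTENT, SAMPLE_ORIGIN_FORM):
        print(host_mismatch(sample))
```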
We strive to provide timely and accurate detection of threats as well as traits that can help analysts hunt through network and log data. Occasionally this means retiring content that provides little-to-no value.
Multiple ESA rules have been marked discontinued for various reasons. The logic and deployable RSA Live packages are published on the RSA NetWitness public GitHub repository. Customers, analysts and others can access it via this link: https://github.com/netwitness/nw-esa. They are no longer available via RSA NetWitness Live.
The following ESA rules are discontinued after careful consideration of changed attack vectors and new techniques. New content has been developed that replaces or improves on the detection provided by the following discontinued ESA rules:
Brute Force Login to Same Destination
Brute Force Login From Same Source
Multi Service Connection Attempt Pckt
Multi Service Connection Attempt Log
System Configuration Changes by a Non Admin User
Port Scan Message Log
Detection of High Volume of TCP Resets using NetFlow
UDP DoS Tool Use Detection
Dos Logged and Service Shutdown
The following ESA rules are discontinued because the threat is no longer relevant and the existing logic is not effective:
WebSploit Tool Download
Low Orbit Ion Cannon
The following ESA rules are discontinued and replaced by logic in app rules:
Non DNS Traffic on TCP or UDP Port 53 Containing Executable
Non HTTP Traffic on TCP Port 80 Containing Executable
Non SMTP Traffic on TCP Port 25 Containing Executable
The following ECAT ESA rules are discontinued because they are outdated with the new Endpoint integration starting in version 11.1:
ECAT alert with botnet
ECAT alert with beaconing
ECAT Alert With Audit Log Cleared
ECAT alert with suspicious encrypted traffic
ECAT alert with SSH Traffic on same source
Reception of executable file followed by ECAT alert
File Transfer followed by ECAT alert from same source
IPS alert target generates an ECAT alert
Intrusion alert source generates an ECAT alert
Third Party IOC IP and Domain Feed Hit and an ECAT alert
Malware Domains feed hit followed by an ECAT alert
Malware IP List feed hit followed by an ECAT alert
The following correlation rules and related content have been discontinued because they provide little investigative value and limited correlation options against new and improved attack vectors. New content has been developed that replaces or improves on the detection provided by the following discontinued ESA rules:
Discontinued report rules. These leveraged the retired correlation rules above:
IPv4 Horizontal Port Scans
IPv4 Vertical Port Scans
IPv6 Horizontal Port Scans
IPv6 Vertical Port Scans
Windows Automated Explicit Logon
Discontinued Reports. This report contained the retired report rules:
The app rule ‘Facebook Profile’ is discontinued because Facebook traffic is now entirely encrypted, so the rule will no longer trigger.
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.