Are there any documents or information somewhere on the Threat Descriptions? The one in question, is showing up as "184.108.40.206:6667" This is one that is generated by Security Analytics. I have not sure what I should be looking for. Any information would be greatly appreciated.
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
So here's a screen shot of what we are seeing. Let me know if you are looking for additional/different information. Is there any document that has the information about these threats that gives more detail as to what to look for?
Deciphering the trigger for meta generated based off of repackaged community feeds is (IMO) one of the key headaches of working with NW/SA.
About the only useful hint I have found is that threat.src may contain an indicator on what the trigger was based on the name of the threat.src meta value - if threat.src ends with -domain (as in your example), it was triggered off of a host or domain name, -file triggered on a file name, -ip triggered on an IP address. Unfortunately this still doesn't tell you which value in a session, if there are multiples, were the actual trigger, it just gets you in the neighborhood.
Now as to why the threat.desc meta gives an IP and port when it actually triggered on a domain name ... that likely had some meaning to whoever put that entry in the feed at some time in the past, but that meaning is likely lost to the sands of time.