This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA NetWitness® Platform Discussions

Discussions about the RSA NetWitness Platform.
StephaniePaider
Beginner
Beginner
‎2014-09-19 10:28 AM

Threat Descriptions

Are there any documents or information somewhere on the Threat Descriptions?  The one in question, is showing up as "94.75.193.48:6667"  This is one that is generated by Security Analytics.  I have not sure what I should be looking for.  Any information would be greatly appreciated.

Reply
5 Replies
SethGeftic
Beginner
Beginner
‎2014-09-22 02:38 PM

i asked our product manager but he needed more info.  Do you have a screen shot?  That might help clarify what's going on.

0 Likes
Reply
SeanKoniarz
Beginner
Beginner
‎2014-09-23 08:28 AM

Yeah the threat.desc you are going to need to look at threat.category.  I believe the one above is a shadowserver ip. 

0 Likes
Reply
StephaniePaider
Beginner
Beginner
In response to SethGeftic
‎2014-09-23 10:43 AM

So here's a screen shot of what we are seeing.  Let me know if you are looking for additional/different information.  Is there any document that has the information about these threats that gives more detail as to what to look for?

threat.JPG.jpg

0 Likes
Reply
SeanKoniarz
Beginner
Beginner
In response to StephaniePaider
‎2014-09-23 10:50 AM

The threat.source links to a live feed that has been deployed on your decoder or concentrator. 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
‎2014-09-23 11:35 AM

Deciphering the trigger for meta generated based off of repackaged community feeds is (IMO) one of the key headaches of working with NW/SA.

 

About the only useful hint I have found is that threat.src may contain an indicator on what the trigger was based on the name of the threat.src meta value - if threat.src ends with -domain (as in your example), it was triggered off of a host or domain name, -file triggered on a file name, -ip triggered on an IP address.  Unfortunately this still doesn't tell you which value in a session, if there are multiples, were the actual trigger, it just gets you in the neighborhood.

 

Now as to why the threat.desc meta gives an IP and port when it actually triggered on a domain name ... that likely had some meaning to whoever put that entry in the feed at some time in the past, but that meaning is likely lost to the sands of time.

Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.