Is it too early to start asking about Wannacry IOCs being incorporated into RSA Live content for Netwitness?
Absolutely not to early! Obviously very relevant right now. I can tell you we're is working on that now. In the mean time, I'd suggest keeping an eye out for any network traffic headed outbound to TOR nodes on ports >9000. Are you running packets logs or both?
Thank you for the reply! We're just running packets here. Have already deployed the 6 or so ET Pro Snort rules and have correlation rules looking for SMB scanning, but was just curious what other IOCs were being aggregated.
Is there any use cases are there which can detect the WannaCry Ransomware or Latest feeds are updated on RSA live which can help us to detect the Ransomware from Events.
As per my research till now, i could find below information which could help in at least detection of any variants, which should be enough for you to isolate the machine quickly on your network and then perform investigations:
Although this is not directly targeting Wannacry I find that it is very useful. We did see one Wannacry get launched and this is where I found the data from it.
analysis.service = 'hostname consecutive consonants'&& risk.suspicious ='tunneling outbound tor'
Assuming you do not allow anything over the ports using a hostname with consecutive consonants you should get pretty good data. If anything it is something you should be running daily to see if you have any connections like that to odd hostnames.
Retrieving data ...