Rajas Save

Threat Detection Content Update - June 2020

Blog Post created by Rajas Save Employee on Jun 23, 2020

Summary:

Several changes have been made to the Threat Detection Content in Live. For added detection you need to deploy/download and subscribe to the content via Live, for retired content you'll need to manually remove those.

Detailed configuration procedures for getting RSA NetWitness Platform setup - Content Quick Start Guide 

 

Additions:

RSA NetWitness Lua Parsers:

  • WireGuard – New Lua parser has been introduced to identify WireGuard VPN sessions. WireGuard open-source is a security-focused virtual private network (VPN) known for its simplicity and ease of use.

Read more about Identifying WireGuard (VPN) Traffic Using RSA NetWitness Network 

 

 

More information about Packet Parsers 

 

RSA NetWitness Application Rules:

More information about NetWitness 11.4 New Features andAlerting: ESA Rule Types 

 

Changes:

RSA NetWitness Lua Parsers:

  • SMB_lua – This parser is updated for significant detection improvements with named pipe parsing capabilities. Detection is expanded to track parent-child relationships to recognize operations performed on child named pipes.

Read more about SMB_lua in action -

Detecting Lateral Movement in RSA NetWitness: Winexe 

Around the Fire With Old Friends (CVE-2019–0604, and CVE-2017-0144)

Keeping an eye on your Hounds...  

 

  • DCERPC – This parser is updated for similar detection improvements with named pipe parsing capabilities.

Read more about Using the RSA NetWitness Platform to Detect Lateral Movement: SCShell (DCE/RPC) 

 

  • TLS_lua - New detections are added in TLS parser to detect suspicious cipher suites for both client and server. This will give analysts added insight into what TLS connections based on suspicious client/server setup which will help detect and analyze malicious activity.

Read more about SSL and NetWitness 

 

  • rtmp_lua – rtmp parser is updated for accuracy and efficiency.
  • HTTP_lua – This parser has been updated with added detection and better accuracy

 

 

Discontinued:

We strive to provide timely and accurate detection of threats as well as traits that can help analysts hunt through network and log data. Occasionally this means retiring content that provides little-to-no value.

Discontinued Content 

 

For additional documentation, downloads, and more, visit the RSA NetWitness Platform page on RSA Link.

 

EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.

Outcomes