Skip navigationLog in to follow, share, and participate in this community. 
When working with RSA Live ESA or the ESA Rule Builder, you should not need to know the EPL syntax used within the rules. However, if your use case exceeds the capabilities of either of these, you should become familiar with at least the basics of the EsperTech EPL language used with ESA. Note: NetWitness Platform 11.3 uses Esper 7.1. Earlier…
In an ongoing effort to provide the best user experience, RSA periodically discontinues content (such as rules and reports). This is to keep pace with the ever evolving threat landscape, and to ensure our customers are not overwhelmed with stale information and ‘alert fatigue’. By tailoring content to current threats, we can help keep the systems…
This table lists all of the delivered RSA NetWitness Rules. Note: For content that has been discontinued, see Discontinued Content. Display Name File Name Description Medium Tag 11.1-11.2 Autoruns and Scheduled Tasks from or referencing AppData 11.1-11.2 Autoruns and Scheduled Tasks from or referencing AppData Compliance Rule- Anti-Virus Signature…
This topic lists the RSA NetWitness Reports. The reports are built upon rules and lists. When you download a report, all necessary RSA NetWitness Rules and RSA NetWitness Lists are also downloaded. You may, however, need to download supporting RSA Application Rules and parsers. Note: For content that has been discontinued, see Discontinued…
This topic discusses and describes the packet (Lua) parsers available in RSA NetWitness Platform. If you need a parser that does not already exist, you can Request a Parser. Note: More information on each of these parsers is available in Live. Navigate to Live search, and select RSA Lua Parser in the Resource Types field. From the results, select…
RSA NetWitness Investigation MetaThis table lists all of the delivered RSA NetWitness Investigation meta. Meta Key Details analysis.file: autorun Registered by: autorun.nwr analysis.file: autorun debian package mismatch Registered by: autorun_debian_package_mismatch.nwr analysis.file: autorun file path not part of debian package…
Pivot to Investigate > Navigate from Respond May Not WorkIn ESA rules that do not select every piece of meta from the session (that is, rules that do not use select *), you may see that data privacy (if enabled) and the Pivot to Investigate > Navigate link accessed from a context tooltip in the Respond Incident Details view does not work. For…
As part of the ongoing development of content to combat threats, RSA develops content bundles. These are grouped sets of content (rules, parsers, feeds) that can be deployed as a group from RSA Live. Deploying a Bundle You can deploy all of the items in the bundles through Live. Note: If you are in an environment where you cannot Deploy, you…
The following table lists the RSA Application Rules for NetWitness Endpoint. Display Name File Name Description Tag Accesses Administrative Share Using Command Shell accesses_administrative_share_using_command_shell Accessing administrative share using command shell can be an indicator of someone trying for lateral movement or privilege escalation…
Loading...
in 