In Depth Feeds Information

Document created by RSA Information Design and Development Employee on May 4, 2017Last modified by RSA Information Design and Development Employee on Feb 14, 2020
Version 133Show Document
  • Comment0
  • View in full screen mode
 

The RSA FirstWatch feeds are updated periodically, so please check back regularly to get the latest information.

Note: For content that has been discontinued, see Discontinued Content.

List of Feeds

Use this table to navigate directly to the feed in which you are interested.

                                                   
Alert IDs Info (alertids_info) Alert IDs Suspicious (alertids_suspicious) Alert IDs Warning (alertids_warning)
Common Doc Extensions (common-doc-extensions) Dynamic DNS Domains (dynamic_dns) Investigation (investigation)
Malware Domain List (nwmalwaredomainlist) Malware IP List (nwmalwareiplist) RSA FirstWatch APT Threat Domains (nwconst_apt_domain)
RSA FirstWatch APT Threat IPs (nwconst_apt_ip) RSA FirstWatch Command and Control Domains (nwconst_c2_domains) RSA FirstWatch Command and Control IPs (nwconst_c2_ips)
RSA FirstWatch Criminal SOCKS node IPs (nwconst_socks_proxies_ip_recent) RSA FirstWatch Criminal VPN Entry IPs (nwconst_vpn_entry_ip_recent) RSA FirstWatch Criminal VPN Exit IPs (nwconst_vpn_exit_ip_recent)
RSA FirstWatch SSL Blacklist (ssl_blacklist) RSA Fraud Action Domains (nwrsafraudactiondomain) RSA Fraud Action IPs (nwrsafraudactionip)
Spamhaus DROP List IP Ranges (nwspamhaus_drop_list_ip) Spamhaus EDROP List IP Ranges (nwspamhaus_edrop_list_ip) spectrum_whitelist.zip (spectrum_whitelist)
TCP Flags Seen (tcp_flags_seen) Third Party IOC Domains (nwrsa_third_party_ioc_domain) Third Party IOC IPs (nwrsa_third_party_ioc_ip)
Tor Exit Nodes (nwtor_exit_nodes_ip_recent) Tox Supernode (tox_supernode)  

 

 

 

 

Alert IDs Info (alertids_info)

Description: Alert ID-to-name mappings for informational alerts.

Medium: log, packet

Live Tags: none

Index/Trigger Meta Key: alert.id

Registered Meta Keys: risk.info, threat.category, threat.source

                       
Meta KeyRegistered Values (Unique)
risk.info

Name of application rule or Lua parser logic

threat.category

netwitness

threat.source
  • spectrum
  • insider
  • informational
  • nonstandard
  • p2p
  • social networking
  • data leakage
  • vulnerability
  • filter

Alert IDs Suspicious (alertids_suspicious)

Description: Alert ID-to-name mappings for suspicious alerts.

Medium: log, packet

Live Tags: none

Index/Trigger Meta Key: alert.id

Registered Meta Keys: risk.suspicious, threat.category, threat.source

                       
Meta KeyRegistered Values (Unique)
risk.suspicious

Name of application rule or Lua parser logic

threat.category

netwitness

threat.source
  • spectrum
  • suspicious
  • malware
  • botnet
  • nonstandard
  • security tools
  • data leakage
  • vulnerability
  • apt

Alert IDs Warning (alertids_warning)

Description: Alert ID-to-name mappings for warning alerts.

Medium: log, packet

Live Tags: none

Index/Trigger Meta Key: alert.id

Registered Meta Keys: risk.warning, threat.category, threat.source

                       
Meta KeyRegistered Values (Unique)
risk.warning

Name of application rule or Lua parser logic

threat.category

netwitness

threat.source
  • spectrum
  • suspicious
  • malware
  • botnet
  • attacks
  • nonstandard
  • inappropriate
  • vulnerability
  • apt

Common Doc Extensions (common-doc-extensions)

Description: Alerts on extensions as follows: doc, xls, ppt, pdf, txt, xml.

Medium: log, packet

Live Tags: operations, event analysis

Index/Trigger Meta Keys: extension, alert.id

Registered Meta Keys: risk info

               
Meta KeyRegistered Values (Unique)
risk.info

common document formats

Dynamic DNS Domains (dynamic_dns)

Description: Identifies many commonly seen dynamic DNS-related domains.

Medium: log, packet

Live Tags: operations, event analysis

Index/Trigger Meta Key: alias.host

Registered Meta Keys: threat.category, threat.desc, threat.source

                       
Meta KeyRegistered Values (Unique)
threat.desc

dynamic dns domain

threat.category

suspicious

threat.source

netwitness

Investigation (investigation)

Description: The investigation keys (inv.category, inv.context) assist in categorizing collections based off common practice response scenarios. These keys provide reasoning as to why a given session or log may have been highlighted. For more details, see the Investigation Feed documentation.

Medium: log, packet

Live Tags: assurance, identity, operations, threat

Index/Trigger Meta Key: alert.id

Registered Meta Keys: inv.category, inv.context, feed.name

                       
Meta KeyRegistered Values (Unique)
inv.category
  • assurance
  • identity
  • operations
  • threat
inv.context
  • action on objectives
  • application analysis
  • attack phase
  • audit
  • authentication
  • authorization
  • command and control
  • compliance
  • corporate
  • crimeware
  • delivery
  • event analysis
  • exploit
  • file analysis
  • flow analysis
  • installation
  • malware
  • organizational hazard
  • protocol analysis
  • remote access trojans
  • risk
  • vulnerability management
feed.name

investigation

Malware Domain List (nwmalwaredomainlist)

Description: List of domains commonly associated with malware sourced from www.malwaredomainlist.com.

Medium: log, packet

Live Tags: threat, malware

Index/Trigger Meta Key: alias.host

Registered Meta Keys: threat.category, threat.desc, threat.source

                       
Meta KeyRegistered Values (Unique)
threat.desc
  • -
  • Adware.Cracksearch.A
  • Adware.Fusenet
  • Android/Trojan.SMS.FakeInst
  • Android.Trojan.SMSStealer
  • at cope.it-templates-webstat-finanzgruppe_volksbanken_ne.htm Trojan.Email.FakeDoc
  • backdoor
  • Backdoor.Bot.MSIL
  • Backdoor.IRCBot
  • Bot
  • Bot.C2
  • "Browlock
  • Browlock.FakeInfection
  • Browlock.Fake.TechSupport
  • Browlock.Malvertising
  • Browser Ransomware
  • Cerber ransomware
  • compromised server with nginx at port 8080
  • "Compromised site
  • "Compromised site (DHL malspam campaign)
  • compromised site directs to exploits
  • Compromised site leading to exploit
  • Compromised site leading to fake AV
  • compromised site leads to exploit kit
  • compromised site leads to Java exploit
  • "Compromised site (Natwest malspam campaign)
  • "Compromised site (Sage malspam campaign)
  • compromised sites leads to exploit kit
  • compromized site loads external script with exploits
  • control panel of Eleonore Exploits pack v1.4.1
  • Cool exploit kit
  • CrimePack exploit kit
  • CritXPack exploit kit
  • Cryptowall ransomware C&C
  • Destination of banking phishing
  • directs to exploits
  • directs to Exploits
  • Directs to exploits
  • directs to rogue
  • Directs to rogue
  • directs to sites with exploits
  • Directs to sites with exploits
  • directs to trojan
  • Document.zip Trojan.Email.Gen
  • Document.zip Trojan.Kryptic
  • DOS service
  • Drive-by
  • ESET phishing
  • exploit
  • Exploit
  • exploit kit
  • exploit kit / requires Google referrer
  • exploits
  • Exploits
  • fake alert page
  • Fake Antivirus
  • fake av
  • FakeAV
  • fake crack site directs to trojan
  • fake Flash player
  • Fake.FlashPlayer.Trojan
  • fake infection page
  • Gateway for Sweet Orange EK
  • gateway to EK
  • Google Chrome
  • Hosteurope phishing
  • IE exploit
  • iframe directs to exploit
  • iframe directs to LuckySploit
  • iframe directs to redirector/exploits
  • iFrame.Exploit
  • "iFrame.Exploit (injected into compromised sites
  • iframe leads to CritXPack exploit kit
  • iframe leads to exploit kit
  • iframe on compromised site leads EK
  • iframe on compromised site leads to EK
  • iframe on compromised site leads to exploit kit
  • iFrames to Exploit
  • irc backdoor
  • java exploit
  • Java exploit
  • Java installation abused for installing Java malware
  • JS.Exploit
  • Keybase keylogger web panel
  • Koobface
  • leads to CryptoLocker
  • Leads to exploit
  • Leads to exploit at jolygoestobeinvester.ru
  • leads to exploit kit
  • Leads to exploit kits
  • Leads to Fake AV
  • leads to fake flashplayer installer at OneDrive
  • Leads to fake Google Chrome
  • leads to malicious download on Mediafire
  • leads to ransomware
  • Leads to ransomware
  • Leads to trojan
  • Leads to Trojan.Zbot
  • Leads to Win32/InstallRex
  • Malvertising
  • "Malvertising
  • MasterCard phishing
  • Multiple.Malware
  • obfuscated iframe directs to exploit kit
  • obfuscated iframe directs to exploits
  • obfuscated iframe directs to LuckySploit
  • obfuscated iframe leads to exploit
  • obfuscated iframe leads to exploit kit
  • obfuscated iframe leads to Nuclear exploit kit
  • obfuscated iframe on compromised site leads to exploit kit
  • obfuscated Javascript leads to fake flash player site
  • obfuscated script directs to exploits
  • P2PZeus.WebInject
  • Paypal phishing
  • Paypal Phishing (Redirect)
  • phishing
  • Phishing
  • phishing/fraud
  • phishing site
  • PHP.RFI
  • PlugX C&C
  • pony loader C&C
  • Postbank phishing
  • Produce Items.scr Trojan.Email.FakeDoc
  • PUP.Optional.FileServer.A
  • "Ransom
  • Ransom message text
  • ransomware
  • Ransomware
  • Ransomware payment processor
  • redirecting to Sweet Orange exploit kit with Google referrer
  • redirects to exploit
  • Redirects to exploit
  • redirects to exploit kit
  • redirects to exploits
  • redirects to Paypal phishing
  • redirects to Postbank phishing
  • redirects to rogue
  • Redirects to Rogue.FakeFlashPlayer
  • redirects to Rogue if referer is a search engine
  • redirects to trojan
  • Redirects to trojan
  • Redirects to Trojan
  • redirects to trojan download
  • redirects to trojan download at SugarSync
  • redirects to trojan TDSS
  • related to a Mirai windows spreader trojan
  • returns malware url base64 encoded
  • RFI
  • Rogue
  • Rootkit.0Access
  • "Script.Exploit
  • Script.Exploit
  • Script.iFrame.TDS (via compromised sites)
  • Solar EK
  • Spyware.Password
  • Spyware.Zbot
  • Spyware.Zbot.ED
  • Spyware.Zbot.VXGen
  • Spyware.ZeuS
  • Spyware.ZeuS.GO
  • Sweet Orange exploit kit
  • TDSS
  • Teslacrypt C&C
  • Teslacrypt ransomware C&C
  • trojan
  • Trojan
  • Trojan.AdWind
  • Trojan.Agent
  • Trojan.Agent.AI
  • Trojan.Agent.CRV
  • Trojan.Agent.ED
  • Trojan.Agent.rfz
  • Trojan.Android
  • "Trojan.Backdoor
  • Trojan.Backdoor
  • Trojan.Backdoor.Androm.Ar
  • trojan Bancos
  • trojan Banker
  • Trojan.Banker
  • Trojan.Banker.DE
  • trojan Banload
  • Trojan.Banload
  • Trojan.Chad
  • Trojan.Crypt.NKN
  • Trojan.CryptoLocker.CallBack
  • Trojan.Delf
  • trojan download
  • trojan downloader
  • Trojan.Downloader
  • Trojan.Downloader.Agent
  • Trojan.Downloader.RRE
  • Trojan.Dridex
  • Trojan.Dropper
  • Trojan.Dyre
  • Trojan.Email.FakeDoc
  • Trojan.Email.Gen
  • Trojan.Extension.Exploit
  • Trojan.FakeFlash
  • Trojan.FakeMS
  • Trojan.FareIt
  • Trojan.FareIT
  • Trojan.Inject
  • Trojan.Injector
  • trojan inside zip file
  • Trojan.Krypt
  • Trojan.MSIL.Injector
  • Trojan.Muiref
  • Trojan.P0ny
  • Trojan.PlasmaRAT.Miner
  • Trojan.Pony
  • Trojan.PWS
  • Trojan.Ramnit
  • trojan Ransom
  • Trojan.Ransom
  • Trojan.Ransom.ED
  • Trojan.Spy
  • trojan Swizzor
  • Trojan.Symmi
  • trojan TDSS
  • trojan Yimfoca
  • Trojan.Zbot
  • trojan ZeroAccess/Sirefef
  • Trojan.ZeuS
  • Trojan.Zeus.GameOver
  • Trojan.Zeus.GO
  • Used by malspam to lead victims to Trojan.Banload
  • vbscript downloader
  • VBScript.Trojan.IRC
  • VBS.Trojan.Downloader
  • Win32/Agent.HSDNOGR
  • Win32/Exploit.CVE-2013-3897.A
  • Win32/FirseriaInstaller.C
  • Win32/Injector.Autoit.ABQ trojan
  • Win32/Injector.AXJG
  • Win32/Injector.AYAH
  • Win32/InstallMonetizer
  • Win32/Trojan.Backdoor
  • Win32/Trojan.Genome
  • Win32/Trojan.Injects
  • Win32/Trojan.Pasta.h
  • Win32/Trojan.Spy
  • ycuF2Zy9WLk5WYtM3buFWaw1ycld3bs5yd3d3LvoDc0RHa8NnZ exploit kit
  • zeus config file
  • Zeus config file
  • Zombie exploitation kit
threat.category
  • malware
threat.source
  • malwaredomainlist-domain

Malware IP List (nwmalwareiplist)

Description: List of IP addresses commonly associated with malware sourced from www.malwaredomainlist.com.

Medium: log, packet

Live Tags: threat, malware

Index/Trigger Meta Key: ip.src, ip.dst

Registered Meta Keys: threat.category, threat.desc, threat.source

                       
Meta KeyRegistered Values (Unique)
threat.desc
  • phishing
  • phishing/fraud
  • trojan
  • trojan download
threat.category
  • malware
threat.source
  • malwaredomainlist-ip

RSA FirstWatch APT Threat Domains (nwconst_apt_domain)

Description: Contains domains known to be associated with Advanced Persistent Threats (APTs).

Medium: log, packet

Live Tags: featured, threat, attack phase

Index/Trigger Meta Key: alias.host

Registered Meta Keys: threat.category, threat.desc, threat.source

No current indicators.

RSA FirstWatch APT Threat IPs (nwconst_apt_ip)

Description: Contains IP addresses known to be associated with Advanced Persistent Threats (APTs).

Medium: log, packet

Live Tags: featured, threat, attack phase

Index/Trigger Meta Key: ip.src, ip.dst

Registered Meta Keys: threat.category, threat.desc, threat.source

No current indicators.

RSA FirstWatch Command and Control Domains (nwconst_c2_domains)

Description: Contains domains that are known to be associated with malware command and control.

Medium: log, packet

Live Tags: threat, attack phase

Index/Trigger Meta Key: alias.host

Registered Meta Keys: threat.category, threat.desc, threat.source

                       
Meta KeyRegistered Values (Unique)
threat.desc
  • c2-domain
  • cerber
  • delivery-domain
  • locky
  • shadowpad
  • trickbot
threat.category
  • botnet
  • c2
  • delivery
  • malspam
  • ransomware
threat.source
  • rsa-firstwatch

RSA FirstWatch Command and Control IPs (nwconst_c2_ips)

Description: Contains IPs that are known to be associated with malware command and control.

Medium: log, packet

Live Tags: threat, attack phase

Index/Trigger Meta Key: ip.src, ip.dst

Registered Meta Keys: threat.category, threat.desc, threat.source

No current indicators

RSA FirstWatch Criminal SOCKS node IPs (nwconst_socks_proxies_ip_recent)

Description: Contains IP addresses that represent known SOCKS nodes for criminal anonymization services.

Medium: log, packet

Live Tags: threat, attack phase, malware

Index/Trigger Meta Key: ip.src, ip.dst

Registered Meta Keys: threat.category, threat.desc, threat.source

                       
Meta KeyRegistered Values (Unique)
threat.desc
  • aliveproxy
  • gatherproxy
  • proxynova
  • socks24
  • sockslist
  • ultraproxies
threat.category
  • anonymous access
threat.source
  • rsa-firstwatch

RSA FirstWatch Criminal VPN Entry IPs (nwconst_vpn_entry_ip_recent)

Description: Contains IP addresses that represent known VPN entry nodes for criminal anonymization services.

Medium: log, packet

Live Tags: threat, attack phase, malware

Index/Trigger Meta Key: ip.src, ip.dst

Registered Meta Keys: Dynamically generated from feed server.

No current indicators.

RSA FirstWatch Criminal VPN Exit IPs (nwconst_vpn_exit_ip_recent)

Description: Contains IP addresses that represent known VPN exit nodes for criminal anonymization services.

Medium: log, packet

Live Tags: threat, attack phase, malware

Index/Trigger Meta Key: ip.src, ip.dst

Registered Meta Keys: threat.category, threat.desc, threat.source

                       
Meta KeyRegistered Values (Unique)
threat.desc
  • 5vpn
  • anonine
  • astrill
  • blackvpn
  • cyberghost
  • doublevpn
  • dreamvpn
  • hidemyass
  • ibvpn
  • insorg
  • ipvanish
  • ivpn
  • multivpn
  • nordvpn
  • perfectprivacy
  • privateinternetaccess
  • privatevpn
  • proxysh
  • secretlines
  • superbvpn
  • switchvpn
  • tools
  • torguard
  • vip72
  • vpnac
  • vpnlab
  • vpn-service
  • worldvpn
threat.category
  • anonymous-access
threat.source
  • rsa-firstwatch

RSA FirstWatch SSL Blacklist (ssl_blacklist)

Description: Allows analysts to identify web domains with blacklisted SSL certificates.

Medium: packet

Live Tags: malware, threat

Index/Trigger Meta Key: ssl.ca, ssl.serial

Registered Meta Keys: checksum, threat.source, threat.category, threat.desc, inv.category, inv.context, ioc, feed.name, feed.desc, feed.category

                                                   
Meta KeyRegistered Values (Unique)

checksum

MD5 hash of the file that connected to the malicious server using the blacklisted SSL certificate.

threat.source

abuse.ch

threat.category

malware

threat.desc

Listing reason for the blacklisted SSL certificate.

inv.category

threat

inv.context

malware

ioc

blacklisted ssl cert

feed.name

rsa firstwatch ssl blacklist

feed.desc

ssl.ca:ssl.serial

feed.category

network activity

RSA Fraud Action Domains (nwrsafraudactiondomain)

Description: Developed and maintained by the RSA FraudAction Intelligence team, this feed contains domains that host malicious online activity, and thus present a risk to your infrastructure.

Medium: log, packet

Live Tags: threat, attack phase, malware

Index/Trigger Meta Key: ip.src, ip.dst

Registered Meta Keys: threat.category, threat.desc, threat.source

No current indicators.

RSA Fraud Action IPs (nwrsafraudactionip)

Description: Developed and maintained by the RSA FraudAction Intelligence team, this feed contains IP addresses that host malicious online activity, and thus present a risk to your infrastructure.

Medium: log, packet

Live Tags: threat, attack phase, malware

Index/Trigger Meta Key: ip.addr

Registered Meta Keys: threat.category, threat.desc, threat.source

No current indicators.

Spamhaus DROP List IP Ranges (nwspamhaus_drop_list_ip)

Description: DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting of stolen 'hijacked' netblocks and netblocks controlled entirely by criminals and professional spammers.

Medium: log, packet

Live Tags: threat, attack phase, operations, event analysis

Index/Trigger Meta Key: ip.src, ip.dst

Registered Meta Keys: threat.category, threat.desc, threat.source

                       
Meta KeyRegistered Values (Unique)
threat.desc
  • SBL100272
  • SBL101196
  • SBL101198
  • SBL101250
  • SBL101324
  • SBL101325
  • SBL101328
  • SBL101329
  • SBL101571
  • SBL101572
  • SBL101573
  • SBL101574
  • SBL102573
  • SBL103438
  • SBL103493
  • SBL103494
  • SBL103495
  • SBL103496
  • SBL103497
  • SBL103499
  • SBL103685
  • SBL103686
  • SBL104251
  • SBL104252
  • SBL104253
  • SBL104254
  • SBL104258
  • SBL104260
  • SBL104261
  • SBL104408
  • SBL104616
  • SBL105802
  • SBL105804
  • SBL105808
  • SBL106073
  • SBL106075
  • SBL106078
  • SBL106080
  • SBL106606
  • SBL106609
  • SBL107014
  • SBL107139
  • SBL107317
  • SBL107773
  • SBL107775
  • SBL108610
  • SBL109258
  • SBL109259
  • SBL109341
  • SBL109342
  • SBL109343
  • SBL109583
  • SBL110044
  • SBL110170
  • SBL110171
  • SBL111502
  • SBL111681
  • SBL113125
  • SBL113126
  • SBL113127
  • SBL113128
  • SBL113129
  • SBL113130
  • SBL113323
  • SBL115039
  • SBL116416
  • SBL116417
  • SBL116418
  • SBL116419
  • SBL11667
  • SBL117319
  • SBL117320
  • SBL122292
  • SBL125132
  • SBL12947
  • SBL134638
  • SBL134712
  • SBL13483
  • SBL14251
  • SBL14253
  • SBL145400
  • SBL147763
  • SBL151876
  • SBL153758
  • SBL154590
  • SBL154609
  • SBL154617
  • SBL156561
  • SBL156894
  • SBL156916
  • SBL156981
  • SBL156982
  • SBL156983
  • SBL156985
  • SBL156986
  • SBL156988
  • SBL156998
  • SBL169540
  • SBL169644
  • SBL172706
  • SBL175056
  • SBL176147
  • SBL177387
  • SBL177459
  • SBL177484
  • SBL177485
  • SBL177686
  • SBL177843
  • SBL178615
  • SBL178616
  • SBL178647
  • SBL178648
  • SBL178649
  • SBL178650
  • SBL179270
  • SBL179271
  • SBL179291
  • SBL179292
  • SBL179440
  • SBL180437
  • SBL180438
  • SBL180439
  • SBL180441
  • SBL180442
  • SBL180556
  • SBL181088
  • SBL181738
  • SBL181786
  • SBL181787
  • SBL182148
  • SBL182162
  • SBL182245
  • SBL184714
  • SBL186753
  • SBL187946
  • SBL187947
  • SBL189463
  • SBL190333
  • SBL190623
  • SBL191858
  • SBL192671
  • SBL192680
  • SBL193031
  • SBL193420
  • SBL193555
  • SBL194484
  • SBL194793
  • SBL194796
  • SBL195122
  • SBL195132
  • SBL195447
  • SBL195898
  • SBL197720
  • SBL201065
  • SBL201382
  • SBL201384
  • SBL201389
  • SBL201390
  • SBL201519
  • SBL202842
  • SBL202964
  • SBL204151
  • SBL204231
  • SBL204517
  • SBL204948
  • SBL204949
  • SBL204954
  • SBL205578
  • SBL205801
  • SBL206879
  • SBL207050
  • SBL207485
  • SBL208009
  • SBL208164
  • SBL208416
  • SBL208418
  • SBL208853
  • SBL209467
  • SBL209488
  • SBL209495
  • SBL209865
  • SBL209868
  • SBL209869
  • SBL209870
  • SBL209988
  • SBL209995
  • SBL209997
  • SBL209998
  • SBL210079
  • SBL210082
  • SBL210084
  • SBL210085
  • SBL210086
  • SBL210087
  • SBL210088
  • SBL210089
  • SBL210090
  • SBL210091
  • SBL210092
  • SBL210093
  • SBL210094
  • SBL210095
  • SBL210096
  • SBL210097
  • SBL210098
  • SBL210099
  • SBL210100
  • SBL210101
  • SBL210102
  • SBL210159
  • SBL210160
  • SBL210161
  • SBL210168
  • SBL210175
  • SBL210187
  • SBL210373
  • SBL210542
  • SBL211023
  • SBL211387
  • SBL211522
  • SBL211530
  • SBL211531
  • SBL211796
  • SBL212353
  • SBL212509
  • SBL212525
  • SBL212527
  • SBL212619
  • SBL212760
  • SBL212761
  • SBL212762
  • SBL212763
  • SBL212764
  • SBL212765
  • SBL212766
  • SBL212767
  • SBL212803
  • SBL212979
  • SBL212980
  • SBL212981
  • SBL212982
  • SBL212983
  • SBL212984
  • SBL212985
  • SBL212986
  • SBL213745
  • SBL214056
  • SBL214155
  • SBL214239
  • SBL214384
  • SBL214502
  • SBL214750
  • SBL214914
  • SBL215185
  • SBL215707
  • SBL216916
  • SBL216919
  • SBL216920
  • SBL217198
  • SBL217199
  • SBL217200
  • SBL217201
  • SBL219931
  • SBL220085
  • SBL220132
  • SBL220502
  • SBL220725
  • SBL220726
  • SBL221024
  • SBL221342
  • SBL221372
  • SBL221373
  • SBL221376
  • SBL221379
  • SBL221380
  • SBL221383
  • SBL221384
  • SBL221385
  • SBL221386
  • SBL221387
  • SBL221388
  • SBL221390
  • SBL221429
  • SBL221501
  • SBL221511
  • SBL221760
  • SBL221761
  • SBL221762
  • SBL221765
  • SBL221768
  • SBL221771
  • SBL221772
  • SBL221773
  • SBL221774
  • SBL221776
  • SBL221777
  • SBL221778
  • SBL221779
  • SBL221780
  • SBL221781
  • SBL221782
  • SBL222563
  • SBL222568
  • SBL222855
  • SBL223547
  • SBL223549
  • SBL223550
  • SBL223551
  • SBL223552
  • SBL223553
  • SBL223554
  • SBL223555
  • SBL223556
  • SBL224702
  • SBL224778
  • SBL225581
  • SBL225929
  • SBL225949
  • SBL226062
  • SBL226063
  • SBL226064
  • SBL226353
  • SBL226518
  • SBL226519
  • SBL227135
  • SBL227137
  • SBL227840
  • SBL227957
  • SBL229160
  • SBL229889
  • SBL230571
  • SBL230805
  • SBL231509
  • SBL231680
  • SBL233285
  • SBL233286
  • SBL233406
  • SBL233458
  • SBL233662
  • SBL234221
  • SBL234286
  • SBL234290
  • SBL234413
  • SBL235294
  • SBL235333
  • SBL235382
  • SBL235649
  • SBL235784
  • SBL236811
  • SBL237236
  • SBL237882
  • SBL23969
  • SBL23976
  • SBL240150
  • SBL240523
  • SBL240529
  • SBL240624
  • SBL240942
  • SBL240976
  • SBL241011
  • SBL241017
  • SBL241018
  • SBL241020
  • SBL241021
  • SBL241281
  • SBL242253
  • SBL242814
  • SBL243361
  • SBL243632
  • SBL243633
  • SBL244233
  • SBL244637
  • SBL244638
  • SBL244694
  • SBL245070
  • SBL245071
  • SBL245072
  • SBL247063
  • SBL247064
  • SBL247066
  • SBL247631
  • SBL247797
  • SBL247800
  • SBL247801
  • SBL247802
  • SBL247953
  • SBL249298
  • SBL249299
  • SBL249351
  • SBL249621
  • SBL249708
  • SBL249946
  • SBL252073
  • SBL252074
  • SBL253216
  • SBL253217
  • SBL253218
  • SBL253491
  • SBL253878
  • SBL253898
  • SBL253899
  • SBL253946
  • SBL253950
  • SBL254875
  • SBL256082
  • SBL256083
  • SBL256092
  • SBL256452
  • SBL256894
  • SBL257064
  • SBL257142
  • SBL257914
  • SBL257915
  • SBL257917
  • SBL257918
  • SBL257919
  • SBL258006
  • SBL258296
  • SBL258585
  • SBL258771
  • SBL259017
  • SBL259469
  • SBL260704
  • SBL260929
  • SBL261012
  • SBL262062
  • SBL262124
  • SBL262270
  • SBL262363
  • SBL262364
  • SBL262407
  • SBL263886
  • SBL263887
  • SBL264043
  • SBL264045
  • SBL264087
  • SBL264554
  • SBL264630
  • SBL264721
  • SBL265729
  • SBL265745
  • SBL266791
  • SBL266803
  • SBL266894
  • SBL267343
  • SBL267344
  • SBL267346
  • SBL267366
  • SBL267532
  • SBL267875
  • SBL268203
  • SBL268204
  • SBL268207
  • SBL268208
  • SBL268209
  • SBL268212
  • SBL268215
  • SBL268216
  • SBL268270
  • SBL268277
  • SBL268364
  • SBL268365
  • SBL268429
  • SBL268430
  • SBL268431
  • SBL268432
  • SBL268433
  • SBL268436
  • SBL268451
  • SBL269891
  • SBL269892
  • SBL269893
  • SBL269894
  • SBL270290
  • SBL270428
  • SBL270738
  • SBL270821
  • SBL270956
  • SBL270960
  • SBL270961
  • SBL271127
  • SBL271129
  • SBL272081
  • SBL272354
  • SBL272522
  • SBL273180
  • SBL274861
  • SBL276751
  • SBL276752
  • SBL276762
  • SBL276764
  • SBL276765
  • SBL276924
  • SBL276925
  • SBL276926
  • SBL276927
  • SBL277040
  • SBL277063
  • SBL277064
  • SBL277065
  • SBL277066
  • SBL277067
  • SBL277629
  • SBL278657
  • SBL279124
  • SBL281608
  • SBL282274
  • SBL282275
  • SBL283229
  • SBL283285
  • SBL283672
  • SBL284065
  • SBL284066
  • SBL284067
  • SBL284072
  • SBL284076
  • SBL284077
  • SBL284078
  • SBL284079
  • SBL284080
  • SBL284081
  • SBL284082
  • SBL284084
  • SBL284085
  • SBL284086
  • SBL284619
  • SBL285817
  • SBL286068
  • SBL286069
  • SBL286070
  • SBL286073
  • SBL286074
  • SBL286076
  • SBL286081
  • SBL286082
  • SBL286239
  • SBL286275
  • SBL286276
  • SBL286278
  • SBL287233
  • SBL287250
  • SBL287252
  • SBL287254
  • SBL287428
  • SBL287439
  • SBL287440
  • SBL287441
  • SBL287442
  • SBL287443
  • SBL287709
  • SBL287714
  • SBL287730
  • SBL287738
  • SBL287739
  • SBL287741
  • SBL288405
  • SBL289342
  • SBL290050
  • SBL290052
  • SBL291132
  • SBL291133
  • SBL291134
  • SBL291135
  • SBL291136
  • SBL291137
  • SBL291410
  • SBL292431
  • SBL293131
  • SBL293132
  • SBL293337
  • SBL294625
  • SBL296343
  • SBL298206
  • SBL300353
  • SBL301027
  • SBL301221
  • SBL301222
  • SBL301223
  • SBL302162
  • SBL302348
  • SBL302503
  • SBL302504
  • SBL302505
  • SBL302571
  • SBL302572
  • SBL302578
  • SBL302597
  • SBL302598
  • SBL302620
  • SBL303509
  • SBL303513
  • SBL303514
  • SBL303516
  • SBL303894
  • SBL303895
  • SBL303949
  • SBL303950
  • SBL305886
  • SBL306093
  • SBL307104
  • SBL307426
  • SBL307427
  • SBL307428
  • SBL307429
  • SBL307830
  • SBL308072
  • SBL308825
  • SBL308891
  • SBL309865
  • SBL309866
  • SBL310189
  • SBL310268
  • SBL311378
  • SBL311379
  • SBL312492
  • SBL312493
  • SBL312494
  • SBL312498
  • SBL312500
  • SBL312749
  • SBL312758
  • SBL313107
  • SBL314888
  • SBL316955
  • SBL320036
  • SBL322605
  • SBL322920
  • SBL323108
  • SBL323562
  • SBL323571
  • SBL325368
  • SBL325370
  • SBL325621
  • SBL325623
  • SBL325655
  • SBL325656
  • SBL326434
  • SBL329370
  • SBL329623
  • SBL331922
  • SBL332288
  • SBL332291
  • SBL333278
  • SBL333359
  • SBL333429
  • SBL333430
  • SBL333431
  • SBL333432
  • SBL333433
  • SBL333435
  • SBL333436
  • SBL333437
  • SBL333438
  • SBL333439
  • SBL333905
  • SBL334180
  • SBL335959
  • SBL336185
  • SBL336186
  • SBL336187
  • SBL337302
  • SBL338645
  • SBL339089
  • SBL339091
  • SBL339821
  • SBL340114
  • SBL340166
  • SBL341230
  • SBL342579
  • SBL344493
  • SBL347494
  • SBL351339
  • SBL352250
  • SBL353061
  • SBL354694
  • SBL354695
  • SBL354696
  • SBL354697
  • SBL354698
  • SBL354699
  • SBL361680
  • SBL361852
  • SBL366503
  • SBL366504
  • SBL369604
  • SBL369605
  • SBL369606
  • SBL369607
  • SBL370482
  • SBL371243
  • SBL371617
  • SBL371618
  • SBL371619
  • SBL371620
  • SBL371621
  • SBL371622
  • SBL371623
  • SBL371624
  • SBL371625
  • SBL379822
  • SBL379851
  • SBL379853
  • SBL380805
  • SBL381541
  • SBL381542
  • SBL382543
  • SBL384549
  • SBL384550
  • SBL384551
  • SBL384552
  • SBL384554
  • SBL384567
  • SBL384569
  • SBL384570
  • SBL384571
  • SBL384572
  • SBL386429
  • SBL386576
  • SBL388093
  • SBL388505
  • SBL388506
  • SBL388509
  • SBL388528
  • SBL388530
  • SBL389071
  • SBL390102
  • SBL390103
  • SBL390111
  • SBL390277
  • SBL390693
  • SBL390694
  • SBL390695
  • SBL390696
  • SBL390697
  • SBL390700
  • SBL390701
  • SBL390702
  • SBL390703
  • SBL390704
  • SBL390705
  • SBL390707
  • SBL390709
  • SBL390711
  • SBL390712
  • SBL390720
  • SBL391151
  • SBL391305
  • SBL391306
  • SBL391307
  • SBL391308
  • SBL391315
  • SBL391316
  • SBL391317
  • SBL391318
  • SBL391319
  • SBL392929
  • SBL394781
  • SBL396809
  • SBL396810
  • SBL400694
  • SBL402224
  • SBL402741
  • SBL402742
  • SBL402911
  • SBL403528
  • SBL47622
  • SBL6026
  • SBL6648
  • SBL6658
  • SBL69354
  • SBL69615
  • SBL69616
  • SBL69617
  • SBL69618
  • SBL69619
  • SBL7097
  • SBL7182
  • SBL7244
  • SBL79700
  • SBL79702
  • SBL8083
  • SBL8148
  • SBL8179
  • SBL83326
  • SBL84763
  • SBL84896
  • SBL84941
  • SBL84942
  • SBL84943
  • SBL84944
  • SBL84945
  • SBL84946
  • SBL88206
  • SBL8847
  • SBL89255
  • SBL90515
  • SBL9159
  • SBL93883
  • SBL93884
  • SBL9442
  • SBL9493
  • SBL95012
  • SBL96696
  • SBL96697
  • SBL96698
  • SBL96699
  • SBL96701
  • SBL96702
  • SBL96703
  • SBL96704
  • SBL96708
  • SBL96743
  • SBL96745
  • SBL96747
  • SBL9682
  • SBL97016
  • SBL97023
  • SBL97024
  • SBL97026
  • SBL97208
  • SBL97209
  • SBL97211
  • SBL98307
  • SBL98308
  • SBL9923
threat.category
  • suspect
threat.source
  • spamhaus_drop_list_ip

Spamhaus EDROP List IP Ranges (nwspamhaus_edrop_list_ip)

Description: EDROP (Extended DROP) is an advisory "drop all traffic" list, consisting of stolen 'hijacked' netblocks and netblocks controlled entirely by criminals and professional spammers.

Medium: log, packet

Live Tags: threat, attack phase, operations, event analysis

Index/Trigger Meta Key: ip.src, ip.dst

Registered Meta Keys: threat.category, threat.desc, threat.source

                       
Meta KeyRegistered Values (Unique)
threat.desc
  • SBL122298
  • SBL131095
  • SBL194244
  • SBL198435
  • SBL201196
  • SBL207820
  • SBL208933
  • SBL208936
  • SBL208937
  • SBL208940
  • SBL208943
  • SBL230802
  • SBL233459
  • SBL234552
  • SBL237213
  • SBL237227
  • SBL237235
  • SBL237955
  • SBL247795
  • SBL249532
  • SBL251953
  • SBL251954
  • SBL253581
  • SBL253827
  • SBL253828
  • SBL253829
  • SBL253830
  • SBL258301
  • SBL260479
  • SBL260482
  • SBL260485
  • SBL260487
  • SBL260488
  • SBL260491
  • SBL260492
  • SBL262362
  • SBL266080
  • SBL271294
  • SBL271295
  • SBL273113
  • SBL288322
  • SBL295231
  • SBL295232
  • SBL295234
  • SBL295496
  • SBL308886
  • SBL312759
  • SBL317196
  • SBL343332
  • SBL356227
  • SBL364783
  • SBL364784
  • SBL378148
  • SBL390716
  • SBL390722
  • SBL391282
  • SBL391303
  • SBL391304
  • SBL391309
  • SBL391310
  • SBL394632
  • SBL394633
  • SBL394634
  • SBL394635
  • SBL394636
  • SBL394637
  • SBL394638
  • SBL394639
  • SBL394640
  • SBL394641
  • SBL394642
  • SBL394643
  • SBL394644
  • SBL394645
  • SBL394646
  • SBL394647
  • SBL394648
  • SBL394649
  • SBL394650
  • SBL394651
  • SBL394652
  • SBL394653
  • SBL394654
  • SBL394655
  • SBL394656
  • SBL394657
  • SBL394658
  • SBL394659
  • SBL394660
  • SBL394661
  • SBL394662
  • SBL394663
  • SBL394664
  • SBL394665
  • SBL394666
  • SBL394667
  • SBL394668
  • SBL394669
  • SBL394672
  • SBL394673
  • SBL394674
  • SBL394675
  • SBL394676
  • SBL394677
  • SBL394678
  • SBL394679
  • SBL394680
  • SBL394681
  • SBL394682
  • SBL394683
  • SBL394685
  • SBL394686
  • SBL394687
  • SBL394688
  • SBL394689
  • SBL394690
  • SBL394692
  • SBL394693
  • SBL394695
  • SBL394696
  • SBL394697
  • SBL394698
  • SBL394699
  • SBL394700
  • SBL394701
  • SBL394702
  • SBL394703
  • SBL394704
  • SBL394705
  • SBL394706
  • SBL394707
  • SBL394708
  • SBL398154
  • SBL402809
  • SBL404000
  • SBL404001
threat.category
  • suspect
threat.source
  • spamhaus_edrop_list_ip

spectrum_whitelist.zip (spectrum_whitelist)

Description: Whitelist domains for spectrum.

Medium: log, packet

Live Tags: spectrum, malware analysis, operations, event analysis

Index/Trigger Meta Key: alias.host

Registered Meta Keys: content

               
Meta KeyRegistered Values (Unique)
content

spectrum.filter

TCP Flags Seen (tcp_flags_seen)

Description: Maps ASCII values of TCP Flags (tcp.flags) to a custom key TCP Flags Seen (tcp.flags.seen) that registers the text values of the contained TCP Flags.

Medium: log, packet

Live Tags: event analysis, operations

Index/Trigger Meta Key: tcp.flags

Registered Meta Keys: tcp.flags.seen

               
Meta KeyRegistered Values (Unique)
tcp.flags.seen

Text values of TCP flag combinations seen in the session.

Third Party IOC Domains (nwrsa_third_party_ioc_domain)

Description: Contains domains published as malicious from third party research and publications.

Medium: log, packet

Live Tags: threat, attack phase, malware

Index/Trigger Meta Key: alias.host

Registered Meta Keys: threat.category, threat.desc, threat.source

No current indicators.

Third Party IOC IPs (nwrsa_third_party_ioc_ip)

Description: Contains IPs published as malicious from third party research and publications.

Medium: log, packet

Live Tags: threat, attack phase, malware

Index/Trigger Meta Key: ip.src, ip.dst

Registered Meta Keys: threat.source, threat.category, threat.desc

                       
Meta KeyRegistered Values (Unique)
threat.desc
  • firstwat.ch/amg69b
threat.category
  • bambenek consulting
threat.source
  • rsa-firstwatch
  • third party publicized iocs

Tor Exit Nodes (nwtor_exit_nodes_ip_recent)

Description: Contains IP addresses that are listed as active exit nodes for the Tor network.

Medium: log, packet

Live Tags: threat, attack phase, malware

Index/Trigger Meta Key: ip.src, ip.dst

Registered Meta Keys: threat.category, threat.source

                   
Meta KeyRegistered Values (Unique)
threat.category

suspicious

threat.source

tor-exit-node-ip

Tox Supernode (tox_supernode)

Description: This feed is an alternative to Tox identification. It identifies sessions with known Tox supernodes (hosts that coordinate and facilitate P2P connections). Use of this feed provides hosts that are utilizing the Tox protocol; it does not indicate any specific sessions that are using the Tox protocol.

Medium: log, packet

Live Tags: assurance, event analysis, operations, risk

Index/Trigger Meta Keys: ip.dst, udp.dstport, ip.dstport

Registered Meta Keys: analysis.session

               
Meta KeyRegistered Values (Unique)
analysis.session

tox supernode

Previous Topic:Investigation Feed
You are here
Table of Contents > RSA NetWitness Platform Content > Feeds > In Depth Feeds Information

Attachments

    Outcomes