The RSA FirstWatch feeds are updated periodically, so please check back regularly to get the latest information.
Note: For content that has been discontinued, see Discontinued Content.
List of Feeds
Alert IDs Info (alertids_info)
Description: Alert ID-to-name mappings for informational alerts.
Medium: log, packet
Live Tags: none
Index/Trigger Meta Key: alert.id
Registered Meta Keys: risk.info, threat.category, threat.source
Meta Key | Registered Values (Unique) |
---|---|
risk.info | Name of application rule or Lua parser logic |
threat.category | netwitness |
threat.source | |
Alert IDs Suspicious (alertids_suspicious)
Description: Alert ID-to-name mappings for suspicious alerts.
Medium: log, packet
Live Tags: none
Index/Trigger Meta Key: alert.id
Registered Meta Keys: risk.suspicious, threat.category, threat.source
Meta Key | Registered Values (Unique) |
---|---|
risk.suspicious | Name of application rule or Lua parser logic |
threat.category | netwitness |
threat.source | |
Alert IDs Warning (alertids_warning)
Description: Alert ID-to-name mappings for warning alerts.
Medium: log, packet
Live Tags: none
Index/Trigger Meta Key: alert.id
Registered Meta Keys: risk.warning, threat.category, threat.source
Meta Key | Registered Values (Unique) |
---|---|
risk.warning | Name of application rule or Lua parser logic |
threat.category | netwitness |
threat.source | |
Common Doc Extensions (common-doc-extensions)
Description: Alerts on extensions as follows: doc, xls, ppt, pdf, txt, xml.
Medium: log, packet
Live Tags: operations, event analysis
Index/Trigger Meta Keys: extension, alert.id
Registered Meta Keys: risk.info
Meta Key | Registered Values (Unique) |
---|---|
risk.info | common document formats |
Dynamic DNS Domains (dynamic_dns)
Description: Identifies many commonly seen dynamic DNS-related domains.
Medium: log, packet
Live Tags: operations, event analysis
Index/Trigger Meta Key: alias.host
Registered Meta Keys: threat.category, threat.desc, threat.source
Meta Key | Registered Values (Unique) |
---|---|
threat.desc | dynamic dns domain |
threat.category | suspicious |
threat.source | netwitness |
Investigation (investigation)
Description: The investigation keys (inv.category, inv.context) assist in categorizing collections based on common-practice response scenarios. These keys explain why a given session or log was highlighted. For more details, see the Investigation Feed documentation.
Medium: log, packet
Live Tags: assurance, identity, operations, threat
Index/Trigger Meta Key: alert.id
Registered Meta Keys: inv.category, inv.context, feed.name
Meta Key | Registered Values (Unique) |
---|---|
inv.category | |
inv.context | |
feed.name | investigation |
Malware Domain List (nwmalwaredomainlist)
Description: List of domains commonly associated with malware sourced from www.malwaredomainlist.com.
Medium: log, packet
Live Tags: threat, malware
Index/Trigger Meta Key: alias.host
Registered Meta Keys: threat.category, threat.desc, threat.source
Meta Key | Registered Values (Unique) |
---|---|
threat.desc | |
threat.category | |
threat.source | |
Malware IP List (nwmalwareiplist)
Description: List of IP addresses commonly associated with malware sourced from www.malwaredomainlist.com.
Medium: log, packet
Live Tags: threat, malware
Index/Trigger Meta Key: ip.src, ip.dst
Registered Meta Keys: threat.category, threat.desc, threat.source
Meta Key | Registered Values (Unique) |
---|---|
threat.desc | |
threat.category | |
threat.source | |
RSA FirstWatch APT Threat Domains (nwconst_apt_domain)
Description: Contains domains known to be associated with Advanced Persistent Threats (APTs).
Medium: log, packet
Live Tags: featured, threat, attack phase
Index/Trigger Meta Key: alias.host
Registered Meta Keys: threat.category, threat.desc, threat.source
No current indicators.
RSA FirstWatch APT Threat IPs (nwconst_apt_ip)
Description: Contains IP addresses known to be associated with Advanced Persistent Threats (APTs).
Medium: log, packet
Live Tags: featured, threat, attack phase
Index/Trigger Meta Key: ip.src, ip.dst
Registered Meta Keys: threat.category, threat.desc, threat.source
No current indicators.
RSA FirstWatch Command and Control Domains (nwconst_c2_domains)
Description: Contains domains that are known to be associated with malware command and control.
Medium: log, packet
Live Tags: threat, attack phase
Index/Trigger Meta Key: alias.host
Registered Meta Keys: threat.category, threat.desc, threat.source
Meta Key | Registered Values (Unique) |
---|---|
threat.desc | |
threat.category | |
threat.source | |
RSA FirstWatch Command and Control IPs (nwconst_c2_ips)
Description: Contains IPs that are known to be associated with malware command and control.
Medium: log, packet
Live Tags: threat, attack phase
Index/Trigger Meta Key: ip.src, ip.dst
Registered Meta Keys: threat.category, threat.desc, threat.source
No current indicators.
RSA FirstWatch Criminal SOCKS node IPs (nwconst_socks_proxies_ip_recent)
Description: Contains IP addresses that represent known SOCKS nodes for criminal anonymization services.
Medium: log, packet
Live Tags: threat, attack phase, malware
Index/Trigger Meta Key: ip.src, ip.dst
Registered Meta Keys: threat.category, threat.desc, threat.source
Meta Key | Registered Values (Unique) |
---|---|
threat.desc | |
threat.category | |
threat.source | |
RSA FirstWatch Criminal VPN Entry IPs (nwconst_vpn_entry_ip_recent)
Description: Contains IP addresses that represent known VPN entry nodes for criminal anonymization services.
Medium: log, packet
Live Tags: threat, attack phase, malware
Index/Trigger Meta Key: ip.src, ip.dst
Registered Meta Keys: Dynamically generated from feed server.
No current indicators.
RSA FirstWatch Criminal VPN Exit IPs (nwconst_vpn_exit_ip_recent)
Description: Contains IP addresses that represent known VPN exit nodes for criminal anonymization services.
Medium: log, packet
Live Tags: threat, attack phase, malware
Index/Trigger Meta Key: ip.src, ip.dst
Registered Meta Keys: threat.category, threat.desc, threat.source
Meta Key | Registered Values (Unique) |
---|---|
threat.desc | |
threat.category | |
threat.source | |
RSA FirstWatch SSL Blacklist (ssl_blacklist)
Description: Allows analysts to identify web domains with blacklisted SSL certificates.
Medium: packet
Live Tags: malware, threat
Index/Trigger Meta Key: ssl.ca, ssl.serial
Registered Meta Keys: checksum, threat.source, threat.category, threat.desc, inv.category, inv.context, ioc, feed.name, feed.desc, feed.category
Meta Key | Registered Values (Unique) |
---|---|
checksum | MD5 hash of the file that connected to the malicious server using the blacklisted SSL certificate. |
threat.source | abuse.ch |
threat.category | malware |
threat.desc | Listing reason for the blacklisted SSL certificate. |
inv.category | threat |
inv.context | malware |
ioc | blacklisted ssl cert |
feed.name | rsa firstwatch ssl blacklist |
feed.desc | ssl.ca:ssl.serial |
feed.category | network activity |
RSA Fraud Action Domains (nwrsafraudactiondomain)
Description: Developed and maintained by the RSA FraudAction Intelligence team, this feed contains domains that host malicious online activity, and thus present a risk to your infrastructure.
Medium: log, packet
Live Tags: threat, attack phase, malware
Index/Trigger Meta Key: ip.src, ip.dst
Registered Meta Keys: threat.category, threat.desc, threat.source
No current indicators.
RSA Fraud Action IPs (nwrsafraudactionip)
Description: Developed and maintained by the RSA FraudAction Intelligence team, this feed contains IP addresses that host malicious online activity, and thus present a risk to your infrastructure.
Medium: log, packet
Live Tags: threat, attack phase, malware
Index/Trigger Meta Key: ip.addr
Registered Meta Keys: threat.category, threat.desc, threat.source
No current indicators.
Spamhaus DROP List IP Ranges (nwspamhaus_drop_list_ip)
Description: DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting of stolen ("hijacked") netblocks and netblocks controlled entirely by criminals and professional spammers.
Medium: log, packet
Live Tags: threat, attack phase, operations, event analysis
Index/Trigger Meta Key: ip.src, ip.dst
Registered Meta Keys: threat.category, threat.desc, threat.source
Meta Key | Registered Values (Unique) |
---|---|
threat.desc | |
threat.category | |
threat.source | |
Spamhaus EDROP List IP Ranges (nwspamhaus_edrop_list_ip)
Description: EDROP (Extended DROP) is an advisory "drop all traffic" list, consisting of stolen ("hijacked") netblocks and netblocks controlled entirely by criminals and professional spammers.
Medium: log, packet
Live Tags: threat, attack phase, operations, event analysis
Index/Trigger Meta Key: ip.src, ip.dst
Registered Meta Keys: threat.category, threat.desc, threat.source
Meta Key | Registered Values (Unique) |
---|---|
threat.desc | |
threat.category | |
threat.source | |
spectrum_whitelist.zip (spectrum_whitelist)
Description: Whitelist domains for spectrum.
Medium: log, packet
Live Tags: spectrum, malware analysis, operations, event analysis
Index/Trigger Meta Key: alias.host
Registered Meta Keys: content
Meta Key | Registered Values (Unique) |
---|---|
content | spectrum.filter |
TCP Flags Seen (tcp_flags_seen)
Description: Maps ASCII values of TCP Flags (tcp.flags) to a custom key TCP Flags Seen (tcp.flags.seen) that registers the text values of the contained TCP Flags.
Medium: log, packet
Live Tags: event analysis, operations
Index/Trigger Meta Key: tcp.flags
Registered Meta Keys: tcp.flags.seen
Meta Key | Registered Values (Unique) |
---|---|
tcp.flags.seen | Text values of TCP flag combinations seen in the session. |
Third Party IOC Domains (nwrsa_third_party_ioc_domain)
Description: Contains domains published as malicious from third party research and publications.
Medium: log, packet
Live Tags: threat, attack phase, malware
Index/Trigger Meta Key: alias.host
Registered Meta Keys: threat.category, threat.desc, threat.source
No current indicators.
Third Party IOC IPs (nwrsa_third_party_ioc_ip)
Description: Contains IPs published as malicious from third party research and publications.
Medium: log, packet
Live Tags: threat, attack phase, malware
Index/Trigger Meta Key: ip.src, ip.dst
Registered Meta Keys: threat.source, threat.category, threat.desc
Meta Key | Registered Values (Unique) |
---|---|
threat.desc | |
threat.category | |
threat.source | |
Tor Exit Nodes (nwtor_exit_nodes_ip_recent)
Description: Contains IP addresses that are listed as active exit nodes for the Tor network.
Medium: log, packet
Live Tags: threat, attack phase, malware
Index/Trigger Meta Key: ip.src, ip.dst
Registered Meta Keys: threat.category, threat.source
Meta Key | Registered Values (Unique) |
---|---|
threat.category | suspicious |
threat.source | tor-exit-node-ip |
Tox Supernode (tox_supernode)
Description: This feed is an alternative means of Tox identification. It identifies sessions with known Tox supernodes (hosts that coordinate and facilitate P2P connections). The feed identifies hosts that are using the Tox protocol; it does not identify the specific sessions that carry Tox traffic.
Medium: log, packet
Live Tags: assurance, event analysis, operations, risk
Index/Trigger Meta Keys: ip.dst, udp.dstport, ip.dstport
Registered Meta Keys: analysis.session
Meta Key | Registered Values (Unique) |
---|---|
analysis.session | tox supernode |