RSA Application Rules- 10

Column 1: Scripting Engine Runs Powershell
Column 2: scripting_engine_runs_powershell
Column 3: Common cyber criminals and targeted attackers heavily use PowerShell, as its flexibility makes it an ideal attack tool for windows based systems. Scripting engine Running powershell can be an indication of someone trying to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = scripting engine runs powershell
Column 4: endpoint
Column 5: "execution":"scripting"

Column 1: Scripting Engine Runs Regsvr32
Column 2: scripting_engine_runs_regsvr32
Column 3: Regsvr32.exe is a command-line program used to register and unregister object linking such as dynamic link libraries (DLLs), on Windows systems. Scripting engine runs regsvr32 can be an indication of someone trying to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* analysis.file = scripting engine runs regsvr32
Column 4: endpoint
Column 5: "execution":"scripting"

Column 1: Scripting Engine Runs Rundll32
Column 2: scripting_engine_runs_rundll32
Column 3: Scripting engine running rundll32 process can be an indication of someone trying to run malicious DLLs and placing its libraries in the memory to exploit the system, which can be further used to gain access, to do lateral movement or to gain elevated privileges. Attackers may take advantage of this to proxy execution of code to avoid triggering security tools.

VERSIONS SUPPORTED
* NetWitness Platform 11.3 and higher

DEPENDENCIES
* NetWitness Endpoint Server

GENERATED META KEYS
* boc = scripting engine runs rundll32
Column 4: endpoint
Column 5: "execution":"scripting"

Column 1: SecurID Cloud Add Admin
Column 2: securid_cloud_add_admin
Column 3: Raises an alert when RSA SecurID (Cloud) admin adds another admin.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
Column 4: log
Column 5: "credential access":"account manipulation"

Column 1: SecurID Cloud API Keys Added
Column 2: securid_cloud_api_keys_added
Column 3: Raises an alert when RSA SecurID (Cloud) Access admin API keys are added.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
Column 4: log
Column 5: "credential access":"account manipulation"

Column 1: SecurID Cloud API Keys Deleted
Column 2: securid_cloud_api_keys_deleted
Column 3: Raises an alert when RSA SecurID (Cloud) Access admin API keys are deleted or edited.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
Column 4: log
Column 5: "credential access":"account manipulation"

Column 1: SecurID Cloud Approve Auth Failure
Column 2: securid_cloud_approve_auth_failure
Column 3: Raises an alert when RSA SecurID (Cloud) Access user approve authentication fails.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
Column 4: log
Column 5: "credential access":""

Column 1: SecurID Cloud Approve Auth Success
Column 2: securid_cloud_approve_auth_success
Column 3: Raises an alert when RSA SecurID (Cloud) Access user approve authentication is succeeded.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
Column 4: log
Column 5: "credential access":""

Column 1: SecurID Cloud Audit Log Config Changed
Column 2: securid_cloud_audit_log_config_changed
Column 3: Raises an alert when RSA SecurID (Cloud) admin audit log configuration is changed.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
Column 4: log
Column 5: "defense evasion":"indicator removal on host"

Column 1: SecurID Cloud Auth Failure
Column 2: securid_cloud_auth_failure
Column 3: Raises an alert when RSA SecurID (Cloud) user authentication fails.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
Column 4: log
Column 5: "credential access":""

Column 1: SecurID Cloud Auth Success
Column 2: securid_cloud_auth_success
Column 3: Raises an alert when RSA SecurID (Cloud) user authentication succeeds.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
Column 4: log
Column 5: "credential access":""

Column 1: SecurID Cloud Delete Admin
Column 2: securid_cloud_delete_admin
Column 3: Raises an alert when RSA SecurID (Cloud) admin deletes another admin.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
Column 4: log
Column 5: "credential access":"account manipulation"

Column 1: SecurID Cloud Device Register Failure
Column 2: securid_cloud_device_register_failure
Column 3: Raises an alert when RSA SecurID (Cloud) device registration fails.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
Column 4: log
Column 5: "":""

Column 1: SecurID Cloud Device Register Success
Column 2: securid_cloud_device_register_success
Column 3: Raises an alert when RSA SecurID (Cloud) device registration succeeds.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
Column 4: log
Column 5: "":""

Column 1: SecurID Cloud FIDO Auth Failure
Column 2: securid_cloud_fido_auth_failure
Column 3: Raises an alert when RSA SecurID (Cloud) user FIDO token authentication fails.

VERSIONS SUPPORTED
10.6.5.x and higher
This is supported only for the SecurID Cloud platform

CONFIGURATION
Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document
Use the latest table-map.xml
Column 4: log
Column 5: "credential access":""

Column 1: SecurID Cloud FIDO Auth Success
Column 2: securid_cloud_fido_auth_success
Column 3: Raises an alert when RSA SecurID (Cloud) user FIDO toke , 196, 196);width: 7.74039%;>log
Column 4: "credential access":""

Column 1: SecurID Cloud IDR Deleted
Column 2: securid_cloud_idr_deleted