
RSA ESA Rules

Tags: Threat Intelligence

The following table illustrates how the current RSA Event Stream Analysis Rules are displayed in the ESA Define view after you download them from Live. The Module Name is the internal identification code for the rule.

Note: For content that has been discontinued, see Discontinued Content.

Pivot to Investigate > Navigate from Respond May Not Work

In ESA rules that do not select every piece of meta from the session (that is, rules that do not use select *), you may find that data privacy (if enabled) and the Pivot to Investigate > Navigate link accessed from a context tooltip in the Respond Incident Details view do not work. For details on how to fix this, see the "Update any ESA Rule that Selects Only Certain Meta Keys from the Session to Include event_source_id" section in the Alerting with ESA Correlation Rules User Guide.

List of ESA Rules

  • Display Name: Account Added to Administrators Group and Removed
  • File Name: esa000090
  • Description: Detects log events when a user is added to an administrative group and then removed from the group within 15 minutes. Both the list of administrator groups and event time window are configurable.

    CONFIGURATION
    Rule Parameters:
    * Within this number of seconds: the time window within which the add and remove events must both occur for the rule to trigger. By default, 900 seconds
    * List of Administrator groups: the groups to monitor. By default, the groups are Administrators, root and wheel

    DEPENDENCIES
    * Existence of at least one Windows Event or Unix log parser enabled on the log decoder

    BUNDLES
    * UEBA Essentials
  • Medium: log
  • Tag: "credential access":"account manipulation", "persistence":"account manipulation"

  • Display Name: Account Removals From Protected Groups on Domain Controller
  • File Name: esa000133
  • Description: Detects account removal from a protected group on a domain controller. There are five parameters: device hostnames to monitor, device IP addresses to monitor, protected groups to monitor, number of times an account was removed before the alert triggers and number of seconds in which events must occur.
  • Medium: log
  • Tag: "credential access":"account manipulation", "persistence":"account manipulation"

  • Display Name: Aggressive Internal Database Scan
  • File Name: esa000104
  • Description: Detects a single host making connection attempts to 100 or more unique IP addresses in 1 minute over any combination of the following ports: TCP/1433, UDP/1434, TCP/3306, TCP/5432, TCP/3351, TCP/1521. Source & Destination IP addresses must be internal addresses according to the RFC-1918 specification. The time window, list of port numbers and target host count are configurable.
  • Medium: packet
  • Tag: "discovery":"network service scanning"

  • Display Name: Aggressive Internal NetBIOS scan
  • File Name: esa000103
  • Description: Detects a single host making connection attempts to 100 or more unique IP addresses in 1 minute over any combination of the following ports: UDP/137, UDP/138, TCP/139. Source & Destination IP addresses must be internal addresses according to the RFC-1918 specification. The time window, list of port numbers and target host count are configurable.
  • Medium: packet
  • Tag: "discovery":"network service scanning"

  • Display Name: Aggressive internal web portal scan
  • File Name: esa000102
  • Description: Detects a single host making connection attempts to 100 or more unique IP addresses in 1 minute over any combination of TCP/80 and TCP/443. Source & Destination IPs must be internal addresses according to the RFC-1918 specification. The list of ports, time window, and target host count are configurable.
  • Medium: packet
  • Tag: "discovery":"network service scanning"

  • Display Name: AWS Critical VM Modified
  • File Name: esa000134
  • Description: Detects when Amazon Web Services (AWS) critical virtual machine instances are modified. Actions detected by this module include instances being terminated, stopped and rebooted as well as modification of instance attributes and monitoring status. In order to trigger an alert, a custom feed or application rule of critical instance source IPs must be created to populate the 'alert' meta key with the value 'critical_vm'.

    VERSIONS SUPPORTED
    * 11.3 and higher
    * 11.2 and prior (see CONFIGURATION)

    CONFIGURATION
    For this rule to successfully deploy prior to version 11.3, be sure the meta key of 'alert' used within the rule is listed as an array type within ESA. Refer to the 'ESA Configuration Guide' within the section 'Configure Meta Keys as Arrays in ESA Correlation Rule Values'.

    DEPENDENCIES
    * CEF Log Parser
  • Medium: log
  • Tag:

  • Display Name: AWS Permissions Modified Followed By Instance State Change
  • File Name: esa000155
  • Description: Detects when an Amazon Web Services (AWS) permission is modified followed by an instance state change. By default, the creation of a new user followed by a run of a new instance or termination of an existing instance within 5 minutes triggers the rule. The list of permission modifications, instance state changes and time window are configurable.

    VERSIONS SUPPORTED
    NetWitness 10.5 and higher

    CONFIGURATION
    * Deploy the latest Envision Config File and CEF log parser from Live to enable proper meta generation on the Log Decoder
    * Prior to 11.3.2, add an entry for the reference.id1 meta key to the index-concentrator-custom.xml file:

    * Restart the Concentrator service to force the index update, or wait the configured number of hours for index synchronization
    * Deploy the rule to the ESA service

    Rule Parameters:
    * Event descriptions indicating instance state change. By default, TerminateInstances and RunInstances event descriptions are configured
    * Event descriptions indicating permissions modified. By default, it's a CreateUser event description
    * Within this number of seconds. By default, 300 seconds

    DEPENDENCIES
    * CEF log parser
  • Medium: log
  • Tag: "credential access":"account manipulation", "persistence":"account manipulation"

  • Display Name: Backdoor Activity Detected
  • File Name: esa000061
  • Description: The rule will detect backdoor activity using logs. By default, the rule will trigger when there is a variation of the keyword backdoor found in either policy.name or event.category.name. This rule may also be customized with a list of backdoor names and will look for these names in either policy.name or event.category.name.
  • Medium: log
  • Tag:

  • Display Name: BYOD Mobile Web Agent Detected
  • File Name: esa000117
  • Description: Detects a web-browsing agent for a mobile device. To configure the rule, specify the list of unauthorized browser agents and remove any mobile agents that are authorized from the list. The rule is triggered when an employee uses an unauthorized device on the network. In addition to the list of unauthorized browser agents, the following parameters are also configurable: the number of connections allowed per source before the alert is triggered and the time window within which the unauthorized use takes place.
  • Medium: packet
  • Tag: "execution":"third-party software", "lateral movement":"third-party software"

  • Display Name: Client Using Multiple DHCP Servers
  • File Name: esa000152
  • Description: Detects a connection from a single IP address to 2 or more destination IP addresses on UDP 67 or UDP 68 within 10 minutes. The time period is configurable.
  • Medium: log, packet
  • Tag:

  • Display Name: Detection of Encrypted Traffic to Countries
  • File Name: esa000065
  • Description: Detects when there is encrypted traffic to an IP address registered in the specified list of destination countries. Note: You must deploy and enable the TLS_lua parser, the SSH_lua parser and their dependencies on the Decoder.
  • Medium:
  • Tag: "privilege escalation":"valid accounts", "defense evasion":"valid accounts", "persistence":"valid accounts", "initial access":"valid accounts"

  • Display Name:
  • File Name:
  • Description:
  • Medium: log
  • Tag: "credential access":"brute force", "credential access":"account manipulation", "persistence":"account manipulation"

  • Display Name:
  • File Name:
  • Description:
  • Medium: log
  • Tag: "defense evasion":"indicator removal on host", "defense evasion":"valid accounts", "persistence":"valid accounts", "initial access":"valid accounts"

  • Display Name:
  • File Name:
  • Description:
  • Medium: log
  • Tag: "credential access":"account manipulation", "persistence":"account manipulation"

  • Display Name: Lateral Movement Suspected Windows
  • File Name:
  • Description:
  • Medium: log
  • Tag: "command and control":"remote file copy", "lateral movement":"remote file copy", "persistence":"new service", "privilege escalation":"new service", "execution":"service execution"

  • Display Name:
  • File Name:
  • Description:
  • Medium: log
  • Tag: "privilege escalation":"valid accounts", "defense evasion":"valid accounts", "persistence":"valid accounts", "initial access":"valid accounts"

  • Display Name:
  • File Name:
  • Description:
  • Medium: log
  • Tag: "credential access":"brute force"

  • Display Name: Multiple Failed Logins Followed By Successful Login
  • File Name: esa000174
  • Description:
  • Medium: log
  • Tag: "credential access":"brute force"

  • Display Name: Multiple Failed Logins from Multiple Diff Sources to Same Dest
  • File Name:
  • Description:
  • Medium: log
  • Tag: "credential access":"brute force"

  • Display Name: Multiple Failed Logins from Multiple Users to Same Destination
  • File Name: esa000192
  • Description:
  • Medium: log
  • Tag: "credential access":"brute force"

  • Display Name: Multiple Failed Logins from Same User Originating from Different Countries
  • File Name: esa000193
  • Description:
  • Medium: log
  • Tag: "credential access":"brute force"
