RSA ESA Rules-2
Each entry below lists the rule name, the rule ID, its description (with version, configuration, dependency and bundle details where the rule has them), the medium it operates on, and its MITRE ATT&CK mapping as tactic:technique pairs.

Rule: Multiple Failed Logins to Single Host from Multiple Hosts
Rule ID: esa000045
Description: Alert when log events contain multiple failed logins to a single host from multiple different sources within 300 seconds. User information is not correlated among the events. Both the time window and the number of failed logins are configurable.
Medium: log
ATT&CK mapping: "credential access":"brute force"

Rule: Multiple Failed Privilege Escalations by Same User
Rule ID: esa000196
Description: Triggers after a user account fails privilege escalation multiple times within a configured period of time.
VERSIONS SUPPORTED
NetWitness 11.1 and higher
CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger an alert. Default: 300 seconds.
* Number of failed privilege escalation attempts. Default: 3.
* Name of the CH list with privileged user accounts. By default, the CH list is named Admin_Accounts. You have to add users to the default Admin_Accounts CH list or replace the default CH list with the name of a custom CH list with privileged user accounts. For a list of out-of-the-box CH lists and how to create and update them, refer to Context Hub Lists (Configure Lists as a Data Source).
DEPENDENCIES
* Admin_Accounts CH list
* Existence of at least one Windows Event log parser or Unix log parser such as 'aix', 'hpux' or 'solaris' enabled on the log decoder
BUNDLES
* UEBA Essentials
Medium: log
ATT&CK mapping: "credential access":"brute force", "privilege escalation":"valid accounts"

Rule: Multiple Intrusion Scan Events from Same Username to Unique Destinations
Rule ID: esa000068
Description: Detects scan events from intrusion devices to unique destinations from the same user. All events leading to the alert have the same username and different destination addresses. This rule triggers when the detected events carry the ECT (Event Classification Tag) ec.activity equal to "Scan".
Medium: log
ATT&CK mapping: "discovery":"network service scanning"

Rule: Multiple Login Failures by Administrators to Domain Controller
Rule ID: esa000198
Description: This rule is triggered when a user enters Administrator credentials to log in to a domain controller and fails multiple times within a certain number of minutes.
VERSIONS SUPPORTED
NetWitness 11.1 and higher
CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger an alert. Default: 180 seconds.
* Number of failed logons to trigger an alert. Default: 3.
* Name of a custom CH list with privileged user accounts. By default, the CH list is named Admin_Accounts. You have to add users to the default Admin_Accounts CH list or replace the default CH list with the name of a custom CH list with privileged user accounts.
* Name of the CH list for the host blacklist. By default, the CH list is named Host_Blacklist. You have to add hosts to the default Host_Blacklist CH list or replace the default CH list with the name of a custom CH host blacklist.
* Name of the CH list for the IP blacklist. By default, the CH list is named IP_Blacklist. You have to add IPs to the default IP_Blacklist CH list or replace the default CH list with the name of a custom CH IP blacklist.
For a list of out-of-the-box CH lists and how to create and update them, refer to Context Hub Lists (Configure Lists as a Data Source).
DEPENDENCIES
* Admin_Accounts CH list
* Host_Blacklist CH list
* IP_Blacklist CH list
* Existence of at least one Windows Event log parser enabled on the log decoder
BUNDLES
* UEBA Essentials
Medium: log
ATT&CK mapping: "credential access":"brute force"

Rule: Multiple Login Failures by Guest to Domain Controller
Rule ID: esa000199
Description: This rule is triggered when a user enters Guest credentials to log in to a domain controller and fails multiple times within a certain number of minutes.
VERSIONS SUPPORTED
NetWitness 11.1 and higher
CONFIGURATION
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger an alert. Default: 180 seconds.
* Number of failed logons to trigger an alert. Default: 3.
* Name of a custom CH list with guest user accounts. By default, the CH list is named Guest_Accounts. You have to add users to the default Guest_Accounts CH list or replace the default CH list with the name of a custom CH list with guest user accounts.
* Name of the CH list for the host blacklist. By default, the CH list is named Host_Blacklist. You have to add hosts to the default Host_Blacklist CH list or replace the default CH list with the name of a custom CH host blacklist.
* Name of the CH list for the IP blacklist. By default, the CH list is named IP_Blacklist. You have to add IPs to the default IP_Blacklist CH list or replace the default CH list with the name of a custom CH IP blacklist.
For a list of out-of-the-box CH lists and how to create and update them, refer to Context Hub Lists (Configure Lists as a Data Source).
DEPENDENCIES
* Guest_Accounts CH list
* Host_Blacklist CH list
* IP_Blacklist CH list
* Existence of at least one Windows Event log parser enabled on the log decoder
BUNDLES
* UEBA Essentials
Medium: log
ATT&CK mapping: "credential access":"brute force"

Rule: Multiple Login Failures Due to Username That Does Not Exist
Rule ID: esa000038
Description: Alerts when log events contain multiple login failures caused by a non-existent username from the same source within 180 seconds. In this scenario, the username being logged into does not exist and is attempted multiple times from the same machine. Both the time window and the number of failed logins are configurable.
Medium: log
ATT&CK mapping: "credential access":"brute force"

Rule: Multiple Login Failures from Same Source IP with Unique Usernames
Rule ID: esa000067
Description: Detects when log events containing multiple failed logins from the same source IP address with unique usernames occur within the specified time period. You can configure the time period (default is 180 seconds) and the number of failed logins (default is three).
BUNDLES
* UEBA Essentials
Medium: log
ATT&CK mapping: "credential access":"brute force"

Rule: Multiple Logs from a MsgID Set with Same SourceIP and DestinationIP
Rule ID: esa000071
Description: Detects when multiple log events from the specified list of message IDs with the same source IP and destination IP take place within the specified time period. You can configure the number of log events (default is three), the list of message IDs, and the time period (default is 300 seconds).
Medium: log
ATT&CK mapping: (none)

Rule: Multiple PsExec Within Short Time
Rule ID: esa000200
Description: This rule is triggered when multiple PsExec.exe instances run within a certain number of minutes. Running PsExec can indicate someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation.
VERSIONS SUPPORTED
* NetWitness 11.3 (Respond Alerting only)
* NetWitness 11.4 and higher (Full Support)
DEPENDENCIES
* NetWitness Endpoint Server
Medium: endpoint
ATT&CK mapping: "execution":"service execution"

Rule: Multiple Service Connections with Authorization Failures
Rule ID: esa000051
Description: Detects 4 failed login attempts from the same source to the same destination on different destination ports within a 5 minute period. You can configure the time period, the list of destination ports to be monitored, and the number of connection attempts.
Medium: log
ATT&CK mapping: "credential access":"brute force"

Rule: Multiple Successful Logins from Multiple Diff Src to Diff Dest
Rule ID: esa000183
Description: Alert when log events contain multiple successful logins by a single user from multiple different sources to multiple different destinations.
VERSIONS SUPPORTED
* NetWitness 11.3 and higher
* NetWitness 11.1 - 11.2 (see CONFIGURATION)
CONFIGURATION
For this rule to deploy successfully prior to version 11.3, make sure the meta keys 'host_src' and 'host_dst' used within the rule are listed as array types within ESA. Refer to the 'ESA Configuration Guide', section 'Configure Meta Keys as Arrays in ESA Correlation Rule Values'.
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger an alert. Default: 180 seconds.
* Number of successful logons to trigger an alert. Default: 3.
* Name of the CH list for the user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist.
* Name of the CH list for the host whitelist. By default, the CH list is named Host_Whitelist. You have to add hosts to the default Host_Whitelist CH list or replace the default CH list with the name of a custom CH host whitelist.
* Name of the CH list for the IP whitelist. By default, the CH list is named IP_Whitelist. You have to add IPs to the default IP_Whitelist CH list or replace the default CH list with the name of a custom CH IP whitelist.
For a list of out-of-the-box CH lists and how to create and update them, refer to Context Hub Lists (Configure Lists as a Data Source).
DEPENDENCIES
* User_Whitelist CH list
* Host_Whitelist CH list
* IP_Whitelist CH list
* Existence of at least one log parser enabled on the log decoder that populates ec_activity = Logon and ec_outcome = Success
BUNDLES
* UEBA Essentials
Medium: log
ATT&CK mapping: "privilege escalation":"valid accounts", "defense evasion":"valid accounts", "persistence":"valid accounts", "initial access":"valid accounts"

Rule: Multiple Successful Logins from Multiple Diff Src to Same Dest
Rule ID: esa000191
Description: Alert when log events contain multiple successful logins by a single user from multiple different sources to the same destination within the configured time.
VERSIONS SUPPORTED
* NetWitness 11.3 and higher
* NetWitness 11.1 - 11.2 (see CONFIGURATION)
CONFIGURATION
For this rule to deploy successfully prior to version 11.3, make sure the meta keys 'host_src' and 'host_dst' used within the rule are listed as array types within ESA. Refer to the 'ESA Configuration Guide', section 'Configure Meta Keys as Arrays in ESA Correlation Rule Values'.
Rule Parameters:
* Within this number of seconds: the time window within which the events must occur to trigger an alert. Default: 3600 seconds.
* Number of successful logins to trigger an alert. Default: 3.
* Name of the CH list for the user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist.
* Name of the CH list for the host whitelist. By default, the CH list is named Host_Whitelist. You have to add hosts to the default Host_Whitelist CH list or replace the default CH list with the name of a custom CH host whitelist.
* Name of the CH list for the IP whitelist. By default, the CH list is named IP_Whitelist. You have to add IPs to the default IP_Whitelist CH list or replace the default CH list with the name of a custom CH IP whitelist.
For a list of out-of-the-box CH lists and how to create and update them, refer to Context Hub Lists (Configure Lists as a Data Source).
DEPENDENCIES
* User_Whitelist CH list
* Host_Whitelist CH list
* IP_Whitelist CH list
* Existence of at least one log parser enabled on the log decoder that populates ec_activity = Logon and ec_outcome = Success
BUNDLES
* UEBA Essentials
Medium: log
ATT&CK mapping: "privilege escalation":"valid accounts", "defense evasion":"valid accounts"
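Most of the rules above share one shape: filter events of a given kind, group them by one or more keys, count how many distinct values of another field appear inside a sliding time window, and fire once the count reaches a threshold, skipping anything on a whitelist list. The following is an added illustration of that correlation pattern in Python; it is not RSA/NetWitness code or the EPL behind these rules. It models esa000067 (same source IP, unique usernames, 3 in 180 s), esa000045 (one destination host, distinct sources, 3 in 300 s) and esa000191 (one user to one destination from distinct sources, 3 in 3600 s, with User_Whitelist/IP_Whitelist style exclusions). The field names user, src_ip, dst_host, ec_activity and ec_outcome mirror the meta keys named on the page; the events, hostnames, IPs and whitelist entries are constructed for the example.

```python
"""Sliding-window correlation in the style of the ESA rules above.
Added example, not NetWitness code. Events are dicts with a 'time' (seconds)
plus the fields the rules key on; all sample data below is constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Event = dict


@dataclass
class Rule:
    rule_id: str
    match: Callable[[Event], bool]    # which events this rule looks at
    group_by: Tuple[str, ...]         # events are correlated per this key
    distinct: str                     # field that must take N distinct values
    threshold: int                    # N
    window: int                       # seconds
    whitelist: Dict[str, Set[str]] = field(default_factory=dict)  # CH-list style exclusions


@dataclass
class Alert:
    rule_id: str
    key: Tuple
    values: List[str]
    time: int


class Correlator:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # per rule, per group key: deque of (time, distinct-field value)
        self.state = {r.rule_id: defaultdict(deque) for r in rules}

    def feed(self, ev: Event) -> List[Alert]:
        """Consume one event (events must arrive in time order); return alerts fired."""
        alerts = []
        for rule in self.rules:
            if not rule.match(ev):
                continue
            if any(ev.get(f) in vals for f, vals in rule.whitelist.items()):
                continue  # whitelisted user/host/IP: not correlated at all
            key = tuple(ev[f] for f in rule.group_by)
            win = self.state[rule.rule_id][key]
            win.append((ev["time"], ev[rule.distinct]))
            while win and ev["time"] - win[0][0] > rule.window:
                win.popleft()  # drop events that fell out of the window
            seen = sorted({v for _, v in win})
            if len(seen) >= rule.threshold:
                alerts.append(Alert(rule.rule_id, key, seen, ev["time"]))
                win.clear()  # one alert per burst, then start counting again
        return alerts


def failed_logon(ev):  return ev["ec_activity"] == "Logon" and ev["ec_outcome"] == "Failure"
def success_logon(ev): return ev["ec_activity"] == "Logon" and ev["ec_outcome"] == "Success"

RULES = [
    Rule("esa000067", failed_logon, ("src_ip",), "user", 3, 180),
    Rule("esa000045", failed_logon, ("dst_host",), "src_ip", 3, 300),
    Rule("esa000191", success_logon, ("user", "dst_host"), "src_ip", 3, 3600,
         whitelist={"user": {"svc_backup"}, "src_ip": {"10.0.0.5"}}),
]


def ev(t, user, src, dst, outcome):  # constructed sample event
    return {"time": t, "user": user, "src_ip": src, "dst_host": dst,
            "ec_activity": "Logon", "ec_outcome": outcome}

SAMPLE_EVENTS = [
    # one source trying three usernames on srv-dc01 within 60 s -> esa000067
    ev(0, "alice", "198.51.100.7", "srv-dc01", "Failure"),
    ev(20, "bob", "198.51.100.7", "srv-dc01", "Failure"),
    ev(60, "carol", "198.51.100.7", "srv-dc01", "Failure"),
    # three sources failing against srv-web01 within 250 s -> esa000045
    ev(100, "admin", "203.0.113.1", "srv-web01", "Failure"),
    ev(200, "admin", "203.0.113.2", "srv-web01", "Failure"),
    ev(350, "admin", "203.0.113.3", "srv-web01", "Failure"),
    # dave succeeds to srv-file01 from three sources within an hour -> esa000191
    ev(1000, "dave", "10.0.0.11", "srv-file01", "Success"),
    ev(1500, "dave", "10.0.0.12", "srv-file01", "Success"),
    ev(2000, "dave", "10.0.0.13", "srv-file01", "Success"),
    # same pattern for a whitelisted service account -> no alert
    ev(3000, "svc_backup", "10.0.0.21", "srv-file01", "Success"),
    ev(3100, "svc_backup", "10.0.0.22", "srv-file01", "Success"),
    ev(3200, "svc_backup", "10.0.0.23", "srv-file01", "Success"),
]


def run(events=SAMPLE_EVENTS, rules=RULES) -> List[Alert]:
    corr = Correlator(rules)
    out: List[Alert] = []
    for e in sorted(events, key=lambda x: x["time"]):
        out.extend(corr.feed(e))
    return out


if __name__ == "__main__":
    for a in run():
        print(f"{a.rule_id} t={a.time} key={a.key} distinct={a.values}")
```

The sample run yields exactly three alerts, one per modelled rule; the whitelisted service account produces none, and the first three failures do not trip esa000045 because they share a single source. Changing a rule's threshold or window in RULES is the equivalent of editing the "Within this number of seconds" and count parameters described in the entries above.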