
RSA ESA Rules-3

  • Name: User Login Baseline
  • Rule ID: esa000173
  • Description: This rule detects user accounts suspected of misuse through credential compromise or a malicious insider. The account is flagged because of unusual login activity within the organization. Login activity per user is stored and a score is calculated. When that score exceeds a configurable threshold and the number of unique devices logged into is unusual, an alert is generated.

    REFERENCES
    For more details about this rule, see the User Login Baseline topic at https://community.netwitness.com/t5/netwitness-platform-threat/user-login-baseline-rule/ta-p/677886

    VERSIONS SUPPORTED
    * NetWitness 11.3 and higher
    * NetWitness 11.1 - 11.2 (see CONFIGURATION)

    CONFIGURATION
    For this rule to deploy successfully prior to version 11.3, make sure the meta keys 'host_src' and 'host_dst' used within the rule are listed as array types within ESA. Refer to the 'ESA Configuration Guide', section 'Configure Meta Keys as Arrays in ESA Correlation Rule Values'.

    Rule Parameters:
    * Blacklist of device classes. By default, each device class supported by RSA is listed.
    * Maximum average for user login activity. By default, this is 150 user logins over the length of the baseline.
    * Maximum login count. By default, this is 300 user logins over the current 24-hour window.
    * Minimum average for user login activity. By default, this is an average of 3 user logins over the length of the baseline.
    * Name of the CH list for the user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default with the name of a custom CH user whitelist. For a list of out-of-the-box CH lists and how to create and update them, refer to Context Hub Lists (Configure Lists as a Data Source).
    * Number of days to baseline user login activity. By default, the rule stores user login activity for 7 days.
    * Score threshold to trigger the rule. By default, the score threshold is 80.

    DEPENDENCIES
    * User_Whitelist CH list
    * At least one log parser that populates ec_activity = Logon and ec_outcome = Success or Failure with a non-null user_dst key

    BUNDLES
    * UEBA Essentials
  • Medium: log
  • Tags: "privilege escalation":"valid accounts", "defense evasion":"valid accounts", "persistence":"valid accounts", "initial access":"valid accounts"

  • Name: VM Clone After Multiple Root ESX Login Attempts
  • Rule ID: esa000050
  • Description: 10.4 or higher. Alerts when 3 root login failures to an ESX server are followed by a successful root login to an ESX server and then a VM Clone event, all within 5 minutes. The time window and the number of root login failures are configurable.
  • Medium: log
  • Tags: "credential access":"brute force"

  • Name: Web DoS Alert
  • Rule ID: esa000095
  • Description: Alerts to a possible web DoS when 40 connection attempts occur within a 1-minute period, over port 80 or 443, from unique source IP addresses to the same destination IP address. The number of connection attempts, the list of TCP destination ports, and the whitelist of source IP addresses are configurable.

    VERSIONS SUPPORTED
    * NetWitness 11.4 and higher
    * NetWitness 11.3 and prior (requires configuration)

    CONFIGURATION
    For NetWitness 11.3 and prior, you must add the meta key 'event_source_id' to the index-concentrator.xml file. See the topic 'Customize the Meta Framework' at https://community.netwitness.com/t5/netwitness-platform-threat/customize-the-meta-framework/ta-p/677978 for details on how to make this change. Without this step, ESA will not recognize the meta key and the rule will fail to deploy. This meta key is required for data masking.

    DEPENDENCIES
    * NETWORK Decoder parser
  • Medium: packet
  • Tags: action on objectives, attack phase, denial of service, threat

  • Name: Web DoS Attack
  • Rule ID: esa000030
  • Description: Possible web DoS attack: 1000 connection attempts over port 80 or 443 from the same source IP to the same destination IP. The number of connection attempts, the list of TCP destination ports and the whitelist of source IPs are configurable.
  • Medium: packet
  • Tags: "impact":"network denial of service"

  • Name: Webshells Detected
  • Rule ID: esa000163
  • Description: This rule indicates that 3 webshells have been detected in communication between the same source and destination IP pair within a 10-minute time window.

    VERSIONS SUPPORTED
    * 10.6.2.1 and higher
    * 10.6.2 and prior (see CONFIGURATION)

    CONFIGURATION
    To enable this rule on ESA 10.6.2 and prior, you must make the keys 'analysis_service' and 'ioc' multi-valued types. To do this, go to the NetWitness UI > Administration > Services > ESA > Explore > Workflow > Source > nextgenAggregationSource > ArrayFieldNames. Enter the keys separated by commas and restart the ESA service. If other ESA rules use those keys, they must be rewritten to use array syntax and redeployed. For more information, see https://community.netwitness.com/t5/netwitness-community-blog/introduction-to-mitre-s-att-ck-and-mapping-to-esa-rules/ba-p/519611

    DEPENDENCIES
    Lua Parsers
    * HTTP_lua
    * china_chopper
  • Medium: packet
  • Tags: "persistence":"web shell", "privilege escalation":"web shell"

  • Name: Windows Audit Log Cleared
  • Rule ID: esa000014
  • Description: An alert is fired when the Windows audit log is cleared.
  • Medium: log
  • Tags: "defense evasion":"indicator removal on host"

  • Name: Windows Suspicious Admin Activity: Audit Log Cleared
  • Rule ID: esa000176
  • Description: Detects when a user account is created, added to the Administrators group, and the audit logs are cleared within a five-minute period.

    VERSIONS SUPPORTED
    NetWitness 11.1 and higher

    CONFIGURATION
    Rule Parameters:
    * Within this number of seconds: the time window within which the events must occur to trigger the rule. By default, 300 seconds.
    * Name of the CH list for the user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default with the name of a custom CH user whitelist. For a list of out-of-the-box CH lists and how to create and update them, refer to Context Hub Lists (Configure Lists as a Data Source).

    DEPENDENCIES
    * User_Whitelist CH list
    * At least one Windows Event log parser enabled on the log decoder

    BUNDLES
    * UEBA Essentials
  • Medium: log
  • Tags: "persistence":"create account", "credential access":"account manipulation", "persistence":"account manipulation", "defense evasion":"indicator removal on host"

  • Name: Windows Suspicious Admin Activity: Firewall Service Stopped
  • Rule ID: esa000177
  • Description: Detects when a user account is created, added to the Administrators group, and the firewall is stopped within a five-minute time period.

    VERSIONS SUPPORTED
    NetWitness 11.1 and higher

    CONFIGURATION
    Rule Parameters:
    * Within this number of seconds: the time window within which the events must occur to trigger the rule. By default, 300 seconds.
    * Name of the CH list for the user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default with the name of a custom CH user whitelist. For a list of out-of-the-box CH lists and how to create and update them, refer to Context Hub Lists (Configure Lists as a Data Source).

    DEPENDENCIES
    * User_Whitelist CH list
    * At least one Windows Event log parser enabled on the log decoder

    BUNDLES
    * UEBA Essentials
  • Medium: log
  • Tags: "persistence":"create account", "credential access":"account manipulation", "persistence":"account manipulation", "defense evasion":"disabling security tools"

  • Name: Windows Suspicious Admin Activity: Network Share Created
  • Rule ID: esa000178
  • Description: Detects when a user account is created, added to the Administrators group, and a network share is created within a five-minute time period. The time period is configurable.

    VERSIONS SUPPORTED
    NetWitness 11.1 and higher

    CONFIGURATION
    Rule Parameters:
    * Within this number of seconds: the time window within which the events must occur to trigger the rule. By default, 300 seconds.
    * Name of the CH list for the user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default with the name of a custom CH user whitelist. For a list of out-of-the-box CH lists and how to create and update them, refer to Context Hub Lists (Configure Lists as a Data Source).

    DEPENDENCIES
    * User_Whitelist CH list
    * At least one Windows Event log parser enabled on the log decoder

    BUNDLES
    * UEBA Essentials
  • Medium: log
  • Tags: "persistence":"create account", "credential access":"account manipulation", "persistence":"account manipulation", "lateral movement":"windows admin shares"

  • Name: Windows Suspicious Admin Activity: Shared Object Accessed
  • Rule ID: esa000179
  • Description: Detects when a Windows user account is created, a shared object is accessed, and the account is deleted within a five-minute time period.

    VERSIONS SUPPORTED
    NetWitness 11.1 and higher

    CONFIGURATION
    Rule Parameters:
    * Within this number of seconds: the time window within which the events must occur to trigger the rule. By default, 300 seconds.
    * Name of the CH list for the user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default with the name of a custom CH user whitelist. For a list of out-of-the-box CH lists and how to create and update them, refer to Context Hub Lists (Configure Lists as a Data Source).

    DEPENDENCIES
    * User_Whitelist CH list
    * At least one Windows Event log parser enabled on the log decoder

    BUNDLES
    * UEBA Essentials
  • Medium: log
  • Tags: "persistence":"create account", "credential access":"account manipulation", "persistence":"account manipulation", "collection":"data from network shared drive"

  • Name: Windows User Added to Administrators Group and Security Disabled
  • Rule ID: esa000073
  • Description: Detects when a Windows user was added to an administrative group and the security center or manager was disabled within the specified time period. You can configure the list of administrator groups and the time period (default value is five minutes). Note: This rule uses the "accesses" and "event.desc" non-standard meta keys. You must implement these non-standard meta keys after you download this rule.
  • Medium: log
  • Tags: "credential access":"account manipulation", "defense evasion":"disabling security tools"

  • Rule ID: esa000082
  • Description: Detects log messages indicative of a worm with a destination port of 137, 138, 139 or 445 from at least 10 unique RFC-1918 source IPs within 1 minute. The list of destination ports , ,