To support future content improvements such as new bundles and feeds, we have adjusted the alert meta mappings for several Application Rules. By adhering more strictly to the original intent of the alert detection categories, NetWitness users gain more meaningful and accurate insight into activity in their environments. Rules were re-aligned with the Hunting Compromise and Analysis keys:
- Behavior of Compromise (boc): suspect or nefarious behavior that falls outside standard signature-based detection
- Service Analysis (analysis.service): identification and inspection of core application protocols
- Session Analysis (analysis.session): deviations in client-server communication
- File Analysis (analysis.file): a large inspection library that highlights file characteristics and anomalies
Updated Application Rules:
| Name | Previous Key | New Key |
|---|---|---|
| exe filetype but not exe extension* | boc | analysis.file |
| Small Executable | alert.id | analysis.file |
| Small Executable Extension Mismatch | alert.id | analysis.file |
| Small Executable No Directory | alert.id | analysis.file |
| Small Executable No Host | alert.id | analysis.file |
| Small Executable Root Directory | alert.id | analysis.file |
| DoH Usage* | boc | analysis.service |
| IRC File Transfer | alert.id | analysis.service |
| Passwords Over FTP | alert.id | analysis.service |
| Passwords Over HTTP | alert.id | analysis.service |
| Passwords Over Other Protocols | alert.id | analysis.service |
| Passwords Over Pop3 | alert.id | analysis.service |
| Passwords Over SMTP | alert.id | analysis.service |
| Passwords Over Telnet | alert.id | analysis.service |
| Possible SMB Scanning Detected* | boc | analysis.service |
| BYOD Mobile Web Agent Detected | alert.id | analysis.session |
| Possible Port Scanning Detected* | boc | analysis.session |
| suspicious long filename get request | alert.id | analysis.session |
| suspicious PHP url-encoded put | alert.id | analysis.session |
| Unknown Service Over DNS Port | alert.id | analysis.session |
| Unknown Service Over FTP Port | alert.id | analysis.session |
| Unknown Service Over HTTP Port | alert.id | analysis.session |
| Unknown Service Over IRC Port | alert.id | analysis.session |
| Unknown Service Over NNTP Port | alert.id | analysis.session |
| Unknown Service Over POP3 Port | alert.id | analysis.session |
| Unknown Service Over SMB Port | alert.id | analysis.session |
| Unknown Service Over SMTP Port | alert.id | analysis.session |
| Unknown Service Over SSL Port | alert.id | analysis.session |
| Unknown Service Over Telnet Port | alert.id | analysis.session |
| Archive From IP Address | alert.id | boc |
| Attachment Overload | alert.id | boc |
| File Transport Over Unknown Protocol | alert.id | boc |
| Non-Standard Port Use - DHCP | alert.id | boc |
| Non-Standard Port Use - DNS | alert.id | boc |
| Non-Standard Port Use - FTP | alert.id | boc |
| Non-Standard Port Use - H323 | alert.id | boc |
| Non-Standard Port Use - HTTP | alert.id | boc |
| Non-Standard Port Use - IRC | alert.id | boc |
| Non-Standard Port Use - NetBios | alert.id | boc |
| Non-Standard Port Use - NNTP | alert.id | boc |
| Non-Standard Port Use - POP3 | alert.id | boc |
| Non-Standard Port Use - RDP | alert.id | boc |
| Non-Standard Port Use - RIP | alert.id | boc |
| Non-Standard Port Use - RPC | alert.id | boc |
| Non-Standard Port Use - RTP | alert.id | boc |
| Non-Standard Port Use - SIP | alert.id | boc |
| Non-Standard Port Use - SMB | alert.id | boc |
| Non-Standard Port Use - SMTP | alert.id | boc |
| Non-Standard Port Use - SNMP | alert.id | boc |
| Non-Standard Port Use - SSH | alert.id | boc |
| Non-Standard Port Use - SSL | alert.id | boc |
| Non-Standard Port Use - TDS | alert.id | boc |
| Non-Standard Port Use - Telnet | alert.id | boc |
| Non-Standard Port Use - TFTP | alert.id | boc |
| Non-Standard Port Use - TNS | alert.id | boc |
\* Users subscribed to these alerts will have the rules updated automatically.
Note: Application Rules formerly keyed to 'alert.id' are not updated in place and must be re-added from NetWitness Live. Any saved queries, reports, ESA rules or dashboard filters that match on the old key for these rule names will stop matching until they are updated to the new key.
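Because downstream content that filters on `alert.id = '<rule name>'` or `boc = '<rule name>'` silently stops matching once a rule is re-keyed, it is worth sweeping saved queries for references to the names in the table above. The helper below is an added example written for this page, not NetWitness code. It transcribes the table into a lookup, rewrites NetWitness-style where-clauses to the new key, and reports anything it cannot map rather than changing it. It assumes standard `key = 'value'` query syntax and that the value registered under the new key is the rule name itself (commonly lowercased); confirm the exact registered string against the rule definition in NetWitness Live before deploying a rewritten query. The sample queries are constructed for the example.

```python
"""Added migration helper (not NetWitness code): rewrite saved queries that still
filter on the old alert meta key of a re-aligned Application Rule.

Assumptions not stated on the release-notes page:
  * queries use NetWitness where-clause syntax, e.g. alert.id = 'small executable'
  * the value registered under the new key is the rule name itself; confirm the
    exact string against the rule definition in NetWitness Live before deploying.
"""
import re
from typing import Dict, List, Tuple


def _family(prefix: str, names: List[str], suffix: str = "") -> List[str]:
    """Expand a rule-name family such as 'Non-Standard Port Use - <proto>'."""
    return [f"{prefix}{n}{suffix}" for n in names]


# (previous key, new key) -> rule names, transcribed from the release-notes table.
REKEY_TABLE: Dict[Tuple[str, str], List[str]] = {
    ("boc", "analysis.file"): ["exe filetype but not exe extension"],
    ("alert.id", "analysis.file"): _family(
        "Small Executable",
        ["", " Extension Mismatch", " No Directory", " No Host", " Root Directory"]),
    ("boc", "analysis.service"): ["DoH Usage", "Possible SMB Scanning Detected"],
    ("alert.id", "analysis.service"): ["IRC File Transfer"] + _family(
        "Passwords Over ", ["FTP", "HTTP", "Other Protocols", "Pop3", "SMTP", "Telnet"]),
    ("boc", "analysis.session"): ["Possible Port Scanning Detected"],
    ("alert.id", "analysis.session"): [
        "BYOD Mobile Web Agent Detected",
        "suspicious long filename get request",
        "suspicious PHP url-encoded put",
    ] + _family("Unknown Service Over ",
                ["DNS", "FTP", "HTTP", "IRC", "NNTP", "POP3", "SMB", "SMTP", "SSL", "Telnet"],
                " Port"),
    ("alert.id", "boc"): [
        "Archive From IP Address", "Attachment Overload", "File Transport Over Unknown Protocol",
    ] + _family("Non-Standard Port Use - ",
                ["DHCP", "DNS", "FTP", "H323", "HTTP", "IRC", "NetBios", "NNTP", "POP3", "RDP",
                 "RIP", "RPC", "RTP", "SIP", "SMB", "SMTP", "SNMP", "SSH", "SSL", "TDS",
                 "Telnet", "TFTP", "TNS"]),
}

# lowercase rule name -> (previous key, new key); matched case-insensitively because
# app-rule alert values are commonly registered in lowercase (assumption).
NEW_KEY: Dict[str, Tuple[str, str]] = {
    name.lower(): keys for keys, names in REKEY_TABLE.items() for name in names
}

# One where-clause comparison on an old key: alert.id = 'x', boc != "y", ...
CLAUSE = re.compile(
    r"\b(?P<key>alert\.id|boc)\b\s*(?P<op>!?=)\s*(?P<q>['\"])(?P<val>[^'\"]*)(?P=q)", re.I)


def rewrite_query(query: str) -> Tuple[str, List[str]]:
    """Return (rewritten query, warnings). Clauses the table does not cover are
    left untouched and reported, so nothing is changed silently."""
    warnings: List[str] = []

    def swap(m):
        key, val = m.group("key").lower(), m.group("val")
        keys = NEW_KEY.get(val.lower())
        if keys is None:
            warnings.append(f"{key} = {val!r}: not in the re-key table, left unchanged")
            return m.group(0)
        previous, new = keys
        if previous != key:
            warnings.append(f"{key} = {val!r}: table lists previous key {previous}, left unchanged")
            return m.group(0)
        return f"{new} {m.group('op')} {m.group('q')}{val}{m.group('q')}"

    rewritten = CLAUSE.sub(swap, query)
    # A bare existence test still parses, but no longer sees the re-keyed rules.
    if re.search(r"\balert\.id\s+exists\b", query, re.I):
        warnings.append("alert.id exists: re-keyed rules no longer populate alert.id")
    return rewritten, warnings


# Constructed sample queries standing in for saved report / dashboard filters.
SAMPLE_QUERIES = [
    "alert.id = 'small executable' && direction = 'outbound'",
    "boc = 'DoH Usage' || alert.id = 'Passwords Over HTTP'",
    "alert.id = 'HttpBrowser Malware'",
    "alert.id exists && service = 80",
]


def migrate(queries: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Rewrite each query; returns (original, rewritten, warnings) triples."""
    return [(q, *rewrite_query(q)) for q in queries]


if __name__ == "__main__":
    for original, rewritten, warnings in migrate(SAMPLE_QUERIES):
        print(f"{original}\n  -> {rewritten}")
        for w in warnings:
            print(f"  ! {w}")
```

The third sample illustrates why the tool warns instead of guessing: `HttpBrowser Malware` is not re-keyed, it is on the removed-content list below, so a query that references it needs a human decision rather than a mechanical rewrite. The fourth shows the less obvious breakage: `alert.id exists` still parses and still returns results, but no longer includes any of the 55 re-keyed rules, so a dashboard built on it shrinks without erroring.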
Removed Content
As an additional content hygiene measure, the following outdated or discontinued content has been removed from NetWitness Live:
- Advanced Analytics (Warehouse) / Data Science Model
  - ETL for Mapr
  - ETL
  - ETL for Pivotal
  - Host Profile for Mapr
  - Host Profile for Pivotal
  - Suspicious DNS Activity for Mapr
  - Suspicious DNS Activity for Pivotal
  - Suspicious Domains for Mapr
  - Suspicious Domains for Pivotal
- Application Rules
  - HttpBrowser Malware
  - NTP DDoS Attack 234-byte Request: Packets
  - NTP DDoS Attack 50-byte Request: Packets
  - NTP DDoS Attack 60-byte Request: Packets
  - NTP DDoS Attack 234-byte Request: Netflow
  - NTP DDoS Attack 50-byte Request: Netflow
  - NTP DDoS Attack 60-byte Request: Netflow
  - Large Outbound Encrypted session
  - Large Outbound Session
- Event Stream Analysis
  - Cerber Ransomware
  - Inbound Packet Followed by Recipient Outbound Encrypted Connection
  - Internal Data Posting to 3rd party sites
  - Malware Dropper
  - Web DoS Alert
  - BYOD Mobile Web Agent Detected
  - Detection of Encrypted Traffic to Countries
  - Multiple SYN packets from Same Source
  - Potential HTTP Slow Post DoS
  - Detect Port Knocking Packet
  - Punycode Phishing Attempt
- Investigation Column Group
  - Email Analysis Column Group
  - Endpoint Analysis Column Group
  - Web Analysis Column Group
  - Malware Analysis Column Group
  - Threat Analysis Column Group
  - User and Entity Behaviour Analysis Column Group
- Lua Parsers
  - Poison_Ivy
  - plugx
  - rekaf
  - struts_exploit
  - pvid
  - MSU_rat
  - CustomTCP
  - supercmd
  - china_chopper
  - apt_artifacts
  - cerber
  - duqu_lua
  - electricfish
  - Evilgrab
- NetWitness Reports
  - Malware Activity Report
  - Large Outbound Connections to 3rd Party Sites Sessions
  - Large Outbound Encrypted Sessions
  - Large Outbound Sessions
  - Hunting Summary
  - Hunting Detail
  - Encrypted Traffic
- NetWitness Rules
  - Large Outbound Encrypted Sessions
  - Large Outbound Sessions
  - Malware Activity DNS
  - Malware Activity Unidentified
  - Malware Activity Web