search
    search
      9 Sep, 2021

      NetWitness announces the release of the following threat content and publications:

      Blog Posts

      Ransomware: A Beginner’s Guide to a Major Threat

      At NetWitness we understand how devastating it can be to find yourself impacted by a ransomware attack. This primer was created to provide a ransomware FAQ on basic ransomware concepts and equip IT and non-IT professionals with a greater understanding of this growing threat.

      AmitRotem_1-1631201664743.png

       

      Videos

      Visit the NetWitness Threat Detection and Response Playlist on www.youtube.com

      AmitRotem_3-1631201897056.png

       

      AmitRotem_5-1631202003709.png

      Application Rules

      OPSWAT rules (Endpoint)

      OPSWAT (MetaDefender Core) provides advanced malware detection capabilities by scanning files with multiple anti-malware engines simultaneously. OPSWAT is integrated into the endpoint servers.

      The following OPSWAT app rules are now available on RSA Live:

      • opswat reported infected
      • opswat reported suspicious
      • process with opswat reported infected
      • process with opswat reported suspicious

      See the following article for details on how to configure OPSWAT scans:

      https://community.rsa.com/t5/netwitness-platform-online/configure-opswat/ta-p/634816

       

      AWS CloudTrail – Anomalous Activity Detection App Rules

      AWS CloudTrail is an AWS service that helps in governance, compliance and operational risk auditing of an AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. We have used CloudTrail Events to create Log based App Rules and ESA Rules which will be effective in detecting Anomalous Behavioral Activity across multiple AWS services and will be helpful in maintaining security monitoring.

      • EC2 - Multiple instances created
      • EC2 - Multiple large instances created
      • EC2 - Multiple instances terminated
      • Critical changes to logging


      Event Streaming Analytics (ESA) Rules

      AWS CloudTrail - Anomalous Activity Detection ESA Rules

      • IAM - Multiple failed API calls from a single user (Unauthorized Access)
      • IAM - Multiple users created within a short period of time
      • IAM - Multiple users deleted within a short period of time
      • IAM - Multiple worldwide successful console logins were observed
      • EC2 - Multiple instances created within a short period of time
      • EC2 - Multiple large instances created within a short period of time
      • EC2 - Multiple instances terminated within a short period of time
      • EC2 - Multiple instances created in multiple regions within a short period of time
      • S3 - Mass copy objects
      • S3 - Mass delete objects
      • S3 - Buckets enumerated

       

      Threat Intel Feeds

      OSINT (open-source intelligence) IP Threat Intel Feed

      This feed contains IP Address (IPv4 and IPv6) indicators that are suspected to be malicious. These indicators are extracted from multiple openly available sources (OSINT) and aggregated and scored through a partnership with ThreatConnect. The score (ThreatAssess) combines the severity and confidence of an indicator into a single value to help analysts understand the potential risk when that indicator is observed in their environment. This feed will trigger when one of the feed indicators is observed in network, log, and/or endpoint event data.

       

      OSINT Non-IP Threat Intel Feed

      This feed contains Non-IP Address, text-based indicators like Host, URL, File Hashes etc. that are suspected to be malicious. These indicators are extracted from multiple openly available sources (OSINT) and aggregated and scored through a partnership with ThreatConnect. The score (ThreatAssess) combines the severity and confidence of an indicator into a single value to help analysts understand the potential risk when that indicator is observed in their environment. This feed will trigger when one of the feed indicators is observed in network, log, and/or endpoint event data.

      More details can be found on RSA Link at https://community.netwitness.com/t5/netwitness-community-blog/introducing-the-new-rsa-osint-threat-feeds/ba-p/521129

       

      Investigation Feed

      The Investigation feed generates metadata based upon the Investigation Model and MITRE ATT&CK® framework to assist an analyst with threat hunting and content generation. This is useful for front-line analysts as it minimizes the time dedicated to mining logs or sessions in support of their findings. To trigger the feed, a match to an application rule or part of a Lua parser logic is required.

      More details can be found on NetWitness Community at https://community.netwitness.com/t5/netwitness-platform-threat/investigation-feed/ta-p/677895

       

      Investigate Content


      The following Investigate Profiles, Meta Groups and Column Groups for the UI

      Investigate Profiles

      • ATT&CK Tactics
      • ATT&CK Techniques
      • Device classes
      • Protocols
      • Sources
      • UEBA models

      Cloud Integrations


      New Integration:            

      • MS Azure Graph Plugin

      New plugin that can be used to collect any type of events/alerts from MS Graph API

      Updated cloud integration:

      • Amazon CloudWatch Plugin

      Added support for AWS Windows AD and Windows VM logs

      • S3 Universal Connector

      Added support for AWS Windows AD and Windows VM logs

      • MS Azure Monitor

      Added support for Azure Sentinel Incidents

      • MS Azure NSG

      Added support for Gov cloud endpoint

      • MS Office 365
      • Google Cloud

      Protocol (Lua) Parsers


      New parsers:

      • TNS_lua

      Identifies Oracle TNS database protocol. Extracts database, client host, client program, and username.

      Updated parsers:

      • SMB_lua

      Added specific meta for v1 negotiate and setup commands and responses.

      Expanded support for Unicode character encodings.

      Added extraction of action meta from EFSRPC

      • HTTP_lua

      Expanded support for character encodings.

      Added specific meta for authentication mechanisms.

      Expanded plaintext credential detection and extraction.

      Added support for decompression of brotli encoded responses (11.6+ only)

      • SMTP_lua

      Added extraction of credentials from PLAIN and LOGIN authentication mechanisms

      • POP3_lua

      Added extraction of credentials from LOGIN authentication mechanism.

      • IMAP_lua

      Improved identification of IMAP sessions.

      • DNS_verbose_lua

      Added detection of hex-encoded TXT records.

      Improved identification of DNS sessions.

      Log Parsers

      Updated parsers:

      • Symantec Antivirus/Endpoint Protection
      • Tenable Network Security Nessus
      • Cisco IOS
      • PostgreSQL
      • Pulse Secure
      • Windows Events (Snare)
      • Aruba ClearPass Policy Manager
      • Netapp
      • Trend Micro IMSS
      • Rapid7 NeXpose
      • Palo Alto Networks Firewall
      • Astaro Security Gateway
      • Fortinet FortiGate
      • Microsoft Windows
      • Snort/Sourcefire
      • Big-IP Access Policy Manager
      • Windows Events (NIC)
      • Oracle
      • Symantec CEP
      Topic:
      0 Comment
        CATEGORIES
        RECENT POST
        Amazon Cloudwatch Event Source Log Configuration Guide
        3 Dec, 2025
        F5 Source Code Breach: Hunting UNC5221's BRICKSTORM with NetWitness
        31 Oct, 2025
        MSAzureGraph Universal Plugin for Microsoft Graph API
        17 Oct, 2025