NetWitness announces the release of the following threat content and publications:
Ransomware: A Beginner’s Guide to a Major Threat
At NetWitness we understand how devastating it can be to find yourself impacted by a ransomware attack. This primer was created to provide a ransomware FAQ on basic ransomware concepts and equip IT and non-IT professionals with a greater understanding of this growing threat.
Visit the NetWitness Threat Detection and Response Playlist on www.youtube.com
OPSWAT (MetaDefender Core) provides advanced malware detection capabilities by scanning files with multiple anti-malware engines simultaneously. OPSWAT is integrated into the endpoint servers.
The following OPSWAT app rules are now available on RSA Live:
See the following article for details on how to configure OPSWAT scans:
https://community.rsa.com/t5/netwitness-platform-online/configure-opswat/ta-p/634816
AWS CloudTrail is an AWS service that helps in governance, compliance and operational risk auditing of an AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. We have used CloudTrail Events to create Log based App Rules and ESA Rules which will be effective in detecting Anomalous Behavioral Activity across multiple AWS services and will be helpful in maintaining security monitoring.
This feed contains Non-IP Address, text-based indicators like Host, URL, File Hashes etc. that are suspected to be malicious. These indicators are extracted from multiple openly available sources (OSINT) and aggregated and scored through a partnership with ThreatConnect. The score (ThreatAssess) combines the severity and confidence of an indicator into a single value to help analysts understand the potential risk when that indicator is observed in their environment. This feed will trigger when one of the feed indicators is observed in network, log, and/or endpoint event data.
More details can be found on RSA Link at https://community.netwitness.com/t5/netwitness-community-blog/introducing-the-new-rsa-osint-threat-feeds/ba-p/521129
The Investigation feed generates metadata based upon the Investigation Model and MITRE ATT&CK® framework to assist an analyst with threat hunting and content generation. This is useful for front-line analysts as it minimizes the time dedicated to mining logs or sessions in support of their findings. To trigger the feed, a match to an application rule or part of a Lua parser logic is required.
More details can be found on NetWitness Community at https://community.netwitness.com/t5/netwitness-platform-threat/investigation-feed/ta-p/677895
The following Investigate Profiles, Meta Groups and Column Groups for the UI
New Integration:
New plugin that can be used to collect any type of events/alerts from MS Graph API
Updated cloud integration:
Added support for AWS Windows AD and Windows VM logs
Added support for AWS Windows AD and Windows VM logs
Added support for Azure Sentinel Incidents
Added support for Gov cloud endpoint
New parsers:
Identifies Oracle TNS database protocol. Extracts database, client host, client program, and username.
Updated parsers:
Added specific meta for v1 negotiate and setup commands and responses.
Expanded support for Unicode character encodings.
Added extraction of action meta from EFSRPC
Expanded support for character encodings.
Added specific meta for authentication mechanisms.
Expanded plaintext credential detection and extraction.
Added support for decompression of brotli encoded responses (11.6+ only)
Added extraction of credentials from PLAIN and LOGIN authentication mechanisms
Added extraction of credentials from LOGIN authentication mechanism.
Improved identification of IMAP sessions.
Added detection of hex-encoded TXT records.
Improved identification of DNS sessions.
Updated parsers: