The new Investigation Data Model (community.rsa.com/docs/DOC-62313) and Hunting Pack (community.rsa.com/docs/DOC-62301) with the associated Hunting Guide (community.rsa.com/docs/DOC-62341) provide a new way for analysts to interact with their data and hunt for threats. The attached PDF provides a summary of the key points, and what changes you need to make to your RSA NetWitness deployment to make the most of the new content. Happy Hunting!
EDIT 20161214: Fixed a typo on page 21. Thanks Jim!
On slide 21 in the attached PDF the syntax for the index-concentrator-custom.xml is incorrect.
<!– Hunting Keys -->
The proper syntax for XML comments is:
<!-- Hunting Keys -->
Make this correction to each comment before applying to concentrator or it will fail to load.
Thanks.
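A pre-flight check for the comment problem described above, as an added example that is not part of the original post or of RSA's content. It flags typographic characters picked up when copying from a PDF or slide, flags comment openers that are not `<!--`, and confirms the file parses as XML before it is applied to a concentrator. The sample document and its element and key names are constructed placeholders, not the Hunting Pack's real index entries.

```python
import re
import xml.etree.ElementTree as ET

# Characters that slide/PDF tools substitute for ASCII. They are legal in
# XML text, but break the file when they replace markup characters.
TYPOGRAPHIC = {
    "\u2013": "en dash", "\u2014": "em dash",
    "\u201c": "left double quote", "\u201d": "right double quote",
    "\u2018": "left single quote", "\u2019": "right single quote",
}
# "<!" must introduce a comment, a CDATA section or a DOCTYPE.
BAD_OPEN = re.compile(r"<!(?!--|\[CDATA\[|DOCTYPE)")

def check_index_xml(text):
    """Return a list of (line_no, message); an empty list means the file is OK."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for ch, name in TYPOGRAPHIC.items():
            if ch in line:
                findings.append((no, f"typographic {name}, review and replace with ASCII"))
        if BAD_OPEN.search(line):
            findings.append((no, "comment does not open with '<!--'"))
    try:
        ET.fromstring(text)  # well-formedness check only, no schema validation
    except ET.ParseError as exc:
        findings.append((exc.position[0], f"XML parse error: {exc}"))
    return findings

# Constructed sample: placeholder root element and key, not real pack content.
GOOD = """<language>
  <!-- Hunting Keys -->
  <key name="example.key" description="constructed placeholder"/>
</language>
"""
# Same file with the comment opener as it appears on the slide (en dash).
BAD = GOOD.replace("<!--", "<!\u2013")

if __name__ == "__main__":
    for label, doc in (("corrected", GOOD), ("as on slide", BAD)):
        problems = check_index_xml(doc)
        print(label, "->", "OK" if not problems else problems)
```

Run it against the edited index-concentrator-custom.xml and apply the file only when the list of findings is empty.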