NEW Hunting Guide & Investigation Model

Blog Post created by Chris Thomas

on Nov 30, 2016

Like • Show 3 Likes3
Comment • 2

The new Investigation Data Model (community.rsa.com/docs/DOC-62313) and Hunting Pack (community.rsa.com/docs/DOC-62301) with the associated Hunting Guide (

community.rsa.com/docs/DOC-62341) provide a new way for analysts to interact with their data and hunt for threats. The attached PDF provides a summary of the key points, and what changes you need to make to your RSA NetWitness deployment to make the most of the new content. Happy Hunting!

EDIT 20161214: Fixed a typo on page 21. Thanks Jim!

Attachments

20161214 HuntingInvestigationGuide.pdf5.5 MB

Outcomes

2 Comments

Jim Ward Dec 13, 2016 9:46 AM
On slide 21 in the attached PDF the syntax for the index-concentrator-custom.xml is incorrect.

<!– Hunting Keys -->

The proper syntax for XML comments is:

<!–- Hunting Keys -->

Make this correction to each comment before applying to concentrator or it will fail to load.

Thanks.
Like • Show 0 Likes0
Actions
- Chris Thomas @ Jim Ward on Dec 13, 2016 7:00 PM
  Thanks Jim! I have fixed the typo and re-published the PDF.
  Like • Show 0 Likes0
  Actions

Incoming Links

The Shadows of Ghosts: Inside the Response of a Unique Carbanak Intrusion