Skip navigationLog in to follow, share, and participate in this community. NOTE: Updated to support 11.4.1.2Scenario You need to remotely backup your NetWitness hosts to a central location, to satisfy Disaster Recovery Requirements, perform a Tech Refresh, or to be prepared for RMA rep... Centralized Backup & Restore of NetWitness Version 11.2+ (A Wrapper Script for NRT)
BackHello, I have a parsing issue with the following Linux log : <37>Jan 4 19:56:01 hostname PAM-unixteam[2373]: pam_sm_acct_mgmt(service=crond, terminal=cron, user=root, ruser=UNDEF, rhost=UNDEF) This... Linux log with syslog PRI not parsed
BackWhat is LogStash: LogStash is an Elastic product that can collect, parse, and transform logs to be presented to some type of output such as an Elastic Stack or a RSA Decoder or Virtual Log Collector. https://www.ela... Using RSA Logs and/or Packets to Send or Receive Data from/to LogStash – Putting it all together - Demonstration
BackWhat is bonding? Bonding protocol - Wikipedia Generally speaking, in the Linux world, this action combines multiple physical interfaces into one or more logical interface. Why you may want to bond? Ti... Interface Bonding - Putting it all together
BackUse this process if you would like full control of your backups, otherwise I advise you use the NRT Wrapper Method for an automated approach, - Centralized Backup & Restore of NetWitness Version 11.2+ (... Consolidating your backups and maximizing NRT (NetWitness Recovery Tool)
BackAlthough the RSA NetWitness platform gives administrators visibility into system metrics through the Health & Wellness Systems Stats Browser, we currently do not have a method to see all storage / retention a... RSA NetWitness Storage Retention Script
BackHello. It may be a stupid question but I'm not a programmer. So, how can I compare two different types of meta in ESA Rule(EPL) statement. I need to compare string with string[] user_dst ... Comparing two different types of meta in ESA Rule
Back22APR2020 - UPDATE: Naushad Kasu has posted a video blog of this process and I have posted the template.xml and NweAgentPolicyDetails_x64.exe files from his blog here. 08APR2020 - UPDATE: adding ... Custom Flat File Log Collection with NW-Endpoint 11.4
BackHi, We are migrate and upgrade from 10.6.6 to 11.3, using ISO to boot, while entering the setup prompt have this error; "mount : special device /dev/VolGroup00/root does not exist cp: cannot stat... Error while perform migrate & upgrade via ISO
BackHi Everyone I deploy RSA Netwitness 11.5 into my lab after that I change IP address on SA and component. Everything is fine, the only exception is I can't click on to event in Incident menu to see event d... Introduction
Credential Dumping
SafetyKatz
AndrewSpecial
Closing Notes
Discovery
SharpHound
Closing Notes
Lateral Movement
Impacket
Closing Notes
Persistence
ZeroLogon
... My organization has decided to drop log support in RSA (don't ask why, it wasn't my idea). If I'm using RSA for a packet only solution, can I still connect to Active Directory for an identity feed? My unde... Can I use the identity feed connected to AD without a log decoder
BackAs a (network) engineer I am used to having serial console access to physical devices. I noticed this is not enables by default on RSA Netwitness appliances. Notr is it anywhere documented here on RSA Link. &#... Serial console on hardware appliances
BackIs there a new version of Log Parser Tool in the roadmap? Actual version is 2 years old. RSA, a Dell Technologies business, announces the release of RSA® NetWitness Log Parser Tool v1.1 We commun... Netwitness Log parser Tool
BackZerologon (CVE-2020-1472) is a vulnerability with a perfect CVSS score of 10/10 being used in the wild by attackers, allowing them to gain admin access to a Windows Domain Controller. As more publ... Domain Controller Takeover with Zerologon, from Compromise to Detection
BackI'm interested in learning what would be best practice for filtering false alerts. We have a nwfeed file from a threat intel provider that maps IPs, domains and emails to threat actors. An ESA alert is create... Filtering false positives from Alerts
BackMany of you may be using a Pi-hole in your home labs, or even at the office. The issue is the logs are stored in a local text file and NetWitness does not support the logs. As many know DNS records are v... Pi-hole log support in NetWitness
BackWhat is the difference between requirePri=false and snaplen=1514 in capture.device.params in Decoder config (DECODER->EXPLORE->decoder->config). When I add requirePri=false in that field, ... Decoder parameter for proceed raw syslog that doesn't contain valid priorityfield
BackWe have integrated the IBM IAM via syslog but there is no supported parser, appreciate if any one has this parser and can share it. is there any parser for IBM Identity and Access Management Solution?
BackTable of Contents
Introduction
How is Ransomware Deployed?
Credential Harvesting
ProcDump
comsvcs.dll
Custom Applications
Lateral Movement
RDP
WMI
SMB
Backdoors
Account Cre... Using RSA NetWitness to Detect Ransomware Attacks
Back
