• Centralized Backup & Restore of NetWitness Version 11.2+  (A Wrapper Script for NRT)

    NOTE: Updated to support 11.4.1.2. Scenario: You need to remotely back up your NetWitness hosts to a central location, to satisfy Disaster Recovery Requirements, perform a Tech Refresh, or to be prepared for RMA rep...
    John Snider
    last modified by John Snider
  • Linux log with syslog PRI not parsed

    Hello, I have a parsing issue with the following Linux log: <37>Jan  4 19:56:01 hostname PAM-unixteam[2373]: pam_sm_acct_mgmt(service=crond, terminal=cron, user=root, ruser=UNDEF, rhost=UNDEF) This...
    Yacine BERREZOUG
    last modified by Yacine BERREZOUG
  • Using RSA Logs and/or Packets to Send or Receive Data from/to LogStash – Putting it all together - Demonstration

    What is LogStash: LogStash is an Elastic product that can collect, parse, and transform logs to be presented to some type of output such as an Elastic Stack or an RSA Decoder or Virtual Log Collector. https://www.ela...
    Thomas Jones
    last modified by Thomas Jones
  • Interface Bonding - Putting it all together

    What is bonding? Bonding protocol - Wikipedia. Generally speaking, in the Linux world, this action combines multiple physical interfaces into one or more logical interfaces. Why you may want to bond? Ti...
    Thomas Jones
    last modified by Thomas Jones
  • Consolidating your backups and maximizing NRT (NetWitness Recovery Tool)

    Use this process if you would like full control of your backups; otherwise I advise you use the NRT Wrapper Method for an automated approach: Centralized Backup & Restore of NetWitness Version 11.2+ (...
    Thomas Jones
    last modified by Thomas Jones
  • RSA NetWitness Storage Retention Script

    Although the RSA NetWitness platform gives administrators visibility into system metrics through the Health & Wellness Systems Stats Browser, we currently do not have a method to see all storage / retention a...
    Naushad Kasu
    last modified by Naushad Kasu
  • Comparing two different types of meta in ESA Rule

    Hello. It may be a stupid question but I'm not a programmer. So, how can I compare two different types of meta in an ESA Rule (EPL) statement? I need to compare string with string[] user_dst ...
    Maxim Marchenko
    last modified by Maxim Marchenko
  • Custom Flat File Log Collection with NW-Endpoint 11.4

    22APR2020 - UPDATE: Naushad Kasu has posted a video blog of this process and I have posted the template.xml and NweAgentPolicyDetails_x64.exe files from his blog here.   08APR2020 - UPDATE: adding ...
    Josh Randall
    last modified by Josh Randall
  • Error while perform migrate & upgrade via ISO

    Hi, We are migrating and upgrading from 10.6.6 to 11.3, using an ISO to boot; while entering the setup prompt we have this error: "mount : special device /dev/VolGroup00/root does not exist cp: cannot stat...
    Mohd Amri Razlan
    last modified by Mohd Amri Razlan
  • Incident page issue

    Hi Everyone, I deployed RSA Netwitness 11.5 into my lab and after that I changed the IP address on the SA and components. Everything is fine; the only exception is I can't click on an event in the Incident menu to see event d...
    pakorn amonstian
    created by pakorn amonstian
  • FireEye Breach

    Contents: Introduction; Credential Dumping (SafetyKatz, AndrewSpecial, Closing Notes); Discovery (SharpHound, Closing Notes); Lateral Movement (Impacket, Closing Notes); Persistence (ZeroLogon ...
  • Can I use the identity feed connected to AD without a log decoder

    My organization has decided to drop log support in RSA (don't ask why, it wasn't my idea).  If I'm using RSA for a packet only solution, can I still connect to Active Directory for an identity feed?  My unde...
    Dion Stempfley
    created by Dion Stempfley
  • Serial console on hardware appliances

    As a (network) engineer I am used to having serial console access to physical devices. I noticed this is not enabled by default on RSA Netwitness appliances. Nor is it anywhere documented here on RSA Link. ...
    Hugo Van Der Kooij
    last modified by Hugo Van Der Kooij
  • Netwitness Log parser Tool

    Is there a new version of the Log Parser Tool in the roadmap? The current version is 2 years old. RSA, a Dell Technologies business, announces the release of RSA® NetWitness Log Parser Tool v1.1. We commun...
    Isidore DESHAIES
    last modified by Isidore DESHAIES
  • Domain Controller Takeover with Zerologon, from Compromise to Detection

    Zerologon (CVE-2020-1472) is a vulnerability with a perfect CVSS score of 10/10 being used in the wild by attackers, allowing them to gain admin access to a Windows Domain Controller.  As more publ...
    Halim Abouzeid
    last modified by Halim Abouzeid
  • Filtering false positives from Alerts

    I'm interested in learning what would be best practice for filtering false alerts. We have a nwfeed file from a threat intel provider that maps IPs, domains and emails to threat actors.   An ESA alert is create...
    Jeremy Kerwin
    last modified by Jeremy Kerwin
  • Pi-hole log support in NetWitness

    Many of you may be using a Pi-hole in your home labs, or even at the office.  The issue is the logs are stored in a local text file and NetWitness does not support the logs.   As many know DNS records are v...
    Dave Glover
    last modified by Dave Glover
  • Decoder parameter to process raw syslog that doesn't contain a valid priority field

    What is the difference between requirePri=false and snaplen=1514 in capture.device.params in Decoder config (DECODER->EXPLORE->decoder->config). When I add requirePri=false in that field, ...
    MUKUTAR RAHMAN
    last modified by MUKUTAR RAHMAN
  • Is there any parser for IBM Identity and Access Management Solution?

    We have integrated the IBM IAM via syslog but there is no supported parser; I would appreciate it if anyone has this parser and can share it.
    Anas Bdeir
    last modified by Anas Bdeir
  • Using RSA NetWitness to Detect Ransomware Attacks

    Table of Contents: Introduction; How is Ransomware Deployed?; Credential Harvesting (ProcDump, comsvcs.dll, Custom Applications); Lateral Movement (RDP, WMI, SMB); Backdoors; Account Cre...
    Lee Kirkpatrick
    created by Lee Kirkpatrick