• ESA Rule - replace user_src in Alert

    I am creating an EPL rule, where I want to take 2 types of events - one type has user.src and the second type has a different identification of the user in custom meta, for which I add user.src using a custom feed, but it can h...
    Bohdan Rylko
    last modified by Bohdan Rylko
  • Investigating an alert, need help with additional meta

    Here is my situation. I have a feed from a commercial threat intel provider that matches IPs and domains to threat actors. I'm in the investigate module, investigating an alert on a dst.ip address that is alerting to...
    Jeremy Kerwin
    last modified by Jeremy Kerwin
  • Syntax Errors in Esper

    Hi Friends, I am getting an error when I try to deploy the below Esper rule in ESA: "unknown method Collection.toLowerCase()". Can anyone help? This happened after the upgrade from 11.x to 11.3.1....
    John Abinash Paul
    last modified by John Abinash Paul
  • New video for installing and configuring an Endpoint Relay Server

    The NetWitness Platform IDD team just added a new video for installing and configuring a Relay Server (How to Install and Configure an Endpoint Relay Server). See the NetWitness Platform Documentation page under Video...
    RSA Product Team
    created by RSA Product Team
  • How to Install and Configure an Endpoint Relay Server

    RSA Product Team
    last modified by RSA Product Team
  • Parsing Suricata JSON logs with NW

    To successfully parse Suricata JSON logs via syslog collector we need to use LUA parser in NetWitness Log Decoder. Suricata LUA parser in this example is mapping only specific fields from JSON logs to metakeys. In ca...
    Miha Mesojedec
    last modified by Miha Mesojedec
  • I want to deploy a rule for Mirai Botnet. Event Device Type is Customdns, Event.threat_Category is Malware and Event.threat_subtype is Mirai. Aggregation is 2500 Events in 1 minute. But still I am getting many alerts. What to do to reduce the number of matche

    I want to deploy a rule for Mirai Botnet. Event Device Type is Customdns, Event.threat_Category is Malware and Event.threat_subtype is Mirai. Aggregation is 2500 Events in 1 minute. But still I am getting many alerts. Wh...
    Vikramsingh Rajawat
    last modified by Vikramsingh Rajawat
  • RSA Webinar: The Current State of Digital Risk, Thurs., Sept. 12 @ 11:00 am ET

    It’s official: digital transformation is having a palpable impact on companies’ risk profiles, according to the results of our landmark RSA® Digital Risk Report, the first definitive survey of organiz...
    Denise Sposato
    created by Denise Sposato
  • Ports for Windows server log collection

    Which ports do I need to open for collecting logs from Windows servers? As far as I know it's 5985 or 5986, bi-directional, between the Windows event source and the RSA SA log collector. Do I also need to open port 80 or 44...
    Visham Rawat
    last modified by Visham Rawat
  • About Archivers

    How can we include a metakey for storage on the Archiver? I see the device.host is not included. Unable to generate historical reports on this metakey. Also, when we query the Archiver for session size (in by...
    Visham Rawat
    last modified by Visham Rawat
  • New Log Gear Deployment CPU Requirements

    RSA, can someone please guide me to a document that has the CPU requirements for the new log gear we are actively trying to deploy? I was hoping to find a document that is similar to the Virtual guide for requirements. T...
    Dwayne Fryer
    last modified by Dwayne Fryer
  • How to upload private key? (Decrypt Incoming Packets)

    I would like to decrypt SSL packets from a website server powered by Apache. I set supported TLSv1.2 and supported cipher TLS_RSA_WITH_AES_256_CBC_SHA256, but when I try to upload the key I receive the errors below, ...
    Lukasz Czerwonka
    last modified by Lukasz Czerwonka
  • Do not send Blank Reports

    I am using RSA SA 10.6.5.2. There are many scheduled reports which result in empty output/results. The output action is set as SMTP email. I would like to see the email of the report(s) only if the report is NOT empty....
    Vivek Wanelkar
    last modified by Vivek Wanelkar
  • ESA Alert Suppression MultiEvent Alerts

    We cannot figure this out as the ESPER command of 'output every n' does not work for what we are looking for. Not sure if we are going to need to create a persistent table that keeps rewriting itself. ...
    Sean Koniarz
    last modified by Sean Koniarz
  • Recently Published Knowledge Base Articles for RSA NetWitness® Logs & Network

    Date Range: Sunday, August 4th - Saturday, August 10th. Article Title / Author / Last Published Date: 000035681 - Decoder Capture Rate Zero on Health & Wellness due to parser stuck in RSA NetWitness Platform Wonc...
    RSA Link Team
    last modified by RSA Link Team
  • Recently Published Knowledge Base Articles for RSA NetWitness® Endpoint

    Date Range: Sunday, August 4th - Saturday, August 10th. Article Title / Author / Last Published Date: 000037760 - ConsoleServer Service will not start after system has been recovered from Backup in RSA NetWitness End...
    RSA Link Team
    last modified by RSA Link Team
  • Centralized Backup & Restore of NetWitness Version 11.2+  (A Wrapper Script for NRT)

    Scenario: You need to remotely back up your NetWitness hosts to a central location, to satisfy Disaster Recovery requirements, perform a Tech Refresh, or to be prepared for RMA replacement of a device. Solution – ...
    John Snider
    last modified by John Snider
  • 1 Decoder to Multiple Concentrators

    Can we have multiple Concentrators aggregating from 1 Decoder? I hope this doesn't result in duplication of events? If we have let's say 2 Concentrators aggregate from a Decoder actively, only those events which haven...
    Visham Rawat
    last modified by Visham Rawat
  • ESA Rule

    How can I write a rule w/ reference ID 4741 FOLLOWED BY reference ID 5139?
    Roger Feagin
    last modified by Roger Feagin
  • v11.3 Changes to ESA Script Outputs

    In RSA NetWitness 11.3, one of the behind-the-scenes changes to the platform was moving the script notification server from ESA onto the Admin Server. This change opens up a number of possibilities for scripti...
    Joshua Randall
    last modified by Joshua Randall