  • v11.3 Changes to ESA Script Outputs

    In RSA NetWitness 11.3, one of the behind-the-scenes changes to the platform was moving the script notification server from ESA onto the Admin Server. This change opens up a number of possibilities for scripti...
    Joshua Randall
    last modified by Joshua Randall
  • Calling All Innovation Experts: We Need Your Feedback!

    Greetings fellow innovators! RSA is in the midst of an internal innovation challenge and we are actively seeking feedback from customers and partners. Specifically, we have published concept summaries and would...
</grreplace>
<gr_replace lines="13" cat="reformat" orig="One of the most">
    One of the most powerful features to make its way into RSA NetWitness Platform version 11.3 is also one of the most subtle in the interface. 11.3 now saves analysts one more step during incident response by inte...
    David Dewald Jr.
    created by David Dewald Jr.
  • Event Reconstruction Now Inside Respond Case Management

    One of the most powerful features to make its way into RSA NetWitness Platform version 11.3 is also one of the most subtle in the interface.  11.3 now saves analysts one more step during incident response by inte...
    Sean Ennis
    last modified by Sean Ennis
  • Tips to Build [Small] RSA NetWitness Platform Virtual Hosts

    Overview The RSA NetWitness is run by many of our customers on RSA's physical appliances, but the entire stack can run in AWS, Azure, VMware, or Hyper-V just fine. You can even mix-and-match hardware between physical...
    Sean Griesheimer
    last modified by Sean Griesheimer
  • Google G Suite Integration with the RSA NetWitness Platform

    G Suite (formerly known as Google Business Suite or Google Apps for Business) is now supported for log collection using the RSA NetWitness Platform. Collection is achieved via the G Suite Reports API (v1) a...
    Mitchell Hanks
    last modified by Mitchell Hanks
  • Visual Process Analysis With RSA NetWitness Endpoint

    Starting in version 11.3, the RSA NetWitness Platform introduced the ability to analyze endpoint data captured by the RSA NetWitness Endpoint Agent (both the free "Insights" version and the full version). Fo...
    Sean Ennis
    last modified by Sean Ennis
  • RSA NetWitness Packet Meta in ELK

    In line with some of my other integrations, I recently decided to also create a proof-of-concept solution on how to integrate RSA NetWitness meta data into an ELK stack. Given that I already had a couple of Py...
    Rui Ataide
    last modified by Rui Ataide
  • Top Level Domain (TLD) Lua Parser for Logs

    The TLD parser has been updated to now deploy on Log Decoders. The parser looks for the following keys from log devices to parse out the same information as packets: Alias.host Host.src Host.dst...
    Eric Partington
    last modified by Eric Partington
  • Detecting Command and Control in RSA NetWitness: Cobalt Strike

    Introduction Cobalt Strike is a threat emulation tool used by red teams and advanced persistent threats for gaining and maintaining a foothold on networks. This blog post will cover the detection of Cobalt Strik...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • Health & Wellness uses an old IP for connecting to a device - How to Resolve

    Health and Wellness leverages RabbitMQ to be able to collect the actual status of any components of the RSA NetWitness platform. After changing an IP on a component, Health and Wellness keeps communicating...
    Xavier Trepanier-Taupier
    last modified by Xavier Trepanier-Taupier
  • Building the Notifications of Your Dreams in the RSA NetWitness Platform

    Overview Sending a notification based on a critical or time-sensitive event seen in your environment is table stakes functionality for any detection platform. Alerting someone in a timely manner is important, but bui...
    Sean Griesheimer
    last modified by Sean Griesheimer
  • Health and Wellness Policy - Alerting on Uptime

    A recent customer question about alerting on Uptime values from the REST API got me digging into the Health and Wellness Policies for a better solution. The request was to alert when the uptime value for speci...
    Eric Partington
    last modified by Eric Partington
  • Purging unwanted data from the RSA NetWitness Platform

    Unfortunately sometimes sensitive data can find its way where it is not wanted. It should not, but it happens. Perhaps your IT Person decided connecting the high side network to the low side was a good idea. Mayb...
    William Hart
    last modified by William Hart
  • Domain Fronting Malware

    Customers frequently ask me about malware that uses domain fronting and how to detect it. Simply put, domain fronting is when malware or an application pretends to be going to one domain but instead is going somewhere...
    Rui Ataide
    last modified by Rui Ataide
  • Why You Shouldn't Worry About Risk

    (Authored by Steve Schlarman, Portfolio Strategist, RSA) It was Mark’s big shot.  He finally had a meeting with Sharon, the CIO.  Her schedule was so busy it was legendary and for her to spend time wit...
    Denise Sposato
    last modified by Denise Sposato
  • HTTP Error code 522

    Interesting blog post from the ISC SANS Handlers blog about HTTP error code 522 (Connection timed out): https://isc.sans.edu/diary/522%2BError%2BCode%2Bfor%2Bthe%2BWin/21377 Which got me thinking, could RSA...
    Eric Partington
    last modified by Eric Partington
  • Introduction to MITRE’s ATT&CK™ and Mapping to ESA Rules

    Introduction to MITRE’s ATT&CK™ Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for enterprise is a framework which describes the adversarial actions or tactics from I...
    Prakhar Pandey
    last modified by Prakhar Pandey
  • VLC Load Balancing and Failover on AWS

    If you need to achieve HA through load balancing and failover for VLCs on AWS you can use the built-in AWS load balancer. I have tested this scenario so I am going to share the outcome here. Before starting I ...
    Marco Meli
    created by Marco Meli
  • Threat Intel Integration with MISP and Minemeld

    RSA NetWitness has a number of integrations with threat intel data providers but two that I have come across recently were not listed (MISP and Minemeld) so I figured that it would be a good challenge to see if they c...
    Eric Partington
    created by Eric Partington
  • Profiling Attackers Series

    I have recently been posting a number of blogs regarding the usage of the RSA NetWitness Platform to detect attackers within your environment. As the list of blogs grows, it is becoming increasingly difficult to nav...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick