• Profiling Attackers Series

    I have recently been posting a number of blogs regarding the usage of the RSA NetWitness Platform to detect attackers within your environment. As the list of the blogs grows, it is becoming increasingly difficult to nav...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • Threat Detection Content Update - May 2020

    Summary: Several changes have been made to the Threat Detection Content in Live. For added detection you need to deploy/download and subscribe to the content via Live. For retired content, you must manually remove thos...
    Rajas Save
    last modified by Rajas Save
  • Using RSA NetWitness to Detect QuasarRAT

    Delving back into the C2 Matrix to look for some more inspiration for blog posts, we noticed there are a number of Remote Administration Tools (RATs) listed. So we decided to start taking a look at these RATs and...
    Lee Kirkpatrick
    created by Lee Kirkpatrick
  • ASD & NSA's Guide to Detect and Prevent Web Shell Malware – Endpoint Visibility

    To round out our series explaining how to use the indicators from ASD & NSA's report for detecting web shells (Detect and prevent web shell malware | Cyber.gov.au ) with NetWitness, let's take a look at the e...
    Chris Thomas
    last modified by Chris Thomas
  • Examining Threat Aware Authentication in v11.3

    One of the features included in the RSA NetWitness 11.3 release is something called Threat Aware Authentication (Respond Config: Configure Threat Aware Authentication). This feature is a direct integration betwe...
    Josh Randall
    last modified by Josh Randall
  • Running RSA NetWitness in Google Cloud

    As cloud deployments continue to gain popularity you may find the need for running the RSA NetWitness Platform in Google Cloud. The RSA NetWitness Platform is already available for AWS and Azure, however is not ...
    Michael Gotham
    last modified by Michael Gotham
  • Postman for NetWitness

    If you've ever done any work testing against an API (or even just for fun), then you've likely come across a number of tools that aim to make this work (or fun) easier. Postman is one of these tools, and ...
    Josh Randall
    last modified by Josh Randall
  • Detecting C2 in RSA NetWitness: BeEF + Octopus

    Intro: Octopus was presented at Black Hat London 2019 by Askar. The GitHub page is available here. It is a pre-operation C2 for Red Teamers, based on HTTP/S and written in Python. This blog post will show th...
    Marco Meli
    last modified by Marco Meli
  • Using RSA NetWitness to Detect Chaos C2

    We are back again with another C2 framework called Chaos: https://github.com/tiagorlampert/CHAOS. CHAOS is a PoC written in Go and comes with a healthy number of features for controlling the remote endpoints. It...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • Microsoft 365, MS Threat Intelligence, Azure and Qualys Dashboards for RSA NetWitness Evolved SIEM

    Interested in having a central single pane of glass view across your cloud, on-prem and virtual infrastructure? Well, then without a shadow of a doubt the use of the RSA NetWitness real-time dashboards and charts will co...
    Islam Rashad
    last modified by Islam Rashad
  • Custom Flat File Log Collection with NW-Endpoint 11.4

    22APR2020 - UPDATE: Naushad Kasu has posted a video blog of this process and I have posted the template.xml and NweAgentPolicyDetails_x64.exe files from his blog here. 08APR2020 - UPDATE: adding ...
    Josh Randall
    last modified by Josh Randall
  • ASD & NSA's Guide to Detect and Prevent Web Shell Malware – Network Visibility

    Following on from my last post that focused on analysing web server logs (ASD & NSA's Guide to Detect and Prevent Web Shell Malware - Web Server Logs), this time we are going to look at the network b...
    Chris Thomas
    created by Chris Thomas
  • ASD & NSA's Guide to Detect and Prevent Web Shell Malware - Web Server Logs

    Introduction: The Australian Signals Directorate (ASD) & US National Security Agency (NSA) have jointly released a useful guide for detecting and preventing web shell malware. If you haven't seen it yet, you can fi...
    Chris Thomas
    last modified by Chris Thomas
  • Customizing Respond Incident Notification Emails

    One of the more common requests and "how do I" questions I've heard in recent months centers around the emails that the Respond Module can send when an Incident is created or updated. Enabling this configuration...
    Josh Randall
    last modified by Josh Randall
  • Operationalizing Threat Aware Authentication

    Shout out to @Casey Switzer, @Josh Randall & @Larry Hammond. Without their help, the lab, configuration and operational considerations would not be possible. Last year in RSA NetWitness 11.3, a new in...
    Kelly Ahlers
    last modified by Kelly Ahlers
  • RSA NetWitness Storage Retention Script

    Although the RSA NetWitness platform gives administrators visibility into system metrics through the Health & Wellness Systems Stats Browser, we currently do not have a method to see all storage / retention a...
    Naushad Kasu
    last modified by Naushad Kasu
  • RSA NetWitness Meta Dictionary Tool

    The RSA NetWitness Meta Dictionary is a tool developed for describing metadata used in RSA NetWitness Log Parsers. The RSA NetWitness Log Decoder supports over 300 unique log event sources. Each log event...
    Chaitra Kulkarni
    last modified by Chaitra Kulkarni
  • Threat Detection Content Update - April 2020

    Summary: Several changes have been made to the Threat Detection Content in Live. For added detection you need to deploy/download and subscribe to the content via Live; for retired content you'll need to manually remov...
    Rajas Save
    last modified by Rajas Save
  • Tips to Build [Small] RSA NetWitness Platform Virtual Hosts

    Overview; To ISO or Not to ISO; VM Host Sizing; Raw Event Data Storage; Install Services; Validate Folder Sizes - RSA NetWitness Platform Databases; Validate Thresholds - MongoDB; Minimu...
    Sean Griesheimer
    last modified by Sean Griesheimer
  • Maze Ransomware Detection with RSA NetWitness

    The Maze ransomware has recently been making the news due to some high-profile infections. In addition to requesting, in some instances, ransoms of 6+ million USD to regain access to the files, the group behind the ma...
    Halim Abouzeid
    last modified by Halim Abouzeid