• Detecting Command and Control in RSA NetWitness: Cobalt Strike

    Introduction: Cobalt Strike is a threat emulation tool used by red teams and advanced persistent threats for gaining and maintaining a foothold on networks. This blog post will cover the detection of Cobalt Strik...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • RSA NetWitness Packet Meta in ELK

    In line with some of my other integrations, I recently decided to also create a proof-of-concept solution on how to integrate RSA NetWitness meta data into an ELK stack.   Given that I already had a couple of Py...
    Rui Ataide
    last modified by Rui Ataide
  • Threat Intel Integration with MISP and Minemeld

    RSA NetWitness has a number of integrations with threat intel data providers but two that I have come across recently were not listed (MISP and Minemeld) so I figured that it would be a good challenge to see if they c...
    Eric Partington
    created by Eric Partington
  • Easy-add Recurring Feeds

    In the past, I've seen a number of people ask how to enable a recurring feed from a hosting server that is using SSL/TLS, particularly when attempting to add a recurring feed hosted on the NetWitness Node0 server...
    Joshua Randall
    last modified by Joshua Randall
  • Contextualizing JA3 Fingerprints

    A couple of years ago, a few smart folks over at Salesforce came up with the idea of fingerprinting certain characteristics of the "Client Hello" of the SSL/TLS handshake, with the goal of more accurately identifying the cl...
    Joshua Randall
    last modified by Joshua Randall
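    The JA3 method referred to above turns the visible fields of a TLS ClientHello (version, cipher suites, extension types, supported groups and EC point formats, each as decimal values, with GREASE values dropped) into a comma-separated string and hashes it with MD5. The block below is an added example, not code from the original post or from the JA3 project: it parses a raw ClientHello record, builds the JA3 string and hash, and runs on a ClientHello that is constructed in the block itself (the `build_client_hello` helper exists only to make that sample; the cipher, extension and group values are arbitrary test choices).

```python
import hashlib
import struct

# GREASE values (RFC 8701) are reserved 16-bit values of the form 0xXaXa. Browsers insert them
# at random positions, so JA3 removes them before hashing or the fingerprint would never be stable.
GREASE = {(x << 12) | (0xA << 8) | (x << 4) | 0xA for x in range(16)}


def build_client_hello(version, ciphers, extensions, curves, point_formats):
    """Constructed test input only: serialise a minimal TLS ClientHello record (random is zeroed)."""
    ext_blob = b""
    for ext in extensions:
        if ext == 10:    # supported_groups: 2-byte list length, then 2-byte group ids
            body = struct.pack("!H", 2 * len(curves)) + b"".join(struct.pack("!H", c) for c in curves)
        elif ext == 11:  # ec_point_formats: 1-byte list length, then 1-byte formats
            body = struct.pack("!B", len(point_formats)) + bytes(point_formats)
        else:            # other extension types carry no data in this sample
            body = b""
        ext_blob += struct.pack("!HH", ext, len(body)) + body
    body = (struct.pack("!H", version) + b"\x00" * 32 + b"\x00"          # version, random, empty session id
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                                 # one compression method: null
            + struct.pack("!H", len(ext_blob)) + ext_blob)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake


def parse_client_hello(record):
    """Return (version, ciphers, extension_types, supported_groups, point_formats) from a TLS record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                               # skip handshake type + 3-byte length
    version = struct.unpack_from("!H", hs, p)[0]; p += 2
    p += 32                                             # client random
    p += 1 + hs[p]                                      # session id
    cs_len = struct.unpack_from("!H", hs, p)[0]; p += 2
    ciphers = [struct.unpack_from("!H", hs, p + i)[0] for i in range(0, cs_len, 2)]; p += cs_len
    p += 1 + hs[p]                                      # compression methods
    extensions, curves, point_formats = [], [], []
    if p + 2 <= len(hs):
        end = p + 2 + struct.unpack_from("!H", hs, p)[0]; p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", hs, p); p += 4
            data = hs[p:p + elen]; p += elen
            extensions.append(etype)
            if etype == 10 and len(data) >= 2:
                n = struct.unpack_from("!H", data, 0)[0]
                curves = [struct.unpack_from("!H", data, 2 + i)[0] for i in range(0, n, 2)]
            elif etype == 11 and len(data) >= 1:
                point_formats = list(data[1:1 + data[0]])
    return version, ciphers, extensions, curves, point_formats


def ja3(record):
    """JA3 string and MD5 fingerprint of a ClientHello record, with GREASE values removed."""
    version, ciphers, extensions, curves, point_formats = parse_client_hello(record)

    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    s = ",".join([str(version), field(ciphers), field(extensions), field(curves),
                  "-".join(str(v) for v in point_formats)])
    return s, hashlib.md5(s.encode()).hexdigest()


# Constructed sample: TLS 1.2 hello with GREASE in the cipher list, extension list and group list.
SAMPLE_RECORD = build_client_hello(
    version=0x0303,
    ciphers=[0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F],
    extensions=[0x0A0A, 0, 10, 11, 13, 43],
    curves=[0x1A1A, 29, 23, 24],
    point_formats=[0],
)


def sample_fingerprint():
    return ja3(SAMPLE_RECORD)


if __name__ == "__main__":
    ja3_str, ja3_hash = sample_fingerprint()
    print(ja3_str)   # 771,4865-4866-49195-49199,0-10-11-13-43,29-23-24,0
    print(ja3_hash)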
  • RSA Threat Content mapping with MITRE ATT&CK™

    Introduction to MITRE ATT&CK™: Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for enterprise is a framework which describes the adversarial actions or tactics from Initial Access (E...
    Prakhar Pandey
    last modified by Prakhar Pandey
  • Introducing the new Engineering Requests dashboard in the RSA Case Management portal

    One of the biggest commitments we at RSA make to our customers is to provide best-in-class security products that help manage digital risk.  Our goal is to do so with maximum reliability while also requiring mini...
    Anya Kricsfeld
    last modified by Anya Kricsfeld
  • A new RSA NetWitness® Platform 11.3 documentation page is live!

    Today RSA Link implemented a new way of presenting documentation to help RSA NetWitness® Platform customers find the information they need quickly and easily. RSA NetWitness Platform 11.3 presents the documentati...
    Susan Ewald
    last modified by Susan Ewald
  • Running RSA NetWitness in Google Cloud

    As cloud deployments continue to gain popularity you may find the need for running the RSA NetWitness Platform in Google Cloud.  The RSA NetWitness Platform is already available for AWS and Azure, however it is not ...
    Michael Gotham
    last modified by Michael Gotham
  • RSA NetWitness Endpoint Application Rules Mapping with MITRE’s ATT&CK™

    Introduction to MITRE’s ATT&CK™: Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for enterprise is a framework which describes the adversarial actions or tactics from Initial A...
    Prakhar Pandey
    last modified by Prakhar Pandey
  • Tips to Build [Small] RSA NetWitness Platform Virtual Hosts

    Overview; To ISO or Not to ISO; VM Host Sizing; Raw Event Data Storage; Install Services; Validate Folder Sizes - RSA NetWitness Platform Databases; Validate Thresholds - MongoDB; Minimu...
    Sean Griesheimer
    last modified by Sean Griesheimer
  • DGA Detection

    In one of my previous posts (Shannon. Have you seen my Entropy?) I touched on using a custom Java entropy calculator within the ESA to calculate the entropy values for domains to assist with detecting Domain Generatio...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • Porting 10.x Notification Templates to 11.x

    One of the changes introduced in 11.x (11.0, specifically) was the removal of the macros.ftl reference in notification templates.  These templates enable customized notifications (primarily syslog and email)...
    Joshua Randall
    last modified by Joshua Randall
  • Detecting DNS Tunnel Activity in RSA NetWitness

    Introduction: There are many, many ways to exfiltrate data from a network, but one common way to do it is DNS exfiltration. With these techniques the attackers use the already-open port for DNS traff...
    Massimiliano Faudarole
    last modified by Massimiliano Faudarole
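    Both the DGA Detection post above and this DNS tunnelling post lean on the same observation: machine-generated names have a higher Shannon entropy (and, for tunnelling, far more subdomain bytes) than names people type. The block below is an added example, not code from either post and not the ESA Java calculator the DGA post describes: it computes per-character Shannon entropy, splits a query name into subdomains, registrable label and suffix (the suffix list is a tiny assumed stand-in for the public suffix list), and applies two assumed thresholds to a handful of constructed query names. Thresholds and sample names are illustrative choices, not values from the posts.

```python
import math
from collections import Counter

# Assumed stand-in for the public suffix list; a real deployment would load the full list.
SUFFIXES = {"com", "net", "org", "co.uk"}

# Assumed thresholds, chosen for the constructed samples below; tune against your own DNS baseline.
DGA_MIN_ENTROPY = 3.5      # bits per character of the registrable label
DGA_MIN_LENGTH = 8         # short labels can hit high entropy by chance, so require some length
TUNNEL_MIN_SUB_BYTES = 40  # total bytes carried in subdomain labels
TUNNEL_MIN_ENTROPY = 4.0   # or: shorter but near-random subdomain content
TUNNEL_MIN_SUB_LEN = 20


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_domain(fqdn):
    """Return (subdomain_labels, registrable_label, suffix) using the assumed suffix set."""
    labels = fqdn.lower().rstrip(".").split(".")
    for k in (2, 1):  # prefer the longer (two-label) suffix, e.g. co.uk, over the one-label one
        if len(labels) > k and ".".join(labels[-k:]) in SUFFIXES:
            return labels[:-k - 1], labels[-k - 1], ".".join(labels[-k:])
    return labels[:-1], labels[-1], ""


def classify(fqdn):
    """Flags for one query name: 'dga' for a random-looking registrable label,
    'tunnel' for a large or random-looking subdomain payload; empty list if neither."""
    subs, sld, _suffix = split_domain(fqdn)
    flags = []
    if len(sld) >= DGA_MIN_LENGTH and shannon_entropy(sld) >= DGA_MIN_ENTROPY:
        flags.append("dga")
    sub_payload = "".join(subs)
    if len(sub_payload) >= TUNNEL_MIN_SUB_BYTES or (
        len(sub_payload) >= TUNNEL_MIN_SUB_LEN and shannon_entropy(sub_payload) >= TUNNEL_MIN_ENTROPY
    ):
        flags.append("tunnel")
    return flags


# Constructed sample query names (not real traffic): one normal, one DGA-like, one tunnel-like.
SAMPLE_QUERIES = [
    "www.google.com",
    "xk7pq2m9wzr4tj.net",
    "mfrggzdfmztwq2lkmzwxizltorsxg5dfmz2a.ydwyzn2nmfuxi.tunnel-demo.org",
    "mail.example.co.uk",
]


def classify_all(names=SAMPLE_QUERIES):
    return [(name, classify(name)) for name in names]


if __name__ == "__main__":
    for name, flags in classify_all():
        subs, sld, suffix = split_domain(name)
        print(f"{name:70} sld_entropy={shannon_entropy(sld):.2f} sub_bytes={len(''.join(subs)):3d} {flags}")
```

    Entropy alone is noisy: CDN hostnames, cloud-storage buckets and anti-virus lookups legitimately carry long hashed labels, so in practice the flags above are best used as enrichment meta that a rule then combines with query volume per client, NXDOMAIN ratio and record type (TXT and NULL queries are the usual tunnelling carriers) rather than as an alert by themselves.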
  • Network Cloud Visibility with AWS Traffic Mirroring

    Introducing RSA NetWitness Platform's support for AWS VPC Traffic Mirroring!   By partnering with AWS and integrating with their AWS VPC Traffic Mirroring, customers are able to access the right virtual traff...
    Michael Gallegos
    last modified by Michael Gallegos
  • Examining Threat Aware Authentication in v11.3

    One of the features included in the RSA NetWitness 11.3 release is something called Threat Aware Authentication (Respond Config: Configure Threat Aware Authentication).  This feature is a direct integration betwe...
    Joshua Randall
    last modified by Joshua Randall
  • Re-Aggregate Alerts from Previously Deleted Incidents

    It often happens to me that while I am testing new alerts and incident aggregation rules, I find that the aggregation condition(s) I chose in my Incident Rule are not what I want.  While I could re-create th...
    Joshua Randall
    last modified by Joshua Randall
  • Deleting custom YARA rules in the RSA NetWitness Platform

    An administrator uploads custom YARA content to the RSA NetWitness Platform per the instructions in the documentation. It turns out they want to change or delete it, but the only options in the user interface are to disable ...
    Joseph Kavanaugh
    last modified by Joseph Kavanaugh
  • v11.3 Changes to ESA Script Outputs

    In RSA NetWitness 11.3, one of the behind-the-scenes changes to the platform was moving the script notification server from ESA onto the Admin Server.   This change opens up a number of possibilities for scripti...
    Joshua Randall
    last modified by Joshua Randall
  • Calling All Innovation Experts: We Need Your Feedback!

    Greetings fellow innovators!   RSA is in the midst of an internal innovation challenge and we are actively seeking feedback from customers and partners. Specifically, we have published concept summaries and would...
    David Dewald Jr.
    created by David Dewald Jr.