• Detecting Command and Control in RSA NetWitness: Cobalt Strike

    Introduction Cobalt Strike is a threat emulation tool used by red teams and advanced persistent threats for gaining and maintaining a foothold on networks. This blog post will cover the detection of Cobalt Strik...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • Detection of an APT33 Attack using RSA NetWitness

    APT33 is a state-sponsored group suspected to be linked to Iran. It has been active since 2013 and has targeted organizations in the aviation and energy sectors mainly across the United States and the Middle East regi...
    Halim Abouzeid
    last modified by Halim Abouzeid
  • Threat Intel Integration with MISP and Minemeld

    RSA NetWitness has a number of integrations with threat intel data providers but two that I have come across recently were not listed (MISP and Minemeld) so I figured that it would be a good challenge to see if they c...
    Eric Partington
    created by Eric Partington
  • RSA Threat Content mapping with MITRE ATT&CK™

    Introduction to MITRE ATT&CK™ Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for enterprise is a framework which describes the adversarial actions or tactics from Initial Access (E...
    Prakhar Pandey
    last modified by Prakhar Pandey
  • Introducing the new Engineering Requests dashboard in the RSA Case Management portal

    One of the biggest commitments we at RSA make to our customers is to provide best-in-class security products that help manage digital risk.  Our goal is to do so with maximum reliability while also requiring mini...
    Anya Kricsfeld
    last modified by Anya Kricsfeld
  • A new RSA NetWitness® Platform 11.3 documentation page is live!

    Today RSA Link implemented a new way of presenting documentation to help RSA NetWitness® Platform customers find the information they need quickly and easily. RSA NetWitness Platform 11.3 presents the documentati...
    Susan Ewald
    last modified by Susan Ewald
  • Running RSA NetWitness in Google Cloud

    As cloud deployments continue to gain popularity you may find the need to run the RSA NetWitness Platform in Google Cloud.  The RSA NetWitness Platform is already available for AWS and Azure; however, it is not ...
    Michael Gotham
    last modified by Michael Gotham
  • RSA NetWitness Endpoint Application Rules Mapping with MITRE’s ATT&CK™

    Introduction to MITRE’s ATT&CK™ Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for enterprise is a framework which describes the adversarial actions or tactics from Initial A...
    Prakhar Pandey
    last modified by Prakhar Pandey
  • DGA Detection

    In one of my previous posts (Shannon. Have you seen my Entropy?) I touched on using a custom Java entropy calculator within the ESA to calculate the entropy values for domains to assist with detecting Domain Generatio...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • Porting 10.x Notification Templates to 11.x

    One of the changes introduced in 11.x (11.0, specifically) was the removal of the macros.ftl reference in notification templates.  These templates enable customized notifications (primarily syslog and email)...
    Josh Randall
    last modified by Josh Randall
  • Detecting DNS Tunnel Activity in RSA NetWitness

    Introduction There are many ways to exfiltrate data from a network, but one common way to do it is DNS exfiltration. With these techniques the attackers use the already open port for DNS traff...
    Massimiliano Faudarole
    last modified by Massimiliano Faudarole
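    The DGA Detection and DNS tunnel entries above both rest on the same idea: the label an algorithm or an encoder generates looks nothing like a label a human chose, and Shannon entropy makes that measurable. The following is an added example, not code from either post or from the RSA NetWitness ESA. It runs a Shannon entropy calculator over constructed DNS query lines (not real data) and applies two heuristics: a DGA check on the registrable label, and a tunnel check on the subdomain part that requires at least two independent indicators (length, entropy, query type, count of distinct subdomains) before flagging a domain. The two-label "registrable domain" split, the 3.5-bit threshold and the 30-character subdomain length are assumptions chosen for the sample, not values from the posts.

```python
"""Shannon entropy heuristics for DGA and DNS-tunnel detection over sample query logs.

Added example; assumptions: registrable domain = last two labels (a real
deployment would use a public suffix list), thresholds chosen for the sample.
"""
import math
from collections import Counter, defaultdict

# Constructed sample DNS query lines (not real data): "<client> <qname> <qtype>"
SAMPLE_QUERIES = [
    "10.0.0.5 www.example.com A",
    "10.0.0.5 mail.example.com A",
    "10.0.0.7 xkq7f9z2mvbp1t.com A",   # DGA-looking registrable label
    "10.0.0.7 q3lm8w0ztk5b7n.net A",
    "10.0.0.9 a9f3b2c7e1d4f6a8b0c2d4e6f8a1b3c5.tunnel.example.net TXT",
    "10.0.0.9 0e7c9a1b3d5f7a9c1e3b5d7f9a1c3e5b.tunnel.example.net TXT",
    "10.0.0.9 5d7f9a1c3e5b7d9f1a3c5e7b9d1f3a5c.tunnel.example.net TXT",
    "10.0.0.9 b3d5f7a9c1e3b5d7f9a1c3e5b7d9f1a3.tunnel.example.net TXT",
    "10.0.0.5 static.example.com A",
]


def shannon_entropy(s: str) -> float:
    """Bits per symbol of the character distribution in s (0.0 for empty/uniform)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_query(line: str):
    client, qname, qtype = line.split()
    return client, qname.rstrip(".").lower(), qtype


def split_name(qname: str):
    """Return (subdomain, second-level label, registrable domain). Assumes 2-label registrable domain."""
    labels = qname.split(".")
    if len(labels) < 2:
        return "", qname, qname
    return ".".join(labels[:-2]), labels[-2], ".".join(labels[-2:])


def is_dga_like(qname: str, threshold: float = 3.5, min_len: int = 8) -> bool:
    """DGA heuristic: a long second-level label with high character entropy."""
    _, sld, _ = split_name(qname)
    return len(sld) >= min_len and shannon_entropy(sld) >= threshold


def tunnel_indicators(qname: str, qtype: str, max_sub_len: int = 30, threshold: float = 3.5):
    """Per-query tunnel indicators on the subdomain part (labels left of the registrable domain)."""
    subdomain, _, _ = split_name(qname)
    compact = subdomain.replace(".", "")
    reasons = []
    if len(compact) >= max_sub_len:
        reasons.append("long-subdomain")
    if compact and shannon_entropy(compact) >= threshold:
        reasons.append("high-entropy-subdomain")
    if compact and qtype in ("TXT", "NULL"):
        reasons.append("uncommon-qtype")
    return reasons


def analyze(lines, min_unique_subdomains: int = 3, min_reasons: int = 2):
    """Flag DGA-like names and tunnel-like registrable domains (with the clients that queried them)."""
    queries = [parse_query(line) for line in lines]
    unique_subs = defaultdict(set)
    for _, qname, _ in queries:
        subdomain, _, registrable = split_name(qname)
        if subdomain:
            unique_subs[registrable].add(subdomain)

    dga_hits = sorted({qname for _, qname, _ in queries if is_dga_like(qname)})
    tunnel_hits = defaultdict(set)
    for client, qname, qtype in queries:
        _, _, registrable = split_name(qname)
        reasons = tunnel_indicators(qname, qtype)
        if len(unique_subs[registrable]) >= min_unique_subdomains:
            reasons.append("many-unique-subdomains")
        # Two indicators are required: a busy domain with many short, low-entropy
        # hostnames (www, mail, static) has only one and is not flagged.
        if len(reasons) >= min_reasons:
            tunnel_hits[registrable].add(client)
    return {"dga": dga_hits, "tunnel": {d: sorted(c) for d, c in tunnel_hits.items()}}


if __name__ == "__main__":
    print(analyze(SAMPLE_QUERIES))
```

    On the sample, the two 14-character random labels score about 3.8 bits and are reported as DGA-like, example.net is reported as tunnel-like for client 10.0.0.9 (long, high-entropy, TXT-queried subdomains, four of them), and example.com is not, even though it also has three distinct subdomains. Tune the thresholds against your own baseline before using them in an ESA rule; CDN and cloud hostnames legitimately carry long hashed labels and will trip the length and entropy indicators alone.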
  • Network Cloud Visibility with AWS Traffic Mirroring

    Introducing RSA NetWitness Platform's support for AWS VPC Traffic Mirroring!   By partnering with AWS and integrating with AWS VPC Traffic Mirroring, customers are able to access the right virtual traff...
    Michael Gallegos
    last modified by Michael Gallegos
  • Examining Threat Aware Authentication in v11.3

    One of the features included in the RSA NetWitness 11.3 release is something called Threat Aware Authentication (Respond Config: Configure Threat Aware Authentication).  This feature is a direct integration betwe...
    Josh Randall
    last modified by Josh Randall
  • Re-Aggregate Alerts from Previously Deleted Incidents

    It often happens to me that while I am testing new alerts and incident aggregation rules, I find that the aggregation condition(s) I chose in my Incident Rule are not what I want.  While I could re-create th...
    Josh Randall
    last modified by Josh Randall
  • Deleting custom YARA rules in the RSA NetWitness Platform

    An administrator uploads custom YARA content to the RSA NetWitness Platform per instructions in the documentation. Turns out they want to change or delete it, but the only options in the user interface are to disable ...
    Joseph Kavanaugh
    last modified by Joseph Kavanaugh
  • v11.3 Changes to ESA Script Outputs

    In RSA NetWitness 11.3, one of the behind-the-scenes changes to the platform was moving the script notification server from ESA onto the Admin Server.   This change opens up a number of possibilities for scripti...
    Josh Randall
    last modified by Josh Randall
  • Calling All Innovation Experts: We Need Your Feedback!

    Greetings fellow innovators!   RSA is in the midst of an internal innovation challenge and we are actively seeking feedback from customers and partners. Specifically, we have published concept summaries and would...
    David Dewald Jr.
    created by David Dewald Jr.
  • Event Reconstruction Now Inside Respond Case Management

    One of the most powerful features to make its way into RSA NetWitness Platform version 11.3 is also one of the most subtle in the interface.  11.3 now saves analysts one more step during incident response by inte...
    Sean Ennis
    last modified by Sean Ennis
  • Google G Suite Integration with the RSA NetWitness Platform

    G Suite (formerly known as Google Business Suite or Google Apps for Business) is now supported for log collection using the RSA NetWitness Platform.  Collection is achieved via the G Suite Reports API (v1) a...
    Mitch Hanks
    last modified by Mitch Hanks
  • Visual Process Analysis With RSA NetWitness Endpoint

    Starting in version 11.3, the RSA NetWitness Platform introduced the ability to analyze endpoint data captured by the RSA NetWitness Endpoint Agent (both the free "Insights" version and the full version). Fo...
    Sean Ennis
    last modified by Sean Ennis