• DGA Detection

    In one of my previous posts (Shannon. Have you seen my Entropy?) I touched on using a custom Java entropy calculator within the ESA to calculate the entropy values for domains to assist with detecting Domain Generatio...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • Porting 10.x Notification Templates to 11.x

    One of the changes introduced in 11.x (11.0, specifically) was the removal of the macros.ftl reference in notification templates.  These templates enable customized notifications (primarily syslog and email)...
    Josh Randall
    last modified by Josh Randall
  • Detecting DNS Tunnel Activity in RSA NetWitness

    Introduction There are many, many ways to exfiltrate data from a network, but one common way to do it is using DNS Exfiltration. With these specific techniques the attackers use the already open port for DNS traff...
    Massimiliano Faudarole
    last modified by Massimiliano Faudarole
  • Network Cloud Visibility with AWS Traffic Mirroring

    Introducing RSA NetWitness Platform's support for AWS VPC Traffic Mirroring! By partnering with AWS and integrating with their AWS VPC Traffic Mirroring, customers are able to access the right virtual traff...
    Michael Gallegos
    last modified by Michael Gallegos
  • Examining Threat Aware Authentication in v11.3

    One of the features included in the RSA NetWitness 11.3 release is something called Threat Aware Authentication (Respond Config: Configure Threat Aware Authentication).  This feature is a direct integration betwe...
    Josh Randall
    last modified by Josh Randall
  • Re-Aggregate Alerts from Previously Deleted Incidents

    It often happens to me that while I am testing new alerts and incident aggregation rules, I find that the aggregation condition(s) I chose in my Incident Rule are not what I want.  While I could re-create th...
    Josh Randall
    last modified by Josh Randall
  • Deleting custom YARA rules in the RSA NetWitness Platform

    An administrator uploads custom YARA content to the RSA NetWitness Platform per instructions in the documentation. Turns out they want to change or delete it, but the only options in the user interface are to disable ...
    Joseph Kavanaugh
    last modified by Joseph Kavanaugh
  • v11.3 Changes to ESA Script Outputs

    In RSA NetWitness 11.3, one of the behind-the-scenes changes to the platform was moving the script notification server from ESA onto the Admin Server. This change opens up a number of possibilities for scripti...
    Josh Randall
    last modified by Josh Randall
  • Calling All Innovation Experts: We Need Your Feedback!

    Greetings fellow innovators! RSA is in the midst of an internal innovation challenge and we are actively seeking feedback from customers and partners. Specifically, we have published concept summaries and would...
    David Dewald Jr.
    created by David Dewald Jr.
  • Event Reconstruction Now Inside Respond Case Management

    One of the most powerful features to make its way into RSA NetWitness Platform version 11.3 is also one of the most subtle in the interface.  11.3 now saves analysts one more step during incident response by inte...
    Sean Ennis
    last modified by Sean Ennis
  • Google G Suite Integration with the RSA NetWitness Platform

    G Suite (formerly known as Google Business Suite or Google Apps for Business) is now supported for log collection using the RSA NetWitness Platform.  Collection is achieved via the G Suite Reports API (v1) a...
    Mitch Hanks
    last modified by Mitch Hanks
  • Visual Process Analysis With RSA NetWitness Endpoint

    Starting in version 11.3, the RSA NetWitness Platform introduced the ability to analyze endpoint data captured by the RSA NetWitness Endpoint Agent (both the free "Insights" version and the full version). Fo...
    Sean Ennis
    last modified by Sean Ennis
  • Top Level Domain (TLD) Lua Parser for Logs

    The TLD parser has been updated to now deploy on Log Decoders. The parser looks for the following keys from log devices to parse out the same information as packets: Alias.host, Host.src, Host.dst...
    Eric Partington
    last modified by Eric Partington
  • Building the Notifications of Your Dreams in the RSA NetWitness Platform

    Overview Sending a notification based on a critical or time-sensitive event seen in your environment is table stakes functionality for any detection platform. Alerting someone in a timely manner is important, but bui...
    Sean Griesheimer
    last modified by Sean Griesheimer
  • Health and Wellness Policy - Alerting on Uptime

    A recent customer question about alerting on Uptime values from the REST API got me digging into the Health and Wellness Policies for a better solution. The request was to alert when the uptime value for speci...
    Eric Partington
    last modified by Eric Partington
  • Purging unwanted data from the RSA NetWitness Platform

    Unfortunately sometimes sensitive data can find its way where it is not wanted. It should not, but it happens. Perhaps your IT Person decided connecting the high side network to the low side was a good idea. Mayb...
    William Hart
    last modified by William Hart
  • Domain Fronting Malware

    Customers frequently ask me about malware that uses domain fronting and how to detect it. Simply put, domain fronting is when malware or an application pretends to be going to one domain but instead is going somewhere...
    Rui Ataide
    last modified by Rui Ataide
  • Why You Shouldn't Worry About Risk

    (Authored by Steve Schlarman, Portfolio Strategist, RSA) It was Mark’s big shot.  He finally had a meeting with Sharon, the CIO.  Her schedule was so busy it was legendary and for her to spend time wit...
    Denise Sposato
    last modified by Denise Sposato
  • HTTP Error code 522

    Interesting blog post from ISC SANS Handlers blog about HTTP error code 522 (Connection timed out): https://isc.sans.edu/diary/522%2BError%2BCode%2Bfor%2Bthe%2BWin/21377 Which got me thinking, could RSA...
    Eric Partington
    last modified by Eric Partington
  • Introduction to MITRE’s ATT&CK™ and Mapping to ESA Rules

    Introduction to MITRE’s ATT&CK™ Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for enterprise is a framework which describes the adversarial actions or tactics from I...
    Prakhar Pandey
    last modified by Prakhar Pandey