• How To Contribute Your Parsers to the RSA NetWitness GitHub

    Here are the steps you'll need to follow to initiate a fork of the RSA NetWitness Log Parsers Repository. Create a GitHub account for free at https://www.GitHub.com. Locate the RSA NetWitness project https://gi...
    Eric Partington
    last modified by Eric Partington
  • Threat Detection Content Update - June 2020

    Summary: Several changes have been made to the Threat Detection Content in Live. For added detection you need to deploy/download and subscribe to the content via Live, for retired content you'll need to manually remov...
    Rajas Save
    last modified by Rajas Save
  • RSA NetWitness Query Syntax Compared to Wireshark Display Filters

    Wireshark has been around for a long time and the display filters that exist are good reference points to learn about network (packet) traffic as well as how to navigate around various parts of sessions or streams. ...
    Eric Partington
    last modified by Eric Partington
  • Profiling Attackers Series

    I have recently been posting a number of blogs regarding the usage of the RSA NetWitness Platform to detect attackers within your environment. As the list of blogs grows, it is becoming increasingly difficult to nav...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • Using RSA NetWitness to Detect Void-RAT

    Carrying on with the theme of Remote Access Tools (RATs), in this blog post we will be covering Void-RAT. This tool is still in development and currently at alpha release, so it doesn't come with as many features as oth...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • Creating Custom Match Condition and Group By Fields for Respond in 11.x

    I've seen and heard a fair bit of discussion recently about whether it's possible to create custom matchCondition and groupBy fields within the new 11.x Respond Server.  "We have the capability within 10.x," the ...
    Josh Randall
    last modified by Josh Randall
  • Tips to Build [Small] RSA NetWitness Platform Virtual Hosts

    Overview To ISO or Not to ISO VM Host Sizing Raw Event Data Storage Install Services Validate Folder Sizes - RSA NetWitness Platform Databases Validate Thresholds - MongoDB Minimu...
    Sean Griesheimer
    last modified by Sean Griesheimer
  • Auto-updating Context Hub Lists from ESA Alerts

    The RSA NetWitness Platform has multiple new enhancements as to how it handles Lists and Feeds in v11.x.  One of the enhancements introduced in the v11.1 release was the ability to use Context Hub Lists as Blackl...
    Josh Randall
    last modified by Josh Randall
  • Building the Notifications of Your Dreams in the RSA NetWitness Platform

    Overview Sending a notification based on a critical or time-sensitive event seen in your environment is table stakes functionality for any detection platform. Alerting someone in a timely manner is important, but bui...
    Sean Griesheimer
    last modified by Sean Griesheimer
  • iDRAC Firmware Upgrade and Feature Overview

    This month we did a live demonstration of upgrading the firmware on an iDRAC of version 8 and version 9. Sadly I wasn't able to make videos for this one, but here are Dell's official walkthrough videos: (Please keep i...
  • Threat Detection Content Update - May 2020

    Summary: Several changes have been made to the Threat Detection Content in Live. For added detection you need to deploy/download and subscribe to the content via Live. For retired content, you must manually remove thos...
    Rajas Save
    last modified by Rajas Save
  • Using RSA NetWitness to Detect QuasarRAT

    Delving back into the C2 Matrix to look for some more inspiration for blog posts, we noticed there are a number of Remote Administration Tools (RATs) listed. So we decided to start taking a look at these RATs and...
    Lee Kirkpatrick
    created by Lee Kirkpatrick
  • ASD & NSA's Guide to Detect and Prevent Web Shell Malware – Endpoint Visibility

    To round out our series explaining how to use the indicators from ASD & NSA's report for detecting web shells (Detect and prevent web shell malware | Cyber.gov.au ) with NetWitness, let's take a look at the e...
    Chris Thomas
    last modified by Chris Thomas
  • Examining Threat Aware Authentication in v11.3

    One of the features included in the RSA NetWitness 11.3 release is something called Threat Aware Authentication (Respond Config: Configure Threat Aware Authentication).  This feature is a direct integration betwe...
    Josh Randall
    last modified by Josh Randall
  • Running RSA NetWitness in Google Cloud

    As cloud deployments continue to gain popularity you may find the need for running the RSA NetWitness Platform in Google Cloud. The RSA NetWitness Platform is already available for AWS and Azure; however, it is not ...
    Michael Gotham
    last modified by Michael Gotham
  • Postman for NetWitness

    If you've ever done any work testing against an API (or even just for fun), then you've likely come across a number of tools that aim to make this work (or fun) easier.   Postman is one of these tools, and ...
    Josh Randall
    last modified by Josh Randall
  • Detecting C2 in RSA NetWitness: BeEF + Octopus

    Intro: Octopus was presented at Black Hat London 2019 by Askar. The GitHub page is available here. It is a pre-operation C2 for Red Teamers, based on HTTP/S and written in Python. This blog post will show th...
    Marco Meli
    last modified by Marco Meli
  • Using RSA NetWitness to Detect Chaos C2

    We are back again with another C2 framework called Chaos: https://github.com/tiagorlampert/CHAOS. CHAOS is a PoC written in Go and comes with a healthy number of features for controlling the remote endpoints. It...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • Microsoft 365, MS Threat Intelligence, Azure and Qualys Dashboards for RSA NetWitness Evolved SIEM

    Interested in having a central single-pane-of-glass view across your cloud, on-prem and virtual infrastructure? Well, then without a shadow of a doubt the use of the RSA NetWitness real-time dashboards and charts will co...
    Islam Rashad
    last modified by Islam Rashad
  • Custom Flat File Log Collection with NW-Endpoint 11.4

    22APR2020 - UPDATE: Naushad Kasu has posted a video blog of this process and I have posted the template.xml and NweAgentPolicyDetails_x64.exe files from his blog here.   08APR2020 - UPDATE: adding ...
    Josh Randall
    last modified by Josh Randall