  • Using RSA NetWitness to Detect C&C: WEASEL

    I was doing some hunting through our lab traffic today and came across some strange-looking traffic; it turned out to be Rui Ataide playing around with a new DNS C2. It is named WEASEL and can be found ...
    Lee Kirkpatrick
    created by Lee Kirkpatrick
  • Health & Wellness uses an old IP for connecting to a device - How to Resolve

    Health and Wellness leverages RabbitMQ to collect the actual status of any component of the RSA NetWitness platform. After changing the IP of a component, Health and Wellness keeps communicating...
    Xavier Trepanier-Taupier
    last modified by Xavier Trepanier-Taupier
  • Amazon Detective and RSA NetWitness Platform Integration

    Amazon Detective is an Amazon Web Services (AWS) threat hunting platform (pre-release at the time of this writing) that offers a deep, cloud-native view of AWS resource data and history, optionally in the context of a...
    Mitch Hanks
    last modified by Mitch Hanks
  • Using RSA NetWitness to Detect Command and Control: PoshC2 v5.0

    Command and Control platforms are constantly evolving. In one of my previous blog posts, I detailed how to detect PoshC2 v3.8: "Using RSA NetWitness to Detect Command and Control: PoshC2". Since then, Net...
    Lee Kirkpatrick
    created by Lee Kirkpatrick
  • Detecting a MuddyWater APT using the RSA NetWitness Platform

    MuddyWater: MuddyWater is a state-sponsored threat group suspected to be linked to Iran. It has mainly been targeting organizations in the Telecommunications, Government and Oil sectors across the Middle East region. ...
    Halim Abouzeid
    last modified by Halim Abouzeid
  • RSA NetWitness Packet Meta in ELK

    In line with some of my other integrations, I recently decided to also create a proof-of-concept solution on how to integrate RSA NetWitness meta data into an ELK stack. Given that I already had a couple of Py...
    Rui Ataide
    last modified by Rui Ataide
  • Detecting Command and Control in RSA NetWitness: Cobalt Strike

    Introduction: Cobalt Strike is a threat emulation tool used by red teams and advanced persistent threats for gaining and maintaining a foothold on networks. This blog post will cover the detection of Cobalt Strik...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • Detection of an APT33 Attack using RSA NetWitness

    APT33 is a state-sponsored group suspected to be linked to Iran. It has been active since 2013 and has targeted organizations in the aviation and energy sectors mainly across the United States and the Middle East regi...
    Halim Abouzeid
    last modified by Halim Abouzeid
  • Threat Intel Integration with MISP and Minemeld

    RSA NetWitness has a number of integrations with threat intel data providers but two that I have come across recently were not listed (MISP and Minemeld) so I figured that it would be a good challenge to see if they c...
    Eric Partington
    created by Eric Partington
  • Easy-add Recurring Feeds

    In the past, I've seen a number of people ask how to enable a recurring feed from a hosting server that is using SSL/TLS, particularly when attempting to add a recurring feed hosted on the NetWitness Node0 server...
    Josh Randall
    last modified by Josh Randall
  • Contextualizing JA3 Fingerprints

    A couple of years ago, a few smart folks over at Salesforce came up with the idea of fingerprinting certain characteristics of the "Client Hello" of the SSL/TLS handshake, with the goal to more accurately identify the cl...
    Josh Randall
    last modified by Josh Randall
  • RSA Threat Content mapping with MITRE ATT&CK™

    Introduction to MITRE ATT&CK™: Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for enterprise is a framework which describes the adversarial actions or tactics from Initial Access (E...
    Prakhar Pandey
    last modified by Prakhar Pandey
  • Introducing the new Engineering Requests dashboard in the RSA Case Management portal

    One of the biggest commitments we at RSA make to our customers is to provide best-in-class security products that help manage digital risk. Our goal is to do so with maximum reliability while also requiring mini...
    Anya Kricsfeld
    last modified by Anya Kricsfeld
  • A new RSA NetWitness® Platform 11.3 documentation page is live!

    Today RSA Link implemented a new way of presenting documentation to help RSA NetWitness® Platform customers find the information they need quickly and easily. RSA NetWitness Platform 11.3 presents the documentati...
    Susan Ewald
    last modified by Susan Ewald
  • Running RSA NetWitness in Google Cloud

    As cloud deployments continue to gain popularity, you may find the need for running the RSA NetWitness Platform in Google Cloud. The RSA NetWitness Platform is already available for AWS and Azure; however, it is not ...
    Michael Gotham
    last modified by Michael Gotham
  • RSA NetWitness Endpoint Application Rules Mapping with MITRE’s ATT&CK™

    Introduction to MITRE’s ATT&CK™: Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for enterprise is a framework which describes the adversarial actions or tactics from Initial A...
    Prakhar Pandey
    last modified by Prakhar Pandey
  • Tips to Build [Small] RSA NetWitness Platform Virtual Hosts

    Overview; To ISO or Not to ISO; VM Host Sizing; Raw Event Data Storage; Install Services; Validate Folder Sizes - RSA NetWitness Platform Databases; Validate Thresholds - MongoDB Minimu...
    Sean Griesheimer
    last modified by Sean Griesheimer
  • DGA Detection

    In one of my previous posts (Shannon. Have you seen my Entropy?) I touched on using a custom Java entropy calculator within the ESA to calculate the entropy values for domains to assist with detecting Domain Generatio...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • Porting 10.x Notification Templates to 11.x

    One of the changes introduced in 11.x (11.0, specifically) was the removal of the macros.ftl reference in notification templates. These templates enable customized notifications (primarily syslog and email)...
    Josh Randall
    last modified by Josh Randall
  • Detecting DNS Tunnel Activity in RSA NetWitness

    Introduction: There are many, many ways to exfiltrate data from a network, but one common way to do it is DNS exfiltration. With these specific techniques, the attackers use the already open port for DNS traff...
    Massimiliano Faudarole
    last modified by Massimiliano Faudarole