Log in to follow, share, and participate in this community. I was doing some hunting through our lab traffic today and came across some strange looking traffic, it turned out to be Rui Ataide playing around with a new DNS C2. It is named WEASEL and can be found ... Health and Wellness leverages RabbitMQ to be able to collect the actual status of any components of the RSA Netwitness platform. After changing an IP on a component the Health and Wellness keep communicating... Amazon Detective is an Amazon Web Services (AWS) threat hunting platform (pre-release at the time of this writing) that offers a deep, cloud-native view of AWS resource data and history, optionally in the context of a... Command and Control platforms are constantly evolving. In one of my previous blog posts, I detailed how to detect PoshC2 v3.8: Using RSA NetWitness to Detect Command and Control: PoshC2 Since then, Net... MuddyWater MuddyWater is a state-sponsored threat group suspected to be linked to Iran. It has mainly been targeting organizations in the Telecommunications, Government and Oil sectors across the Middle East region. ... In line with some of my other integrations, I recently decided to also create a proof-of-concept solution on how to integrate RSA NetWitness meta data into an ELK stack. Given that I already had a couple of Py... Introduction Cobalt Strike is a threat emulation tool used by red teams and advanced persistent threats for gaining and maintaining a foothold on networks. This blog post will cover the detection of Cobalt Strik... APT33 is a state-sponsored group suspected to be linked to Iran. It has been active since 2013 and has targeted organizations in the aviation and energy sectors mainly across the United States and the Middle East regi... RSA NetWitness has a number of integrations with threat intel data providers but two that I have come across recently were not listed (MISP and Minemeld) so I figured that it would be a good challenge to see if they c... In the past, I've seen a number of people ask how to enable a recurring feed from a hosting server that is using SSL/TLS, particularly when attempting to add a recurring feed hosted on the NetWitness Node0 server... A couple years ago, a few smart folks over at salesforce came up with the idea of fingerprinting certain characteristics of the "Client Hello" of the SSL/TLS handshake, with the goal to more accurately identify the cl... Introduction to MITRE ATT&CK™ Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for enterprise is a framework which describes the adversarial actions or tactics from Initial Access (E... One of the biggest commitments we at RSA make to our customers is to provide best-in-class security products that help manage digital risk. Our goal is to do so with maximum reliability while also requiring mini... Today RSA Link implemented a new way of presenting documentation to help RSA NetWitness® Platform customers find the information they need quickly and easily. RSA NetWitness Platform 11.3 presents the documentati... As cloud deployments continue to gain popularity you may find the need for running the RSA NetWitness Platform in Google Cloud. The RSA NetWitness Platform is already available for AWS and Azure, however is not ... Introduction to MITRE’s ATT&CK™ Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for enterprise is a framework which describes the adversarial actions or tactics from Initial A... Overview
To ISO or Not to ISO
VM Host Sizing
Raw Event Data Storage
Validate Folder Sizes - RSA NetWitness Platform Databases
Validate Thresholds - MongoDB
Minimu... In one of my previous posts (Shannon. Have you seen my Entropy?) I touched on using a custom Java entropy calculator within the ESA to calculate the entropy values for domains to assist with detecting Domain Generatio... One of the changes introduced in 11.x (11.0, specifically) was the removal of the macros.ftl reference in notification templates. These templates enable customized notifications (primarily syslog and email)... IntroductionThere are many, many ways to exfiltrate data from a network, but one common way to do it is using DNS Exfiltration. With these specific techniques the attackers use the already open port for dns traff...