Parsing Suricata JSON logs with NW To successfully parse Suricata JSON logs via syslog collector we need to use LUA parser in NetWitness Log Decoder. Suricata LUA parser in this example is mapping only specific fields from JSON logs to metakeys. In ca... 
Recently Published Knowledge Base Articles for RSA NetWitness® Logs & Network Date Range: Sunday, August 4th-- Saturday, August 10th Article Title Author Last Published Date 000035681 - Decoder Capture Rate Zero on Health & Wellness due to parser stuck in RSA NetWitness Platform Wonc... 
Recently Published Knowledge Base Articles for RSA NetWitness® Endpoint Date Range: Sunday, August 4th-- Saturday, August 10th Article Title Author Last Published Date 000037760 - ConsoleServer Service will not start after system has been recovered from Backup in RSA NetWitness End... Centralized Backup & Restore of NetWitness Version 11.2+ (A Wrapper Script for NRT) Scenario You need to remotely backup your NetWitness hosts to a central location, to satisfy Disaster Recovery Requirements, perform a Tech Refresh, or to be prepared for RMA replacement of a device. Solution – ... 
Refresh ESA Meta Key Schema Some customers have seen issues with their Meta Key References (meta key schema) after an upgrade of the ESA service. In the following screenshot, we see a clean version of the meta key schema -- however, in your envi... 
Consolidating your backups and maximizing NRT (NetWitness Recovery Tool) Changes are inevitable and no one knows when a restore is going to be needed. Today backup and restore processes are standard, required, and are part of nearly all basic deployment strategies. W... 
Creating and using an external repo in 11.x Scenario - Due to a slow or unstable WAN link between host(s) and the NW Admin Server (node-zero) host, installs and/or upgrades are failing to complete successfully. Solution – External Repo Create an extern... SNMP with Netwitness Appliances – Put it all together 11.x Scenario – You or your customer would like to link SNMP to the Netwitness for system monitoring purposes (Solarwinds, Nagios, etc.). Why SNMP? SNMP is an “agentless” method of monitoring netw... RSA NetWitness® Platform Versions Click on a link below to visit the page for each product version. RSA NetWitness® Logs & Network | RSA NetWitness® Investigator | RSA NetWitness® Endpoint | RSA NetWitness® Orche... RSA NetWitness Working Groups RSA NetWitness Working Groups RSA NetWitness Working Groups provide a mechanism for collaboration by the product team with our customers. Working Groups are formed to address specific areas of the RS... 
NetWitness Services List Hey NetWitness Users, I recently received a pretty comprehensive listing of the various service names and locations of the NetWitness services! I wanted to ensure I got this info out to the ... 
Recently Published Knowledge Base Articles for RSA NetWitness® Orchestrator Date Range: Sunday, January 20th -- Saturday, January 26th Article Title Author Last Published Date 000036240 - Why do I get an "Unauthorized" message when attempting to access the RSA NetWitnes... Threat Detection Content Update - October 2018 Summary: Several changes have been made to the Threat Detection Content in Live. For added detection you need to deploy/download and subscribe to the content via Live, for retired content you'll need to manually remov... 
How to use non-root user to run root privilege commands in Netwitness server putty This document helps to allow non-root user to run root privilege commands without root password. 1. Login to Netwitness server putty as root user. 2. Create new user account using command useradd testin... 
LogRhythm - RSA NetWitness Suite Integration Guide The 'NetWitness-LogRhythm' integration guide contains references on how to enable basic right-click functionality to pivot from LogRhythm to Netwitness via the Critical Start Plugin, how to forward Audit Logs, &a... 
Interpreting Regex for IP range This document outlines the procedure to interpret the regex used for IP range in EPL syntax. {1,3} represents 3 digit number [0-9] represents range number starting from 0 to 9 [0-9]{1,3} represen... RSA University On-Demand Subscriptions for the RSA NetWitness Platform Start your learning journey to Business-Driven Security with RSA University’s new On-Demand Subscription. This offering provides learners a flexible way to access the training they need when they need ... 
Notepad++ Syntax Highlighting This might help some of you that write application rules in NWR format using Notepad++ to colorize some syntax elements of nwr files GitHub - epartington/rsa_nw_nwr_notepadpp: NetWitness Apprule syntax highlig... 
Proxy configuration validation for Netwitness Suppose, the proxy details configured using SA Cfg: HTTP Proxy Settings Panel document. However, the Proxy test connection fails as CMS server was not reachable. Then, Please run below command in SA ...
