  • RSA Unknown Value

    Hi, What is the meaning of - in front of the values? Please help. Thanks!
    Prasanna Madhushanka
    last modified by Prasanna Madhushanka
  • How to add LogDecoder Space and update Database

    I am using Netwitness 10.6.   During the install it says I will have to update disk space.   I have added a disk to the Virtual host for my LogDecoder.   Where does LogDecoder store log files?...
    James Williams
    last modified by James Williams
  • SIGRed - 17 Year old DNS Vulnerability

    I'm sure many have heard about the recent DNS vulnerability titled SIGRed. This one looks pretty bad. https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-...
    Jeremy Kerwin
    last modified by Jeremy Kerwin
  • NW Respond integration with TheHive

    I use TheHive - https://thehive-project.org/ - as our Incident Case management tool of choice. I've started the investigation process of integrating NetWitness and TheHive together for alerts and recording...
    Jeremy Kerwin
    last modified by Jeremy Kerwin
  • Endpoint agents log collection to a VLC

    We have a number of endpoints that exist in DMZ environments that are serviced by a VLC for log collection from syslog devices. The hosts in the DMZ can only talk to the VLC and cannot talk back to any other NetWitne...
    Jeremy Kerwin
    last modified by Jeremy Kerwin
  • Sizing VM Azure

    I have a VM deployment scenario for logs and packets in Azure. I'm not able to design a scenario well to reflect on the correct implementation of this machine in Azure. If anyone can help me get an idea, I'd appr...
  • NetWitness Endpoint agent on CentOS 6

    Hi Team,   A quick heads up for those installing NetWitness Endpoint agent on CentOS 6. If you are using prelink process within the host, you might need to disable it to improve stability of the endpoint agent a...
    Tim Tsang
    created by Tim Tsang
  • Helpful "How To" Videos

    I have created a few "how to videos" that I hope you find helpful.  They are posted to YouTube and I have included the links below.   They are as follows:   Demo of the new ESI tool -->https://yout...
    Dave Glover
    last modified by Dave Glover
  • Unknown device type

    All, New user question. I am using nxlog to send Windows event logs to NetWitness. I see that the data is being sent. I am not sure about the difference between the local collector and the decode...
    James Williams
    last modified by James Williams
  • Troubleshooting UEBA Event Collection

    After setting up UEBA you need to make sure you are collecting the following Event IDs from Hosts as well as Network Events   Active Directory Model -> device.class = 'windows hosts' && referenc...
    Dave Glover
    last modified by Dave Glover
  • How to send on-prem Active Directory Audit Logs to Netwitness

    Hi Sir/Madam,   I want to integrate Active Directory with Netwitness. I know I can add AD in context hub service. But what I want is sending AD Audit logs to Log decoder. I can't find such a thing in Internet. C...
    Kyi Thin
    last modified by Kyi Thin
  • Incidents "GroupBy" clause

    Hello all,   We're currently using version 11.1 of RSA NW and in the Incidents rule we have a new aggregation value that's handy: "Destination User Account".   In the past, we've been having problems creat...
    Pedro Queiros
    last modified by Pedro Queiros
  • Creating a Dashboard in RSA

    Hi, We use RSA NetWitness version 11.3 and we have a requirement to create a dashboard to display the status of existing incidents created by our SOC Staff. Is this possible? If yes, please guide how to create the das...
    Prasanna Madhushanka
    last modified by Prasanna Madhushanka
  • Alert Creating

    How could I create an alert for an attempt to access ports 389 and 636 by someone using the anonymous user?   How could I alert an attempt to access ports 389 and 636 where someone would ...
  • Enabling Remote Management of the RSA NetWitness Platform

    With the increase in demand for working remotely and limitations around travel it’s never been more important to have secure, reliable, remote access to your RSA NetWitness Platform.  For our customers who ...
    Tim Tsang
    created by Tim Tsang
  • Detailed example: how to extract pcap for any query and extract meta values for any sessions using REST SDK API

    During Forensic investigation using RSA/NetWitness system, one often needs to save raw packet data and meta values from particular interested sessions into pcap or xml/JSON files before the captured data is rolled out ...
    RSA Admin
    last modified by RSA Admin
  • Session Length, Attachment Size

    Hello Everyone, I am looking for the below queries on packet data. Can anyone help me, please? 1. Longest sessions 2. Top attachment sizes   Thank You.   Regards, Amjad.
    Amjad khan
    created by Amjad khan
  • Recommendation of Packet Hybrid Server

    Some time ago it was recommended to maintain separate packet concentrator and packet decoder virtual machines. I'm curious if that advice is still valid or if moving to a Packet Hybrid is now the recommendation deplo...
    Jeremy Kerwin
    created by Jeremy Kerwin
  • 503 Error with message 'No record found for selection of trigger' in 11.4.1.0

    I just had an interesting upgrade experience. On our test environment I did an upgrade from NetWitness 11.4.0.1 to 11.4.1.0 and got stuck with the UI not coming up. After some investigation the culprit showed in /var/...
    Richard van den Berg
    last modified by Richard van den Berg
  • NetWitness 11 virtual demo environment with limited resources

    Hello, I'm looking for a way to install a NetWitness 11 demo system on VMware with limited resources, so I would be grateful for any suggestions how to do it properly. Is it possible to lower amount of ...
    Marcin Filipiak
    last modified by Marcin Filipiak