  • Creating a Dashboard in RSA

    Hi, we use RSA NetWitness 11.3 version and we have a requirement to create a dashboard to display the status of existing incidents created by our SOC Staff. Is this possible? If yes, please guide how to create the das...
    Prasanna Madhushanka
    last modified by Prasanna Madhushanka
  • Alert Creating

    How could I create an alert for an attempt to access ports 389 and 636 by someone using the anonymous user?   How could I alert an attempt to access ports 389 and 636 where someone would ...
  • Enabling Remote Management of the RSA NetWitness Platform

    With the increase in demand for working remotely and limitations around travel it’s never been more important to have secure, reliable, remote access to your RSA NetWitness Platform.  For our customers who ...
    Tim Tsang
    created by Tim Tsang
  • Detailed example: how to extract pcap for any query and extract meta values for any sessions using REST SDK API

    During Forensic investigation using RSA/NetWitness system, one often needs to save raw packet data and meta values from particular interested sessions into pcap or xml/JSON files before the captured data is rolled out ...
    RSA Admin
    last modified by RSA Admin
  • Session Length , Attachment Size

    Hello Everyone,   I am looking for below queries on packet data. Can anyone help me please 1. Longest sessions  2. Top attachment sizes   Thank You.   Regards, Amjad.
    Amjad khan
    created by Amjad khan
  • Recommendation of Packet Hybrid Server

    Some time ago it was recommended to maintain separate packet concentrator and packet decoder virtual machines. I'm curious if that advice is still valid or if moving to a Packet Hybrid is now the recommendation deplo...
    Jeremy Kerwin
    created by Jeremy Kerwin
  • 503 Error with message 'No record found for selection of trigger' in 11.4.1.0

    I just had an interesting upgrade experience. On our test environment I did an upgrade from NetWitness 11.4.0.1 to 11.4.1.0 and got stuck with the UI not coming up. After some investigation the culprit showed in /var/...
    Richard van den Berg
    last modified by Richard van den Berg
  • NetWitness 11 virtual demo environment with limited resources

    Hello, I'm looking for a way to install NetWitness 11  demo system on vmware with limited resources, so I would be grateful for any suggestions how to do it properly. Is it possible to lower amount of ...
    Marcin Filipiak
    last modified by Marcin Filipiak
  • VLC Shovel Fail

    I deployed a new Log Decoder and added it to one of our VLC's but shovel is failing. The second LD added successfully. However, trying to find out why this particular LD shovel is failing. I cannot find a KB related t...
    Dwayne Fryer
    last modified by Dwayne Fryer
  • Retaining Archiver post Decommissioning

    Quick question – if I need to decommission the entire RSA NetWitness platform / servers, but still need access to Archiver logs for a certain duration, what all components will I have to keep alive?  ...
    Visham Rawat
    created by Visham Rawat
  • Raw logs and Meta from Archiver to Splunk

    We've got a requirement to move all our raw logs and meta stored on the Archiver to the Splunk platform.   Now, I see there's a document on the Community that speaks of RSA NetWitness and Splunk. I’ve g...
    Visham Rawat
    last modified by Visham Rawat
  • Custom idle period for specific user

    I'm facing this problem on RSA NetWitness: I've to give a custom idle period to a specific user. I cannot find a way to set the idle individually. The only way according to the rsa_nw_11.3_sys_security_user_mgmt_gui...
    Simone Pizzini
    last modified by Simone Pizzini
  • Log Parser tool on Linux

    Currently the Log Parser Tool is built for Windows and Mac.     Using Wine 4.x you can install and run the Log Parser tool on Linux (Mint and Ubuntu)   To install and run the LPT on linux you nee...
    Dave Glover
    last modified by Dave Glover
  • lost endpoint event alert details after 11.4 upgrade

    Internal Use - Confidential   Hi folks,   Looking for some guidance troubleshooting an issue that cropped up in a training NW Endpoint environment after upgrading from 11.3.0.0 to 11.4.   Looking at ...
    Eric Crawford
    created by Eric Crawford
  • File collection method to be used instead of Syslog collection method

    Task to accomplish: - Fortinet logs to be sent to log collector through file collection method (currently supported method is syslog). Require it to get parsed properly with file collection method like it is parsing t...
    Harshad Tuwar
    last modified by Harshad Tuwar
  • RSA Netwitness Logs and Network Product Information

    Hi,   Thank you for your question.   The NetWitness Logs and Packets is a previous product name we used for our platform, the databases and back-up features depend on the product version. What version/rele...
    Don Croad
    created by Don Croad
  • Unable to deploy ESA rule

    I get the following error while deploying the rule. I've checked the syntax and it says rule is valid.   ESA was unable to deploy one or more rules, and these rules were disabled. Common issues include: missing me...
    Visham Rawat
    last modified by Visham Rawat
  • Difference between bytes, rbytes and bytes.src metakey

    I see bytes.src metakey is said to capture Bytes Sent. rbytes metakey is said to capture Bytes Received, and yet it is always empty. I do also see bytes metakey, the value of which is always greater than b...
    Visham Rawat
    last modified by Visham Rawat
  • BULK CLOSE

    Hi Team,   Recently did the version upgrade of the RSA to 11.3.2.0, Would like to know whether we have the option to add the notes to all the incidents selected while bulk closing them together. Is there any opt...
    support soc
    last modified by support soc
  • Upgrading "New" v10.6.6 Log Gear to v11.2.0

    RSA, We just deployed some new log gear and I need assistance with getting this gear upgraded to v11.2.0. I have attempted to upgrade the devices with our v11.2.0 ISO and build stick but the issue comes into place wh...
    Dwayne Fryer
    last modified by Dwayne Fryer