• Excel import to RSA Netwitness and compare it with the traffic

    Hi, may i know how can we import the ioc in excel sheet into RSA Netwitness, and compare the excel sheet with the current traffic in the RSA Netwitness to check whether the folllowing ioc in excel sheet is being ...
    Xue YQ
    last modified by Xue YQ
  • RSA SA 10.6.6 Backup - Error backing /etc directory

    Upgrade from RSA SA 10.6.6 to NetWitness 11.3. I've run the backup script, and am getting the following error for 4 of my 18 machines, others are fine.   2019-09-10 18:32:47 +0100 | 29554 | Backing up ETC(/etc) ...
    Visham Rawat
    last modified by Visham Rawat
  • Netwitness Investigator 10.6 debug mode

    In previous versions of Netwitness Investigator 9.x, there was a debug mode made available for load times. After configuring for debug mode it is possible to find the load times of each meta value and the total l...
    James Stone
    last modified by James Stone
  • Drop behind sessions on Concentrator

    Is there no way to drop the behind sessions from being processed on the Concentrator? For instance, we can delete the rdq files from the Log Decoder. Is there no similar way on the Concentrator?
    Visham Rawat
    last modified by Visham Rawat
  • Concentrator - Aggregation Settings

    What exactly is Aggregate Hours?   The description says - "the hours back to begin aggregation, the milliseconds between rounds of aggregation, and maximum number of sessions per aggregation round."   W...
    Visham Rawat
    last modified by Visham Rawat
  • Trap OID for Netwitness Admin Server

    Dears,    Does anyone knows which trap OID we should use in legacy and global notification server settings for SNMP server.    I am getting snmp traps in my SNMP server which is IBM Tivoli also k...
    rajbir singh
    last modified by rajbir singh
  • RSA SA to NetWitness Migration - Downtime

    In upgrading from RSA SA 10.6.6 to NetWitness 11.3 - the downtime begins as soon as we run the backup script, right? We've got to stop the aggregation and processing of logs prior to executing backup. Also, the ...
    Visham Rawat
    created by Visham Rawat
  • External Backup Host for Upgrade to 11.3

    Is there an alternative to setting up an external CentOS backup host for the backup procedure prior to migration to 11.3?   I was informed that we can use the SA Head Unit as the backup host. Can this be done? ...
    Visham Rawat
    last modified by Visham Rawat
  • Upgrade RSA SA to NetWitness - Backup and Migration

    Just want to confirm a couple of points, and hopefully I have the right understanding!   The Backup process for upgrading RSA SA 10.6.6 to RSA NetWitness 11.3 basically captures all the configuration for all RS...
    Visham Rawat
    last modified by Visham Rawat
  • New video for installing and configuring an Endpoint Relay Server

    The NetWitness Platform IDD team just added a new video for installing and configuring a Relay Server (How to Install and Configure an Endpoint Relay Server). See the NetWitness Platform Documentation page under Video...
    RSA Product Team
    created by RSA Product Team
  • Ports for Windows server log collection

    Which ports do I need to open for collecting logs from windows servers? Far as I know it's 5985 or 5986, bi-directional, between the windows event source and rsa sa log collector. Do I also need to open port 80 or 44...
    Visham Rawat
    last modified by Visham Rawat
  • About Archivers

    How can we include a metakey for storage on the Archiver? I see the device.host is not included. Unable to generate historical reports on this metakey.   Also, when we query the Archiver for session size (in by...
    Visham Rawat
    last modified by Visham Rawat
  • 1 Decoder to Multiple Concentrators

    Can we have multiple Concentrators aggregating from 1 Decoder? I hope this doesn't result in duplication of events? If we have let's say 2 Concentrators aggregate from a Decoder actively, only those events which haven...
    Visham Rawat
    last modified by Visham Rawat
  • Sources and Destinations metas logic

    Hi If we look at winevent_nic parser and take 4732 event as example (User was added to group) than user who perfromed action is placed in user.dst meta and user which was added to group (new member) is placed to user....
    Nikolay Klender
    created by Nikolay Klender
  • Error

    Hi All,   Can anyone explain, how to add list while creating any rule? while creating a rule its showing the error as shown below in attached snapshot .
  • RSA Upgrade

    We have two RSA solution in DC and DR and we are planning to upgrade DC RSA first after one week we will go to DR RSA.  In this case DC RSA first then DC RSA( will communicate DR RSA (10....
    Ved Shar
    created by Ved Shar
  • Group Policy

    I need to create use case for group policy change in AD server. Please suggest on this.
    Ved Shar
    last modified by Ved Shar
  • Patch Auditing With RSA Endpoint

    Is there an easy way to check which Microsoft KB's are installed using the RSA Endpoint agents? I can see installed Windows Patches under System Information in Hosts for a specific device, but I can't seem to find a w...
    Michail Piskoun
    last modified by Michail Piskoun
  • Meta count (>100000 - X%)

    I want to know the exact (event logs) count for a particular metakey-value.   Now, as per my understanding for the 'Event Outcome' metakey, the (event logs) count for the 'failure' metavalue is 37,003 eve...
    Visham Rawat
    last modified by Visham Rawat
  • Edit a Parsed meta value and remove unwanted data

    I need to edit a parsed meta value and remove an unwanted data from the parsed data.can some one help me with this.   example:-   raw log value:- obj = getval "nijo.d@xxxx.com"    meta par...
    Nijo David
    last modified by Nijo David