  • Inquiry about NWe licenses

    I have a customer who bought NetWitness for Logs as a solution. In the last days, we were with them and they asked us about the integration of a very hardened Windows environment. I told them to let me think about it for ...
    Maximiliano Cittadini
    last modified by Maximiliano Cittadini
  • ESA Rule - event A not preceded by event B

    Hi, I have a case where I want to create an alert for a specific event only if another event did not precede that specific event. To give more context: if an email gateway 'reputation' event happened for an ...
    Tamas Szilagyi
    last modified by Tamas Szilagyi
  • RSA Charge 2020 Conference: October 5-8, Orlando FL

    RSA Charge 2020, October 5-8, the largest gathering of security and risk professionals, is now open for Early Bird registration by visiting the RSA Charge 2020 website. The website should be your 'go-to' for all RSA C...
    Denise Sposato
    created by Denise Sposato
  • SNMP with Netwitness Appliances - SNMPv1,2 and 3 – Put it all together 11.x

    Updated for snmpv3: 01/14/2020 Scenario – You or your customer would like to link SNMP to the Netwitness for system monitoring purposes (Solarwinds, Nagios, etc.).   Why SNMP? SNMP is an “agentless...
    Thomas Jones
    last modified by Thomas Jones
  • Using the RSA NetWitness Platform to Detect Lateral Movement: SCShell (DCE/RPC)

    A couple of months ago, Mr-Un1k0d3r released a lateral movement tool that solely relies on DCE/RPC (https://github.com/Mr-Un1k0d3r/SCShell). This tool does not create a service and drop a file like PsExec or simi...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • RSA NetWitness Meta Dictionary Tool

    The RSA NetWitness Meta Dictionary is a tool developed for describing metadata used in RSA NetWitness Log Parsers.  The RSA NetWitness Log Decoder supports over 300+ unique log event sources.  Each log event...
    Chaitra Kulkarni
    last modified by Chaitra Kulkarni
  • Failed to install services on NetWitness server

    Hi all, I'm new to NW and I have a couple of basic questions. I'm trying to deploy NW on AWS, so for now I succeeded in installing and logging in to the NW platform using the Lite Version. Q: How can I get the full v...
    Yotam Ben Ezra
    last modified by Yotam Ben Ezra
  • Using the RSA NetWitness Platform to Detect C&C: goDoH

    DNS over HTTPS (DoH) was introduced to increase privacy and help prevent against the manipulation of DNS data by utilising HTTPS to encrypt it. Mozilla and Google have been testing versions of DoH since June 2018, and...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • How do you set up reporting to monitor for local user in the SAadministrator group?

    I would like to see how I can create a report to monitor user's activity while using netwitness. I specifically want to monitor users in the SAadministrator group. Users are authenticating using PAM and the user's rol...
    Eric Schwartz
    last modified by Eric Schwartz
  • How Can I use LDAP to authenticate my users to ssh access on NW Appliances?

    How can I use LDAP to authenticate my users for SSH access on NW Appliances? I have an "AD" group used to access all tools by SSH. I use this approach for all security solutions here, but for RSA I am using a loca...
  • Where can I find information about importing IP watchlists into NW

    I have a list of IOC IPs and want to stand up a rule and alert.  Does anyone know where I can find information on this process?  I'm a VERY green n00b who starts training next month.   Thanks
    Paul Bagnell
    last modified by Paul Bagnell
  • Import / Export Data

    I'm trying to reduce an XFS partition. Unfortunately, when I try to create a packet of the metadb/packetdb/index, etc., xfsdump is not installed. Is there any way that I can create a backup and then export da...
    Renato Goncalves
    last modified by Renato Goncalves
  • Detecting Gh0st RAT in the RSA NetWitness Platform

    In order to defend their network effectively, analysts need to understand the threat landscape, and more specifically how individual threats present themselves in their tools. With that in mind, I started researching ...
    John Simmons
    last modified by John Simmons
  • ESA rule broken at 11.3

    We recently upgraded from NetWitness 10.6.6 to 11.3. Several rules got disabled during the upgrade and they no longer work. I suppose it is mainly because directory meta changed type from string to string[], so that i...
    Bohdan Rylko
    last modified by Bohdan Rylko
  • How do I generate reports of historical throughput statistics?

    I need to gather data about the utilization of our Netwitness 11.  Has anybody created reports that provide numbers of sessions, logs, packets, bandwidth, etc. captured by the decoders?   /D
    Dion Stempfley
    last modified by Dion Stempfley
  • Parsing Suricata JSON logs with NW

    To successfully parse Suricata JSON logs via syslog collector we need to use LUA parser in NetWitness Log Decoder. Suricata LUA parser in this example is mapping only specific fields from JSON logs to metakeys. In ca...
    Miha Mesojedec
    last modified by Miha Mesojedec
  • Configuration VM Log Hybrid in Azure

    I need to prepare a VM on Azure and I am unsure what settings for this environment. Does anyone have any suggestions? It will be a VM Log Hybrid, 1000 EPS, with maximum storage of 3 days of information.
    Andre Santos
    created by Andre Santos
  • Filter on Packet Decoder

    Hello all, could you help? We need to set up filtering on a packet decoder. In Decoder Configuration, on the Adapter, we set a Berkeley Packet Filter, but we don't see a decrease in incoming traffic. Could you help -...
    Denis Shinkarenko
    last modified by Denis Shinkarenko
  • ESM Syslog Template & Parsing

    Hi All, we have recently moved to v11.3.1.1 on NetWitness and I am trying to use the default Event Source Monitoring to send syslog to one of our decoders when a device is inactive for a certain period of time...
    Shishir Kumar
    last modified by Shishir Kumar