Here is my situation. I have a feed from a commercial threat intel provider that matches IPs and domains to threat actors. I'm in the Investigate module, investigating an alert on a dst.ip address that is alerting to...

Dears; if the main RSA SA appliance fails for any reason, and we need to rediscover and install the RSA services (loghybrid and log packet, ESA, etc.) on another RSA SA VM appliance which is ready and runn...

I am creating an EPL rule where I want to take 2 types of events: one type has user.src and the second type has a different identification of the user in custom meta, for which I add user.src using a custom feed, but it can h...

Hi Friends, I am getting an error when I try to deploy the Esper rule below in ESA: "unknown method Collection.toLowerCase()". Can anyone help? This happened after the upgrade from 11.x to 11.3.1....

The NetWitness Platform IDD team just added a new video for installing and configuring a Relay Server (How to Install and Configure an Endpoint Relay Server). See the NetWitness Platform Documentation page under Video...

To successfully parse Suricata JSON logs via the syslog collector we need to use a Lua parser in the NetWitness Log Decoder. The Suricata Lua parser in this example maps only specific fields from the JSON logs to meta keys. In ca...

I want to deploy a rule for the Mirai botnet. Event Device Type is Customdns, Event.threat_Category is Malware and Event.threat_subtype is Mirai; aggregation is 2500 events in 1 minute, but I am still getting many alerts. Wh...

It's official: digital transformation is having a palpable impact on companies' risk profiles, according to the results of our landmark RSA® Digital Risk Report, the first definitive survey of organiz...

Which ports do I need to open for collecting logs from Windows servers? As far as I know it's 5985 or 5986, bi-directional, between the Windows event source and the RSA SA log collector. Do I also need to open port 80 or 44...

How can we include a meta key for storage on the Archiver? I see that device.host is not included. I am unable to generate historical reports on this meta key. Also, when we query the Archiver for session size (in by...

RSA, can someone please guide me to a document that has the CPU requirements for the new log gear we are actively trying to deploy? I was hoping to find a document similar to the Virtual guide for requirements. T...

I would like to decrypt SSL packets from a website server powered by Apache. I set the supported protocol to TLSv1.2 and the supported cipher to TLS_RSA_WITH_AES_256_CBC_SHA256, but when I try to upload the key I receive the errors below, ...

I am using RSA SA 10.6.5.2. There are many scheduled reports which result in empty output/results. The output action is set as SMTP email. I would like to receive the email of the report(s) only if the report is NOT empty....

We cannot figure this out, as the Esper command 'output every n' does not work for what we are looking for. Not sure if we are going to need to create a persistent table that keeps rewriting itself. ...

Date Range: Sunday, August 4th to Saturday, August 10th. Article Title / Author / Last Published Date: 000035681 - Decoder Capture Rate Zero on Health & Wellness due to parser stuck in RSA NetWitness Platform Wonc...

Date Range: Sunday, August 4th to Saturday, August 10th. Article Title / Author / Last Published Date: 000037760 - ConsoleServer Service will not start after system has been recovered from Backup in RSA NetWitness End...

Scenario: You need to remotely back up your NetWitness hosts to a central location, to satisfy disaster recovery requirements, perform a tech refresh, or be prepared for RMA replacement of a device. Solution – ...

Can we have multiple Concentrators aggregating from 1 Decoder? I hope this doesn't result in duplication of events? If we have, let's say, 2 Concentrators aggregating from a Decoder actively, only those events which haven...

How can I write a rule with reference ID 4741 FOLLOWED BY reference ID 5139?