• Where can I find information about importing IP watchlists into NW

    I have a list of IOC IPs and want to stand up a rule and alert.  Does anyone know where I can find information on this process?  I'm a VERY green n00b who starts training next month.   Thanks
    Paul Bagnell
    last modified by Paul Bagnell
  • Import / Export Data

    Im trying to reduce a xfs partition.   Unfortunely when i try to create packet of the metadb/packetdb/index, etc the xfsdump is not installed.   Is there any way taht i can create backup and then export da...
    Renato Goncalves
    last modified by Renato Goncalves
  • Detecting Gh0st RAT in the RSA NetWitness Platform

    In order to defend their network effectively, analysts need to understand the threat landscape, and more specifically how individual threats present themselves in their tools. With that in mind, I started researching ...
    John Simmons
    last modified by John Simmons
  • ESA rule broken at 11.3

    We recently upgraded from NetWitness 10.6.6 to 11.3. Several rules got disabled during the upgrade and they no longer work. I suppose it is mainly because directory meta changed type from string to string[], so that i...
    Bohdan Rylko
    last modified by Bohdan Rylko
  • Failed to install services on NetWitness server

    Hi all, I'm new with NW and I have a couple of basic questions.   I'm trying to deploy NW on AWS so, for now, I succeed to install and login to the NW platform using the Lite Version. Q: How can I get the ful...
    Yotam Ben Ezra
    last modified by Yotam Ben Ezra
  • How do I generate reports of historical throughput statistics?

    I need to gather data about the utilization of our Netwitness 11.  Has anybody created reports that provide numbers of sessions, logs, packets, bandwidth, etc. captured by the decoders?   /D
    Dion Stempfley
    last modified by Dion Stempfley
  • Parsing Suricata JSON logs with NW

    To successfully parse Suricata JSON logs via syslog collector we need to use LUA parser in NetWitness Log Decoder. Suricata LUA parser in this example is mapping only specific fields from JSON logs to metakeys. In ca...
    Miha Mesojedec
    last modified by Miha Mesojedec
  • Configuration VM Log Hybrid in Azure

    I need to prepare a VM on Azure and I am unsure what settings for this environment. Does anyone have any suggestions? It will be a VM Log Hybrid, 1000 EPS, with maximum storage of 3 days of information.
    Andre Santos
    created by Andre Santos
  • Filter on Packet Decoder

    Hello all, Could you help? We need to set filtering  on packet decoder. In Decoder Configuration on Adapter we set Berkeley Packet Filter. But we don't see the decrease of incoming traffic. Could you help -...
    Denis Shinkarenko
    last modified by Denis Shinkarenko
  • ESM Syslog Template & Parsing

    Hi All,   We have recently moved to v11.3.1.1 on Netwitness and I am trying ot use the default Event Source monitoring to send syslog to one of our decoders when a device is inactive for a certain period of time...
    Shishir Kumar
    last modified by Shishir Kumar
  • Using RSA NetWitness to Detect Credential Harvesting: lsassy

    A couple of days ago on Github, Hackndo released a tool (https://github.com/Hackndo/lsassy) that is capable of dumping the memory of LSASS using LOLBins (Living of the Land Binaries) - typically we would see attackers...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • Why i can't see any index columns ? (Archer/NetWitness integration)

    i'm trying to do the integration (Archer/NetWitness), i'm following the guide that is provided in the official site, but i'm stucked in the part that i need to create a custom feed, when i'm in the "define columns" ta...
    Newton Gomes
    last modified by Newton Gomes
  • BULK CLOSE

    Hi Team,   Recently did the version upgrade of the RSA to 11.3.2.0, Would like to know whether we have the option to add the notes to all the incidents selected while bulk closing them together. Is there any opt...
    support soc
    last modified by support soc
  • Recently Published Knowledge Base Articles for RSA NetWitness® Platform

    Date Range: Sunday, December 22nd -- Saturday, December 28th   Article Title Author Last Published Date 000038245 - Unable to export Application Rules in RSA NetWitness Platform 11.x when there are more than...
    RSA Link Team
    last modified by RSA Link Team
  • Recently Published Knowledge Base Articles for RSA NetWitness® Endpoint

    Date Range: Sunday, December 22nd -- Saturday, December 28th   Article Title Author Last Published Date 000029763 - RSA NetWitness Endpoint RSA Live configuration error, Could not establish trust relationshi...
    RSA Link Team
    last modified by RSA Link Team
  • Host stuck on 'Rebooting'

    I just updated to 11.3.2.0 from 11.3.1.1. One of my hosts is stuck on 'rebooting'. It will time out after a while When trying to reboot from the GUI nothing happens on the host and the status of 'rebooting' will jus...
    Jeremy Kerwin
    last modified by Jeremy Kerwin
  • Tips to Build [Small] RSA NetWitness Platform Virtual Hosts

    Overview To ISO or Not to ISO VM Host Sizing Raw Event Data Storage Install Services Validate Folder Sizes - RSA NetWitness Platform Databases Validate Thresholds - MongoDB Minimu...
    Sean Griesheimer
    last modified by Sean Griesheimer
  • Chef-solo fails on Endpoint Log Hybrid

    When running the following command on my endpoint log hybrid. It fails with the subsequent errors.   chef-solo --no-color --logfile "/var/log/netwitness/config-management/chef-solo.log" --format doc --config /var...
    Jeremy Kerwin
    last modified by Jeremy Kerwin
  • SA - Visio Stencils

    Dears,   can someone provide me with the SA stencils?
    Bechara Abou Rahal
    last modified by Bechara Abou Rahal
  • Question on Netwitness custom parser

    Hello all,   Recently, I configured a new custom parser for a customer, and successfully modified all index-concentrator-custom, index-logdecoder-custom and  table-map-custom files, across three separate co...
    Jose Lopez-Villela
    last modified by Jose Lopez-Villela