• NetWitness Services List

    Hey NetWitness Users,      I recently received a pretty comprehensive listing of the various service names and locations of the NetWitness services!  I wanted to ensure I got this info out to the ...
    Robert Dredger
    last modified by Robert Dredger
  • Using RSA NetWitness to Detect C&C: Covenant

    Introduction Having recently moved into the IR team – where I now have to actually do stuff as opposed to just talking about stuff in technical sales – I have found that the best way to get up to speed wi...
    Chris Thomas
    created by Chris Thomas
  • Easy-add Recurring Feeds

    19DEC2019 Update (with props to Leonard Chvilicek for pointing out several issues with the original script) implemented more accurate java version & path detection for JDK variable implemented 30 second timeo...
    Josh Randall
    last modified by Josh Randall
  • Collected log size

    Hello. Is there a way to limit the individual size of the logs that NetWitness 11.2 collect?    Thanks.
    Teyocoyani Orozco
    last modified by Teyocoyani Orozco
  • Contextualizing JA3 Fingerprints

    19DEC2019 Update: Modified the original ESA rule (ja3context.txt) with additional/better logic to match destination port numbers between the Endpoint and Network sessions. Additionally, I recommend disabling the "Aler...
    Josh Randall
    last modified by Josh Randall
  • Using RSA NetWitness to Detect C&C: ReverseTCP Shell

    In this blog post, I am going to cover a C&C framework called ReverseTCP Shell. This was recently posted to GitHub by ZHacker: GitHub - ZHacker13/ReverseTCPShell: PowerShell ReverseTCP Shell - Framework   ...
    Lee Kirkpatrick
    created by Lee Kirkpatrick
  • Endpoint datastore location

    Much like with the packetdb, sessiondb, metadb, index etc. Where is the data stored for the Endpoint server or client scans? I want to make sure that it's on a partition that has enough space for the client scan dat...
    Jeremy Kerwin
    last modified by Jeremy Kerwin
  • Custom TCP Shell and Mobile Messaging Apps

    During a recent customer engagement, I found the "customtcp shell" meta with some very interesting sessions.  All of the traffic was using what appeared to be custom encryption and the destination IP was based in...
    John Simmons
    last modified by John Simmons
  • Upgrading "New" v10.6.6 Log Gear to v11.2.0

    RSA, We just deployed some new log gear and I need assistance with getting this gear upgraded to v11.2.0. I have attempted to upgrade the devices with our v11.2.0 ISO and build stick but the issue comes into place wh...
    Dwayne Fryer
    last modified by Dwayne Fryer
  • RSA NetWitness VLC Load Balancing + Failover

    Naushad Kasu
    last modified by Naushad Kasu
  • VLC Load Balancing + Failover Video Files

    Naushad Kasu
    last modified by Naushad Kasu
  • Help with CEF custom fields

    Hi all, I have a customer who is running Kaspersky and he doesn't have access to the SQL Express instance (it seems that the kaspersky solution install and creates it own db engine with sql express, with a custom admi...
    Maximiliano Cittadini
    last modified by Maximiliano Cittadini
  • tcp.srcport Index/Meta(s) Overflown

    We have several appliances that report tcp.srcport is overflown. We are familiar with this concept for meta keys that have limited index sizes like payload or filename, but tcp.srcport is defined correctly in index-co...
    Richard van den Berg
    last modified by Richard van den Berg
  • To what compression ratios do the different compression settings translate?

    What compression ratios do the different levels of meta.compression.level and packet.compression.level effectively translate to with the different packet.compression and meta.compression values?   I.e. if w...
    Tomi Reiman
    last modified by Tomi Reiman
  • No syslog collection option on the VLC

    The syslog collection option isn't showing up for the remote log collector. Not sure why? The other 9 collection methods show, but syslog doesn't on the VLC.
    Visham Rawat
    last modified by Visham Rawat
  • syslog log collection not shown under log collection.

    syslog log collection not shown under log collection.
    Kanishka Bansal
    last modified by Kanishka Bansal
  • APT Emulation Using CALDERA

    Over the past year, I have posted multiple blogs whereby I perform APT (Advanced Persistent Threat) emulation and analyse the forensic footprint left behind after the attack using the NetWitness platform. In this post...
    Lee Kirkpatrick
    created by Lee Kirkpatrick
  • SDK form gone in 11.3.1.0?

    When accessing the RESTful API as described in SDK Commands I was used to seeing the /sdk form as displayed on page 15 of that PDF: However, in 11.3.1.0 the form is no longer there. Only the static links shown on p...
    Richard van den Berg
    last modified by Richard van den Berg
  • Restricting view access to Hosts

    Is it possible to restrict the ability to view groups of hosts in NetWitness Endpoint by permissions? I.e. Analyst A is only allowed to see hosts that are assigned to USA, Analyst B is only allowed to see hosts in the EME...
    Jeremy Kerwin
    created by Jeremy Kerwin
  • HTTP_lua Parser: missing expected meta

    Is anyone else having issues finding expected meta from the HTTP_lua parser?   Particularly I'm concerned that the latest version of the parser may not be parsing out these pieces of meta <below> but there...
    David Gassman
    last modified by David Gassman