  • Decoder won't start

    Good day! We have an issue with the RSA Decoder. By the monitoring system, we receive that the service status is green and ready, but the health status says Capture stopped with the red sign, how we can ident...
    Aleksey Martyanov
    last modified by Aleksey Martyanov
  • RSA Packet Concentrator S6

    Need to know some model and details of RSA Packet Concentrator S6 
    Jinson Abraham
    last modified by Jinson Abraham
  • How many characters is Netwitness query filtering able to afford?

    My rule is to check for hits from the list, and the list might contain quite a huge amount of data. For example the rule is: ip.dst = $[list] List:,,......, etc. When I drill in to particular hits, ...
    Xue YQ
    last modified by Xue YQ
  • Inquiry about NWe licenses

    I have a customer who bought Netwitness for Log as a solution. In the last days, we were with them and they asked us about the integration of a very hardened Windows environment. I told them to let me think about it for ...
    Maximiliano Cittadini
    last modified by Maximiliano Cittadini
  • RSA Conference 2020: February 24-28, San Francisco

    Check out the RSA Conference 2020 - you won't want to miss this event. Register by Jan. 24 and SAVE $900.
    Denise Sposato
    created by Denise Sposato
  • Profiling Attackers Series

    I have recently been posting a number of blogs regarding the usage of the RSA NetWitness Platform to detect attackers within your environment. As the list of the blogs grows, it is becoming increasingly difficult to nav...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • ESA Rule - event A not preceded by event B

    Hi, I have a case when I want to create an alert for a specific event only if another event did not precede that specific event. To give more context: if an email gateway 'reputation' event happened for an ...
    Tamas Szilagyi
    last modified by Tamas Szilagyi
  • RSA Charge 2020 Conference: October 5-8, Orlando FL

    RSA Charge 2020, October 5-8, the largest gathering of security and risk professionals, is now open for Early Bird registration by visiting the RSA Charge 2020 website. The website should be your 'go-to' for all RSA C...
    Denise Sposato
    created by Denise Sposato
  • SNMP with Netwitness Appliances - SNMPv1,2 and 3 – Put it all together 11.x

    Updated for snmpv3: 01/14/2020 Scenario – You or your customer would like to link SNMP to the Netwitness for system monitoring purposes (Solarwinds, Nagios, etc.).   Why SNMP? SNMP is an “agentless...
    Thomas Jones
    last modified by Thomas Jones
  • Using the RSA NetWitness Platform to Detect Lateral Movement: SCShell (DCE/RPC)

    A couple of months ago, Mr-Un1k0d3r released a lateral movement tool that solely relies on DCE/RPC (https://github.com/Mr-Un1k0d3r/SCShell). This tool does not create a service and drop a file like PsExec or simi...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • RSA NetWitness Meta Dictionary Tool

    The RSA NetWitness Meta Dictionary is a tool developed for describing metadata used in RSA NetWitness Log Parsers.  The RSA NetWitness Log Decoder supports over 300+ unique log event sources.  Each log event...
    Chaitra Kulkarni
    last modified by Chaitra Kulkarni
  • Failed to install services on NetWitness server

    Hi all, I'm new with NW and I have a couple of basic questions.   I'm trying to deploy NW on AWS so, for now, I succeed to install and login to the NW platform using the Lite Version. Q: How can I get the full v...
    Yotam Ben Ezra
    last modified by Yotam Ben Ezra
  • Using the RSA NetWitness Platform to Detect C&C: goDoH

    DNS over HTTPS (DoH) was introduced to increase privacy and help prevent against the manipulation of DNS data by utilising HTTPS to encrypt it. Mozilla and Google have been testing versions of DoH since June 2018, and...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • How do you set up reporting to monitor for local user in the SAadministrator group?

    I would like to see how I can create a report to monitor user's activity while using netwitness. I specifically want to monitor users in the SAadministrator group. Users are authenticating using PAM and the user's rol...
    Eric Schwartz
    last modified by Eric Schwartz
  • How Can I use LDAP to authenticate my users to ssh access on NW Appliances?

    How Can I use LDAP to authenticate my users to ssh access on NW Appliances? I have an "AD" group used to access all tools by ssh. I am using this way to all security solutions here, but the RSA I am using a loca...
  • Detecting DNS tunneling in RSA NetWitness: DNS2TCP

    When performing network forensics, all protocols should be analysed, however, some tend to be more commonly abused than others; one of these being DNS. While not as flexible as say HTTP, it does flow through, and outs...
    Marco Faggian
    created by Marco Faggian
  • Where can I find information about importing IP watchlists into NW

    I have a list of IOC IPs and want to stand up a rule and alert.  Does anyone know where I can find information on this process?  I'm a VERY green n00b who starts training next month.   Thanks
    Paul Bagnell
    last modified by Paul Bagnell
  • Import / Export Data

    I'm trying to reduce an xfs partition. Unfortunately, when I try to create packet of the metadb/packetdb/index, etc the xfsdump is not installed. Is there any way that I can create backup and then export da...
    Renato Goncalves
    last modified by Renato Goncalves
  • Detecting Gh0st RAT in the RSA NetWitness Platform

    In order to defend their network effectively, analysts need to understand the threat landscape, and more specifically how individual threats present themselves in their tools. With that in mind, I started researching ...
    John Simmons
    last modified by John Simmons
  • ESA rule broken at 11.3

    We recently upgraded from NetWitness 10.6.6 to 11.3. Several rules got disabled during the upgrade and they no longer work. I suppose it is mainly because directory meta changed type from string to string[], so that i...
    Bohdan Rylko
    last modified by Bohdan Rylko