• SDK form gone in 11.3.1.0?

    When accessing the RESTful API as described in SDK Commands I was used to seeing the /sdk form as displayed on page 15 of that PDF: However, in 11.3.1.0 the form is no longer there. Only the static links shown on p...
    Richard van den Berg
    last modified by Richard van den Berg
  • Restricting view access to Hosts

    Is it possible to restrict the ability to view groups of hosts in NetWitness Endpoint by permissions? I.e. Analyst A is only allowed to see hosts that are assigned to USA, Analyst B is allowed to see hosts in the EME...
    Jeremy Kerwin
    created by Jeremy Kerwin
  • HTTP_lua Parser: missing expected meta

    Is anyone else having issues finding expected meta from the HTTP_lua parser?   Particularly I'm concerned that the latest version of the parser may not be parsing out these pieces of meta <below> but there...
    David Gassman
    last modified by David Gassman
  • Packet Lua Parser - assistance

    I'm working on a packet parser that I could use some Community help with. Essentially I'm trying to find a token and then register that token as meta in an existing key. Additionally, if more than one token is found ...
    David Gassman
    last modified by David Gassman
  • DNS resolution of Relay server

    I have made a host entry on the NetWitness Endpoint server for the relay server but the platform is not resolving it from the UI, although it perfectly resolves from the CLI.
    Mayank Sharma
    created by Mayank Sharma
  • Data Retention Scheduler best practices

    What are the best practices when using the Data Retention Scheduler for NW Packet decoders/concentrators? We typically set the retention to 30 to 90 days. The default for "Run" is every 15 minutes which seems quite lo...
    Richard van den Berg
    last modified by Richard van den Berg
  • Custom TCP Shell and Mobile Messaging Apps

    During a recent customer engagement, I found the "customtcp shell" meta with some very interesting sessions.  All of the traffic was using what appeared to be custom encryption and the destination IP was based in...
    John Simmons
    last modified by John Simmons
  • APT Emulation Using CALDERA

    Over the past year, I have posted multiple blogs whereby I perform APT (Advanced Persistent Threat) emulation and analyse the forensic footprint left behind after the attack using the NetWitness platform. In this post...
    Lee Kirkpatrick
    created by Lee Kirkpatrick
  • Using RSA NetWitness to Detect C&C: WEASEL

    I was doing some hunting through our lab traffic today and came across some strange looking traffic, it turned out to be Rui Ataide playing around with a new DNS C2. It is named WEASEL and can be found ...
    Lee Kirkpatrick
    created by Lee Kirkpatrick
  • To what compression ratios do the different compression settings translate?

    What compression ratios do the different levels of meta.compression.level and packet.compression.level effectively translate to with the different packet.compression and meta.compression values?   I.e. if w...
    Tomi Reiman
    last modified by Tomi Reiman
  • RSA NetWitness® Platform Versions

    Click on a link below to visit the page for each product version. RSA NetWitness® Logs & Network | RSA NetWitness® Investigator | RSA NetWitness® Endpoint | RSA NetWitness® Orche...
    RSA Link Team
    last modified by RSA Link Team
  • How to Perceived duplicated Traffic

    Hello everyone! The Team here surged with a question regarding the possibility to check on NetWitness whether or not there is duplicated Traffic. It is more like, using NetWitness to point Network maps being ob...
    Henrique Braz
    last modified by Henrique Braz
  • Collected log size

    Hello. Is there a way to limit the individual size of the logs that NetWitness 11.2 collects? Thanks.
    Teyocoyani Orozco
    last modified by Teyocoyani Orozco
  • Expand the display of the meta key

    Dear !  As far as I know, the meta key display will be 256 characters, is there any way to expand it or not?  
    chien nguyen
    last modified by chien nguyen
  • RSA archer and NW compatibility

    I'm upgrading to RSA NW 11.3.1 from NW 11.2 and using RSA Archer V6.3. Is my RSA Archer V6.3 compatible with NW 11.3.1, or do I need to upgrade Archer also?
    Rahul Chauhan
    last modified by Rahul Chauhan
  • Brotli compression

    We are seeing a lot of sessions come through with Brotli compression.   Is there any thoughts about uncompressing this traffic so that the Netwitness parsers can leverage the uncompressed packet? Notice the ...
    Paul Calamari
    last modified by Paul Calamari
  • Profiling Attackers Series

    I have recently been posting a number of blogs regarding the usage of the RSA NetWitness Platform to detect attackers within your environment. As the list of the blogs grows, it is becoming increasingly difficult to nav...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • Health & Wellness uses an old IP for connecting to a device - How to Resolve

    Health and Wellness leverages RabbitMQ to be able to collect the actual status of any components of the RSA Netwitness platform. After changing an IP on a component the Health and Wellness keep communicating...
    Xavier Trepanier-Taupier
    last modified by Xavier Trepanier-Taupier
  • NWE: Alert when process dump created

    In NetWitness endpoint, I deployed the Endpoint bundle pack to ESA, I was surprised to find that there wasn't an alert generated when a process dump file was created.   Is there an alert within RSA live to ale...
    Jeremy Kerwin
    created by Jeremy Kerwin
  • How do you set up Windows Exchange server CAS logs to NetWitness?

    I am running NetWitness version 11.3.1.0 and was trying to set up collecting and reporting on CAS logs into the SIEM. We are collecting exchange server logs. Is there a way to do this?
    Eric Schwartz
    created by Eric Schwartz