Respond Risk-Score Calculation Hi, Any idea how risk score is being calculated at Respond Server for any Incident? Got to know that there is some internal algorithm for this. Really very curious to know this in detailed explanation. ... 
Webinar: The Evolving Integration of Integrated Risk Management into Business Risk Management, Wed., July 24 @ 1:30 EDT Keeping up with new and changing threat-sources, technologies, products and services, markets, and extended eco-systems creates enormous demands on information security teams. Deciding what is most important and alloc... 
cef parser handling change to date in payload I have a situation where the date value is in the CEF payload and is coming in like this: timestamp=2019-07-15T18:53:34.313Z If I assign this value to <ExtensionKey cefName="timestamp" metaName="event_time"/> ... 
How to Perceived duplicated Traffic Hello everyone! The Team here surged with a question regarding the possibility to check on Netwitness wether ir not there is duplicated Traffic. It is more like, using Netwitness to point Network maps being ob... 
Event Stream Engine Under ADMIN > Services > (Select an ESA service) > Actions icon > View > Config. we have Event Stream Engine -> Max Patterns Sub expressions ...How to use this parameter. How do we know what ... 
Drop in Windows Events After installing 10.6.6.1 Good Morning. I installed 10.6.6.1 on June 12th. Last week I noticed that an ESA rule had not fired and on investigating I can see that there was a correlation between the upgrade and a drop in Windows events.... 
Centralized Backup & Restore of NetWitness Version 11.2+ (A Wrapper Script for NRT) Scenario You need to remotely backup your NetWitness hosts to a central location, to satisfy Disaster Recovery Requirements, perform a Tech Refresh, or to be prepared for RMA replacement of a device. Solution – ... 
Consolidating your backups and maximizing NRT (NetWitness Recovery Tool) Changes are inevitable and no one knows when a restore is going to be needed. Today backup and restore processes are standard, required, and are part of nearly all basic deployment strategies. W... 
Sources and Destinations metas logic Hi If we look at winevent_nic parser and take 4732 event as example (User was added to group) than user who perfromed action is placed in user.dst meta and user which was added to group (new member) is placed to user.... 
Recently Published Knowledge Base Articles for RSA NetWitness® Logs & Network Date Range: Sunday, July 7th -- Saturday, July 13th Article Title Author Last Published Date 000037677 - ESA email notifications are failing to send when an invalid subject template is selected Michae... 
RSA Upgrade We are planning to upgrade RSA 10 to 11 series version so I have some doubt on below questions. Please help me on these questions- 1. We have 4 series physical appliance. can we upgrade 11.2.1.1 version ... 
How do I enter an IP range in EPL using RegEx? Hello everybody, I hope you can help me out. I have created a rule in EPL that should trigger whenever the corresponding event occurs in one of the metafields. I would also like to receive an alarm if a certain IP ra... 
Retrieve session metadata using REST API Can I retrieve all metadata of a network session using the REST API? If so, can someone explain to me how this works? I want to use the sessionid as unique identifier. Cheers, Niels. 
Health and Wellness Policy - Alerting on Uptime A recent customer question about alerting on Uptime values from the REST API got me digging into the Health and Wellness Policies for a better solution. The request was to alert when the uptime value for speci... 
ESA rule broken at 11.3 We recently upgraded from NetWitness 10.6.6 to 11.3. Several rules got disabled during the upgrade and they no longer work. I suppose it is mainly because directory meta changed type from string to string[], so that i... 
Error Hi All, Can anyone explain, how to add list while creating any rule? while creating a rule its showing the error as shown below in attached snapshot . 
Meta Key Information Hi everyone, Can someone help me to get the list of all meta keys along with the respective field names ! RSA Upgrade We have two RSA solution in DC and DR and we are planning to upgrade DC RSA first after one week we will go to DR RSA. In this case DC RSA first then DC RSA(11.2.1.1) will communicate DR RSA (10.... Netwitness 11.3 STIG hardening Hi, i want to apply STIG to my Netwitness 11.3. And i found that there is no guide line. 
PE imphash Inspection - Yara on Malware Analysis I recently imported some custom yara rules into the Malware Analysis appliance. These particular rules had a large condition set that relied on pe.imphash() so first off the .yara file has an import for pe, just... 