• How To Contribute Your Parsers to the RSA NetWitness GitHub

    Here's the steps you'll need to follow to initiate a fork of the RSA NetWitness Log Parsers Repository  Create GitHub account for free https://www.GitHub.com  Locate the RSA NetWitness project https://gi...
    Eric Partington
    last modified by Eric Partington
  • Using RSA NetWitness to Detect Ninja C2

    A new C2 framework was recently added to the C2 Matrix called, Ninja. It was built on top of the leaked MuddyC3 framework used by an Iranian APT group called, MuddyWater. It can be run on Windows, Linux, macOS, a...
    Lee Kirkpatrick
    created by Lee Kirkpatrick
  • NetWitness 11 virtual demo environment with limited resources

    Hello, I'm looking for a way to install NetWitness 11  demo system on vmware with limited resources, so I would be grateful for any suggestions how to do it properly. Is it possible to lower amount of ...
    Marcin Filipiak
    last modified by Marcin Filipiak
  • Custom Flat File Log Collection with NW-Endpoint 11.4

    08APR2020 - UPDATE: adding a couple notes and example typespecs after some additional experimenting over the past week You may find the process easier to simply copy an existing 11.4 typespec in the...
    Josh Randall
    last modified by Josh Randall
  • Purging unwanted data from the RSA NetWitness Platform

    Unfortunately sometimes sensitive data can find its way where it is not wanted. It should not, but it happens. Perhaps your IT Person decided connecting the high side network to the low side was a good idea. Mayb...
    William Hart
    last modified by William Hart
  • Custom File Blacklists in NWE 11.4.x and above

    Every SOC analyst should spend at least part of his/her day reading various blog posts and white papers on attacker profiles and their tools and techniques. Attackers often repeat at least certain aspects of their act...
  • Zoom Meeting UNC Abuse and Detection with RSA NetWitness

    With the sudden surge in popularity for Zoom meetings, an increase interest has been seen by white/grey/black hats to identify potential vulnerabilities and weaknesses. One of the recent popular security weaknesses i...
    Halim Abouzeid
    last modified by Halim Abouzeid
  • RSA Managing Disruption Webinar: Fighting Fraud Amid Gobal Business Disruption, Tues., April 21 @ 11:00 am EDT

    Summary Organizations are escalating their efforts to move consumers to digital channels in response to the global need to minimize branch and face-to-face activity. But as transaction volumes in digital channels kick...
    Denise Sposato
    created by Denise Sposato
  • NTP settings of RSA Netwitness 11.3

    Hi, currently RSA runs in UTC and we need to set it to IST. We have added NTP server to RSA but it not worked. Is there any way to set time to IST?  
    Prasanna Madhushanka
    last modified by Prasanna Madhushanka
  • RSA IR - Recommendations for Users Working from Home

    1       Introduction The efforts of people around the globe have suddenly forced many workers to stay at home. For a significant portion of these workers that also means working remotely ...
  • RSA IR - Best Practices for Organizations (A Starting Point)

    1       Introduction The efforts of people around the globe have suddenly forced many workers to stay at home. For a significant portion of these workers that also means working remotely ...
  • Is it possible to get a report of existing incidents in RSA system?

    Hi, we are using RSA netwitness  (version and we have a requirement to get a detail report about all existing incidents that we are created. is there any way to get this report?
  • values-over-time chart if rule has 'Summarize=Custom'

    My rule returns the value we expect (number of different "ip.src" that generated events of the type indicated in the "where" field). Is it possible to use this rule in a values-over-time chart to display the number of...
  • Network Decoder Truncation Options

    The ability to capture network events while keeping only the header portion and truncating the payload has been available for quite some time. This has always been a great option when the lack of analytical value of t...
    William Hart
    created by William Hart
  • Work From Home - The Paradigm Shift in Cyber Defense

    INTRODUCTION By now, you may have already started to work from home instead of your usual workplace, like many of your co-workers and peers. As the situation continues to evolve, there is a rapidly increasing trend fo...
    Choon Hian Koh
    last modified by Choon Hian Koh
  • GeoIP Update

    Hi All,   As geoIp gets updated with the version update which comes in month(s) and maxmind update their database once in a three week. So there is lack of updated database in SA due to which sometimes we gets t...
    Mohd Saad Khan
    last modified by Mohd Saad Khan
  • Bulk Data Export From RSA Netwitness Archiver

    Hi Team,   Currently we using RSA Netwitness in our organization. So we have archiver which is deployed for log retention. At present we having 5 months of log data stored in archiver. We have the below...
    Devaraj Mohan
    last modified by Devaraj Mohan
  • Centralized Backup & Restore of NetWitness Version 11.2+  (A Wrapper Script for NRT)

    NOTE:  Updated to support You need to remotely backup your NetWitness hosts to a central location, to satisfy Disaster Recovery Requirements, perform a Tech Refresh, or to be prepared for RMA rep...
    John Snider
    last modified by John Snider
  • Profiling Attackers Series

    I have recently been posting a number of blogs regarding the usage of the RSA NeWitness Platform to detect attackers within your environment. As the list of the blogs grow, it is becoming increasingly difficult to nav...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick
  • Using RSA NetWitness to Detect HTTP Asynchronous Reverse Shell (HARS)

    I recently reviewed HTTP Asynchronous Reverse Shell (HARS) for The C2 Matrix, which should be posted soon! They also have a Google Docs spreadsheet here: C2Matrix - Google Sheets. I’ve been following t...
    Lee Kirkpatrick
    last modified by Lee Kirkpatrick