  • Respond Risk-Score Calculation

    Hi, Any idea how risk score is being calculated at Respond Server for any Incident? Got to know that there is some internal algorithm for this. Really very curious to know this in detailed explanation. ...
    Deepak Shukla
    last modified by Deepak Shukla
  • Webinar: The Evolving Integration of Integrated Risk Management into Business Risk Management, Wed., July 24 @ 1:30 EDT

    Keeping up with new and changing threat-sources, technologies, products and services, markets, and extended eco-systems creates enormous demands on information security teams. Deciding what is most important and alloc...
    Denise Sposato
    created by Denise Sposato
  • cef parser handling change to date in payload

    I have a situation where the date value is in the CEF payload and is coming in like this: timestamp=2019-07-15T18:53:34.313Z If I assign this value to <ExtensionKey cefName="timestamp" metaName="event_time"/> ...
    Renee Russell
    created by Renee Russell
  • How to Perceived duplicated Traffic

    Hello everyone! The Team here surged with a question regarding the possibility to check on Netwitness whether or not there is duplicated Traffic. It is more like, using Netwitness to point Network maps being ob...
    Henrique Braz
    created by Henrique Braz
  • Event Stream Engine

    Under ADMIN > Services > (Select an ESA service) > Actions icon > View > Config. We have Event Stream Engine -> Max Patterns Sub expressions ... How to use this parameter. How do we know what ...
    Vikram Singh Rajawat
    last modified by Vikram Singh Rajawat
  • Drop in Windows Events After installing 10.6.6.1

    Good Morning. I installed 10.6.6.1 on June 12th. Last week I noticed that an ESA rule had not fired and on investigating I can see that there was a correlation between the upgrade and a drop in Windows events....
    David Waugh
    last modified by David Waugh
  • Centralized Backup & Restore of NetWitness Version 11.2+ (A Wrapper Script for NRT)

    Scenario You need to remotely backup your NetWitness hosts to a central location, to satisfy Disaster Recovery Requirements, perform a Tech Refresh, or to be prepared for RMA replacement of a device. Solution – ...
    John Snider
    last modified by John Snider
  • Consolidating your backups and maximizing NRT (NetWitness Recovery Tool)

    Changes are inevitable and no one knows when a restore is going to be needed. Today backup and restore processes are standard, required, and are part of nearly all basic deployment strategies. W...
    Thomas Jones
    last modified by Thomas Jones
  • Sources and Destinations metas logic

    Hi, If we look at winevent_nic parser and take 4732 event as example (User was added to group) then user who performed action is placed in user.dst meta and user which was added to group (new member) is placed to user....
    Nikolay Klender
    created by Nikolay Klender
  • Recently Published Knowledge Base Articles for RSA NetWitness® Logs & Network

    Date Range: Sunday, July 7th -- Saturday, July 13th   Article Title Author Last Published Date 000037677 - ESA email notifications are failing to send when an invalid subject template is selected Michae...
    RSA Link Team
    last modified by RSA Link Team
  • RSA Upgrade

    We are planning to upgrade RSA 10 to 11 series version so I have some doubt on below questions. Please help me on these questions- 1. We have 4 series physical appliance. Can we upgrade 11.2.1.1 version ...
    Ved Shar
    created by Ved Shar
  • How do I enter an IP range in EPL using RegEx?

    Hello everybody, I hope you can help me out. I have created a rule in EPL that should trigger whenever the corresponding event occurs in one of the metafields. I would also like to receive an alarm if a certain IP ra...
    Hidayat Lal Baz
    last modified by Hidayat Lal Baz
  • Retrieve session metadata using REST API

    Can I retrieve all metadata of a network session using the REST API? If so, can someone explain to me how this works? I want to use the sessionid as unique identifier. Cheers, Niels.
    Niels Van Eijck
    last modified by Niels Van Eijck
  • Health and Wellness Policy - Alerting on Uptime

    A recent customer question about alerting on Uptime values from the REST API got me digging into the Health and Wellness Policies for a better solution. The request was to alert when the uptime value for speci...
    Eric Partington
    last modified by Eric Partington
  • ESA rule broken at 11.3

    We recently upgraded from NetWitness 10.6.6 to 11.3. Several rules got disabled during the upgrade and they no longer work. I suppose it is mainly because directory meta changed type from string to string[], so that i...
    Bohdan Rylko
    last modified by Bohdan Rylko
  • Error

    Hi All, Can anyone explain how to add list while creating any rule? While creating a rule it's showing the error as shown below in attached snapshot.
  • Meta Key Information

    Hi everyone, Can someone help me to get the list of all meta keys along with the respective field names!
    mohammed arifuddin
    last modified by mohammed arifuddin
  • RSA Upgrade

    We have two RSA solutions in DC and DR and we are planning to upgrade DC RSA first after one week we will go to DR RSA. In this case DC RSA first then DC RSA(11.2.1.1) will communicate DR RSA (10....
    Ved Shar
    created by Ved Shar
  • Netwitness 11.3 STIG hardening

    Hi, I want to apply STIG to my Netwitness 11.3. And I found that there is no guideline.
    Xuanang Li
    last modified by Xuanang Li
  • PE imphash Inspection - Yara on Malware Analysis

    I recently imported some custom yara rules into the Malware Analysis appliance. These particular rules had a large condition set that relied on pe.imphash() so first off the .yara file has an import for pe, just...
    Chuck Kimber
    created by Chuck Kimber