• Drop in Windows Events After installing

    Good Morning.   I installed on June 12th. Last week I noticed that an ESA rule had not fired and on investigating I can see that there was a correlation between the upgrade and a drop in Windows events....
    David Waugh
    created by David Waugh
  • RSA Upgrade

    We are planning to upgrade RSA 10 to 11 series version, so I have some doubts on the questions below. Please help me with these questions: 1. We have 4 series physical appliance. Can we upgrade version ...
    Ved Shar
    created by Ved Shar
  • How do I enter an IP range in EPL using RegEx?

    Hello everybody, I hope you can help me out. I have created a rule in EPL that should trigger whenever the corresponding event occurs in one of the metafields. I would also like to receive an alarm if a certain IP ra...
    Hidayat Lal Baz
    last modified by Hidayat Lal Baz
  • Retrieve session metadata using REST API

    Can I retrieve all metadata of a network session using the REST API? If so, can someone explain to me how this works? I want to use the sessionid as unique identifier. Cheers, Niels.
    Niels Van Eijck
    last modified by Niels Van Eijck
  • ESA rule broken at 11.3

    We recently upgraded from NetWitness 10.6.6 to 11.3. Several rules got disabled during the upgrade and they no longer work. I suppose it is mainly because directory meta changed type from string to string[], so that i...
    Bohdan Rylko
    last modified by Bohdan Rylko
  • Meta Key Information

    Hi everyone, can someone help me to get the list of all meta keys along with the respective field names?
    mohammed arifuddin
    last modified by mohammed arifuddin
  • Netwitness 11.3 STIG hardening

    Hi, I want to apply STIG to my NetWitness 11.3, and I found that there is no guideline.
    Xuanang Li
    last modified by Xuanang Li
  • PE imphash Inspection - Yara on Malware Analysis

    I recently imported some custom yara rules into the Malware Analysis appliance.  These particular rules had a large condition set that relied on pe.imphash() so first off the .yara file has an import for pe, just...
    Chuck Kimber
    created by Chuck Kimber
  • Netwitness Behavior regarding  wrong checksum packets

    Hello, are there documents/articles specifying NetWitness packet capture behavior and parsing regarding traffic with wrong checksums? Are those packets dropped? This question arose due to tests using ...
    Henrique Braz
    created by Henrique Braz
  • WinSCP Post v11.2 Upgrade Error

    RSA, We recently upgraded to v11.2 and now WinSCP is not connecting to any of the upgraded devices. Therefore, we are not able to SCP any files. I recall there is key exchange or similar that needs to be done. Can so...
    Dwayne Fryer
    last modified by Dwayne Fryer
  • RSA 11  UI

    Hi Team, where will I be able to view my ESA alerts summary and graph in RSA Version 11? Likewise, I am able to view the same in 10.6.6 under alerts >>>> summary. I have tried a lot no...
    Rahul Rawat
    last modified by Rahul Rawat
  • Integrating a MySQL db with NetWitness 11

    Hello, I'm trying to pull some logs from a MySQL db (version 5.7.26-0ubuntu0.18.04.1) following the guide Here. I did all the procedure correctly, downloading the new version of odbc driver (8.0.16-1.el7.x86_...
    Luca Bernabei
    created by Luca Bernabei
  • GPO Rule

    I'm new to this SIEM and writing rules. How would I write a simple rule to report when changes have been made to GPO?
    Roger Feagin
    last modified by Roger Feagin
  • Forwarding Logs to another Collector

    We are migrating our environment to another datacenter and I have a few questions: 1- Is it possible to forward the IP from the VLC to another Collector/Decoder Destination? 2- Is it possible to forward the dev...
    Renato Goncalves
    last modified by Renato Goncalves
  • Auditing of analyst and admin activities on SA console

    Is there an option to log and monitor analyst and admin activities on the SA console? The requirement is that any activity performed by analysts or the admin itself (local or LDAP) be logged and available for auditing.
    Visham Rawat
    last modified by Visham Rawat
  • Can I build a url to display an event based on sessionid?

    I want to build a url that shows a NetWitness user the event details in the investigate module. So something like: https://nwserver/investigation/<serviceid>/events?sessionid="<id>"   Is this possible?
    Niels Van Eijck
    last modified by Niels Van Eijck
  • ESA Hard disk Format

    Hi Team, we need to format the ESA hard disk. Can you please tell me which type of cable (hard disk to USB) is required to do this activity?
    Abhishek Samdole
    last modified by Abhishek Samdole
  • Problem adding destination with a Windows Legacy Collector

    Community: I'm facing an issue trying to add two different WLCs to two different Log Collectors with NetWitness 10.6.6. In both cases when I configure the destination of the collection the GUI throws me the fol...
    Maximiliano Cittadini
    last modified by Maximiliano Cittadini
  • NetWitness: Respond->Alerts

    Has anyone encountered this issue?   Under Respond->Alerts, noticed an odd attribute for Source, it appears as Missing translation: respond.alert.source.
    David Honeycutt
    last modified by David Honeycutt
  • Reset a DAC Raid Configuration

    How can we reset a Powervault DAC RAID to its initial configuration (all the disks Unconfigured) when we are switching the DAC from one appliance to another?
    Rachid Griech
    last modified by Rachid Griech