• Multi tennant - restricting access to NW data

    I have a question about the multi tenant capability of NetWitness and looking for resources on how to configure. in the case of a deployment of NW for lets say different MSSP customers would it be easier to have a lo...
    Jeremy Kerwin
    last modified by Jeremy Kerwin
  • Use Case related to inactive users

    Hi, I want to ask regarding the possibility to create use case (to get alert) where we want to track situation where some specific user did not logged into the system (for example on Windows machine) more t...
    Petar Nikovic
    last modified by Petar Nikovic
  • rsa netwitness log forwarding format change

    i have a requriement to forward logs to other entity in specific format, is it possible to format logs during forwarding
    afsar pasha
    last modified by afsar pasha
  • McAfee ePO ODBC integration

    Hello.   I would like to know, regarding McAfee ePO integration via ODBC for Netwitness, the answer to the next questions:   1. What are the specific SQL tables consulted by the Event Source configuration?...
    Sergio Gonzales
    last modified by Sergio Gonzales
  • Adding Journals to multiple Incidents at a time

    Hello,   We are currently upgraded to version from   I'm currently looking after support for adding Journals to multiple Incidents at a time, This feature was available in 10.X versions. ...
    Siem sdc
    last modified by Siem sdc
  • active directory user principal name

    active directory configuration
    Jouni Juntunen
    last modified by Jouni Juntunen
  • context hub

    can we create a rules under monitor tab against the list in the context hub? I have the black list in the context hub, but I would like to know whether the event contains any traffic that contains data in the list.
    Xue YQ
    last modified by Xue YQ
  • Active Directory - Login Failed after Upgrade SA Server from 10.6.6 to 11.3

    Hello,   after upgrading to v.11.3 AD users are unable to login. Investigating on admin-server.log we found the following messeges generated after trying to authenticate with an AD user.
    NOC Torino
    last modified by NOC Torino
  • Windows nwConsole

    Where can i download the latest Windows nwConsole?
    Giuseppe Criaco
    last modified by Giuseppe Criaco
  • Rule Packet Decoder + Log Decoder

    Hi,   I need to create one rule, when my Packet Decoder detects one threat following by my Log Source (such as Firewall) action such DROP/BLOCK.   I did like this, but the rule is wrong. Could you help me?...
    Samanta Santos
    last modified by Samanta Santos
  • nwConsole download

    Where can i download latest Window nwConsole?
    Giuseppe Criaco
    last modified by Giuseppe Criaco
  • Retention Rules & Purge logs from Archiver

    Hello,   I need to filter logs to be storage on Archiver. I need to disscard any log from device ip and any log from device type 'winevent_nic' and from the device type 'winevent_snare' just need to keep...
    Omar Garcia Gilio
    last modified by Omar Garcia Gilio
  • has anyone gotten MS Exchange CAS logs into Netwitness?

    I am trying to see if it is feasible to parse MS Exchange CAS logs into NetWitness. I am running 11.3.1 and run Exchange 2016. If anyone can steer me in the right direction, I would appreciate it.   Thanks&...
    Eric Schwartz
    last modified by Eric Schwartz
  • /var/netwitness drive is 100%

    Hello Guys,   Log decoder /var/netwitness drive is full.      can some one please suggest, How to fix this issue.   Thanks, Suresh K
    suresh K suresh K
    last modified by suresh K suresh K
  • TrendMicro ScanMail for Microsof Exchange 12.5 SP1 Event Source

    Hello,   Is there an updated document for adding TrendMicro ScanMail for Microsof Exchange 12.5 SP1 as  Event Source in RSA NetWitness ?   Thank You
  • Migrate to new appliance

    Hello,   Is it proper way to migrate collected data (metadb, packetdb, sessiondb) to new appliance? For example we have appliances series 4 (SA Server, LogHybrid) 10.6.x (or 11) version and want to migrate our d...
    Alexey Fedorov
    last modified by Alexey Fedorov
  • Advance EPL rules for login during silent hour

    Hi, May I know whether we can put more than 1 Meta keys in the identifier? example: @RSAAlert(oneInSeconds=0, identifiers={"user_dst","host_src","event_time"}) @Name ("Privilege users {user_dst} login to {host_src}...
    Xue YQ
    last modified by Xue YQ
  • Report showing Respond > Incidents > INC-000000 > Journal notes

    Is anyone aware of how to create a Report (CSV) that includes the Journal notes from each Incident in RESPOND?
    David Honeycutt
    last modified by David Honeycutt
  • The IIOC score of several endpoints is "0"

    For a period of 3 weeks now, I have the  IIOC score of several endpoints I manage to be zero. Please what can I do, I need to carry out some assessments on the hosts and it is taking forever to troubleshoot. So...
  • Cannot find rsa-nw-hive-jdbc-*.rpm anywhere

    After upgrading to the latest Hive version has to be installed as per the update instruction. I cannot find the  package rsa-nw-hive-jdbc-1.0.0-1.x86_64 anywhere on the NW admin host. I also could find i...
    Maxim Siyazov
    created by Maxim Siyazov