RN 11.3.1: What's New

Document created by RSA Information Design and Development on Jul 9, 2019
Version 1Show Document
  • View in full screen mode

What’s New

The NetWitness Platform release provides the following enhancements.

Broker, Concentrator, Decoder, and Log Decoder Improvements

Save Interval for Core Service Indexes Has Been Reduced to Improve Memory Consumption

The default save interval for Core service indexes has been reduced from 600 million to 200 million when it is set to auto. This allows large indexes to be saved more frequently, which reduces the index slice size and consequently reduces memory consumption in the index.

Expanded Detection of Encrypted Channels

To help you identify encrypted channels, the Network Decoder can produce the JA3 value of TLS clients and the JA3S value of TLS servers that are observed in a network session. The values that are produced conform to the values generated by the open source JA3 tools (https://github.com/salesforce/ja3). For more information, see "JA3 and JA3S TLS Fingerprints" in the Decoder and Log Decoder Configuration Guide for RSA NetWitness Platform.

Event Source Monitoring

Event Source Monitoring View Moved

For NetWitness Platform 11.3.1, the features in the Event Source Monitoring view (ADMIN > Health & Wellness > Event Source Monitoring) have been moved to the ADMIN > Event Sources > Discovery view. For more information, see "About Event Source Management" in the Event Sources Management User Guide for RSA NetWitness Platform.


Centralized Audit Logging

NetWitness Platform collects audit logs from all services and aggregates the logs into a single file in a centralized location for faster access and easy analysis. Standard filters determine and control the logs that must be aggregated. For more information, see "Centralized Audit Logging" in the System Configuration Guide for RSA NetWitness Platform.

Improved Audit Logging Text

Audit logging is improved to provide further granularity on the action taken, or the recipient of the action when that context is necessary. Audit logging descriptions for users logging on and off hosts have been improved in audit logs. You can view audit logs in the NetWitness Platform User Interface (select a log service and then View > Logs) or in the REST API (select /logs and then /logs/download, and then choose a time frame and the type of logs to be audited). For more information, see "Configure Global Audit Logging" in the System Configuration Guide for RSA NetWitness Platform, and the RESTful API User Guide for RSA NetWitness Platform.

Apply Version Updates from the User Interface without Direct Internet Access

After you update NetWitness Platform to 11.3.1, you can apply future version updates from the Hosts view in the User Interface (UI) without a NetWitness Platform connection to the Internet (for example, no Live connection). For detailed instructions on how to do this, refer to “Apply Update from Hosts View without RSA Live Update Repo Connection (No Web Access)" in the Hosts and Services Getting Started Guide for RSA NetWitness Platform.


In 11.3.1, RSA added support for Audit Rules in the DISA STIG (Defense Information Systems Agency Security Technical Implementation Guide) Control Group. For more information, see the "DISA STIG" topic in the System Maintenance Guide for RSA NetWitness Platform.

Health and Wellness

Monitor Lockbox Status for Warehouse Connector

A new Health & Wellness statistic for Warehouse Connector is added to indicate the status of its Lockbox. In addition, an out-of-the-box rule is added so that a Health & Wellness alarm is raised when the Lockbox does not exist or cannot be opened.

Monitor Risk Process Improved for Host and Files

This applies to customers who are using NetWitness Endpoint. New statistics and policies are added in Health & Wellness to monitor the health of Risk scores for hosts and files.

Monitor Health of Relay Servers

This applies to customers who are using NetWitness Endpoint. New statistics are added in Health & Wellness to monitor the health of relay servers.

Monitor System Resources for Virtual Log Collectors

A new statistic and policy are added in Health & Wellness to monitor the virtual system resource status for Virtual Log Collector configurations. The new out-of-the-box rule provides an indication of a VLC system that may be under-resourced for the current load.

Monitor Message Broker System Resources for Virtual Log Collectors

A new statistic and policy are added in Health & Wellness to monitor the message broker status for Virtual Log Collector configurations. The new out-of-the-box rule provides an indication of a when the message broker system’s resources are near capacity, which indicates the VLC may be under-resourced for the current load.

Monitor Message Broker Queues for Log Collectors

A new policy is added in Health & Wellness to monitor when the message broker queue status reaches more than 50k messages for 10 minutes. The new out-of-the-box rule provides an indication of when there is a potential problem with the connection or processing of the upstream VLC or Log Decoder system, so that it can be remedied before system resources are affected.

Improved Message Broker Logging

Improved log rotation management and reduced the amount of information logged for the message broker to reduce disk usage.

Improved Message Broker Resource Management

Improved the H&W message broker system resource limits to match the system’s available resources to reduce disk usage and memory resource issues.

Event Stream Analysis (ESA)

To Avoid Unnecessary Processing Overhead, the Ignore Case Option Is Not Available for Meta Keys that Are Not Real Strings

To avoid unnecessary processing overhead, the Ignore Case option has been removed from the ESA Rule Builder - Build a Statement dialog for meta keys that do not contain text data values. The Ignore Case option allows meta values being compared to match regardless of case differences existing between the two values (for example, "JOHN SMITH" matches "John Smith" if Ignore Case is in effect). Adding Ignore Case on meta keys that do not contain alphabetic values causes additional processing to occur for no added benefit. For example, using Ignore Case on IP Addresses (for example, ip_src and ip_dst) provides no value and causes a slowdown in processing. Effective in 11.3.1, only meta keys listed as Text fields in the NetWitness Core database index files will continue to have the Ignore Case option available.

Likewise, when using the advanced EPL Rules with ESA, care should be taken to only add the case-insensitive toLowerCase() function on meta keys as needed. The toLowerCase() function can cause significant performance decreases. Consider checking the Investigate Events view or the Event Analysis view to see the actual character case for meta fields and avoid unnecessary usage of the function.

Note: During an upgrade or update to version 11.3.1, NetWitness Platform does not modify existing rules, advanced EPL rules, or content rules for the Ignore Case option. If an existing Rule Builder rule has the Ignore Case option selected for a meta key that no longer has the option available, an error occurs if you try to edit the statement and try to save it again without clearing the checkbox.

ESA Automatically Adjusts the ESA Rule Statement Operator if an ESA Rule References a Meta Key that Changed from String to String Array

To support Endpoint and UEBA content as well as changes to ESA rules from Live, a data change from single-value (string) to multi-value (string array) was made for several meta keys within the ESA Correlation service in 11.3.

The following default string array meta keys included in the “multi-valued” parameter on the ESA Correlation service are required in version 11.3 and later and should not be removed:

action , alert , alert.id , alias.host , alias.ip , alias.ipv6 , analysis.file , analysis.service , analysis.session , boc , browserprint , cert.thumbprint , checksum , checksum.all , checksum.dst , checksum.src , client.all , content , context , context.all , context.dst , context.src , dir.path , dir.path.dst , dir.path.src , directory , directory.all , directory.dst , directory.src , email , email.dst , email.src , eoc , feed.category , feed.desc , feed.name , file.cat , file.cat.dst , file.cat.src , filename.dst , filename.src , filter , function , host.all , host.dst , host.orig , host.src , host.state , inv.category , inv.context , ioc , ip.orig , ipv6.orig , netname , OS , param , param.dst , param.src , registry.key , registry.value , risk , risk.info , risk.suspicious , risk.warning , threat.category , threat.desc , threat.source , user.agent , username

When updating or upgrading to NetWitness Platform 11.3 or later, some ESA Rules from Live must be updated to use array syntax and redeployed. For more information, see the Event Stream Analysis (ESA) tasks in the upgrade or update instructions.

After updating to 11.3 or later, some ESA Rule Builder rules that reference meta key types that changed in 11.3 from string to string array do not convert properly, fail to deploy, and must be updated manually. This can occur if the operator in the rule statement is also not adjusted for a string array type. In NetWitness Platform 11.3.1, ESA now automatically adjusts the operator in the rule statement when there is a change from string to string array.

Note: Advanced EPL rules may become disabled and are not automatically updated so they must be fixed manually.

To change the string type meta keys to string array type meta keys manually in 11.3.1, see “Configure Meta Keys as Arrays in ESA Correlation Rule Values” in the ESA Configuration Guide for RSA NetWitness Platform.

View Error Messages for Disabled ESA Rules in the NetWitness Platform User Interface

Administrators can check the status of ESA Rules in the ESA Rules section of the ESA rule deployment (go to CONFIGURE > ESA Rules > Rules tab, select a deployment in the options panel on the left, and go to the ESA Rules section). If a disabled rule has an error message, it now shows in the Status field. Hover over the rule to view the error message tooltip without going to the error log. For more information, see the Alerting with ESA Correlation Rules User Guide for RSA NetWitness Platform.

NetWitness Endpoint

RSA NetWitness Relay Enables Offline Reporting of NetWitness Endpoint Protected Hosts

Relay Servers (referred to as RAR in prior versions of RSA NetWitness Endpoint) extend NetWitness Platform’s visibility into endpoints while connected outside the corporate network. By configuring a relay in either the cloud or DMZ, any NetWitness Endpoint protected hosts can connect to the Relay Server to send updates on host activity and receive any time-sensitive response actions.  For more information, see the NetWitness Endpoint Configuration Guide for RSA NetWitness Platform.

Data Retention for Risk Scores

Analysts can retain risk score data for a specified amount of time before it is deleted. Data retention for risk scores is enabled by default, with the retention period configured for 30 days, to free up the disk space periodically. However, the amount of time risk score data is retained is configurable. For more information, see the NetWitness Respond Configuration Guide for RSA NetWitness Platform.


Configurable Event Analysis View Event Limit in the ADMIN > System > Investigation Panel

To optimize performance in Event Analysis, administrators can configure the default number of events loaded in the Events panel and then configure a lower limit for different user roles. For details, see "Configure Event Analysis View Settings" in the System Configuration Guide for RSA NetWitness Platform.

Result Messaging Provides Clarity on the Reason that Events Were Not Found in Investigate

To eliminate the potential for analysts to interpret false negative results as accurate, messaging in the Event Analysis view differentiates between no matches in the data set and other reasons for no data being found. The lack of events returned may be due to a meta key that is not recognized or data that is not indexed.

Configurable Clearing of the Reconstruction Cache in the Event Analysis View to Save Disk Space

Any Event Analysis view reconstruction cache older than 24 hours is automatically cleared every 24 hours at 3 a.m. to avoid filling up disk space and to clear data from the Investigate user interface. The administrator can change the interval to an interval greater than 24 hours. For additional information, see "Configure the Reconstruction Cache Clearing Interval for the Event Analysis View" in the System Configuration Guide for RSA NetWitness Platform.


Simplified Update Process for Incident Rule Schema

Instead of backing up the aggregation_rule_schema file manually before it is overwritten during an update, NetWitness Platform now automatically creates a backup file before refreshing the aggregation_rule_schema file. Any prior customizations can be copied from the automatic backup file to the new schema file.

If you added custom keys in the var/lib/netwitness/respond-server/data/aggregation_rule_schema.json file for use in the groupBy clause for 11.x, you can modify the /var/lib/netwitness/respond-server/data/aggregation_rule_schema.json file and add the custom keys from the automatic backup file. The backup file is located in /var/lib/netwitness/respond-server/data and it is in the following format: aggregation_rule_schema.json.bak-<time of the backup>.

NetWitness UEBA

Support for Linux as a Data Source

NetWitness UEBA now supports RedHat Linux as a data source.

Support for Failed Authentication of Network Logons

NetWitness UEBA supports alerts for failed authentication of network logons (Type 3) taken from Windows event 4625.

Increased Scale of Support for Customers with Large Numbers of Endpoint and Log Events

NetWitness UEBA has increased its scale of support for customers with large numbers of users (for example, 100,000 users) who generate large quantities of log and endpoint events.

Previous Topic:Introduction
Next Topic:Fixed Issues
You are here
Table of Contents > What's New