The NetWitness Platform 220.127.116.11 release provides new features and enhancements for every role in the Security Operations Center. A few examples: usability improvements to the layout and labeling of the Respond and Incidents List views, improved native network parsers that identify HTTP/2 sessions, an update to CentOS 7.6 to take advantage of the latest security updates and improvements, improved endpoint visibility into remote console events, and support for WinRM in User and Entity Behavior Analytics. The following sections provide the complete list of enhancements to specific capabilities:
- Incident Response
- Core Services (Broker, Concentrator, Decoder, Archiver)
- Endpoint Investigation
- User and Entity Behavior Analytics
- Event Stream Analysis
- Log Collection
- Warehouse Connector
Key Incident Information and Workflow Actions are More Readily Accessible in the Respond View
Key information and actions in the Respond view are now more readily available, such as where to add notes, create tasks, and find related indicators.
Usability improvements to the Respond view layout and labeling provide the following benefits:
- Enables analysts to work more quickly and efficiently to resolve incidents.
- Reduces the amount of analyst training required.
- Reduces time to value.
Incidents List View Improvements
To access the Incidents List view, go to Respond > Incidents.
- Clicking on a row automatically selects the checkbox so that you can take actions on that row, such as changing the priority, status, or assignee. This reduces clicks and improves consistency with other tables in NetWitness Platform.
Incident Details View Improvements
To access the Incident Details view, go to Respond > Incidents and, in the Incidents List view, click the link in the ID or Name column for that incident.
- Journal and Tasks are more visible and easier to locate.
- The Journal is open by default on the right-side panel.
- The labeled ‘Journal & Tasks’ button enables easy access to notes and tasks without the need for training.
- The Related Indicators are now located on the left-side panel near the incident Indicators, where they are frequently used.
- The Indicators panel is now open by default when an analyst opens a new incident since it provides the analyst more valuable information than the Overview panel.
- In the nodal graph, you can now see file hash nodes for User and Entity Behavior Analytics (UEBA) events.
For more information, see the NetWitness Respond User Guide.
Network Parsers Identify and Tag HTTP/2 Sessions
NetWitness Platform native network parsers have been improved to identify HTTP/2 sessions and correctly tag them with the service=80 meta type. Currently, HTTP/2 support is limited to identification only.
Community ID Support
The Network Decoder generates Community ID flow hash values that are compatible with the Community ID specification defined by https://github.com/corelight/community-id-spec.
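As an added example, not code from these release notes or from RSA, the following Python implements the version-1 Community ID computation defined by the linked specification, so you can reproduce the Decoder's flow hash when correlating NetWitness sessions with Zeek or Suricata data. It covers TCP, UDP and SCTP over IPv4 or IPv6 and assumes the spec's default seed of 0; ICMP, which the spec maps through type/code pairs, is left out.

```python
import base64
import hashlib
import socket
import struct

# IANA protocol numbers for the bidirectional transports handled here
# (ICMP has its own type/code port mapping in the spec and is omitted).
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "sctp": 132}


def _pack_addr(addr: str) -> bytes:
    """Return the network-order bytes of an IPv4 or IPv6 address."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    return socket.inet_pton(family, addr)


def community_id_v1(saddr: str, daddr: str, sport: int, dport: int,
                    proto: str, seed: int = 0) -> str:
    """Compute the version-1 Community ID string for a flow 5-tuple."""
    proto_num = PROTO_NUMBERS[proto.lower()]
    sa, da = _pack_addr(saddr), _pack_addr(daddr)
    if len(sa) != len(da):
        raise ValueError("source and destination must be the same IP family")
    # Canonical ordering: the lower address (then the lower port) goes first,
    # so both directions of one flow produce the same ID.
    if not (sa < da or (sa == da and sport < dport)):
        sa, da, sport, dport = da, sa, dport, sport
    # Hash input: seed(16) | saddr | daddr | proto(8) | pad(8) | sport(16) | dport(16)
    payload = (struct.pack("!H", seed) + sa + da
               + struct.pack("!BBHH", proto_num, 0, sport, dport))
    digest = hashlib.sha1(payload).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    # Constructed sample flow: a client on 10.0.0.5 talking to a web server.
    print(community_id_v1("10.0.0.5", "192.0.2.10", 52100, 443, "tcp"))
    # The reply direction yields the identical ID.
    print(community_id_v1("192.0.2.10", "10.0.0.5", 443, 52100, "tcp"))
```

Feed it the ip.src, ip.dst, tcp.srcport, tcp.dstport and ip.proto values of a Decoder session to check the Decoder's Community ID against an external sensor that saw the same flow.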
Upgrade to CentOS 7.6 Version
RSA upgraded the Operating System (OS) version for NetWitness Platform from CentOS 7.4 to CentOS 7.6. This upgrade was required to keep current with the latest security updates and improvements in CentOS 7.6.
Visibility into Remote Console Events
Analysts can obtain complete visibility into commands executed remotely by an attacker on a compromised host using a reverse shell. The Windows agent has a new capability to capture and report commands passed to cmd.exe and powershell.exe process instances through anonymous pipes. Analysts can view these console events, tagged with the context value console.remote, in the Investigate > Navigate and Event Analysis views. For more information, see the NetWitness Endpoint User Guide.
Support for REST APIs
To enhance Security Orchestration, Automation, and Response (SOAR) capabilities and to integrate with other applications, NetWitness Platform provides a set of REST APIs for hosts and files. For more information, see the NetWitness Platform API User Guide.
Additional Data Source Support
NetWitness UEBA supports the WinRM (Windows Remote Management) data source, which enables data collection from NetWitness Endpoint agents. This enables the analyst to collect endpoint logs from remote systems and perform analytics to discover, investigate, and monitor risky behaviors across all users and entities in the network environment.
RSA made key performance improvements for ESA Correlation rule deployments:
- Improved analysis performance (EPS) when there are a large number of data sources.
- Improved aggregation speed, especially for data sources that suffer from high latency.
- Position Tracking for data sources now records every minute, reducing risk in error scenarios.
- Rules now deploy faster with better completion progress feedback.
- Improved resiliency and error handling during ESA rule deployment when data sources are slow or down.
Plugin Transform Parameter includeNullValueParameters Does Not Replace Null Tokens with an Empty String
RSA has added a parameter to the Transform XML file, which is used to create and configure plugins. The new parameter is includeEmptyValueParameters. When set to true, empty parameters, as well as empty lists, are included in the output of the transform. When set to false (the default), parsing excludes empty parameters from the output of the transform.
Additionally, the existing parameter includeNullValueParameters has been updated to behave as expected. Previously, this parameter incorrectly included or excluded empty-value parameters and did nothing for null-valued parameters. When set to true, it now includes null-valued items in the output of the transform. When set to false (the default), parsing excludes null-valued parameters from the output of the transform.
Aggregate Metadata and Raw Logs for a Log Session into an AVRO File
NetWitness Platform aggregates raw logs and metadata from the Log Decoder into a single AVRO file for faster access and easier analysis. The new parameter is export.logAndsession.avro.enabled. If set to yes, the raw logs and metadata are stored in a file named sessions-withlogs-*.avro under the sessions directory. If set to no (the default), they are stored in two separate folders, sessions and logs. For more information, see the Warehouse Connector Configuration Guide.