This section describes the new features that you can enable in 11.4.1. For a complete list of new features in this release, see the Release Notes for RSA NetWitness Platform 11.4.1. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents.
Customer Experience Improvement Program
The RSA NetWitness Platform Customer Experience Improvement Program (CEIP) is an initiative to continuously improve RSA NetWitness Platform. When enabled by the customer, the CEIP performs analytics about how individual users work in RSA NetWitness Platform without interrupting their workflow or personally identifying users. RSA considers these analytics when making decisions about new features and enhancements to prioritize in upcoming releases. For more information, see "Configure the Customer Experience Improvement Program" in the System Configuration Guide.
Improved Email Reconstruction in the Events View
Analysts can now reconstruct email sessions directly in the Events view. For more information, see "Reconstruct an Event in the Events View" in the Investigate User Guide.
Intra-session and Related Events Grouped in the Events View
To more easily detect relationships in captured data, you can group events from split and related sessions in the Events and Legacy Events views. The user interface helps you identify the leading event and subsequent events by nesting subsequent events under the leading event. For more information, see "Group Events from Split and Related Sessions in the Events and Legacy Events Views" in the Investigate User Guide.
Configurable Event Analysis View Event Limit
To optimize performance in Event Analysis, administrators can configure the default number of events loaded in the Events panel, and then configure a lower limit for different user roles. For more information, see "Configure Event Analysis View Settings" in the System Configuration Guide for RSA NetWitness Platform.
Faster and Easier Query Building in the Events View
The user interface for creating filters and building queries continues to evolve to support faster creation of filters with several new time-saving features. For more information, see "Filter Events in the Events View" in the Investigate User Guide.
Configure Custom Certificates on Log Collectors and Log Decoders
You can configure custom certificates for the syslog listener on Log Collectors and Log Decoders. This enables you to put your own trusted certificate in place for the syslog listener, while all other functionality uses the pre-installed certificates. For more information, see "(Optional) Configure Custom Certificates on Log Collectors" in the Log Collection Configuration Guide and "(Optional) Configure Custom Certificates on Log Decoders" in the Decoder Configuration Guide.
Event Source Visualization and Search Improvements
You can search event sources on Log Collectors by IP address, hostname, or Name to easily view the required sources. Historical graphs and other information have been moved to Event Sources Management from Health & Wellness. For more information, see the Event Sources Management User Guide.
SSO Authentication is Supported for Analyst UI Deployments
Single Sign-On (SSO) is supported for analysts in deployments with multiple NetWitness Platform User Interface instances.
Simplified Management of the deploy_admin Account
The deploy_admin account is a password-based system account that is used on every NetWitness Platform host, and must be kept synchronized between all hosts. Its password can require periodic updating depending on your deployment environment policies. Starting with 11.4.1, the deploy_admin password is centrally managed with the nw-manage script on the NW Server. Running the nw-manage script updates the password on all NetWitness Platform component hosts that use the deploy_admin account. For more information, see "Manage the deploy_admin Account" in the System Maintenance Guide.
Change the IP Address of the Warm Standby NW Server
If your secondary NW Server must have a different IP address from your primary NW Server, you can use a manual procedure for failover that enables you to change the IP address of the Warm Standby NW Server. This procedure is documented in "Fail Over Primary NW Server to Secondary NW Server with Different IP Address" in the Deployment Guide.
Support to Forward High-Risk Usernames to RSA SecurID Access
With the NetWitness Platform Integration with RSA SecurID Access, the NetWitness Respond server can now also send the Active Directory username of high-risk users from incidents to RSA SecurID Access. To configure this metadata on the Respond Server, see the Respond Configuration Guide.
ESA Rule Deployment Troubleshooting Metrics are Available Through Nw-Shell
You can use Nw-Shell to view ESA Correlation Server metrics for each of your ESA rule deployments. These metrics show the number of sessions that the deployment data sources are behind, as well as the memory usage for the rules in the deployment. For more information, see "Obtain Correlation Server Metrics for ESA Rule Deployment Troubleshooting Using Nw-Shell" in the Alerting with ESA Correlation Rules User Guide.