Skip navigation
All Places > Products > RSA NetWitness Platform > RSA NetWitness Platform Online Documentation > Documents
Log in to create and rate content, and to follow, bookmark, and share content with other members.

Upgrade Guide 11.5: Upgrade Overview

Document created by RSA Information Design and Development Employee on Sep 9, 2020Last modified by RSA Information Design and Development Employee on Nov 24, 2020
Version 5Show Document
  • View in full screen mode

RSA NetWitness Platform provides enhancements and fixes for all products in NetWitness Platform. The instructions in this guide apply to both physical and virtual hosts (including AWS, Azure Public Cloud, and Google Cloud Platform) unless stated to the contrary.

In 11.5, NetWitness Platform has several new features in the user interface. Administrative tasks are consolidated as icons in the upper right corner to keep administration, configuration, notifications, jobs, and user preferences together. The following figure shows the new top-level navigation. For additional information, refer to "NetWitness Platform Basic Navigation" in the NetWitness Platform Getting Started Guide.

Upgrade Paths

The following upgrade paths are supported for NetWitness Platform

  • RSA NetWitness Platform 11.3.x.x to *
  • RSA NetWitness Platform 11.4.x.x to

* If you are upgrading from 11.2.x.x,, or, you must upgrade to before you can upgrade to 11.5.

If you are upgrading from NetWitness Platform version 10.6.6.x, you must upgrade to before you can upgrade to 11.5.

For upgrading from 10.6.6.x to, see the following guides that apply to your environment:

For upgrading from 11.2.x.x,, or, see the Upgrade Guide for RSA NetWitness Platform This guide applies to both physical and virtual hosts (including AWS and Azure Public Cloud).

Running in Mixed Mode

Running in mixed mode occurs when some services are upgraded to the latest version and some services are on older versions. See "Running in Mixed Mode" in the RSA NetWitness Platform Hosts and Services Getting Started Guide for further information.

Note: If you are running Endpoint Log Hybrid in mixed mode, make sure Endpoint Broker is on the same version as one of the Endpoint Servers.

Upgrade Considerations for ESA Hosts

Mixed mode is not supported for ESA hosts in NetWitness Platform version 11.5 and later.

IMPORTANT: The NetWitness server, ESA primary host, and ESA secondary host must all be on the same NetWitness Platform version.

Upgrade Considerations for ESA Analytics

The Event Stream Analytics Server (ESA Analytics) service is not supported or available in NetWitness Platform version 11.5 and later. The Whois Lookup Configuration and ESA Analytics Mapping panels are no longer in the user interface (Admin > System).

Note: Event Stream Analysis (ESA) is not end of life. ESA Correlation rules and the ESA Correlation service are supported. ESA Analytics, which is used for Automated Threat Detection, is different from ESA Correlation Rules and is EOL. In its place, you can use ESA Correlation as is offers more functional capabilities and better performance.

Upgrade Considerations for STIX Custom Feeds

The custom feeds created before version 11.5 are processed automatically. On upgrade, the data sources created for ADHOC, REST and TAXII server and the feeds are pulled automatically. See "Create a STIX Custom Feed" in the RSA NetWitness Platform Live Service Management Guide and "Configure STIX as a Data Source" in the RSA NetWitness Platform Context Hub Configuration Guidefor further information.

Change to Column Groups in the Events View

To improve consistency when loading results in the Events view, the number of columns in a column group is limited to 40.

If you are upgrading from version 11.4 or later, after you upgrade to 11.5, column groups migrated to the Events view from the Legacy Events view still function with more than 40 columns. However, when you edit those groups, you receive a warning that tells you to reduce the number of columns below the limit of 40 columns.

Upgrade or install Windows Legacy Collection

Refer to the Windows Legacy Collection Guide for RSA NetWitness 11.x (

Note: After you update or install Windows Legacy Collection, reboot the system to ensure that Log Collection functions correctly.

Feedback on Product Documentation

You can send an email to to provide feedback on NetWitness Platform documentation.

You are here
Table of Contents > Overview