The RSA NetWitness Platform 11.5.1 release provides new features and enhancements for every role in the Security Operations Center.
The following upgrade paths are supported for NetWitness Platform 11.5.1:
- RSA NetWitness Platform 11.3.x.x to 11.5.1*
- RSA NetWitness Platform 11.4.x.x to 11.5.1
- RSA NetWitness Platform 184.108.40.206 to 11.5.1
- RSA NetWitness Platform 18.104.22.168 to 11.5.1
* If you are upgrading from 126.96.36.199 or 188.8.131.52, you must first upgrade to 184.108.40.206 before you can upgrade to 11.5.1.
If you are upgrading from NetWitness Platform 10.6.6.x, or from 11.2.x.x or earlier, you must first upgrade to 18.104.22.168 before you can upgrade to 11.5.1. For more information, see the guides that apply to your environment.
For more information on upgrading to 11.5.1, see the Upgrade Guide for RSA NetWitness Platform 11.5.1.
The following sections are a complete list and description of enhancements to specific capabilities:
- Investigation - SIEM and Network Detection & Response
- Endpoint Investigation
- User Entity Behavior Analytics
- Incident Response
- Endpoint Configuration
- Broker, Concentrator, Decoder and Log Decoder Services
- Administration and Configuration
- Log Collection
- Logstash Integration
To locate the documents referred to in this section, go to the RSA NetWitness Platform 11.x Master Table of Contents: https://community.rsa.com/docs/DOC-81328. Product Documentation has links to the documentation for this release.
JSON Viewer for Logs
With the Render JSON toggle switch enabled, JSON log data in the Events page renders as an easy-to-read tree instead of a raw text block, so analysts can identify nodes, node values, and the position of each node in the tree. The switch is enabled by default, and JSON snippets in a log event are detected and displayed in an expanded tree format. Logs that mix plain text and JSON are rendered this way in both the Respond and Investigate views.
For more information, see the "View a JSON String in Tree Format in the Text Tab" topic in the NetWitness Investigate User Guide.
Investigation Using the Event Time
Analysts can query and sort events directly by event time (the time the event occurred) instead of collection time (the time the Decoder received the event). Log and Endpoint events that were collected outside the time range in which they actually occurred now appear in the range where they happened, so analysts no longer have to widen a query to find them. For more information, see the NetWitness Investigate User Guide.
Manual Column Width Adjustments Automatically Apply
When analysts manually adjust the width of a column in the Events panel, the column width is preserved as a personal preference and is applied every time the column is used in the Events list, overriding any default column width. For more information, see the NetWitness Investigate User Guide.
Option to Add Multiple Filters Prior to Query
An analyst can build a query with multiple filters pivoting through the meta available in the Events Filter panel. For more information, see “Drill into Meta Values” in the NetWitness Investigate User Guide.
New Icons for Meta Keys
The Events page includes new unique icons for every meta key displayed in the Events query bar, Filter Events panel, and Event Meta reconstruction panel to help analysts recognize items while visually scanning the data available on the page. The icons use color to indicate meta key search capability and are categorized based on the family of metadata. For more information, see the NetWitness Investigate User Guide.
Springboard Panel Enhancements
- Panel rendering time is improved and memory usage is reduced: when the administrator adds panels or scrolls across the Springboard, only the displayed panels are loaded, not the hidden ones.
- Includes User's Trending Data (24 hours) and Trending Data (7 days) options in the UEBA panels.
- Includes drop-down filter options for menus such as Data Source and Meta Key.
For more information, see the "Managing the Springboard" topic in the NetWitness Platform Getting Started Guide.
Expanded Network Visibility with Endpoint Data Enrichment
Network events are further enriched with additional host information, including the alerts and process details associated with the enriched host values. This additional data lets an analyst investigate an event more efficiently. Examples:
- An analyst can use the Process Tree option to see the origin of a process and its associated process information.
- An analyst can use the Alerts section to see the alerts triggered on a host, with the alert, incident, and event counts associated with that host.
For more information, see "Examine Event Details in the Events View" in the NetWitness Investigate User Guide.
Improved Meta Group Usage while Filtering Events
Analysts can use meta groups more efficiently to control the options available in the Filter Events panel. The enhancements include:
- The meta group last used is kept instead of resetting to the default meta group.
- The default view (AUTO, OPEN, CLOSE, or HIDDEN) can be changed for all meta keys at once.
- The default meta group displays its list of meta keys and can be cloned.
For more information, see the NetWitness Investigate User Guide.
Below is an example showing the option to change the default view for all meta keys.
Performance Improvements while Filtering Events
To decrease the time taken to load the panel, estimated event counts (shown with >) and sizes (shown with ~) are enabled by default. Analysts can also view debug information that shows how long each service took to return the meta key values, which helps identify the services that might be causing latency. For more information, see the NetWitness Investigate User Guide.
Option to Download Files from Multiple Events
In the Events view, analysts can download the files attached to multiple selected events in one operation instead of one event at a time. The downloaded files are delivered in a password-protected zip file to limit exposure to potentially malicious content. For more information, see the NetWitness Investigate User Guide.
Below is an example showing the new Download Files option.
Enhanced Events Query Experience
If a query is canceled while the Filter Events panel is loading, analysts can resume it to load the remaining meta keys. While the panel loads, new messages indicate which meta keys will load next and whether the query has been canceled. For more information, see the NetWitness Investigate User Guide.
User Experience Improvements while Filtering Events
During review of meta key values, analysts can see the unit of measure when the values are sorted based on the event size. If analysts want to shift focus to one specific meta key, they can change their view so all other meta keys in the meta group are closed. For more information, see the NetWitness Investigate User Guide.
Extended Linux Agent Support with SUSE
Agent support is introduced for SUSE Linux Enterprise Server 12 SP5 and later, so RSA NetWitness can detect threats on hosts running SUSE Linux Enterprise Server. For more information, see the NetWitness Endpoint Agent Installation Guide.
User Profile Baselines
Modeled Behaviors give analysts insight into the usual daily activities of the users monitored by UEBA. UEBA identifies risky users by detecting abnormal behavior, which requires data to be processed over a period long enough to capture each user's normal activity. Unlike user alerts, Modeled Behaviors reflect a user's activities within a day of the service being configured. For example, if a user fails to log in several times within an hour because of incorrect credentials, analysts can see this as Failed Authentications for that user even if no anomaly was triggered. This lets analysts explore user behaviors that do not rise to a critical level. For more information, see "View Modeled Behaviors" in the NetWitness UEBA User Guide.
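As an added example (not RSA's code or documentation), the Python below shows why the two timestamps in "Investigation Using the Event Time" matter and what a daily Failed Authentications behavior looks like before any anomaly fires. The log lines, the field names `event_time`, `collect_time`, `user`, `action` and `result`, and the one-hour bucket are constructed for illustration and are not NetWitness meta keys. Two of the constructed events reach the Decoder more than an hour after they were generated, so a 09:00 to 10:00 query by collection time misses them while the same query by event time does not.

```python
from collections import Counter
from datetime import datetime, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample logs (not real NetWitness data); the field names are
# assumptions for this example.  Lines 3 and 5 reached the Decoder more
# than an hour after they were generated, so collection order differs
# from event order.
SAMPLE_LOGS = [
    "event_time=2021-03-02T09:05:12Z collect_time=2021-03-02T09:05:13Z user=alice action=logon result=failure",
    "event_time=2021-03-02T09:07:40Z collect_time=2021-03-02T09:07:41Z user=alice action=logon result=failure",
    "event_time=2021-03-02T09:12:03Z collect_time=2021-03-02T10:41:30Z user=alice action=logon result=failure",
    "event_time=2021-03-02T09:30:00Z collect_time=2021-03-02T09:30:01Z user=bob action=logon result=success",
    "event_time=2021-03-02T09:55:19Z collect_time=2021-03-02T10:45:02Z user=alice action=logon result=failure",
    "event_time=2021-03-02T10:03:10Z collect_time=2021-03-02T10:03:11Z user=alice action=logon result=success",
]


def parse_ts(value):
    """ISO-8601 UTC timestamp string -> aware datetime."""
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)


def parse_line(line):
    """Split a key=value line into a dict and convert both timestamps."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["event_time"] = parse_ts(fields["event_time"])
    fields["collect_time"] = parse_ts(fields["collect_time"])
    return fields


def ordered_users(lines, by="event_time"):
    """Users in the order their events sort under the chosen timestamp."""
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e[by])
    return [e["user"] for e in events]


def count_in_window(lines, start, end, by="event_time"):
    """Number of events whose chosen timestamp falls in [start, end)."""
    lo, hi = parse_ts(start), parse_ts(end)
    return sum(1 for ln in lines if lo <= parse_line(ln)[by] < hi)


def failed_auth_per_hour(lines):
    """Hourly failed-logon counts per user, bucketed on event time: the
    kind of daily behavior a baseline is built from, anomaly or not."""
    counts = Counter()
    for e in (parse_line(ln) for ln in lines):
        if e["action"] == "logon" and e["result"] == "failure":
            hour = e["event_time"].strftime("%Y-%m-%dT%H:00Z")
            counts[(e["user"], hour)] += 1
    return dict(counts)


if __name__ == "__main__":
    window = ("2021-03-02T09:00:00Z", "2021-03-02T10:00:00Z")
    print("by event time:     ", count_in_window(SAMPLE_LOGS, *window))
    print("by collection time:", count_in_window(SAMPLE_LOGS, *window, by="collect_time"))
    print(failed_auth_per_hour(SAMPLE_LOGS))
```

The 09:00 to 10:00 window holds five events by event time but only three by collection time, and the baseline records four failed logons for alice in that hour even though nothing about them is individually alarming.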
Improved the User Entity Behavior Analytics Incident Rule
The User Entity Behavior Analytics incident rule groups alerts by both UEBA Classifier ID and UEBA Entity Name. The incident name that the rule creates automatically contains the user-friendly UEBA Entity Name instead of the UEBA Classifier ID.
In addition, the User Entity Behavior Analytics incident rule default priority threshold ranges are consistent with the severity ranges in NetWitness UEBA.
|Priority Threshold||Default Value|
For example, with the Critical priority set to 98, incidents with a risk score of 98 or higher are assigned a Critical priority for this rule.
For more information, see “Update the User Entity Behavior Analytics Incident Rule Priority Thresholds, Grouping Options, and Title” in Set Up and Verify Default Incident Rules.
Added Option to Select CPU Utilization for Manual Scans
On-demand host scans let analysts choose how much CPU the agent may use. Analysts use the CPU Maximum slider to select a CPU percentage, and the agent keeps its usage at or below that value while it takes the latest snapshot. This balances quick snapshot creation against CPU load on the host. For more information, see "Scan Hosts" in the NetWitness Endpoint User Guide.
Expanded Selective Network Data Collection
Administrators can choose to collect from 41 new protocols available in the collection policies. A new detail panel displays a preview of the policy with the following information:
- Decoders that received the policy
- Protocol rules in the policy
- Last policy update (time and user)
For more information, see "Supported Protocols for Selective Network Data Collection" topic in Decoder Configuration Guide for RSA NetWitness Platform.
Improved search experience with N-gram free-text search
The N-gram functionality is enabled by default to improve the free-text search experience. It allows analysts to search sub-strings of text, giving more accurate results with a minimal index size increase compared to previous N-gram implementations. By default, this applies only to unparsed logs that the log tokenizer on the Log Decoder processes to generate word metadata.
For more information, see "ngrams" in the Core Database Tuning Guide for RSA NetWitness Platform.
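The following Python, added here as an illustration rather than taken from the product or its documentation, shows the mechanism an N-gram index provides: words from unparsed log text are keyed by their length-N windows (N=3 is an assumption for the example; the platform's own setting is documented under "ngrams"), a sub-string query intersects the posting lists of its own N-grams and then verifies each candidate, and the key count is compared with a naive index of every token sub-string. The log lines are constructed.

```python
from collections import defaultdict
import re

N = 3  # assumed n-gram length for this example

# Constructed unparsed log lines (not real data).
SAMPLE_LOGS = [
    "Failed password for invalid user svc_backup from 10.20.30.40 port 51122 ssh2",
    "Accepted publickey for alice from 10.20.30.41 port 50000 ssh2",
    "kernel: ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen",
    "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh rhost=10.20.30.42",
]


def tokenize(text):
    """Word metadata as a log tokenizer might emit it: lower-cased runs of
    letters, digits and a few punctuation characters."""
    return re.findall(r"[a-z0-9_.\-]+", text.lower())


def ngrams(word, n=N):
    """All length-n windows of a word (the word itself if it is not longer)."""
    if len(word) <= n:
        return {word}
    return {word[i:i + n] for i in range(len(word) - n + 1)}


def build_index(lines, n=N):
    """n-gram -> set of line ids.  Only n-grams are keyed, not every
    sub-string, which is what keeps the index small."""
    index = defaultdict(set)
    for doc_id, line in enumerate(lines):
        for word in tokenize(line):
            for gram in ngrams(word, n):
                index[gram].add(doc_id)
    return index


def search(index, lines, needle, n=N):
    """Line ids whose word metadata contains `needle` as a sub-string.
    Intersect the posting lists of the needle's n-grams, then verify each
    candidate: sharing every n-gram is necessary, not sufficient."""
    needle = needle.lower()
    if len(needle) < n:
        # Too short to own an n-gram; a real engine needs a fallback too.
        return [d for d, line in enumerate(lines)
                if any(needle in w for w in tokenize(line))]
    candidates = None
    for gram in ngrams(needle, n):
        posting = index.get(gram, set())
        candidates = posting if candidates is None else candidates & posting
        if not candidates:
            return []
    return sorted(d for d in candidates
                  if any(needle in w for w in tokenize(lines[d])))


def all_substrings(lines):
    """Distinct token sub-strings: the key count a naive sub-string index
    would need, for comparison with len(build_index(lines))."""
    subs = set()
    for line in lines:
        for w in set(tokenize(line)):
            subs.update(w[i:j] for i in range(len(w)) for j in range(i + 1, len(w) + 1))
    return subs


if __name__ == "__main__":
    idx = build_index(SAMPLE_LOGS)
    for needle in ("ssh", "_backup", "10.20.30", "failure", "x0"):
        print(f"{needle!r:12} -> lines {search(idx, SAMPLE_LOGS, needle)}")
    print(f"{len(idx)} trigram keys vs {len(all_substrings(SAMPLE_LOGS))} sub-string keys")
```

The query "failure" illustrates the verification step: line 0 ("Failed") shares the trigrams "fai" and "ail" with the needle, but the remaining trigrams prune it before the final check; the query "x0" is shorter than N and cannot be answered from the index at all.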
RAID Configuration for PowerVault and DACs
When allocating PowerVault storage to a Decoder or Log Decoder, users have a configuration option to include a hot spare. For more information, see the "Storage Configuration Tasks" topic in the Storage Guide for RSA NetWitness Platform.
Enhanced JSON Log Mapping (BETA)
JSON Log Mapping now adds mappings for the JSON nodes in a log automatically. You only have to choose the meta for a node and no longer have to enter the mapping's name and path manually.
After you complete the JSON log mappings, the mapped JSON nodes and values are highlighted in green in the JSON tree so you can see which nodes are mapped. Once the nodes you need are mapped, you can quickly remove the unmapped JSON nodes. For more information, see the "Auto Discover JSON Mappings" topic in the Log Parser Customization Guide for RSA NetWitness Platform.
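The tree view described above under "JSON Viewer for Logs" and the auto-discovered mappings here rest on the same work: find the JSON embedded in a mixed log line, walk it as a tree with a path for every node, then record a name and path for the nodes the analyst selects. The Python below, an added example and not RSA's implementation, does that for a constructed log line; the meta keys `user.dst`, `ip.src` and `result` chosen for three nodes are assumed for the illustration, and a `*` stands in for the green highlight.

```python
# Mixed text + JSON log line -> segments, tree view, auto-derived mappings.
import json

# Constructed: syslog-style prefix, one JSON object, trailing text.
SAMPLE_LOG = (
    "Mar 02 09:05:12 gw01 audit[4711]: logon attempt "
    '{"event":{"type":"logon","result":"failure",'
    '"user":{"name":"alice","id":1001},'
    '"src":{"ip":"10.20.30.40","port":51122},'
    '"tags":["ssh","external"]}} trailing=text'
)


def _balanced_end(text, start):
    """Index just past the '}' that closes the object opening at text[start],
    ignoring braces inside quoted strings; None if the braces never balance."""
    depth, in_str, esc = 0, False, False
    for j in range(start, len(text)):
        c = text[j]
        if in_str:
            in_str, esc = (c != '"' or esc), (c == "\\" and not esc)
        elif c == '"':
            in_str = True
        elif c in "{}":
            depth += 1 if c == "{" else -1
            if depth == 0:
                return j + 1
    return None


def segments(text):
    """Split a line into ('text', str) and ('json', obj) pieces, in order.
    A brace run that is not valid JSON stays text."""
    out, i, tail = [], 0, 0
    while i < len(text):
        end = _balanced_end(text, i) if text[i] == "{" else None
        if end is not None:
            try:
                obj = json.loads(text[i:end])
            except ValueError:
                obj = None
            if obj is not None:
                if i > tail:
                    out.append(("text", text[tail:i]))
                out.append(("json", obj))
                i = tail = end
                continue
        i += 1
    if tail < len(text):
        out.append(("text", text[tail:]))
    return out


def _children(node):
    """(key, child) pairs for dicts and lists; leaves have none."""
    if isinstance(node, dict):
        return list(node.items())
    return list(enumerate(node)) if isinstance(node, list) else []


def _child_path(prefix, key):
    return f"{prefix}[{key}]" if isinstance(key, int) else (f"{prefix}.{key}" if prefix else key)


def flatten(node, prefix=""):
    """{'event.user.name': 'alice', 'event.tags[0]': 'ssh', ...}"""
    kids = _children(node)
    if not kids:
        return {prefix: node}
    return {p: v for k, c in kids for p, v in flatten(c, _child_path(prefix, k)).items()}


def render_tree(node, mapped=frozenset(), prefix="", depth=0):
    """Expanded tree view; mapped nodes carry a '*' where the UI shows green."""
    lines = []
    for key, child in _children(node):
        path = _child_path(prefix, key)
        mark = "*" if path in mapped else " "
        if _children(child):
            lines.append(f"{mark} {'  ' * depth}{key}:")
            lines.extend(render_tree(child, mapped, path, depth + 1))
        else:
            lines.append(f"{mark} {'  ' * depth}{key}: {child!r}")
    return lines


def build_mappings(obj, selections):
    """selections = {json path: meta key} picked in the tree; the mapping
    name (leaf key) and path are derived rather than typed by the user."""
    flat = flatten(obj)
    return [{"name": path.rsplit(".", 1)[-1], "path": path, "meta": meta,
             "sample": flat[path]} for path, meta in selections.items()]


def prune_unmapped(node, mapped, prefix=""):
    """Drop every node that is not on the way to a mapped leaf."""
    kids = _children(node)
    if not kids:
        return node
    kept = {} if isinstance(node, dict) else []
    for key, child in kids:
        path = _child_path(prefix, key)
        if any(m == path or m.startswith((path + ".", path + "[")) for m in mapped):
            if isinstance(kept, dict):
                kept[key] = prune_unmapped(child, mapped, path)
            else:
                kept.append(prune_unmapped(child, mapped, path))
    return kept


if __name__ == "__main__":
    obj = next(o for kind, o in segments(SAMPLE_LOG) if kind == "json")
    chosen = {"event.user.name": "user.dst", "event.src.ip": "ip.src", "event.result": "result"}
    print("\n".join(render_tree(obj, frozenset(chosen))))
    print(build_mappings(obj, chosen), prune_unmapped(obj, frozenset(chosen)), sep="\n")
```

The brace scanner honours quoted strings, so a `}` inside a value does not end the object early, and a brace run that fails to parse is left as plain text rather than dropped, which is the behaviour you want when a log mixes prose with JSON.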
NetWitness Export Connector
NetWitness Platform 11.5.1 introduces NetWitness Export Connector 1.0, an input plugin for Logstash that exports NetWitness Platform events and routes them to the destination of your choice as a stream, giving you the flexibility to unlock a variety of downstream use cases. For more information, see the NetWitness Export Connector Installation and Configuration Guide for RSA NetWitness Platform.
Enhanced License Details
- Admins can check the compliance status of newly introduced Meta-only licenses.
- Usage data for Throughput license is consolidated and organized to show details of multiple statistics that are used to measure the compliance of the network throughput licenses. For more information, see the Licensing Management Guide.
Throughput License Calculation Changes
NetWitness Platform 11.5.1 includes fixes to the metrics used to report Network (Packet) Throughput usage. The license metrics include the overall network traffic analyzed and the raw network data stored after analysis. Your Network Throughput License usage may therefore increase, which may cause license violation banners in some situations. Out-of-Compliance notifications for Network Throughput licenses have been temporarily adjusted to delay the license violation banner by 45 days. For more information, see the Licensing Management Guide.