000035244 - Why are some IIOCs disabled (or set to not active) in RSA NetWitness Endpoint?

Document created by RSA Customer Support Employee on Jun 20, 2017
Version 1

Article Content

Article Number: 000035244
Applies To:
RSA Product Set: ECAT, NetWitness Endpoint
RSA Product/Service Type: Console
RSA Version/Condition: 4.3.x, 4.2.x, 4.1.x
Issue: Why are some IIOCs disabled (set to not active), and why does an inactive IIOC that has been activated revert to inactive after an upgrade?

The reason some IIOCs ship inactive is explained on page 103 of the RSA NetWitness Endpoint 4.3 User Guide.
In short, when an IIOC is added to the list, two factors are weighed: how much value it adds to the product (how useful it is in the general case) and what impact it has on overall performance. An IIOC's default state (active or inactive) reflects that trade-off, so an IIOC that is useful in a particular environment may still ship inactive because it is too noisy or too costly to evaluate for the general case.

The list of inactive IIOCs may change with each upgrade. An IIOC that you activated manually reverts to its default (inactive) state after an upgrade, so record which IIOCs you have activated before upgrading and re-activate them afterwards.
Note: the Alertable setting is not reset by an upgrade. If an IIOC has been set to generate an alert, that setting is preserved even though the active state is reset.
(For example, if you set an IIOC to active and alertable and then upgrade RSA NetWitness Endpoint, the IIOC is reset to its default inactive state but remains alertable. An alertable IIOC only raises alerts while it is active, so it must be re-activated before it will alert again.)
In the screenshot below, prior to an upgrade the "Uncommon executable extension" IIOC was activated and set to be alertable. After upgrading, the IIOC reverted to inactive but is still marked as alertable.

Screenshot: list of inactive IIOCs, one of which ("Uncommon executable extension") is still marked alertable after the upgrade
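Because the active flag is reset by an upgrade while the alertable flag is kept, the practical check is to snapshot the IIOC list before and after upgrading and reconcile the two. The script below is an added example written for this article, not RSA tooling and not an RSA export format: it assumes each snapshot is a CSV with the columns name, active and alertable (an assumed layout), and the sample rows other than "Uncommon executable extension" are constructed placeholder names. It reports the IIOCs that reverted to inactive (the ones to re-enable), any that unexpectedly lost their alertable setting, and any IIOCs that are new after the upgrade and should be reviewed.

```python
"""Reconcile IIOC state across an RSA NetWitness Endpoint upgrade.

Added example, not RSA code. The CSV layout (name,active,alertable) is an
assumption made for this example; adapt parse_snapshot() to whatever export
you actually capture from the console.
"""
import csv
import io

# Constructed sample snapshots (assumed layout, placeholder IIOC names).
PRE_UPGRADE = """name,active,alertable
Uncommon executable extension,true,true
Example IIOC 2,true,false
Example IIOC 3,false,false
Example IIOC 4,true,true
"""

# After the upgrade: manually activated IIOCs are back to inactive,
# the alertable flag survived, and a new IIOC appeared in the list.
POST_UPGRADE = """name,active,alertable
Uncommon executable extension,false,true
Example IIOC 2,true,false
Example IIOC 3,false,false
Example IIOC 4,false,true
Example IIOC 5,false,false
"""


def parse_snapshot(text):
    """Parse CSV text into {name: (active, alertable)} with real booleans."""
    rows = csv.DictReader(io.StringIO(text))
    snapshot = {}
    for row in rows:
        active = row["active"].strip().lower() == "true"
        alertable = row["alertable"].strip().lower() == "true"
        snapshot[row["name"].strip()] = (active, alertable)
    return snapshot


def reconcile(pre, post):
    """Classify differences between a pre- and post-upgrade snapshot.

    reverted:    active before, inactive after -> re-enable these
    lost_alert:  alertable before, not alertable after -> unexpected per the
                 article (alertable should persist), so flag for investigation
    new:         present only after the upgrade -> review default state
    removed:     present only before the upgrade
    """
    common = set(pre) & set(post)
    return {
        "reverted": sorted(n for n in common if pre[n][0] and not post[n][0]),
        "lost_alert": sorted(n for n in common if pre[n][1] and not post[n][1]),
        "new": sorted(set(post) - set(pre)),
        "removed": sorted(set(pre) - set(post)),
    }


def iiocs_to_reenable(pre_text, post_text):
    """Convenience wrapper: names that need to be set active again."""
    return reconcile(parse_snapshot(pre_text), parse_snapshot(post_text))["reverted"]


if __name__ == "__main__":
    report = reconcile(parse_snapshot(PRE_UPGRADE), parse_snapshot(POST_UPGRADE))
    for category, names in report.items():
        print(f"{category}: {names}")
```

Run it against your own two exports; anything listed under "reverted" is what the upgrade switched off, and anything under "lost_alert" contradicts the documented behaviour and is worth a support case rather than a silent fix.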