Beacons to pendo.io
I just upgraded our servers to NetWitness 184.108.40.206 and noticed almost every page sends beacons to pendo.io:
Did NetWitness always do this? Is this new in 220.127.116.11?
What annoys me most about this is the referer header gives away our NetWitness URL including possible sensitive path (we use deep linking to the investigate module from other applications):
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept-Encoding: gzip, deflate, br
- Community Thread
- Forum Thread
- RSA NetWitness Endpoint
- RSA NetWitness Platform
I did some research using NetWitness (it is such a great tool) and it seems the beaconing to pendo.io was introduced (or significantly expanded) in NetWitness 18.104.22.168.
Well spotted and great use of the tool 🙂
It's to do with the Customer Experience Improvement Program that can be disabled under Admin > System > Info.
It seems to default *on* instead of *off* but I will let others comment on that.
Hope that helps!
Thanks! I found the CEIP setting and disabled it. I'm pretty sure we disabled this before in 11.3. Was it set to "on" again during the 11.4 upgrade? That's not cool.
Ok, I found in https://community.rsa.com/docs/DOC-111790 that in 11.4.1 the first admin login should receive a pop-up to enable this feature. We have 2 separate environments and there is no way we would have accidentally enabled CEIP in both of them. Seems like the pop-up idea didn't work but CEIP was enabled anyway. I'm glad we caught this now though.