The RSA NetWitness Platform 11.5.2 release provides new features and enhancements for every role in the Security Operation Center.

Upgrade Paths

The following upgrade paths are supported for NetWitness Platform

  • RSA NetWitness Platform 11.3.x.x to*
  • RSA NetWitness Platform 11.4.x.x to
  • RSA NetWitness Platform 11.5.x.x to

* If you are upgrading from, or, you must upgrade to before you can upgrade to

If you are upgrading from NetWitness Platform version (10.6.6.x) or (11.2.x.x or below), you must upgrade to before you can upgrade to For more information, see the guides that apply to your environment.

For more information on upgrading to, see Upgrade Guide for RSA NetWitness Platform 11.5.2.


The following sections are a complete list and description of enhancements to specific capabilities:

To locate the documents referred to in this section, go to the RSA NetWitness Platform 11.x Master Table of Contents. Product Documentation has links to the documentation for this release.


Enhanced License Status

If your deployment is in a breach state, you can bring the state back to normal by keeping the usage in a compliant state for 7 consecutive days.

Endpoint Investigation

Extended Windows Agent Support for Windows 10 version 20H2

Extended agent support for Windows 10 version 20H2 (32 and 64-bit). For more information, see the NetWitness Endpoint Agent Installation Guide.

Investigation - SIEM and Network Detection & Response

Enhanced Query Builder UI

The following UI enhancements make the query bar more responsive and user friendly. These enhancements provide a visual aid that helps analysts to utilize filters more efficiently.

  • A filter awaiting input is highlighted with a blue color border. You can click X to delete the filter in the edit mode.

  • An invalid filter is highlighted with a red color border.

  • Guided filters display the associated new meta key icons.

  • Filters display unique icons that help analysts to distinguish among them. For example, in the following figure, the text search filter and the free-form filter are prefixed with unique icons.1152_RN.png

For more information on how to use filters and query bar, see the "Filter Results in the Events View" topic in the NetWitness Investigate User Guide.

Broker, Concentrator, Decoder and Log Decoder Services

Network Virtualization Enhancements

To further support enterprises that use network virtualization to segment their networks, the Decoder automatically performs decapsulation of the Virtual Extensible LAN (VXLAN) protocol. There is no configuration required to enable this functionality. When Decoder ingests network traffic available on UDP-4789, it analyzes the traffic for VXLAN and parses the decapsulated Ethernet frames.