The RSA NetWitness Platform Customer Experience Improvement Program (CEIP) is an initiative to continuously improve RSA NetWitness Platform. When a customer enables this program, the CEIP performs analytics about how individual users work in RSA NetWitness Platform without interrupting their workflow or personally identifying users. As part of this program, RSA gains insights on your deployment and license usage and analytics on pages viewed and actions taken. RSA uses these analytics when making decisions about new features and enhancements to prioritize in upcoming releases. For more information, see Configure the Customer Experience Improvement Program.
Note: In Version 11.4.0.x and earlier, RSA Live Feedback had an option to enable Additional Feedback Insights. This option is no longer available as a separate configurable option because it is included as part of CEIP.
Enhanced Performance for Faster Event Investigation
Extensive performance enhancements in Investigate provide faster page loads, reconstructions, and right-click response time within a tab in the Events view.
Improved Email Reconstruction in the Events View
The email reconstruction in the Events view has been redesigned for ease of use so that an analyst can reconstruct email sessions directly from the Events view, similar to the email reconstruction flow in the Legacy Events view. For more information, see Reconstruct an Event in the Events View.
Intra-session and Related Events Grouping in the Events View
In the Events view, events from split sessions and related sessions are listed in the order they were parsed by default. As a result, related events are not always listed together. Split sessions exist for one of these reasons:
The original event was split into sub-parts by creating additional events for each transaction inside the original event.
The original session was split as it was ingested into the Network Decoder because the size was larger than the Assembler Maximum Size (default=32 MB).
The original session was split as it was ingested into the Network Decoder because the time was longer than the Assembler Timeout Session (default=60 sec).
Related events are not the same as split sessions. Related events are grouped together to highlight events that are worthy of scrutiny based on a pattern. Each event has the same source IP address, the same destination IP address, the same source port, and the same destination port.
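The grouping rule stated above (same source IP, destination IP, source port, and destination port) is easy to reproduce when post-processing an exported event list. The following is an added example, not code from RSA or the NetWitness Platform; the event records, the meta key names `ip.src`, `ip.dst`, `tcp.srcport`, `tcp.dstport`, and the `id` parse-order field are all constructed for illustration. It keeps parse order inside each group and places a group where its first member appeared, and it gives events that lack one of the four fields (for example a session with no ports) their own singleton group rather than lumping them together.

```python
# Added example: group already-parsed events by the 4-tuple that the release
# notes say related events share, without losing parse order.

# Meta keys assumed for this example (constructed names, not from the page).
RELATED_KEYS = ("ip.src", "ip.dst", "tcp.srcport", "tcp.dstport")

# Constructed sample events in parse order; "id" stands in for parse order.
SAMPLE_EVENTS = [
    {"id": 1, "ip.src": "10.0.0.5", "ip.dst": "192.0.2.10", "tcp.srcport": 51000, "tcp.dstport": 443},
    {"id": 2, "ip.src": "10.0.0.7", "ip.dst": "192.0.2.20", "tcp.srcport": 52000, "tcp.dstport": 80},
    {"id": 3, "ip.src": "10.0.0.5", "ip.dst": "192.0.2.10", "tcp.srcport": 51000, "tcp.dstport": 443},
    {"id": 4, "ip.src": "10.0.0.9", "ip.dst": "192.0.2.30"},  # no ports: cannot be related
    {"id": 5, "ip.src": "10.0.0.5", "ip.dst": "192.0.2.10", "tcp.srcport": 51000, "tcp.dstport": 443},
]


def related_key(event):
    """Return the grouping key for an event.

    Events missing any of the four fields get a unique key built from their
    own id, so they never collapse into one bogus 'unknown' group.
    """
    if any(k not in event for k in RELATED_KEYS):
        return ("ungrouped", event["id"])
    return tuple(event[k] for k in RELATED_KEYS)


def group_related(events):
    """Group events sharing the same 4-tuple.

    Python dicts preserve insertion order, so each group is placed where its
    first member was parsed and members stay in parse order within the group.
    """
    groups = {}
    for event in events:
        groups.setdefault(related_key(event), []).append(event)
    return list(groups.values())


def reorder_related(events):
    """Flatten the groups so related events are listed side by side."""
    return [event for group in group_related(events) for event in group]


if __name__ == "__main__":
    for group in group_related(SAMPLE_EVENTS):
        print([e["id"] for e in group])
```

The flattened order for the sample above is 1, 3, 5, 2, 4: the three events sharing the first 4-tuple move together, while the port-less event stays alone.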
Faster and Easier Query Building in the Events View
The user interface for creating filters and building queries continues to evolve to support faster creation of filters. For more information, see Filter Results in the Events View.
The powerful auto-completion features and suggested values of Guided Mode and the ability to type or paste a free-form query are fully integrated without switching modes. The parser interprets typed and pasted text to create either simple or free-form filters in the query bar. If you type a meta key-operator-value sequence and you continue typing without pressing Enter, the Free-Form option is automatically used so that you can continue typing the query.
A new option to copy the entire query to the local clipboard is available. You can select a single filter, right-click it, and then Copy entire query. You can share the clipboard contents with other analysts or paste it in the query bar.
While creating a filter in the Events view query bar, you can use keyboard commands to select all filters (Cmd-A for MacOS, Ctrl-A for Windows) and then copy the selection to the clipboard (Cmd-C for MacOS, Ctrl-C for Windows). The clipboard text is available to share with other analysts or to paste in the query bar (Cmd-V for MacOS, Ctrl-V for Windows).
To improve the user experience when typing a query, the filter entry form accepts the following operators typed with no separating space after the meta key: !=, =, <, <=, >, and >=. Filters in the query bar need a space between the meta key and the operator, and between the operator and the value. Most operators must be typed with a separating space in the filter entry form in order to use the auto-suggest functions for operators and values. When you type one of these operators with no separating space, a value is auto-suggested as usual and a space is added between the meta key and the operator.
New Ability to View Unsorted Events List in the Events View
In addition to sorting events in ascending and descending order, you can set a preference to list events unsorted, as processed by the Core services. Unsorted is faster because it streams back the events as soon as a match is found versus waiting for all Core services to respond and then displaying them in the chosen order. When Unsorted is selected, the oldest portion of events is matched and then listed unsorted. For more information, see Configure the Events View.
Better Column Sorting Controls
The column sorting controls in the Events list are easier to see and use. More prominent arrows allow selection of ascending or descending sort order for a column, and you can revert to an unsorted column easily by clicking the already selected sort arrow a second time. For more information, see Use Columns and Column Groups in the Events List.
Decoder, Log Decoder, and Log Collector Services
Configure Custom Certificates on Log Decoders
You can configure custom certificates for the syslog listener on Log Decoders. This enables you to put your own trusted certificate in place for the syslog listener, while all other functionality uses the pre-installed certificates. For more information, see (Optional) Configure Custom Certificates on Log Decoders.
Configure Custom Certificates on Log Collectors
You can configure custom certificates for the syslog listener on Log Collectors. This enables you to put your own trusted certificate in place for the syslog listener, while all other functionality uses the pre-installed certificates. For more information, see (Optional) Configure Custom Certificates on Log Collectors.
Search for Event Sources Using Address (IP/Hostname) or Name on Log Collectors
Log Collectors can contain a lot of pre-configured event sources for a specific collection protocol (for example File). You can search for specific event sources, by address (IP/hostname) or Name, to more easily find one or more particular event sources. For more information, see Log Collection Event Sources Tab.
Metadata Generated with SHA-256 Fingerprints of SSL/TLS Certificate
The Network Decoder can generate metadata with SHA-256 fingerprints of the SSL/TLS certificate (in addition to SHA-1 hash format) that are available for investigations and analytics. For more information, see "TLS Certificate Hashing" in Decrypt Incoming Packets.
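A certificate fingerprint is a hash over the certificate's DER encoding, so the SHA-256 value the Decoder produces can be reproduced from a PEM file offline and compared against an allowlist or a threat-intelligence list, whichever form (upper case, colon-separated, or bare hex) those lists use. The following is an added example, not code from RSA or the NetWitness Platform, and it does not know the Decoder's meta key names. The PEM blob it hashes is a constructed byte string, not a real certificate, which is sufficient because a fingerprint is computed over the raw bytes; hashing the PEM text instead of the decoded DER is the usual mistake and the example avoids it.

```python
# Added example: compute SHA-1 and SHA-256 fingerprints of a certificate from
# its PEM form and compare the SHA-256 value against an allowlist.
import base64
import hashlib
import re

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

# Constructed stand-in for a certificate body: 64 arbitrary bytes, NOT a real
# X.509 structure. Real DER would come from a decoded certificate.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block and base64-decode it to DER."""
    m = PEM_BLOCK_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    # Strip line breaks and whitespace before decoding.
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprints(der_bytes):
    """Return both fingerprints as lowercase hex, keyed by algorithm name."""
    return {
        "sha1": hashlib.sha1(der_bytes).hexdigest(),
        "sha256": hashlib.sha256(der_bytes).hexdigest(),
    }


def colon_format(hex_digest):
    """Render a hex digest in the AA:BB:CC form many tools display."""
    return ":".join(hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2)).upper()


def canonical(fingerprint_text):
    """Normalise any of the common presentations to bare lowercase hex."""
    return fingerprint_text.replace(":", "").replace(" ", "").lower()


def matches_allowlist(der_bytes, allowlist):
    """True when the certificate's SHA-256 fingerprint is in the allowlist.

    Allowlist entries may be upper or lower case, with or without colons.
    SHA-256 is compared rather than SHA-1 because the notes add it precisely
    so that investigations can rely on the stronger hash.
    """
    wanted = fingerprints(der_bytes)["sha256"]
    return any(canonical(entry) == wanted for entry in allowlist)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for algo, digest in fingerprints(der).items():
        print(algo, colon_format(digest))
```

The SHA-256 fingerprint prints as 32 colon-separated byte pairs (95 characters); the SHA-1 value prints as 20. Because `canonical` strips case and colons, an allowlist copied from a browser's certificate viewer matches the lowercase hex a script computes.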
Event Source Historical Graphs Moved from Health & Wellness to Event Source Management
All event source information, except Historical Graphs, was previously moved from the Health & Wellness view to the Event Sources Manage view. In 11.4.1, the graphs have been moved. Previously, these graphs were accessed in the Event Source Monitoring tab of the Admin > Health & Wellness view. Now, they are available in the Manage tab of the Admin > Event Sources view. For details, see Historical Graph for System Stats.
SSO Authentication is Supported for Analyst UI Deployments
Single Sign-On (SSO) is supported for analysts in deployments that run multiple NetWitness Platform User Interface instances.
Simplified Management of the deploy_admin Account
The deploy_admin account is a password-based system account that is used on every NetWitness Platform host, and must be kept synchronized between all hosts. It can require periodic updating depending on your deployment environment policies. Starting with 11.4.1, the deploy_admin password is centrally managed with the nw-manage script on the NW Server. The nw-manage script execution updates the password on all NetWitness Platform component hosts that use the deploy_admin account. For more information, see Manage the deploy_admin Account.
Change the IP Address of the Warm Standby NW Server
If your secondary NW Server must have a different IP address from your primary NW Server, you can use a manual procedure for failover that enables you to change the IP address of the Warm Standby NW Server. This procedure is documented in "Fail Over Primary NW Server to Secondary NW Server with Different IP Address" in Warm Standby NW Server Host.
Support to Forward High-Risk Usernames to RSA SecurID Access
With the NetWitness Platform Integration with RSA SecurID Access, the NetWitness Respond server can now also send the Active Directory username of high-risk users from incidents to RSA SecurID Access. To configure this metadata on the Respond Server, see Configure Threat Aware Authentication.
ESA (Event Stream Analysis)
ESA Rule Deployment Troubleshooting Metrics are Available Through Nw-Shell
You can use Nw-Shell to view ESA Correlation Server metrics for each of your ESA rule deployments. These metrics show the number of sessions behind for the deployment data sources as well as the memory usage for the rules in the deployment. For more information, see "Obtain Correlation Server Metrics for ESA Rule Deployment Troubleshooting Using Nw-Shell" in Troubleshoot ESA.