The RSA NetWitness Platform 11.5.1 release provides new features and enhancements for every role in the Security Operation Center.

Upgrade Paths

The following upgrade paths are supported for NetWitness Platform

  • RSA NetWitness Platform 11.3.x.x to*
  • RSA NetWitness Platform 11.4.x.x to
  • RSA NetWitness Platform to
  • RSA NetWitness Platform to

* If you are upgrading from, or, you must upgrade to before you can upgrade to

If you are upgrading from NetWitness Platform version (10.6.6.x) or (11.2.x.x or below), you must upgrade to before you can upgrade to For more information, see the guides that apply to your environment.

For more information on upgrading to, see Upgrade Guide for RSA NetWitness Platform 11.5.1.


The following sections are a complete list and description of enhancements to specific capabilities:

To locate the documents referred to in this section, go to the RSA NetWitness Platform 11.x Master Table of Contents: Product Documentation has links to the documentation for this release.

Investigation - SIEM and Network Detection & Response

JSON Viewer for Logs

The JSON log data in the Events page renders in an easy-to-read JSON format instead of the raw block format using the Render JSON toggle switch. It allows analysts to identify nodes, node values, and position of the node in the tree. By default, the switch is enabled, and JSON snippets in a log event are detected and displayed in an expanded tree format. The system supports rendering of logs with a mix of text and JSON to display in both Respond and Investigate views.

For more information, see the "View a JSON String in Tree Format in the Text Tab" topic in the NetWitness Investigate User Guide.

Below is an example of the Render JSON switch enabled.

Investigation Using the Event Time

Analysts can directly query and sort events using event time (the time the event occurred) instead of collection time (the time the Decoder received the event). This eliminates the need to find the log or the Endpoint events relevant to the actual time range, thus, saving time and effort of the analyst as the events are displayed as they happen. For more information, see the NetWitness Investigate User Guide.


Manual Column Width Adjustments Automatically Apply

When analysts manually adjust the width of a column in the Events panel, the column width is preserved as a personal preference and is applied every time the column is used in the Events list, overriding any default column width. For more information, see the NetWitness Investigate User Guide.

Option to Add Multiple Filters Prior to Query

An analyst can build a query with multiple filters pivoting through the meta available in the Events Filter panel. For more information, see “Drill into Meta Values” in the NetWitness Investigate User Guide.

New Icons for Meta Keys

The Events page includes new unique icons for every meta key displayed in the Events query bar, Filter Events panel, and Event Meta reconstruction panel to help analysts recognize items while visually scanning the data available on the page. The icons use color to indicate meta key search capability and are categorized based on the family of metadata. For more information, see the NetWitness Investigate User Guide.

Below is an example of the new icons.

Springboard Panel Enhancements

  • The panel rendering time is improved and the memory usage is reduced. For example, when the administrator adds or scroll across the panel, only the displayed panels are loaded and not the hidden panels.
  • Includes User’s Trending Data (24 hours) and Trending Data (7 days) options in the UEBA panels.
  • Clicking on a Springboard panel row name or clicking Inv-OpenRelatedEvens.png at the top of the panel, takes you to a new tab for quick hunting and investigation.

  • Includes drop-down filter options for menus such as Data Source and Meta key.

    For more information, see the "Managing the Springboard" topic in the NetWitness Platform Getting Started Guide.

Expanded Network Visibility with Endpoint Data Enrichment

Network events are further enriched with additional host information. It includes alerts and process details associated with the enriched host values. This additional data enables an analyst to investigate an event more efficiently.

Example 1

An analyst can use the Process Tree option to see the origin of a process and associated process information.


Example 2

An analyst can see the Alerts section to see the alerts triggered on a host. This section provides information on alerts, incidents, and events count associated with the host.


For more information, see "Examine Event Details in the Events View" in the NetWitness Investigate User Guide.

Note: Expanded Network Visibility is a policy setting that enables Insights and Advanced agents to monitor the network events. It can optimize the frequency of sending endpoint events for network (packet) correlation. For more information on how to enable the Expanded Network Visibility policy, see Creating Groups and Policies in the NetWitness Endpoint Configuration Guide.

Improved Meta Group Usage while Filtering Events

Analysts can efficiently use meta groups to control the options available in the Filter Events panel. It includes the following enhancements:

  • The last meta group is used instead of resetting to the default meta key group.

  • Ability to change the default view (AUTO, OPEN, CLOSE, or HIDDEN) for all the meta keys at once.

  • The default meta group displays the list of meta keys and can be cloned.

For more information, see the NetWitness Investigate User Guide.

Below is an example showing the option to change the default view for all meta keys.


Performance Improvements while Filtering Events

To decrease the time taken to load the panel, estimations for the events count (>) and size (~) are enabled by default. Analysts can also view the debug information that provides the time it takes for the services to present the meta key values. It helps analysts to identify the services that might be causing the latency. For more information, see the NetWitness Investigate User Guide.

Option to Download Files from Multiple Events

In the Events view, analysts can securely download bulk files for multiple events versus per individual event. The downloaded files are present in a password protected zip file to limit exposure to potentially malicious files. For more information, see the NetWitness Investigate User Guide.

Below is an example showing the new Download Files option.


Enhanced Events Query Experience

Analysts can resume a canceled query, to load more meta keys in the Events Filter panel. When the Filter Events panel is being loaded, new messages indicate which meta keys are going to load next. It will also indicate if the query is canceled. For more information, see the NetWitness Investigate User Guide.

User Experience Improvements while Filtering Events

During review of meta key values, analysts can see the unit of measure when the values are sorted based on the event size. If analysts want to shift focus to one specific meta key, they can change their view so all other meta keys in the meta group are closed. For more information, see the NetWitness Investigate User Guide.

Endpoint Investigation

Extended Linux Agent Support with SUSE

Introduced agent support for SUSE Linux Enterprise Server 12 SP5 and later. This enables RSA NetWitness to detect threats on resources running on SUSE Linux Enterprise Server. For more information, see the NetWitness Endpoint Agent Installation Guide.

User Entity Behavior Analytics

User Profile Baselines

Modeled Behaviors for users provides analysts with insights on the usual daily activities of users monitored by UEBA. UEBA monitors abnormal user behaviors to identify risky users and this requires data to be processed over a certain period of time during which the usual behavior is captured. Unlike alerts for users, Modeled Behaviors reflect the activities of the user within a day of the service configuration. For example, if a user fails multiple times by logging in with incorrect credentials within an hour, analysts can view these behaviors as Failed Authentications for the user, even if an anomaly was not triggered. This allows Analysts to explore user behaviors, even if they don't rise to a critical level. For more information, refer to “View Modeled Behaviors” in the NetWitness UEBA User Guide.


Incident Response

Improved the User Entity Behavior Analytics Incident Rule

The User Entity Behavior Analytics incident rule captures user entity behavior grouped by both UEBA Classifier ID and UEBA Entity Name. The incident name automatically created by the rule contains the a user-friendly UEBA Entity Name instead of UEBA Classifier ID.

In addition, the User Entity Behavior Analytics incident rule default priority threshold ranges are consistent with the severity ranges in NetWitness UEBA.

Priority ThresholdDefault Value

For example, with the Critical priority set to 98, incidents with a risk score of 98 or higher are assigned a Critical priority for this rule.


For more information, see “Update the User Entity Behavior Analytics Incident Rule Priority Thresholds, Grouping Options, and Title” in Set Up and Verify Default Incident Rules.

Endpoint Configuration

Added Option to Select CPU Utilization for Manual Scans

On-demand host scans provide analysts the flexibility of choosing the CPU utilization. Analysts can use the CPU Maximum slider to select the CPU percentage so that the agent can limit the usage within the specified range. The Endpoint agents use the selected CPU percentage to get the latest snapshot. It ensures a quick snapshot creation and optimal CPU performance. For more information, see “Scan Hosts” in the NetWitness Endpoint User Guide.


Broker, Concentrator, Decoder and Log Decoder Services

Expanded Selective Network Data Collection

Administrators can choose to collect from 41 new protocols available in the collection policies. A new detail panel displays a preview of the policy with the following information:

  • Decoders that received the policy

  • Protocol rules in the policy

  • Last policy update (time and user)

For more information, see "Supported Protocols for Selective Network Data Collection" topic in Decoder Configuration Guide for RSA NetWitness Platform.


Improved search experience with N-gram free-text search

The N-gram functionality is enabled by default to improve the free-text search experience. It allows analysts to search sub-strings of text providing more accurate results with a minimal index size increase compared to previous N-gram implementations. By default, this only applies to unparsed logs that are processed by the log tokenizer on the Log Decoder to generate word metadata.

For more information, see "ngrams" in the Core Database Tuning Guide for RSA NetWitness Platform.

Administration and Configuration

RAID Configuration for PowerVault and DACs

When allocating PowerVault storage to a Decoder / Log Decoder, users have a configuration option to include a hot-spare. For more information see "Storage Configuration Tasks" topic in Storage Guide for RSA NetWitness Platform .

Log Collection

Enhanced JSON Log Mapping (BETA)

JSON Log Mapping is enhanced to automatically add mappings for the JSON nodes in a log. You only have to choose the meta value and no longer have to manually enter the name and the path of the mapping.


After you complete the JSON log mappings, the JSON nodes and values are highlighted in green in the JSON tree, this allows you to identify which nodes are mapped. Once you map the JSON nodes that are needed, you can quickly remove the unmapped JSON nodes. For more information see "Auto Discover JSON Mappings" topic in Log Parser Customization Guide for RSA NetWitness Platform

Logstash Integration

NetWitness Export Connector

NetWitness Platform version 11.5.1 introduces "NetWitness Export Connector 1.0", an input plugin for Logstash that can be used to export NetWitness Platform events and routes the data where you want, in a streaming fashion that gives you the flexibility to unlock a variety of downstream use cases. For more information, see NetWitness Export Connector - Installation and Configuration Guide for RSA NetWitness Platform.


Enhanced License Details

  • Admins can check the compliance status of newly introduced Meta-only licenses.
  • Usage data for Throughput license is consolidated and organized to show details of multiple statistics that are used to measure the compliance of the network throughput licenses. For more information, see the Licensing Management Guide.

Throughput License Calculation Changes

NetWitness Platform version 11.5.1 includes fixes to the metrics used in reporting for Network (Packet) Throughput usage. License metrics includes the overall network traffic analyzed and the raw network data stored after the analysis. Your Network Throughput License usage may increase, which may cause license violation banners in some situations. The Out-of-Compliance notifications for Network Throughput licenses has been temporarily adjusted to delay the display of the license violation banner by 45-days. For more information, see the Licensing Management Guide.