Mary Roark

Summary of RSA NetWitness Logs and Packets 10.6.4

Discussion created by Mary Roark Employee on Aug 1, 2017

We are excited to announce the General Availability (GA) of RSA NetWitness Logs and Packets 10.6.4.


We continue to enhance reporting, visibility capabilities - especially into the CLOUD and improve SIEM Log parsing and integration capabilities so that more business and security context is available to analysts. And with an eye to the future 10.6.4 will support “mixed-mode” implementations to facilitate upgrades to v11.0. Check out the new OOB reports for RSA SecureID and Threat Hunting!


  • One of the key capabilities  is that that RSA NetWitness Suite 11.0 will work with 10.6.4 components.   This “mixed-mode” operations enables customers to upgrade over time as desired vs all at once.    


Highlight of New Capabilities:


Expanded Visibility

  • Proxy Support for AWS CloudTrail Collection


    • Customer Challenge – Administrators had limited options to support collection from CloudTrail in environments where proxies were in use.
    • 10.6.4 Enhancements – Configuration support for CloudTrail integration includes options to configure proxies.


Improvements for SIEM and Log Parsing

  • Identification of logging devices in Windows environments


    • Customer Challenge – Devices not tagged for the Device IP in windows environments resulting in loss of visibility for the analyst.
    • 10.6.4 Enhancements – Device IP for windows collection persisted to the Log Decoder in cases where the customer has configured collection with a host name.


  • Expanded support for customized CEF (Common Event Format) parsing


    • Customer Challenge – A single default CEF template file that could be edited but was overwritten when the host was upgraded.
    • 10.6.4 Enhancements – Flexibility for customers to add a custom CEF config file allowing an administrator to make changes and add new CEF parsers without editing the default CEF parser.


  • Normalization of Event Time


    • Customer Challenge – Event Time field represented differently including missing values dependent on logging source.
    • 10.6.4 Enhancements – Provides a single normalized event time regardless of log source.
    • Can now handle scenarios where event time may be missing fields such as the year.  


Analytics and Detection


REPORTING: New OOTB Dashboards for RSA SecurID and Threat Hunting

  • Customer Challenge – Administrators have to figure out what to configure and set up for charts and dashboards based on interpretation of content we’re providing through RSA Live.


    • 10.6.4 Enhancements –
      • RSA SecurID OOTB Dashboard allows analysts to monitor specific identities and their behaviors. It empowers organizations to monitor two-factor environments that utilize RSA's SecurID for authenticating to protected resources.


      • Threat Hunting - OOTB dashboard displays a summary of the events that have been categorized according to the meta keys as described in the ‘RSA NetWitness Hunting Guide’ and ‘RSA NetWitness Hunting Feed’ documents.


  • Improvements for Alert Configurations in ESA
    • Support for STIX integrations for v1.0 and v1.1 and v1.2


        • Customer Challenge – Previous support for STIX limited to v1.2.
        • 10.6.4 Enhancements – Flexibility for administrators to choose what fields they want to map for different STIX sources.
        • Refer to the Create a Custom Feed topic in the Live Services Management Guide.
        • We added backwards compatibility for v1.0 and 1.1 for additional flexibility for customers



        • Support to leverage additional fields for email alerts giving analysts better context around an alert.
          • Customer Challenge – Alerts configured to send emails were limited to a fixed set of values that could be included in the subject line resulting in the analyst not having context into the alert.
          • 10.6.4 Enhancements – Capability to utilize different variables as part of an emailed alert allowing analysts to quickly get context.
        • Capability to leverage rule output as a contributor to an alert name. Currently the alert name is hard-coded and this capability allows additional context for analysts based on the rule name without requiring them to dive into the details.
          • Customer Challenge – Alerts from ESA utilized a hard-coded name resulting in a lack of context for the analyst into the alert.
          • 10.6.4 Enhancements – Flexibility to leverage additional fields as part of an alert name thereby providing the analyst with additional context into an alert.



      • Enhanced Functionality in Custom Feed Files - The custom feed files are forwarded to Decoder or Log Decoder only when there is a change in the CSV file.



       Quick Links


      Product Advisory:


      Release Notes:




      Looking forward to comments and questions!!!