I just upgraded our servers to NetWitness 11.4.1.2 and noticed almost every page sends beacons to pendo.io:
https://cdn.pendo.io/agent/releases/2.58.0/guide.css
https://cdn.pendo.io/agent/static/5573cea1-9980-41fc-5e47-9708e86ba7ad/pendo.js
https://data.pendo.io/data/guide.js/5573cea1-9980-41fc-5e47-9708e86ba7ad?jzb=eJxljj9vszAQxr-[cut]
Did NetWitness always do this? Is this new in 11.4.1.2?
What annoys me most about this is the referer header gives away our NetWitness URL including possible sensitive path (we use deep linking to the investigate module from other applications):
Host: cdn.pendo.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://netwitness.local/admin/services/139/security
Connection: keep-alive
I did some research using NetWitness (it is such a great tool) and it seems the beaconing to pendo.io was introduced (or significantly expanded) in NetWitness 11.4.1.0.