RSA NetWitness Platform

Massimiliano Crescenzi in RSA NetWitness Platform2 months ago (Show more)

"Join conditions must match" in ESA Rule condition

Hello community, I am new to using the RSA NetWitness product. I started reading the ESA Rule documentation to try create a custom correlation but I have problems. (Version Product 11.4.0.0) I create a ContextHub List containing malicious hash (SHA256). I add the CH list in ESA Rule tab --> Settings --> Enrichment Souces After this I created… (Show more)

1 replyShow more activity

Solayappan Adaikkalavan

(to Massimiliano Crescenzi) 11 hours ago (Show more Show less)

Hello Massimiliano Crescenzi, Looks like when mapping String[] to a Context Hub list in Basic Rule Builder, we see an exception. Its should be fixed in the next release. For the time being you should be able to accomplish the same from an advanced rule builder by using @UsesEnrichment(name='<ContexthubList>') Please check…

Actions

Leonard Chvilicek

in RSA NetWitness Platform3 days ago (Show more)

NetWitness Retention Script: Understanding The Numbers

Overview If you are looking at retention requirements for compliance, making decisions about the architecture, or to retain a decent investigation history, NetWitness retention is always at the top of these discussions. As we all find out over time, retention is something that needs to be monitored for trends so informed decisions can be made to… (Show more)

Matteo Zaccagnino in RSA NetWitness Platform4 days ago (Show more)

ODBC event collection looping over same records

Hi everyone, I am experiencing problems with an ODBC event source in the Log Collector. The event collection was fine until this morning when I saw that the ODBC Event Source was looping back and forth between two different timestamps (the following is the result of tail /var/log/messages | grep XXX): Jan 19 09:50:20 hostname… (Show more)

Jeremy Kerwin in RSA NetWitness Platform4 days ago (Show more)

Adding python library to use with Alert Notifications

I'm looking to write a few python scripts to use as notifications for an external system (mainly TheHive). I'd like to use TheHive4Py library as part of that script and I'd like to know if there will be any issue if I install the Python library TheHive4Py in NetWitness Thanks.

David Pelletier in RSA NetWitness Platform4 days ago (Show more)

NW Log Parser Tool question

Hi, We're having an issue with the winevent_nic log parser, specifically the fact that it can't process French server logs properly. For instance: Audit Success would translate in French as 'Succès de l'audit' in the logs. However, putting both 'Succès de l'audit' or 'Succès de l’audit' won't allow the parser tool to… (Show more)

John Snider

in RSA NetWitness Platform2 years ago (Show more)

Centralized Backup & Restore of NetWitness Version 11.2+ (A Wrapper Script for NRT)

NOTE: Updated to support 11.4.1.2Scenario You need to remotely backup your NetWitness hosts to a central location, to satisfy Disaster Recovery Requirements, perform a Tech Refresh, or to be prepared for RMA replacement of a device. Solution – A Wrapper script for NRT Building off the framework of the original nw-backup scripts written for 10.x…

11 commentsShow more activity

John Snider

(to Albert Cieszkowski)1 week ago (Show more Show less)

Yes, a new version (and associated docs) will be coming out in the next couple of weeks.

Actions

RSA Product Team mentioned RSA NetWitness Platform 2 weeks ago Show mention context

Final reminder: RSA is notifying all users of the scheduled End of Sale (EOS) for expansion of collection devices on the Appliance License Model, effective starting February 1, 2021

RSA Product Team mentioned RSA NetWitness Platform 2 weeks ago Show mention context

Reminder: RSA is notifying all users of the scheduled End of Primary Support (EOPS) for RSA NetWitness Platform version 11.3.x

Yacine BERREZOUG in RSA NetWitness Platform2 weeks ago (Show more)

Linux log with syslog PRI not parsed

Hello, I have a parsing issue with the following Linux log : <37>Jan 4 19:56:01 hostname PAM-unixteam[2373]: pam_sm_acct_mgmt(service=crond, terminal=cron, user=root, ruser=UNDEF, rhost=UNDEF) This log is not matching rhlinux devices type and is parsed as unknown. By removing syslog PRI in the header : Jan 4 19:56:01 hostname… (Show more)

6 repliesShow more activity

Yacine BERREZOUG (to Yacine BERREZOUG) 2 weeks ago (Show more Show less)

Hello Dave, Thank you for your answer. I still don't have any way to change syslog configuration. Do you know why windows log with PRI is well parsed ? <133>Jan 5 23:04:42 hostname MSWinEventLog 1 Security 202206857 Tue Jan 05 23:04:42 2021 4648 Microsoft-Windows-Security-Auditing ….. Thanks

Actions

Tommy Mendez in RSA NetWitness Platform2 weeks ago (Show more)

STIX 2.0

Hello, I need to know if this is the correct link that show me how to create a STIX report Decoder: Create a STIX Custom Feed, also I need to know if the lastest version of Netwitness (11.5.x) support STIX 2.0.

RSA NetWitness Platform

Manage

Recent Activity