RSA NetWitness Platform

Jeremy Kerwin in RSA NetWitness Platform2 months ago (Show more)

Whitelist false positive in Endpoint ESA Rules

We have a poorly coding internal application that keeps triggering the Endpoint ESA rule 'unsigned outbound from temp directory' What would be the best way to whitelist this so it doesn't keep showing up in alerts in the respond module?

4 repliesShow more activity

Jeremy Kerwin (to Josh Randall) 2 months ago (Show more Show less)

Thanks for that. Yeah I think a feed is what I was more thinking about. Right now, we only have one checksum but I'm thinking about if this becomes a bigger thing and we start to maintain a list of whitelisted checksums, rather than editing the ESA rule every time to add the additional checksum it could just be automatically imported using…

Actions

Sean Ennis

in RSA NetWitness Platform7 months ago (Show more)

Introducing the New RSA OSINT Threat Feeds

We are excited to announce the release of the new RSA OSINT Indicator feed, powered by ThreatConnect! What is it? There are two new feeds that have been introduced to RSA Live, built on Open Source Intelligence (OSINT) that has been curated and scored by our partners at ThreatConnect: RSA OSINT IP Threat Intel Feed, including Tor Exit Nodes… (Show more)

6 commentsShow more activity

En Mihashi

(to Sean Ennis) 2 months ago (Show more Show less)

Thanks

Actions

Josh Randall

in RSA NetWitness Platform2 years ago (Show more)

RSA NetWitness Endpoint 11.x vs 4.4 - Key Features/Differences

**UPDATE 22FEB2021** changing from 11.3 specific capabilities to more general, multi-version 11.x capabilities RSA Live Endpoint Content: Endpoint Content NW-Endpoint Ports, Protocols, & Architectures: https://community.rsa.com/docs/DOC-83050#NetWitne NW-Endpoint Quick Start Guide: NetWitness Endpoint Quick Start Guide for RSA NetWitness… (Show more)

2 commentsShow more activity

Csi Piemonte D-Soc in RSA NetWitness Platform2 months ago (Show more)

Connection errors

Good afternoon, we are getting the following error with the logs-packet: 2021-02-23 13:56:00,524 [ native-X.X.X.X-0] ERROR c.r.a.s.s.n.NwNativeAggregationSource|Source admin@X.X.X.X:X.logs-packets-sa-managed received an error java.lang.Exception: invalid language index 2021-02-23 13:56:01,211 [-managed-stream-subscription-0] WARN… (Show more)

Csi Piemonte D-Soc in RSA NetWitness Platform2 months ago (Show more)

Defining context in Esa Rule

We are trying to build a esa rule named Compliance - Windows - WinAdmCSI Logins We want this rule to fire each time a Windows administrator logs in during not working hours. This is the syntax of our rule: @RSAAlert() create context NotWorkingHours start (0, 18, *, *, *) end (0, 9, *, *, *); context NotWorkingHours SELECT * FROM Event(… (Show more)

1 replyShow more activity

Josh Randall

(to Csi Piemonte D-Soc) 2 months ago (Show more Show less)

Csi Piemonte D-Soc I believe the main issue is that you need to use SELECT window(*) ...instead of SELECT * A couple references on the topic: Chapter 11. EPL Reference: Enumeration Methods Chapter 13. EPL Reference: Data Windows Also, you may find it useful to refine your context to account for weekends and different timezones. For…

Actions

Michael Gallegos

in RSA NetWitness Platform2 months ago (Show more)

Network Cloud Visibility with AWS Traffic Mirroring

Introducing RSA NetWitness Platform's support for AWS VPC Traffic Mirroring! By partnering with AWS and integrating with their AWS VPC Traffic Mirroring, customers are able to access to the right virtual traffic and network metadata from AWS environments. The AWS VPC Traffic Mirroring allows users to capture and inspect network traffic to… (Show more)

Uq1lws3RT39tp8reFD8y8NuuHaHt7KaBBIJDVDjgnPY= in RSA NetWitness Platform5 years ago (Show more)

Modify incident categories

Hi, I would like to use the European "ETSI GS ISI" classification for incidents in the Incident management solution (10.4). How can I modify/add categories ? I found that categories are store in the collection categories of the ESA mongodb but each categorie looks linked to a Java Object : { "_id" :… (Show more)

3 repliesShow more activity

Albert Cieszkowski (to Josh Randall) 2 months ago (Show more Show less)

Josh Randall, Indeed it does, exactly was I was looking for - an elegant solution for any age ;-) Many thanks!

Actions

Miguel Lallana in RSA NetWitness Platform2 months ago (Show more)

ssl cert

For Netwitness 11.5.2, what is the process to install certificates used for the console UI? We are looking to generate a CSR to be signed by our CA.

1 replyShow more activity

Josh Randall

(to Miguel Lallana) 2 months ago (Show more Show less)

Miguel Lallana You can find the process for replacing the UI cert in the Security Configuration guide: Security Configuration: Customer Provided Certificates

Actions

Kelly Ahlers

in RSA NetWitness Platform12 months ago (Show more)

Operationalizing Threat Aware Authentication

Shout out to @Casey Switzer, @Josh Randall & @Larry Hammond. Without their help, the lab, configuration and operational considerations would not be possible. Last year in RSA NetWitness 11.3, a new integration was introduced to allow NetWitness to integrate with RSA SecurID to populate high risk users from incidents in Respond. @Josh Randall… (Show more)

5 commentsShow more activity

Kelly Ahlers

(to Calvin Ng) 2 months ago (Show more Show less)

Hey Calvin, Hopefully the comment from Josh below helps out. We have a SecurID API and Josh had put in the work in his previous blog post to demonstrate how to interact with the high risk portion.

Actions

Josh Randall

in RSA NetWitness Platform2 years ago (Show more)

Customizing Respond Incident Notification Emails

One of the more common requests and "how do I" questions I've heard in recent months centers around the Emails that the Respond Module can send when an Incident is created or updated. Enabling this configuration is simple (https://community.rsa.com/docs/DOC-86405), but unfortunately changing the templates that Respond uses when it sends one of… (Show more)

5 commentsShow more activity

Josh Randall

2 months ago (Show more Show less)

Santo Viapiana Yes, i just re-ran the original script on my 11.5.2 lab system and it still works as intended.

Actions

RSA NetWitness Platform

Manage

Recent Activity