Josh Randall

RSA NetWitness Endpoint 11.x vs 4.4 - Key Features/Differences

Blog post created by Josh Randall (Employee) on May 20, 2019

**UPDATE 22FEB2021**

**END UPDATE**

 

** - New capabilities; these do not exist in 4.x

Planned - These features are in development and coming soon (PM would tase me if I unilaterally announced a non-GA feature before it's actually GA, so "coming soon" is the best I can do for these...)

Future - These features are in the backlog and need to be evaluated for development in upcoming cycles/product releases (**EDIT 23FEB2021** -- PM has tased me for this verbiage, so removing it **END EDIT**)

The original table also marks each feature's license tier (Insights or Advanced) and supported agent OS (Windows, MacOS, Linux); those per-feature marks are not reproduced in the text table below, which keeps the feature, comments, and release columns.

 

| Feature | Comments | 11.x release | 4.x |
|---|---|---|---|
| Basic scans | Inventory | 11.3 | 4.x |
| Tracking scans | Continuous file, network, process, and thread monitors; registry monitor (Windows only) | 11.3 | 4.x |
| Anomaly detection | Inline hooks, kernel hooks, suspicious threads, registry discrepancies | 11.3 | 4.x |
| Windows Log Collection | Collect Windows Event Logs | 11.3** | |
| Threat Detection Content | Detection rules / reports | 11.3 | |
| Risk score | Based on Threat Content Pack | 11.3 | 4.x |
| File Reputation Service | File intel (3rd-party lookup) | 11.3 | 4.x |
| Live Connect | Community intel | 11.3 | 4.x |
| Automatic File Download | Analysis of downloaded file | 11.3 | 4.x |
| Analyze module | Analysis of downloaded file | 11.3 | 4.x |
| Blocking | Block an executable | 11.3 | 4.x |
| Agent Protection | Driver registry protection / user-mode kill protection | 11.3** | |
| PowerShell, command-line (input) | Report user interactions within a console session | 11.3** | |
| Process Visualization | Unique identifier (VPID) for a process that uniquely identifies the entire process event chain | 11.3** | |
| Agent Scan Snapshots | Agents maintain a history of unique and separate snapshots for all scans (manual and scheduled) | 11.3** | |
| Agent Management via Group Policy | Easily manage configuration and setting options for groups of endpoint agents by specifying policies | 11.3** | |
| Endpoint APIs | A set of REST APIs for hosts and files. Additional APIs are available in later 11.x releases. | 11.3.2, 11.4, 11.5 | 4.x |
| Remote Access Relay (RAR) Server | Maintain contact with and control of off-network agents through the RAR server | 11.4 | 4.x |
| Host Isolation / Containment | Control the spread of an attack by isolating the host from the network. While isolated, all events are still reported to the Endpoint Server. | 11.4 | 4.x |
| Automatic File Download | Automatically download new modules when first seen | 11.4 | 4.x |
| MFT Download (C drive only) | Download the Master File Table for analysis | 11.4 | 4.x |
| MFT Viewer | View downloaded MFTs, with potential time stomping highlighted | 11.4 | 4.x |
| System Memory Dump | Download entire host memory for analysis | 11.4 | 4.x |
| Process Memory Dump | Download memory for a specific process for analysis | 11.4 | 4.x |
| Flat File Log Collection | Collect Windows flat-file logs | 11.4** | |
| Extended Linux OS Support | Extended Linux agent support for additional operating systems (Ubuntu 16.04+ LTS; SUSE 12 SP5+) | 11.5** | |
| Manual File Download | Download _any_ file(s) present on the host by full file path/filename | 11.5 | 4.x |
| Wildcard File Download | Download _any_ file(s) present on the host using wildcards (*) in the file path and/or filename | 11.5 | 4.x |
| Agent History | View history of commands issued to and processed by agents | 11.5 | 4.x |
| Throttle Network Bandwidth for Log Collection | Limit network bandwidth usage for agents when collecting/sending Windows and flat-file logs | 11.5** | |
| Expanded Network Visibility (ENV) | Network events enriched with endpoint data, such as source host and process, username, risk score, and other host details | 11.5** | |
| MFT Download (all drives) | Download and view the MFT for all drives | Planned | 4.x |
| Upgrade/Uninstall agent via UI | Upgrade and/or uninstall agents from the NetWitness UI | Planned | 4.x |
| YARA Scans | Perform YARA scans on all automatically downloaded files/modules | Planned | 4.x |
| Create and Group by Custom Tags | Create tags for _any_ specific agent(s), and leverage those tags in Endpoint Groups/Policies | Planned** | |
| Full Disk Scans | | | 4.x |
| Opswat Metascan Integration | | | 4.x |
| Standalone Scans | | | 4.x |
| Agent Proxy Support | | | 4.x |
| Send Alerts to External Syslog Server | | | 4.x |
| Machine Categorization (e.g. Gold Image) | | | 4.x |
| Automatically apply file status and YARA/Opswat scans to manually downloaded files | | | 4.x |
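The MFT Viewer row says potential time stomping is highlighted. As an added example (illustrative code, not NetWitness Endpoint's own), the Python below parses one NTFS $MFT FILE record, pulls the $STANDARD_INFORMATION and $FILE_NAME timestamps, and applies the two heuristics an MFT viewer typically uses for that highlight: a $SI creation time earlier than the $FN creation time (user-mode APIs such as SetFileTime rewrite only $SI), and $SI timestamps that land exactly on a second boundary. The record bytes, file names and timestamps are constructed inline for the demo; update-sequence-array (fixup) handling is omitted, so records read from a real volume need that step first.

```python
"""Flag potential NTFS time stomping from a raw $MFT FILE record.

Added example, not NetWitness code. Record bytes are constructed below, not
read from disk, and fixup (update sequence array) handling is omitted.
"""
import struct
from datetime import datetime, timedelta, timezone

ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100-ns ticks


def filetime_to_datetime(ft):
    """64-bit FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt, ticks=0):
    """Inverse of filetime_to_datetime; `ticks` adds extra 100-ns ticks."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10 + ticks


def _timestamps(content, base):
    """Read the four FILETIMEs (created, modified, MFT-modified, accessed) at `base`."""
    created, modified, mft_modified, accessed = struct.unpack_from("<QQQQ", content, base)
    return {"created": created, "modified": modified,
            "mft_modified": mft_modified, "accessed": accessed}


def parse_mft_record(record):
    """Return {'si': {...} or None, 'fn': [{...}, ...]} for one FILE record."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    first_attr, = struct.unpack_from("<H", record, 0x14)
    used_size, = struct.unpack_from("<I", record, 0x18)
    parsed = {"si": None, "fn": []}
    off = first_attr
    while off + 8 <= used_size:
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END or alen == 0:
            break
        if not record[off + 8]:  # resident attribute; $SI and $FN always are
            clen, coff = struct.unpack_from("<IH", record, off + 0x10)
            content = record[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                parsed["si"] = _timestamps(content, 0)
            elif atype == ATTR_FILE_NAME:
                fn = _timestamps(content, 8)  # after the 8-byte parent reference
                name_len = content[0x40]
                fn["name"] = content[0x42:0x42 + 2 * name_len].decode("utf-16-le")
                parsed["fn"].append(fn)
        off += alen
    return parsed


def time_stomping_indicators(parsed):
    """Return human-readable reasons why this record looks time-stomped."""
    si = parsed["si"]
    if si is None or not parsed["fn"]:
        return []
    reasons = []
    # 1. SetFileTime() and similar user-mode APIs rewrite only $STANDARD_INFORMATION;
    #    $FILE_NAME timestamps are kernel-maintained, so $SI created < $FN created
    #    is the classic backdating signature.
    for fn in parsed["fn"]:
        if si["created"] < fn["created"]:
            reasons.append("$SI created %s predates $FN created %s for %r" % (
                filetime_to_datetime(si["created"]).isoformat(),
                filetime_to_datetime(fn["created"]).isoformat(), fn["name"]))
    # 2. Stomping tools often write second-granularity times, leaving the sub-second
    #    ticks at zero; organically written NTFS timestamps almost never land there.
    for key in ("created", "modified", "accessed"):
        if si[key] % TICKS_PER_SECOND == 0:
            reasons.append("$SI %s has a zero sub-second component" % key)
    return reasons


def build_record(si_times, fn_times, name):
    """Construct a synthetic 1024-byte FILE record (demo data, not from a disk)."""
    def attr(atype, content):
        total = 0x18 + len(content)
        total += (-total) % 8  # attribute lengths are 8-byte aligned
        hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0,
                          len(content), 0x18, 0, 0)
        return hdr + content.ljust(total - 0x18, b"\0")

    si = struct.pack("<QQQQ", *si_times) + b"\0" * 16  # flags etc. zeroed
    fn = struct.pack("<QQQQQQQIIBB", 5, *fn_times, 0, 0, 0, 0,  # parent = MFT #5 (root)
                     len(name), 3) + name.encode("utf-16-le")
    body = attr(ATTR_STANDARD_INFORMATION, si) + attr(ATTR_FILE_NAME, fn)
    body += struct.pack("<I", ATTR_END) + b"\0" * 4
    first_attr = 0x38
    header = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, first_attr, 1,
                                   first_attr + len(body), 1024, 0, 2, 0, 0)
    return (header.ljust(first_attr, b"\0") + body).ljust(1024, b"\0")


def demo():
    """Benign record vs. one whose $SI was backdated; returns both reason lists."""
    base = datetime(2019, 5, 20, 14, 30, tzinfo=timezone.utc)

    def t(**delta):  # realistic timestamps carry non-zero sub-second ticks
        return datetime_to_filetime(base + timedelta(**delta), ticks=4_213_377)

    benign = build_record((t(), t(minutes=5), t(minutes=5), t(minutes=6)),
                          (t(), t(), t(), t()), "notes.txt")
    backdated = datetime_to_filetime(base - timedelta(days=730))  # whole seconds
    stomped = build_record((backdated, backdated, t(minutes=5), backdated),
                           (t(), t(), t(), t()), "svchost.exe")
    return (time_stomping_indicators(parse_mft_record(benign)),
            time_stomping_indicators(parse_mft_record(stomped)))


if __name__ == "__main__":
    for label, reasons in zip(("benign", "stomped"), demo()):
        print(label, reasons or "no indicators")
```

Both checks produce "potential" indicators only: a rename or move rewrites $FN from the current $SI values, and some installers set second-granular times legitimately, so a viewer highlights the record for an analyst rather than declaring it tampered.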

 

 

 
