• Whitelist false positive in Endpoint ESA Rules

    We have a poorly coded internal application that keeps triggering the Endpoint ESA rule 'unsigned outbound from temp directory'.   What would be the best way to whitelist this so it doesn't keep showing up in al...
    Jeremy Kerwin
    last modified by Jeremy Kerwin
  • Introducing the New RSA OSINT Threat Feeds

    We are excited to announce the release of the new RSA OSINT Indicator feed, powered by ThreatConnect!     What is it? There are two new feeds that have been introduced to RSA Live, built on Open Source ...
    Sean Ennis
    created by Sean Ennis
  • Centralized Backup & Restore of NetWitness Version 11.2+  (A Wrapper Script for NRT)

    NOTE:  Updated to support 11.4.1.2. Scenario: You need to remotely backup your NetWitness hosts to a central location, to satisfy Disaster Recovery Requirements, perform a Tech Refresh, or to be prepared for RMA rep...
    John Snider
    last modified by John Snider
  • RSA NetWitness Endpoint 11.x vs 4.4 - Key Features/Differences

    **UPDATE 22FEB2021** changing from 11.3 specific capabilities to more general, multi-version 11.x capabilities RSA Live Endpoint Content: Endpoint Content  NW-Endpoint Ports, Protocols, & Architectu...
    Josh Randall
    last modified by Josh Randall
  • Customizing Respond Incident Notification Emails

    One of the more common requests and "how do I" questions I've heard in recent months centers around the Emails that the Respond Module can send when an Incident is created or updated.  Enabling this configuration...
    Josh Randall
    last modified by Josh Randall
  • Video about Rule Building in Report Module

    I would just like to throw it out there if it hasn't been thought of is the idea of recording a video about rule building in the report module. I've read the documentation but still is a bit fuzzy to me about the vari...
    Jeremy Kerwin
    last modified by Jeremy Kerwin
  • Consolidating your backups and maximizing NRT (NetWitness Recovery Tool)

    Use this process if you would like full control of your backups; otherwise I advise using the NRT Wrapper Method for an automated approach, - Centralized Backup & Restore of NetWitness Version 11.2+  (...
    Thomas Jones
    last modified by Thomas Jones
  • Custom Flat File Log Collection with NW-Endpoint 11.4

    22APR2020 - UPDATE: Naushad Kasu has posted a video blog of this process and I have posted the template.xml and NweAgentPolicyDetails_x64.exe files from his blog here.   08APR2020 - UPDATE: adding ...
    Josh Randall
    last modified by Josh Randall
  • FireEye Breach

    Introduction Credential Dumping SafetyKatz AndrewSpecial Closing Notes Discovery SharpHound Closing Notes Lateral Movement Impacket Closing Notes Persistence ZeroLogon ...
  • NWE Linux Log Files

    Quick question: can NWE send Linux log files to NetWitness in the same way as it does Windows files?
    Jeremy Kerwin
    last modified by Jeremy Kerwin
  • Domain Controller Takeover with Zerologon, from Compromise to Detection

    Zerologon (CVE-2020-1472) is a vulnerability with a perfect CVSS score of 10/10 being used in the wild by attackers, allowing them to gain admin access to a Windows Domain Controller.  As more publ...
    Halim Abouzeid
    last modified by Halim Abouzeid
  • Using RSA NetWitness to Detect Ransomware Attacks

    Table of Contents Introduction How is Ransomware Deployed? Credential Harvesting ProcDump comsvcs.dll Custom Applications Lateral Movement RDP WMI SMB Backdoors Account Cre...
    Lee Kirkpatrick
    created by Lee Kirkpatrick
  • Can I add YARA rules to NetWitness v11.4.1.2?

    Hello, I'm trying to add some YARA rules to NetWitness 11.4.1.2, but I can't find anything in the web console. Can I do it from the command line?
    Ahmad Jabr
    created by Ahmad Jabr
  • Health & Wellness uses an old IP for connecting to a device - How to Resolve

    Health and Wellness leverages RabbitMQ to collect the actual status of any component of the RSA NetWitness platform. After changing an IP on a component, Health and Wellness keeps communicating...
    Xavier Trepanier-Taupier
    last modified by Xavier Trepanier-Taupier
  • Linux 5 Dependency errors

    Are there any solutions for dependency errors installing ecat agent 11.4.1.0 on Red Hat Linux 5?   Here is the error received below: $ sudo rpm -Uvh /remote/home/vkrishna/Ecat/nwe-agent.x86_64.rpm error: Failed...
    Eric Schwartz
    created by Eric Schwartz
  • Endpoint 11.5 - Files on Zero Hosts

    Hi All, within Endpoint 11.5 we have over 1000+ files that are showing as on zero hosts. It strikes me as a bit weird; what is supposed to happen here? Should it be displaying zero hosts? Should the file still be th...
    Jeremy Kerwin
    created by Jeremy Kerwin
  • RSA NetWitness Evolved SIEM and Gartner SOC Visibility Triad

    Before I jump into explaining what is the relation between RSA NetWitness as an evolved SIEM and Threat Defense platform and Gartner’s SOC Visibility triad, I’m going to start by talking about Ga...
    Islam Rashad
    last modified by Islam Rashad
  • Investigate 11.5 - Event Filters (Beta)

    RSA NetWitness 11.5 introduces the ability to interactively filter events using the metadata associated with all the events. This is seen as a new Filter button inside the Event screen that opens the Filter Events pan...
    William Hart
    created by William Hart
  • SNMP with NetWitness Appliances - SNMPv1, 2 and 3 – Put it all together 11.x

    Updated for SNMPv3: 01/14/2020. Updated for SNMPv3: 06/01/2020. Updated for SNMPv1,2: 08/10/2020. Scenario – You or your customer would like to link SNMP to NetWitness for system monitoring purposes (Solarw...
    Thomas Jones
    last modified by Thomas Jones
  • Introducing Springboard to RSA NetWitness Platform

    As of RSA NetWitness Platform 11.5, analysts have a new landing page option to help them determine where to start upon login.  We call this new landing page Springboard.  In 11.5 it will become the new defau...
    Sean Ennis
    last modified by Sean Ennis