• Centralized Backup & Restore of NetWitness Version 11.2+  (A Wrapper Script for NRT)

    NOTE: Updated to support You need to remotely back up your NetWitness hosts to a central location, to satisfy Disaster Recovery requirements, perform a Tech Refresh, or to be prepared for RMA rep...
    John Snider
    last modified by John Snider
  • Domain Controller Takeover with Zerologon, from Compromise to Detection

    Zerologon (CVE-2020-1472) is a vulnerability with a perfect CVSS score of 10/10 being used in the wild by attackers, allowing them to gain admin access to a Windows Domain Controller.  As more publ...
    Halim Abouzeid
    last modified by Halim Abouzeid
  • Using RSA NetWitness to Detect Ransomware Attacks

    Table of Contents: Introduction | How is Ransomware Deployed? | Credential Harvesting (ProcDump, comsvcs.dll, Custom Applications) | Lateral Movement (RDP, WMI, SMB) | Backdoors (Account Cre...
    Lee Kirkpatrick
    created by Lee Kirkpatrick
  • Can I add YARA rules to NetWitness V

    Hello, I'm trying to add some YARA rules to NetWitness, but I can't find anything in the web console. Can I do it from the command line?
    Ahmad Jabr
    created by Ahmad Jabr
  • Introducing the New RSA OSINT Threat Feeds

    We are excited to announce the release of the new RSA OSINT Indicator feed, powered by ThreatConnect!     What is it? There are two new feeds that have been introduced to RSA Live, built on Open Source ...
    Sean Ennis
    created by Sean Ennis
  • RSA NetWitness Endpoint 11.3 vs 4.4 - Key Features/Differences

    In 11.3 the same NWE Agent can operate in Insights (free) or Advanced Mode. This change can be made by toggling a policy configuration in the UI and does not require an agent reinstall or reboot.  There could be bo...
    Josh Randall
    last modified by Josh Randall
  • Health & Wellness uses an old IP for connecting to a device - How to Resolve

    Health and Wellness leverages RabbitMQ to collect the actual status of any component of the RSA NetWitness platform. After changing an IP on a component, Health and Wellness keeps communicating...
    Xavier Trepanier-Taupier
    last modified by Xavier Trepanier-Taupier
  • Linux 5 Dependency errors

    Are there any solutions for dependency errors installing the ECAT agent on Red Hat Linux 5?   Here is the error received below: $ sudo rpm -Uvh /remote/home/vkrishna/Ecat/nwe-agent.x86_64.rpm error: Failed...
    Eric Schwartz
    created by Eric Schwartz
  • Endpoint 11.5 - Files on Zero Hosts

    Hi All, within Endpoint 11.5 we have over 1000+ files that are showing as on zero hosts. It strikes me as a bit weird; what is supposed to happen here? Should it be displaying zero hosts? Should the file still be th...
    Jeremy Kerwin
    created by Jeremy Kerwin
  • RSA NetWitness Evolved SIEM and Gartner SOC Visibility Triad

    Before I jump into explaining the relation between RSA NetWitness as an evolved SIEM and Threat Defense platform and Gartner’s SOC Visibility Triad, I’m going to start by talking about Ga...
    Islam Rashad
    last modified by Islam Rashad
  • Investigate 11.5 - Event Filters (Beta)

    RSA NetWitness 11.5 introduces the ability to interactively filter events using the metadata associated with all the events. This is seen as a new Filter button inside the Event screen that opens the Filter Events pan...
    William Hart
    created by William Hart
  • SNMP with Netwitness Appliances - SNMPv1,2 and 3 – Put it all together 11.x

    Updated for SNMPv3: 01/14/2020; updated for SNMPv3: 06/01/2020; updated for SNMPv1/2: 08/10/2020. Scenario – You or your customer would like to link SNMP to NetWitness for system monitoring purposes (Solarw...
    Thomas Jones
    last modified by Thomas Jones
  • Introducing Springboard to RSA NetWitness Platform

    As of RSA Netwitness Platform 11.5, analysts have a new landing page option to help them determine where to start upon login.  We call this new landing page Springboard.  In 11.5 it will become the new defau...
    Sean Ennis
    last modified by Sean Ennis
  • Endpoint Broker Bandwidth requirement

    Hello, I am getting the below notification message from one of our large customers:    [Bandwidth] [warning] The bandwidth score of 74.3 Mbps is low and may cause aggregation to fall behind from device....
  • Negative Host Count in Endpoint

    Does anyone know why we'd be seeing negative host counts for files under Investigate > Hosts > Files? It doesn't seem to make sense; I'm curious as to what's going on here.
    Jeremy Kerwin
    created by Jeremy Kerwin
  • RSA NetWitness® Platform Versions

    Click on a link below to visit the page for each product version. RSA NetWitness® Logs & Network | RSA NetWitness® Investigator | RSA NetWitness® Endpoint | RSA NetWitness® Orche...
    RSA Link Team
    last modified by Charan Rajakumar
  • Exchange Exploit Case Study – CVE-2020-0688

    Abstract  In this blog I describe a recent intrusion that started with the exploit of CVE-2020-0688. Microsoft released a patch for this vulnerability on 11 February 2020. In order for this exploit to work, ...
    Hermes Bojaxhi
    last modified by Hermes Bojaxhi
  • Endpoint Log Hybrid - Only for Endpoint Agent Data?

    Should an Endpoint Log Hybrid server be used only for Endpoint Agent data as a best practice, or can it also be used for other log sources?   Our Endpoint Log Hybrid collects agent data from Endpoints, Logs forwar...
    Jeremy Kerwin
    last modified by Jeremy Kerwin
  • Postman for NetWitness

    If you've ever done any work testing against an API (or even just for fun), then you've likely come across a number of tools that aim to make this work (or fun) easier.   Postman is one of these tools, and ...
    Josh Randall
    last modified by Josh Randall
  • Threat Intel Integration with MISP and Minemeld

    RSA NetWitness has a number of integrations with threat intel data providers, but two that I have come across recently were not listed (MISP and Minemeld), so I figured that it would be a good challenge to see if they c...
    Eric Partington
    created by Eric Partington