• Malware appliance is offline

    Hi everyone, I see one malware appliance is not connecting to the SA server. I checked the service of the malware appliance and it's running in the shell. However, when I look at the listening ports, 60007 is not listening even though the service ...
    Musa Timur Sarigul
    last modified by Musa Timur Sarigul
  • Centralized Backup & Restore of NetWitness Version 11.2+  (A Wrapper Script for NRT)

    NOTE: Updated to support 11.4.1.2. Scenario: You need to remotely back up your NetWitness hosts to a central location, to satisfy Disaster Recovery requirements, perform a Tech Refresh, or be prepared for RMA rep...
    John Snider
    last modified by John Snider
  • Serial console on hardware appliances

    As a (network) engineer I am used to having serial console access to physical devices. I noticed this is not enabled by default on RSA NetWitness appliances. Nor is it documented anywhere here on RSA Link. ...
    Hugo Van Der Kooij
    last modified by Hugo Van Der Kooij
  • Domain Controller Takeover with Zerologon, from Compromise to Detection

    Zerologon (CVE-2020-1472) is a vulnerability with a perfect CVSS score of 10/10 being used in the wild by attackers, allowing them to gain admin access to a Windows Domain Controller.  As more publ...
    Halim Abouzeid
    last modified by Halim Abouzeid
  • Filtering false positives from Alerts

    I'm interested in learning what would be best practice for filtering false alerts. We have a nwfeed file from a threat intel provider that maps IPs, domains and emails to threat actors.   An ESA alert is create...
    Jeremy Kerwin
    last modified by Jeremy Kerwin
  • Decoder parameter to process raw syslog that doesn't contain a valid priority field

    What is the difference between requirePri=false and snaplen=1514 in capture.device.params in Decoder config (DECODER->EXPLORE->decoder->config). When I add requirePri=false in that field, ...
    MUKUTAR RAHMAN
    last modified by MUKUTAR RAHMAN
  • Using RSA NetWitness to Detect Ransomware Attacks

    Table of Contents Introduction How is Ransomware Deployed? Credential Harvesting ProcDump comsvcs.dll Custom Applications Lateral Movement RDP WMI SMB Backdoors Account Cre...
    Lee Kirkpatrick
    created by Lee Kirkpatrick
  • Can I add YARA rules to NetWitness V 11.4.1.2?

    Hello, I'm trying to add some YARA rules to NetWitness 11.4.1.2, but I can't find anything in the web console. Can I do it from the command line?
    Ahmad Jabr
    created by Ahmad Jabr
  • Selective Network Data Collection

    As of RSA NetWitness 11.5, configuring what network traffic your Decoders collect and to what degree it should collect it has become much easier. Administrators can now define a collection policy containing rules for ...
    William Hart
    created by William Hart
  • RSA NetWitness Storage Retention Script

    Although the RSA NetWitness platform gives administrators visibility into system metrics through the Health & Wellness Systems Stats Browser, we currently do not have a method to see all storage / retention a...
    Naushad Kasu
    last modified by Naushad Kasu
  • Introducing the New RSA OSINT Threat Feeds

    We are excited to announce the release of the new RSA OSINT Indicator feed, powered by ThreatConnect!     What is it? There are two new feeds that have been introduced to RSA Live, built on Open Source ...
    Sean Ennis
    created by Sean Ennis
  • RSA NetWitness NW Server: Standby / Failover (Scenario 2)

    Open video

    Naushad Kasu
    last modified by Naushad Kasu
  • Interpreting Regex for IP range

    This document outlines the procedure to interpret the regex used for an IP range in EPL syntax. {1,3} represents a 3-digit number; [0-9] represents a digit in the range 0 to 9; [0-9]{1,3} represen...
    Sravan Koneti
    last modified by Sravan Koneti
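    The building blocks named in that summary, [0-9] and {1,3}, are the usual way to express an IP range in an ESA rule, but [0-9]{1,3} also accepts octets such as 999 that are not valid IPv4. The script below is an added example and is not part of Sravan Koneti's document: it contrasts the loose octet pattern with a strict 0-255 octet, builds a range pattern from fixed leading octets (e.g. 192.168 for 192.168.0.0/16), and runs both over constructed sample addresses. The helper names and the use of Python's re module are assumptions; EPL uses Java regex under Esper, which supports the same constructs, so the patterns carry over, but the test harness here is Python only.

```python
import re

# Loose octet, as written in the EPL regex the document describes:
# one to three digits, so it also matches 256..999.
LOOSE_OCTET = r"[0-9]{1,3}"

# Strict octet: 250-255, 200-249, 100-199, 10-99, 0-9 (no leading zeros).
STRICT_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"


def ipv4_regex(strict=True):
    """Anchored pattern for a full dotted-quad address (assumed helper)."""
    octet = STRICT_OCTET if strict else LOOSE_OCTET
    return rf"^{octet}(?:\.{octet}){{3}}$"


def ip_range_regex(fixed_octets, strict=True):
    """Build a regex for a range given its fixed leading octets.

    ip_range_regex(["10"])          -> 10.x.x.x      (10.0.0.0/8)
    ip_range_regex(["192", "168"])  -> 192.168.x.x   (192.168.0.0/16)
    Only octet-aligned prefixes (/8, /16, /24) are supported here.
    """
    if not 1 <= len(fixed_octets) <= 4:
        raise ValueError("need 1 to 4 fixed octets")
    fixed = []
    for o in fixed_octets:
        n = int(o)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {o}")
        fixed.append(re.escape(str(n)))  # escape so a literal '.' can never sneak in
    octet = STRICT_OCTET if strict else LOOSE_OCTET
    parts = fixed + [octet] * (4 - len(fixed))
    # Anchors matter: without ^...$ the pattern would also match inside
    # "1192.168.1.1" or "192.168.1.10" when only 192.168.1.1 was intended.
    return "^" + r"\.".join(parts) + "$"


def is_valid_ipv4(addr, strict=True):
    return re.fullmatch(ipv4_regex(strict), addr) is not None


def in_range(addr, fixed_octets, strict=True):
    return re.fullmatch(ip_range_regex(fixed_octets, strict), addr) is not None


if __name__ == "__main__":
    # Constructed sample values, not taken from any real alert.
    samples = ["10.1.2.3", "10.999.1.1", "192.168.255.1", "1192.168.1.1", "192.167.1.1"]
    for s in samples:
        print(f"{s:15} loose={is_valid_ipv4(s, strict=False)!s:5} "
              f"strict={is_valid_ipv4(s)!s:5} in 192.168/16={in_range(s, ['192', '168'])}")
```

    The takeaway for an ESA author: the loose form is fine when the field is already a parsed ip.src or ip.dst meta value, but when matching against free text (a raw log line, a URL) prefer the strict octet and always anchor the pattern, otherwise a range such as 10.x.x.x will fire on 110.x.x.x and 10.x.x.x0 too.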
  • RSA NetWitness supported SFP models for physical appliances

    Hello guys, we have an RSA NetWitness Hybrid Packet physical appliance; what are the supported SFP models that can be used? The hardware setup guide mentions only that the physical appliances support 10 GB SFP SR. If w...
    Mohammad Ennab
    last modified by Mohammad Ennab
  • RSA NetWitness ESA / EPL Overview

    Open video

    Naushad Kasu
    last modified by Naushad Kasu
  • Health & Wellness uses an old IP for connecting to a device - How to Resolve

    Health and Wellness leverages RabbitMQ to collect the actual status of any component of the RSA NetWitness platform. After changing an IP on a component, Health and Wellness keeps communicating...
    Xavier Trepanier-Taupier
    last modified by Xavier Trepanier-Taupier
  • Can NwConsole use tlogin for sdk commands?

    We are rolling out the new NwConsole fileHash feature across our packet sensors. For other scripts we used tlogin so we don't have to store a password in the script or config file. This does not seem to work for sdk c...
  • Expanded Coverage of Snort Rules

    RSA NetWitness Platform 11.5 has expanded support for Snort rules (also known as signatures) that can be imported into the network Decoders. Some of the newly supported rule parameters are: nocase byte-extract byte-ju...
    William Hart
    created by William Hart
  • Error while performing migrate & upgrade via ISO

    Hi, we are migrating and upgrading from 10.6.6 to 11.3 using the ISO to boot; when entering the setup prompt we get this error: "mount : special device /dev/VolGroup00/root does not exist cp: cannot stat...
    Mohd Amri Razlan
    created by Mohd Amri Razlan
  • RSA Security Analytics wrong time

    Hello guys, I have an issue with time between the SA server, Log Decoder and Concentrator server. Let me explain: when I log in to the SA UI I see a time mismatch between all hosts. When I checked the...
    Adolfo Sotelo
    last modified by Adolfo Sotelo