NetWitness Retention Script: Understanding The Numbers
If you are looking at retention requirements for compliance, making decisions about the architecture, or to retain a decent investigation history, NetWitness retention is always at the top of these discussion...

RSA NetWitness Storage Retention Script
Although the RSA NetWitness platform gives administrators visibility into system metrics through the Health & Wellness Systems Stats Browser, we currently do not have a method to see all storage / retention a...

Custom Flat File Log Collection with NW-Endpoint 11.4
22APR2020 - UPDATE: Naushad Kasu has posted a video blog of this process and I have posted the template.xml and NweAgentPolicyDetails_x64.exe files from his blog here. 08APR2020 - UPDATE: adding ...

RSA Response to SolarWinds/FireEye Attacks
As you've surely seen, a recently discovered supply chain attack has impacted numerous organizations including corporations, government agencies, and nonprofits. Information continues to emerge about the m...

FireEye Breach - Implementing Countermeasures in RSA NetWitness
What Happened: On December 8th, 2020, FireEye announced that it had been the victim of a cyber attack perpetrated by an advanced nation state actor. They've disclosed their research into the attack in a few place...

FireEye Breach - Beyond the signatures
Contents: Introduction / Credential Dumping / SafetyKatz / AndrewSpecial / Closing Notes / Discovery / SharpHound / Closing Notes / Lateral Movement / Impacket / Closing Notes / Persistence / ZeroLogon / ...
I'm certain everyone reading this was just as shocked by the recent news about the FireEye breach as I was and is diligently trying to assess their current security posture in light of this information. As we at RSA v...

The Hunt for RCE (Packets)
Table of Contents: Simple RCE / Quick Tips / Finding Abnormal Traffic / Content Creation / ESA Rule Builder / Bonus / Decoder App Rule / Packet Bonus / Afterthoughts
Simple ...

Domain Controller Takeover with Zerologon, from Compromise to Detection
Zerologon (CVE-2020-1472) is a vulnerability with a perfect CVSS score of 10/10 being used in the wild by attackers, allowing them to gain admin access to a Windows Domain Controller. As more publ...

Using RSA NetWitness to Detect Ransomware Attacks
Table of Contents: Introduction / How is Ransomware Deployed? / Credential Harvesting / ProcDump / comsvcs.dll / Custom Applications / Lateral Movement / RDP / WMI / SMB / Backdoors / Account Cre...

Selective Network Data Collection
As of RSA NetWitness 11.5, configuring what network traffic your Decoders collect and to what degree it should collect it has become much easier. Administrators can now define a collection policy containing rules for ...

Introducing the New RSA OSINT Threat Feeds
We are excited to announce the release of the new RSA OSINT Indicator feed, powered by ThreatConnect! What is it? There are two new feeds that have been introduced to RSA Live, built on Open Source ...

RSA NetWitness Endpoint 11.3 vs 4.4 - Key Features/Differences
In 11.3 the same NWE Agent can operate in Insights (free) or Advanced Mode. This change can be made by toggling a policy configuration in the UI and does not require agent reinstall or reboot. There could be bo...

Health & Wellness uses an old IP for connecting to a device - How to Resolve
Health and Wellness leverages RabbitMQ to be able to collect the actual status of any components of the RSA NetWitness platform. After changing an IP on a component, Health and Wellness keeps communicating...

Expanded Coverage of Snort Rules
RSA NetWitness Platform 11.5 has expanded support for Snort rules (also known as signatures) that can be imported into the network Decoders. Some of the newly supported rule parameters are: nocase byte-extract byte-ju...

Business Context Feed: Taxonomy
A business what? A Business Context Feed is a feed that provides context about systems or data that is present in NetWitness to aid the analyst in understanding more about the system or data they are examining...

RSA NetWitness Evolved SIEM and Gartner SOC Visibility Triad
Before I jump into explaining what is the relation between RSA NetWitness as an evolved SIEM and Threat Defense platform and Gartner's SOC Visibility triad, I'm going to start by talking about Ga...

Enhanced Threat Intel support via STIX in NetWitness
RSA NetWitness has been supporting Structured Threat Information eXpression (STIX™) as it has been the industry standard for Open Source Cyber Threat Intelligence for quite some time. In Net...

Investigate 11.5 - Event Filters (Beta)
RSA NetWitness 11.5 introduces the ability to interactively filter events using the metadata associated with all the events. This is seen as a new Filter button inside the Event screen that opens the Filter Events pan...

Introducing Springboard to RSA NetWitness Platform
As of RSA NetWitness Platform 11.5, analysts have a new landing page option to help them determine where to start upon login. We call this new landing page Springboard. In 11.5 it will become the new defau...