  • Domain Controller Takeover with Zerologon, from Compromise to Detection

    Zerologon (CVE-2020-1472) is a vulnerability with a perfect CVSS score of 10/10 being used in the wild by attackers, allowing them to gain admin access to a Windows Domain Controller. As more publ...
    Halim Abouzeid
    last modified by Halim Abouzeid
  • RSA NetWitness Evolved SIEM and Gartner SOC Visibility Triad

    Before I jump into explaining what is the relation between RSA NetWitness as an evolved SIEM and Threat Defense platform and Gartner’s SOC Visibility triad, I’m going to start by talking about Ga...
    Islam Rashad
    last modified by Islam Rashad
  • Enhanced Threat Intel support via STIX in NetWitness

    RSA NetWitness has been supporting Structured Threat Information eXpression (STIX™) as it has been the industry standard for Open Source Cyber Threat Intelligence for quite some time. In Net...
    Devadas Ck
    created by Devadas Ck
  • RSA NetWitness Storage Retention Script

    Although the RSA NetWitness platform gives administrators visibility into system metrics through the Health & Wellness Systems Stats Browser, we currently do not have a method to see all storage / retention a...
    Naushad Kasu
    last modified by Naushad Kasu
  • Selective Network Data Collection

    As of RSA NetWitness 11.5, configuring what network traffic your Decoders collect and to what degree it should collect it has become much easier. Administrators can now define a collection policy containing rules for ...
    William Hart
    created by William Hart
  • Investigate 11.5 - Event Filters (Beta)

    RSA NetWitness 11.5 introduces the ability to interactively filter events using the metadata associated with all the events. This is seen as a new Filter button inside the Event screen that opens the Filter Events pan...
    William Hart
    created by William Hart
  • Introducing Springboard to RSA NetWitness Platform

    As of RSA Netwitness Platform 11.5, analysts have a new landing page option to help them determine where to start upon login. We call this new landing page Springboard. In 11.5 it will become the new defau...
    Sean Ennis
    last modified by Sean Ennis
  • Introducing the NetWitness Export Connector

    RSA is pleased to announce the availability of the NetWitness Export Connector, which enables customers to export NetWitness Platform events and routes the data where you want, all in continuous, streaming fashion. Pr...
    Michael Gallegos
    last modified by Michael Gallegos
  • Introducing the New RSA OSINT Threat Feeds

    We are excited to announce the release of the new RSA OSINT Indicator feed, powered by ThreatConnect! What is it? There are two new feeds that have been introduced to RSA Live, built on Open Source ...
    Sean Ennis
    created by Sean Ennis
  • RSA Threat Content mapping with MITRE ATT&CK™

    Introduction to MITRE ATT&CK™ Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for enterprise is a framework which describes the adversarial actions or tactics from Initial Access (E...
    Prakhar Pandey
    last modified by Prakhar Pandey
  • RSA NetWitness Endpoint 11.3 vs 4.4 - Key Features/Differences

    In 11.3 the same NWE Agent can operate in Insights (free) or Advanced Mode. This change can be made by toggling a policy configuration in the UI and does not require agent reinstall or reboot. There could be bo...
    Josh Randall
    last modified by Josh Randall
  • Exchange Exploit Case Study – CVE-2020-0688

    Abstract: In this blog I describe a recent intrusion that started with the exploit of CVE-2020-0688. Microsoft released a patch for this vulnerability on 11 February 2020. In order for this exploit to work, ...
    Hermes Bojaxhi
    last modified by Hermes Bojaxhi
  • Postman for NetWitness

    If you've ever done any work testing against an API (or even just for fun), then you've likely come across a number of tools that aim to make this work (or fun) easier. Postman is one of these tools, and ...
    Josh Randall
    last modified by Josh Randall
  • Threat Intel Integration with MISP and Minemeld

    RSA NetWitness has a number of integrations with threat intel data providers but two that I have come across recently were not listed (MISP and Minemeld) so I figured that it would be a good challenge to see if they c...
    Eric Partington
    created by Eric Partington
  • Domain Fronting Malware

    Customers frequently ask me about malware that uses domain fronting and how to detect it. Simply put, domain fronting is when malware or an application pretends to be going to one domain but instead is going somewhere...
    Rui Ataide
    last modified by Rui Ataide
  • Using a 3rd Party Certificate with Endpoint 11.4 - The Hard Way

    By default, NetWitness Endpoint 11.x creates a self-signed Certificate Authority during its initial installation, and uses this CA to generate certificates for the endpoint agent and the local reverse proxy that handl...
    Josh Randall
    created by Josh Randall
  • Using a 3rd Party Certificate with Endpoint 11.4 - The Easy Way

    By default, NetWitness Endpoint 11.x creates a self-signed Certificate Authority during its initial installation, and uses this CA to generate certificates for the endpoint agent and the local reverse proxy that handl...
    Josh Randall
    created by Josh Randall
  • July 22nd NetWitness Webinar - Data Carving in Logs

    Thank you for joining us for the July 22nd NetWitness Webinar covering Data Carving using Logs as presented by Leonard Chvilicek. An edited recording is available below, with the Zoom link to the original webinar reco...
    Lorenzo Pedroncelli
    last modified by Lorenzo Pedroncelli
  • HTTP Plaintext Password Hunting and Parser Updates

    This article applies to hunting with Netwitness for Networks (packet-based). Before proceeding, it is important that you are aware of any GDPR or other applicable data collection regulations which will not be covered ...
    Daniel Spier
    last modified by Daniel Spier
  • Using Feeds to Whitelist Endpoint Rules

    A question has come up a few times on how someone could exclude certain machines from triggering NetWitness Endpoint Agent alerts easily. This particular use case was their "Gold Images" w...
    Kelly Ahlers
    last modified by Kelly Ahlers