  • NetWitness Retention Script: Understanding The Numbers

    Overview: If you are looking at retention requirements for compliance, making decisions about the architecture, or to retain a decent investigation history, NetWitness retention is always at the top of these discussion...
    Leonard Chvilicek
    last modified by Leonard Chvilicek
  • RSA NetWitness Storage Retention Script

    Although the RSA NetWitness platform gives administrators visibility into system metrics through the Health & Wellness Systems Stats Browser, we currently do not have a method to see all storage / retention a...
    Naushad Kasu
    last modified by Naushad Kasu
  • Custom Flat File Log Collection with NW-Endpoint 11.4

    22APR2020 - UPDATE: Naushad Kasu has posted a video blog of this process and I have posted the template.xml and NweAgentPolicyDetails_x64.exe files from his blog here.   08APR2020 - UPDATE: adding ...
    Josh Randall
    last modified by Josh Randall
  • RSA Response to SolarWinds/FireEye Attacks

    As you’ve surely seen, a recently discovered supply chain attack has impacted numerous organizations including corporations, government agencies, and nonprofits.  Information continues to emerge about the m...
    Arthur Fontaine
    last modified by Arthur Fontaine
  • FireEye Breach - Implementing Countermeasures in RSA NetWitness

    What Happened: On December 8th, 2020, FireEye announced that it had been the victim of a cyber attack perpetrated by an advanced nation state actor. They've disclosed their research into the attack in a few place...
    Sean Ennis
    last modified by Sean Ennis
  • FireEye Breach

    Introduction Credential Dumping SafetyKatz AndrewSpecial Closing Notes Discovery SharpHound Closing Notes Lateral Movement Impacket Closing Notes Persistence ZeroLogon ...
  • FireEye Breach - Beyond the signatures

    I'm certain everyone reading this was just as shocked by the recent news about the FireEye breach as I was and is diligently trying to assess their current security posture in light of this information. As we at RSA v...
    Dustin Lee
    last modified by Dustin Lee
  • The Hunt for RCE (Packets)

    Table of Contents: Simple RCE Quick Tips Finding Abnormal Traffic Content Creation ESA Rule Builder Bonus Decoder App Rule Packet Bonus Afterthoughts Simple ...
    Cody Spooner
    last modified by Cody Spooner
  • Domain Controller Takeover with Zerologon, from Compromise to Detection

    Zerologon (CVE-2020-1472) is a vulnerability with a perfect CVSS score of 10/10 being used in the wild by attackers, allowing them to gain admin access to a Windows Domain Controller.  As more publ...
    Halim Abouzeid
    last modified by Halim Abouzeid
  • Using RSA NetWitness to Detect Ransomware Attacks

    Table of Contents: Introduction How is Ransomware Deployed? Credential Harvesting ProcDump comsvcs.dll Custom Applications Lateral Movement RDP WMI SMB Backdoors Account Cre...
    Lee Kirkpatrick
    created by Lee Kirkpatrick
  • Selective Network Data Collection

    As of RSA NetWitness 11.5, configuring what network traffic your Decoders collect and to what degree it should collect it has become much easier. Administrators can now define a collection policy containing rules for ...
    William Hart
    created by William Hart
  • Introducing the New RSA OSINT Threat Feeds

    We are excited to announce the release of the new RSA OSINT Indicator feed, powered by ThreatConnect! What is it? There are two new feeds that have been introduced to RSA Live, built on Open Source ...
    Sean Ennis
    created by Sean Ennis
  • RSA NetWitness Endpoint 11.3 vs 4.4 - Key Features/Differences

    In 11.3 the same NWE Agent can operate in Insights (free) or Advanced Mode. This change can be made by toggling a policy configuration in the UI and does not require agent reinstall or reboot. There could be bo...
    Josh Randall
    last modified by Josh Randall
  • Health & Wellness uses an old IP for connecting to a device - How to Resolve

    Health and Wellness leverages RabbitMQ to collect the actual status of any component of the RSA NetWitness platform. After changing an IP on a component, Health and Wellness keeps communicating...
    Xavier Trepanier-Taupier
    last modified by Xavier Trepanier-Taupier
  • Expanded Coverage of Snort Rules

    RSA NetWitness Platform 11.5 has expanded support for Snort rules (also known as signatures) that can be imported into the network Decoders. Some of the newly supported rule parameters are: nocase byte-extract byte-ju...
    William Hart
    created by William Hart
  • Business Context Feed: Taxonomy

    A business what? A Business Context Feed is a feed that provides context about systems or data that is present in NetWitness to aid the analyst in understanding more about the system or data they are examining...
    Leonard Chvilicek
    last modified by Leonard Chvilicek
  • RSA NetWitness Evolved SIEM and Gartner SOC Visibility Triad

    Before I jump into explaining what is the relation between RSA NetWitness as an evolved SIEM and Threat Defense platform and Gartner’s SOC Visibility triad, I’m going to start by talking about Ga...
    Islam Rashad
    last modified by Islam Rashad
  • Enhanced Threat Intel support via STIX in NetWitness

    RSA NetWitness has been supporting Structured Threat Information eXpression (STIX™) as it has been the industry standard for Open Source Cyber Threat Intelligence for quite some time. In Net...
    Devadas Ck
    created by Devadas Ck
  • Investigate 11.5 - Event Filters (Beta)

    RSA NetWitness 11.5 introduces the ability to interactively filter events using the metadata associated with all the events. This is seen as a new Filter button inside the Event screen that opens the Filter Events pan...
    William Hart
    created by William Hart
  • Introducing Springboard to RSA NetWitness Platform

    As of RSA NetWitness Platform 11.5, analysts have a new landing page option to help them determine where to start upon login. We call this new landing page Springboard. In 11.5 it will become the new defau...
    Sean Ennis
    last modified by Sean Ennis