• Pi-hole log support in NetWitness

    Many of you may be using a Pi-hole in your home labs, or even at the office.  The issue is the logs are stored in a local text file and NetWitness does not support the logs.   As many know DNS records are v...
    Dave Glover
    last modified by Dave Glover
  • Decoder parameter to process raw syslog that doesn't contain a valid priority field

    What is the difference between requirePri=false and snaplen=1514 in capture.device.params in Decoder config (DECODER->EXPLORE->decoder->config). When I add requirePri=false in that field, ...
    MUKUTAR RAHMAN
    last modified by MUKUTAR RAHMAN
  • Event Time Function Usage

    Event Time Function - EVNTTIME(). It assigns the date and time information present in the event/log to a message variable to normalize the output in a consistent TimeT format. It is part of the function tag i...
    Jay Shah
    created by Jay Shah
  • Parser for Arbor Networks Default Not Updated since 2017

    I’m having trouble with a few fields while using the native parser of Arbor Peakflow SP. I have created a few Log Parser Rules but as noted, they do not override any meta that has already been parsed in the orig...
    Jefferson Oliveira
    last modified by Jefferson Oliveira
  • Issues with setting up SFTP agent collection

    Lately I have been using the sftpagent quite a bit for moving log files to NetWitness.  I have been running into the same issue on installs recently.   The issue happens on the first sftpagent agent co...
    Dave Glover
    created by Dave Glover
  • Time delay in Windows log collection using WinRM

    Hello All,    We have a Windows server integrated on VLC using WinRM and we are facing some issues in log collection time.    We have checked the raw event log and found there is a huge gap in event...
    rajbir singh
    last modified by rajbir singh
  • RSA Unknown Value

    Hi,   What is the meaning of - in front of the values? Please help. Thanks!
    Prasanna Madhushanka
    last modified by Prasanna Madhushanka
  • How to add LogDecoder Space and update Database

    I am using NetWitness 10.6.   During the install it says I will have to update disk space.   I have added a disk to the virtual host for my LogDecoder.   Where does LogDecoder store log files?...
    James Williams
    last modified by James Williams
  • SIGRed - 17 Year old DNS Vulnerability

    I'm sure many have heard about the recent DNS vulnerability titled SIGRed. This one looks pretty bad. https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-...
    Jeremy Kerwin
    last modified by Jeremy Kerwin
  • NW Respond integration with TheHive

    I use the TheHive - https://thehive-project.org/  as our Incident Case management tool of choice. I've started the investigation process of integrating NetWitness and the TheHive together for alerts and recording...
    Jeremy Kerwin
    last modified by Jeremy Kerwin
  • Endpoint agents log collection to a VLC

    We have a number of endpoints that exist in DMZ environments that are serviced by a VLC for log collection from syslog devices. The hosts in the DMZ can only talk to the VLC and cannot talk back to any other NetWitne...
    Jeremy Kerwin
    last modified by Jeremy Kerwin
  • Sizing VM Azure

    I have a VM deployment scenario for logs and packets in Azure. I'm not able to design a scenario well to reflect on the correct implementation of this machine in Azure. If anyone can help me get an idea, I'd appr...
  • NetWitness Endpoint agent on CentOS 6

    Hi Team,   A quick heads up for those installing NetWitness Endpoint agent on CentOS 6. If you are using prelink process within the host, you might need to disable it to improve stability of the endpoint agent a...
    Tim Tsang
    created by Tim Tsang
  • Helpful "How To" Videos

    I have created a few "how to videos" that I hope you find helpful.  They are posted to YouTube and I have included the links below.   They are as follows:   Demo of the new ESI tool -->https://yout...
    Dave Glover
    last modified by Dave Glover
  • Unknown device type

    All,   New user question.   I am using nxlog to send Windows event logs to NetWitness.  I see that the data is being sent. I am not sure about the difference between the local collector and the decode...
    James Williams
    last modified by James Williams
  • Troubleshooting UEBA Event Collection

    After setting up UEBA you need to make sure you are collecting the following Event IDs from hosts as well as network events   Active Directory Model -> device.class = 'windows hosts' && referenc...
    Dave Glover
    last modified by Dave Glover
  • How to send on-prem Active Directory Audit Logs to Netwitness

    Hi Sir/Madam,   I want to integrate Active Directory with NetWitness. I know I can add AD in the Context Hub service. But what I want is to send AD audit logs to the Log Decoder. I can't find such a thing on the Internet. C...
    Kyi Thin
    last modified by Kyi Thin
  • Incidents "GroupBy" clause

    Hello all,   We're currently using version 11.1 of RSA NW and in the Incidents rule we have a new aggregation value that's handy: "Destination User Account".   In the past, we've been having problems creat...
    Pedro Queiros
    last modified by Pedro Queiros
  • Creating a Dashboard in RSA

    Hi, We use RSA NetWitness version 11.3 and we have a requirement to create a dashboard to display the status of existing incidents created by our SOC staff. Is this possible? If yes, please guide how to create the das...
    Prasanna Madhushanka
    last modified by Prasanna Madhushanka
  • Alert Creation

    How could I create an alert for an attempt to access ports 389 and 636 by someone using the anonymous user?   How could I alert an attempt to access ports 389 and 636 where someone would ...