• Malware appliance is offline

    Hi everyone, I see one malware appliance is not connecting to the SA server. I checked the service of the malware appliance and it's running in the shell. However, when I look at listening ports, 60007 is not listening even service ...
    Musa Timur Sarigul
    last modified by Musa Timur Sarigul
  • Advanced EPL Error

    Dear Team, CheckPoint IPS doesn't show the Destination IP address field in raw logs or syslogs, but the source IP is visible (IPS logs do not contain a destination IP field). So, I am writing a rule to guess a few IPS...
    support soc
    created by support soc
  • Centralized Backup & Restore of NetWitness Version 11.2+  (A Wrapper Script for NRT)

    NOTE: Updated to support 11.4.1.2. Scenario: You need to remotely back up your NetWitness hosts to a central location, to satisfy Disaster Recovery Requirements, perform a Tech Refresh, or to be prepared for RMA rep...
    John Snider
    last modified by John Snider
  • Serial console on hardware appliances

    As a (network) engineer I am used to having serial console access to physical devices. I noticed this is not enabled by default on RSA NetWitness appliances. Nor is it documented anywhere here on RSA Link. ...
    Hugo Van Der Kooij
    last modified by Hugo Van Der Kooij
  • NetWitness Log Parser Tool

    Is there a new version of the Log Parser Tool in the roadmap? The actual version is 2 years old. RSA, a Dell Technologies business, announces the release of RSA® NetWitness Log Parser Tool v1.1. We commun...
    Isidore DESHAIES
    last modified by Isidore DESHAIES
  • Domain Controller Takeover with Zerologon, from Compromise to Detection

    Zerologon (CVE-2020-1472) is a vulnerability with a perfect CVSS score of 10/10 being used in the wild by attackers, allowing them to gain admin access to a Windows Domain Controller.  As more publ...
    Halim Abouzeid
    last modified by Halim Abouzeid
  • Filtering false positives from Alerts

    I'm interested in learning what would be best practice for filtering false alerts. We have a nwfeed file from a threat intel provider that maps IPs, domains and emails to threat actors.   An ESA alert is create...
    Jeremy Kerwin
    last modified by Jeremy Kerwin
  • Is Investigator freeware registration broken?

    See attached. I am trying to activate RSA NetWitness Investigator. Versions 10.6 and 11.4 throw three scripting errors and fail with 301 Moved Permanently during the freeware registration and activation process. A fre...
    Bryon G
    last modified by Bryon G
  • 10.6.5 Physical Host Installation Guide

    Dear Team, we are in need of the installation guide for RSA NetWitness 10.6.5. We have gone through the documentation but are not getting any clarity; we came across the virtual host installation guide only. Can anyon...
    Anil Prabhakar
    last modified by Anil Prabhakar
  • Is the registration portal down?

    The URL register.netwitness.com is not responding.
    Ryan Rathbun
    created by Ryan Rathbun
  • Where to find the status of JIRA ticket ARCHER-93694

    We cannot find the status of the JIRA ticket ARCHER-93694 in our portal. With reference to Case no. 01686003, JIRA ARCHER-93694 has been attached to the mentioned case, but it's not showing in the Engineering Requests tab. Pl...
    socuser .
    last modified by socuser .
  • Pi-hole log support in NetWitness

    Many of you may be using a Pi-hole in your home labs, or even at the office. The issue is that the logs are stored in a local text file and NetWitness does not support the logs. As many know, DNS records are v...
    Dave Glover
    last modified by Dave Glover
  • Decoder parameter to process raw syslog that doesn't contain a valid priority field

    What is the difference between requirePri=false and snaplen=1514 in capture.device.params in the Decoder config (DECODER->EXPLORE->decoder->config)? When I add requirePri=false in that field, ...
    MUKUTAR RAHMAN
    last modified by MUKUTAR RAHMAN
  • Is there any parser for IBM Identity and Access Management Solution?

    We have integrated the IBM IAM via syslog, but there is no supported parser; it would be appreciated if anyone has this parser and can share it.
    Anas Bdeir
    last modified by Anas Bdeir
  • Error Message. Cannot verify

    I am trying to make NetWitness Investigator work and I get the following (see below). Can you help??? (i) 2020-Nov-09 16:15:02 [URL] cms.netwitness.com 443 1 (F) 2020-Nov-09 16:15:02 [Email Verifi...
    Marcelo Esquivel
    last modified by Marcelo Esquivel
  • Using RSA NetWitness to Detect Ransomware Attacks

    Table of Contents Introduction How is Ransomware Deployed? Credential Harvesting ProcDump comsvcs.dll Custom Applications Lateral Movement RDP WMI SMB Backdoors Account Cre...
    Lee Kirkpatrick
    created by Lee Kirkpatrick
  • Can I add YARA rules to NetWitness v11.4.1.2??

    Hello, I'm trying to add some YARA rules to NetWitness 11.4.1.2, but I can't find anything in the web console. Can I do it from the command line?
    Ahmad Jabr
    created by Ahmad Jabr
  • Selective Network Data Collection

    As of RSA NetWitness 11.5, configuring what network traffic your Decoders collect and to what degree it should collect it has become much easier. Administrators can now define a collection policy containing rules for ...
    William Hart
    created by William Hart
  • Event Time Function Usage

    Event Time Function - *EVNTTIME(). It assigns the date and time information present in the event/log to a message variable to normalize the output in a consistent TimeT format. It is part of the function tag i...
    Jay Shah
    created by Jay Shah
  • RSA NetWitness Storage Retention Script

    Although the RSA NetWitness platform gives administrators visibility into system metrics through the Health & Wellness Systems Stats Browser, we currently do not have a method to see all storage / retention a...
    Naushad Kasu
    last modified by Naushad Kasu