• Comparing two different types of meta in ESA Rule

    Hello.   It may be a stupid question but I'm not a programmer.   So, how can I compare two different types of meta in an ESA Rule (EPL) statement.   I need to compare string with string[] user_dst ...
    Maxim Marchenko
    last modified by Maxim Marchenko
  • Custom Flat File Log Collection with NW-Endpoint 11.4

    22APR2020 - UPDATE: Naushad Kasu has posted a video blog of this process and I have posted the template.xml and NweAgentPolicyDetails_x64.exe files from his blog here.   08APR2020 - UPDATE: adding ...
    Josh Randall
    last modified by Josh Randall
  • Archiver Data Addition

    Dear Team, We have two Archivers available, one in DC & the other in DR in our environment, and the logs are being forwarded from a single event source to both Archivers via decoder, but due to the issue with the forwar...
    socuser .
    last modified by socuser .
  • Collecting Sysmon logs via WinRM

    Sysmon service is running and generating events that I see in Event Viewer. I've added the channel Microsoft-Windows-Sysmon/Operational on the Log Collector. But I don't see Sysmon logs in NetWitness Investigate. I see...
    Jay Alexander
    last modified by Jay Alexander
  • Error while perform migrate & upgrade via ISO

    Hi,   We are migrating and upgrading from 10.6.6 to 11.3, using the ISO to boot; while entering the setup prompt we have this error:   "mount : special device /dev/VolGroup00/root does not exist cp: cannot stat...
    Mohd Amri Razlan
    last modified by Mohd Amri Razlan
  • RSA Response to SolarWinds/FireEye Attacks

    As you’ve surely seen, a recently discovered supply chain attack has impacted numerous organizations including corporations, government agencies, and nonprofits.  Information continues to emerge about the m...
    Arthur Fontaine
    last modified by Arthur Fontaine
  • Alert wise total count from MongoDB

    Hello,   Is there any way to pull the total alert count, alert-wise, in ESA from MongoDB (backend)? (ver. 11.3)   Please share any ideas.   Regards Kranthi
    Kranthi Kanapala
    last modified by Kranthi Kanapala
  • Incident page issue

    Hi Everyone    I deployed RSA NetWitness 11.5 into my lab; after that I changed the IP address on SA and components. Everything is fine, the only exception is I can't click on an event in the Incident menu to see event d...
    pakorn amonstian
    created by pakorn amonstian
  • FireEye Breach - Implementing Countermeasures in RSA NetWitness

    What Happened: On December 8th, 2020, FireEye announced that it had been the victim of a cyber attack perpetrated by an advanced nation state actor.  They've disclosed their research into the attack in a few place...
    Sean Ennis
    last modified by Sean Ennis
  • FireEye Breach

    Introduction Credential Dumping SafetyKatz AndrewSpecial Closing Notes Discovery SharpHound Closing Notes Lateral Movement Impacket Closing Notes Persistence ZeroLogon ...
  • FireEye Breach - Beyond the signatures

    I'm certain everyone reading this was just as shocked by the recent news about the FireEye breach as I was and is diligently trying to assess their current security posture in light of this information. As we at RSA v...
    Dustin Lee
    last modified by Dustin Lee
  • The Hunt for RCE (Packets)

    Table of Contents Table of Contents Simple RCE Quick Tips Finding Abnormal Traffic Content Creation ESA Rule Builder Bonus Decoder App Rule Packet Bonus Afterthoughts Simple ...
    Cody Spooner
    last modified by Cody Spooner
  • Can I use the identity feed connected to AD without a log decoder

    My organization has decided to drop log support in RSA (don't ask why, it wasn't my idea).  If I'm using RSA for a packet only solution, can I still connect to Active Directory for an identity feed?  My unde...
    Dion Stempfley
    created by Dion Stempfley
  • Advanced EPL Error

    Dear Team,   CheckPoint IPS doesn't show the Destination IP address field in raw logs or syslogs, but source IP is visible. (IPS logs do not contain a destination IP field.) So, I am writing a rule to guess a few IPS...
    support soc
    last modified by support soc
  • NWE Linux Log Files

    Quick question: can NWE send Linux log files to NetWitness in the same way as Windows files?
    Jeremy Kerwin
    last modified by Jeremy Kerwin
  • Malware appliance is offline

    Hi everyone, I see one malware appliance is not connecting to the SA server; I checked the service on the malware appliance and it's running in the shell. However, when I look at listening ports, 60007 is not listening even though the service ...
    Musa Timur Sarigul
    last modified by Musa Timur Sarigul
  • Serial console on hardware appliances

    As a (network) engineer I am used to having serial console access to physical devices.   I noticed this is not enabled by default on RSA NetWitness appliances. Nor is it documented anywhere here on RSA Link. ...
    Hugo Van Der Kooij
    last modified by Hugo Van Der Kooij
  • Netwitness Log parser Tool

    Is there a new version of the Log Parser Tool in the roadmap?   The actual version is 2 years old. RSA, a Dell Technologies business, announces the release of RSA® NetWitness Log Parser Tool v1.1   We commun...
    Isidore DESHAIES
    last modified by Isidore DESHAIES
  • Domain Controller Takeover with Zerologon, from Compromise to Detection

    Zerologon (CVE-2020-1472) is a vulnerability with a perfect CVSS score of 10/10 being used in the wild by attackers, allowing them to gain admin access to a Windows Domain Controller.  As more publ...
    Halim Abouzeid
    last modified by Halim Abouzeid
  • Filtering false positives from Alerts

    I'm interested in learning what would be best practice for filtering false alerts. We have a nwfeed file from a threat intel provider that maps IPs, domains and emails to threat actors.   An ESA alert is create...
    Jeremy Kerwin
    last modified by Jeremy Kerwin