Hello. It may be a stupid question but I'm not a programmer. So, how can I compare two different types of meta in an ESA Rule (EPL) statement? I need to compare string with string user_dst ...

22APR2020 - UPDATE: Naushad Kasu has posted a video blog of this process and I have posted the template.xml and NweAgentPolicyDetails_x64.exe files from his blog here. 08APR2020 - UPDATE: adding ...

Dear Team, We have two Archivers available, one in DC and the other in DR in our environment, and the logs are being forwarded from a single event source to both Archivers via decoder, but due to the issue with the forwar...

Sysmon service is running and generating events that I see in Event Viewer. I've added the channel Microsoft-Windows-Sysmon/Operational on the Log Collector. But I don't see Sysmon logs in NetWitness Investigate. I see...

Hi, We are migrating and upgrading from 10.6.6 to 11.3, using ISO to boot; while entering the setup prompt we have this error: "mount : special device /dev/VolGroup00/root does not exist cp: cannot stat...

As you've surely seen, a recently discovered supply chain attack has impacted numerous organizations including corporations, government agencies, and nonprofits. Information continues to emerge about the m...

Hello, Is there any way to pull the total alert count, alert-wise, in ESA from mondoD (backend)? (ver. 11.3) Please share any ideas. Regards Kranthi

Hi Everyone, I deployed RSA NetWitness 11.5 into my lab; after that I changed the IP address on SA and components. Everything is fine, the only exception is I can't click on an event in the Incident menu to see event d...

What Happened On December 8th, 2020, FireEye announced that it had been the victim of a cyber attack perpetrated by an advanced nation state actor. They've disclosed their research into the attack in a few place...

Introduction ... I'm certain everyone reading this was just as shocked by the recent news about the FireEye breach as I was and is diligently trying to assess their current security posture in light of this information. As we at RSA v...

Table of Contents
Finding Abnormal Traffic
ESA Rule Builder
Decoder App Rule
Simple ...

My organization has decided to drop log support in RSA (don't ask why, it wasn't my idea). If I'm using RSA for a packet-only solution, can I still connect to Active Directory for an identity feed? My unde...

Dear Team, CheckPoint IPS doesn't show the Destination IP address field in raw logs or syslogs, but the source IP is visible. (IPS logs do not contain a destination IP field.) So, I am writing a rule to guess a few IPS...

Quick question, can NWE send Linux log files to NetWitness in the same way as with Windows files?

Hi everyone, I see one malware appliance is not connecting to the SA server; I checked the service of the malware appliance and it's running in the shell. However, when I look at listening ports, 60007 is not listening even though the service ...

As a (network) engineer I am used to having serial console access to physical devices. I noticed this is not enabled by default on RSA NetWitness appliances. Nor is it anywhere documented here on RSA Link. ...

Is there a new version of Log Parser Tool in the roadmap? The current version is 2 years old.

RSA, a Dell Technologies business, announces the release of RSA® NetWitness Log Parser Tool v1.1. We commun...

Zerologon (CVE-2020-1472) is a vulnerability with a perfect CVSS score of 10/10 being used in the wild by attackers, allowing them to gain admin access to a Windows Domain Controller. As more publ...

I'm interested in learning what would be best practice for filtering false alerts. We have a nwfeed file from a threat intel provider that maps IPs, domains and emails to threat actors. An ESA alert is create...