**UPDATE 09JUN2021**
- NW-Endpoint Quick Start
- NW-Endpoint 11.6 Agent Install Guide: Endpoint Agent Installation Guide for 11.6
- NW-Endpoint 11.6 Configuration Guide: Endpoint Configuration Guide for 11.6
- NW-Endpoint 11.6 User Guide: NetWitness Endpoint User Guide for 11.6
**UPDATE 22FEB2021**
- changing from 11.3 specific capabilities to more general, multi-version 11.x capabilities
- RSA Live Endpoint Content: Endpoint Content
- NW-Endpoint Ports, Protocols, & Architectures: Network Architecture and Ports
- NW-Endpoint Quick Start Guide: NetWitness Endpoint Quick Start Guide
- NW-Endpoint 11.x Configuration Guide: NetWitness Endpoint Configuration Guide - Table of Contents
- NW-Endpoint 11.x User Guide: NetWitness Endpoint User Guide for NetWitness Platform 11.x - Table of Contents
- NW-Endpoint 11.5 Agent Install Guide: NetWitness Endpoint Agent Installation Guide for RSA NetWitness Platform 11.5 - Table of Contents
- NW-Endpoint 11.4 Agent Install Guide: NetWitness Endpoint Agent Installation Guide for RSA NetWitness Platform 11.4 - Table of Contents
**END UPDATE**
** - New Capabilities; these do not exist in 4.x
Planned - These features are in development and coming soon (PM would tase me if I unilaterally announce some non-GA feature before it's actually GA, so coming soon is the best I can do for these ones...)
Future - These features are in the backlog and need to be evaluated for development in upcoming cycles/product releases (**EDIT 23FEB2021** -- PM has tased me for this verbiage, so removing it **END EDIT**)
|
Feature |
Comments |
Insights |
Advanced |
Operating Systems Support |
Release |
|||
|
Windows |
MacOS |
Linux |
||||||
|
Basic scans |
Inventor |
 |
|
|
|
|
11.3 |
4.x |
|
Tracking scans |
Continuous file,network,process,thread monitors Registry monitor(Specific to windows) |
|
|
|
11.3 |
4.x |
||
|
Anomaly detection |
Inline hooks, kernel hooks,suspicious threads,registry discrepancies |
|
|
11.3 |
4.x |
|||
|
Windows Log Collection |
Collect Windows Event Logs |
 |
|
|
11.3** |
|||
|
Threat Detection Content |
Detection Rules /Reports |
|
|
|
|
|
11.3 |
|
|
Risk score |
Based on Threat Content Pack |
|
|
|
|
11.3 |
4.x |
|
|
File Reputation Service |
File Intel ( 3rd Party Lookup) |
|
|
|
|
|
11.3 |
4.x |
|
Live Connect |
Community Intel |
|
|
|
|
|
11.3 |
4.x |
|
Automatic File Download |
Analysis of downloaded file |
|
|
|
|
11.3 |
4.x |
|
|
Analyze module |
Analysis of downloaded file |
|
|
|
|
11.3 |
4.x |
|
|
Blocking |
Block an executable |
|
|
11.3 |
4.x |
|||
|
Agent Protection |
Driver Registry Protection / User Mode Kill Protection |
|
|
|
11.3** |
|||
|
Powershell, Command-line ( input) |
Report user interactions within a console session |
|
|
11.3** |
||||
|
Process Visualization |
Unique identifier (VPID) for process that uniquely identifies the entire process event chain |
|
|
|
|
11.3** |
||
|
Agent Scan Snapshots |
Agents maintain history of unique and separate snapshots for all scans (manual & scheduled) |
|
|
|
|
11.3** |
||
|
Agent Management via Group Policy |
Easily manage configuration and setting options for groups of endpoint agents by specifying policies |
|
|
|
|
|
11.3** |
|
|
Endpoint APIs |
A set of REST APIs for hosts and files. Additional APIs are available in later 11.x releases. |
|
|
|
|
|
11.3.2 11.4 11.5 11.6 |
4.x |
|
Remote Access Relay (RAR) Server |
Maintain contact with and control of off-network agents through RAR server |
|
|
|
|
|
11.4 |
4.x |
|
Host Isolation / Containment |
Control the spread of an attack by isolating the host from the network. While isolated, all events are still reported to the Endpoint Server. |
|
|
11.4 |
4.x | |||
|
Automatic File Download |
Automatically download new modules when first seen |
|
|
|
|
11.4 |
4.x | |
|
MFT Download (C drive only) |
Download Master File Table for analysis |
|
|
11.4 |
4.x | |||
|
MFT Viewer |
View downloaded MFTs, with potential time stomping highlighted |
|
|
|
11.4 |
4.x | ||
|
System Memory Dump |
Download entire host memory for analysis |
|
|
11.4 |
4.x | |||
|
Process Memory Dump |
Download memory for specific process for analysis |
|
|
11.4 |
4.x | |||
|
Flat File Log Collection |
Collect Windows flat file logs |
|
|
|
11.4** |
|||
|
Extended Linux OS Support |
Extended Linux agent support for additional operating systems (Ubuntu 16.04+ LTS; SUSE 12 SP5+) |
|
|
|
11.5** |
|||
|
Manual File Download |
Download _any_ file(s) present on host by full file path/filename |
|
|
|
|
11.5 |
4.x | |
|
Wildcard File Download |
Download _any_ file(s) present on host with wildcards (*) for filepath and/or filename |
|
|
|
|
11.5 |
4.x | |
|
Agent History |
View history of commands issued to and processed by agents |
|
|
|
|
|
11.5 |
4.x |
|
Throttle Network Bandwidth for Log Collection |
Limit network bandwidth usage for agents when collection/sending Windows & Flat File logs |
|
|
|
11.5** |
|||
|
Enhanced Network Visibility (ENV) |
Network events enriched with endpoint data, such as source host and process, username, risk score, and other host details |
|
|
|
11.5** |
|||
|
Throttle CPU for Manual Scans |
Analysts can use CPU Maximum slider to select CPU percentage so that the agent can limit the usage to the specified range |
|
|
|
|
|
11.5.1** |
|
|
Extended Windows OS Support |
Extended agent support for Windows Server & Windows 10 20H2 (32- and 64-bit) |
|
|
|
11.5.2 | 4.x | ||
|
Agent Proxy Support |
Windows agents can communicate to the Endpoint server through proxy connections when no direct connection is available |
|
|
|
11.5.3 | 4.x | ||
|
Extended Mac OS Support |
Extended agent support for Mac Big Sur (version 11) |
|
|
|
11.5.3** | |||
|
MFT Download (all drives) |
Download and view MFT for all drives | |
|
11.6 |
4.x |
|||
|
Upgrade/Uninstall agent via UI |
Upgrade and/or uninstall agents from NetWitness UI | |
|
|
|
|
11.6 |
4.x |
|
Yara Scans |
Perform yara scans on automatically-downloaded files/modules | |
|
|
|
|
11.6 |
4.x |
|
Create and Group by Custom Tags |
Create tags for _any_ specific agent(s), and leverage those tags in Endpoint Groups/Policies | |
|
|
|
|
11.6** |
|
|
Save multiple local copies of downloaded files at once |
Analysts can download and save multiple files from the UI at once | |
|
|
|
|
11.6** |
|
|
Forward Windows/File logs to custom IP:PORT |
Administrators can collect Windows and File logs on non-VLC systems by forwarding to a custom system | |
|
|
11.6** |
|
||
|
Full Disk Scans |
Analyst can request for full scan of Disk. | |
|
11.7.1 |
4.x |
|||
|
Opswat Metascan Integration |
Opswat Metascan Integration provides the ability to perform simultaneous analysis of files with Multiple Anti-Malware Engines. | |
|
|
|
11.6.1 |
4.x |
|
|
Standalone Scans |
Analyst can scan systems which are in airgap network and upload the scans back to the netwitness server. | |
|
11.7.1 |
4.x |
|||
|
Yara scan on endpoint agent |
Analyst can trigger Yara scan on selected endpoint agents. | |
12.1** |
|
||||
|
Send Alerts to External Syslog Server |
4.x |
|||||||
|
Machine Categorization (i.e.: Gold Image) |
4.x |
|||||||
2 Comments
