This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Beacons to pendo.io

RichardB
Frequent Contributor
Frequent Contributor

‎2020-07-03 11:34 AM

I just upgraded our servers to NetWitness 11.4.1.2 and noticed almost every page sends beacons to pendo.io:

 

https://cdn.pendo.io/agent/releases/2.58.0/guide.css 

https://cdn.pendo.io/agent/static/5573cea1-9980-41fc-5e47-9708e86ba7ad/pendo.js 

https://data.pendo.io/data/guide.js/5573cea1-9980-41fc-5e47-9708e86ba7ad?jzb=eJxljj9vszAQxr-[cut] 

 

Did NetWitness always do this? Is this new in 11.4.1.2?

What annoys me most about this is the referer header gives away our NetWitness URL including possible sensitive path (we use deep linking to the investigate module from other applications):

Host: cdn.pendo.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://netwitness.local/admin/services/139/security
Connection: keep-alive

Labels:
0 Likes
3 REPLIES 3

RichardB
Frequent Contributor
Frequent Contributor

‎2020-07-03 12:01 PM

I did some research using NetWitness (it is such a great tool) and it seems the beaconing to pendo.io was introduced (or significantly expanded) in NetWitness 11.4.1.0.

0 Likes

Anonymous
Not applicable
In response to RichardB

‎2020-07-03 01:42 PM

Hi Richard,

 

Well spotted and great use of the tool 🙂

 

It's to do with the Customer Experience Improvement Program that can be disabled under Admin > System > Info.

 

It seems to default *on* instead of *off* but I will let others comment on that.

 

Hope that helps!

 

Cheers,

 

Rui

0 Likes

RichardB
Frequent Contributor
Frequent Contributor
In response to Anonymous

‎2020-07-06 03:43 AM

Hi Rui,

Thanks! I found the CEIP setting and disabled it. I'm pretty sure we disabled this before in 11.3. Was it set to "on" again during the 11.4 upgrade? That's not cool. 

Ok, I found in https://community.rsa.com/docs/DOC-111790  that in 11.4.1 the first admin login should receive a pop-up to enable this feature. We have 2 separate environments and there is no way we would have accidentally enabled CEIP in both of them. Seems like the pop-up idea didn't work but CEIP was enabled anyway. I'm glad we caught this now though.

Cheers,

Richard

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.