ContentsContents
| Release Notes |
| What's New |
| Fixed Issues |
| Product Documentation |
| Getting Help with NetWitness Platform |
| Build Numbers |
| Revision History |
| What's New |
| Fixed Issues |
| Product Documentation |
| Getting Help with NetWitness Platform |
| Build Numbers |
| Revision History |
| What's New |
| Product Documentation |
| Getting Help with NetWitness Platform |
| Build Numbers |
| Revision History |
| Appendix |
| Upgrade Instructions |
| What's New |
| Known Issues |
| Product Documentation |
| Getting Help with NetWitness Platform |
| Build Numbers |
| Revision History |
| Appendix |
| Upgrade Instructions |
| What's New |
| Fixed Issues |
| Product Documentation |
| Getting Help with NetWitness Platform |
| Build Numbers |
| Revision History |
| Title |
| Copyrights |
| What's New |
| Fixed Issues |
| Product Documentation |
| Getting Help with NetWitness Platform |
| Build Numbers |
| Revision History |
| Known Issues |
| Security Fixes |
| Getting Started |
| Getting Started with NetWitness Platform |
| Logging in to NetWitness Platform |
| Changing Your Password |
| Identifying Your Role |
| NetWitness Platform Basic Navigation |
| Setting Up Your Default View by SOC Role |
| Managing the Springboard |
| Managing Dashboards |
| Setting User Preferences |
| Managing Jobs |
| Viewing and Deleting Notifications |
| Viewing Help in the Application |
| Finding Documents on NetWitness Community |
| Troubleshooting for User Setup |
| NetWitness Platform Getting Started References |
| User Preferences |
| Notifications Panel and Notifications Tray |
| Jobs Panel and Jobs Tray |
| Hosts and Services Basics |
| Hosts and Services Set Up Procedures |
| Hosts and Services Maintenance Procedures |
| References |
| Hosts View |
| Services View |
| Edit Service Dialog |
| Services Config View |
| Services Config View - Appliance Service Configuration Tab |
| Services Config View - Data Retention Scheduler Tab |
| Services Config View - Files Tab |
| Services Explore View |
| Services Explore View - Properties Dialog |
| Services Logs View |
| Services Security View |
| Services Security View - Users Tab |
| Services Security View - Roles Tab |
| Services Security View - Service User Roles and Permissions |
| Services Security View - Aggregation Role |
| Services Security View - Settings Tab |
| Services Stats View |
| Services Stats View - Chart Stats Tray |
| Services Stats View - Gauges |
| Services Stats View - Timeline Charts |
| Services System View |
| Services Topology View |
| Services System View - Host Task List Dialog |
| Service Configuration Parameters |
| Aggregation Configuration Parameters |
| Appliance Service Configuration Parameters |
| Archiver Service Configuration Parameters |
| Broker Service Configuration Parameters |
| Concentrator Service Configuration Parameters |
| Core Service Logging Configuration Parameters |
| Core Service-to-Service Configuration Parameters |
| Core Service System Configuration Parameters |
| Decoder Configuration Parameters |
| Network Decoder Service Configuration Parameters |
| Log Decoder Service Configuration Parameters |
| REST Interface Configuration Parameters |
| NetWitness Platform Core Service system.roles Modes |
| Centralized Service Configuration via Policy |
| Centralized Service Configuration - Groups Tab |
| Centralized Service Configuration - Policies Tab |
| Troubleshooting Version Installations and Updates |
| Introduction |
| Admin-server Configuration |
| Analysis-server Configuration |
| Config-server Configuration |
| Content-server Configuration |
| Contexthub-server Configuration |
| Correlation-server Configuration |
| Endpoint-broker-server Configuration |
| Endpoint-server Configuration |
| Enrichment-server Configuration |
| Integration-server Configuration |
| Investigate-server Configuration |
| Launch-framework Configuration |
| License-server Configuration |
| Metrics-server Configuration |
| Node-infra-server Configuration |
| No-op-server Configuration |
| Orchestration-server Configuration |
| Relay-server Configuration |
| Respond-server Configuration |
| Security-server Configuration |
| Source-server Configuration |
| What Is NetWitness Investigate |
| QuickStart |
| QuickStart |
| Install and Upgrade |
| The Basics |
| Deployment Optional Setup Procedures |
| Network Architecture and Ports |
| Site Requirements and Safety |
| Entitlement Capability Implementation |
| Initial Set Up |
| Obtain License Server ID from NetWitness Platform UI |
| Access Product Licenses from myRSA |
| Synchronize NetWitness Server |
| Synchronize Local Licensing Server Offline |
| License Types |
| Configure NetWitness Notifications |
| About Out-of-Compliance Banners |
| Troubleshoot Licensing |
| Licensing Panel Reference |
| Usage Trend |
| Reassign Licenses |
| Export Usage Stats |
| Settings Tab |
| Out-of-Compliance Reference |
| Introduction |
| Installation Tasks |
| Update or Install Legacy Windows Collection |
| Post Installation Tasks |
| Appendix A. Troubleshooting |
| Appendix B. Create External Repo |
| Appendix C. Silent Installation Using CLI |
| Appendix D. Third Party Server System Requirement |
| Basic Deployment |
| Install NW Virtual Host in Virtual Environment |
| Step 1a. Create Virtual Machine - VMware |
| Step 1b. Deploy the Virtual Host in Hyper-V |
| Step 1c. Create Virtual Machine in Nutanix AHV |
| Step 2. Configure Databases to Accommodate NetWitness Platform |
| Task 1. Add New Disk |
| Task 2. Storage Configurations |
| Step 3. Installation Tasks |
| Step 4. Configure Host-Specific Parameters |
| Step 5. Post Installation Tasks |
| Appendix A. Troubleshooting |
| Appendix B. Silent Installation Using CLI |
| Appendix C. Virtual Host Recommended System Requirements |
| Appendix D. Update the Virtual ESA Host Memory |
| Storage Overview |
| Storage Requirements |
| Prepare Physical Storage |
| Prepare Virtual or Cloud Storage |
| Configure Storage Using the REST API |
| Prepare Unity Storage |
| Migrate Data to Another Storage Type |
| Appendix A. How NetWitness Platform Hosts Store Data |
| Appendix B. Encrypt a Series 6E Core or Hybrid Host (encryptSedVd.py) |
| Appendix C. Troubleshooting |
| Appendix D. Sample Storage Configuration Scenarios |
| Revision History |
| AWS Deployment Overview |
| AWS Deployment |
| Establish AWS Environment |
| Find NetWitness AMIs |
| Launch an Instance and Configure a Host |
| Configure Hosts (Instances) in NetWitness Platform |
| Configure Packet Capture |
| Instance Configuration Recommendations |
| Appendix A Silent Installation Using CLI |
| Azure Installation Overview |
| Azure Configuration Recommendations |
| Azure Deployment |
| Partition Recommendations |
| Deploy NW Server Host in Azure |
| Deploy Component Core Services in Azure |
| Installation Tasks |
| Appendix A. Silent Installation Using CLI |
| Google Cloud Platform Installation Overview |
| GCP Deployment |
| Prerequisites |
| Find NetWitness Platform GCP Images |
| Establish gcloud Environment |
| Create an Instance using Google Cloud SDK Shell |
| Installation Tasks |
| Configure Hosts (Instances) in NetWitness Platform |
| GCP Instance Configuration Recommendations |
| Introduction to Endpoint Agent Installation |
| Prerequisites |
| Generate an Agent Packager |
| Generate Agent Installers |
| Deploy and Verify Agents |
| Uninstall Agents |
| Upgrade Agents |
| Recommendations for Installing Agents in Virtual Desktop Infrastructure Environment |
| Troubleshooting |
| Introduction |
| Migrating NetWitness Endpoint 4.4.0.x to NetWitness Platform |
| Importing NetWitness Endpoint 4.4.0.x Configurations to NetWitness Platform |
| Introduction |
| NetWitness UEBA Standalone Installation |
| System Requirement |
| Installation Tasks |
| Post Installation Tasks |
| Overview |
| Contacting Customer Care |
| Pre Upgrade Checks |
| Upgrade Preparation Tasks |
| Upgrade Tasks |
| Post Upgrade Tasks |
| Endpoint Upgrade Tasks |
| Appendix A. Offline Upgrade Using CLI |
| Appendix B. Troubleshooting Version Installations and Upgrades |
| Appendix C. Troubleshooting Version Installations and Upgrades |
| Overview |
| Contacting Customer Care |
| Pre Upgrade Checks |
| Upgrade Preparation Tasks |
| Upgrade Tasks |
| Post Upgrade Tasks |
| Endpoint Upgrade Tasks |
| Enable New Features |
| Appendix A. Offline Upgrade Using CLI |
| Appendix B. Set Up External Repo |
| Appendix C. Troubleshooting Version Installations and Upgrades |
| Overview |
| Contacting Customer Care |
| Upgrade Preparation Tasks |
| Upgrade Tasks |
| Post Upgrade Tasks |
| Endpoint Upgrade Tasks |
| Enable New Features |
| Appendix A. Offline Upgrade Using CLI |
| Appendix B. Troubleshooting Version Installations and Upgrades |
| Windows Legacy Collection |
| Overview |
| Logstash Input Plugin - Configuration Process |
| Install Logstash |
| Install NetWitness Logstash Input Plugin |
| Configure Logstash Input Plugin |
| Configure SSL |
| Health and Wellness |
| Configure Custom Value Meta |
| (Optional) Configure Logstash Filter Plugin |
| Configure Logstash Output Plugin |
| Known Issues |
| Configure and Manage |
| Decoder and Log Decoder Quick Setup |
| Configure Common Settings on a Decoder |
| Configure Capture Settings |
| (Optional) Configure System-Level (BPF) Packet Filtering |
| (Optional) Configure a Decoder to Capture Data Across All Types of Network Interfaces |
| (Optional) Configure Meta-Only Decoders |
| (Optional) Configure Selective Network Data Collection |
| (Optional) Configure a Decoder to Write Standard pcap-formatted Files |
| (Optional) Multiple Adapter Packet Capture |
| (Optional) Internet Content Adaptation Protocol Capture |
| (Optional) Data Plane Development Kit Packet Capture |
| (Optional) Preserve VLAN Tags When Using the Packet MMAP Capture Interface |
| (Optional) Process Raw Syslog Data without Priority Field |
| (Optional) Configure Decoder to Support OpenAppID |
| Enable and Disable Parsers and Log Parsers |
| Start and Stop Data Capture |
| Configure Decoder Rules |
| Configure Application Rules |
| Configure Correlation Rules |
| Configure Network Rules |
| Fix Rules with Invalid Syntax |
| Decoder Commands for Managing Rules |
| Configure Parsers and Feeds |
| Configure Parsers |
| Use Custom Parsers |
| Enable and Configure the Entropy Parser |
| Flex Parser |
| Arithmetic Functions |
| Common Parser Operations |
| General Functions |
| Logging Functions |
| Nodes |
| Payload Functions |
| Regex |
| String Functions |
| GeoIP2 Parsers |
| Lua Parsers |
| HTTP Parsers |
| Snort Parsers |
| Search Parser |
| Wireless LAN Configuration |
| Troubleshooting Parsers | NetWitness |
| Configure Feeds |
| Custom Feed Definition File Structure |
| Feed Definitions File |
| Create a Custom Feed |
| Create a STIX Custom Feed |
| Create an Identity Feed |
| Upload, Edit, or Remove a Feed |
| Create Custom Meta Keys Using Custom Feed |
| Decoder and Log Decoder Additional Procedures |
| Configure 10G Capability | NetWitness |
| Configure 10G Capability |
| Configure a Log Decoder to Accept Protobuf |
| Configure Session Split Timeouts |
| Configure Syslog Forwarding to Destination |
| Configure Transaction Handling on a Decoder |
| Configure Data Export |
| Decrypt Incoming Packets TLS 1.2 |
| Decrypt Incoming Packets TLS 1.3 |
| Edit Decoder System Configuration Settings |
| Enable CPU Usage Stats for Installed Content |
| Enable Parser Mappings |
| Enable or Disable Lua and Flex Parsing Systems |
| Map IP Address to Service Type |
| Event Time Support |
| Obtain Log Files from a Pre-11.0 Log Decoder |
| Upload a Log File to a Log Decoder |
| Upload a Packet Capture File |
| F5 BIG IP - NetWitness Perfect Forward Secrecy Inspection Visibility |
| Troubleshooting Packet Drops (11.x and above) |
| Decoder and Log Decoder References |
| Services Config View - Capture Policies Tab |
| Services Config View - Edit Policies Wizard |
| Services Config View - Data Privacy Tab |
| Services Config View - Data Retention Scheduler |
| Services Config View - Feeds Tab |
| Services Config View - Upload Feeds Dialog |
| Services Config View - Files Tab |
| Services Config View - General Tab |
| Services Config View - Parsers Tab |
| Services Config View - Parser Mappings Tab |
| Services Config View - Data Export Tab |
| Services Config View - Rules Tab |
| Services Config View - App Rules Tab |
| Services Config View - Correlation Rules Tab |
| Services Config View - Network Rules Tab |
| Services System View - Decoders |
| Broker and Concentrator Basics |
| Overview of Brokers and Concentrators |
| Basic Setup Procedures |
| Step 1. Verify Service System Configuration |
| Step 2. Configure the Aggregation Process |
| Step 3. Configure Aggregate Services |
| Step 4. (Optional) Configure Group Aggregation |
| Step 5. Start and Stop Aggregation |
| Broker and Concentrator Configuration References |
| Services Config View - Broker/Concentrator General Tab |
| Services System View - Broker |
| NetWitness Core Database Introduction |
| Basic Database Configuration |
| Tiered Database Storage |
| Manifests |
| Advanced Database Configuration |
| Database Configuration Nodes |
| Index Configuration Nodes |
| SDK Configuration Nodes |
| Per-User Configuration Nodes |
| Scheduler |
| Rollover |
| Snort Rules and Configuration |
| Queries |
| Index Customization |
| Rebuilding of the Index |
| Optimization Techniques |
| Rule Examples |
| Appendix A: Statistics |
| Appendix B: Index Inspect |
| Live Content in NetWitness Suite |
| Deploy Content |
| Create Live Account |
| Set Up Live Services in NetWitness |
| Deploy Content using Live Content UI |
| Required Procedures |
| Find and Deploy Live Resources |
| Manage Live Resources |
| Search and Download Content from NetWitness Platform Live |
| Additional Procedures |
| Export Data to RSA |
| Create a Resource Package |
| Manage Custom Feeds |
| Create a Custom Feed |
| Create a STIX Custom Feed |
| MetaCallback Feeds |
| Create an Identity Feed |
| Edit a Feed |
| Remove a Feed |
| Subscribing to Resources |
| Miscellaneous Live Services Procedures |
| References |
| Live Configure View |
| Deployments Tab |
| Subscriptions Tab |
| Discontinued Resource Tab |
| Live Feeds View |
| Live Resource View |
| Live Search View |
| Live Search Content View |
| Resource Package Deployment Wizard |
| RSA Live Registration Portal |
| NetWitness Feedback and Data Sharing |
| Troubleshooting |
| Policy-based Centralized Content Management |
| About Policy-based Centralized Content Management |
| Migrate Content from Core Services to Content Library |
| About Content Library |
| Import Content to Content Library |
| Create an Application Rule |
| Edit Application Rule |
| Delete Application Rule |
| View Application Rule Details |
| Create a Network Rule |
| Edit Network Rule |
| Delete Network Rule |
| View Network Rule Details |
| About Groups |
| Create a Group |
| View a Group |
| Delete a Group |
| Edit a Group |
| About Policies |
| Create and Publish Policies |
| Clone a Policy |
| Delete a Policy |
| Edit a Policy |
| View a Policy |
| Enable Content for a Policy |
| Disable Content for a Policy |
| References |
| Content Library Tab |
| Groups Tab |
| Policies Tab |
| Appendix A: Endpoint Risk Scoring Rules |
| About Log Collection |
| Log Collection Architecture |
| Basic Implementation |
| Provision Local and Remote Collectors |
| Configure LC/RC |
| Configure Failover |
| Configure Replication |
| Configure Chain of Remote Collectors |
| Throttle RC to LC Bandwidth |
| Set up a Lockbox |
| Start Collection Services |
| Verify Log Collection is Working |
| Configure Certificates |
| Configure Custom Certificates |
| Log Collection Basics |
| Basic Procedure |
| Search for Specific Event Sources |
| Configure Event Filters for Log Collector |
| Import, Export, Edit and Test Event Sources in Bulk |
| Collection Protocols |
| Configure AWS (CloudTrail) Event Sources |
| Configure Azure Event Sources |
| Configure Check Point Event Sources |
| Configure File Event Sources |
| Configure Logstash |
| Configure Netflow Event Sources |
| Configure ODBC Event Sources |
| Configure DSNs |
| Create Custom Typespec |
| Troubleshoot ODBC Collection |
| Configure SDEE Event Sources |
| Configure SNMP Event Sources |
| Configure Syslog Event Sources |
| Configure VMware Event Sources |
| Configure Windows Event Sources |
| Windows Legacy Configuration |
| Set Up Windows Legacy Collector |
| Configure Windows Legacy and NetApp Event Sources in RSA NetWitness |
| Troubleshoot Windows Legacy and NetApp Collection |
| AWS Parameters |
| Azure Parameters |
| Check Point Parameters |
| File Parameters |
| Service System View |
| ODBC Parameters |
| ODBC DSN Parameters |
| Remote/Local Collectors Configuration Parameters |
| Tabs |
| General Tab |
| Event Destinations Tab |
| Event Sources Tab |
| Settings Tab |
| Log Collection: Troubleshoot |
| NetWitness Event Sources |
| Managing Event Sources |
| Alarms and Notifications |
| Automatic Alerting |
| Common Scenarios for Monitoring Policies |
| Manage Event Source Groups |
| Create Event Source Groups |
| Create Event Source Group Form |
| Acknowledge and Map Event Sources |
| Edit or Delete Event Source Groups |
| Remove Idle Event Sources |
| Create an Event Source and Edit its Attributes |
| Bulk Edit Event Source Attributes |
| Import Event Sources |
| Export Event Sources |
| Sort Event Sources |
| Monitor Polices |
| Configure Event Source Group Alerts |
| Set Up Notifications |
| Disable Notifications |
| Configure Automatic Alerting |
| View Event Source Alarms |
| Event Source References |
| Discovery Tab |
| Manage Tab |
| Manage Tab - Historical Graph View |
| Manage Event Source Tab |
| Event Sources View |
| Create/Edit Group Form |
| Details View |
| Manage Parser Mappings |
| Alarms Tab |
| Monitoring Policies Tab |
| Settings Tab |
| Log Parser Rules Tab (version 11.1 only) |
| Troubleshooting/Appendix |
| Alarms and Notifications Issues |
| Duplicate Log Messages |
| Troubleshoot Feeds |
| Import File Issues |
| Negative Policy Numbering |
| Viewing Logs from Pre-11.0 Log Decoder |
| Log Parser Rules Customization |
| Add or Delete Log Parser |
| JSON Mappings |
| Create Custom Log Parser Rules |
| Log Parsers and the Default Log Parser |
| Use Cases |
| Extend a Log Parser Example |
| Select the Reference Log Decoder |
| Move Log Parser Rules to Production |
| Troubleshooting and Limitations |
| Log Parser Rules Tab |
| Overview |
| Dataflow |
| Install Logstash |
| Install and Configure the NetWitness Codec |
| Configure Logstash Output Plugins |
| Configure Event Source |
| Advanced NetWitness Configuration |
| Coding Appendix: Linux event Source Example |
| Coding Appendix: Build a Parser |
| Overview |
| Logstash Input Plugin - Configuration Process |
| Install Logstash |
| Install NetWitness Logstash Input Plugin |
| Configure Logstash Input Plugin |
| Configure SSL |
| Health and Wellness |
| Configure Custom Value Meta |
| (Optional) Configure Logstash Filter Plugin |
| Configure Logstash Output Plugin |
| Known Issues |
| Archiver Overview |
| Basic Archiver Configuration |
| Add the Archiver Service |
| Add Log Decoder as a Data Source to Archiver |
| Configure Archiver Storage and Log Retention |
| Configure Hot, Warm, and Cold Storage |
| Configure Log Storage Collections |
| Define Retention Rules |
| Add Archiver as a Data Source to Reporting Engine |
| Configure Archiver Monitoring |
| Additional Archiver Configuration |
| Configure Data Backup and Restore |
| Retrieve Hash Information |
| Archiver References |
| Archiver Collection Dialog |
| Archiver Services Config View - General Tab |
| Archiver Service Configuration |
| Data Retention Tab - Archiver |
| Services Config View - Archiver |
| Overview |
| Configuration Procedures |
| Add Workbench Service as a Data Source to Broker |
| Add Workbench as a Data Source to Reporting Engine |
| Manage Collections |
| Services Config View |
| Services Config View - Collections Tab |
| Services Config View - General Tab |
| Troubleshooting |
| Event Stream Analysis Overview |
| Configure ESA Correlation Rules |
| Additional ESA Correlation Rules Procedures |
| Update Your ESA Rules for the Required Multi-Value and Single-Value Meta Keys |
| Configure Advanced Settings for ESA Correlation |
| Configure Character Case for Advanced ESA Rules |
| Deploy Endpoint Risk Scoring Rules on ESA |
| Change Memory Threshold for ESA Rules |
| Start, Stop, or Restart ESA Service |
| View Audit Logs and Verify ESA Component Versions |
| References - Previous ESA Versions |
| Services Config View Data Sources Tab (11.2 and Earlier) |
| Services Config View Advanced Tab (11.2 and Earlier) |
| Whois Lookup Service Configuration (11.1.x to 11.4.x) |
| ESA Analytics Mappings (11.1.x to 11.4.x) |
| Module Settings (11.1.x to 11.4.x) |
| Getting Started with ESA |
| Best Practices |
| Troubleshoot ESA |
| View Memory Metrics for Rules |
| How ESA Handles Sensitive Data |
| ESA Rule Types |
| ESA Permissions |
| Practice with Sample Rules |
| Working with Trial Rules |
| Add Rules to the Rules Library |
| Download Configurable RSA Live ESA Rules |
| Customize an RSA Live ESA Rule |
| Add a Rule Builder Rule |
| Step 1. Name and Describe the Rule |
| Step 2. Build a Rule Statement |
| Step 3. Add Conditions to a Rule Statement |
| Working With Rules |
| Edit, Duplicate or Delete a Rule |
| Filter or Search for Rules |
| Import or Export Rules |
| Choose How to Be Notified of Alerts |
| Notification Methods |
| Add Notification Method to a Rule |
| Add a Data Enrichment Source |
| Enrichment Sources |
| Configure a Context Hub List as an Enrichment Source |
| Configure an In-Memory Table as an Enrichment Source |
| Add an Enrichment to a Rule |
| Deploy Rules to Run on ESA |
| ESA Rule Deployment Steps |
| Additional ESA Rule Deployment Procedures |
| View ESA Stats and Alerts |
| View Stats for an ESA Service |
| View a Summary of Alerts |
| Add an Advanced EPL Rule |
| Event Processing Language (EPL) |
| ESA Annotations |
| Example Advanced EPL Rules |
| Configure an In-Memory Table Using an EPL Query |
| ESA Alert References |
| RulesTab |
| Rules Tab Options Panel |
| Rule Library Panel |
| Rule Builder Tab |
| Build a Statement Dialog |
| Advanced EPL Rule Tab |
| Rule Syntax Dialog |
| Deployment Panel |
| Deploy ESA Services Dialog |
| Deploy ESA Rules Dialog |
| Updates to the Deployment Dialog |
| Services Tab |
| Settings Tab |
| How Context Hub Works |
| Configure Lists as a Data Source |
| Configure Archer as a Data Source |
| Configure Active Directory Data Source |
| Configure RSA EndPoint Data Source |
| Configure Respond Data Source |
| Configure File Reputation Server Data Source |
| Configure STIX as a Data Source |
| Configure RESTAPI as a Data Source |
| Configure Data Sources Settings |
| Import or Export Lists for Context Hub |
| Manage Meta Type and Meta Key Mapping |
| Context Hub Data Sources Tab |
| Context Hub Lists Tab |
| Context Hub STIX Tab |
| Troubleshooting |
| How Malware Analysis Works |
| Basic Setup |
| Configure Malware Analysis Operating Environment |
| Configure General Malware Analysis Settings |
| Configure Indicators of Compromise |
| Configure Installed Antivirus Vendors |
| Enable Community Scoring |
| (Optional) Configure Auditing on Malware Analysis Host |
| (Optional) Configure Hash Filter |
| (Optional) Configure Malware Analysis Proxy Settings |
| (Optional) Register for a ThreatGRID API Key |
| Additional Procedures for Configuring Malware Analysis |
| Create Custom Alert in CEF Format |
| Enable Custom YARA Content |
| Supported Antivirus Vendors |
| Malware Analysis References |
| Services Config View - General Tab |
| Services Config View - Indicators of Compromise Tab |
| Services Config View - IOC Summary Tab |
| Services Config View - Auditing Tab |
| Services Config View - Hash Tab |
| Services Config View - AV Tab |
| Services Config View - Proxy Tab |
| Services Config View - ThreatGRID Tab |
| Services Config View - Integration Tab |
| NetWitness Endpoint Overview |
| Agent Modes |
| Endpoint Server Configuration |
| Deploy Endpoint Application Rules and ESA Correlation Rules |
| Setup Meta Forwarding to Log Decoder |
| Endpoint Sources |
| Create Groups and Policies |
| Manage Groups |
| Manage Policies |
| Change Policy Ordering for Groups |
| Configure Data Retention Policy |
| Manage Role Permissions at Endpoint Server Level |
| Manage Inactive Agents |
| Configure Retention Policy for Memory Dumps and MFT |
| (Optional) Installing and Configuring Relay Server |
| Endpoint YARA Rules |
| Configure OPSWAT |
| Integrate NetWitness Endpoint 4.4.0.2 or Later with NetWitness Endpoint 11.3 |
| Endpoint References |
| General Tab |
| Data Retention Scheduler Tab |
| Packager Tab |
| Relay Server Tab |
| Endpoint Sources - Groups |
| Endpoint Sources - Policies |
| Troubleshooting |
| Reset File Collection Bookmarks |
| Supported File Log Event Source Types |
| Specify UNC Paths |
| About this Document |
| NetWitness Respond Configuration Overview |
| Configuring NetWitness Respond |
| Step 1. Configure Alert Sources to Display Alerts in the Respond View |
| Step 2. Assign Respond View Permissions |
| Step 3. Enable and Create Incident Rules for Alerts |
| Additional Procedures for Respond Configuration |
| Set Up and Verify Default Incident Rules |
| Configure Risk Scoring Settings for Automated Incident Creation |
| Configure Custom Respond Server Alert Normalization |
| Configure Analyst UI for Respond Server Alert Normalization |
| Configure Incident Email Notification Settings |
| Set a Retention Period for Alerts and Incidents |
| Obfuscate Private Data |
| Manage Incidents in Archer Cyber Incident & Breach Response |
| Configure the Option to Send Incidents to Archer |
| Configure Threat Aware Authentication |
| Set a Counter for Matched Alerts and Incidents |
| Edit the Incident Rules Export ZIP File |
| Configure a Database for the Respond Server Service |
| NetWitness Respond Configuration Reference |
| Configure View |
| Incident Rules View |
| Incident Rule Details View |
| Incident Email Notification Settings View |
| Aggregation Rules Tab (11.0 and earlier) |
| New Rule tab (11.0 and earlier) |
| How Reporting Engine Works |
| Configure Reporting Engine |
| Configure the Data Sources |
| (Optional) Add Workbench as Data Source to Reporting Engine |
| (Optional) Add Archiver as Data Source to Reporting Engine |
| (Optional) Integrate EndPoint Information Into Reports |
| (Optional) Add Collection as Data Source to Reporting Engine |
| Configure Data Privacy for Reporting Engine |
| Configure Data Source Permissions |
| Configure Reporting Engine Settings |
| Enable LDAP Authentication |
| Add Additional Space for Large Reports |
| Managing Log File Parameters |
| Configure Task Scheduler for a Reporting Engine |
| How to Define Reports, Charts, and Alerts |
| Configure Reporting Engine General Settings |
| Reporting Engine Reference |
| Reporting Engine General Tab |
| Reporting Engine Sources Tab |
| Reporting Engine Output Actions Tab |
| Reporting Engine Manage Logos Tab |
| How Warehouse Connector Works |
| Install Warehouse Connector Service on a Log Decoder or Decoder |
| Configure a Warehouse Connector Service |
| Configure the Data Source for Warehouse Connector |
| Configure the Destination |
| Configure the Destination Using NFS |
| Configure the Destination Using SFTP |
| Configure the Destination Using WebHDFS |
| Configure a Stream |
| Monitor a Warehouse Connector |
| Add Warehouse as a Data Source to Reporting Engine |
| Analyze a Warehouse Report |
| View the Warehouse Connector Service |
| Troubleshoot the Warehouse Connector |
| Manage a Stream |
| Manage a Lockbox |
| Warehouse Connector Configuration References |
| General Tab Settings |
| Appliance Service Configuration Tab Settings |
| Sources and Destinations Configuration |
| Add Stream Dialog |
| Streams Configuration |
| Lockbox Settings |
| UEBA Configuration Overview |
| UEBA Configuration |
| UEBA Configuration Troubleshooting |
| Introduction |
| Admin-server Configuration |
| Analysis-server Configuration |
| Config-server Configuration |
| Content-server Configuration |
| Contexthub-server Configuration |
| Correlation-server Configuration |
| Endpoint-broker-server Configuration |
| Endpoint-server Configuration |
| Enrichment-server Configuration |
| Integration-server Configuration |
| Investigate-server Configuration |
| Launch-framework Configuration |
| License-server Configuration |
| Metrics-server Configuration |
| Node-infra-server Configuration |
| No-op-server Configuration |
| Orchestration-server Configuration |
| Relay-server Configuration |
| Respond-server Configuration |
| Security-server Configuration |
| Source-server Configuration |
| Set Up System Security |
| Configure Password Complexity |
| Change the Default Admin Passwords |
| Configure System-Level Security Settings |
| (Optional) Configure External Authentication |
| Configure Active Directory |
| Configure PAM Login Capability |
| (Optional) Configure PKI Authentication |
| (Optional) Use a Custom Server Certificate |
| (Optional) Create a Customized Login Banner |
| How Role-Based Access Control Works |
| Role Permissions |
| Manage Users with Roles and Permissions |
| Review the Preconfigured NetWitness Platform Roles |
| (Optional) Add a Role and Assign Permissions |
| Verify Query and Session Attributes per Role |
| Set Up Users |
| (Optional) Map User Roles to External Groups |
| Search for External Groups |
| Set Up Multi-Factor Authentication |
| Set Up Single Sign-On Authentication |
| Configure Single Sign-On |
| (Optional) Set Up Public Key Infrastructure (PKI) Authentication |
| Configure PKI Authentication |
| Import Server Certificate and Trusted CA Certificate |
| (Optional) Configure the CRL Manually |
| Enable PKI Authentication |
| Disable PKI |
| Delete Server Certificate and Trusted CA Certificate |
| Troubleshooting |
| References |
| Admin Security View |
| Users Tab |
| Add or Edit User Dialog |
| Roles Tab |
| Add or Edit Role Dialog |
| External Group Mapping Tab |
| Add Role Mapping Dialog |
| Search External Groups Dialog |
| Settings Tab |
| PKI Settings Tab |
| Login Banner Tab |
| Single Sign-On Settings Tab |
| Data Privacy Overview |
| Recommended Configurations |
| Quick Start Procedures |
| Prepare to Configure Data Privacy |
| Configure the Recommended Data Privacy Solution |
| In-Depth Procedures |
| Configure Data Obfuscation |
| Configure Data Retention |
| Configure User Accounts for Use in Data Privacy |
| Data Privacy References |
| System Configuration Overview |
| Standard Procedures |
| Access System Settings |
| Configure Notification Servers |
| Notification Servers Overview |
| Configure the Email Settings as Notification Server |
| Configure Script as a Notification Server |
| Configure the SNMP Settings as Notification Server |
| Configure a Syslog Notification Server |
| Configure Notification Outputs |
| Notification Outputs Overview |
| Configure Email as a Notification |
| Configure Script as a Notification |
| Configure SNMP as a Notification |
| Configure Syslog as a Notification |
| Configure Templates for Notifications |
| Configure Global Notification Templates |
| Define a Template for ESA Alert Notifications |
| Import and Export a Global NotificationsTemplate |
| Configure Email Server and Notification Account |
| Configure Global Audit Logging |
| Configure a Destination to Receive Global Audit Logs |
| Define a Template for Global Audit Logging |
| Define a Global Audit Logging Configuration |
| Verify Global Audit Logs |
| Configure Centralized Audit Logging |
| Configure Investigation Settings |
| Configure Live Services Settings |
| Live Feedback Overview |
| Upload Data to RSA |
| Configure Log File Settings |
| Configure Syslog and SNMP Settings |
| AdditionalProcedures |
| Add Custom Context Menu Actions |
| Configure NTP Servers |
| Configure Proxy for Security Analytics |
| Troubleshooting System Configuration |
| References |
| Global Audit Logging Configurations Panel |
| Add New Configuration Dialog |
| Supported CEF Meta Keys |
| Supported Global Audit Logging Meta Key Variables |
| Global Audit Logging Operation Reference |
| Local Audit Log Locations |
| Global Notifications Panel |
| Define Notification Server Dialogs |
| Define Notification Output Dialogs |
| Define Notification Template Dialog |
| Output Tab |
| Servers Tab |
| Templates Tab |
| HTTP Proxy Settings Panel |
| Email Configuration Panel |
| Investigation Configuration Panel |
| Live Services Configuration Panel |
| NTP Settings Panel |
| Context Menu Actions Panel |
| Legacy Notifications Configuration Panel |
| Overview |
| Review Best Practices |
| Health and Wellness |
| Monitor Health and Wellness using NetWitness Platform UI |
| Manage Policies |
| Include the Default Email Subject Line |
| Monitor System Statistics |
| Filter System Statistics |
| Create Historical Graph of System Statistics |
| Monitor Service Statistics |
| Add Statistics to a Gauge or Chart |
| Edit Properties of Statistics Gauges |
| Edit Properties of Timeline Charts |
| Monitor Hosts and Services |
| Filter Hosts and Services in the Monitoring View |
| Monitor Host Details |
| Monitor Service Details |
| Monitor Event Sources |
| Configure Event Source Monitoring |
| Filter Event Sources |
| Create Historical Graph of Events Collected for an Event Source |
| Monitor Alarms |
| Monitor Health and Wellness Using SNMP Alerts |
| Troubleshooting Health & Wellness |
| Monitor using New Health and Wellness |
| Configuring Alert Notifications |
| Adding Alert Notifications |
| Suppressing Notifications |
| Monitoring through Dashboards |
| Creating Custom dashboard |
| Monitoring through Alerts |
| Creating Custom Monitors |
| Adding Custom Trigger to an Existing Monitor |
| Managing Dashboards and Alerts |
| Managing Alert Notifications |
| Advanced Configurations |
| Backup and Restore New Health and Wellness |
| Troubleshooting Health and Wellness |
| Appendices |
| New Health and Wellness Dashboards |
| New Health and Wellness Monitors |
| Uninstall New Health and Wellness |
| Manage NetWitness Platform Updates |
| Reissue Certificates |
| DisplaySystem and Service Logs |
| Access Reporting Engine Log File |
| Search and Export Historical Logs |
| Maintain Queries Using URL Integration |
| Manage the deploy_admin Account |
| NW Server Host Secondary IP Configuration Management |
| Change Host Network Configuration |
| Manage Custom Host Entries |
| Configure FIPS Support |
| Configure DISA STIG Hardening |
| Troubleshoot NetWitness Platform |
| Debugging Information |
| Error Notification |
| Miscellaneous Tips |
| Troubleshoot Feeds |
| Troubleshooting Cert-Reissue Command |
| References |
| Health and Wellness |
| Health and Wellness View - Alarms View |
| Event Source Monitoring View |
| Health and Wellness Historical Graphs |
| Historical Graph View for Events Collected from an Event Source |
| Historical Graph View for System Stats |
| Health and Wellness Settings View - Archiver |
| Health and Wellness Settings View - Event Sources |
| Health and Wellness Settings View - Warehouse Connector |
| Monitoring View |
| Archiver Details View |
| Broker Details View |
| Concentrator Details View |
| Decoder Details View |
| ESA Correlation Details View |
| ESA Analytics Details View |
| Host Details View |
| Log Collector Details View |
| Log Decoder Details View |
| Malware Details View |
| Warehouse Connector Details View |
| Policies View |
| Health and Wellness Email Templates |
| NetWitness Platform Out-of-the-Box Policies |
| System Stats Browser View |
| New Health and Wellness Settings |
| System View - System Info Panel |
| System Updates Panel - Settings View |
| System Logging - Settings View |
| System Logging - Realtime View |
| System Logging - Historical View |
| Disaster Recovery |
| Disaster Recovery Azure |
| Disater Recovery AWS |
| Appendix A. Modify fstab for Series 5 and 6 Hybrid Storage After Recovery |
| Investigate and Respond |
| How NetWitness Investigate Works |
| Configuring NetWitness Investigate Views and Preferences |
| Configure the Navigate View and Legacy Events View |
| Configure the Events View |
| Beginning an Investigation |
| Begin an Investigation in the Navigate or Legacy Events View |
| Begin an Investigation in the Events View |
| Refining the Results Set |
| Use Meta Groups to Focus on Relevant Meta Keys |
| Use Columns and Column Groups in the Events List |
| Use Query Profiles to Encapsulate Common Areas for Investigation |
| Drill into Metadata in the Events View (Beta) |
| Filter Results in the Events View |
| Filter Results in the Navigate View |
| Filter Results in the Legacy Events View |
| Create a Query in the Navigate and Legacy Events Views |
| Search for Text Patterns in the Navigate and Legacy Events Views |
| View and Modify Queries Using URL Integration |
| Reconstructing and Analyzing Events |
| Examine Event Details in the Events View |
| Analyze Events in the Events View |
| Reconstruct an Event in the Legacy Events View |
| Look Up Additional Context for Results |
| Launch a Lookup of a Meta Key |
| Launch a Malware Analysis Scan from the Navigate View |
| Group Events from Split and Related Sessions in the Events and Legacy Events Views |
| Visualize Metadata as Parallel Coordinates |
| Visualize the Current Drill Point in Informer |
| Downloading and Acting Upon Results |
| Download Data in the Events View |
| Export or Print a Drill Point in the Navigate View |
| Export Events in the Legacy Events View |
| Add Events to an Incident in the Events View |
| Add Events to an Incident in the Legacy Events View |
| Troubleshooting Investigate |
| Investigate Reference Materials |
| Add Events to an Incident Dialog |
| Add/Remove from List Dialog |
| Column Groups Dialogs |
| Context Lookup Panel |
| Create an Incident Dialog |
| Events View |
| Events View - Email Tab |
| Events View - File Tab |
| Events View - Host Tab |
| Events View - Packet Tab |
| Events View - Text Tab |
| Investigate Dialog |
| Investigation Tab - User Preferences Panel |
| Investigate View |
| Legacy Event Reconstruction View |
| Legacy Events View |
| Manage Default Meta Keys Dialog |
| Meta Groups Dialogs |
| Navigate View |
| Query Dialog |
| Query Profiles Dialogs |
| Generate Springboard Panel Dialog |
| Settings Dialogs for Investigate Views |
| Malware Analysis Functions |
| Malware Scoring Modules |
| Conducting Malware Analysis |
| Begin a Malware Analysis Investigation |
| Implement Custom YARA Content |
| Examine Scan Files and Events in List Form |
| Configure the Malware Analysis Summary of Events View |
| Filter Dashlet Data in the Summary of Events View |
| Upload Files for Malware Analysis Scanning |
| View Detailed Malware Analysis of an Event |
| Malware Analysis Reference Materials |
| Malware Analysis View |
| Malware Analysis Events List and Files List |
| Scan For Malware Dialog |
| Select a Malware Analysis Service Dialog |
| Introduction to Endpoint Investigation |
| Workflow of an Investigation |
| Investigate Files |
| Investigate Hosts |
| Investigate Process |
| Change File Status and Remediate |
| Analyze Downloaded Files |
| Perform Forensic Investigation |
| Analyze Events |
| Network Isolation |
| NetWitness Endpoint with Third-Party Antivirus Products |
| Troubleshooting NetWitness Endpoint |
| NetWitness Endpoint Reference Materials |
| Files View |
| Hosts View |
| Hosts View - Details Tab |
| Hosts View - Process Tab |
| Hosts View - Autoruns Tab |
| Hosts View - Files Tab |
| Hosts View - Drivers Tab |
| Hosts View - Libraries Tab |
| Hosts View - Anomalies Tab |
| Hosts View - Downloads Tab |
| Hosts View - System Information |
| Hosts View - Agent History Tab |
| Introduction |
| UEBA use Cases for Windows Logs |
| How to Investigate High-Risk Entities |
| Identify High-Risk Entities |
| Begin an Investigation of High-Risk Entities |
| Take Action on High-Risk Entities |
| Manage High-Risk Entities |
| Investigate Top Alerts |
| Filter Alerts |
| Investigate Indicators |
| Manage Top Alerts |
| Modeled Behaviors for Users |
| View NetWitness UEBA Metrics in Health and Wellness |
| Monitor Health and Wellness of UEBA |
| Reference |
| Overview View |
| Users View |
| Alerts View |
| User Profile View |
| Appendix: UEBA Windows Audit Policy |
| NetWitness Respond Process |
| Responding to Incidents |
| Determine which Incidents Require Action |
| Investigate the Incident |
| Escalate or Remediate the Incident |
| Incident Response Use Case Examples |
| Reviewing Alerts |
| Review Endpoint Alerts using Process Tree |
| NetWitness Respond Reference Information |
| Incidents List View |
| Incident Details View |
| Alerts List View |
| Alert Details View |
| Tasks List View |
| Add/Remove From List Dialog |
| Context Lookup Panel - Respond View |
| Reporting Overview |
| Configure and Generate a Report |
| Configure a Rule |
| Create and Schedule a Report |
| View a Report |
| Investigate a Report |
| Manage a List or Rule or Report |
| Working with Charts |
| Chart Overview |
| Configure a Chart |
| Schedule a Chart |
| View a Chart |
| Test a Chart |
| Investigate a Chart |
| Manage Chart Groups and Charts |
| Working with Alerts |
| Alert Overview |
| Configure Reporting Engine |
| Configure an Alert |
| Schedule an Alert |
| View an Alert |
| Investigate an Alert |
| Manage Alerts and Alert Templates |
| Appendix |
| Rule Syntax |
| Warehouse DB Simple Rules |
| Warehouse DB Advanced Rules |
| Task Scheduler for Warehouse Reporting |
| Query Aggregates |
| Troubleshoot Reporting |
| Reporting References |
| Build Chart View |
| Build List View |
| Build Report View |
| Build Rule View |
| Chart Permissions Dialog |
| Chart View |
| Execution History Panel |
| Generate List Dialog |
| Import Chart Dialog |
| Import Report Dialog |
| Investigate a Chart View |
| List Permissions Dialog |
| List View |
| Reports Permissions Dialog |
| Report View |
| Rule Permissions Dialog |
| Rule View |
| Select a Logo Dialog |
| Schedule a Chart View |
| Schedule Report Panel |
| Scheduled Reports View |
| Test a Chart View |
| View a Chart Panel |
| View All Charts Panel |
| View a Report Panel |
| View All Reports Panel |
| Alerting References |
| Alert List View |
| Alert Permissions Dialog |
| Alert Schedules View |
| Create or Modify Alert Panel |
| Investigate an Alert View |
| Import Alert Dialog |
| Template References |
| Alert Template View |
| Create or Modify Template View |
| View Alerts Schedule View |
| View Alerts View |
| Develop and Integrate |
| Archer Integration |
| Configure NetWitness Suite to Work With Archer |
| Manage Unified Collector Framework |
| Troubleshoot Archer Integration |
| RSA Endpoint Integration |
| Configure Endpoint Alerts via Message Bus |
| Configure Contextual Data from Endpoint via Recurring Feed |
| Configure Endpoint Alerts via Syslog into a Log Decoder |
| Intro |
| Usage |
| Enable |
| Packets |
| Parser/Feed Upload |
| Statistics Graph |
| SDK Commands |
| NetWitness Core Services API Guide |
| NetWitness API Guide |
| shell |
| tree |
| Access NwConsole and Help |
| Basic Command Line Parameters and Editing |
| Connecting to a Service |
| Monitoring Stats |
| Useful Commands |
| SDK Content Command |
| SDK Content Command Examples |
| Commands Used for Troubleshooting |
