Contents
Release Notes |
What's New |
Fixed Issues |
Product Documentation |
Getting Help with NetWitness Platform |
Build Numbers |
Revision History |
What's New |
Fixed Issues |
Product Documentation |
Getting Help with NetWitness Platform |
Build Numbers |
Revision History |
What's New |
Product Documentation |
Getting Help with NetWitness Platform |
Build Numbers |
Revision History |
Appendix |
Upgrade Instructions |
What's New |
Known Issues |
Product Documentation |
Getting Help with NetWitness Platform |
Build Numbers |
Revision History |
Appendix |
Upgrade Instructions |
What's New |
Fixed Issues |
Product Documentation |
Getting Help with NetWitness Platform |
Build Numbers |
Revision History |
Title |
Copyrights |
What's New |
Fixed Issues |
Product Documentation |
Getting Help with NetWitness Platform |
Build Numbers |
Revision History |
Known Issues |
Security Fixes |
Getting Started |
Getting Started with NetWitness Platform |
Logging in to NetWitness Platform |
Changing Your Password |
Identifying Your Role |
NetWitness Platform Basic Navigation |
Setting Up Your Default View by SOC Role |
Managing the Springboard |
Managing Dashboards |
Setting User Preferences |
Managing Jobs |
Viewing and Deleting Notifications |
Viewing Help in the Application |
Finding Documents on NetWitness Community |
Troubleshooting for User Setup |
NetWitness Platform Getting Started References |
User Preferences |
Notifications Panel and Notifications Tray |
Jobs Panel and Jobs Tray |
Hosts and Services Basics |
Hosts and Services Set Up Procedures |
Hosts and Services Maintenance Procedures |
References |
Hosts View |
Services View |
Edit Service Dialog |
Services Config View |
Services Config View - Appliance Service Configuration Tab |
Services Config View - Data Retention Scheduler Tab |
Services Config View - Files Tab |
Services Explore View |
Services Explore View - Properties Dialog |
Services Logs View |
Services Security View |
Services Security View - Users Tab |
Services Security View - Roles Tab |
Services Security View - Service User Roles and Permissions |
Services Security View - Aggregation Role |
Services Security View - Settings Tab |
Services Stats View |
Services Stats View - Chart Stats Tray |
Services Stats View - Gauges |
Services Stats View - Timeline Charts |
Services System View |
Services Topology View |
Services System View - Host Task List Dialog |
Service Configuration Parameters |
Aggregation Configuration Parameters |
Appliance Service Configuration Parameters |
Archiver Service Configuration Parameters |
Broker Service Configuration Parameters |
Concentrator Service Configuration Parameters |
Core Service Logging Configuration Parameters |
Core Service-to-Service Configuration Parameters |
Core Service System Configuration Parameters |
Decoder Configuration Parameters |
Network Decoder Service Configuration Parameters |
Log Decoder Service Configuration Parameters |
REST Interface Configuration Parameters |
NetWitness Platform Core Service system.roles Modes |
Centralized Service Configuration via Policy |
Centralized Service Configuration - Groups Tab |
Centralized Service Configuration - Policies Tab |
Troubleshooting Version Installations and Updates |
Introduction |
Admin-server Configuration |
Analysis-server Configuration |
Config-server Configuration |
Content-server Configuration |
Contexthub-server Configuration |
Correlation-server Configuration |
Endpoint-broker-server Configuration |
Endpoint-server Configuration |
Enrichment-server Configuration |
Integration-server Configuration |
Investigate-server Configuration |
Launch-framework Configuration |
License-server Configuration |
Metrics-server Configuration |
Node-infra-server Configuration |
No-op-server Configuration |
Orchestration-server Configuration |
Relay-server Configuration |
Respond-server Configuration |
Security-server Configuration |
Source-server Configuration |
What Is NetWitness Investigate |
QuickStart |
QuickStart |
Install and Upgrade |
The Basics |
Deployment Optional Setup Procedures |
Network Architecture and Ports |
Site Requirements and Safety |
Entitlement Capability Implementation |
Initial Set Up |
Obtain License Server ID from NetWitness Platform UI |
Access Product Licenses from myRSA |
Synchronize NetWitness Server |
Synchronize Local Licensing Server Offline |
License Types |
Configure NetWitness Notifications |
About Out-of-Compliance Banners |
Troubleshoot Licensing |
Licensing Panel Reference |
Usage Trend |
Reassign Licenses |
Export Usage Stats |
Settings Tab |
Out-of-Compliance Reference |
Introduction |
Installation Tasks |
Update or Install Legacy Windows Collection |
Post Installation Tasks |
Appendix A. Troubleshooting |
Appendix B. Create External Repo |
Appendix C. Silent Installation Using CLI |
Appendix D. Third Party Server System Requirement |
Basic Deployment |
Install NW Virtual Host in Virtual Environment |
Step 1a. Create Virtual Machine - VMware |
Step 1b. Deploy the Virtual Host in Hyper-V |
Step 1c. Create Virtual Machine in Nutanix AHV |
Step 2. Configure Databases to Accommodate NetWitness Platform |
Task 1. Add New Disk |
Task 2. Storage Configurations |
Step 3. Installation Tasks |
Step 4. Configure Host-Specific Parameters |
Step 5. Post Installation Tasks |
Appendix A. Troubleshooting |
Appendix B. Silent Installation Using CLI |
Appendix C. Virtual Host Recommended System Requirements |
Appendix D. Update the Virtual ESA Host Memory |
Storage Overview |
Storage Requirements |
Prepare Physical Storage |
Prepare Virtual or Cloud Storage |
Configure Storage Using the REST API |
Prepare Unity Storage |
Migrate Data to Another Storage Type |
Appendix A. How NetWitness Platform Hosts Store Data |
Appendix B. Encrypt a Series 6E Core or Hybrid Host (encryptSedVd.py) |
Appendix C. Troubleshooting |
Appendix D. Sample Storage Configuration Scenarios |
Revision History |
AWS Deployment Overview |
AWS Deployment |
Establish AWS Environment |
Find NetWitness AMIs |
Launch an Instance and Configure a Host |
Configure Hosts (Instances) in NetWitness Platform |
Configure Packet Capture |
Instance Configuration Recommendations |
Appendix A. Silent Installation Using CLI |
Azure Installation Overview |
Azure Configuration Recommendations |
Azure Deployment |
Partition Recommendations |
Deploy NW Server Host in Azure |
Deploy Component Core Services in Azure |
Installation Tasks |
Appendix A. Silent Installation Using CLI |
Google Cloud Platform Installation Overview |
GCP Deployment |
Prerequisites |
Find NetWitness Platform GCP Images |
Establish gcloud Environment |
Create an Instance using Google Cloud SDK Shell |
Installation Tasks |
Configure Hosts (Instances) in NetWitness Platform |
GCP Instance Configuration Recommendations |
Introduction to Endpoint Agent Installation |
Prerequisites |
Generate an Agent Packager |
Generate Agent Installers |
Deploy and Verify Agents |
Uninstall Agents |
Upgrade Agents |
Recommendations for Installing Agents in Virtual Desktop Infrastructure Environment |
Troubleshooting |
Introduction |
Migrating NetWitness Endpoint 4.4.0.x to NetWitness Platform |
Importing NetWitness Endpoint 4.4.0.x Configurations to NetWitness Platform |
Introduction |
NetWitness UEBA Standalone Installation |
System Requirement |
Installation Tasks |
Post Installation Tasks |
Overview |
Contacting Customer Care |
Pre Upgrade Checks |
Upgrade Preparation Tasks |
Upgrade Tasks |
Post Upgrade Tasks |
Endpoint Upgrade Tasks |
Appendix A. Offline Upgrade Using CLI |
Appendix B. Troubleshooting Version Installations and Upgrades |
Appendix C. Troubleshooting Version Installations and Upgrades |
Overview |
Contacting Customer Care |
Pre Upgrade Checks |
Upgrade Preparation Tasks |
Upgrade Tasks |
Post Upgrade Tasks |
Endpoint Upgrade Tasks |
Enable New Features |
Appendix A. Offline Upgrade Using CLI |
Appendix B. Set Up External Repo |
Appendix C. Troubleshooting Version Installations and Upgrades |
Overview |
Contacting Customer Care |
Upgrade Preparation Tasks |
Upgrade Tasks |
Post Upgrade Tasks |
Endpoint Upgrade Tasks |
Enable New Features |
Appendix A. Offline Upgrade Using CLI |
Appendix B. Troubleshooting Version Installations and Upgrades |
Windows Legacy Collection |
Overview |
Logstash Input Plugin - Configuration Process |
Install Logstash |
Install NetWitness Logstash Input Plugin |
Configure Logstash Input Plugin |
Configure SSL |
Health and Wellness |
Configure Custom Value Meta |
(Optional) Configure Logstash Filter Plugin |
Configure Logstash Output Plugin |
Known Issues |
Configure and Manage |
Decoder and Log Decoder Quick Setup |
Configure Common Settings on a Decoder |
Configure Capture Settings |
(Optional) Configure System-Level (BPF) Packet Filtering |
(Optional) Configure a Decoder to Capture Data Across All Types of Network Interfaces |
(Optional) Configure Meta-Only Decoders |
(Optional) Configure Selective Network Data Collection |
(Optional) Configure a Decoder to Write Standard pcap-formatted Files |
(Optional) Multiple Adapter Packet Capture |
(Optional) Internet Content Adaptation Protocol Capture |
(Optional) Data Plane Development Kit Packet Capture |
(Optional) Preserve VLAN Tags When Using the Packet MMAP Capture Interface |
(Optional) Process Raw Syslog Data without Priority Field |
(Optional) Configure Decoder to Support OpenAppID |
Enable and Disable Parsers and Log Parsers |
Start and Stop Data Capture |
Configure Decoder Rules |
Configure Application Rules |
Configure Correlation Rules |
Configure Network Rules |
Fix Rules with Invalid Syntax |
Decoder Commands for Managing Rules |
Configure Parsers and Feeds |
Configure Parsers |
Use Custom Parsers |
Enable and Configure the Entropy Parser |
Flex Parser |
Arithmetic Functions |
Common Parser Operations |
General Functions |
Logging Functions |
Nodes |
Payload Functions |
Regex |
String Functions |
GeoIP2 Parsers |
Lua Parsers |
HTTP Parsers |
Snort Parsers |
Search Parser |
Wireless LAN Configuration |
Troubleshooting Parsers |
Configure Feeds |
Custom Feed Definition File Structure |
Feed Definitions File |
Create a Custom Feed |
Create a STIX Custom Feed |
Create an Identity Feed |
Upload, Edit, or Remove a Feed |
Create Custom Meta Keys Using Custom Feed |
Decoder and Log Decoder Additional Procedures |
Configure 10G Capability |
Configure a Log Decoder to Accept Protobuf |
Configure Session Split Timeouts |
Configure Syslog Forwarding to Destination |
Configure Transaction Handling on a Decoder |
Configure Data Export |
Decrypt Incoming Packets TLS 1.2 |
Decrypt Incoming Packets TLS 1.3 |
Edit Decoder System Configuration Settings |
Enable CPU Usage Stats for Installed Content |
Enable Parser Mappings |
Enable or Disable Lua and Flex Parsing Systems |
Map IP Address to Service Type |
Event Time Support |
Obtain Log Files from a Pre-11.0 Log Decoder |
Upload a Log File to a Log Decoder |
Upload a Packet Capture File |
F5 BIG IP - NetWitness Perfect Forward Secrecy Inspection Visibility |
Troubleshooting Packet Drops (11.x and above) |
Decoder and Log Decoder References |
Services Config View - Capture Policies Tab |
Services Config View - Edit Policies Wizard |
Services Config View - Data Privacy Tab |
Services Config View - Data Retention Scheduler |
Services Config View - Feeds Tab |
Services Config View - Upload Feeds Dialog |
Services Config View - Files Tab |
Services Config View - General Tab |
Services Config View - Parsers Tab |
Services Config View - Parser Mappings Tab |
Services Config View - Data Export Tab |
Services Config View - Rules Tab |
Services Config View - App Rules Tab |
Services Config View - Correlation Rules Tab |
Services Config View - Network Rules Tab |
Services System View - Decoders |
Broker and Concentrator Basics |
Overview of Brokers and Concentrators |
Basic Setup Procedures |
Step 1. Verify Service System Configuration |
Step 2. Configure the Aggregation Process |
Step 3. Configure Aggregate Services |
Step 4. (Optional) Configure Group Aggregation |
Step 5. Start and Stop Aggregation |
Broker and Concentrator Configuration References |
Services Config View - Broker/Concentrator General Tab |
Services System View - Broker |
NetWitness Core Database Introduction |
Basic Database Configuration |
Tiered Database Storage |
Manifests |
Advanced Database Configuration |
Database Configuration Nodes |
Index Configuration Nodes |
SDK Configuration Nodes |
Per-User Configuration Nodes |
Scheduler |
Rollover |
Snort Rules and Configuration |
Queries |
Index Customization |
Rebuilding of the Index |
Optimization Techniques |
Rule Examples |
Appendix A: Statistics |
Appendix B: Index Inspect |
Live Content in NetWitness Suite |
Deploy Content |
Create Live Account |
Set Up Live Services in NetWitness |
Deploy Content using Live Content UI |
Required Procedures |
Find and Deploy Live Resources |
Manage Live Resources |
Search and Download Content from NetWitness Platform Live |
Additional Procedures |
Export Data to RSA |
Create a Resource Package |
Manage Custom Feeds |
Create a Custom Feed |
Create a STIX Custom Feed |
MetaCallback Feeds |
Create an Identity Feed |
Edit a Feed |
Remove a Feed |
Subscribing to Resources |
Miscellaneous Live Services Procedures |
References |
Live Configure View |
Deployments Tab |
Subscriptions Tab |
Discontinued Resource Tab |
Live Feeds View |
Live Resource View |
Live Search View |
Live Search Content View |
Resource Package Deployment Wizard |
RSA Live Registration Portal |
NetWitness Feedback and Data Sharing |
Troubleshooting |
Policy-based Centralized Content Management |
About Policy-based Centralized Content Management |
Migrate Content from Core Services to Content Library |
About Content Library |
Import Content to Content Library |
Create an Application Rule |
Edit Application Rule |
Delete Application Rule |
View Application Rule Details |
Create a Network Rule |
Edit Network Rule |
Delete Network Rule |
View Network Rule Details |
About Groups |
Create a Group |
View a Group |
Delete a Group |
Edit a Group |
About Policies |
Create and Publish Policies |
Clone a Policy |
Delete a Policy |
Edit a Policy |
View a Policy |
Enable Content for a Policy |
Disable Content for a Policy |
References |
Content Library Tab |
Groups Tab |
Policies Tab |
Appendix A: Endpoint Risk Scoring Rules |
About Log Collection |
Log Collection Architecture |
Basic Implementation |
Provision Local and Remote Collectors |
Configure LC/RC |
Configure Failover |
Configure Replication |
Configure Chain of Remote Collectors |
Throttle RC to LC Bandwidth |
Set up a Lockbox |
Start Collection Services |
Verify Log Collection is Working |
Configure Certificates |
Configure Custom Certificates |
Log Collection Basics |
Basic Procedure |
Search for Specific Event Sources |
Configure Event Filters for Log Collector |
Import, Export, Edit and Test Event Sources in Bulk |
Collection Protocols |
Configure AWS (CloudTrail) Event Sources |
Configure Azure Event Sources |
Configure Check Point Event Sources |
Configure File Event Sources |
Configure Logstash |
Configure Netflow Event Sources |
Configure ODBC Event Sources |
Configure DSNs |
Create Custom Typespec |
Troubleshoot ODBC Collection |
Configure SDEE Event Sources |
Configure SNMP Event Sources |
Configure Syslog Event Sources |
Configure VMware Event Sources |
Configure Windows Event Sources |
Windows Legacy Configuration |
Set Up Windows Legacy Collector |
Configure Windows Legacy and NetApp Event Sources in RSA NetWitness |
Troubleshoot Windows Legacy and NetApp Collection |
AWS Parameters |
Azure Parameters |
Check Point Parameters |
File Parameters |
Service System View |
ODBC Parameters |
ODBC DSN Parameters |
Remote/Local Collectors Configuration Parameters |
Tabs |
General Tab |
Event Destinations Tab |
Event Sources Tab |
Settings Tab |
Log Collection: Troubleshoot |
NetWitness Event Sources |
Managing Event Sources |
Alarms and Notifications |
Automatic Alerting |
Common Scenarios for Monitoring Policies |
Manage Event Source Groups |
Create Event Source Groups |
Create Event Source Group Form |
Acknowledge and Map Event Sources |
Edit or Delete Event Source Groups |
Remove Idle Event Sources |
Create an Event Source and Edit its Attributes |
Bulk Edit Event Source Attributes |
Import Event Sources |
Export Event Sources |
Sort Event Sources |
Monitor Policies |
Configure Event Source Group Alerts |
Set Up Notifications |
Disable Notifications |
Configure Automatic Alerting |
View Event Source Alarms |
Event Source References |
Discovery Tab |
Manage Tab |
Manage Tab - Historical Graph View |
Manage Event Source Tab |
Event Sources View |
Create/Edit Group Form |
Details View |
Manage Parser Mappings |
Alarms Tab |
Monitoring Policies Tab |
Settings Tab |
Log Parser Rules Tab (version 11.1 only) |
Troubleshooting/Appendix |
Alarms and Notifications Issues |
Duplicate Log Messages |
Troubleshoot Feeds |
Import File Issues |
Negative Policy Numbering |
Viewing Logs from Pre-11.0 Log Decoder |
Log Parser Rules Customization |
Add or Delete Log Parser |
JSON Mappings |
Create Custom Log Parser Rules |
Log Parsers and the Default Log Parser |
Use Cases |
Extend a Log Parser Example |
Select the Reference Log Decoder |
Move Log Parser Rules to Production |
Troubleshooting and Limitations |
Log Parser Rules Tab |
Overview |
Dataflow |
Install Logstash |
Install and Configure the NetWitness Codec |
Configure Logstash Output Plugins |
Configure Event Source |
Advanced NetWitness Configuration |
Coding Appendix: Linux event Source Example |
Coding Appendix: Build a Parser |
Overview |
Logstash Input Plugin - Configuration Process |
Install Logstash |
Install NetWitness Logstash Input Plugin |
Configure Logstash Input Plugin |
Configure SSL |
Health and Wellness |
Configure Custom Value Meta |
(Optional) Configure Logstash Filter Plugin |
Configure Logstash Output Plugin |
Known Issues |
Archiver Overview |
Basic Archiver Configuration |
Add the Archiver Service |
Add Log Decoder as a Data Source to Archiver |
Configure Archiver Storage and Log Retention |
Configure Hot, Warm, and Cold Storage |
Configure Log Storage Collections |
Define Retention Rules |
Add Archiver as a Data Source to Reporting Engine |
Configure Archiver Monitoring |
Additional Archiver Configuration |
Configure Data Backup and Restore |
Retrieve Hash Information |
Archiver References |
Archiver Collection Dialog |
Archiver Services Config View - General Tab |
Archiver Service Configuration |
Data Retention Tab - Archiver |
Services Config View - Archiver |
Overview |
Configuration Procedures |
Add Workbench Service as a Data Source to Broker |
Add Workbench as a Data Source to Reporting Engine |
Manage Collections |
Services Config View |
Services Config View - Collections Tab |
Services Config View - General Tab |
Troubleshooting |
Event Stream Analysis Overview |
Configure ESA Correlation Rules |
Additional ESA Correlation Rules Procedures |
Update Your ESA Rules for the Required Multi-Value and Single-Value Meta Keys |
Configure Advanced Settings for ESA Correlation |
Configure Character Case for Advanced ESA Rules |
Deploy Endpoint Risk Scoring Rules on ESA |
Change Memory Threshold for ESA Rules |
Start, Stop, or Restart ESA Service |
View Audit Logs and Verify ESA Component Versions |
References - Previous ESA Versions |
Services Config View Data Sources Tab (11.2 and Earlier) |
Services Config View Advanced Tab (11.2 and Earlier) |
Whois Lookup Service Configuration (11.1.x to 11.4.x) |
ESA Analytics Mappings (11.1.x to 11.4.x) |
Module Settings (11.1.x to 11.4.x) |
Getting Started with ESA |
Best Practices |
Troubleshoot ESA |
View Memory Metrics for Rules |
How ESA Handles Sensitive Data |
ESA Rule Types |
ESA Permissions |
Practice with Sample Rules |
Working with Trial Rules |
Add Rules to the Rules Library |
Download Configurable RSA Live ESA Rules |
Customize an RSA Live ESA Rule |
Add a Rule Builder Rule |
Step 1. Name and Describe the Rule |
Step 2. Build a Rule Statement |
Step 3. Add Conditions to a Rule Statement |
Working With Rules |
Edit, Duplicate or Delete a Rule |
Filter or Search for Rules |
Import or Export Rules |
Choose How to Be Notified of Alerts |
Notification Methods |
Add Notification Method to a Rule |
Add a Data Enrichment Source |
Enrichment Sources |
Configure a Context Hub List as an Enrichment Source |
Configure an In-Memory Table as an Enrichment Source |
Add an Enrichment to a Rule |
Deploy Rules to Run on ESA |
ESA Rule Deployment Steps |
Additional ESA Rule Deployment Procedures |
View ESA Stats and Alerts |
View Stats for an ESA Service |
View a Summary of Alerts |
Add an Advanced EPL Rule |
Event Processing Language (EPL) |
ESA Annotations |
Example Advanced EPL Rules |
Configure an In-Memory Table Using an EPL Query |
ESA Alert References |
Rules Tab |
Rules Tab Options Panel |
Rule Library Panel |
Rule Builder Tab |
Build a Statement Dialog |
Advanced EPL Rule Tab |
Rule Syntax Dialog |
Deployment Panel |
Deploy ESA Services Dialog |
Deploy ESA Rules Dialog |
Updates to the Deployment Dialog |
Services Tab |
Settings Tab |
How Context Hub Works |
Configure Lists as a Data Source |
Configure Archer as a Data Source |
Configure Active Directory Data Source |
Configure RSA EndPoint Data Source |
Configure Respond Data Source |
Configure File Reputation Server Data Source |
Configure STIX as a Data Source |
Configure RESTAPI as a Data Source |
Configure Data Sources Settings |
Import or Export Lists for Context Hub |
Manage Meta Type and Meta Key Mapping |
Context Hub Data Sources Tab |
Context Hub Lists Tab |
Context Hub STIX Tab |
Troubleshooting |
How Malware Analysis Works |
Basic Setup |
Configure Malware Analysis Operating Environment |
Configure General Malware Analysis Settings |
Configure Indicators of Compromise |
Configure Installed Antivirus Vendors |
Enable Community Scoring |
(Optional) Configure Auditing on Malware Analysis Host |
(Optional) Configure Hash Filter |
(Optional) Configure Malware Analysis Proxy Settings |
(Optional) Register for a ThreatGRID API Key |
Additional Procedures for Configuring Malware Analysis |
Create Custom Alert in CEF Format |
Enable Custom YARA Content |
Supported Antivirus Vendors |
Malware Analysis References |
Services Config View - General Tab |
Services Config View - Indicators of Compromise Tab |
Services Config View - IOC Summary Tab |
Services Config View - Auditing Tab |
Services Config View - Hash Tab |
Services Config View - AV Tab |
Services Config View - Proxy Tab |
Services Config View - ThreatGRID Tab |
Services Config View - Integration Tab |
NetWitness Endpoint Overview |
Agent Modes |
Endpoint Server Configuration |
Deploy Endpoint Application Rules and ESA Correlation Rules |
Set Up Meta Forwarding to Log Decoder |
Endpoint Sources |
Create Groups and Policies |
Manage Groups |
Manage Policies |
Change Policy Ordering for Groups |
Configure Data Retention Policy |
Manage Role Permissions at Endpoint Server Level |
Manage Inactive Agents |
Configure Retention Policy for Memory Dumps and MFT |
(Optional) Installing and Configuring Relay Server |
Endpoint YARA Rules |
Configure OPSWAT |
Integrate NetWitness Endpoint 4.4.0.2 or Later with NetWitness Endpoint 11.3 |
Endpoint References |
General Tab |
Data Retention Scheduler Tab |
Packager Tab |
Relay Server Tab |
Endpoint Sources - Groups |
Endpoint Sources - Policies |
Troubleshooting |
Reset File Collection Bookmarks |
Supported File Log Event Source Types |
Specify UNC Paths |
About this Document |
NetWitness Respond Configuration Overview |
Configuring NetWitness Respond |
Step 1. Configure Alert Sources to Display Alerts in the Respond View |
Step 2. Assign Respond View Permissions |
Step 3. Enable and Create Incident Rules for Alerts |
Additional Procedures for Respond Configuration |
Set Up and Verify Default Incident Rules |
Configure Risk Scoring Settings for Automated Incident Creation |
Configure Custom Respond Server Alert Normalization |
Configure Analyst UI for Respond Server Alert Normalization |
Configure Incident Email Notification Settings |
Set a Retention Period for Alerts and Incidents |
Obfuscate Private Data |
Manage Incidents in Archer Cyber Incident & Breach Response |
Configure the Option to Send Incidents to Archer |
Configure Threat Aware Authentication |
Set a Counter for Matched Alerts and Incidents |
Edit the Incident Rules Export ZIP File |
Configure a Database for the Respond Server Service |
NetWitness Respond Configuration Reference |
Configure View |
Incident Rules View |
Incident Rule Details View |
Incident Email Notification Settings View |
Aggregation Rules Tab (11.0 and earlier) |
New Rule tab (11.0 and earlier) |
How Reporting Engine Works |
Configure Reporting Engine |
Configure the Data Sources |
(Optional) Add Workbench as Data Source to Reporting Engine |
(Optional) Add Archiver as Data Source to Reporting Engine |
(Optional) Integrate EndPoint Information Into Reports |
(Optional) Add Collection as Data Source to Reporting Engine |
Configure Data Privacy for Reporting Engine |
Configure Data Source Permissions |
Configure Reporting Engine Settings |
Enable LDAP Authentication |
Add Additional Space for Large Reports |
Managing Log File Parameters |
Configure Task Scheduler for a Reporting Engine |
How to Define Reports, Charts, and Alerts |
Configure Reporting Engine General Settings |
Reporting Engine Reference |
Reporting Engine General Tab |
Reporting Engine Sources Tab |
Reporting Engine Output Actions Tab |
Reporting Engine Manage Logos Tab |
How Warehouse Connector Works |
Install Warehouse Connector Service on a Log Decoder or Decoder |
Configure a Warehouse Connector Service |
Configure the Data Source for Warehouse Connector |
Configure the Destination |
Configure the Destination Using NFS |
Configure the Destination Using SFTP |
Configure the Destination Using WebHDFS |
Configure a Stream |
Monitor a Warehouse Connector |
Add Warehouse as a Data Source to Reporting Engine |
Analyze a Warehouse Report |
View the Warehouse Connector Service |
Troubleshoot the Warehouse Connector |
Manage a Stream |
Manage a Lockbox |
Warehouse Connector Configuration References |
General Tab Settings |
Appliance Service Configuration Tab Settings |
Sources and Destinations Configuration |
Add Stream Dialog |
Streams Configuration |
Lockbox Settings |
UEBA Configuration Overview |
UEBA Configuration |
UEBA Configuration Troubleshooting |
Introduction |
Admin-server Configuration |
Analysis-server Configuration |
Config-server Configuration |
Content-server Configuration |
Contexthub-server Configuration |
Correlation-server Configuration |
Endpoint-broker-server Configuration |
Endpoint-server Configuration |
Enrichment-server Configuration |
Integration-server Configuration |
Investigate-server Configuration |
Launch-framework Configuration |
License-server Configuration |
Metrics-server Configuration |
Node-infra-server Configuration |
No-op-server Configuration |
Orchestration-server Configuration |
Relay-server Configuration |
Respond-server Configuration |
Security-server Configuration |
Source-server Configuration |
Set Up System Security |
Configure Password Complexity |
Change the Default Admin Passwords |
Configure System-Level Security Settings |
(Optional) Configure External Authentication |
Configure Active Directory |
Configure PAM Login Capability |
(Optional) Configure PKI Authentication |
(Optional) Use a Custom Server Certificate |
(Optional) Create a Customized Login Banner |
How Role-Based Access Control Works |
Role Permissions |
Manage Users with Roles and Permissions |
Review the Preconfigured NetWitness Platform Roles |
(Optional) Add a Role and Assign Permissions |
Verify Query and Session Attributes per Role |
Set Up Users |
(Optional) Map User Roles to External Groups |
Search for External Groups |
Set Up Multi-Factor Authentication |
Set Up Single Sign-On Authentication |
Configure Single Sign-On |
(Optional) Set Up Public Key Infrastructure (PKI) Authentication |
Configure PKI Authentication |
Import Server Certificate and Trusted CA Certificate |
(Optional) Configure the CRL Manually |
Enable PKI Authentication |
Disable PKI |
Delete Server Certificate and Trusted CA Certificate |
Troubleshooting |
References |
Admin Security View |
Users Tab |
Add or Edit User Dialog |
Roles Tab |
Add or Edit Role Dialog |
External Group Mapping Tab |
Add Role Mapping Dialog |
Search External Groups Dialog |
Settings Tab |
PKI Settings Tab |
Login Banner Tab |
Single Sign-On Settings Tab |
Data Privacy Overview |
Recommended Configurations |
Quick Start Procedures |
Prepare to Configure Data Privacy |
Configure the Recommended Data Privacy Solution |
In-Depth Procedures |
Configure Data Obfuscation |
Configure Data Retention |
Configure User Accounts for Use in Data Privacy |
Data Privacy References |
System Configuration Overview |
Standard Procedures |
Access System Settings |
Configure Notification Servers |
Notification Servers Overview |
Configure the Email Settings as Notification Server |
Configure Script as a Notification Server |
Configure the SNMP Settings as Notification Server |
Configure a Syslog Notification Server |
Configure Notification Outputs |
Notification Outputs Overview |
Configure Email as a Notification |
Configure Script as a Notification |
Configure SNMP as a Notification |
Configure Syslog as a Notification |
Configure Templates for Notifications |
Configure Global Notification Templates |
Define a Template for ESA Alert Notifications |
Import and Export a Global Notifications Template |
Configure Email Server and Notification Account |
Configure Global Audit Logging |
Configure a Destination to Receive Global Audit Logs |
Define a Template for Global Audit Logging |
Define a Global Audit Logging Configuration |
Verify Global Audit Logs |
Configure Centralized Audit Logging |
Configure Investigation Settings |
Configure Live Services Settings |
Live Feedback Overview |
Upload Data to RSA |
Configure Log File Settings |
Configure Syslog and SNMP Settings |
Additional Procedures |
Add Custom Context Menu Actions |
Configure NTP Servers |
Configure Proxy for Security Analytics |
Troubleshooting System Configuration |
References |
Global Audit Logging Configurations Panel |
Add New Configuration Dialog |
Supported CEF Meta Keys |
Supported Global Audit Logging Meta Key Variables |
Global Audit Logging Operation Reference |
Local Audit Log Locations |
Global Notifications Panel |
Define Notification Server Dialogs |
Define Notification Output Dialogs |
Define Notification Template Dialog |
Output Tab |
Servers Tab |
Templates Tab |
HTTP Proxy Settings Panel |
Email Configuration Panel |
Investigation Configuration Panel |
Live Services Configuration Panel |
NTP Settings Panel |
Context Menu Actions Panel |
Legacy Notifications Configuration Panel |
Overview |
Review Best Practices |
Health and Wellness |
Monitor Health and Wellness using NetWitness Platform UI |
Manage Policies |
Include the Default Email Subject Line |
Monitor System Statistics |
Filter System Statistics |
Create Historical Graph of System Statistics |
Monitor Service Statistics |
Add Statistics to a Gauge or Chart |
Edit Properties of Statistics Gauges |
Edit Properties of Timeline Charts |
Monitor Hosts and Services |
Filter Hosts and Services in the Monitoring View |
Monitor Host Details |
Monitor Service Details |
Monitor Event Sources |
Configure Event Source Monitoring |
Filter Event Sources |
Create Historical Graph of Events Collected for an Event Source |
Monitor Alarms |
Monitor Health and Wellness Using SNMP Alerts |
Troubleshooting Health & Wellness |
Monitor using New Health and Wellness |
Configuring Alert Notifications |
Adding Alert Notifications |
Suppressing Notifications |
Monitoring through Dashboards |
Creating Custom Dashboard |
Monitoring through Alerts |
Creating Custom Monitors |
Adding Custom Trigger to an Existing Monitor |
Managing Dashboards and Alerts |
Managing Alert Notifications |
Advanced Configurations |
Backup and Restore New Health and Wellness |
Troubleshooting Health and Wellness |
Appendices |
New Health and Wellness Dashboards |
New Health and Wellness Monitors |
Uninstall New Health and Wellness |
Manage NetWitness Platform Updates |
Reissue Certificates |
Display System and Service Logs |
Access Reporting Engine Log File |
Search and Export Historical Logs |
Maintain Queries Using URL Integration |
Manage the deploy_admin Account |
NW Server Host Secondary IP Configuration Management |
Change Host Network Configuration |
Manage Custom Host Entries |
Configure FIPS Support |
Configure DISA STIG Hardening |
Troubleshoot NetWitness Platform |
Debugging Information |
Error Notification |
Miscellaneous Tips |
Troubleshoot Feeds |
Troubleshooting Cert-Reissue Command |
References |
Health and Wellness |
Health and Wellness View - Alarms View |
Event Source Monitoring View |
Health and Wellness Historical Graphs |
Historical Graph View for Events Collected from an Event Source |
Historical Graph View for System Stats |
Health and Wellness Settings View - Archiver |
Health and Wellness Settings View - Event Sources |
Health and Wellness Settings View - Warehouse Connector |
Monitoring View |
Archiver Details View |
Broker Details View |
Concentrator Details View |
Decoder Details View |
ESA Correlation Details View |
ESA Analytics Details View |
Host Details View |
Log Collector Details View |
Log Decoder Details View |
Malware Details View |
Warehouse Connector Details View |
Policies View |
Health and Wellness Email Templates |
NetWitness Platform Out-of-the-Box Policies |
System Stats Browser View |
New Health and Wellness Settings |
System View - System Info Panel |
System Updates Panel - Settings View |
System Logging - Settings View |
System Logging - Realtime View |
System Logging - Historical View |
Disaster Recovery |
Disaster Recovery Azure |
Disaster Recovery AWS |
Appendix A. Modify fstab for Series 5 and 6 Hybrid Storage After Recovery |
Investigate and Respond |
How NetWitness Investigate Works |
Configuring NetWitness Investigate Views and Preferences |
Configure the Navigate View and Legacy Events View |
Configure the Events View |
Beginning an Investigation |
Begin an Investigation in the Navigate or Legacy Events View |
Begin an Investigation in the Events View |
Refining the Results Set |
Use Meta Groups to Focus on Relevant Meta Keys |
Use Columns and Column Groups in the Events List |
Use Query Profiles to Encapsulate Common Areas for Investigation |
Drill into Metadata in the Events View (Beta) |
Filter Results in the Events View |
Filter Results in the Navigate View |
Filter Results in the Legacy Events View |
Create a Query in the Navigate and Legacy Events Views |
Search for Text Patterns in the Navigate and Legacy Events Views |
View and Modify Queries Using URL Integration |
Reconstructing and Analyzing Events |
Examine Event Details in the Events View |
Analyze Events in the Events View |
Reconstruct an Event in the Legacy Events View |
Look Up Additional Context for Results |
Launch a Lookup of a Meta Key |
Launch a Malware Analysis Scan from the Navigate View |
Group Events from Split and Related Sessions in the Events and Legacy Events Views |
Visualize Metadata as Parallel Coordinates |
Visualize the Current Drill Point in Informer |
Downloading and Acting Upon Results |
Download Data in the Events View |
Export or Print a Drill Point in the Navigate View |
Export Events in the Legacy Events View |
Add Events to an Incident in the Events View |
Add Events to an Incident in the Legacy Events View |
Troubleshooting Investigate |
Investigate Reference Materials |
Add Events to an Incident Dialog |
Add/Remove from List Dialog |
Column Groups Dialogs |
Context Lookup Panel |
Create an Incident Dialog |
Events View |
Events View - Email Tab |
Events View - File Tab |
Events View - Host Tab |
Events View - Packet Tab |
Events View - Text Tab |
Investigate Dialog |
Investigation Tab - User Preferences Panel |
Investigate View |
Legacy Event Reconstruction View |
Legacy Events View |
Manage Default Meta Keys Dialog |
Meta Groups Dialogs |
Navigate View |
Query Dialog |
Query Profiles Dialogs |
Generate Springboard Panel Dialog |
Settings Dialogs for Investigate Views |
Malware Analysis Functions |
Malware Scoring Modules |
Conducting Malware Analysis |
Begin a Malware Analysis Investigation |
Implement Custom YARA Content |
Examine Scan Files and Events in List Form |
Configure the Malware Analysis Summary of Events View |
Filter Dashlet Data in the Summary of Events View |
Upload Files for Malware Analysis Scanning |
View Detailed Malware Analysis of an Event |
Malware Analysis Reference Materials |
Malware Analysis View |
Malware Analysis Events List and Files List |
Scan For Malware Dialog |
Select a Malware Analysis Service Dialog |
Introduction to Endpoint Investigation |
Workflow of an Investigation |
Investigate Files |
Investigate Hosts |
Investigate Process |
Change File Status and Remediate |
Analyze Downloaded Files |
Perform Forensic Investigation |
Analyze Events |
Network Isolation |
NetWitness Endpoint with Third-Party Antivirus Products |
Troubleshooting NetWitness Endpoint |
NetWitness Endpoint Reference Materials |
Files View |
Hosts View |
Hosts View - Details Tab |
Hosts View - Process Tab |
Hosts View - Autoruns Tab |
Hosts View - Files Tab |
Hosts View - Drivers Tab |
Hosts View - Libraries Tab |
Hosts View - Anomalies Tab |
Hosts View - Downloads Tab |
Hosts View - System Information |
Hosts View - Agent History Tab |
Introduction |
UEBA Use Cases for Windows Logs |
How to Investigate High-Risk Entities |
Identify High-Risk Entities |
Begin an Investigation of High-Risk Entities |
Take Action on High-Risk Entities |
Manage High-Risk Entities |
Investigate Top Alerts |
Filter Alerts |
Investigate Indicators |
Manage Top Alerts |
Modeled Behaviors for Users |
View NetWitness UEBA Metrics in Health and Wellness |
Monitor Health and Wellness of UEBA |
Reference |
Overview View |
Users View |
Alerts View |
User Profile View |
Appendix: UEBA Windows Audit Policy |
NetWitness Respond Process |
Responding to Incidents |
Determine which Incidents Require Action |
Investigate the Incident |
Escalate or Remediate the Incident |
Incident Response Use Case Examples |
Reviewing Alerts |
Review Endpoint Alerts using Process Tree |
NetWitness Respond Reference Information |
Incidents List View |
Incident Details View |
Alerts List View |
Alert Details View |
Tasks List View |
Add/Remove From List Dialog |
Context Lookup Panel - Respond View |
Reporting Overview |
Configure and Generate a Report |
Configure a Rule |
Create and Schedule a Report |
View a Report |
Investigate a Report |
Manage a List or Rule or Report |
Working with Charts |
Chart Overview |
Configure a Chart |
Schedule a Chart |
View a Chart |
Test a Chart |
Investigate a Chart |
Manage Chart Groups and Charts |
Working with Alerts |
Alert Overview |
Configure Reporting Engine |
Configure an Alert |
Schedule an Alert |
View an Alert |
Investigate an Alert |
Manage Alerts and Alert Templates |
Appendix |
Rule Syntax |
Warehouse DB Simple Rules |
Warehouse DB Advanced Rules |
Task Scheduler for Warehouse Reporting |
Query Aggregates |
Troubleshoot Reporting |
Reporting References |
Build Chart View |
Build List View |
Build Report View |
Build Rule View |
Chart Permissions Dialog |
Chart View |
Execution History Panel |
Generate List Dialog |
Import Chart Dialog |
Import Report Dialog |
Investigate a Chart View |
List Permissions Dialog |
List View |
Reports Permissions Dialog |
Report View |
Rule Permissions Dialog |
Rule View |
Select a Logo Dialog |
Schedule a Chart View |
Schedule Report Panel |
Scheduled Reports View |
Test a Chart View |
View a Chart Panel |
View All Charts Panel |
View a Report Panel |
View All Reports Panel |
Alerting References |
Alert List View |
Alert Permissions Dialog |
Alert Schedules View |
Create or Modify Alert Panel |
Investigate an Alert View |
Import Alert Dialog |
Template References |
Alert Template View |
Create or Modify Template View |
View Alerts Schedule View |
View Alerts View |
Develop and Integrate |
Archer Integration |
Configure NetWitness Suite to Work With Archer |
Manage Unified Collector Framework |
Troubleshoot Archer Integration |
RSA Endpoint Integration |
Configure Endpoint Alerts via Message Bus |
Configure Contextual Data from Endpoint via Recurring Feed |
Configure Endpoint Alerts via Syslog into a Log Decoder |
Intro |
Usage |
Enable |
Packets |
Parser/Feed Upload |
Statistics Graph |
SDK Commands |
NetWitness Core Services API Guide |
NetWitness API Guide |
shell |
tree |
Access NwConsole and Help |
Basic Command Line Parameters and Editing |
Connecting to a Service |
Monitoring Stats |
Useful Commands |
SDK Content Command |
SDK Content Command Examples |
Commands Used for Troubleshooting |