Contents

Release Notes
What's New
Fixed Issues
Product Documentation
Getting Help with NetWitness Platform
Build Numbers
Revision History
What's New
Fixed Issues
Product Documentation
Getting Help with NetWitness Platform
Build Numbers
Revision History
What's New
Product Documentation
Getting Help with NetWitness Platform
Build Numbers
Revision History
Appendix
Upgrade Instructions
What's New
Known Issues
Product Documentation
Getting Help with NetWitness Platform
Build Numbers
Revision History
Appendix
Upgrade Instructions
What's New
Fixed Issues
Product Documentation
Getting Help with NetWitness Platform
Build Numbers
Revision History
Title
Copyrights
What's New
Fixed Issues
Product Documentation
Getting Help with NetWitness Platform
Build Numbers
Revision History
Known Issues
Security Fixes
Getting Started
Getting Started with NetWitness Platform
Logging in to NetWitness Platform
Changing Your Password
Identifying Your Role
NetWitness Platform Basic Navigation
Setting Up Your Default View by SOC Role
Managing the Springboard
Managing Dashboards
Setting User Preferences
Managing Jobs
Viewing and Deleting Notifications
Viewing Help in the Application
Finding Documents on NetWitness Community
Troubleshooting for User Setup
NetWitness Platform Getting Started References
User Preferences
Notifications Panel and Notifications Tray
Jobs Panel and Jobs Tray
Hosts and Services Basics
Hosts and Services Set Up Procedures
Hosts and Services Maintenance Procedures
References
Hosts View
Services View
Edit Service Dialog
Services Config View
Services Config View - Appliance Service Configuration Tab
Services Config View - Data Retention Scheduler Tab
Services Config View - Files Tab
Services Explore View
Services Explore View - Properties Dialog
Services Logs View
Services Security View
Services Security View - Users Tab
Services Security View - Roles Tab
Services Security View - Service User Roles and Permissions
Services Security View - Aggregation Role
Services Security View - Settings Tab
Services Stats View
Services Stats View - Chart Stats Tray
Services Stats View - Gauges
Services Stats View - Timeline Charts
Services System View
Services Topology View
Services System View - Host Task List Dialog
Service Configuration Parameters
Aggregation Configuration Parameters
Appliance Service Configuration Parameters
Archiver Service Configuration Parameters
Broker Service Configuration Parameters
Concentrator Service Configuration Parameters
Core Service Logging Configuration Parameters
Core Service-to-Service Configuration Parameters
Core Service System Configuration Parameters
Decoder Configuration Parameters
Network Decoder Service Configuration Parameters
Log Decoder Service Configuration Parameters
REST Interface Configuration Parameters
NetWitness Platform Core Service system.roles Modes
Centralized Service Configuration via Policy
Centralized Service Configuration - Groups Tab
Centralized Service Configuration - Policies Tab
Troubleshooting Version Installations and Updates
Introduction
Admin-server Configuration
Analysis-server Configuration
Config-server Configuration
Content-server Configuration
Contexthub-server Configuration
Correlation-server Configuration
Endpoint-broker-server Configuration
Endpoint-server Configuration
Enrichment-server Configuration
Integration-server Configuration
Investigate-server Configuration
Launch-framework Configuration
License-server Configuration
Metrics-server Configuration
Node-infra-server Configuration
No-op-server Configuration
Orchestration-server Configuration
Relay-server Configuration
Respond-server Configuration
Security-server Configuration
Source-server Configuration
What Is NetWitness Investigate
QuickStart
QuickStart
Install and Upgrade
The Basics
Deployment Optional Setup Procedures
Network Architecture and Ports
Site Requirements and Safety
Entitlement Capability Implementation
Initial Set Up
Obtain License Server ID from NetWitness Platform UI
Access Product Licenses from myRSA
Synchronize NetWitness Server
Synchronize Local Licensing Server Offline
License Types
Configure NetWitness Notifications
About Out-of-Compliance Banners
Troubleshoot Licensing
Licensing Panel Reference
Usage Trend
Reassign Licenses
Export Usage Stats
Settings Tab
Out-of-Compliance Reference
Introduction
Installation Tasks
Update or Install Legacy Windows Collection
Post Installation Tasks
Appendix A. Troubleshooting
Appendix B. Create External Repo
Appendix C. Silent Installation Using CLI
Appendix D. Third Party Server System Requirement
Basic Deployment
Install NW Virtual Host in Virtual Environment
Step 1a. Create Virtual Machine - VMware
Step 1b. Deploy the Virtual Host in Hyper-V
Step 1c. Create Virtual Machine in Nutanix AHV
Step 2. Configure Databases to Accommodate NetWitness Platform
Task 1. Add New Disk
Task 2. Storage Configurations
Step 3. Installation Tasks
Step 4. Configure Host-Specific Parameters
Step 5. Post Installation Tasks
Appendix A. Troubleshooting
Appendix B. Silent Installation Using CLI
Appendix C. Virtual Host Recommended System Requirements
Appendix D. Update the Virtual ESA Host Memory
Storage Overview
Storage Requirements
Prepare Physical Storage
Prepare Virtual or Cloud Storage
Configure Storage Using the REST API
Prepare Unity Storage
Migrate Data to Another Storage Type
Appendix A. How NetWitness Platform Hosts Store Data
Appendix B. Encrypt a Series 6E Core or Hybrid Host (encryptSedVd.py)
Appendix C. Troubleshooting
Appendix D. Sample Storage Configuration Scenarios
Revision History
AWS Deployment Overview
AWS Deployment
Establish AWS Environment
Find NetWitness AMIs
Launch an Instance and Configure a Host
Configure Hosts (Instances) in NetWitness Platform
Configure Packet Capture
Instance Configuration Recommendations
Appendix A Silent Installation Using CLI
Azure Installation Overview
Azure Configuration Recommendations
Azure Deployment
Partition Recommendations
Deploy NW Server Host in Azure
Deploy Component Core Services in Azure
Installation Tasks
Appendix A. Silent Installation Using CLI
Google Cloud Platform Installation Overview
GCP Deployment
Prerequisites
Find NetWitness Platform GCP Images
Establish gcloud Environment
Create an Instance using Google Cloud SDK Shell
Installation Tasks
Configure Hosts (Instances) in NetWitness Platform
GCP Instance Configuration Recommendations
Introduction to Endpoint Agent Installation
Prerequisites
Generate an Agent Packager
Generate Agent Installers
Deploy and Verify Agents
Uninstall Agents
Upgrade Agents
Recommendations for Installing Agents in Virtual Desktop Infrastructure Environment
Troubleshooting
Introduction
Migrating NetWitness Endpoint 4.4.0.x to NetWitness Platform
Importing NetWitness Endpoint 4.4.0.x Configurations to NetWitness Platform
Introduction
NetWitness UEBA Standalone Installation
System Requirement
Installation Tasks
Post Installation Tasks
Overview
Contacting Customer Care
Pre Upgrade Checks
Upgrade Preparation Tasks
Upgrade Tasks
Post Upgrade Tasks
Endpoint Upgrade Tasks
Appendix A. Offline Upgrade Using CLI
Appendix B. Troubleshooting Version Installations and Upgrades
Appendix C. Troubleshooting Version Installations and Upgrades
Overview
Contacting Customer Care
Pre Upgrade Checks
Upgrade Preparation Tasks
Upgrade Tasks
Post Upgrade Tasks
Endpoint Upgrade Tasks
Enable New Features
Appendix A. Offline Upgrade Using CLI
Appendix B. Set Up External Repo
Appendix C. Troubleshooting Version Installations and Upgrades
Overview
Contacting Customer Care
Upgrade Preparation Tasks
Upgrade Tasks
Post Upgrade Tasks
Endpoint Upgrade Tasks
Enable New Features
Appendix A. Offline Upgrade Using CLI
Appendix B. Troubleshooting Version Installations and Upgrades
Windows Legacy Collection
Overview
Logstash Input Plugin - Configuration Process
Install Logstash
Install NetWitness Logstash Input Plugin
Configure Logstash Input Plugin
Configure SSL
Health and Wellness
Configure Custom Value Meta
(Optional) Configure Logstash Filter Plugin
Configure Logstash Output Plugin
Known Issues
Configure and Manage
Decoder and Log Decoder Quick Setup
Configure Common Settings on a Decoder
Configure Capture Settings
(Optional) Configure System-Level (BPF) Packet Filtering
(Optional) Configure a Decoder to Capture Data Across All Types of Network Interfaces
(Optional) Configure Meta-Only Decoders
(Optional) Configure Selective Network Data Collection
(Optional) Configure a Decoder to Write Standard pcap-formatted Files
(Optional) Multiple Adapter Packet Capture
(Optional) Internet Content Adaptation Protocol Capture
(Optional) Data Plane Development Kit Packet Capture
(Optional) Preserve VLAN Tags When Using the Packet MMAP Capture Interface
(Optional) Process Raw Syslog Data without Priority Field
(Optional) Configure Decoder to Support OpenAppID
Enable and Disable Parsers and Log Parsers
Start and Stop Data Capture
Configure Decoder Rules
Configure Application Rules
Configure Correlation Rules
Configure Network Rules
Fix Rules with Invalid Syntax
Decoder Commands for Managing Rules
Configure Parsers and Feeds
Configure Parsers
Use Custom Parsers
Enable and Configure the Entropy Parser
Flex Parser
Arithmetic Functions
Common Parser Operations
General Functions
Logging Functions
Nodes
Payload Functions
Regex
String Functions
GeoIP2 Parsers
Lua Parsers
HTTP Parsers
Snort Parsers
Search Parser
Wireless LAN Configuration
Troubleshooting Parsers | NetWitness
Configure Feeds
Custom Feed Definition File Structure
Feed Definitions File
Create a Custom Feed
Create a STIX Custom Feed
Create an Identity Feed
Upload, Edit, or Remove a Feed
Create Custom Meta Keys Using Custom Feed
Decoder and Log Decoder Additional Procedures
Configure 10G Capability | NetWitness
Configure 10G Capability
Configure a Log Decoder to Accept Protobuf
Configure Session Split Timeouts
Configure Syslog Forwarding to Destination
Configure Transaction Handling on a Decoder
Configure Data Export
Decrypt Incoming Packets TLS 1.2
Decrypt Incoming Packets TLS 1.3
Edit Decoder System Configuration Settings
Enable CPU Usage Stats for Installed Content
Enable Parser Mappings
Enable or Disable Lua and Flex Parsing Systems
Map IP Address to Service Type
Event Time Support
Obtain Log Files from a Pre-11.0 Log Decoder
Upload a Log File to a Log Decoder
Upload a Packet Capture File
F5 BIG IP - NetWitness Perfect Forward Secrecy Inspection Visibility
Troubleshooting Packet Drops (11.x and above)
Decoder and Log Decoder References
Services Config View - Capture Policies Tab
Services Config View - Edit Policies Wizard
Services Config View - Data Privacy Tab
Services Config View - Data Retention Scheduler
Services Config View - Feeds Tab
Services Config View - Upload Feeds Dialog
Services Config View - Files Tab
Services Config View - General Tab
Services Config View - Parsers Tab
Services Config View - Parser Mappings Tab
Services Config View - Data Export Tab
Services Config View - Rules Tab
Services Config View - App Rules Tab
Services Config View - Correlation Rules Tab
Services Config View - Network Rules Tab
Services System View - Decoders
Broker and Concentrator Basics
Overview of Brokers and Concentrators
Basic Setup Procedures
Step 1. Verify Service System Configuration
Step 2. Configure the Aggregation Process
Step 3. Configure Aggregate Services
Step 4. (Optional) Configure Group Aggregation
Step 5. Start and Stop Aggregation
Broker and Concentrator Configuration References
Services Config View - Broker/Concentrator General Tab
Services System View - Broker
NetWitness Core Database Introduction
Basic Database Configuration
Tiered Database Storage
Manifests
Advanced Database Configuration
Database Configuration Nodes
Index Configuration Nodes
SDK Configuration Nodes
Per-User Configuration Nodes
Scheduler
Rollover
Snort Rules and Configuration
Queries
Index Customization
Rebuilding of the Index
Optimization Techniques
Rule Examples
Appendix A: Statistics
Appendix B: Index Inspect
Live Content in NetWitness Suite
Deploy Content
Create Live Account
Set Up Live Services in NetWitness
Deploy Content using Live Content UI
Required Procedures
Find and Deploy Live Resources
Manage Live Resources
Search and Download Content from NetWitness Platform Live
Additional Procedures
Export Data to RSA
Create a Resource Package
Manage Custom Feeds
Create a Custom Feed
Create a STIX Custom Feed
MetaCallback Feeds
Create an Identity Feed
Edit a Feed
Remove a Feed
Subscribing to Resources
Miscellaneous Live Services Procedures
References
Live Configure View
Deployments Tab
Subscriptions Tab
Discontinued Resource Tab
Live Feeds View
Live Resource View
Live Search View
Live Search Content View
Resource Package Deployment Wizard
RSA Live Registration Portal
NetWitness Feedback and Data Sharing
Troubleshooting
Policy-based Centralized Content Management
About Policy-based Centralized Content Management
Migrate Content from Core Services to Content Library
About Content Library
Import Content to Content Library
Create an Application Rule
Edit Application Rule
Delete Application Rule
View Application Rule Details
Create a Network Rule
Edit Network Rule
Delete Network Rule
View Network Rule Details
About Groups
Create a Group
View a Group
Delete a Group
Edit a Group
About Policies
Create and Publish Policies
Clone a Policy
Delete a Policy
Edit a Policy
View a Policy
Enable Content for a Policy
Disable Content for a Policy
References
Content Library Tab
Groups Tab
Policies Tab
Appendix A: Endpoint Risk Scoring Rules
About Log Collection
Log Collection Architecture
Basic Implementation
Provision Local and Remote Collectors
Configure LC/RC
Configure Failover
Configure Replication
Configure Chain of Remote Collectors
Throttle RC to LC Bandwidth
Set up a Lockbox
Start Collection Services
Verify Log Collection is Working
Configure Certificates
Configure Custom Certificates
Log Collection Basics
Basic Procedure
Search for Specific Event Sources
Configure Event Filters for Log Collector
Import, Export, Edit and Test Event Sources in Bulk
Collection Protocols
Configure AWS (CloudTrail) Event Sources
Configure Azure Event Sources
Configure Check Point Event Sources
Configure File Event Sources
Configure Logstash
Configure Netflow Event Sources
Configure ODBC Event Sources
Configure DSNs
Create Custom Typespec
Troubleshoot ODBC Collection
Configure SDEE Event Sources
Configure SNMP Event Sources
Configure Syslog Event Sources
Configure VMware Event Sources
Configure Windows Event Sources
Windows Legacy Configuration
Set Up Windows Legacy Collector
Configure Windows Legacy and NetApp Event Sources in RSA NetWitness
Troubleshoot Windows Legacy and NetApp Collection
AWS Parameters
Azure Parameters
Check Point Parameters
File Parameters
Service System View
ODBC Parameters
ODBC DSN Parameters
Remote/Local Collectors Configuration Parameters
Tabs
General Tab
Event Destinations Tab
Event Sources Tab
Settings Tab
Log Collection: Troubleshoot
NetWitness Event Sources
Managing Event Sources
Alarms and Notifications
Automatic Alerting
Common Scenarios for Monitoring Policies
Manage Event Source Groups
Create Event Source Groups
Create Event Source Group Form
Acknowledge and Map Event Sources
Edit or Delete Event Source Groups
Remove Idle Event Sources
Create an Event Source and Edit its Attributes
Bulk Edit Event Source Attributes
Import Event Sources
Export Event Sources
Sort Event Sources
Monitor Polices
Configure Event Source Group Alerts
Set Up Notifications
Disable Notifications
Configure Automatic Alerting
View Event Source Alarms
Event Source References
Discovery Tab
Manage Tab
Manage Tab - Historical Graph View
Manage Event Source Tab
Event Sources View
Create/Edit Group Form
Details View
Manage Parser Mappings
Alarms Tab
Monitoring Policies Tab
Settings Tab
Log Parser Rules Tab (version 11.1 only)
Troubleshooting/Appendix
Alarms and Notifications Issues
Duplicate Log Messages
Troubleshoot Feeds
Import File Issues
Negative Policy Numbering
Viewing Logs from Pre-11.0 Log Decoder
Log Parser Rules Customization
Add or Delete Log Parser
JSON Mappings
Create Custom Log Parser Rules
Log Parsers and the Default Log Parser
Use Cases
Extend a Log Parser Example
Select the Reference Log Decoder
Move Log Parser Rules to Production
Troubleshooting and Limitations
Log Parser Rules Tab
Overview
Dataflow
Install Logstash
Install and Configure the NetWitness Codec
Configure Logstash Output Plugins
Configure Event Source
Advanced NetWitness Configuration
Coding Appendix: Linux event Source Example
Coding Appendix: Build a Parser
Overview
Logstash Input Plugin - Configuration Process
Install Logstash
Install NetWitness Logstash Input Plugin
Configure Logstash Input Plugin
Configure SSL
Health and Wellness
Configure Custom Value Meta
(Optional) Configure Logstash Filter Plugin
Configure Logstash Output Plugin
Known Issues
Archiver Overview
Basic Archiver Configuration
Add the Archiver Service
Add Log Decoder as a Data Source to Archiver
Configure Archiver Storage and Log Retention
Configure Hot, Warm, and Cold Storage
Configure Log Storage Collections
Define Retention Rules
Add Archiver as a Data Source to Reporting Engine
Configure Archiver Monitoring
Additional Archiver Configuration
Configure Data Backup and Restore
Retrieve Hash Information
Archiver References
Archiver Collection Dialog
Archiver Services Config View - General Tab
Archiver Service Configuration
Data Retention Tab - Archiver
Services Config View - Archiver
Overview
Configuration Procedures
Add Workbench Service as a Data Source to Broker
Add Workbench as a Data Source to Reporting Engine
Manage Collections
Services Config View
Services Config View - Collections Tab
Services Config View - General Tab
Troubleshooting
Event Stream Analysis Overview
Configure ESA Correlation Rules
Additional ESA Correlation Rules Procedures
Update Your ESA Rules for the Required Multi-Value and Single-Value Meta Keys
Configure Advanced Settings for ESA Correlation
Configure Character Case for Advanced ESA Rules
Deploy Endpoint Risk Scoring Rules on ESA
Change Memory Threshold for ESA Rules
Start, Stop, or Restart ESA Service
View Audit Logs and Verify ESA Component Versions
References - Previous ESA Versions
Services Config View Data Sources Tab (11.2 and Earlier)
Services Config View Advanced Tab (11.2 and Earlier)
Whois Lookup Service Configuration (11.1.x to 11.4.x)
ESA Analytics Mappings (11.1.x to 11.4.x)
Module Settings (11.1.x to 11.4.x)
Getting Started with ESA
Best Practices
Troubleshoot ESA
View Memory Metrics for Rules
How ESA Handles Sensitive Data
ESA Rule Types
ESA Permissions
Practice with Sample Rules
Working with Trial Rules
Add Rules to the Rules Library
Download Configurable RSA Live ESA Rules
Customize an RSA Live ESA Rule
Add a Rule Builder Rule
Step 1. Name and Describe the Rule
Step 2. Build a Rule Statement
Step 3. Add Conditions to a Rule Statement
Working With Rules
Edit, Duplicate or Delete a Rule
Filter or Search for Rules
Import or Export Rules
Choose How to Be Notified of Alerts
Notification Methods
Add Notification Method to a Rule
Add a Data Enrichment Source
Enrichment Sources
Configure a Context Hub List as an Enrichment Source
Configure an In-Memory Table as an Enrichment Source
Add an Enrichment to a Rule
Deploy Rules to Run on ESA
ESA Rule Deployment Steps
Additional ESA Rule Deployment Procedures
View ESA Stats and Alerts
View Stats for an ESA Service
View a Summary of Alerts
Add an Advanced EPL Rule
Event Processing Language (EPL)
ESA Annotations
Example Advanced EPL Rules
Configure an In-Memory Table Using an EPL Query
ESA Alert References
RulesTab
Rules Tab Options Panel
Rule Library Panel
Rule Builder Tab
Build a Statement Dialog
Advanced EPL Rule Tab
Rule Syntax Dialog
Deployment Panel
Deploy ESA Services Dialog
Deploy ESA Rules Dialog
Updates to the Deployment Dialog
Services Tab
Settings Tab
How Context Hub Works
Configure Lists as a Data Source
Configure Archer as a Data Source
Configure Active Directory Data Source
Configure RSA EndPoint Data Source
Configure Respond Data Source
Configure File Reputation Server Data Source
Configure STIX as a Data Source
Configure RESTAPI as a Data Source
Configure Data Sources Settings
Import or Export Lists for Context Hub
Manage Meta Type and Meta Key Mapping
Context Hub Data Sources Tab
Context Hub Lists Tab
Context Hub STIX Tab
Troubleshooting
How Malware Analysis Works
Basic Setup
Configure Malware Analysis Operating Environment
Configure General Malware Analysis Settings
Configure Indicators of Compromise
Configure Installed Antivirus Vendors
Enable Community Scoring
(Optional) Configure Auditing on Malware Analysis Host
(Optional) Configure Hash Filter
(Optional) Configure Malware Analysis Proxy Settings
(Optional) Register for a ThreatGRID API Key
Additional Procedures for Configuring Malware Analysis
Create Custom Alert in CEF Format
Enable Custom YARA Content
Supported Antivirus Vendors
Malware Analysis References
Services Config View - General Tab
Services Config View - Indicators of Compromise Tab
Services Config View - IOC Summary Tab
Services Config View - Auditing Tab
Services Config View - Hash Tab
Services Config View - AV Tab
Services Config View - Proxy Tab
Services Config View - ThreatGRID Tab
Services Config View - Integration Tab
NetWitness Endpoint Overview
Agent Modes
Endpoint Server Configuration
Deploy Endpoint Application Rules and ESA Correlation Rules
Setup Meta Forwarding to Log Decoder
Endpoint Sources
Create Groups and Policies
Manage Groups
Manage Policies
Change Policy Ordering for Groups
Configure Data Retention Policy
Manage Role Permissions at Endpoint Server Level
Manage Inactive Agents
Configure Retention Policy for Memory Dumps and MFT
(Optional) Installing and Configuring Relay Server
Endpoint YARA Rules
Configure OPSWAT
Integrate NetWitness Endpoint 4.4.0.2 or Later with NetWitness Endpoint 11.3
Endpoint References
General Tab
Data Retention Scheduler Tab
Packager Tab
Relay Server Tab
Endpoint Sources - Groups
Endpoint Sources - Policies
Troubleshooting
Reset File Collection Bookmarks
Supported File Log Event Source Types
Specify UNC Paths
About this Document
NetWitness Respond Configuration Overview
Configuring NetWitness Respond
Step 1. Configure Alert Sources to Display Alerts in the Respond View
Step 2. Assign Respond View Permissions
Step 3. Enable and Create Incident Rules for Alerts
Additional Procedures for Respond Configuration
Set Up and Verify Default Incident Rules
Configure Risk Scoring Settings for Automated Incident Creation
Configure Custom Respond Server Alert Normalization
Configure Analyst UI for Respond Server Alert Normalization
Configure Incident Email Notification Settings
Set a Retention Period for Alerts and Incidents
Obfuscate Private Data
Manage Incidents in Archer Cyber Incident & Breach Response
Configure the Option to Send Incidents to Archer
Configure Threat Aware Authentication
Set a Counter for Matched Alerts and Incidents
Edit the Incident Rules Export ZIP File
Configure a Database for the Respond Server Service
NetWitness Respond Configuration Reference
Configure View
Incident Rules View
Incident Rule Details View
Incident Email Notification Settings View
Aggregation Rules Tab (11.0 and earlier)
New Rule tab (11.0 and earlier)
How Reporting Engine Works
Configure Reporting Engine
Configure the Data Sources
(Optional) Add Workbench as Data Source to Reporting Engine
(Optional) Add Archiver as Data Source to Reporting Engine
(Optional) Integrate EndPoint Information Into Reports
(Optional) Add Collection as Data Source to Reporting Engine
Configure Data Privacy for Reporting Engine
Configure Data Source Permissions
Configure Reporting Engine Settings
Enable LDAP Authentication
Add Additional Space for Large Reports
Managing Log File Parameters
Configure Task Scheduler for a Reporting Engine
How to Define Reports, Charts, and Alerts
Configure Reporting Engine General Settings
Reporting Engine Reference
Reporting Engine General Tab
Reporting Engine Sources Tab
Reporting Engine Output Actions Tab
Reporting Engine Manage Logos Tab
How Warehouse Connector Works
Install Warehouse Connector Service on a Log Decoder or Decoder
Configure a Warehouse Connector Service
Configure the Data Source for Warehouse Connector
Configure the Destination
Configure the Destination Using NFS
Configure the Destination Using SFTP
Configure the Destination Using WebHDFS
Configure a Stream
Monitor a Warehouse Connector
Add Warehouse as a Data Source to Reporting Engine
Analyze a Warehouse Report
View the Warehouse Connector Service
Troubleshoot the Warehouse Connector
Manage a Stream
Manage a Lockbox
Warehouse Connector Configuration References
General Tab Settings
Appliance Service Configuration Tab Settings
Sources and Destinations Configuration
Add Stream Dialog
Streams Configuration
Lockbox Settings
UEBA Configuration Overview
UEBA Configuration
UEBA Configuration Troubleshooting
Introduction
Admin-server Configuration
Analysis-server Configuration
Config-server Configuration
Content-server Configuration
Contexthub-server Configuration
Correlation-server Configuration
Endpoint-broker-server Configuration
Endpoint-server Configuration
Enrichment-server Configuration
Integration-server Configuration
Investigate-server Configuration
Launch-framework Configuration
License-server Configuration
Metrics-server Configuration
Node-infra-server Configuration
No-op-server Configuration
Orchestration-server Configuration
Relay-server Configuration
Respond-server Configuration
Security-server Configuration
Source-server Configuration
Set Up System Security
Configure Password Complexity
Change the Default Admin Passwords
Configure System-Level Security Settings
(Optional) Configure External Authentication
Configure Active Directory
Configure PAM Login Capability
(Optional) Configure PKI Authentication
(Optional) Use a Custom Server Certificate
(Optional) Create a Customized Login Banner
How Role-Based Access Control Works
Role Permissions
Manage Users with Roles and Permissions
Review the Preconfigured NetWitness Platform Roles
(Optional) Add a Role and Assign Permissions
Verify Query and Session Attributes per Role
Set Up Users
(Optional) Map User Roles to External Groups
Search for External Groups
Set Up Multi-Factor Authentication
Set Up Single Sign-On Authentication
Configure Single Sign-On
(Optional) Set Up Public Key Infrastructure (PKI) Authentication
Configure PKI Authentication
Import Server Certificate and Trusted CA Certificate
(Optional) Configure the CRL Manually
Enable PKI Authentication
Disable PKI
Delete Server Certificate and Trusted CA Certificate
Troubleshooting
References
Admin Security View
Users Tab
Add or Edit User Dialog
Roles Tab
Add or Edit Role Dialog
External Group Mapping Tab
Add Role Mapping Dialog
Search External Groups Dialog
Settings Tab
PKI Settings Tab
Login Banner Tab
Single Sign-On Settings Tab
Data Privacy Overview
Recommended Configurations
Quick Start Procedures
Prepare to Configure Data Privacy
Configure the Recommended Data Privacy Solution
In-Depth Procedures
Configure Data Obfuscation
Configure Data Retention
Configure User Accounts for Use in Data Privacy
Data Privacy References
System Configuration Overview
Standard Procedures
Access System Settings
Configure Notification Servers
Notification Servers Overview
Configure the Email Settings as Notification Server
Configure Script as a Notification Server
Configure the SNMP Settings as Notification Server
Configure a Syslog Notification Server
Configure Notification Outputs
Notification Outputs Overview
Configure Email as a Notification
Configure Script as a Notification
Configure SNMP as a Notification
Configure Syslog as a Notification
Configure Templates for Notifications
Configure Global Notification Templates
Define a Template for ESA Alert Notifications
Import and Export a Global NotificationsTemplate
Configure Email Server and Notification Account
Configure Global Audit Logging
Configure a Destination to Receive Global Audit Logs
Define a Template for Global Audit Logging
Define a Global Audit Logging Configuration
Verify Global Audit Logs
Configure Centralized Audit Logging
Configure Investigation Settings
Configure Live Services Settings
Live Feedback Overview
Upload Data to RSA
Configure Log File Settings
Configure Syslog and SNMP Settings
AdditionalProcedures
Add Custom Context Menu Actions
Configure NTP Servers
Configure Proxy for Security Analytics
Troubleshooting System Configuration
References
Global Audit Logging Configurations Panel
Add New Configuration Dialog
Supported CEF Meta Keys
Supported Global Audit Logging Meta Key Variables
Global Audit Logging Operation Reference
Local Audit Log Locations
Global Notifications Panel
Define Notification Server Dialogs
Define Notification Output Dialogs
Define Notification Template Dialog
Output Tab
Servers Tab
Templates Tab
HTTP Proxy Settings Panel
Email Configuration Panel
Investigation Configuration Panel
Live Services Configuration Panel
NTP Settings Panel
Context Menu Actions Panel
Legacy Notifications Configuration Panel