This website uses cookies. By clicking Accept, you consent to the use of cookies.
Click Here
to learn more about how we use cookies.
Accept
Reject
Browse
NetWitness Community
Home
Products
NetWitness Platform
Advisories
Documentation
Platform Documentation
Known Issues
Security Fixes
Hardware Documentation
Threat Content
Unified Data Model
Videos
Downloads
Integrations
Knowledge Base
NetWitness Cloud SIEM
Advisories
Documentation
Knowledge Base
NetWitness Detect AI
Advisories
Documentation
Knowledge Base
NetWitness Investigator
NetWitness Orchestrator
Advisories
Documentation
Knowledge Base
Legacy NetWitness Orchestrator
Advisories
Documentation
Community
Blog
Discussions
Events
Idea Exchange
Support
Case Portal
Create New Case
View My Cases
View My Team's Cases
Community Support
Getting Started
News & Announcements
Community Support Forum
Community Support Articles
Product Life Cycle
Support Information
General Security Advisories
Training
Blog
Certification Program
Course Catalog
Netwitness XDR
EC-Council Training
New Product Readiness
On-Demand Subscriptions
Student Resources
Upcoming Events
Role-Based Training
Technology Partners
Trust Center
Sign In
Register Now
Entire Website
This Location
Documents
Users
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Search instead for
Did you mean:
NetWitness Platform Online Documentation
Browse the official NetWitness Platform Online documentation for helpful tutorials, step-by-step instructions, and other valuable resources.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Search instead for
Did you mean:
NetWitness Community
Products
NetWitness Platform
Documentation
Online Documentation
Malware Analysis Configuration Guide for 11.7
Options
Subscribe to RSS Feed
Bookmark
Subscribe
Printer Friendly Page
Report Inappropriate Content
English
French (Français)
German (Deutsche)
Japanese (日本人)
Spanish (Español)
Versions
Version 12.5
Version 12.4.2
Version 12.4.1
Version 12.4
Version 12.3.1
Version 12.3
Version 12.2
Version 12.1
Version 12.0
Collections
Platform Documentation
Hardware Setup Guides
Integrations
Threat Intelligence
All Downloads
Table of Contents
Release Notes
Release Notes for 12.5
What's New
Fixed Issues
Known Issues
Build Numbers
Release Notes for 12.4.2
What's New
Fixed Issues
Known Issues
Build Numbers
Release Notes for 12.4.1
What's New
Fixed Issues
Known Issues
Build Numbers
Release Notes for 12.4
What's New
Fixed Issues
Known Issues
Build Numbers
Release Notes for 12.3.1
What's New
Fixed Issues
Known Issues
Build Numbers
Release Notes for 12.3
What's New
Fixed Issues
Known Issues
Build Numbers
Release Notes for 12.2.0.1
What's New
Fixed Issues
Upgrade Instructions
Build Numbers
Release Notes for 12.2
What's New
Fixed Issues
Build Numbers
What's New in Previous Releases
Known Issues
Security Fixes
Getting Started
Getting Started With NetWitness
Getting Started with NetWitness Platform
Log in to NetWitness Platform
Changing Your Password
Identifying Your Role
NetWitness Platform Basic Navigation
Setting Up Your Default View by SOC Role
Manage Home Widgets
Managing the Springboard
Managing Dashboards
Setting User Preferences
Managing Jobs
Viewing and Deleting Notifications
Viewing Help in the Application
Finding Documents on NetWitness Community
Troubleshooting for User Setup
NetWitness Platform Getting Started References
User Preferences
Notifications Panel and Notifications Tray
Jobs Panel and Jobs Tray
Set up your Hosts and Services
Hosts and Services Basics
Hosts and Services Set Up Procedures
Hosts and Services Maintenance Procedures
References
Hosts View
Services View
Edit Service Dialog
Services Config View
Services Config View - Appliance Service Configuration Tab
Services Config View - Data Retention Scheduler Tab
Services Config View - Files Tab
Services Explore View
Services Explore View - Properties Dialog
Services Logs View
Services Security View
Services Security View - Users Tab
Services Security View - Roles Tab
Services Security View - Service User Roles and Permissions
Services Security View - Aggregation Role
Services Security View - Settings Tab
Services Stats View
Services Stats View - Chart Stats Tray
Services Stats View - Gauges
Services Stats View - Timeline Charts
Services System View
Services Topology View
Services System View - Host Task List Dialog
Service Configuration Parameters
Aggregation Configuration Parameters
Appliance Service Configuration Parameters
Archiver Service Configuration Parameters
Broker Service Configuration Parameters
Concentrator Service Configuration Parameters
Core Service Logging Configuration Parameters
Core Service-to-Service Configuration Parameters
Core Service System Configuration Parameters
Decoder Configuration Parameters
Network Decoder Service Configuration Parameters
Log Decoder Service Configuration Parameters
REST Interface Configuration Parameters
NetWitness Platform Core Service system.roles Modes
Centralized Service Configuration via Policy
Centralized Service Configuration - Groups Tab
Centralized Service Configuration - Policies Tab
Troubleshooting Version Installations and Updates
Quick Start - Investigation
What Is NetWitness Investigate
Quick Start - Endpoints
QuickStart
Quick Start - UEBA
QuickStart
Install and Upgrade
Deploy NetWitness
The Basics
Deployment Optional Setup Procedures
Network Architecture and Ports
Site Requirements and Safety
Manage Licensing
Entitlement Capability Implementation
Initial Set Up
Obtain License Server ID from NetWitness Platform UI
Access Product Licenses from myRSA
Synchronize NetWitness Server
Synchronize Local Licensing Server Offline
License Types
Configure NetWitness Notifications
About Out-of-Compliance Banners
Troubleshoot Licensing
Licensing Panel Reference
Usage Trend
Reassign Licenses
Export Usage Stats
Settings Tab
Out-of-Compliance Reference
License Usage Calculations for Decoder and Log Decoder Services
Physical Host Installation
Introduction
Installation Tasks
Update or Install Legacy Windows Collection
Post Installation Tasks
Appendix A. Troubleshooting
Appendix B. Create External Repo
Appendix C. Silent Installation Using CLI
Appendix D. Third Party Server System Requirement
Virtual Host Installation
Basic Deployment
Install NW Virtual Host in Virtual Environment
Step 1a. Create Virtual Machine - VMware
Step 1b. Deploy the Virtual Host in Hyper-V
Step 1c. Create Virtual Machine in Nutanix AHV
Step 2. Configure Block Storage to Accommodate NetWitness Platform
Task 1. Add New Disk
Task 2. Add New Volume and Extend Existing File Systems
Task 3. Storage Configurations
Step 3. Installation Tasks
Step 4. Configure Host-Specific Parameters
Step 5. Post Installation Tasks
Appendix A. Troubleshooting
Appendix B. Silent Installation Using CLI
Appendix C. Virtual Host Recommended System Requirements
Appendix D. Update the Virtual ESA Host Memory
NetWitness Storage Configuration
Storage Overview
Storage Requirements
Prepare Physical Storage
Prepare Virtual or Cloud Storage
Configure Storage Using the REST API
Prepare Unity Storage
Migrate Data to Another Storage Type
SASE Node-x (Decoder/Concentrator) - GCP Persistent Disk (PD) Storage Configuration
Introduction
Identify Storage Requirements
Identify or Define Storage Model
Deploy SASE Node(s)
Configure SASE Node(s) Storage
Extend Storage for SASE Node
Appendix
Appendix A - Defining a Custom Host Model
Appendix B - Sample Scenario for Configuring SASE Decoder Storage
Appendix C - Sample Scenario for Configuring SASE Concentrator Storage
Appendix D - Sample Scenario for Extending for SASE Decoder Storage
Appendix E - Sample Scenario for Extending SASE Concentrator Storage
Appendix A. How NetWitness Platform Hosts Store Data
Appendix B. Encrypt a Series 6E Core or Hybrid Host (encryptSedVd.py)
Appendix C. Troubleshooting
Appendix D. Sample Storage Configuration Scenarios
Appendix E: Sample Storage Configuration Scenarios for 8 or 12 Drive Powervault
Appendix F: Sample Storage Configuration Scenarios Meta Disk Kits
Appendix G: Sample Storage Configuration for Concentrator Index with One Meta Disk Kit
AWS Deployment
AWS Deployment Overview
AWS Deployment
Establish AWS Environment
Find NetWitness AMIs
Launch an Instance and Configure a Host
Configure Hosts (Instances) in NetWitness Platform
Configure Packet Capture
Instance Configuration Recommendations
Appendix A Silent Installation Using CLI
Azure Deployment
Azure Installation Overview
Azure Configuration Recommendations
Azure Deployment
Partition Recommendations
Deploy NW Server Host in Azure
Installation Tasks
Configure Hosts (Instances) in NetWitness Platform
Configure Packet Capture for Azure Cloud Environment
Appendix A. Silent Installation Using CLI
Google Cloud Platform Deployment
Google Cloud Platform Installation Overview
GCP Deployment
Prerequisites
Find NetWitness Platform GCP Images
Establish gcloud Environment
Create an Instance using Google Cloud SDK Shell
Create a Firewall Rule
Connect to VM Instance using SSH
Installation Tasks
Configure Hosts (Instances) in NetWitness Platform
Configure Packet Mirroring
GCP Instance Configuration Recommendations
Endpoint Agent Installation
Introduction to Endpoint Agent Installation
Prerequisites
Generate an Agent Packager
Generate Agent Installers
Deploy and Verify Agents
Uninstall Agents
Upgrade Agents
Recommendations for Installing Agents in Virtual Desktop Infrastructure Environment
Troubleshooting
UEBA Standalone Installation
Introduction
NetWitness UEBA Standalone Installation
System Requirement
Installation Tasks
Post Installation Tasks
Upgrade to NetWitness Platform 12.5
Upgrade NetWitness Platform
Pre Upgrade Checks
Prepare to Upgrade NetWitness Platform
Perform Upgrade Tasks
Perform Post Upgrade Tasks
Perform Endpoint Upgrade Tasks
Troubleshoot Upgrade Issues
Upgrade to NetWitness Platform 12.4.2
Upgrade NetWitness Platform
Pre upgrade checks
Prepare to Upgrade NetWitness Platform
Perform Upgrade Tasks
Perform Post Upgrade Tasks
Perform Endpoint Upgrade Tasks
Troubleshoot Upgrade Issues
Upgrade to NetWitness Platform 12.4.1
Upgrade NetWitness Platform
Pre upgrade checks
Prepare to Upgrade NetWitness Platform
Perform Upgrade Tasks
Perform Post Upgrade Tasks
Perform Endpoint Upgrade Tasks
Troubleshoot Upgrade Issues
Upgrade to NetWitness Platform 12.4
Upgrade NetWitness Platform
Pre upgrade checks
Prepare to Upgrade NetWitness Platform
Perform Upgrade Tasks
Perform Post Upgrade Tasks
Perform Endpoint Upgrade Tasks
Troubleshoot Upgrade Issues
Upgrade to NetWitness Platform 12.3.1
Overview
Pre upgrade checks
Upgrade Preparation Tasks
Upgrade Tasks
Post Upgrade Tasks
Endpoint Upgrade Tasks
Start Using New Features
Troubleshooting Version Installations and Upgrades
Upgrade to NetWitness Platform 12.3
Overview
Pre upgrade checks
Upgrade Preparation Tasks
Upgrade Tasks
Post Upgrade Tasks
Endpoint Upgrade Tasks
Start Using New Features
Troubleshooting Version Installations and Upgrades
Upgrade to NetWitness Platform 12.2
Overview
Pre upgrade checks
Upgrade Preparation Tasks
Upgrade Tasks
Post Upgrade Tasks
Endpoint Upgrade Tasks
Troubleshooting Version Installations and Upgrades
Windows Legacy Log Collection Configuration
Windows Legacy Collection
NetWitness Export Connector Deployment
Overview
Logstash Input Plugin - Configuration Process
Install Logstash
Install NetWitness Logstash Input Plugin
Configure Logstash Input Plugin
Configure SSL
Health and Wellness
Configure Custom Value Meta
(Optional) Configure Logstash Filter Plugin
Configure Logstash Output Plugin
Known Issues
Configure and Manage
SASE Installation and Configuration
SASE Hybrid Cloud Overview
SASE Installation
SASE Configuration
nw-create-cloud-hybrid Command Help
SASE Deployment
SASE Undeployment
SASE Backup
SASE Restore
SASE Upgrade
Reissue All Certificates
Reissue Node Certificates
Check Certificate Status
Check Overlay Network Status
GCP Cloud Quick-Install Guide
Limitations
SASE Configuration for Palo Alto Networks
Getting Started
Deploy Palo Alto Prisma Integration using CCM
Deploy Palo Alto Prisma Integration using NwConsole
Remove Palo Alto Prisma Integration Plugin
SASE Configuration for Broadcom
Getting Started
Deploy Broadcom ETM Integration using CCM
Response Actions Configuration
Response Actions
Integrate the Connector with NetWitness Platform
Create and Manage Response Actions
Response Actions History View
Quick Actions
Response Actions and Quick Actions Use Case Examples
Correlation between Response and Quick Actions
Quick Action History
Connect with Threat Connect using HTTPS
NetWitness Response Actions Reference Information
Response Actions View
Quick Actions Option
Policy-based Centralized Content Management
About Policy-based Centralized Content Management
Enable or Disable Policy-based Centralized Content Management for All or Individual Services
Migrate Content from Core Services to Content Library
Migrate ESA Deployments to Policies and Groups
Manage Content Library
Import Content to Content Library
Create an Application Rule
Clone Application Rule
Edit Application Rule
Delete Application Rule
View Application Rule Details
Create a Network Rule
Clone Network Rule
Edit Network Rule
Delete Network Rule
View Network Rule Details
Create an ESA Rule
Edit an ESA Rule
Delete an ESA Rule
About MITRE ATT&CK Tactics and Techniques
About SASE Integration Plugins
Manage Search Pattern Rules
Filter Content Rules
Manage Groups
Create a Group
View a Group
Delete a Group
Edit a Group
Filter Groups
Manage Policies
Create and Publish Policies
Clone a Policy
Delete a Policy
Edit a Policy
View a Policy
Enable Content for a Policy
Disable Content for a Policy
Subscribe Content for a Policy
Unsubscribe Content for a Policy
Filter Policies
Filter Policy Content Details
Merge Policy with ESA Content
Manage Services
View a Service
Migrate Content from Service
Enable or Disable CCM for Individual Decoder Services
Manage ESA Datasources
View an ESA Datasource
Add an ESA Datasource
Edit an ESA Datasource
Delete an ESA Datasource
Manage Deployments
View a Deployment
Create a Deployment
Edit a Deployment
Start a Deployment
Fast Deployment
Deployment Stats
Remove a Deployment
Stop a Deployment
Troubleshooting
References
Content Library Tab
Data Sources Tab
Deployments Tab
Groups Tab
Policies Tab
Services Tab
Appendix A: Endpoint Risk Scoring Rules
Appendix B: Position Tracking Information
Decoder and Log Decoder Configuration
Decoder and Log Decoder Quick Setup
Configure Common Settings on a Decoder
Configure Capture Settings
(Optional) Configure System-Level (BPF) Packet Filtering
(Optional) Configure a Decoder to Capture Data Across All Types of Network Interfaces
(Optional) Configure Meta-Only Decoders
(Optional) Configure Selective Network Data Collection
(Optional) Configure a Decoder to Write Standard pcap-formatted Files
(Optional) Multiple Adapter Packet Capture
(Optional) Internet Content Adaptation Protocol Capture
(Optional) Data Plane Development Kit Packet Capture
(Optional) Preserve VLAN Tags When Using the Packet MMAP Capture Interface
(Optional) Process Raw Syslog Data without Priority Field
(Optional) Configure Decoder to Support OpenAppID
Enable and Disable Parsers and Log Parsers
Start and Stop Data Capture
Configure Decoder Rules
Configure Application Rules
Configure Correlation Rules
Configure Network Rules
Fix Rules with Invalid Syntax
Decoder Commands for Managing Rules
Configure Parsers and Feeds
Configure Parsers
Use Custom Parsers
Enable and Configure the Entropy Parser
Flex Parser
Arithmetic Functions
Common Parser Operations
General Functions
Logging Functions
Nodes
Payload Functions
Regex
String Functions
GeoIP2 Parsers
Lua Parsers
HTTP Parsers
Snort Parsers
Search Parser
Wireless LAN Configuration
Troubleshooting Parsers
Configure Feeds
Custom Feed Definition File Structure
Feed Definitions File
Create a Custom Feed
Create a STIX Custom Feed
Create an Identity Feed
Upload, Edit, or Remove a Feed
Create Custom Meta Keys Using Custom Feed
Decoder and Log Decoder Additional Procedures
Configure 10G Capability | NetWitness
Configure 10G Capability
Configure a Log Decoder to Accept Protobuf
Configure Session Split Timeouts
Configure Syslog Forwarding to Destination
Configure Transaction Handling on a Decoder
Configure Data Export
Decrypt Incoming Packets TLS 1.2
Decrypt Incoming Packets TLS 1.3
Edit Decoder System Configuration Settings
Enable CPU Usage Stats for Installed Content
Enable Parser Mappings
Enable or Disable Lua and Flex Parsing Systems
Map IP Address to Service Type
Event Time Support
Obtain Log Files from a Pre-11.0 Log Decoder
Upload a Log File to a Log Decoder
Upload a Packet Capture File
F5 BIG IP - NetWitness Perfect Forward Secrecy Inspection Visibility
Troubleshooting Packet Drops (11.x and above)
Decoder and Log Decoder References
Services Config View - Capture Policies Tab
Services Config View - Edit Policies Wizard
Services Config View - Data Privacy Tab
Services Config View - Data Retention Scheduler
Services Config View - Feeds Tab
Services Config View - Upload Feeds Dialog
Services Config View - Files Tab
Services Config View - General Tab
Services Config View - Parsers Tab
Services Config View - Parser Mappings Tab
Services Config View - Data Export Tab
Services Config View - Rules Tab
Services Config View - App Rules Tab
Services Config View - Correlation Rules Tab
Services Config View - Network Rules Tab
Services System View - Decoders
NetWitness Extended Meta Key Configuration
Overview
Performance Considerations
Configuring Extended Meta Keys
Extended Meta Recommendations
Broker and Concentrator Configuration
Broker and Concentrator Basics
Overview of Brokers and Concentrators
Basic Setup Procedures
Step 1. Verify Service System Configuration
Step 2. Configure the Aggregation Process
Step 3. Configure Aggregate Services
Step 4. (Optional) Configure Group Aggregation
Step 5. Start and Stop Aggregation
Broker and Concentrator Configuration References
Services Config View - Broker/Concentrator General Tab
Services System View - Broker
Core Database Tuning
NetWitness Core Database Introduction
Basic Database Configuration
Tiered Database Storage
Manifests
Advanced Database Configuration
Database Configuration Nodes
Index Configuration Nodes
SDK Configuration Nodes
Per-User Configuration Nodes
Scheduler
Rollover
Snort Rules and Configuration
Queries
Index Customization
Rebuilding of the Index
Optimization Techniques
Rule Examples
Appendix A: Statistics
Appendix B: Index Inspect
Live Services Management
Live Content in NetWitness Suite
Deploy Content
Create Live Account
Set Up Live Services in NetWitness Platform
Deploy Content using Live Content UI
Required Procedures
Find and Deploy Live Resources
Manage Live Resources
Search and Download Content from NetWitness Cloud Services Live
Manage Custom Content
Additional Procedures
Export Data to NetWitness
Create a Resource Package
Manage Custom Feeds
Subscribing to Resources
Miscellaneous Live Services Procedures
References
Live Configure View
Live Feeds View
Live Resource View
Live Search View
Live Search Content View
Resource Package Deployment Wizard
NetWitness Live Registration Portal
Netwitness Feedback and Data Sharing
Troubleshooting
Log Collection Configuration
About Log Collection
Log Collection Architecture
Basic Implementation
Provision Local and Remote Collectors
Configure LC/RC
Configure Failover
Configure Replication
Configure Chain of Remote Collectors
Throttle RC to LC Bandwidth
Set up a Lockbox
Start Collection Services
Verify Log Collection is Working
Configure Certificates
Configure Custom Certificates
Log Collection Basics
Basic Procedure
Search for Specific Event Sources
Configure Event Filters for Log Collector
Import, Export, Edit and Test Event Sources in Bulk
Collection Protocols
Configure AWS (CloudTrail) Event Sources
Configure Azure Event Sources
Configure Check Point Event Sources
Configure File Event Sources
Configure Logstash
Configure Netflow Event Sources
ODBC
Configure ODBC Event Sources
Configure DSNs
Create Custom Typespec
Troubleshoot ODBC Collection
Configure SDEE Event Sources
Configure SNMP Event Sources
Configure Syslog Event Sources
Configure VMware Event Sources
Configure Windows Event Sources
Windows Legacy Configuration
Set Up Windows Legacy Collector
Configure Windows Legacy and NetApp Event Sources in NetWitness
Troubleshoot Windows Legacy and NetApp Collection
Reference
AWS Parameters
Azure Parameters
Check Point Parameters
File Parameters
Service System View
ODBC Parameters
ODBC DSN Parameters
Remote/Local Collectors Configuration Parameters
Tabs
General Tab
Event Destinations Tab
Event Sources Tab
Settings Tab
Log Collection: Troubleshoot
Meta Export Installation and Configuration
Overview
Workflow of NetWitness MetaExport
Configuration Process
VM Sizing Recommendations
Install NetWitness MetaExport
Configure LogStash Keystore
Configure NetWitness MetaExport
Event Source Management
NetWitness Event Sources
Event Source Management
Alarms and Notifications
Automatic Alerting
Common Scenarios for Monitoring Policies
Manage Event Source Groups
Create Event Source Groups
Create Event Source Group Form
Acknowledge and Map Event Sources
Edit or Delete Event Source Groups
Remove Idle Event Sources
Create an Event Source and Edit its Attributes
Bulk Edit Event Source Attributes
Import Event Sources
Export Event Sources
Sort Event Sources
Monitor Polices
Configure Event Source Group Alerts
Set Up Notifications
Disable Notifications
Configure Automatic Alerting
View Event Source Alarms
Event Source References
Discovery Tab
Manage Tab
Manage Tab - Historical Graph View
Manage Event Source Tab
Event Sources View
Create/Edit Group Form
Details View
Manage Parser Mappings
Alarms Tab
Monitoring Policies Tab
Settings Tab
Log Parser Rules Tab (version 11.1 only)
Troubleshooting/Appendix
Alarms and Notifications Issues
Duplicate Log Messages
Troubleshoot Feeds
Import File Issues
Negative Policy Numbering
Viewing Logs from Pre-11.0 Log Decoder
Log Parser Customization
Log Parser Rules Customization
Add or Delete Log Parser
JSON Mappings
Create Custom Log Parser Rules
Log Parsers and the Default Log Parser
Use Cases
Extend a Log Parser Example
Select the Reference Log Decoder
Move Log Parser Rules to Production
Troubleshooting and Limitations
Log Parser Rules Tab
Logstash Integration Configuration
Overview
Dataflow
Install Logstash
Install and Configure the NetWitness Codec
Configure Logstash Output Plugins
Configure Event Source
Advanced NetWitness Configuration
Coding Appendix: Linux event Source Example
Coding Appendix: Build a Parser
Archiver Configuration For Logs
Archiver Overview
Basic Archiver Configuration
Add the Archiver Service
Add Log Decoder as a Data Source to Archiver
Configure Archiver Storage and Log Retention
Configure Hot, Warm, and Cold Storage
Configure Log Storage Collections
Define Retention Rules
Add Archiver as a Data Source to Reporting Engine
Configure Archiver Monitoring
Additional Archiver Configuration
Configure Data Backup and Restore
Retrieve Hash Information
Archiver References
Archiver Collection Dialog
Archiver Services Config View - General Tab
Archiver Service Configuration
Data Retention Tab - Archiver
Services Config View - Archiver
Workbench Configuration For Logs
Overview
Configuration Procedures
Add Workbench Service as a Data Source to Broker
Add Workbench as a Data Source to Reporting Engine
Manage Collections
Services Config View
Services Config View - Collections Tab
Services Config View - General Tab
Troubleshooting
Event Stream Analysis Configuration
Event Stream Analysis Overview
Configure ESA Correlation Rules
Additional ESA Correlation Rules Procedures
Update Your ESA Rules for the Required Multi-Value and Single-Value Meta Keys
Configure Advanced Settings for ESA Correlation
Configure Character Case for Advanced ESA Rules
Deploy Endpoint Risk Scoring Rules on ESA
Change Memory Threshold for ESA Rules
Start, Stop, or Restart ESA Service
View Audit Logs and Verify ESA Component Versions
ESA Primary Disaster Recovery
Alerting with ESA Correlation Rules
Getting Started with ESA
Best Practices
Troubleshoot ESA
View Memory Metrics for Rules
How ESA Handles Sensitive Data
ESA Rule Types
ESA Permissions
Practice with Sample Rules
Working with Trial Rules
Add Rules to the Rules Library
Download Configurable RSA Live ESA Rules
Customize an RSA Live ESA Rule
Add a Rule Builder Rule
Step 1. Name and Describe the Rule
Step 2. Build a Rule Statement
Step 3. Add Conditions to a Rule Statement
Working With Rules
Edit, Duplicate or Delete a Rule
Filter or Search for Rules
Import or Export Rules
Choose How to Be Notified of Alerts
Notification Methods
Add Notification Method to a Rule
Add a Data Enrichment Source
Enrichment Sources
Configure a Context Hub List as an Enrichment Source
Configure an In-Memory Table as an Enrichment Source
Add an Enrichment to a Rule
Deploy Rules to Run on ESA
ESA Rule Deployment Steps
Additional ESA Rule Deployment Procedures
View ESA Stats and Alerts
View Stats for an ESA Service
View a Summary of Alerts
Add an Advanced EPL Rule
Event Processing Language (EPL)
ESA Annotations
Example Advanced EPL Rules
Configure an In-Memory Table Using an EPL Query
ESA Alert References
RulesTab
Rule Library Panel
Rule Builder Tab
Build a Statement Dialog
Advanced EPL Rule Tab
Rule Syntax Dialog
Services Tab
Settings Tab
Context Hub Configuration
How Context Hub Works
Configure Lists as a Data Source
Configure Archer as a Data Source
Configure Active Directory Data Source
Configure Respond Data Source
Configure File Reputation Server Data Source
Configure STIX as a Data Source
Configure RESTAPI as a Data Source
Configure Data Sources Settings
Import or Export Lists for Context Hub
Manage Meta values for Context Hub Lists
Manage Meta Type and Meta Key Mapping
Context Hub Data Sources Tab
Context Hub Lists Tab
Context Hub STIX Tab
Troubleshooting
Malware Analysis Configuration
How Malware Analysis Works
Basic Setup
Configure Malware Analysis Operating Environment
Configure General Malware Analysis Settings
Configure Indicators of Compromise
Configure Installed Antivirus Vendors
Enable Community Scoring
(Optional) Configure Auditing on Malware Analysis Host
(Optional) Configure Hash Filter
(Optional) Configure Malware Analysis Proxy Settings
(Optional) Register for a ThreatGRID API Key
Additional Procedures for Configuring Malware Analysis
Create Custom Alert in CEF Format
Enable Custom YARA Content
Supported Antivirus Vendors
Malware Analysis References
Services Config View - General Tab
Services Config View - Indicators of Compromise Tab
Services Config View - IOC Summary Tab
Services Config View - Auditing Tab
Services Config View - Hash Tab
Services Config View - AV Tab
Services Config View - Proxy Tab
Services Config View - ThreatGRID Tab
Services Config View - Integration Tab
NetWitness Endpoint Configuration
NetWitness Endpoint Overview
Agent Modes
Endpoint Server Configuration
Deploy Endpoint Application Rules and ESA Correlation Rules
Setup Meta Forwarding to Log Decoder
Endpoint Sources
Create Groups and Policies
Manage Groups
Manage Policies
Change Policy Ordering for Groups
Configure Data Retention Policy
Manage Role Permissions at Endpoint Server Level
Manage Inactive Agents
Configure Retention Policy for Memory Dumps and MFT
(Optional) Installing and Configuring Relay Server
Endpoint YARA Rules
Configure OPSWAT
Integrate NetWitness Endpoint 4.4.0.2 or Later with NetWitness Endpoint 11.3
Endpoint References
General Tab
Data Retention Scheduler Tab
Packager Tab
Relay Server Tab
Endpoint Sources - Groups
Endpoint Sources - Policies
Troubleshooting
Appendices
Reset File Collection Bookmarks
Supported File Log Event Source Types
Specify UNC Paths
Respond Configuration for Incident Management
About this Document
NetWitness Respond Configuration Overview
Configuring NetWitness Respond
Step 1. Configure Alert Sources to Display Alerts in the Respond View
Step 2. Assign Respond View Permissions
Step 3. Enable and Create Incident Rules for Alerts
Additional Procedures for Respond Configuration
Set Up and Verify Default Incident Rules
Configure Risk Scoring Settings for Automated Incident Creation
Configure Custom Respond Server Alert Normalization
Configure Analyst UI for Respond Server Alert Normalization
Configure Incident Email Notification Settings
Set a Retention Period for Alerts and Incidents
Obfuscate Private Data
Manage Incidents in Archer Cyber Incident & Breach Response
Configure the Option to Send Incidents to Archer
Configure Threat Aware Authentication
Set a Counter for Matched Alerts and Incidents
Edit the Incident Rules Export ZIP File
Configure a Database for the Respond Server Service
Generic Bi-directional NetWitness Integration
NetWitness Respond Configuration Reference
Configure View
Incident Rules View
Incident Rule Details View
Incident Email Notification Settings View
Aggregation Rules Tab (11.0 and earlier)
New Rule tab (11.0 and earlier)
Reporting Configuration
How Reporting Engine Works
Configure Reporting Engine
Configure the Data Sources
(Optional) Add Workbench as Data Source to Reporting Engine
(Optional) Add Archiver as Data Source to Reporting Engine
(Optional) Integrate EndPoint Information Into Reports
(Optional) Add Collection as Data Source to Reporting Engine
Configure Data Privacy for Reporting Engine
Configure Data Source Permissions
Configure Reporting Engine Settings
Enable LDAP Authentication
Add Additional Space for Large Reports
Managing Log File Parameters
Configure Task Scheduler for a Reporting Engine
How to Define Reports, Charts, and Alerts
Configure Reporting Engine General Settings
Reporting Engine Reference
Reporting Engine General Tab
Reporting Engine Sources Tab
Reporting Engine Output Actions Tab
Reporting Engine Manage Logos Tab
Warehouse Connector Configuration
How Warehouse Connector Works
Install Warehouse Connector Service on a Log Decoder or Decoder
Configure a Warehouse Connector Service
Configure the Data Source for Warehouse Connector
Configure the Destination
Configure the Destination Using NFS
Configure the Destination Using SFTP
Configure the Destination Using WebHDFS
Configure a Stream
Monitor a Warehouse Connector
Add Warehouse as a Data Source to Reporting Engine
Analyze a Warehouse Report
View the Warehouse Connector Service
Troubleshoot the Warehouse Connector
Manage a Stream
Manage a Lockbox
Warehouse Connector Pre-Upgrade and Post-Upgrade Steps
Warehouse Connector Configuration References
General Tab Settings
Appliance Service Configuration Tab Settings
Sources and Destinations Configuration
Add Stream Dialog
Streams Configuration
Lockbox Settings
UEBA Configuration
UEBA Configuration Overview
UEBA Configuration
UEBA Configuration Troubleshooting
Service Configuration
Introduction
Admin-server Configuration
Analysis-server Configuration
Config-server Configuration
Content-server Configuration
Contexthub-server Configuration
Correlation-server Configuration
Endpoint-broker-server Configuration
Endpoint-server Configuration
Enrichment-server Configuration
Integration-server Configuration
Investigate-server Configuration
Launch-framework Configuration
License-server Configuration
Metrics-server Configuration
Node-infra-server Configuration
No-op-server Configuration
Orchestration-server Configuration
Relay-server Configuration
Respond-server Configuration
Security-server Configuration
Source-server Configuration
System Security and User Management
Set Up System Security
Configure Password Complexity
Change the Default Admin Passwords
Configure System-Level Security Settings
(Optional) Configure External Authentication
Configure Active Directory
Configure PAM Login Capability
(Optional) Configure PKI Authentication
(Optional) Use a Custom Server Certificate
(Optional) Create a Customized Login Banner
How Role-Based Access Control Works
Role Permissions
Manage Users with Roles and Permissions
Review the Preconfigured NetWitness Platform Roles
(Optional) Add a Role and Assign Permissions
Verify Query and Session Attributes per Role
Set Up Users
(Optional) Map User Roles to External Groups
Search for External Groups
Set Up Multi-Factor Authentication
Set Up Single Sign-On Authentication
Configure Single Sign-On
(Optional) Set Up Public Key Infrastructure (PKI) Authentication
Configure PKI Authentication
Import Server Certificate and Trusted CA Certificate
(Optional) Configure the CRL Manually
Enable PKI Authentication
Disable PKI
Delete Server Certificate and Trusted CA Certificate
Troubleshooting
References
Admin Security View
Users Tab
Add or Edit User Dialog
Roles Tab
Add or Edit Role Dialog
External Group Mapping Tab
Add Role Mapping Dialog
Search External Groups Dialog
Settings Tab
PKI Settings Tab
Login Banner Tab
Single Sign-On Settings Tab
Data Privacy Management
Data Privacy Overview
Recommended Configurations
Quick Start Procedures
Prepare to Configure Data Privacy
Configure the Recommended Data Privacy Solution
In-Depth Procedures
Configure Data Obfuscation
Configure Data Retention
Configure User Accounts for Use in Data Privacy
Data Privacy References
System Configuration
System Configuration Overview
Standard Procedures
Access System Settings
Configure the Customer Experience Improvement Program
Configure Notification Servers
Notification Servers Overview
Configure the Email Settings as Notification Server
Configure Script as a Notification Server
Configure the SNMP Settings as Notification Server
Configure a Syslog Notification Server
Configure Notification Outputs
Notification Outputs Overview
Configure Email as a Notification
Configure Script as a Notification
Configure SNMP as a Notification
Configure Syslog as a Notification
Configure Templates for Notifications
Configure Global Notification Templates
Define a Template for ESA Alert Notifications
Import and Export a Global NotificationsTemplate
Configure Email Server and Notification Account
Configure Global Audit Logging
Configure a Destination to Receive Global Audit Logs
Define a Template for Global Audit Logging
Define a Global Audit Logging Configuration
Verify Global Audit Logs
Configure Centralized Audit Logging
Configure Investigation Settings
Configure Live Services Settings
Live Feedback Overview
Upload Data to NetWitness
Configure Log File Settings
Configure Syslog and SNMP Settings
AdditionalProcedures
Configure Core Dump Retention
Configure Proxy for NetWitness Platform
Add Custom Context Menu Actions
Configure NTP Servers
Troubleshooting System Configuration
References
Global Audit Logging Configurations Panel
Add New Configuration Dialog
Supported CEF Meta Keys
Supported Global Audit Logging Meta Key Variables
Global Audit Logging Operation Reference
Local Audit Log Locations
Global Notifications Panel
Define Notification Server Dialogs
Define Notification Output Dialogs
Define Notification Template Dialog
Output Tab
Servers Tab
Templates Tab
HTTP Proxy Settings Panel
Email Configuration Panel
Investigation Configuration Panel
Live Services Configuration Panel
NTP Settings Panel
Context Menu Actions Panel
Legacy Notifications Configuration Panel
System Maintenance
Overview
Review Best Practices
Health and Wellness
Monitor Health and Wellness using NetWitness Platform UI
Manage Policies
Include the Default Email Subject Line
Monitor System Statistics
Filter System Statistics
Create Historical Graph of System Statistics
Monitor Service Statistics
Add Statistics to a Gauge or Chart
Edit Properties of Statistics Gauges
Edit Properties of Timeline Charts
Monitor Hosts and Services
Filter Hosts and Services in the Monitoring View
Monitor Host Details
Monitor Service Details
Monitor Event Sources
Configure Event Source Monitoring
Filter Event Sources
Create Historical Graph of Events Collected for an Event Source
Monitor Alarms
Monitor Health and Wellness Using SNMP Alerts
Troubleshooting Health & Wellness
Monitor using New Health and Wellness
Configuring Alert Notifications
Adding Alert Notifications
Suppressing Notifications
Monitoring through Dashboards
Creating Custom dashboard
Monitoring through Alerts
Creating Custom Monitors
Adding Custom Trigger to an Existing Monitor
Managing Dashboards and Alerts
Managing Alert Notifications
Advanced Configurations
Backup and Restore New Health and Wellness
Troubleshooting Health and Wellness
Appendices
New Health and Wellness Dashboards
New Health and Wellness Monitors
Uninstall New Health and Wellness
Manage NetWitness Platform Updates
Reissue Certificates
DisplaySystem and Service Logs
Access Reporting Engine Log File
Search and Export Historical Logs
Maintain Queries Using URL Integration
Manage the deploy_admin Account
NW Server Host Secondary IP Configuration Management
Change Host Network Configuration
Manage Custom Host Entries
Configure FIPS Support
Configure DISA STIG Hardening
Troubleshoot NetWitness Platform
Debugging Information
Error Notification
Miscellaneous Tips
Troubleshoot Feeds
Troubleshooting Cert-Reissue Command
References
Health and Wellness
Health and Wellness View - Alarms View
Event Source Monitoring View
Health and Wellness Historical Graphs
Historical Graph View for Events Collected from an Event Source
Historical Graph View for System Stats
Health and Wellness Settings View - Archiver
Health and Wellness Settings View - Event Sources
Health and Wellness Settings View - Warehouse Connector
Monitoring View
Archiver Details View
Broker Details View
Concentrator Details View
Decoder Details View
ESA Correlation Details View
ESA Analytics Details View
Host Details View
Log Collector Details View
Log Decoder Details View
Malware Details View
Warehouse Connector Details View
Policies View
Health and Wellness Email Templates
NetWitness Platform Out-of-the-Box Policies
System Stats Browser View
New Health and Wellness Settings
System View - System Info Panel
System Updates Panel - Settings View
System Logging - Settings View
System Logging - Realtime View
System Logging - Historical View
Disaster Recovery Tool
Disaster Recovery
Disaster Recovery Azure
Disater Recovery AWS
Investigate and Respond
NetWitness Investigation
How NetWitness Investigate Works
Configuring NetWitness Investigate Views and Preferences
Configure the Navigate View and Legacy Events View
Configure the Events View
Beginning an Investigation
Begin an Investigation in the Navigate or Legacy Events View
Begin an Investigation in the Events View
Refining the Results Set
Use Meta Groups to Focus on Relevant Meta Keys
Use Columns and Column Groups in the Events List
Use Saved Queries to Encapsulate Common Areas for Investigation
Drill into Metadata in the Events View
Filter Results in the Events View
Filter Results in the Navigate View
Filter Results in the Legacy Events View
Create a Query in the Navigate and Legacy Events Views
Search for Text Patterns in the Navigate and Legacy Events Views
View and Modify Queries Using URL Integration
Create a Future Alert from Events View
Generate Reports from Events View
Create Events Widget from Investigate View
Reconstructing and Analyzing Events
Examine Event Details in the Events View
Analyze Events in the Events View
Reconstruct an Event in the Legacy Events View
Look Up Additional Context for Results
Launch a Lookup of a Meta Key
Launch a Malware Analysis Scan from the Navigate View
Group Events from Split and Related Sessions in the Events and Legacy Events Views
Visualize Metadata as Parallel Coordinates
Visualize the Current Drill Point in Informer
Downloading and Acting Upon Results
Download Data in the Events View
Export or Print a Drill Point in the Navigate View
Export Events in the Legacy Events View
Add Events to an Incident in the Events View
Add Events to an Incident in the Legacy Events View
Troubleshooting Investigate
Investigate Reference Materials
Add Events to an Incident Dialog
Add/Remove from List Dialog
Column Groups Dialogs
Context Lookup Panel
Create an Incident Dialog
Events View
Events View - Email Tab
Events View - File Tab
Events View - Host Tab
Events View - Packet Tab
Events View - Text Tab
Investigate Dialog
Investigation Tab - User Preferences Panel
Investigate View
Legacy Event Reconstruction View
Legacy Events View
Manage Default Meta Keys Dialog
Meta Groups Dialogs
Navigate View
Query Dialog
Saved Queries Dialogs
Create Springboard Panel Dialog
Create Future Alert Dialog
Schedule Report Dialog from Events View
Create Chart Dialog from Events View
Timeline Settings Panel
Create Search Pattern Dialog
Settings Dialogs for Investigate Views
Malware Analysis
Malware Analysis Functions
Malware Scoring Modules
Conducting Malware Analysis
Begin a Malware Analysis Investigation
Implement Custom YARA Content
Examine Scan Files and Events in List Form
Configure the Malware Analysis Summary of Events View
Filter Dashlet Data in the Summary of Events View
Upload Files for Malware Analysis Scanning
View Detailed Malware Analysis of an Event
Malware Analysis Reference Materials
Malware Analysis View
Malware Analysis Events List and Files List
Scan For Malware Dialog
Select a Malware Analysis Service Dialog
NetWitness Endpoint Investigation
Introduction to Endpoint Investigation
Workflow of an Investigation
Investigate Files
Investigate Hosts
Standalone Scan on Air-gapped Windows Hosts
Investigate Process
Change File Status and Remediate
Analyze Downloaded Files
Perform Forensic Investigation
Analyze Events
Network Isolation
High Availability (Endpoint Recovery)
NetWitness Endpoint with Third-Party Antivirus Products
Troubleshooting NetWitness Endpoint
NetWitness Endpoint Reference Materials
Files View
Hosts View
Hosts View - Details Tab
Hosts View - Process Tab
Hosts View - Autoruns Tab
Hosts View - Files Tab
Hosts View - Drivers Tab
Hosts View - Libraries Tab
Hosts View - Anomalies Tab
Hosts View - Downloads Tab
Hosts View - System Information
Hosts View - Agent History Tab
Hosts View - YARA Rules Tab
User and Entity Based Analytics
Introduction
UEBA use Cases for Windows Logs
Investigate High-Risk Entities
Search for an Entity
Identify High-Risk Entities
Begin an Investigation of High-Risk Entities
Take Action on High-Risk Entities
Manage High-Risk Entities
View Contextual Information for Users
Investigate Top Alerts
Filter Alerts
Investigate Indicators
Manage Top Alerts
Modeled Behaviors for Users
View NetWitness UEBA Metrics in Health and Wellness
Monitor Health and Wellness of UEBA
Reference
Overview View Tab
Users Tab
Alerts Tab
User Profile View
Appendix: UEBA Windows Audit Policy
Respond to Incidents
NetWitness Respond Process
Responding to Incidents
Determine which Incidents Require Action
Investigate the Incident
Use MITRE ATT&CK® Framework
Generate Reports from Respond View
Escalate or Remediate the Incident
Incident Response Use Case Examples
Reviewing Alerts
Whitelist Alerts
Review Endpoint Alerts using Process Tree
ESA Primary Disaster Recovery
NetWitness Respond Reference Information
Incidents List View
Incident Details View
Alerts List View
Alert Details View
Tasks List View
Whitelists List View
Schedule Report Dialog from Respond View
Add/Remove From List Dialog
Context Lookup Panel - Respond View
Generate Reports
Reporting Overview
Configure and Generate a Report
Configure a Rule
Create and Schedule a Report
View a Report
Investigate a Report
Manage a List or Rule or Report
Working with Charts
Chart Overview
Configure a Chart
Schedule a Chart
View a Chart
Test a Chart
Investigate a Chart
Manage Chart Groups and Charts
Working with Alerts
Alert Overview
Configure Reporting Engine
Configure an Alert
Schedule an Alert
View an Alert
Investigate an Alert
Manage Alerts and Alert Templates
Appendix
Rule Syntax
Warehouse DB Simple Rules
Warehouse DB Advanced Rules
Task Scheduler for Warehouse Reporting
Query Aggregates
Troubleshoot Reporting
Reporting References
Build Chart View
Build List View
Build Report View
Build Rule View
Chart Permissions Dialog
Chart View
Execution History Panel
Generate List Dialog
Import Chart Dialog
Import Report Dialog
Investigate a Chart View
List Permissions Dialog
List View
Reports Permissions Dialog
Report View
Rule Permissions Dialog
Rule View
Select a Logo Dialog
Schedule a Chart View
Schedule Report Panel
Scheduled Reports View
Test a Chart View
View a Chart Panel
View All Charts Panel
View a Report Panel
View All Reports Panel
Alerting References
Alert List View
Alert Permissions Dialog
Alert Schedules View
Create or Modify Alert Panel
Investigate an Alert View
Import Alert Dialog
Template References
Alert Template View
Create or Modify Template View
View Alerts Schedule View
View Alerts View
Develop and Integrate
Archer Integration
Archer Integration
Configure NetWitness Suite to Work With Archer
Manage Unified Collector Framework
Troubleshoot Archer Integration
Endpoint Integration
Endpoint Integration
Configure Endpoint Alerts via Message Bus
Configure Contextual Data from Endpoint via Recurring Feed
Configure Endpoint Alerts via Syslog into a Log Decoder
RESTful API Guide
Intro
Usage
Enable
Packets
Parser/Feed Upload
Statistics Graph
SDK Commands
NetWitness Core Services API Guide
NetWitness API Guide
NetWitness Shell User Guide
shell
tree
NetWitness NwConsole Guide
Access NwConsole and Help
Basic Command Line Parameters and Editing
Connecting to a Service
Monitoring Stats
Useful Commands
SDK Content Command
SDK Content Command Examples
Commands Used for Troubleshooting
Service Level Objective and CVEs
Getting Help with NetWitness
Product Resources
Advisories
NetWitness Platform
Product Advisories
Security Advisories
Service Notifications
Technical Advisories
NetWitness Orchestrator
Product Advisories
Security Advisories
Service Notifications
Technical Advisories
Blog
Discussions
Documentation
NetWitness Platform
Cloud SIEM
Detect AI
Hardware Setup Guides
Investigator
Orchestrator
Threat Intelligence
Downloads
RSA NetWitness Platform
RSA NetWitness Investigator
RSA NetWitness Endpoint
Events
Ideas
Integrations
Knowledge Base
NetWitness Platform
NetWitness Endpoint 4.x
Training
Videos
Malware Analysis Configuration Guide for 11.7
Malware Analysis Configuration Guide for 11.7
Attachments
Labels
(4)
Labels:
Configuration
Documentation
PDF Documentation
Version 11.7
No ratings
On this page