This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Platform Online Documentation
Browse the official NetWitness Platform Online documentation for helpful tutorials, step-by-step instructions, and other valuable resources.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Versions
Collections
All Downloads

Table of Contents

Product Resources

What's New in 12.1.1.0 Release

12.1.1.0 Release Notes describe new features, enhancements, security fixes, upgrade paths, fixed issues, known issues, end-of-life functionality, build numbers, and self-help resources.

Enhancement: Policy-based Centralized Content Management (CCM)

The following enhancements are made for Policy-based Centralized Content Management in 12.1.1.0 version.

  • Administrator can clone Application Rules and Network Rules with a unique rule name and same rule value.

    IMPORTANT:
    - The Rule Name is the unique title of the rule, which is used as a reference to the rule within the Content Library.
    - The Rule Value is a string or text which is registered to a meta key when the rule is triggered with an "alert" output. It may be the same as the rule name, but it is not unique within the Content Library.

    1211_CloneRule_1222.png

  • Single CCM toggle is introduced to enable or disable CCM for all 12.0+ Decoders and Log Decoders at once. The toggle button is available via backend of source-server.

  • When you upgrade a Decoder or Log Decoder from 11.x, 12.0 or 12.1 version to 12.1.1 version, a backup of all the content is created automatically. Backup file will be available on Core Services' host under the following path: For Log Decoder - /var/netwitness/logdecoder/logdecoder_backupcontent_ccm.tar. For Network Decoder - /var/netwitness/decoder/decoder_backupcontent_ccm.tar

  • In 12.1 and later versions, you can only manage the ESA deployments and Data Sources through Centralized Content Management.

    Go to ConfigureIcon_12x10.png (CONFIGURE) > Policies > Content > Event Stream Analysis page to manage the ESA deployments and Data Sources.

    Refer the following screenshot.

    esa_deployments_policies.PNG

  • A new unified deployment view (ESA DEPLOYMENTS) tab is created to manage deployments from a single view across all policies within CCM.

    122_UnifiedESADeploymentView_1222_1917x1048.png

  • Navigation is made simple to edit policy wizard from the Edit deployment view > View rules.

    • The edit deployment screen will save the current state and close. The user will be redirected to the edit policy wizard on the new tab.

  • A new search option is created from the listed ESA rules in the View ESA rules modal in the edit and create deployment views.

  • Caution banners are created to convey the customer about the requirement of a deployment while creating ESA related policies.

  • After upgrading to 12.1 and later versions, you can only manage the ESA Rules in the ESA Rules page. Refer the following screenshot.

    esa_rules_tab_configure_1929x910.png

  • After upgrading to the 12.1.1.0 version, all the ESA deployments will be migrated to ConfigureIcon_14x12.png (CONFIGURE) > Policies page. Each deployment will be converted into a policy and group and will be available to manage only after the upgrade of the Correlation servers to the 12.1.x.x version. Make sure that you plan the upgrade process so that Correlation servers are upgraded immediately after the Admin Server is done. The deployments will not be accessible until the corresponding Correlation servers are upgraded. However, the correlation servers will still continue to process the Alerts and Events.

  • You must upgrade the ESA hosts immediately after upgrading the Admin Server.

    For more information on Centralized Content Management and managing the deployments, see Centralized Management Guide for 12.1.1.

Security Fixes

The following ciphers in the NetWitness Platform XDR are disabled and removed.

  • DHE-RSA-AES128-SHA

  • DHE-RSA-AES256-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-RSA-AES256-SHA

  • DHE-RSA-AES128-SHA256

  • DHE-RSA-AES256-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-RSA-AES256-SHA384

  • RSA-AES128-SHA256

  • RSA-AES128-SHA256(AES-GCM)

  • RSA-AES256-SHA384

  • AES128-SHA

  • AES256-SHA

  • RSA-AES128-SHA256(AES-CBC)

  • RSA-AES256-SHA256

IMPORTANT: If the communication between the external integrated devices and the NetWitness Platform XDR is interrupted, you must disable the use of the above ciphers on the external integrated devices.

Note: If you have the Export Connector plugin in your deployment, you must do the following:
- If you have Logstash installed separately, not as part of the NetWitness installation, you must uninstall the Export Connector plugin and install the updated Export Connector plugin after 12.1.1.0 patch upgrade. In this case, the old Export Connector plugin files are not automatically removed after upgrade. You must remove the old plugin files, so the scans do not list them as vulnerabilities. For more information on how to remove the old plugin files and install the updated plugins, see Post-Upgrade Tasks.
- If you have Logstash installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin will be automatically installed during the 12.1.1.0 patch upgrade.

For more information on the various vulnerabilities fixed in this release, see https://community.netwitness.com/t5/netwitness-platform-product/nw-2023-01-multiple-components-within-netwitness-platform/ta-p/694185.

Upgrade Paths

The following upgrade paths are supported for NetWitness 12.1.1.0:

  • NetWitness 11.6.x.x to 12.1.1.0
  • NetWitness 11.7.x.x to 12.1.1.0
  • NetWitness 12.0.x.0 to 12.1.1.0
  • NetWitness 12.1.0.0 to 12.1.1.0
  • NetWitness 12.1.0.1 to 12.1.1.0

Product Version Life Cycle for NetWitness Platform

For information about versions that reach End of Primary Support (EOPS), see Product Version Life Cycle for NetWitness Platform XDR.

Labels (2)
0 Likes
Was this article helpful? Yes No
No ratings

On this page

© 2022 RSA Security LLC or its affiliates. All rights reserved.