220.127.116.11 Release Notes describe new features, enhancements, security fixes, upgrade paths, fixed issues, known issues, end-of-life functionality, build numbers, and self-help resources.
Enhancement: Policy-based Centralized Content Management (CCM)
The following enhancements are made for Policy-based Centralized Content Management in 18.104.22.168 version.
Administrator can clone Application Rules and Network Rules with a unique rule name and same rule value.
- The Rule Name is the unique title of the rule, which is used as a reference to the rule within the Content Library.
- The Rule Value is a string or text which is registered to a meta key when the rule is triggered with an "alert" output. It may be the same as the rule name, but it is not unique within the Content Library.
Single CCM toggle is introduced to enable or disable CCM for all 12.0+ Decoders and Log Decoders at once. The toggle button is available via backend of source-server.
When you upgrade a Decoder or Log Decoder from 11.x, 12.0 or 12.1 version to 12.1.1 version, a backup of all the content is created automatically. Backup file will be available on Core Services' host under the following path: For Log Decoder - /var/netwitness/logdecoder/logdecoder_backupcontent_ccm.tar. For Network Decoder - /var/netwitness/decoder/decoder_backupcontent_ccm.tar
In 12.1 and later versions, you can only manage the ESA deployments and Data Sources through Centralized Content Management.
Go to (CONFIGURE) > Policies > Content > Event Stream Analysis page to manage the ESA deployments and Data Sources.
Refer the following screenshot.
A new unified deployment view (ESA DEPLOYMENTS) tab is created to manage deployments from a single view across all policies within CCM.
Navigation is made simple to edit policy wizard from the Edit deployment view > View rules.
A new search option is created from the listed ESA rules in the View ESA rules modal in the edit and create deployment views.
Caution banners are created to convey the customer about the requirement of a deployment while creating ESA related policies.
After upgrading to 12.1 and later versions, you can only manage the ESA Rules in the ESA Rules page. Refer the following screenshot.
After upgrading to the 22.214.171.124 version, all the ESA deployments will be migrated to (CONFIGURE) > Policies page. Each deployment will be converted into a policy and group and will be available to manage only after the upgrade of the Correlation servers to the 12.1.x.x version. Make sure that you plan the upgrade process so that Correlation servers are upgraded immediately after the Admin Server is done. The deployments will not be accessible until the corresponding Correlation servers are upgraded. However, the correlation servers will still continue to process the Alerts and Events.
You must upgrade the ESA hosts immediately after upgrading the Admin Server.
For more information on Centralized Content Management and managing the deployments, see Centralized Management Guide for 12.1.1.
The following ciphers in the NetWitness Platform XDR are disabled and removed.
IMPORTANT: If the communication between the external integrated devices and the NetWitness Platform XDR is interrupted, you must disable the use of the above ciphers on the external integrated devices.
Note: If you have the Export Connector plugin in your deployment, you must do the following:
- If you have Logstash installed separately, not as part of the NetWitness installation, you must uninstall the Export Connector plugin and install the updated Export Connector plugin after 126.96.36.199 patch upgrade. In this case, the old Export Connector plugin files are not automatically removed after upgrade. You must remove the old plugin files, so the scans do not list them as vulnerabilities. For more information on how to remove the old plugin files and install the updated plugins, see Post-Upgrade Tasks.
- If you have Logstash installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin will be automatically installed during the 188.8.131.52 patch upgrade.
For more information on the various vulnerabilities fixed in this release, see https://community.netwitness.com/t5/netwitness-platform-product/nw-2023-01-multiple-components-within-netwitness-platform/ta-p/694185.
The following upgrade paths are supported for NetWitness 184.108.40.206:
- NetWitness 11.6.x.x to 220.127.116.11
- NetWitness 11.7.x.x to 18.104.22.168
- NetWitness 12.0.x.0 to 22.214.171.124
- NetWitness 126.96.36.199 to 188.8.131.52
- NetWitness 184.108.40.206 to 220.127.116.11
Product Version Life Cycle for NetWitness Platform
For information about versions that reach End of Primary Support (EOPS), see Product Version Life Cycle for NetWitness Platform XDR.