What's New in 12.2.0.0 Release

NetWitness Platform Online Documentation

Browse the official NetWitness Platform Online documentation for helpful tutorials, step-by-step instructions, and other valuable resources.

Options

Subscribe to RSS Feed

Bookmark

Subscribe

Printer Friendly Page

Report Inappropriate Content

Versions

Collections

All Downloads

What's New in 12.2.0.0 Release

The NetWitness 12.2.0.0 Release Notes describe new features, enhancements, security fixes, upgrade paths, fixed issues, known issues, end-of-life functionality, build numbers, and self-help resources.

Enhancements

The following sections are a complete list and description of enhancements to specific capabilities:

Policy-based Centralized Content Management
Respond
Core Database Tuning
Endpoint Enhancements
Concentrator, Decoder, and Log Decoder Services
Integration

To locate the documents that are referred to in this section, see https://community.netwitness.com/t5/netwitness-platform-online/netwitness-platform-all-documents/ta-p/676246.

The Product Documentation section has links to the documentation for this release.

Policy-based Centralized Content Management

The following enhancements are made for Policy-based Centralized Content Management in 12.2.0.0 version:

In order to enable the administrator to choose when to enable CCM, a single CCM toggle is introduced in the UI to enable or disable CCM for all 12.0 and later versions of Decoder Services. The toggle is available on the Content page and the toggle can be used to enable or disable CCM for all eligible Core Services at once. The CCM toggle has three states:
- State1: None of the Decoder Services are managed by CCM
  
  This is the default status. The default status is applicable only:
  - If customers are upgrading from 11.x to 12.2 version
  - If customers have turned off the feature in previous versions
- State 2: All Decoder Services are managed by CCM
- State 3: Some Decoder Services are managed by CCM
  
  State1: None of the Decoder Services are managed by CCM
  
  State 2: All Decoder Services are managed by CCM
  
  State 3: Some Decoder Services are managed by CCM
The administrator can edit the rule value while editing or cloning the Application Rule or Network Rule.
During policy creation or modification, the administrator can create a new group and assign it to the policy if there are no unassigned groups available for the policy.
For a policy, the administrator can subscribe to multiple content at once. This feature is available from 12.1.0.0 version or later.
During policy creation, the administrator can add all content to the policy based on the resource type.
For a policy failed status, a caution icon message banner is displayed in the Policies view and Groups view, indicating that the policy status failed for multiple reasons. Administrator can now see the policy overview section in the UI to find the failure reason and the workaround.

Added + Add New Datasource option to add data sources in Create Deployment view and Edit Deployment view. Administrator can now add new data sources from the Create Deployment view, and Edit Deployment view when the required data source is unavailable.

For more information on the enhancements, see Policy-based Centralized Content Management Guide.

Respond

The following enhancements are made for Respond component in 12.2.0.0 version:

Introduced new pagination settings for the Incidents list view and Alerts list view. Administrator can now see all the available incidents with this feature and do the pagination settings for the following:
- Navigate through required page numbers.
- Set the incidents per page as per the options available.

For more information, see Incidents List View and Alerts List View topics in NetWitness Respond User Guide.

Introduced new Syslog Notification Settings.
- Administrators can now configure syslog alerts for new incidents added to the incidents queue. In addition, a new template field is added with Default Respond SMTP Template. Administrators can now select the pre-configured custom syslog notification template to configure the respond OOTB template available under global notification settings or write a custom respond template.

Enhanced Email Notification Settings.
- A new template field is added in the Email Notification Settings with Default Respond SMTP Template. Administrator can now select the pre-configured custom email notification template to configure the respond OOTB template available under global notification settings or write a custom respond template.

For more information, see Configure Incident Notification Settings topic in the NetWitness Respond Configuration Guide.

Endpoint Enhancements

The following section describes the new enhancements for Endpoint component:

Hosts View Enhancements

The Hosts view is enhanced to help analysts get an accurate number of Hosts and the list of Windows, Mac, and Linux machines on which the suspicious Autoruns are configured.

To optimize the view for analysts, a few columns in the Hosts > Autoruns view such as Global Risk Score, Local Risk Score, Reputation, File Status, Downloaded, File Creation Time, and Signature are removed.

The columns such as Registry Path, Filename, File Path, On Hosts, Type, and Launch Arguments are re-arranged in the following order:

Registry Path
On Hosts
Type
Launch Arguments
Filename
File Path

For more information, see the Hosts View - Autoruns Tab topic in the NetWitness Endpoint User Guide.

Advanced Linux Agent - Process Event Tracking Enhancement

Linux Agent - Process Event Tracking is introduced to help analysts view the createprocess activities. Analysts can view and monitor process events to detect threats on Linux machines.

For more information, see Introduction to Endpoint Investigation topic in the NetWitness Endpoint User Guide.

REST API Enhancements

New REST API's such as Host Tag Management and Reset Risk Score are added to help you access them while plugging into your custom deployments.

For more information, see NetWitness API Guide.

Supported Operating Systems Enhancements

Administrators have the option to deploy Endpoint agents on the following Operating Systems:
- macOS Ventura (13)
- Windows 11 (version 22H2)
For more information, see Introduction to Endpoint Agent Installation topic in the NetWitness Endpoint Agent Installation Guide.

Core Database Tuning

Introduced a new index config threshold slice.memory.max. When the index slice memory usage exceeds the threshold, an index save will save the index to disk, keeping the index memory usage in control. With this new setting, administrators can freely enable indexing all unique meta values on the meta keys they choose.

For more information, see the Index All Values topic in the NetWitness Core Database Tuning Guide.

Concentrator, Decoder, and Log Decoder Services

HTTP2 parser now supports demultiplex interleaved streams and extracts the application payload for detections in other parsers looking at tokens in the payload. This also benefits analysts to reconstruct HTTP/2 sessions, download them as PCAPs, and extract data from the compressed payloads.

For more information, see the Visibility into HTTP/2 Sessions topic in the NetWitness Decoder Configuration Guide.
Introduced the following Logstash event sources to collect logs from different event sources.
- HTTP Receiver
- IPFIX
- Kubernetes
For more information, see the Configure Logstash Event Sources topic in the NetWitness Log Collection Guide.

Integration

NetWitness Platform XDR supports the integration of the following parser services to collect logs. These services are supported on NetWitness Platform XDR 11.7.0.0 or later.

Zscaler ZIA
Zscaler ZPA
OPSWAT Meta Access Cloud
Symantec Endpoint Security Events
Symantec Endpoint Security Incidents
S3 Universal Connector support for access logs from Application Load Balancer (ALB).

For more information on integrating the parser services, see NetWitness Platform Integrations Guide.

Security Fixes

For more information on Security Fixes, see https://community.netwitness.com/t5/netwitness-platform-advisories/ct-p/netwitness-advisories#security.

Upgrade Paths

The following upgrade paths are supported for NetWitness 12.2.0.0

NetWitness 12.1.1.0 to 12.2.0.0
NetWitness 12.1.0.1 to 12.2.0.0
NetWitness 12.1.0.0 to 12.2.0.0
NetWitness 12.0.0.0 to 12.2.0.0
NetWitness 11.7.2.0 to 12.2.0.0
NetWitness 11.7.1.2 to 12.2.0.0
NetWitness 11.7.1.1 to 12.2.0.0
NetWitness 11.7.1.0 to 12.2.0.0
NetWitness 11.7.0.2 to 12.2.0.0
NetWitness 11.7.0.1 to 12.2.0.0
NetWitness 11.7.0.0 to 12.2.0.0

NetWitness 11.6.x.x to 12.2.0.0

For more information on upgrading to 12.2.0.0, see Upgrade Guide for NetWitness 12.2.0.0

Before upgrading the UEBA host to 12.2.0.0, you must perform the backup of your Elasticsearch data such as Users, Entities, Alerts, and Indicators to retain them post upgrade. For more information, see NetWitness UEBA Configuration Guide for 12.2.0.0.

Product Version Life Cycle for NetWitness Platform

See for Product Version Life Cycle for NetWitness Platform a list of versions that reach End of Primary Support (EOPS).

NetWitness Community

Table of Contents

Product Resources