NetWitness Community

1 Like

The NetWitness 12.3.0.0 Release Notes describe new features, enhancements, security fixes, upgrade paths, fixed issues, known issues, end-of-life functionality, build numbers, and self-help resources.

(view in My Videos)

Enhancements

The following sections are a complete list and description of enhancements to specific capabilities:

Policy-based Centralized Content Management (CCM)
Investigate
Context Hub
Insight
SASE Capability
Springboard
Respond
Endpoint Enhancements
User and Entity Behavior Analytics
Concentrator, Decoder, and Log Decoder Services
Log Integrations
Security
Platform

To locate the documents that are referred to in this section, see https://community.netwitness.com/t5/netwitness-platform-online/netwitness-platform-all-documents/ta-p/676246.

The Product Documentation section has links to the documentation for this release.

Policy-based Centralized Content Management (CCM)

The following enhancements are made for Policy-based Centralized Content Management in 12.3.0.0 version:

Addition of Services Tab in Content Panel

NetWitness has introduced the Services tab to view and manage the 12.3 and above services. The dedicated Services List page lists all Decoder and Log Decoder services available in the 12.3+ version. From this page, you can initiate migration, view the content of each service after migration, and conveniently enable or disable CCM for individual services.

To go to Services tab, click (CONFIGURE) > Policies > Content > Services.
Once you click the Services tab:
- You can view the list of services. By default, 15 services are displayed per page. you can go to the next page by clicking . You can also directly go to the last page by clicking .
- You can filter the services based on various parameters by clicking .
- You can click a service to view the details of the service.
- You can automatically migrate content from selected services to CCM Content Library. This feature simplifies the process and saves time by eliminating the need for manual content migration. To migrated content, select the service(s) and click Migrate Content.
  
  In this UI, you can migrate Application Rules, Network Rules, LUA Parser, Live Feeds and Live Log Devices. You can continue to manage Custom Feeds and Log Parser Rules from Legacy Custom Feeds UI and Log Parser Rules UI.
- During the migration process, you can create default policy and group for each service selected for migration. Once the migration process is complete, the policy and group will be listed under Policy Listing page and Group Listing page.
  
  The policy and group which is created for the service will be in 'Unpublished' state and it can be published only after it is reviewed. In the Policy Listing page, the Publish button for such a policy will be disabled. The policy can be published only after reviewing it either from Policy Details page or Edit Policy Page.
  
  While publishing a policy, the content deployed from the policy is merged with the content present in the service. This ensures that duplicate content is overwritten, and unique content present in the service is retained, avoiding unnecessary redundancy and data loss.
- If the migration process is successful and the policy is created successfully for the selected service, you can view the details of the policy. To view the policy details, click policy name under the Policies column in Services List page.
- If the migration process is successful, you can view the details of the migrated content. To view the migrated content details, click View Content hyperlink under the Action column in Services List page.
- You can search the migrated content based on various parameters.
  
  - For Application Rule and Network Rule, the search is based on Rule Name and Rule Value.
  - For Feeds, Log Device and LUA Parser, the search is based on the Name.
- If the migration has failed due to some reason, then you can view the logs. To view the logs, click View Error Log hyperlink under the Action column in Services List page.
- Even if only some content from a service is migrated to Content Library, NetWitness has also provided you an option to create policy and group for such a service. To create policy and group for such partially migrated service, click View Error Log -> View Migrated Content -> Create Policy and Group.
- You can enable or disable CCM for individual Decoder Service. To enable or disable CCM, select the service and click Manage Service Content.
  
  For more information, see the Manage Services in the see Policy-based Centralized Content Management Guide.

Application and Network Rule Enhancements

NetWitness has enhanced the Application and Network Rules to help administrators manage the rules efficiently by adding the following improvements:

Under Session Options, the option Alert on is renamed to Flag session with rule name in meta key in the Application Rule tab. With this enhancement, administrators can now select a custom meta key from the drop-down, and a meta value corresponding to the rule name will be generated when the session metadata matches the rule.
Administrators can now select the Notify option to trigger alert generation and choose the Severity level while creating or modifying the Application Rules. The severity levels are Critical, High, Medium, and Low.

Under Session Options, the option Alert on is renamed to Flag session with rule name in meta key alert in the Network Rule tab.

For more information, see the Create an Application Rule and Create a Network Rule topics in the Policy-based Centralized Content Management Guide.

Deployment Statistics

Introducing the new enhanced statistics feature Deployment Stats which provides users with comprehensive insights into the performance and status of their deployments.

The old legacy Services tab has been deprecated, making the CCM the primary location for accessing and managing statistics.

- The statistics associated with engines, rules, and alerts have been moved to the new Centralized Content Management (CCM) pages as part of the ongoing migration.

DeploymentStats_12.3.png

Users can easily access and analyze deployment statistics, including engine, rule, and alert metrics, to monitor the effectiveness and efficiency of their configurations.

The ability to enable and disable rules at the runtime of the engine provides greater flexibility and control over rule execution.
Users can now view the timestamp indicating when the statistics were last fetched, ensuring the accuracy and relevance of the displayed information.
On-demand stats fetching allows users to retrieve the latest statistics anytime, keeping them updated with the system's performance.
In addition to the existing statistics, users can now view individual data source statistics for each engine, enabling a more granular analysis of data source performance.

Create and Edit ESA Rules from CCM (Redirection to ESA Rules Tab)

Introduced a new redirection feature, The ESA rule creation, and editing features have been seamlessly integrated into the existing CCM design, providing a consistent experience and optimizing usability.

Users can now create and edit ESA rules within the streamlined workflow making necessary modifications to rules minimizing the clicks redirecting to the ESA Rules Tab, ensuring a smoother experience.

Endpoint Rule Management

Users can now enable or disable endpoint rules per deployment, allowing them to tailor rule execution to specific deployment requirements.

Fast Deployment Support

Fast Deploy is supported, which allows users to expedite the deployment process for compatible configurations, saving time and effort.

FastDeploy12.3.png

Deployment Updates, Indicators and Notifications

Users can easily track updates made to deployments, with a clear indicator signaling the presence of updates.

Stay informed and effortlessly monitor the status and progress of your deployments.

Users will be notified if another user is currently editing a deployment, preventing conflicts and ensuring smooth collaboration.

Notifications and severity configurations for rules in a deployment can be easily viewed, enabling users to stay informed about rule behavior and potential security threats.

For more information on the enhancements, see Policy-based Centralized Content Management Guide.

Investigate

The following section describes the new enhancements for the Investigate component:

NetWitness enhancements in the Investigate > Events view provide increased flexibility and improved investigative workflow. These enhancements empower analysts to complete investigations and increase efficiency of administrators.

Select Query Results Panel Layout

The Query Builder allows you to select the Query Results panel layout before executing the query.

For example, if you select, Show: Meta and Events option from the dropdown menu, the query results are by default displayed in two separate panels, i.e., Meta and Events.

For more information, see Access the Events View topic in the NetWitness Investigate User Guide.

Timeline Enhancements

The enhanced Timeline displays activity for the specified service and time range as a bar chart. This allows analysts to detect significant spikes that could indicate anomalies. Using the visual representation, analysts can conduct a more detailed investigation of the events that occurred during that specific period.

With the enhanced timeline, analyst can now expand the timeline, zoom into the interested zone in the timeline, change the axis settings, or reset the query to the original requested form.

12.3_Timeline.png

For more information, see Timeline topic in the NetWitness Investigate User Guide.

Introducing Advanced Query Bar

NetWitness introduces the new Advanced Query Bar under Investigate > Events panel to provide a seamless experience to the users while they write queries. Advanced Query Bar provides a search bar with the ability to accept a query construction in text form just like an Integrated Development Environment (IDE), instead of the pill-based entry of Guided Mode. Advanced Query Bar provides following benefits:

Syntax or error highlighting: The syntax of each query is validated and a red outline marks invalid filters.
Auto suggestions: Suggestions such as meta key, an alias for medium, an operator in a drop-down list to help in query construction.
Recent queries: Displays recent queries.

Create Future Alert using Events Query

During the investigation, administrators and analysts can now create an application rule for any suspicious activity from the Investigate > Events view. You can create application rules with a flexible query that covers a wide set of events and system information from your network, including suspected breach activities and misconfigured servers. Once the rule is applied to a matched policy with Decoder services, it generates alerts whenever a match occurs and helps analysts to triage, investigate, and respond to threats.

For more information, see the Create a Future Alert from Events View topic in the NetWitness Investigate User Guide.

Generate Custom Reports from Investigate Events View

NetWitness Investigate Events view has been enhanced with integrated reporting capabilities enabling increased flexibility and streamlined workflow. Administrators and analysts can now convert their investigation queries into adhoc and schedule reports seamlessly from the Investigate > Events view. This eliminates the need to switch back to the reporting pages and reconfigure queries, saving time and effort.

The following are the key benefits of generating reports from the Events view:

Quickly configure and generate the reports.
Share generated reports directly with administrators or other analysts by configuring email IDs, facilitating efficient communication and collaboration.
Report generation now adopts preconfigured settings by default, reducing the need for manual configuration and accelerating the reporting process.
Generated reports can be used to monitor security incidents and malware activity.
Set up scheduled reports to run at regular intervals and trigger an email with events each time they run.

For more information, see the Generate Reports from Events View topic in the NetWitness Investigate User Guide.

Search Meta Information Quickly from Events Meta Panel

Analysts can now search for meta keys and meta values quickly from the Events Meta panel using the newly added Filter option. This enhancement allows analysts to refine their search results by entering specific meta values or keys and the results are highlighted with blue indicator and helps analysts to investigate seamlessly rather than scrolling through a long list of metadata.

For more information, see the Filter Meta Information using Events Meta Panel topic in the NetWitness Investigate User Guide.

Support for VirusTotal Hashes Lookup from Events View

NetWitness now includes files and file hashes VirusTotal Lookup capabilities from the Investigate > Events view. With this enhancement, analysts can perform a VirusTotal Lookup on files with file hashes (MD5, SHA1, and SHA256) to get more information about the file, which automatically redirects them to VirusTotal's website. Once the hashes match VirusTotal's recognized types, they undergo a malware scan. The results are returned to determine if a file is malicious or not. This enhancement makes it easier for analysts to identify viruses, malware, and other malicious files with VirusTotal Lookup and helps them to perform investigation more effectively.

For more information, see Launch a VirusTotal Lookup for a File and Perform Lookups of Meta Values in Events topics in the NetWitness Investigate User Guide.

Introducing Meta Settings Panel

NetWitness introduces the new Meta Settings panel under the Investigate > Events > Events Meta view to allow analysts to configure the number of sessions required for the specific meta key value within the Events view. This enhancement provides analysts with the following configuration options:

Max Threshold Value: This option allows analysts to set the maximum number of sessions that are loaded for a meta key value in the Events panel. If you set a higher threshold, you will get more accurate counts, but it will take longer to load the data. The Max Threshold Value should be between 1 - 2147483647. The default value is 100,000.

Max Value Results: This option allows analysts to set the maximum number of values to load in the Events view when the Max Results option is selected in the Meta Key Menu for an open Meta Key. The Max Value Results should be between 100-100000. The default value is 1000.

Max Meta Value Characters: This option allows analysts to set the maximum number of characters in a meta value name displayed in the Events Meta panel. The Max Meta Value Characters should be between 60-512. The default value is 60.

These new configuration options give analysts more control over how metadata is displayed and loaded in the Events view. This helps analysts to perform the investigation more efficiently.

For more information, see Configure Events View Meta Value Loading Parameters topic in the NetWitness Investigate User Guide.

Render Threads Setting for Events Meta Value

NetWitness now allows analysts to set the Render Threads value under the System > Investigation > Events tab > Render Threads Setting. This setting controls the number of concurrent meta key values that are loaded by the user in the Events Meta panel. By increasing the number of render threads, the meta values within the Events Meta panel are loaded concurrently. The Render Threads value should be between 1-8. The default value is 2.

For more information, see the Configure Events View Settings topic in the System Configuration Guide.

Enhanced Query Console

The Query Console has been enhanced to help the analysts with query construction on the Investigate > Events view. Analysts can now quickly view the Query Examples, Current Query, or Recent Queries on the Query Console directly.

For more information, see Query Console topic in the NetWitness Investigate User Guide.

Context Hub

The following section describes the new enhancements for Context Hub component:

Additional Data for Context Lookup Lists Panel

Administrators can now configure additional data of interest from the lists on the Context Hub Lists page. These additional details from the lists are reflected in the Context Lookup Lists panel when you view the context for an event on the Events or Respond view. This helps analysts with better visibility for further analysis and investigation.

For more information, see the Manage Meta values for Context Hub Lists topic in the Context Hub Configuration Guide.

New Permission at the Users Level for Context Lookup

NetWitness introduces a new permission named contexthub-server.contextlookup.read for Context Lookup. This permission is enabled only for administrators, analysts, malware analysts, SOC managers, and Respond administrators. With this enhancement, administrators can now assign role permissions that prevent users from viewing context enrichment that is not relevant to them or performing the Add/Remove from List actions. Additionally, this can prevent unauthorized users from accessing sensitive information.

For more information, see Role Permissions topic in the System Security and User Management Guide.

REST API Data Source Enhancements

Administrators can now view the data for Responsive Preview under the Meta and Field Mapping and perform Field mapping operations for REST API data sources with or without authentication. This enhancement helps administrators to avoid reconfiguring the REST API data source and saves time.

For more information, see Configure REST API as a Data Source topic in the Context Hub Configuration Guide.

Insight

Introducing NetWitness Insight

NetWitness Insight is a SaaS solution available as an extension for a NetWitness Network, Detection & Response (NDR) customer. NetWitness Insight is an advanced analytics solution that leverages unsupervised machine learning to empower the response of the Security Operations Center (SOC) team. NetWitness Insight continuously examines network data collected by the Decoder to discover, profile, categorize, characterize, prioritize, and track all assets. NetWitness Insight identifies the assets in the enterprise to alert analysts of their presence. The discovered assets are automatically categorized into groups of similar servers and prioritized based on their network profiles. These assets are presented to analysts in a Springboard panel to guide them to focus on certain assets to protect their organization. Contextual information about the asset is available anywhere analysts interact with IP addresses in Respond and Investigate workflows. Incidents and alerts can be created based on asset changes.

For more information, see the NetWitness Insight section in the NetWitness Documentation Portal.

SASE Capability

Available in preview mode, this new integration with major SASE vendors provides further network visibility for NetWitness Network (NDR) customers. Previously limited to logs, these integrations deliver original network traffic to NetWitness, providing analysts with deep network visibility and detection for SASE remote communications. Please contact your account representative to get a preview.

Springboard

The following section describes the new enhancements for the Springboard component:

Improved Color Visualization for Springboard Panels

NetWitness Springboard now allows analysts to choose from a variety of color palettes when creating or editing panels using the new Visualization Color Theme option. This enhancement gives analysts more control over the appearance of their panels, making them more visually appealing and easier to understand. As a result, analysts can visualize the data better and perform analysis and investigations more efficiently.

For more information, see Managing the Springboard topic in the NetWitness Getting Started Guide.

Respond

NetWitness latest enhancements to reporting capabilities in Respond view provide users with increased flexibility and streamlined workflows. These improvements address the challenges you face during investigation and reporting. The following enhancements are made to the Respond component.

Respond Reporting Enhancements

With the new upgrades to Respond reporting, administrators and analysts can efficiently capture, analyze, and share their findings with management, resulting in enhanced reporting experience within NetWitness.

respond_report_12.3.png

Integrated reporting capabilities into the events and respond views allow administrators and analysts to seamlessly tie their investigations to reports to capture and report their findings to the management.
Users can review incidents and alerts within the Respond view and generate comprehensive reports directly from the interface. Analysts and administrators can document their analysis and share detailed reports with stakeholders.
Reports generated from the Respond view now leverage the powerful filtering capabilities available within Respond, ensuring that the reports accurately reflect the specific incidents or alerts reviewed.
Introduced a simplified workflow driven by customizable templates, this feature eliminates the complexity of the current reporting workflow and reduces the input required from analysts and administrators.
Report creation now defaults to preconfigured settings, minimizing the need for manual configuration and expediting the reporting process.
Analysts can now email the generated reports directly to administrators or other analysts, facilitating efficient communication and collaboration.

For more information, see the Generate Reports from Respond View topic in the NetWitness Respond User Guide.

Respond Server Support for Core Alerts and Insight Alerts

The Respond Server support for NetWitness Core Alerts and NetWitness Insight Alerts update improves your security by helping you detect and respond to incidents more effectively. This includes improvements that make managing and analyzing core and insight alerts within the NetWitness platform easier.

Normalisation Support: We have added support for normalizing these alerts, enabling the detection of suspicious logs and network traffic patterns. This enhancement helps you proactively identify potential security threats and take swift action.

Filtering Support: Improved the filtering on alerts, providing a more detailed and comprehensive view empowering you to make faster and more informed decisions.

OOTB Incident Aggregation Rule for Core Alerts and Insight Alerts:To simplify incident response, we have included an Out-of-the-Box (OOTB) incident aggregation rule specifically designed for core alerts and insight alerts. This rule automates grouping related core alerts and insight alerts into a single incident, streamlining your incident management process and saving valuable time.

For more information, see the Respond Server Support topic in the NetWitness Respond User Guide.

Alerts View Enhancements

The Respond > Alerts view is enhanced with the Whitelist Alert feature to help administrators and analysts whitelist the non-suspicious Endpoint alerts. You can select the entities such as File, User, and Host and define the Whitelist condition to avoid triggering of the unwanted alerts for the required entities.

For more information, see Whitelist Endpoint Alerts topic in the NetWitness Respond User Guide.

Respond View Enhancements

The new Whitelists tab added in the Respond view enables you to view and manage the Endpoint Whitelists created after whitelisting the non-suspicious Endpoint alerts.

For more information, see Whitelist Endpoint Alerts topic in the NetWitness Respond User Guide.

Endpoint Enhancements

The following section describes the new enhancements for Endpoint component:

Files View Enhancements

The Files view is enhanced to help administrators and analysts block the new file hashes and manage the existing blocked file hashes. You can block up to a maximum of 50,000 file hashes using this feature.

123_Blocked File Hashes_highlighted.png

For more information, see Manage Blocked File Hashes topic in the NetWitness Endpoint User Guide.

Hosts View Enhancements

The Hosts view is enhanced with the Remote Shell feature to help administrators and analysts access the remote agents and perform remediation actions during investigation. You can execute the commands only in the quiet mode.

For more information, see Remote Shell topic in the NetWitness Endpoint User Guide.

Advanced Linux Agent - File Event Tracking Enhancement

Linux Agent - File Event Tracking is introduced to help analysts view the file related activities by an executable, such as writetoexecutable. Analysts can view and monitor file events to detect threats on Linux machines.

For more information, see Introduction to Endpoint Investigation topic in the NetWitness Endpoint User Guide.

File Log Collection Enhancement

NetWitness Platform supports collection of MicrosoftIIS logs. You can select MicrosoftIIS from the Log File Type drop-down list in (Admin) > Endpoint Sources > Policies > Define File Policy Settings to collect and monitor MicrosoftIIS file logs. For more information, see Appendices topic in the NetWitness Endpoint Configuration Guide.

User and Entity Behavior Analytics

The following section describes the new enhancements for UEBA component:

Enhanced Configuration Support for Multiple UEBA Servers

NetWitness introduces the ability to deploy multiple UEBA servers in your environment, providing increased flexibility and control. With this enhancement, administrators can distribute the UEBA server deployment across dedicated servers, such as one server for Logs and Endpoint data and another for Network (TLS) data. This data segregation ensures that each server can focus on its designated data type, resulting in faster and more streamlined processing. With the data segregation, analysts can now select the specific data type using the drop-down option provided for Multiple UEBA servers. This feature helps analysts to focus on the relevant users, network entities, and alerts associated with each UEBA server.

For more information, see the Configure Multiple UEBA Servers topic in the NetWitness UEBA Configuration Guide.

Introducing Contextual Information for Users

Analysts can now view contextual information about users on the NetWitness Users page. This enhancement enables analysts to make better decisions and take appropriate actions. A single place contains contextual information about users to help analysts identify and prioritize areas of investigation. The Context Highlights panel enables analysts to view contextual information for selected users, including total Respond alerts and incidents associated with them. Moreover, analysts can also switch to the Investigate view for a deeper look at users for focused analysis and investigation.

For more information, see the View Contextual Information for Users topic in the NetWitness UEBA Users Guide.

UEBA Performance Improvement

NetWitness UEBA (On-premises) has been enhanced to improve the performance of its data processing capabilities by updating the adaptor task and effectively allocating available free memory on UEBA services. This results in faster processing time and better performance for all UEBA tasks.

Concentrator, Decoder, and Log Decoder Services

Application Rule Enhancements

NetWitness has enhanced the Application Rules to help administrators manage the rules efficiently by adding the following improvements:

Under Session Options, the option Alert on is renamed to Flag session with rule name in meta key in the Application Rule tab. With this enhancement, administrators can now select a custom meta key from the drop-down, and a meta value corresponding to the rule name will be generated when the session metadata matches the rule.
Administrators can now select the Notify option to trigger alert generation and choose the Severity level while creating or modifying the Application Rules. The severity levels are Critical, High, Medium, and Low.

For more information, see the Configure Application Rules topic in the Decoder and Log Decoder Configuration Guide.

Logstash Event Sources

Introducing NetWitness JDBC Logstash Input plugin support to collect logs from the following databases.

Oracle 11g, 12c, 18c, and 19c
IBMDB2

You can also use Custom Typespec to collect logs from databases that are not supported out of the box.

For more information, see the Configure Logstash Event Sources topic in the NetWitness Log Collection Guide.

Log Integrations

NetWitness Platform supports the integration of the following event sources to collect and parse logs. Unless specified, these services are supported on NetWitness Platform 11.7.0.0 or later.

As a launch partner for AWS AppFabric, NetWitness empowers customers to use this simplified, standardized method of securing new and existing AWS apps. For more information, see S3 Universal Connector.
FluentD
Jamf Protect
JDBC Oracle 11g, 12c, 18c, and 19c (Supported from 12.3 onwards)
JDBC IBMDB2 (Supported from 12.3 onwards)
Custom JDBC Typespec (Supported from 12.3 onwards)
Microsoft Azure Log Analytics (Support for Azure Kubernetes logs)
OPSWAT Meta Access Cloud
S3 Universal Connector (Support for Cloudflare RBI logs)
Symantec Data Center Security (Symantec DCS)
VMware Unified Access Gateway (UAG)

For more information on integrating the parser services, see NetWitness Platform Integrations Guide.

Security

Customers can use keytool to import certificates to JVM trust. This has helped them to move away from communicating over untrusted channel.

For more information on using keytool to import certificates to JVM trust, see the article Custom Certificate Issue in CCM.

Platform

The following section describes the new enhancements for Platform component:

Backup and Restore Improvements

The Passwordless remote copying feature allows administrators to avoid entering the password in the Command Line Interface (CLI) while exporting and importing the data using the NetWitness Recovery Tool (NRT) and the NetWitness Recovery Wrapper Tool.

For more information, see Recovery Tool User Guide.
NetWitness Platform allows the non-root users to perform backup and recovery of data using the NetWitness Recovery tool (NRT) and the NetWitness Recovery Wrapper tool.

For more information, see Recovery Tool User Guide.
NetWitness Recovery Wrapper Tool is enhanced with the following options to allow administrators to backup group of the hosts:
- Category Group: This group allows you to create a backup of all the hosts specific to a given category such as Log Hybrid, Log Collector, Standalone Broker in the environment.
- Host Group: This group allows you to create a backup of all the hosts specific to a given group created on the /admin/appliances page.
  You can use the backup to restore any of the hosts in case of configuration issues or catastrophic failures.
  
  For more information, see Recovery Tool User Guide.

Security Fixes

For more information on Security Fixes, see https://community.netwitness.com/t5/netwitness-platform-advisories/ct-p/netwitness-advisories#security.

Upgrade Paths

The following upgrade paths are supported for NetWitness 12.3.0.0

NetWitness 12.2.0.1 to 12.3.0.0
NetWitness 12.2.0.0 to 12.3.0.0

NetWitness 12.1.1.0 to 12.3.0.0
NetWitness 12.1.0.1 to 12.3.0.0
NetWitness 12.1.0.0 to 12.3.0.0
NetWitness 12.0.0.0 to 12.3.0
NetWitness 11.7.3.0 to 12.3.0.0
NetWitness 11.7.2.0 to 12.3.0.0
NetWitness 11.7.1.2 to 12.3.0.0
NetWitness 11.7.1.1 to 12.3.0.0
NetWitness 11.7.1.0 to 12.3.0.0
NetWitness 11.7.0.2 to 12.3.0.0
NetWitness 11.7.0.1 to 12.3.0.0
NetWitness 11.7.0.0 to 12.3.0.0

For more information on upgrading to 12.3.0.0, see Upgrade Guide for NetWitness 12.3.0.0

Before upgrading the UEBA host to 12.3.0.0, you must perform the backup of your Elasticsearch data such as Users, Entities, Alerts, and Indicators to retain them post upgrade. For more information, see NetWitness UEBA Configuration Guide for 12.3.0.0.

Product Version Life Cycle for NetWitness Platform

See for Product Version Life Cycle for NetWitness Platform a list of versions that reach End of Primary Support (EOPS).