What's New in 12.3.1.0 Release

NetWitness Platform Online Documentation

Browse the official NetWitness Platform Online documentation for helpful tutorials, step-by-step instructions, and other valuable resources.

Options

Subscribe to RSS Feed

Bookmark

Subscribe

Printer Friendly Page

Report Inappropriate Content

Versions

Collections

All Downloads

What's New in 12.3.1.0 Release

The NetWitness 12.3.1.0 Release Notes describe new features, enhancements, security fixes, upgrade paths, fixed issues, known issues, end-of-life functionality, build numbers, and self-help resources.

Enhancements

The following sections are a complete list and description of enhancements to specific components:

Investigate
Respond
Insight
User and Entity Behavior Analytics
Endpoint
Policy-based Centralized Content Management (CCM)
Concentrator, Decoder, and Log Collector Services
Log Integrations
Upgrade
Security
User Interface

To locate the documents that are referred to in this section, see https://community.netwitness.com/t5/netwitness-platform-online/netwitness-platform-all-documents/ta-p/676246.

The Product Documentation section has links to the documentation for this release.

Investigate

The following section describes the new enhancements for the Investigate component:

Generate Charts from Events View

Administrators and analysts can now generate Adhoc and Schedule charts from the Investigate > Events page. With this enhancement, administrators and analysts can create various types of charts based on Event Count, Session Size, Packet Count, and Meta Key. These charts offer a more in-depth understanding of events and make it easier for analysts to investigate efficiently. Additionally, analysts can share these visualizations with others in various formats like PDF and CSV files, facilitating seamless collaboration and communication.

For more information, see Generate Reports from Events View topic in the NetWitness Investigate User Guide.

Create Real-time Charts from Events View

Administrators and analysts can now create real-time charts based on data from the Investigate > Events page. This feature provides a dynamic way to visualize your data and gain valuable insights as the data is continuously updated based on the configured time interval. This feature enables administrators and analysts to create a variety of chart types based on Event Count, Session Size, Packet Count, and Meta Key. It provides an all-in-one solution for tracking trends for analysts. Additionally, analysts can add these real-time charts to their Default Dashboard, allowing them to track critical data seamlessly within the organization.

For more information, see Generate Reports from Events View topic in the NetWitness Investigate User Guide.

Events View UI Improvements

The Events small timeline view has been improved with the addition of a border, making it easier for analysts to differentiate between the small and large timelines. This enhancement eliminates any confusion when using the zoom feature on the timeline and provides a clear view of the presented data.

For more information, see Timeline topic in the NetWitness Investigate User Guide.

When viewing session reconstructions in the Events view, the left click function is disabled for the time and event time in the Collection Time column of the events table to prevent accidental alterations, resulting in a smoother and more efficient workflow.

Load Service Hierarchy Faster on Events View

The Investigate > Events page may take longer than expected to load if the list of services to load has Core hosts that are switched off adversely. In such scenarios, NetWitness Platform users can customize the hierarchy-call-time-out parameter in the Admin > Services > Investigate Server > Explore view. This customization will allow the Services to load quickly before the request is timed out. The default value is 5 seconds.

Note: The duration it takes for NetWitness Platform to load Services is the result of the total time it takes to communicate with all services present in a deployment. This load time may vary due to several factors, such as inaccessible services, stale connections, or incorrect host connection status in the cache due to a host being improperly switched off

For more information, see Edit Service Hierarchy Timeout Settings topic in the Hosts and Services Getting Started Guide.

For information on the recommended procedures for shutting down hosts, please see Delay in Loading NetWitness Investigate > Events Page in NetWitness 11.7 and later.

Respond

The following sections describes the new enhancements for the Respond component:

Support for Custom Aggregation Rule Schema Configuration

A new custom_aggregation_rule_schema.json file is created in this release. This feature allows administrators to manage all the custom meta fields without modifying the Out-of-the-Box (OOTB) configuration. It enables administrators to add, edit, and delete alert fields to the requirements. It also ensures a seamless upgrade experience.

To simplify customization and avoid modifying the default configuration, administrators can use the custom_aggregation_rule_schema.json file for smoother management and the migration a seamless transition. Importing incident rules is also more convenient, and backward compatibility is maintained automatically.

For more information, see Configuring NetWitness Respond topic in the NetWitness Respond Configuration Guide.

Enhanced Source Display in NetWitness Respond

Enhanced NetWitness Respond to list available services based on NetWitness orchestrated services. This can avoid confusion caused by outdated or nonexistent services and ensure that users only see the relevant services.

If a service is removed, it will be marked as decommissioned in the UI instead of immediately being removed from the source list. This approach prevents disruptions in source availability for ongoing activities while creating visibility into service's status.

For more information, see Reviewing Alerts topic in the NetWitness Respond User Guide.

Insight

The following section describes the new enhancements for the NetWitness Insight:

Detect New Assets in Insight (BETA)

NetWitness Insight introduces a new alert named New asset discovered in environment. This alert is generated on the Respond > Alerts page whenever a new asset Server type is detected in the environment for the first time or if an existing asset has not been observed by NetWitness Insight for the last 30 days. This alert is generated for assets identified as server by NetWitness Insight. This feature enhances visibility and provides analysts with an improved understanding of the assets present in the environment, enabling them to better protect them from any potential attacks.

This feature is currently available in BETA mode and is disabled by default. Please contact NetWitness Customer Support team to enable the feature.

new asset alert_1231_1610.png

Historical Service Trend Chart Improvements

The following improvements are made to Historical Service Trend chart in 12.3.1.0 version:

Added a new Service filter feature that allows you to filter services using a searchable drop-down menu. Analysts can now filter services by multiple values simultaneously, making it easier to compare services and discover insights.

Improved pagination functionality now allows analysts to navigate between the first and last pages seamlessly.

Services in the chart legend are sorted from highest to lowest enterprise traffic using the latest date data. When services have the same percentage value, they are sorted alphabetically.

For more information, see the NetWitness Insight section in the NetWitness Documentation Portal.

Email Notification on Exceeding Daily License Usage

NetWitness Insight customers exceeding the daily license usage limit three or more times within the last 14 days will receive an email notification.

User and Entity Behavior Analytics

The following section describes the new enhancements for UEBA component:

Support for Citrix NetScaler and Palo Alto Networks VPN Devices

NetWitness UEBA has added support for the Citrix NetScaler and Palo Alto Networks VPN devices. With this enhancement, UEBA can now process Citrix NetScaler and Palo Alto Networks VPN logs, which helps you gather and analyze user activity information.

For more information, see the UEBA Supported Sources by Schema section in the UEBA Configuration Guide.

UEBA Performance Improvements

Optimized the database for inserting and querying data, resulting in faster query response times.
The modeling process for network data has been improved by excluding randomized JA3 entities, resulting in improvements in the overall performance.
Optimized the modeling process to generate and update multiple models in parallel.
Airflow retention DAGs processing times have been reduced due to faster cleanup of outdated data.

For more information on the supported scale, see the Learning Period Per Scale for 12.3.1 topic in the UEBA Configuration Guide.

Endpoint

The following section describes the new enhancements for Endpoint component:

Supported Operating System Enhancements

Administrators have the option to deploy Endpoint agents on the following versions of Linux and Mac Operating System:

Red Hat Enterprise Linux 9.x
Alma Linux 9.0
Oracle Linux 8.8
SUSE Linux Enterprise Server 12 SP1 and 15 SP4
macOS Sonoma (14)

For more information, see Introduction to Endpoint Agent Installation topic in the NetWitness Endpoint Agent Installation Guide.

Source Server Explore View Enhancements

The Source server Explore view ( AdminIcon (1).png Admin > Services > View > Explore) is enhanced with endpoint/recovery configuration option to help administrators configure Endpoint recovery in case of any disaster.

For more information, see High Availability (Endpoint Recovery) topic in the NetWitness Endpoint User Guide.

Policy-based Centralized Content Management (CCM)

The following enhancements are made to Policy-based Centralized Content Management in 12.3.1.0 version:

Pagination is added in the Content Library, Groups Listing and Policy Listing pages which enables you to navigate through the list. By default, 50 rows are displayed per page. However, NetWitness allows you to modify the number of rows displayed per page.

For more information, see the View a Group, View Application Rule Details and View a Policy topics in the Policy-based Centralized Content Management Guide.
Administrators can directly update any content, that are part of Policies, in the Content Library. The changes will be reflected in the Services once the Policy is republished.
The search experience for selected content during Policy creation is improved. A Search box is added under the Selected Content in the Define Policy screen. You can search the selected content by typing the initial content text in the Search box.

For more information, see the Create and Publish Policies topic in the Policy-based Centralized Content Management Guide.
UI Improvements:
- In the Filters panel of Policy Listing, Groups Listing and Services Listing pages, the respective parameters 'Policy Name', 'Group Name' and 'Service Name' is changed to 'Name'.
  
  For more information, see the View a Policy, View a Group and View a Service topics in the Policy-based Centralized Content Management Guide.

Concentrator, Decoder, and Log Collector Services

The following section describes the new enhancements for the Decoder and Log Collector components:

HTTP2 Improvements

Created additional meta keys for more visibility. Also enhanced this feature to avoid any duplicate metas generated for HTTP2 sessions.

For more information, see Visibility into HTTP/2 Sessions topic in the NetWitness Decoder Configuration Guide.

Support for Syslog Length Prefixed Logs

Introduced a new event category called syslog-length-prefix under the Syslog Collection in the Log Collector to provide support for syslog length prefixed logs during syslog collection.

For more information, see Configure Syslog Event Sources topic in the Log Collection Guide.

Log Integrations

NetWitness Platform supports the integration of the following event sources to collect and parse logs. Unless specified, these services are supported on NetWitness Platform 11.7.0.0 or later.

Google Cloud Platform (Support for VPC Flow Logs, Google Kubernetes Engine (GKE) Logs, Cloud Storage Logs, and Audit Logs)

Kaspersky Anti-Virus (Support to export events in CEF format)

Microsoft Exchange Server (Support for MS Exchange Server 2019)
Universal REST API (Support for Sailpoint IIQ)
Radware DDOS
S3 Universal Connector (Support for Amazon CloudFront).

For more information on integrating the parser services, see NetWitness Platform Integrations Guide.

Upgrade

Administrators are advised to run the nw-precheck-tool command through the CLI method to generate the system upgradability health report. The report helps administrators to troubleshoot any anomalies and minimize upgrade failures. The tool-tip message appears when you hover over the drop-down menu options Update Host and Check for Updates.

For more information, see the Run Pre-Upgrade Checks topic in the Upgrade Guide for NetWitness 12.3.1.0.

Customer Experience Improvement Program (CEIP)

NetWitness now displays a NetWitness Platform CEIP dialog to all users (with Manage Live Setting and config-server manage configuration permissions) who previously have not enabled the CEIP program and upgrading to a major or minor platform version. For example, in NetWitness Platform version 12.3.1.0, the major version is represented by 12 while the minor version is represented by 3.

For more information, see Configure the Customer Experience Improvement Program in the System Configuration Guide.

Security

To further improve security, all NetWitness services and scripts will utilize trusted certificate-based authentication or deploy admin password for the RabbitMQ account. Additionally, the guest user account password is set to random value to restrict full Administrator Access to only authorized users on the host.

User Interface

The following section describes the new enhancements for the NetWitness user interface:

NetWitness Product Name Change

NetWitness shortened the product name to "NetWitness Platform". This change aims to streamline and align our branding with our overall product strategy.

Security Fixes

For more information on Security Fixes, see https://community.netwitness.com/t5/netwitness-platform-advisories/ct-p/netwitness-advisories#security.

Upgrade Paths

The following upgrade paths are supported for NetWitness 12.3.1.0

NetWitness 12.3.0.0 to 12.3.1.0
NetWitness 12.2.0.1 to 12.3.1.0
NetWitness 12.2.0.0 to 12.3.1.0

NetWitness 12.1.1.0 to 12.3.1.0
NetWitness 12.1.0.1 to 12.3.1.0
NetWitness 12.1.0.0 to 12.3.1.0
NetWitness 12.0.0.0 to 12.3.1.0
NetWitness 11.7.3.0 to 12.3.1.0
NetWitness 11.7.2.0 to 12.3.1.0
NetWitness 11.7.1.2 to 12.3.1.0
NetWitness 11.7.1.1 to 12.3.1.0
NetWitness 11.7.1.0 to 12.3.1.0
NetWitness 11.7.0.2 to 12.3.1.0
NetWitness 11.7.0.1 to 12.3.1.0
NetWitness 11.7.0.0 to 12.3.1.0

For more information on upgrading to 12.3.1.0, see Upgrade Guide for NetWitness 12.3.1.0

Warning: Before upgrading the UEBA host to 12.3.1.0, you must perform the backup of your Elasticsearch data such as Users, Entities, Alerts, and Indicators to retain them post upgrade. For more information, see NetWitness UEBA Configuration Guide for 12.3.1.0.

Product Version Life Cycle for NetWitness Platform

See for Product Version Life Cycle for NetWitness Platform a list of versions that reach End of Primary Support (EOPS).

NetWitness Community

Table of Contents

Product Resources