The NetWitness 12.4.0.0 Release Notes describe new features, enhancements, security fixes, upgrade paths, fixed issues, known issues, end-of-life functionality, build numbers, and self-help resources.
Enhancements
The following sections list and describe the enhancements to specific capabilities:
To locate the documents that are referred to in this section, see https://community.netwitness.com/t5/netwitness-platform-online/netwitness-platform-all-documents/ta-p/676246.
The Product Documentation section has links to the documentation for this release.
Upgrade
The following section describes the new enhancement for Upgrade:
Alma OS Migration
Red Hat announced that CentOS Linux 7 will reach end of life (EOL) on June 30, 2024. To address this change, NetWitness Platform is now integrated with the new version, AlmaLinux. When you upgrade to NetWitness 12.4, you are automatically migrated from CentOS 7.9 to AlmaLinux 8.9. The NetWitness Platform 12.4 upgrade process is as straightforward as any previous upgrade; you do not have to follow any specific procedure for upgrading to AlmaLinux OS.
AlmaLinux provides several key benefits and new features:
- The upgrade to AlmaLinux is an inherently automated process with zero manual intervention.
- It comes with a pre-upgrade tool that helps administrators discover and mitigate issues before running the actual upgrade process.
- Saves time and administrative effort.
- Retains control over installed applications.
- Preserves most of the configuration information.
NetWitness Platform streamlines the upgrade process, saves time and resources, and maintains control over installed applications and configurations when migrating from CentOS 7.9 to AlmaLinux 8.9.
Investigate
The following section describes the new enhancements for the Investigate component:
Interactive Network Parser Creation
In the Investigate > Events view, users can convert the exact patterns selected or keywords found in the network traffic they review in text session reconstruction into a network parser. This streamlined process allows the user to generate meta to trigger an incident (e.g., a future detection) without understanding how to create the parser.
Users can also create a network parser using keywords from the (Configure) > Policies > Content Library > More > Search Pattern Rule view.
For more information, see Create a Search Pattern in the Text Tab topic in the NetWitness Investigate User Guide and Manage Search Pattern Rule topic in the Policy-based Centralized Content Management Guide.
Download More Sessions than Displayed in Events Table
A new user preference, Maximum Session Export Limit, has been added to the Events Preferences panel in the Investigate > Events view. Analysts can use this setting to adjust the number of available sessions for exporting using the Download All menu options. This enhancement makes the number of exported sessions independent from the number of sessions displayed in the Events table.
For more information, see Set User Preferences for the Events View topic in the NetWitness Investigate User Guide.
Option to Download Files with Custom Names
Analysts can now use custom names when downloading event files from the Events panel view. Custom names make it easier to organize and manage downloaded event files, saving analysts time and effort.
For more information, see Download Data in the Events View topic in the NetWitness Investigate User Guide.
Respond
The following sections describe the new enhancements for the Respond component:
MITRE ATT&CK® Integration with NetWitness
MITRE ATT&CK® is a curated knowledge base of adversary tactics and techniques. It provides an appropriate level of categorization for adversary actions and specific ways of defending against them. Analysts can view the high-level list of tactics, techniques, and sub-techniques, along with their details, and learn how potential threats and vulnerabilities in their environment map to the MITRE ATT&CK framework.
The new ATT&CK® Explorer Panel provides information about the adversary tactics and techniques associated with the Incidents in the Respond view.
NetWitness Live is integrated with the MITRE ATT&CK framework to help analysts view the MITRE ATT&CK Tactics and Techniques associated with Application Rules and Event Stream Analysis Rules. The Service Details Right panel ((Configure) > Policies > Content > Content Library > Application Rule or Event Stream Analysis Rule > click a row > Service Details Right panel) is enhanced to provide information about the MITRE ATT&CK Tactics and Techniques.
You can tag MITRE ATT&CK Tactics and Techniques while creating a custom Application Rule or Event Stream Analysis Rule.
You can also select MITRE ATT&CK Tactics and Techniques while creating an incident from the Investigate > Events view.
With this, the ATTACK.TACTIC and ATTACK.TECHNIQUE meta keys in the Events Metadata panel have been enhanced with MITRE ATT&CK® Lookup integration to help you gain more information on the specific tactic and technique associated with the event.
The new ATT&CK® Explorer Panel is displayed when you click MITRE ATT&CK® Lookup.
For more information, see NetWitness Respond User Guide for 12.4, NetWitness Investigate User Guide, and Policy-based Centralized Content Management Guide.
Response Actions
Response Actions are reactive operations performed on configured meta values using a third-party tool or connector such as ThreatConnect after triaging an event. Response Actions, the new feature added in (CONFIGURE) > More, allows you to perform the following actions:
- Create and manage Response Actions for the supported meta values available in the Respond, Investigate, Hosts, and Users views.
- Perform Quick Actions on the configured meta value and post it with additional parameters to the connector for further action.
For more information, see NetWitness Response Actions Configuration Guide for 12.4.
Insight
The following sections describe the new enhancements for the Insight component:
Whitelist Insight Alerts in Respond View
Administrators and analysts can now whitelist unwanted and recurring Insight alerts generated in the Respond > Alerts view. This enhancement provides the ability to select specific values, such as IP Address and Asset Type, and define a Whitelist condition to prevent unwanted alerts from being generated for these values. Using this enhancement, analysts can streamline the alert management process by excluding specific IP addresses or asset types that are known to be reliable and secure. This optimization minimizes unnecessary alerts generated on the Respond > Alerts view, reducing the time and effort required to review and analyze alerts.
For more information, see the NetWitness Insight section in the NetWitness Documentation Portal.
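The whitelist condition described above pairs one or more field values (for example an IP address and an asset type) and suppresses any alert that matches all of them. The following is an added illustration of that matching logic in Python, written for these notes and not taken from NetWitness; the alert fields, the sample alerts, the whitelist entries, and the CIDR form of the IP field are all assumptions made for the example. It goes slightly beyond the text by accepting a CIDR block for the IP value and by keeping an audit record of which condition suppressed each alert.

```python
"""Added example (not NetWitness code): suppress recurring alerts that match
an administrator-defined whitelist condition.

Field names, alert shape, sample values and the CIDR extension are assumptions."""
import ipaddress

# Constructed sample alerts, shaped around the values named on the page
# (IP address, asset type).
SAMPLE_ALERTS = [
    {"id": "a1", "ip": "10.0.0.5", "asset_type": "Server", "name": "Unusual port"},
    {"id": "a2", "ip": "10.0.0.7", "asset_type": "Workstation", "name": "Unusual port"},
    {"id": "a3", "ip": "192.168.1.20", "asset_type": "Scanner", "name": "Port sweep"},
    {"id": "a4", "ip": "10.0.3.9", "asset_type": "Scanner", "name": "Port sweep"},
]

# A whitelist condition is a dict of field -> expected value. Every field in a
# condition must match (AND); an alert matching any condition is suppressed (OR).
# The "ip" value may be a single address or a CIDR block (assumed extension).
WHITELIST = [
    {"ip": "10.0.0.5", "asset_type": "Server"},          # one known-good host
    {"ip": "192.168.1.0/24", "asset_type": "Scanner"},   # the authorised scanner subnet
]


def field_matches(field, expected, actual):
    """Compare one alert field against the expected whitelist value."""
    if actual is None:
        return False
    if field == "ip":
        try:
            # A bare address becomes a /32 (or /128) network, so both forms work.
            return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
        except ValueError:
            return False
    return expected == actual


def condition_matches(alert, condition):
    """All fields of a condition must match; an empty condition never matches,
    so a misconfigured blank entry cannot silence every alert."""
    if not condition:
        return False
    return all(field_matches(f, v, alert.get(f)) for f, v in condition.items())


def apply_whitelist(alerts, whitelist):
    """Return (kept, suppressed). Suppressed entries record the matching
    condition so that suppression decisions remain auditable."""
    kept, suppressed = [], []
    for alert in alerts:
        hit = next((c for c in whitelist if condition_matches(alert, c)), None)
        if hit is None:
            kept.append(alert)
        else:
            suppressed.append({"alert": alert, "matched": hit})
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = apply_whitelist(SAMPLE_ALERTS, WHITELIST)
    print("kept:", [a["id"] for a in kept])
    print("suppressed:", [(s["alert"]["id"], s["matched"]) for s in suppressed])
```

Keeping the suppressed alerts together with the condition that matched them is the part worth copying: a whitelist that silently drops alerts is hard to review later, whereas a recorded "matched" entry lets an administrator confirm that each suppression still reflects a host or asset type that is known to be safe.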
User and Entity Behavior Analytics
The following section describes the new enhancements for the UEBA component:
Support for Cisco Adaptive Security Appliance (ASA) and Fortinet VPN Devices
NetWitness UEBA has added support for the Cisco ASA and Fortinet VPN devices. With this enhancement, UEBA can now process Cisco ASA and Fortinet VPN logs, which helps to gather and analyze user activity information.
For more information, see the UEBA Supported Sources by Schema section in the UEBA Configuration Guide.
UEBA Performance Improvements
The following performance improvements are made for UEBA in the 12.4.0.0 version:
For more information on the supported scale, see the Learning Period Per Scale for 12.4 topic in the UEBA Configuration Guide.
Endpoint
The following section describes the new enhancements for the Endpoint component:
View Installed Applications
The Hosts details > System Info view has been enhanced to allow analysts to view the information about the various applications installed on a Windows machine.
For more information, see NetWitness Endpoint User Guide for 12.4.
Standalone Scan for Linux Agents
Administrators can execute offline or standalone scans on Linux hosts to perform threat analysis on the Air-gapped Linux machines.
For more information, see NetWitness Endpoint User Guide for 12.4.
Policy-based Centralized Content Management (CCM)
The following enhancements are made for CCM in the 12.4.0.0 version:
Enhancements for Proper Functioning and Deployment of Custom Parsers into Services through CCM
Introduced the capability to import individual XML files (Log Device content type) into the Content Library. You can upload either base parsers or extended parsers as standalone XML files. While importing an XML file, you can optionally associate it with its corresponding base parser, effectively treating it as an extension parser. To import a standalone XML file as an extended parser, select Import as Extended Custom Parser in the Import screen.
The Content Library now displays base parsers and extension parsers as distinct items, providing a clear and organized view for users. This separation ensures that users can easily identify and manage both types of parsers within the library. Furthermore, when an extension parser is added to a policy, the corresponding base parser is automatically included in the policy as well. This streamlined integration simplifies the process for users, eliminating the need to manually link base and extension parsers when creating or editing policies.
For more information, see the Import Content to Content Library section in the Policy-based Centralized Content Management Guide.
Enhancements during Removal of a Service from Group
While removing a service from the group, you can opt to either delete the content from service and then remove the service from the group or remove the service from the group without deleting the content.
For more information, see the Edit a Group, Edit a Policy and Delete a Policy sections in the Policy-based Centralized Content Management Guide.
Capability to Remigrate Content from Service
CCM is enhanced to re-migrate content from a service even if it is already migrated and/or assigned to Groups and Policies. While migrating content from a service already associated with a policy, you can optionally update the associated policy with the migrated content. To update the existing policy and group for a service after re-migrating it, the options available in the Migrate Content from Service page are updated to Create/Update Policy and Group for Each Service and Skip Creating/Updating a Policy and Group.
For more information, see the Migrate Content from Service section in the Policy-based Centralized Content Management Guide.
UI Enhancements
The MORE navigation menu is added to the CCM UI to view Bundles, Search Patterns, and Integrations by default. As you select the content type from the MORE menu, that content type appears on the left of the MORE menu.
Concentrator, Decoder, Log Collector, and Archiver Services
The following enhancements are made for Concentrator, Decoder, Log Collector, and Archiver Services in the 12.4.0.0 version:
Capability to Deprecate the Use of IP Address for Basic Authentication
NetWitness has deprecated the use of IP addresses for Windows Collection Basic Authentication. You must now use the FQDN in the Event Source Address and add an entry for the same FQDN in '/etc/hosts' while configuring Basic Authentication.
New Utility to Stream Meta From Decoders to 3rd Party Tools
Introduced a beta utility to stream meta from network decoders to other 3rd party tools, making it easy to integrate NetWitness Platform with other products. All or a subset of meta data can be streamed to limit the amount sent to the 3rd party tool depending on the use case.
For more information, see Meta Export Installation and Configuration Guide.
Log Integrations
NetWitness Platform supports the integration of the following event sources to collect and parse logs. Unless otherwise specified, these services are supported on NetWitness Platform 12.2.0.0 or later.
Note: From 12.4 onwards, a VMware plugin is also available for the collection of VMware events and tasks.
For more information on integrating the parser services, see NetWitness Platform Integrations Guide.
Security
Single Sign-On (SSO) Authentication Independent of Active Directory (AD) Configuration in NetWitness
Starting from NetWitness Platform version 12.4, NetWitness offers SSO that is independent of the AD configuration in NetWitness. Users are authorized by taking the list of user groups embedded in the SAML authentication token received from ADFS and verifying them against the user groups already set up in NetWitness. This eliminates the need to configure or rely on Active Directory settings within NetWitness for user authentication. NetWitness now supports both Azure ADFS and Microsoft ADFS.
For more information, see Set Up Single Sign-On Authentication topic in the System Security and User Management Guide.
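The authorization step described above, matching the group list carried in a SAML assertion against groups configured locally, is illustrated below as an added Python example written for these notes; it is not NetWitness code and does not describe how the product implements the check. The group claim type URI, the sample assertion, the group names, and the group-to-role mapping are assumptions made for the example.

```python
"""Added example (not NetWitness code): derive a user's local roles from the
group list in a SAML 2.0 assertion, matched against locally configured groups.

The claim type URI, sample assertion, group names and role mapping are assumptions."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Claim type assumed for group membership in the sample assertion.
GROUP_ATTRIBUTE = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample assertion body. The XML signature and Conditions elements
# are omitted; see the note in authorize() about verifying them first.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>analyst1@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>NW-Analysts</saml:AttributeValue>
      <saml:AttributeValue>VPN-Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Locally configured identity-provider group -> local role (assumed values).
CONFIGURED_GROUPS = {"NW-Admins": "Administrators", "NW-Analysts": "Analysts"}


def extract_groups(assertion_xml, attribute_name=GROUP_ATTRIBUTE):
    """Return the values of the named attribute, in the order they appear."""
    root = ET.fromstring(assertion_xml)
    attr_tag = f"{{{SAML_NS}}}Attribute"
    value_tag = f"{{{SAML_NS}}}AttributeValue"
    groups = []
    for attr in root.iter(attr_tag):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.findall(value_tag):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return groups


def extract_name_id(assertion_xml):
    """Return the subject NameID, or None if the assertion carries none."""
    root = ET.fromstring(assertion_xml)
    node = root.find(f".//{{{SAML_NS}}}NameID")
    return node.text.strip() if node is not None and node.text else None


def authorize(assertion_xml, configured_groups, attribute_name=GROUP_ATTRIBUTE):
    """Map asserted groups to local roles.

    Groups that are not configured locally are ignored, and a user with no
    mapped role is denied (deny by default). Call this only after the
    assertion's XML signature, audience and validity window have been
    verified; until then the attribute values are untrusted input.
    """
    groups = extract_groups(assertion_xml, attribute_name)
    roles = sorted({configured_groups[g] for g in groups if g in configured_groups})
    return {
        "user": extract_name_id(assertion_xml),
        "roles": roles,
        "allowed": bool(roles),
    }


if __name__ == "__main__":
    print(authorize(SAMPLE_ASSERTION, CONFIGURED_GROUPS))
```

Two design points carry over to any group-claim authorization: the local configuration is the allow list, so an unexpected group name in the token (here "VPN-Users") grants nothing, and the role lookup runs only after the assertion itself has been validated, since an unsigned or replayed assertion could otherwise carry any group list the sender chooses. For production parsing of assertions from the network, a hardened XML parser such as defusedxml is preferable to the standard library parser used here.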
Security Fixes
For more information on Security Fixes, see https://community.netwitness.com/t5/netwitness-platform-advisories/ct-p/netwitness-advisories#security.
Upgrade Paths
The following upgrade paths are supported for NetWitness 12.4.0.0:
- NetWitness 12.3.1.0 to 12.4.0.0
- NetWitness 12.3.0.0 to 12.4.0.0
- NetWitness 12.2.0.1 to 12.4.0.0
- NetWitness 12.2.0.0 to 12.4.0.0
For more information on upgrading to 12.4.0.0, see the Upgrade Guide for NetWitness 12.4.0.0.
IMPORTANT: If you want to upgrade from an 11.7.x or 11.7.x.x version to 12.4.0.0, you must first upgrade to 12.2.0.0 or 12.3.0.0 before upgrading to 12.4.
IMPORTANT: The Warehouse connector uses a lockbox to store credentials securely for data integration sources and destinations. However, users upgrading from earlier versions to the 12.4 version cannot start the configured streams without migrating their existing credentials in the new lockbox. As a result, users must manually create a new lockbox key and then refresh the password for their sources and destinations configured in Warehouse Connector, wherever applicable. For detailed instructions on creating the new lockbox key, refer to the Warehouse Connector section under the Post Upgrade Tasks in the Upgrade Guide for NetWitness 12.4.0.0.
Product Version Life Cycle for NetWitness Platform
See Product Version Life Cycle for NetWitness Platform for a list of versions that reach End of Primary Support (EOPS).