The NetWitness 12.5.1.0 Release Notes describe new features, enhancements, security updates, upgrade paths, fixed issues, known issues, end-of-life functionality, build numbers, and self-help resources.

Enhancements

The following sections are a complete list and description of enhancements to specific capabilities:

To locate the documents that are referred to in this section, see https://community.netwitness.com/t5/netwitness-platform-online/netwitness-platform-all-documents/ta-p/676246.

The Product Documentation section has links to the documentation for this release.

Dashboard

The following section describes the new enhancement for the Dashboard component:

Home View Widgets

NetWitness introduces the What's New widget and enhances the FirstWatch Threat Logic & Live Content Updates and Content Available widgets with new configuration options. Administrators, Analysts, and SOC Managers can access these widgets, which display data in graphical form: new and updated NetWitness content, messages outlining campaigns, threats, or content life cycle updates, and more.


Investigate

The following section describes the new enhancements for the Investigate component:

Added Packet Count Option in Timeline Settings

Analysts can now set the Packet Count option in the Timeline Settings of the Investigate > Events view. This enhancement allows analysts to easily track the total number of packets captured at specific times, providing crucial data for network traffic analysis and investigation on the Timeline view. This enhancement further helps analysts to gain valuable insights into network behavior patterns.


For more information, see the Use Timeline Settings section of the Begin an Investigation in the Events View topic in the NetWitness Investigate User Guide.

Service Search Option in Events View

Analysts can now easily locate specific services using the service search option in the Investigate > Events view. This enhancement is particularly useful in environments with a complex service hierarchy, enabling analysts to easily identify and focus on the specific service of interest among many deployed services.

For example, in environments with numerous Concentrator services, analysts can now easily find a specific Concentrator by using the service search option instead of manually scrolling through a long list of services. This option significantly enhances the efficiency of service-related investigations and analysis workflows.


For more information, see the Search for a Service section of the Begin an Investigation in the Events View topic in the NetWitness Investigate User Guide.

SASE Capability

The following section describes the new enhancement for SASE:

NetWitness SASE Integration with Palo Alto Networks

Introduces a Beta NetWitness integration with Palo Alto Prisma SASE to provide complete network and log visibility. With this custom technical integration, NetWitness users gain insight into behavior and communication among devices and services in remote and distributed networks across on-premises, hybrid, and cloud deployments. The NetWitness-Palo Alto SASE integration enables customers to leverage SASE flexibility and its inherent security advantages while retaining complete visibility for threat detection and response.

Note: NetWitness Platform SASE deployments with Palo Alto Networks support up to 800 Mbps and can accommodate 1,500 users per region. On average, this translates to approximately 0.53 Mbps of data per user.

For more information, see the SASE Integration Overview Guide.

Policy-based Centralized Content Management (CCM)

The following enhancements are made for CCM in version 12.5.1.0:

Dynamic Distribution of GeoIP Data

NetWitness 12.5.1 introduces a way to import GeoIP files on the Content Library page for customers not connected to NetWitness Live. This feature gives users detailed geographical insights while maintaining optimal system performance.

By identifying the geographical origins of network traffic, users can protect sensitive data and systems, ensuring that only authorized personnel from specific regions can access certain resources. Users connected to NetWitness Live will continue to receive automatic updates with the latest GeoIP files as usual.

Note: The daily distribution of GeoIP contextual data does not require CCM and supports air-gapped customers.


Add to Policy Option

The Policies tab in CCM is enhanced with the Add to Policy option. Users can directly add Application or Network Rules to a policy if it does not exist. All dependents and their corresponding content are also included in the policy.


Order View

When creating a new policy or editing an existing one, users can view the order of the selected Application or Network Rules. The selected rules are displayed sequentially under the Order column in the Selected Content view under the Define Policy option. This order will be maintained while being published to the decoders.


For more information, see the Centralized Content Management Guide.

 

Administration and Configuration

The following section describes the new enhancements for the administration and configuration:

Improved Authentication with New Automatic External Provider Retry Option

NetWitness Platform 12.5.1 introduces a new configuration parameter that enhances user authentication resiliency. Previously, when a user was registered with multiple external authentication providers and their primary provider became unavailable, login attempts would fail. With this enhancement, administrators can now enable automatic authentication attempts across all configured external authentication providers. To use this feature, the retry-failed-external-authentication-with-all-available-external-providers parameter must be enabled, and the user must log in using the same username that is present on other external authentication providers as well. This improvement ensures uninterrupted access even if the primary authentication method becomes unavailable, providing users with a more robust and flexible authentication experience.


For more information, see the (Optional) Configure External Authentication section of the Retry Failed External Authentication with Other Available External Providers topic in the System Security and User Management Guide for 12.5.1.0.

ESA

The following section describes the new enhancements for ESA:

ESA Esper Version 9.0 Update

The ESA Correlation server is updated from Esper version 8.8 to 9.0. NetWitness Platform now supports the new constructs available in the Esper 9.0 release.

Log Collections

The following section describes the new enhancements for the Log Collections:

New JDBC Integrations for Log Collection

The transition from ODBC drivers to an open-source JDBC solution for Log Collection continues, with several new integrations included in this 12.5.1 release. This change ensures efficient and reliable data collection for users.

For more information, see the NetWitness Platform Integrations page.

Log Integrations

Supports integration of the Netskope V2 Connector (to capture Events, Alerts and Incidents), WatchGuard EPDR, Azure DevOps Audit Logs, and MSSQL 2022 event sources to collect and parse logs.

For more information on integrating the parser services, see NetWitness Platform Integrations Guide.

Security Updates

Addresses the latest security vulnerabilities reported against various libraries the NetWitness Platform uses, including one critical (CVE-2024-42472), 29 major, 177 moderate, and 9 minor vulnerabilities.

For more information on Security Fixes, see https://community.netwitness.com/t5/netwitness-platform-advisories/ct-p/netwitness-advisories#security.

Network Configuration Updates

For fresh installs of 12.5.1, the network configuration of NW hosts has migrated from the ifcfg format to the NetworkManager-supported keyfile format. This change does NOT apply to upgrades to 12.5.1.0.

The following changes are observed post NetworkManager implementation:

  1. The name of the network interface file(s) changed from ifcfg-emX (where X is 1,2,3 or 4) to emX.connection (where X is 1,2,3 or 4). For example: ifcfg-em1 versus em1.connection

  2. The location of the network interface files changed from /etc/sysconfig/network-scripts/ to /etc/NetworkManager/system-connections.

    For example: /etc/sysconfig/network-scripts/ifcfg-em1 versus /etc/NetworkManager/system-connections/em1.connection

  3. The network interface definitions for the host have migrated from ifcfg file format to keyfile format (plain text key-value pairs, like ifcfg files, grouped into sections).

    Sample /etc/NetworkManager/system-connections/em1.connection file content for static IP assignment:

    [Image: 1251_NetworkManager_1124.png]
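
The ifcfg-to-keyfile change listed above, as an added example (not NetWitness code and not the sample from the release notes): a Python converter that maps a constructed static-IP ifcfg-em1 definition to the equivalent em1.connection keyfile text and path. The addresses, the function names, and the handled subset of ifcfg keys (DEVICE, BOOTPROTO, ONBOOT, IPADDR, PREFIX, GATEWAY, DNS1) are assumptions.

```python
import configparser
import io

# Constructed sample (not from the release notes): a static-IP ifcfg-em1 file.
SAMPLE_IFCFG = """\
DEVICE=em1
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.0.2.10
PREFIX=24
GATEWAY=192.0.2.1
DNS1=192.0.2.53
"""
KEYFILE_DIR = "/etc/NetworkManager/system-connections"


def parse_ifcfg(text):
    """Parse shell-style KEY=value lines, skipping comments and stripping quotes."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def ifcfg_to_keyfile(text):
    """Return (path, keyfile_text) for a static IPv4 ifcfg definition."""
    cfg = parse_ifcfg(text)
    if cfg.get("BOOTPROTO", "none") not in ("none", "static"):
        raise ValueError("only static IPv4 definitions are handled here")
    dev = cfg["DEVICE"]
    keyfile = configparser.ConfigParser(interpolation=None)
    keyfile.optionxform = str  # keep key case as written
    auto = "true" if cfg.get("ONBOOT", "yes") == "yes" else "false"
    # No uuid is written here; this example covers only the keys shown.
    keyfile["connection"] = {"id": dev, "type": "ethernet",
                             "interface-name": dev, "autoconnect": auto}
    address = f"{cfg['IPADDR']}/{cfg['PREFIX']}"  # NETMASK form not handled
    if "GATEWAY" in cfg:
        address += f",{cfg['GATEWAY']}"
    keyfile["ipv4"] = {"method": "manual", "address1": address}
    if "DNS1" in cfg:
        keyfile["ipv4"]["dns"] = cfg["DNS1"] + ";"  # keyfile lists end with ';'
    out = io.StringIO()
    keyfile.write(out, space_around_delimiters=False)
    return f"{KEYFILE_DIR}/{dev}.connection", out.getvalue()
```

NetworkManager only loads keyfiles that are owned by root and not accessible to other users (mode 0600), so any file written from this output needs those permissions.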

Upgrade Paths

The following upgrade paths are supported for NetWitness 12.5.1.0:

  • NetWitness 12.5.0.0 to 12.5.1.0

  • NetWitness 12.4.2.0 to 12.5.1.0

  • NetWitness 12.4.1.0 to 12.5.1.0

  • NetWitness 12.4.0.0 to 12.5.1.0

  • NetWitness 12.3.1.0 to 12.5.1.0

  • NetWitness 12.3.0.0 to 12.5.1.0

  • NetWitness 12.2.0.1 to 12.5.1.0

  • NetWitness 12.2.0.0 to 12.5.1.0

For more information on upgrading to 12.5.1.0, see the Upgrade Guide for NetWitness 12.5.1.0.

IMPORTANT: NetWitness advises users to check their software versions, as versions 12.2 and earlier have reached End of Life (EOL) as of March 31, 2024. For more information, see https://community.netwitness.com/t5/product-life-cycle/product-version-life-cycle-for-rsa-netwitness-platform/ta-p/569875. To take advantage of the latest features and security updates, NetWitness recommends upgrading to version 12.5.1.0.

IMPORTANT: If you want to upgrade from version 11.7.x or 11.7.x.x to 12.5.1.0, you must first upgrade to version 12.2.0.0 or 12.3.0.0 before upgrading to 12.5.1.0.

IMPORTANT: The Warehouse Connector uses a lockbox to store credentials securely for data integration sources and destinations. However, users upgrading from earlier versions to version 12.5.1.0 cannot start the configured streams without migrating their existing credentials to the new lockbox. As a result, users must manually create a new lockbox key and then refresh the password for their sources and destinations configured in Warehouse Connector, wherever applicable. For detailed instructions on creating the new lockbox key, refer to the Warehouse Connector section under the Post Upgrade Tasks in the Upgrade Guide for NetWitness 12.5.1.0.

Product Version Life Cycle for NetWitness Platform

See Product Version Life Cycle for NetWitness Platform for a list of versions that reach End of Primary Support (EOPS).