The following section describes the new enhancement for the Dashboard component:
Home View Widgets
NetWitness introduces the What's New widget and enhances the FirstWatch Threat Logic & Live Content Updates and Content Available widgets with new configuration options. Administrators, Analysts, and SOC Managers can access the respective widgets, which display certain data in graphical form. Updated and new NetWitness content, messages outlining campaigns, threats, or content life cycle updates, and more are displayed in these widgets.
Investigate
The following section describes the new enhancements for the Investigate component:
Added Packet Count Option in Timeline Settings
Analysts can now set the Packet Count option in the Timeline Settings of the Investigate > Events view. This enhancement allows analysts to easily track the total number of packets captured at specific times, providing crucial data for network traffic analysis and investigation on the Timeline view. This enhancement further helps analysts to gain valuable insights into network behavior patterns.
For more information, see the Use Timeline Settings section of the Begin an Investigation in the Events View topic in the NetWitness Investigate User Guide.
Service Search Option in Events View
Analysts can now easily locate specific services using the service search option in the Investigate > Events view. This enhancement is particularly useful in environments with a complex service hierarchy, enabling analysts to easily identify and focus on the specific service of interest among many deployed services.
For example, in environments with numerous Concentrator services, analysts can now easily find a specific Concentrator by using the service search option instead of manually scrolling through a long list of services. This option significantly enhances the efficiency of service-related investigations and analysis workflows.
For more information, see the Search for a Service section of the Begin an Investigation in the Events View topic in the NetWitness Investigate User Guide.
SASE Capability
The following section describes the new enhancement for SASE:
NetWitness SASE Integration with Palo Alto Networks
Introduces a beta NetWitness integration with Palo Alto Prisma SASE to provide complete network and log visibility. With this custom technical integration, NetWitness users gain insight into behavior and communication among devices and services in remote and distributed networks across on-premises, hybrid, and cloud deployments. The NetWitness-Palo Alto SASE integration enables customers to leverage SASE flexibility and its inherent security advantages while retaining complete visibility for threat detection and response.
Note: NetWitness Platform SASE deployments with Palo Alto Networks support up to 800 Mbps and can accommodate 1,500 users per region. On average, this translates to approximately 0.53 Mbps of data per user.
For more information, see the SASE Integration Overview Guide.
Policy-based Centralized Content Management (CCM)
The following enhancements are made for CCM in 12.5.1.0 version:
Dynamic Distribution of GeoIP Data
NetWitness 12.5.1 introduces a way to import GeoIP files on the Content Library page for customers not connected to NetWitness Live. This feature provides users with detailed geographical insights while maintaining optimal system performance.
By identifying the geographical origins of network traffic, users can protect sensitive data and systems, ensuring that only authorized personnel from specific regions can access certain resources. Users connected to NetWitness Live will continue to receive automatic updates with the latest GeoIP files as usual.
Note: The daily distribution of GeoIP contextual data does not require CCM and supports air-gapped customers.
Add to Policy Option
The Policies tab in CCM is enhanced with the Add to Policy option. Users can directly add Application or Network Rules to a policy if they do not already exist in it. All dependents and their corresponding content are also included in the policy.
Order View
When creating a new policy or editing an existing one, users can view the order of the selected Application or Network Rules. The selected rules are displayed sequentially under the Order column in the Selected Content view under the Define Policy option. This order will be maintained while being published to the decoders.
Administration and Configuration
The following section describes the new enhancements for the administration and configuration:
Improved Authentication with New Automatic External Provider Retry Option
NetWitness Platform 12.5.1 introduces a new configuration parameter that enhances user authentication resiliency. Previously, when a user was registered with multiple external authentication providers and their primary provider became unavailable, login attempts would fail. With this enhancement, administrators can now enable automatic authentication attempts across all configured external authentication providers. To use this feature, the retry-failed-external-authentication-with-all-available-external-providers parameter must be enabled, and the user must log in using the same username that is present on other external authentication providers as well. This improvement ensures uninterrupted access even if the primary authentication method becomes unavailable, providing users with a more robust and flexible authentication experience.
For more information, see the (Optional) Configure External Authentication section of the Retry Failed External Authentication with Other Available External Providers topic in the System Security and User Management Guide for 12.5.1.0.
ESA
The following section describes the new enhancements for ESA:
ESA Esper Version 9.0 Update
The ESA Correlation server is updated from Esper version 8.8 to 9.0. NetWitness Platform now supports the new constructs available in the Esper 9.0 release.
Log Collections
The following section describes the new enhancements for the Log Collections:
New JDBC Integrations for Log Collection
The ongoing transition from ODBC drivers to an open-source JDBC solution for Log Collection continues. The transition is currently underway, with several new integrations included in this 12.5.1 release. This change ensures efficient and reliable data collection for users.
Addresses the latest security vulnerabilities reported against various libraries the NetWitness Platform uses, including one critical (CVE-2024-42472), 29 major, 177 moderate, and 9 minor vulnerabilities.
In 12.5.1, for fresh installs, the network configuration of NetWitness hosts is migrated from the ifcfg format to the NetworkManager-supported keyfile format. This implementation does NOT apply to upgrades to 12.5.1.0.
The following changes are observed after the NetworkManager implementation:
The name of the network interface file(s) changed from ifcfg-emX (where X is 1, 2, 3, or 4) to emX.connection (where X is 1, 2, 3, or 4). For example: ifcfg-em1 versus em1.connection
The location of the network interface files changed from /etc/sysconfig/network-scripts/ to /etc/NetworkManager/system-connections.
For example: /etc/sysconfig/network-scripts/ifcfg-em1 versus /etc/NetworkManager/system-connections/em1.connection
The network interface definitions for the host have migrated from ifcfg file format to keyfile format (plain text key-value pairs, like ifcfg files, grouped into sections).
Sample /etc/NetworkManager/system-connections/em1.connection file content for static IP assignment:
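As an added illustration of the ifcfg-to-keyfile migration described above (example code written here, not NetWitness's migration tooling or the page's own sample), the following Python converts a constructed ifcfg-em1 file into the keyfile layout and then checks that the result really holds a static assignment. The interface name, addresses, and file contents are constructed for the example.

```python
"""Constructed example: render a static ifcfg-em1 as a NetworkManager keyfile
and validate the keyfile.  Not NetWitness code; addresses are from the
RFC 5737 documentation range."""
import configparser
import io
import ipaddress

# Constructed sample of a legacy /etc/sysconfig/network-scripts/ifcfg-em1.
SAMPLE_IFCFG = """\
DEVICE=em1
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.0.2.10
NETMASK=255.255.255.0
GATEWAY=192.0.2.1
DNS1=192.0.2.53
DNS2=192.0.2.54
"""


def parse_ifcfg(text):
    """Parse ifcfg KEY=VALUE lines into a dict; comments and blanks are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def ifcfg_to_keyfile(text):
    """Render an equivalent keyfile ([connection], [ipv4], [ipv6] sections)
    for an ifcfg file that uses a static address."""
    cfg = parse_ifcfg(text)
    dev = cfg["DEVICE"]
    if cfg.get("BOOTPROTO", "none").lower() not in ("none", "static"):
        raise ValueError("only static assignment is handled in this example")
    # ifcfg may carry PREFIX directly or a dotted NETMASK; keyfile wants CIDR.
    if "PREFIX" in cfg:
        prefix = int(cfg["PREFIX"])
    else:
        prefix = ipaddress.IPv4Network(f"0.0.0.0/{cfg['NETMASK']}").prefixlen
    # keyfile address1 is "ip/prefix,gateway"; the gateway part is optional.
    address = f"{cfg['IPADDR']}/{prefix}"
    if cfg.get("GATEWAY"):
        address += f",{cfg['GATEWAY']}"
    dns = [cfg[k] for k in sorted(cfg) if k.startswith("DNS")]
    kf = configparser.ConfigParser()
    kf.optionxform = str  # keyfile keys are case-sensitive
    kf["connection"] = {
        "id": dev,
        "type": "ethernet",
        "interface-name": dev,
        "autoconnect": "true" if cfg.get("ONBOOT", "yes") == "yes" else "false",
    }
    kf["ipv4"] = {"method": "manual", "address1": address}
    if dns:
        kf["ipv4"]["dns"] = ";".join(dns) + ";"  # keyfile lists end with ';'
    kf["ipv6"] = {"method": "disabled"}
    buf = io.StringIO()
    kf.write(buf, space_around_delimiters=False)
    return buf.getvalue()


def check_static_keyfile(text):
    """Return a list of findings for a keyfile that should hold a static
    address; an empty list means it passes the checks."""
    kf = configparser.ConfigParser()
    kf.optionxform = str
    kf.read_string(text)
    findings = []
    if kf.get("ipv4", "method", fallback=None) != "manual":
        findings.append("ipv4.method is not manual")
    if not kf.has_option("ipv4", "address1"):
        findings.append("ipv4.address1 missing")
    if kf.get("connection", "type", fallback=None) != "ethernet":
        findings.append("connection.type is not ethernet")
    if not kf.has_option("connection", "interface-name"):
        findings.append("connection.interface-name missing")
    return findings


if __name__ == "__main__":
    rendered = ifcfg_to_keyfile(SAMPLE_IFCFG)
    print(rendered)
    print("findings:", check_static_keyfile(rendered))
```

On a NetworkManager host the rendered text can be compared against what `nmcli connection migrate` produces for the same interface.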
Upgrade Paths
The following upgrade paths are supported for NetWitness 12.5.1.0.
IMPORTANT: If you want to upgrade from 11.7.x or 11.7.x.x versions to 12.5.1.0 version, you must first upgrade to 12.2.0.0 or 12.3.0.0 version before upgrading to 12.5.1.0.
IMPORTANT: The Warehouse connector uses a lockbox to store credentials securely for data integration sources and destinations. However, users upgrading from earlier versions to the 12.5.1.0 version cannot start the configured streams without migrating their existing credentials in the new lockbox. As a result, users must manually create a new lockbox key and then refresh the password for their sources and destinations configured in Warehouse Connector, wherever applicable. For detailed instructions on creating the new lockbox key, refer to the Warehouse Connector section under the Post Upgrade Tasks in the Upgrade Guide for NetWitness 12.5.1.0.
Product Version Life Cycle for NetWitness Platform
The following section describes the new enhancements for the Dashboard component:
New Home Pages
NetWitness introduces a new Home page menu that consists of Admin, Analyst, and Manager views. Each home page consists of multiple widgets. Administrators, Analysts, and SOC Managers can access the respective widgets, which display certain data in graphical form. The data can be associated with Endpoints, Users, Assets, Content, Incidents, Alerts, MITRE ATT&CK, Retention, and more.
The following section describes the new enhancements for the Investigate component:
Web Reconstruction from Events View
Analysts can safely reconstruct the web view of the target event from the Events > Web Reconstruction view if a user has visited web pages related to a particular event. NetWitness can reconstruct the same web page by using the data available in packets, displaying the web page, and relating it to the images and CSS styles as accurately as possible. This web reconstruction process enables analysts to gain valuable insights into the web activity performed, facilitating effective analysis and investigation.
A new user preference, Enhance Reconstruction for Web View, has been added to the Events Preferences panel in the Investigate > Events view. This preference is enabled by default for all users. It improves the reconstruction of web pages by using the CSS, images, and links associated with the event to format the view, thus allowing analysts to better understand the context and details of the events they are reconstructing. This enhancement allows analysts to conduct a more informed and accurate analysis and take appropriate actions.
Introducing Web View Reconstruction Settings from System View
NetWitness introduces the new Web View Reconstruction Settings in the (Admin) > System > Investigation view. This setting on the Events tab allows administrators to enhance the reconstruction of web views by scanning and reconstructing related events that share the same supporting files. When reconstructing a web view spanning multiple events, the system can improve the target event's reconstruction by including related events that contain relevant images and CSS files. Only HTTP service-type events with the same source address as the target event and a timestamp within a specified time range before and after the target event will be scanned. Administrators can also configure the maximum number of related events to scan, providing greater flexibility and precision in web view reconstruction. The Advanced Settings option displays all configurable settings in this section.
For more information, see the Web View Reconstruction Settings section of the Investigation Configuration Panel topic in the System Configuration Guide.
Create Custom Events Widget from Query
During the investigation, administrators and analysts can now create an Event widget from the Investigate > Events view. Users can add any number of filters to the query search bar and convert these searches into Event widgets for improved detection and monitoring. The newly created widget will be saved for quick access under the Home page library. Users can then add the Event widget to the Dashboard Layout view (Admin, Analyst, or Manager) under the Home page and customize its configuration to suit their needs. This feature enhances the monitoring and analysis of events, allowing users to track and watch relevant and important events in real time.
Analysts can now sort the results of each meta key by the number of packets in the session on the Investigate > Events page. You can sort the results by Value or Total and in ascending or descending order. By sorting the meta key results by packet count, you can easily find the most or least frequent meta values that occurred in the user environment and can be used for further investigation or analysis.
For more information, see the Set the Ordering Method for Meta Values section of the Drill into Metadata in the Events View topic in the NetWitness Investigate User Guide for 12.5.
Respond
The following section describes the new enhancements for the Respond component:
Alerts View Enhancement
The Export option in Respond > Alerts > Select an alert > More Actions allows you to export and download the original and normalized alerts along with the events in JSON format. NetWitness Platform allows you to export up to 1000 alerts at a time for offline investigation.
For more information, see Export Alerts Data in NetWitness Respond User Guide for 12.5.
OOTB Response Actions
Introduces Out of the Box (OOTB) actions as part of the Response Actions Service. The OOTB actions "Contain Host" and "Lift Containment on Host" are enabled for CrowdStrike, both directly and when CrowdStrike is integrated through NetWitness Orchestrator. This enhancement allows analysts to execute response actions manually after reviewing an incident or automatically as part of a triggered incident.
For more information, see Response Actions in NetWitness Response Actions Configuration Guide for 12.5.
Whitelist Enhancement
The Whitelist feature has been enhanced to include alerts for Event Stream Analysis and NetWitness Core services. You can now whitelist unwanted and recurring non-suspicious alerts for these services. This allows you to select specific entities and set whitelist conditions to prevent unwanted alerts for those entities.
For more information, see Whitelists List View in NetWitness Respond User Guide for 12.5.
Insight
The following section describes the new enhancements for the Insight component:
New Assets View for Network Assets Detection and Investigation
NetWitness introduces a new Assets view within the Hosts > Assets menu. This view provides a centralized location where all the network assets detected within your environment are listed along with their associated details, such as the asset IP, asset type, asset category, enterprise network exposure, peer network exposure, peer activity exposure, first seen, and last seen. You can use filters to narrow down the assets by different criteria. This view helps analysts easily identify and prioritize assets behaving abnormally or unfamiliar assets, enabling them to take immediate action to mitigate potential security risks.
New Insight Alerts for Network Assets
NetWitness introduces two new Insight alerts to help you monitor and respond to changes in your network assets. These alerts are available in the Respond > Alerts view and are based on the asset type and the exported services of each asset.
Asset type change over time: This alert is generated when there is a change in an asset's type (for example, client to server) after the same type was observed for 7 consecutive days.
Asset exported services change over time: This alert is generated if there is a change in the number of services exported by an asset after the same number of services was observed for 7 consecutive days, even if the asset category remains unchanged.
These alerts help analysts to identify and investigate any potential anomalies or threats in their environment.
The following section describes the new enhancements for the UEBA component:
UEBA Anomaly Detection using Day of the Week
NetWitness UEBA enhances its anomaly detection capabilities by introducing the Day of the Week feature. This feature enables the detection of non-standard access patterns that may indicate a compromised account or an insider threat. When a monitored user or a network entity activity on a particular day of the week differs from its usual baseline, UEBA flags it as an anomaly, generates a Non-Standard Access or Non-Standard Activity alert, and notifies the analysts for further investigation and verification. For further information on the monitored activities tracked for Non-Standard Access and Non-Standard Activity, please see the topic Alert Types in the NetWitness UEBA User Guide.
For example, a user accessed Active Directory on an abnormal day. The user typically works from Monday to Friday, but they logged in on a Sunday and made Active Directory changes. NetWitness UEBA detected this behavior as an anomaly based on the day of the week enhancement, which indicates that this is an unusual day for this user to make changes in AD, and generated an alert for the analysts to investigate.
MITRE ATT&CK Mapping for UEBA
NetWitness now integrates MITRE ATT&CK framework mapping for UEBA alerts and incidents. This mapping helps analysts understand the attacker's potential tactics, techniques, and sub-techniques behind detected activities by correlating them with known behaviors. When investigating UEBA alerts and incidents, analysts can see a list of mapped tactics and techniques from the Respond view, along with a dedicated ATT&CK Explorer panel that provides further context and related information, which eliminates the need to visit MITRE's website for ATT&CK information. This enhancement provides valuable insights into threat severity and nature, enabling faster and more informed response decisions.
For example, a UEBA alert identified suspicious remote access behavior from a user account. This behavior aligns with the MITRE ATT&CK tactic Lateral Movement and the technique Remote Services, alerting analysts to investigate a possible attempt to obtain data and take necessary actions.
For more information on the MITRE ATT&CK framework usage for UEBA, see the topic Use MITRE ATT&CK® Framework in the NetWitness Respond Guide 12.5.
Added JA4 Support in UEBA for Improved Client Identification and Threat Detection
NetWitness has added support for the JA4 fingerprint, which is the default for UEBA from version 12.5 onward. This change is implemented because JA4 is identified as the most reliable and improved client identification method. JA4 leverages TLS Client Hello packets to identify application-specific traffic patterns and create unique fingerprints for each application. This reduces the total number of unique fingerprints for modern browsers. As a result, a single client will have only one JA4 fingerprint instead of multiple ones, making it easier to track and monitor. This improvement in UEBA with JA4 helps to identify the fingerprints of malicious applications and enables analysts to proactively identify and mitigate threats hidden within encrypted traffic.
Enhanced UEBA for Detection of Kerberos and Explicit Logon Activity
NetWitness UEBA has enhanced its detection capabilities for logon activities by introducing two new indicators and modeled behaviors specifically for Kerberos and Explicit Logons. This enhancement allows for more precise differentiation between various logon events within your environment, significantly reducing false positives and inconsistencies related to Kerberos and Explicit logon activities. By separating these logon types, analysts can more effectively identify abnormal logon behaviors and protect their environment from possible threats. These new indicators provide deeper insights into logon activities, helping analysts effectively monitor and investigate any suspicious or malicious behavior.
For example, a Multiple Failed Logons alert can be triggered when anomalous activity is identified for multiple failed authentication attempts in both Kerberos and Explicit Logon activity.
For more information, see the Logon Activity Indicators section of the NetWitness UEBA Use Cases topic in the NetWitness UEBA User Guide for 12.5.
SASE Capability
The following section describes the new enhancement for SASE:
NetWitness SASE Integration with Netskope (Private Preview Mode)
Introduces a NetWitness integration with Netskope SASE to provide complete network and log visibility. With this custom technical integration, NetWitness users gain insight into behavior and communication among devices and services in remote and distributed networks across on-premises, hybrid, and cloud deployments. The NetWitness-Netskope SASE integration enables customers to leverage SASE flexibility and its inherent security advantages while retaining complete visibility for threat detection and response. In the 12.5 release, the NetWitness SASE integration with Netskope is in Private Preview Mode.
Endpoint
The following section describes the new enhancements for the Endpoint component:
Exclusion of Specific Files and Folders from Agent Full System Scans
You can configure the NetWitness Platform to exclude specific files and folders from NetWitness Endpoint Agent full system scans. When you exclude files or folders, the NetWitness Endpoint Agent ignores them when it scans for security risks. If you exclude files and folders with large sizes, you might find that Endpoint Agent scan time is reduced. Excluding a file or folder from the NetWitness Endpoint Agent scans reduces the protection level of hosts on your network. It should be used only if you have a specific need and are confident the items are not infected. You can exclude files and folders only from a Full System Scan.
Optimizing Performance: Load Balancing Capabilities in Endpoint Servers
The newly introduced load balancing feature enables administrators to distribute agents' loads equally across the endpoint servers in the environment.
As organizations grow, the need to add new agents for deployments increases, and distributing agents across Endpoint Servers becomes difficult. Without load balancing, administrators must download a different Packager for each endpoint server and use policies to distribute the load based on conditions. With the load balancing feature, customers only need to download one agent packager and push it to all the endpoint agents. Based on the defined load and parameters, the agents are distributed equally across Endpoint Servers.
By implementing load balancing, organizations can ensure that their deployment scales efficiently, reducing the risk of overloading any single endpoint server and maintaining optimal performance across the network. To use the load balancing capability, you need to enable load balancing.
For more information on load balancing, see the “About Load Balancing” and “Enable Load Balancing” topics in the NetWitness Endpoint User Guide.
Ability to Monitor Endpoint Agents' Last-seen Details
NetWitness Platform enables administrators and analysts to regularly create reports detailing the number of endpoint agents that haven't reported for a specified number of days, ensuring compliance and governance in the organization. Understanding when the endpoint agent was last active provides insights into the overall performance of the endpoint devices. Monitoring the endpoint agents’ last-seen status is crucial for ensuring security, compliance, operational efficiency, and effective resource management within an organization.
The following enhancements are made for CCM in 12.5.0.0 version:
Support for Native Parsers
View Parser Metadata Configuration
The Policy Details > Parser view has been enhanced to show the Parser Metadata Configuration in the right-hand panel, which displays all the meta keys for the selected parser.
The Policy Details > Parser view has also been enhanced to enable or disable specific parser meta, giving you the capability to decide whether to use native parsers or not. You can:
Enable all meta
Disable all meta
Make all meta transient
Enable individual meta
Disable individual meta
Make individual meta transient
View Native Parsers Enabled for Services and Attached to Policy
You can easily view the Native Parsers enabled for services and attached to a policy as they are automatically displayed in the Policy Details page.
Distinguish between Native Parsers and LUA Parsers while Creating a Policy
A distinguishable identifier is shown for native parsers in the Create Policy or Edit Policy page to help you tell native parsers and LUA parsers apart while creating a policy.
You can filter the native parsers in the Create Policy, Edit Policy and Policy Details page enabling you to easily select or view the native parsers required for the policy. This will streamline the process and enable you to easily add or remove native parsers during policy creation or modification.
Concentrator, Decoder, Log Collector, and Archiver Services
The following enhancements are made for Concentrator, Decoder, Log Collector, and Archiver Services in 12.5.0.0 version:
Introducing JA4 TLS Fingerprinting
JA4 identifies application-specific traffic patterns by analyzing the TLS handshake negotiations (Client Hello), thus enhancing the UEBA threat detection capabilities.
For more information, see Support for the JA4 Entity for UEBA topic in the Decoder Configuration Guide.
Logstash Event Sources
Introduced NetWitness JDBC Logstash Input plugin support to collect logs from MSSQL, IBMDB2, and Oracle databases.
For more information, see Configure Logstash Event Sources in NetWitness topic in the Log Collection Guide.
Extended Meta
Extended Meta is an optional configuration that increases the length of values that can be stored in the meta database, providing better accuracy for use cases that require matches on long strings.
Extended Meta provides a way to selectively configure certain meta keys to support values greater than 256 bytes. With this feature, meta values previously truncated by the 256 bytes limit can now be extended up to 4,096 bytes in length.
For more information, see the Extended Meta Guidelines mentioned in the NetWitness Extended Meta User Guide for 12.5.
Application Rule Tracking
Tracks how often an application rule is matched and lets you reset the counter for troubleshooting purposes.
For more information, see the API Guide for 12.5.
Log Integrations
NetWitness Platform supports the integration of the following event sources to collect and parse logs. Unless specified, these services are supported on NetWitness Platform 12.2.0.0 or later.
The following section describes the new enhancements for the Context Hub component:
Improved Threat Intelligence with STIX 2.x Integration
NetWitness has enhanced its threat detection and security monitoring capabilities by integrating support for STIX 2.x feeds, including versions 2.0 and 2.1. Administrators can now utilize STIX 2.x (JSON format) to configure File, REST, and TAXII Server as data source indicators for Context Hub. This enhancement allows you to create custom feeds using STIX 2.x data sources. The NetWitness platform analyzes data in the background to extract valuable threat intelligence and identify malicious patterns, providing enriched context through Context Lookup on the Investigate and Respond pages and helping analysts to conduct investigations more effectively.
This enhancement simplifies the utilization of structured threat intelligence by eliminating many previous constraints, allowing for more descriptive and effective reporting of sightings. This integration involves the conversion of structured threat intelligence from STIX format into a format that the SIEM system can easily understand and use, thus enhancing its effectiveness in protecting against threats.
The following section describes the new enhancements for the Live Cloud Service component:
Manage Custom Community Content on NetWitness Live
NetWitness introduces the new My Content feature, allowing users to seamlessly manage custom content directly from the NetWitness Live UI. This includes uploading, deleting, and downloading user-created content like Log Devices, Event Stream Analysis rules, parsers, feeds, etc. This feature provides users with a more efficient way to share useful and relevant custom content among users, reducing the time and effort required to publish content through content publication teams. Users can choose from a range of content options that suit their needs and use cases.
Note: The NetWitness Live My Content feature supports only Log Device and ESA content in this release.
Addresses the latest security vulnerabilities reported against various libraries the NetWitness Platform uses, including one critical (CVE-2016-1000027), 35 major, 103 moderate, and 16 minor vulnerabilities.
IMPORTANT: If you want to upgrade from 11.7.x or 11.7.x.x versions to 12.5.0.0 version, you must first upgrade to 12.2.0.0 or 12.3.0.0 version before upgrading to 12.5.
IMPORTANT: The Warehouse connector uses a lockbox to store credentials securely for data integration sources and destinations. However, users upgrading from earlier versions to the 12.5 version cannot start the configured streams without migrating their existing credentials in the new lockbox. As a result, users must manually create a new lockbox key and then refresh the password for their sources and destinations configured in Warehouse Connector, wherever applicable. For detailed instructions on creating the new lockbox key, refer to the Warehouse Connector section under the Post Upgrade Tasks in the Upgrade Guide for NetWitness 12.5.0.0.
Product Version Life Cycle for NetWitness Platform
The NetWitness 12.4.2.0 Release Notes describe several defects, critical security patches for vulnerabilities reported, upgrade paths, fixed issues, known issues, build numbers, and self-help resources.
Fixes and Security Patches
The following sections are a complete list and description of fixes and security patches:
The Product Documentation section has links to the documentation for this release.
Platform
AlmaLinux OS Upgrade: When you upgrade to the NetWitness 12.4.2 version, the system is automatically migrated to AlmaLinux 8.10. The NetWitness Platform 12.4 upgrade process is an automatic in-place upgrade of both the operating system and the NetWitness software. You do not have to follow any specific procedure for upgrading the operating system to AlmaLinux 8.10.
Kernel updates fail to generate the required initramfs and vmlinuz binaries corresponding to the latest kernel required for booting the OS. This can lead to a kernel panic if the node is rebooted without these files and can cause a NetWitness upgrade failure. This issue is now resolved in the 12.4.2 release.
HTTP Strict Transport Security (HSTS) is an optional response header that can be configured on the server to instruct the browser to communicate only via HTTPS. The remote HTTPS server does not enforce HSTS in the NetWitness user interface, and vulnerability scanners have flagged this on a few ports. The absence of HSTS leaves the interface vulnerable to downgrade attacks and SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections. This issue is now resolved in the 12.4.2 release.
NetWitness User Interface
The event time of Critical and High Alerts displayed on the Host Details view is incorrect. Also, an error message "Unable to fetch events, server may be down or inaccessible" is displayed. As a result, the High alerts are not rendered in the NetWitness UI. This issue is now resolved in the 12.4.2 release.
Unable to log in using AD accounts (applies to PAM and NetWitness users) after upgrading to 12.4 when the user has more than one role and the default landing page is not Springboard. This issue is now resolved in the 12.4.2 release.
Event Source Management (ESM)
The Event Source Management server allows manually mapped parsers along with other parsers, which creates inconsistencies in parsing the logs. This issue is now resolved in the 12.4.2 release.
System Management Service (SMS)
The total number of events on the Event Sources tab and Investigate page do not match. Some of the events are missing in the Event Sources list. This issue is now resolved in the 12.4.2 release.
ESM alarms from log sources are not received after upgrading to 12.3.1. This issue is now resolved in the 12.4.2 release.
Even after deleting events from Event Sources, some events appear again in the Event Sources tab. This issue is now resolved in the 12.4.2 release.
Importing the attributes from the CMDB to the event source on ESM causes the ESM database to get corrupted. This issue is now resolved in the 12.4.2 release.
Legacy Web Server
No results appeared when attempting a Context Lookup for a value from the Investigate page. The Context Lookup issue affected only the Investigate > Navigate and Legacy Events pages. This issue is now resolved in the 12.4.2 release.
This issue is not observed on the Investigate > Events page.
Security Updates
Addresses the latest security vulnerabilities reported against various libraries the NetWitness Platform uses, including two critical (CVE-2023-6816, CVE-2016-1000027), 36 major, 97 moderate, and 16 minor vulnerabilities.
Do not deploy the Admin Server node on a public IP address. An internet-reachable Admin Server is exposed to directory traversal attacks against endpoints such as /nwrpmrepo and /service-mappings.json, which reveal private IP addresses, RPMs, and other executables that must never be reachable from the internet. Keeping the Admin Server on an internal address prevents unauthorized access to the NetWitness environment.
IMPORTANT: If you want to upgrade from 11.7.x or 11.7.x.x versions to 12.4.2.0 version, you must first upgrade to 12.2.0.0 or 12.3.0.0 version before upgrading to 12.4.2.
IMPORTANT: The Warehouse connector uses a lockbox to store credentials securely for data integration sources and destinations. However, users upgrading from earlier versions to the 12.4 version cannot start the configured streams without migrating their existing credentials in the new lockbox. As a result, users must manually create a new lockbox key and then refresh the password for their sources and destinations configured in Warehouse Connector, wherever applicable. For detailed instructions on creating the new lockbox key, refer to the Warehouse Connector section under the Post Upgrade Tasks in the Upgrade Guide for NetWitness 12.4.2.0.
Product Version Life Cycle for NetWitness Platform
The following section describes the new enhancements for ESA component:
Enable Smooth Failover and Recovery with ESA Standby Node
The NetWitness Platform enables administrators to perform smooth failovers with minimal processes and tools involved in the entire design, making it easier for the clients to minimize downtime during service interruptions. Administrators can set up an ESA Standby node in the event of a disaster or unplanned outage of the original active ESA Primary node. Recovery involves switching from the active ESA Primary node to the ESA Standby node by taking Mongo and configuration backups of the active ESA Primary system and restoring them to the ESA Standby with the required configurations to ensure uninterrupted access to ESA correlation and context hub services. The new ESA Primary node should be configured with its unique IP and host details, ensuring a seamless setup process that is not hindered by prior configurations.
The following section describes the new enhancements for UEBA component:
Deprecation of JA3 Entity from UEBA
NetWitness no longer supports JA3 as an entity for UEBA, starting from version 12.4.1. This change is implemented because JA3 is identified as an unreliable client identification method. The effectiveness of JA3 fingerprinting in determining the true identity of clients is no longer accurate due to the adoption of client TLS extension randomization. With randomization, a single client can have numerous JA3 fingerprints instead of just one. This makes it difficult for UEBA to accurately distinguish between normal and malicious activity.
For more information, see NetWitness UEBA User Guide for 12.4.1.
Insight
This section describes the functional improvements made to the Insight component:
Improved Network Assets Identification and Classification
This release introduces improvements to the NetWitness Analytics network asset identification process to ensure accurate classification and reduce misconfigurations.
If users are running Port Scanners in their environment, it is important to remember that these Port Scanners can generate significant traffic. Such traffic could impact the NetWitness Analytics and result in misclassification of servers as clients, affecting enterprise network exposure, peer network exposure rankings, asset category, and detection accuracy for each asset. To prevent network asset misclassification, contact NetWitness Customer Support and provide them with the list of Port Scanner IPs. Your information will be used by NetWitness Analytics to improve asset identification and classification.
If your internal IP address space does not use the RFC 1918 private ranges, NetWitness Analytics may not recognize those addresses as internal. As a result, some internal assets may be classified as external, or vice versa. To avoid this, contact NetWitness Customer Support and provide your internal IP ranges; NetWitness Analytics uses this information to improve asset identification and classification.
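Both the Admin Server warning above (do not expose it on a public address) and the RFC 1918 note are questions a script can answer before opening a support case. The following is an added example written for this page, not NetWitness code: it classifies addresses against the RFC 1918 and RFC 4193 private ranges, flags service bindings that would face the internet (a wildcard bind counts, since it listens on every interface), and lists the internal ranges a site uses that fall outside RFC 1918 and therefore need to be reported. The sample bindings and ranges are constructed; treating carrier-grade NAT space (100.64.0.0/10) as a separate class is this example's choice, not documented NetWitness behaviour.

```python
"""Classify addresses as RFC 1918 / RFC 4193 private or external.

Added example, not NetWitness code. Sample data below is constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple

# RFC 1918 (IPv4) and RFC 4193 unique local (IPv6) ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC4193 = ipaddress.ip_network("fc00::/7")
# Used as internal space at many sites, but NOT RFC 1918 (RFC 6598).
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """One of: local, rfc1918, rfc4193, cgnat, external."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_link_local:
        return "local"
    if ip.version == 4 and any(ip in n for n in RFC1918):
        return "rfc1918"
    if ip.version == 6 and ip in RFC4193:
        return "rfc4193"
    if ip.version == 4 and ip in CGNAT:
        return "cgnat"
    # Anything else is what an analytics engine keyed on RFC 1918 would call external.
    return "external"


def public_listeners(bindings: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """(address, port) pairs that would expose a service beyond the private network.
    '0.0.0.0' and '::' are flagged because they bind every interface, public ones included."""
    exposed = []
    for addr, port in bindings:
        if addr in ("0.0.0.0", "::") or classify(addr) == "external":
            exposed.append((addr, port))
    return exposed


def non_rfc1918_ranges(ranges: Iterable[str]) -> List[str]:
    """Internal ranges a site uses that are outside RFC 1918 / RFC 4193:
    the list to hand to support so they are not classified as external."""
    out = []
    for r in ranges:
        net = ipaddress.ip_network(r, strict=False)
        private = (net.version == 4 and any(net.subnet_of(n) for n in RFC1918)) or \
                  (net.version == 6 and net.subnet_of(RFC4193))
        if not private:
            out.append(str(net))
    return out


# Constructed sample data (hypothetical bindings and site ranges).
SAMPLE_BINDINGS = [("192.168.10.5", 443), ("0.0.0.0", 15671), ("203.0.113.7", 443)]
SAMPLE_RANGES = ["10.20.0.0/16", "100.64.0.0/10", "198.18.0.0/15", "fd00:1::/48"]

if __name__ == "__main__":
    print("exposed listeners:", public_listeners(SAMPLE_BINDINGS))
    print("ranges to report:", non_rfc1918_ranges(SAMPLE_RANGES))
```

On a host, the bindings can be collected with ss -ltnH and fed to public_listeners; any entry it returns for the Admin Server's HTTPS or repository ports is exactly the exposure the note above warns about.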
Concentrator, Decoder, Log Collector, and Archiver Services
The following enhancements are made for Concentrator, Decoder, Log Collector, and Archiver Services in 12.4.1.0 version:
Improved Packet Decoder Parsing with Maximum Parse Limit Per Protocol
NetWitness Platform optimizes the Packet Decoders for the most effective detection and investigation, balancing high performance with depth of visibility.
Administrators can now change the scanning depth limit depending on the detected protocol. A different parse.bytes.max value can be set for each protocol, focusing parsing and metadata generation on the sessions that are most valuable.
Improved Packet Decoder Parsing with Maximum Parse Limit Step Function
NetWitness Platform allows parsers to keep stepping through a session as tokens are found, on a per-protocol basis, so that meta is generated deeper into the sessions that warrant it. With Step Scan, the scan engine continues scanning from the position of the last token found for the specified number of bytes. This repeats each time a token is found and continues until the scan reaches the end of the stream or no further tokens are found. Administrators can thereby push parsing further into a session for protocols that tend to produce long sessions with potential threats.
Introduction of Meta Keys to Track Bytes Scanned per Session
NetWitness Platform has introduced two new meta keys that track the number of bytes scanned per session: scanned.client and scanned.server, for the client and server streams respectively. Administrators can review how far a session scan progressed and compare it with the configured parse limit and the session size. This is disabled by default and is turned on by enabling the ScannerAnalytics parser. These meta keys are indexed as UInt64 with index level IndexKeys, so all standard integer queries apply.
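The three settings above (a per-protocol parse.bytes.max, Step Scan, and the scanned.client/scanned.server meta) are easiest to reason about side by side. The following is an added illustrative model written for this page, not the NetWitness parse engine: fixed_scan() stops at the protocol's byte limit, step_scan() extends the window by a fixed step past every token it finds, and both return the number of bytes scanned, which is what the scanned.* meta keys record for the real engine. The HTTP token list, the client stream and the per-protocol limits are constructed and deliberately small.

```python
"""Fixed-limit parsing versus Step Scan, as an illustrative model.

Added example, not the NetWitness Decoder parse engine. The per-protocol
limits, the tokens and the sample stream are all constructed for the demo.
"""
from typing import Dict, List, Optional, Sequence, Tuple

# Hypothetical per-protocol scanning depth, in the spirit of parse.bytes.max.
PARSE_BYTES_MAX: Dict[str, int] = {"HTTP": 64, "SMB": 4096, "default": 1024}

Hit = Tuple[int, bytes]          # (offset, token)
ScanResult = Tuple[List[Hit], int]  # (hits, bytes_scanned)


def _next_token(stream: bytes, tokens: Sequence[bytes], start: int, limit: int) -> Optional[Hit]:
    """Earliest token whose bytes lie wholly inside [start, limit), or None."""
    best: Optional[Hit] = None
    for tok in tokens:
        i = stream.find(tok, start, limit)
        if i != -1 and (best is None or i < best[0]):
            best = (i, tok)
    return best


def fixed_scan(stream: bytes, tokens: Sequence[bytes], parse_bytes_max: int) -> ScanResult:
    """Scan only the first parse_bytes_max bytes of the stream."""
    limit = min(parse_bytes_max, len(stream))
    hits: List[Hit] = []
    pos = 0
    while (hit := _next_token(stream, tokens, pos, limit)) is not None:
        hits.append(hit)
        pos = hit[0] + len(hit[1])
    return hits, limit


def step_scan(stream: bytes, tokens: Sequence[bytes], parse_bytes_max: int, step: int) -> ScanResult:
    """Start with parse_bytes_max; after each hit, extend the window to
    (end of that token + step). Stops at end of stream or when the current
    window holds no further token. The returned byte count models scanned.client."""
    limit = min(parse_bytes_max, len(stream))
    hits: List[Hit] = []
    pos = 0
    while (hit := _next_token(stream, tokens, pos, limit)) is not None:
        hits.append(hit)
        pos = hit[0] + len(hit[1])
        limit = min(len(stream), max(limit, pos + step))
    return hits, limit


# Constructed client stream: headers of interest separated by padding so
# that the later ones sit beyond a 64-byte fixed limit (total length 282).
HTTP_TOKENS = [b"GET ", b"Host:", b"Cookie:", b"X-Auth:"]
CLIENT_STREAM = (b"GET /index.html HTTP/1.1\r\n"
                 + b"Host: example.test\r\n"
                 + b"A" * 100
                 + b"Cookie: session=abc\r\n"
                 + b"B" * 100
                 + b"X-Auth: token\r\n")

if __name__ == "__main__":
    limit = PARSE_BYTES_MAX["HTTP"]
    print("fixed  :", fixed_scan(CLIENT_STREAM, HTTP_TOKENS, limit))
    print("step128:", step_scan(CLIENT_STREAM, HTTP_TOKENS, limit, 128))
    print("step100:", step_scan(CLIENT_STREAM, HTTP_TOKENS, limit, 100))
```

The step size is the trade-off to watch: with a 100-byte step the scan stalls after Host: because the next token begins beyond the extended window, while 128 bytes chains through to X-Auth: at the end of the stream. Comparing scanned.client against the session size in the real system tells you which of these two situations a given protocol is in.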
Log Integrations
NetWitness Platform supports the integration of the following event sources to collect and parse logs. Unless specified, these services are supported on NetWitness Platform 12.2.0.0 or later.
IMPORTANT: Do not deploy the Admin Server node on a public IP address. An internet-reachable Admin Server is exposed to directory traversal attacks against endpoints such as /nwrpmrepo and /service-mappings.json, which reveal private IP addresses, RPMs, and other executables that must never be reachable from the internet. Keeping the Admin Server on an internal address prevents unauthorized access to the NetWitness environment.
IMPORTANT: If you want to upgrade from 11.7.x or 11.7.x.x versions to 12.4.1.0 version, you must first upgrade to 12.2.0.0 or 12.3.0.0 version before upgrading to 12.4.1.
IMPORTANT: The Warehouse connector uses a lockbox to store credentials securely for data integration sources and destinations. However, users upgrading from earlier versions to the 12.4 version cannot start the configured streams without migrating their existing credentials in the new lockbox. As a result, users must manually create a new lockbox key and then refresh the password for their sources and destinations configured in Warehouse Connector, wherever applicable. For detailed instructions on creating the new lockbox key, refer to the Warehouse Connector section under the Post Upgrade Tasks in the Upgrade Guide for NetWitness 12.4.1.0.
Product Version Life Cycle for NetWitness Platform
The following section describes the new enhancement for Upgrade:
Alma OS Migration
Red Hat announced that CentOS Linux 7 reaches end of life (EOL) on June 30, 2024. To address this, NetWitness Platform now ships on AlmaLinux. When you upgrade to NetWitness 12.4, the system is automatically migrated from CentOS 7.9 to AlmaLinux 8.9. The NetWitness Platform 12.4 upgrade runs like any previous upgrade; no separate procedure is required to move to AlmaLinux. AlmaLinux provides several key benefits and new features:
The upgrade to AlmaLinux is an inherently automated process with zero manual intervention.
It comes with a pre-upgrade tool that helps administrators discover and mitigate issues before running the actual upgrade process.
Saves time and administrative efforts.
Retains control over installed applications.
Preserves most of the configuration information.
NetWitness Platform streamlines the upgrade process, saves time and resources, and maintains control over installed applications and configurations when migrating from CentOS 7.9 to AlmaLinux 8.9.
SASE Capability
The following section describes the new enhancement for SASE:
NetWitness SASE Integrations
NetWitness SASE Integration with Palo Alto Networks - Introduces NetWitness integration with Palo Alto Prisma SASE to provide complete network and logs visibility. With this custom technical integration, NetWitness users gain insight into behavior and communication among devices and services in remote and distributed networks across on-premises, hybrid, and cloud deployments. The NetWitness-Palo Alto SASE integration enables customers to leverage SASE flexibility and its inherent security advantages while retaining complete visibility for threat detection and response.
NetWitness SASE Integration with Symantec by Broadcom (Private Preview Mode) - Introduces NetWitness integration with Symantec by Broadcom SASE to provide complete network and logs visibility. With this custom technical integration, NetWitness users gain insight into behavior and communication among devices and services in remote and distributed networks across on-premises, hybrid, and cloud deployments. The NetWitness-Broadcom SASE integration enables customers to leverage SASE flexibility and its inherent security advantages while retaining complete visibility for threat detection and response.
Note: In 12.4 release, NetWitness SASE integration with Symantec by Broadcom is in Private Preview Mode.
Administrators can now opt for a Hybrid Cloud model for SASE. The SASE Hybrid Cloud Configuration is a data-driven design. The SASE hybrid cloud provides more efficient and secure communications between the NetWitness platform components. The NetWitness Admin Server contains a script nw-create-cloud-hybrid, which will deploy the NetWitness Overlay Network and the defined NetWitness Nodes in their respective regions in the Google Cloud Platform (GCP). The NetWitness Peer-to-Peer Network (nw-ppn) provides secure, mutually authenticated, PKI-based communication between NetWitness components.
The following section describes the new enhancements for the Investigate component:
Interactive Network Parser Creation
In the Investigate > Events view, users can convert the exact patterns selected or keywords found in the network traffic they review in text session reconstruction into a network parser. This streamlined process allows the user to generate meta to trigger an incident (e.g., a future detection) without understanding how to create the parser.
Users can also create a network parser using keywords from the (Configure) > Policies > Content Library > More > Search Pattern Rule view.
Download More Sessions than Displayed in Events Table
A new user preference, Maximum Session Export Limit, has been added to the Events Preferences panel in the Investigate > Events view. Analysts can use this setting to adjust the number of available sessions for exporting using the Download All menu options. This enhancement makes the number of exported sessions independent from the number of sessions displayed in the Events table.
Analysts can now use custom names when downloading event files from the Events panel view. Custom names make it easier to organize and manage downloaded event files, saving analysts time and effort.
The following section describes the new enhancements for the Respond component:
MITRE ATT&CK® Integration with NetWitness
MITRE ATT&CK® is a curated knowledge base of adversary Techniques and Tactics. It provides an appropriate level of categorization for adversary action and specific ways of defending against it. Analysts can view the high-level list of specified tactics, techniques, and sub-techniques, along with their details, and learn how potential threats and vulnerabilities in their environment are associated with the MITRE ATT&CK framework.
NetWitness Live is integrated with MITRE ATT&CK framework to help analysts to view the MITRE ATT&CK Tactics and Techniques associated with the Application Rules and Event Stream Analysis Rules. The Service Details Right panel ( (Configure) > Policies > Content > Content Library > Application Rule or Event Stream Analysis Rule > click a row > Service Details Right panel) is enhanced to provide information about the MITRE ATT&CK Tactics and Techniques.
You can tag MITRE ATT&CK Tactics and Techniques while creating a custom Application Rule or Event Stream Analysis Rule.
You can also select the MITRE ATT&CK Tactics and Techniques while creating an incident from the Investigate > Events view.
Response Actions are the reactive operations performed on configured metas using a third-party tool or connector such as ThreatConnect after triaging an event. Response Actions, the new feature added in (CONFIGURE) > More allows you to perform the following actions:
Create and manage Response Actions for the supported metas available in Respond, Investigate, Hosts, and Users view.
Perform Quick Actions on the configured meta and post the meta with additional parameters to the connector for taking further actions.
The following section describes the new enhancements for the Insight component:
Whitelist Insight Alerts in Respond View
Administrators and analysts can now whitelist unwanted and recurring Insight alerts generated in the Respond > Alerts view. This enhancement provides the ability to select specific values, such as IP Address and Asset Type, and define a Whitelist condition to prevent unwanted alerts from being generated for these values. Using this enhancement, analysts can streamline the alert management process by excluding specific IP addresses or asset types that are known to be reliable and secure. This optimization minimizes unnecessary alerts generated on the Respond > Alerts view, reducing the time and effort required to review and analyze alerts.
The following section describes the new enhancements for UEBA component:
Support for Cisco Adaptive Security Appliance (ASA) and Fortinet VPN Devices
NetWitness UEBA has added support for the Cisco ASA and Fortinet VPN devices. With this enhancement, UEBA can now process Cisco ASA and Fortinet VPN logs, which helps to gather and analyze user activity information.
For more information, see the UEBA Supported Sources by Schema section in the UEBA Configuration Guide.
UEBA Performance Improvements
The following performance improvements are made for UEBA in the 12.4.0.0 version:
Optimized the aggregation and accumulation models to generate and store models in parallel.
Optimized the hourly score aggregation task to aggregate and score in parallel.
For more information on the supported scale, see the Learning Period Per Scale for 12.4 topic in the UEBA Configuration Guide.
Endpoint
The following section describes the new enhancements for Endpoint component:
View Installed Applications
The Hosts details > System Info view has been enhanced to allow analysts to view the information about the various applications installed on a Windows machine.
The following enhancements are made for CCM in 12.4.0.0 version:
Enhancements for Proper Functioning and Deployment of Custom Parsers into Services through CCM
Introduced the capability to import individual XML (Log Device content type) to Content Library. You can upload either the base parsers or extended parsers as a standalone XML file. While importing XML files, you can optionally associate it with its corresponding base parser, effectively treating it as an extension parser. To import a standalone XML as an extended parser, select Import as Extended Custom Parser in the Import screen.
The Content Library now displays base parsers and extension parsers as distinct items, providing a clear and organized view for users. This separation ensures that users can easily identify and manage both types of parsers within the library. Furthermore, when an extension parser is added to a policy, the corresponding base parser is automatically included in the policy as well. This streamlined integration simplifies the process for users, eliminating the need to manually link base and extension parsers when creating or editing policies.
Enhancements during Removal of a Service from Group
While removing a service from the group, you can opt to either delete the content from service and then remove the service from the group or remove the service from the group without deleting the content.
CCM is enhanced to re-migrate content from a service even if it has already been migrated and/or assigned to Groups and Policies. While migrating content from a service already associated with a policy, you can optionally update the associated policy with the migrated content. To update the existing policy and group for a service after re-migrating it, the options on the Migrate Content from Service page are now Create/Update Policy and Group for Each Service and Skip Creating/Updating a Policy and Group.
The MORE navigation menu is added to the CCM UI to view Bundles, Search Patterns, and Integrations by default. As you select the content type from the MORE menu, that content type appears on the left of the MORE menu.
Concentrator, Decoder, Log Collector, and Archiver Services
The following enhancements are made for Concentrator, Decoder, Log Collector, and Archiver Services in 12.4.0.0 version:
Capability to Deprecate the Use of IP Address for Basic Authentication
NetWitness has deprecated the use of an IP address for Windows Collection Basic Authentication. You must now use the FQDN in the Event Source Address and add an entry for the same FQDN in /etc/hosts when configuring Basic Authentication.
New Utility to Stream Meta From Decoders to 3rd Party Tools
Introduced a beta utility to stream meta from network decoders to other 3rd party tools, making it easy to integrate NetWitness Platform with other products. All or a subset of meta data can be streamed to limit the amount sent to the 3rd party tool depending on the use case.
NetWitness Platform supports the integration of the following event sources to collect and parse logs. Unless specified, these services are supported on NetWitness Platform 12.2.0.0 or later.
Single Sign-On (SSO) Authentication Independent of Active Directory (AD) Configuration in NetWitness
Starting from NetWitness Platform version 12.4, NetWitness offers SSO that is independent of AD configuration in NetWitness. It allows user authorization by using the list of user groups embedded in the SAML authentication token received from ADFS and verifying them against user groups already set up in NetWitness. This eliminates the need for users to configure or rely on Active Directory settings within NetWitness for user authentication. NetWitness now supports both Azure ADFS and Microsoft ADFS.
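The authorization step described above (take the group list carried in the SAML assertion and match it against groups configured in the product) is worth seeing as code, because the two checks that surround it decide whether the groups can be trusted at all. The following is an added example written for this page, not NetWitness code: it reads the group attribute from a constructed ADFS-style assertion, enforces the validity window and audience, and maps matching groups to roles, denying the login when none match. The attribute name, audience and group-to-role map are assumptions. Signature verification is deliberately left out here; in a real deployment the assertion's XML signature must be validated against the IdP's certificate before any of these values are read, and a hardened parser such as defusedxml should replace the standard library one.

```python
"""Authorize a SAML user from the group values in the assertion.

Added example, not NetWitness code. The assertion, attribute name, audience
and role map below are constructed / hypothetical. No signature check here.
"""
import xml.etree.ElementTree as ET  # use defusedxml in production
from datetime import datetime, timezone
from typing import Dict, List, Set

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"  # ADFS group claim type (assumed)
EXPECTED_AUDIENCE = "https://netwitness.example.test/saml/metadata"  # hypothetical SP id
# Locally configured mapping from IdP group to product role (hypothetical names).
GROUP_TO_ROLE: Dict[str, str] = {"NW-Admins": "Administrators", "NW-Analysts": "Analysts"}


def utc(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_groups(assertion_xml: str) -> List[str]:
    """All values of the group attribute, in assertion order."""
    root = ET.fromstring(assertion_xml)
    groups: List[str] = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUP_ATTR:
            groups += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return groups


def check_conditions(assertion_xml: str, now: datetime) -> List[str]:
    """Validity window and audience checks; an empty list means OK."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ["no Conditions element"]
    problems: List[str] = []
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < _ts(nb):
        problems.append("assertion not yet valid")
    if noa and now >= _ts(noa):
        problems.append("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append("audience mismatch")
    return problems


def authorize(assertion_xml: str, now: datetime) -> Set[str]:
    """Roles granted to the user; an empty set means the login is denied."""
    if check_conditions(assertion_xml, now):
        return set()
    return {GROUP_TO_ROLE[g] for g in extract_groups(assertion_xml) if g in GROUP_TO_ROLE}


# Constructed assertion in the shape ADFS emits (no Signature element here).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-06-01T12:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-06-01T12:00:00Z" NotOnOrAfter="2024-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://netwitness.example.test/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
      <saml:AttributeValue>NW-Analysts</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(authorize(ASSERTION, utc(2024, 6, 1, 12, 1)))   # {'Analysts'}
    print(authorize(ASSERTION, utc(2024, 6, 1, 12, 10)))  # set() - expired
```

Note that "Domain Users" is ignored rather than rejected: only groups present in the local map grant anything, which is what keeps a broad group claim from accidentally granting access when the IdP sends every group the user belongs to.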
IMPORTANT: If you want to upgrade from 11.7.x or 11.7.x.x versions to 12.4.0.0 version, you must first upgrade to 12.2.0.0 or 12.3.0.0 version before upgrading to 12.4.
Product Version Life Cycle for NetWitness Platform
The following section describes the new enhancements for the Investigate component:
Generate Charts from Events View
Administrators and analysts can now generate Adhoc and Schedule charts from the Investigate > Events page. With this enhancement, administrators and analysts can create various types of charts based on Event Count, Session Size, Packet Count, and Meta Key. These charts offer a more in-depth understanding of events and make it easier for analysts to investigate efficiently. Additionally, analysts can share these visualizations with others in various formats like PDF and CSV files, facilitating seamless collaboration and communication.
Administrators and analysts can now create real-time charts based on data from the Investigate > Events page. This feature provides a dynamic way to visualize your data and gain valuable insights as the data is continuously updated based on the configured time interval. This feature enables administrators and analysts to create a variety of chart types based on Event Count, Session Size, Packet Count, and Meta Key. It provides an all-in-one solution for tracking trends for analysts. Additionally, analysts can add these real-time charts to their Default Dashboard, allowing them to track critical data seamlessly within the organization.
The Events small timeline view has been improved with the addition of a border, making it easier for analysts to differentiate between the small and large timelines. This enhancement eliminates any confusion when using the zoom feature on the timeline and provides a clear view of the presented data.
When viewing session reconstructions in the Events view, the left click function is disabled for the time and event time in the Collection Time column of the events table to prevent accidental alterations, resulting in a smoother and more efficient workflow.
Load Service Hierarchy Faster on Events View
The Investigate > Events page may take longer than expected to load if the list of services to load includes Core hosts that have been shut down improperly. In such cases, NetWitness Platform users can customize the hierarchy-call-time-out parameter in the Admin > Services > Investigate Server > Explore view so that the services load before the request times out. The default value is 5 seconds.
Note: The time NetWitness Platform takes to load the services is the total time it takes to communicate with all services in the deployment. This load time may vary due to factors such as inaccessible services, stale connections, or an incorrect host connection status in the cache caused by a host being shut down improperly.
The following section describes the new enhancements for the Respond component:
Support for Custom Aggregation Rule Schema Configuration
A new custom_aggregation_rule_schema.json file is created in this release. This feature allows administrators to manage all the custom meta fields without modifying the Out-of-the-Box (OOTB) configuration. It enables administrators to add, edit, and delete alert fields to the requirements. It also ensures a seamless upgrade experience.
To simplify customization and avoid modifying the default configuration, administrators can use the custom_aggregation_rule_schema.json file, which keeps management simpler and makes migration seamless. Importing incident rules is also more convenient, and backward compatibility is maintained automatically.
Enhanced NetWitness Respond to list available services based on NetWitness orchestrated services. This can avoid confusion caused by outdated or nonexistent services and ensure that users only see the relevant services.
If a service is removed, it will be marked as decommissioned in the UI instead of immediately being removed from the source list. This approach prevents disruptions in source availability for ongoing activities while creating visibility into service's status.
The following section describes the new enhancements for the NetWitness Insight:
Detect New Assets in Insight (BETA)
NetWitness Insight introduces a new alert named New asset discovered in environment. This alert is generated on the Respond > Alerts page whenever a new server-type asset is detected in the environment for the first time, or when an existing asset has not been observed by NetWitness Insight for the last 30 days. The alert is generated only for assets that NetWitness Insight identifies as servers. This feature improves visibility and gives analysts a better understanding of the assets present in the environment, so that they can protect them from potential attacks.
This feature is currently available in BETA mode and is disabled by default. Please contact NetWitness Customer Support team to enable the feature.
Historical Service Trend Chart Improvements
The following improvements are made to Historical Service Trend chart in 12.3.1.0 version:
Added a new Service filter feature that allows you to filter services using a searchable drop-down menu. Analysts can now filter services by multiple values simultaneously, making it easier to compare services and discover insights.
Improved pagination functionality now allows analysts to navigate between the first and last pages seamlessly.
Services in the chart legend are sorted from highest to lowest enterprise traffic using the latest date data. When services have the same percentage value, they are sorted alphabetically.
Email Notification on Exceeding Daily License Usage
NetWitness Insight customers exceeding the daily license usage limit three or more times within the last 14 days will receive an email notification.
User and Entity Behavior Analytics
The following section describes the new enhancements for UEBA component:
Support for Citrix NetScaler and Palo Alto Networks VPN Devices
NetWitness UEBA has added support for the Citrix NetScaler and Palo Alto Networks VPN devices. With this enhancement, UEBA can now process Citrix NetScaler and Palo Alto Networks VPN logs, which helps you gather and analyze user activity information.
For more information, see the UEBA Supported Sources by Schema section in the UEBA Configuration Guide.
UEBA Performance Improvements
Optimized the database for inserting and querying data, resulting in faster query response times.
The modeling process for network data has been improved by excluding randomized JA3 entities, resulting in improvements in the overall performance.
Optimized the modeling process to generate and update multiple models in parallel.
Airflow retention DAGs processing times have been reduced due to faster cleanup of outdated data.
For more information on the supported scale, see the Learning Period Per Scale for 12.3 and 12.3.1 topic in the UEBA Configuration Guide.
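The reason given above for dropping JA3 (here and in the 12.4.1 deprecation note: extension randomization gives one client many fingerprints) is easy to demonstrate. The following is an added example written for this page, not NetWitness or UEBA code: it builds the JA3 string (client version, ciphers, extensions, curves, point formats, each list joined with "-" and the fields with ",") from the field lists of a constructed ClientHello, strips GREASE values as JA3 implementations do, and MD5-hashes it. Shuffling the extension order while keeping everything else identical changes the hash, and the permutation count shows how many fingerprints a single randomizing client can present. The ClientHello field values are constructed and do not correspond to a particular browser.

```python
"""Why TLS extension randomization defeats JA3 client fingerprinting.

Added example, not NetWitness code. Field lists below are constructed.
"""
import hashlib
import itertools
from typing import Sequence


def is_grease(v: int) -> bool:
    """GREASE values (RFC 8701) have the form 0xXaXa: 0x0a0a, 0x1a1a, ..., 0xfafa.
    JA3 drops them because they vary deliberately between connections."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def ja3_string(version: int, ciphers: Sequence[int], extensions: Sequence[int],
               curves: Sequence[int], point_formats: Sequence[int]) -> str:
    """JA3 text form: version,ciphers,extensions,curves,point_formats."""
    fields = [[version], ciphers, extensions, curves, point_formats]
    return ",".join("-".join(str(v) for v in f if not is_grease(v)) for f in fields)


def ja3_hash(version: int, ciphers: Sequence[int], extensions: Sequence[int],
             curves: Sequence[int], point_formats: Sequence[int]) -> str:
    """JA3 fingerprint as used in logs: MD5 of the text form."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode()).hexdigest()


# Constructed ClientHello field lists. client_version 0x0303 (TLS 1.2) = 771.
VERSION = 771
CIPHERS = [0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0x009C]
# server_name, extended_master_secret, renegotiation_info, supported_groups,
# ec_point_formats, ALPN, status_request, signature_algorithms,
# supported_versions, key_share
EXTENSIONS = [0, 23, 65281, 10, 11, 16, 5, 13, 43, 51]
CURVES = [29, 23, 24]
POINT_FORMATS = [0]


def fingerprints_under_randomization(extensions: Sequence[int], sample: int = 5) -> int:
    """Distinct JA3 hashes one client emits if it shuffles its first `sample`
    extensions between connections (the full set for ten extensions is 10!)."""
    head, tail = list(extensions[:sample]), list(extensions[sample:])
    hashes = {ja3_hash(VERSION, CIPHERS, list(p) + tail, CURVES, POINT_FORMATS)
              for p in itertools.permutations(head)}
    return len(hashes)


if __name__ == "__main__":
    print("stable order :", ja3_hash(VERSION, CIPHERS, EXTENSIONS, CURVES, POINT_FORMATS))
    shuffled = [23, 0, 65281, 10, 11, 16, 5, 13, 43, 51]
    print("two swapped  :", ja3_hash(VERSION, CIPHERS, shuffled, CURVES, POINT_FORMATS))
    print("fingerprints from shuffling 5 extensions:", fingerprints_under_randomization(EXTENSIONS))
```

Swapping just the first two extensions already yields a different hash; with randomization of five extensions the same client shows up under 120 fingerprints, so a behaviour model keyed on JA3 sees many distinct "clients" where there is one, which is the unreliability the deprecation note refers to.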
Endpoint
The following section describes the new enhancements for Endpoint component:
Supported Operating System Enhancements
Administrators have the option to deploy Endpoint agents on the following versions of Linux and Mac Operating System:
The Source server Explore view ( Admin > Services > View > Explore) is enhanced with endpoint/recovery configuration option to help administrators configure Endpoint recovery in case of any disaster.
The following enhancements are made to Policy-based Centralized Content Management in 12.3.1.0 version:
Pagination is added in the Content Library, Groups Listing and Policy Listing pages which enables you to navigate through the list. By default, 50 rows are displayed per page. However, NetWitness allows you to modify the number of rows displayed per page.
Administrators can directly update, in the Content Library, any content that is part of a policy. The changes are reflected in the services once the policy is republished.
The search experience for selected content during Policy creation is improved. A Search box is added under the Selected Content in the Define Policy screen. You can search the selected content by typing the initial content text in the Search box.
In the Filters panel of the Policy Listing, Groups Listing, and Services Listing pages, the parameters 'Policy Name', 'Group Name', and 'Service Name' are renamed to 'Name'.
Introduced a new event category called syslog-length-prefix under the Syslog Collection in the Log Collector to provide support for syslog length prefixed logs during syslog collection.
For more information, see Configure Syslog Event Sources topic in the Log Collection Guide.
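Length-prefixed syslog (octet counting, RFC 6587 section 3.4.1) frames each message as "<LENGTH> <MESSAGE>" rather than ending it with a newline, which is why it needs its own event category: a newline-delimited collector would split a multi-line message in two. The following is an added example written for this page, not Log Collector code: a parser for an octet-counted byte stream that returns complete messages and the unfinished tail to carry into the next read, rejects malformed or oversized length fields from a hostile sender, and a small reader that reassembles across TCP reads. The messages are constructed and the MAX_FRAME limit is this example's choice.

```python
"""Parser for length-prefixed (octet-counted) syslog framing.

Added example, not NetWitness Log Collector code. Frames below are constructed.
"""
from typing import List, Tuple

MAX_FRAME = 64 * 1024   # refuse absurd lengths; a sender must not dictate memory use
MAX_DIGITS = len(str(MAX_FRAME))


def frame(msg: bytes) -> bytes:
    """Encode one message with an octet-count prefix."""
    return b"%d %s" % (len(msg), msg)


def parse_octet_counted(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Extract complete frames from buf. Returns (messages, leftover), where
    leftover is an incomplete trailing frame to prepend to the next read.
    Raises ValueError when the data cannot be octet-counted syslog."""
    messages: List[bytes] = []
    pos = 0
    while pos < len(buf):
        # The length field is digits followed by one space; bound the search so
        # a stream with no space at all cannot make us buffer forever.
        sp = buf.find(b" ", pos, pos + MAX_DIGITS + 1)
        if sp == -1:
            if len(buf) - pos > MAX_DIGITS:
                raise ValueError(f"no length prefix at offset {pos}")
            break                      # prefix not fully received yet
        field = buf[pos:sp]
        if not field.isdigit() or field.startswith(b"0"):
            raise ValueError(f"bad length prefix {field!r} at offset {pos}")
        length = int(field)
        if length > MAX_FRAME:
            raise ValueError(f"frame length {length} exceeds {MAX_FRAME}")
        start, end = sp + 1, sp + 1 + length
        if end > len(buf):
            break                      # body incomplete; wait for more data
        messages.append(buf[start:end])
        pos = end
    return messages, buf[pos:]


class OctetCountedReader:
    """Stateful wrapper: feed() each TCP read, get back the messages completed by it."""

    def __init__(self) -> None:
        self._buf = b""

    def feed(self, chunk: bytes) -> List[bytes]:
        msgs, self._buf = parse_octet_counted(self._buf + chunk)
        return msgs


# Constructed RFC 5424 messages; the second spans several lines, which is
# exactly the case newline-delimited collection gets wrong.
MSG1 = b"<34>1 2024-05-01T10:00:00Z fw01 sshd 4242 - - Failed password for root"
MSG2 = b"<13>1 2024-05-01T10:00:01Z fw01 app - - - multi\nline\nbody"
STREAM = frame(MSG1) + frame(MSG2) + b"40 <34>1 partial"

if __name__ == "__main__":
    msgs, rest = parse_octet_counted(STREAM)
    print(len(msgs), "messages, leftover:", rest)
```

The leftover bytes are the normal case on a TCP stream, not an error: only a length field that is not numeric, has a leading zero, or exceeds the cap is treated as a protocol violation, at which point the collector should drop the connection rather than try to resynchronize on attacker-controlled data.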
Log Integrations
NetWitness Platform supports the integration of the following event sources to collect and parse logs. Unless specified, these services are supported on NetWitness Platform 11.7.0.0 or later.
Google Cloud Platform (Support for VPC Flow Logs, Google Kubernetes Engine (GKE) Logs, Cloud Storage Logs, and Audit Logs)
Administrators can now run the nw-precheck-cli command on the Hosts page to generate the system upgradability health report. The report helps administrators to troubleshoot any anomalies and minimize upgrade failures. The tool-tip message appears when you hover over the Update Host and Check for Update drop-down menu.
Customer Experience Improvement Program (CEIP)
NetWitness now displays a NetWitness Platform CEIP dialog to all users with the Manage Live Setting and config-server manage configuration permissions who have not previously enabled the CEIP program and are upgrading to a major or minor platform version. For example, in NetWitness Platform version 12.3.1.0, 12 is the major version and 3 is the minor version.
For more information, see "Configure the Customer Experience Improvement Program" in the System Configuration Guide.
Security
To further improve security, all NetWitness services and scripts now use trusted certificate-based authentication or the deploy admin password for the RabbitMQ account. In addition, the guest user account password is set to a random value, so that full administrator access on the host is restricted to authorized users.
User Interface
The following section describes the new enhancements for the NetWitness user interface:
NetWitness Product Name Change
NetWitness shortened the product name to "NetWitness Platform". This change aims to streamline and align our branding with our overall product strategy.
Warning: Before upgrading the UEBA host to 12.3.1.0, you must perform the backup of your Elasticsearch data such as Users, Entities, Alerts, and Indicators to retain them post upgrade. For more information, see NetWitness UEBA Configuration Guide for 12.3.1.0.
Product Version Life Cycle for NetWitness Platform
The following enhancements are made for Policy-based Centralized Content Management in 12.3.0.0 version:
Addition of Services Tab in Content Panel
NetWitness has introduced the Services tab to view and manage the 12.3 and above services. The dedicated Services List page lists all Decoder and Log Decoder services available in the 12.3+ version. From this page, you can initiate migration, view the content of each service after migration, and conveniently enable or disable CCM for individual services.
To go to the Services tab, click (CONFIGURE) > Policies > Content > Services.
Once you click the Services tab:
You can view the list of services. By default, 15 services are displayed per page. You can go to the next page, or directly to the last page, using the pagination controls.
You can filter the services based on various parameters by clicking the filter icon.
You can click a service to view the details of the service.
You can automatically migrate content from selected services to the CCM Content Library. This feature simplifies the process and saves time by eliminating the need for manual content migration. To migrate content, select the service(s) and click Migrate Content.
In this UI, you can migrate Application Rules, Network Rules, LUA Parser, Live Feeds and Live Log Devices. You can continue to manage Custom Feeds and Log Parser Rules from Legacy Custom Feeds UI and Log Parser Rules UI.
During the migration process, you can create default policy and group for each service selected for migration. Once the migration process is complete, the policy and group will be listed under Policy Listing page and Group Listing page.
The policy and group created for the service are in the 'Unpublished' state and can be published only after they are reviewed. In the Policy Listing page, the Publish button for such a policy is disabled. The policy can be published only after reviewing it from either the Policy Details page or the Edit Policy page.
While publishing a policy, the content deployed from the policy is merged with the content present in the service. This ensures that duplicate content is overwritten, and unique content present in the service is retained, avoiding unnecessary redundancy and data loss.
If the migration process is successful and the policy is created successfully for the selected service, you can view the details of the policy. To view the policy details, click policy name under the Policies column in Services List page.
If the migration process is successful, you can view the details of the migrated content. To view the migrated content details, click View Content hyperlink under the Action column in Services List page.
You can search the migrated content based on various parameters.
- For Application Rule and Network Rule, the search is based on Rule Name and Rule Value.
- For Feeds, Log Device and LUA Parser, the search is based on the Name.
If the migration has failed due to some reason, then you can view the logs. To view the logs, click View Error Log hyperlink under the Action column in Services List page.
Even if only some of a service's content is migrated to the Content Library, NetWitness provides an option to create a policy and group for that partially migrated service. To do so, click View Error Log -> View Migrated Content -> Create Policy and Group.
You can enable or disable CCM for individual Decoder Service. To enable or disable CCM, select the service and click Manage Service Content.
NetWitness has enhanced the Application and Network Rules to help administrators manage the rules efficiently by adding the following improvements:
Under Session Options, the option Alert on is renamed to Flag session with rule name in meta key in the Application Rule tab. With this enhancement, administrators can now select a custom meta key from the drop-down, and a meta value corresponding to the rule name will be generated when the session metadata matches the rule.
Administrators can now select the Notify option to trigger alert generation and choose the Severity level while creating or modifying the Application Rules. The severity levels are Critical, High, Medium, and Low.
Under Session Options, the option Alert on is renamed to Flag session with rule name in meta key alert in the Network Rule tab.
The new Deployment Stats feature provides users with comprehensive insights into the performance and status of their deployments.
The old legacy Services tab has been deprecated, making the CCM the primary location for accessing and managing statistics.
The statistics associated with engines, rules, and alerts have been moved to the new Centralized Content Management (CCM) pages as part of the ongoing migration.
Users can easily access and analyze deployment statistics, including engine, rule, and alert metrics, to monitor the effectiveness and efficiency of their configurations.
The ability to enable and disable rules at the runtime of the engine provides greater flexibility and control over rule execution.
Users can now view the timestamp indicating when the statistics were last fetched, ensuring the accuracy and relevance of the displayed information.
On-demand stats fetching allows users to retrieve the latest statistics anytime, keeping them updated with the system's performance.
In addition to the existing statistics, users can now view individual data source statistics for each engine, enabling a more granular analysis of data source performance.
Create and Edit ESA Rules from CCM (Redirection to ESA Rules Tab)
A new redirection feature has been introduced: ESA rule creation and editing are now integrated into the existing CCM design, providing a consistent experience and optimizing usability.
Users can now create and edit ESA rules within this streamlined workflow; the redirection to the ESA Rules tab lets them make the necessary modifications with fewer clicks, ensuring a smoother experience.
Endpoint Rule Management
Users can now enable or disable endpoint rules per deployment, allowing them to tailor rule execution to specific deployment requirements.
Fast Deployment Support
Fast Deploy is supported, which allows users to expedite the deployment process for compatible configurations, saving time and effort.
Deployment Updates, Indicators and Notifications
Users can easily track updates made to deployments, with a clear indicator signaling the presence of updates.
Stay informed and effortlessly monitor the status and progress of your deployments.
Users will be notified if another user is currently editing a deployment, preventing conflicts and ensuring smooth collaboration.
Notifications and severity configurations for rules in a deployment can be easily viewed, enabling users to stay informed about rule behavior and potential security threats.
The following section describes the new enhancements for the Investigate component:
NetWitness enhancements in the Investigate > Events view provide increased flexibility and an improved investigative workflow. These enhancements help analysts complete investigations and increase the efficiency of administrators.
Select Query Results Panel Layout
The Query Builder allows you to select the Query Results panel layout before executing the query.
For example, if you select the Show: Meta and Events option from the drop-down menu, the query results are by default displayed in two separate panels, i.e., Meta and Events.
The enhanced Timeline displays activity for the specified service and time range as a bar chart. This allows analysts to detect significant spikes that could indicate anomalies. Using the visual representation, analysts can conduct a more detailed investigation of the events that occurred during that specific period.
With the enhanced timeline, analysts can now expand the timeline, zoom into an area of interest, change the axis settings, or reset the query to its original form.
NetWitness introduces the new Advanced Query Bar in the Investigate > Events panel to provide a seamless experience to users while they write queries. The Advanced Query Bar provides a search bar that accepts a query constructed in text form, much like an Integrated Development Environment (IDE), instead of the pill-based entry of Guided Mode. The Advanced Query Bar provides the following benefits:
Syntax or error highlighting: The syntax of each query is validated and a red outline marks invalid filters.
Auto suggestions: Suggestions such as a meta key, an alias for medium, or an operator are offered in a drop-down list to help with query construction.
Recent queries: Displays recent queries.
Create Future Alert using Events Query
During the investigation, administrators and analysts can now create an application rule for any suspicious activity from the Investigate > Events view. You can create application rules with a flexible query that covers a wide set of events and system information from your network, including suspected breach activities and misconfigured servers. Once the rule is applied to a matched policy with Decoder services, it generates alerts whenever a match occurs and helps analysts to triage, investigate, and respond to threats.
Generate Custom Reports from Investigate Events View
The NetWitness Investigate Events view has been enhanced with integrated reporting capabilities, enabling increased flexibility and a streamlined workflow. Administrators and analysts can now convert their investigation queries into ad hoc and scheduled reports seamlessly from the Investigate > Events view. This eliminates the need to switch back to the reporting pages and reconfigure queries, saving time and effort.
The following are the key benefits of generating reports from the Events view:
Quickly configure and generate the reports.
Share generated reports directly with administrators or other analysts by configuring email IDs, facilitating efficient communication and collaboration.
Report generation now adopts preconfigured settings by default, reducing the need for manual configuration and accelerating the reporting process.
Generated reports can be used to monitor security incidents and malware activity.
Set up scheduled reports to run at regular intervals and trigger an email with events each time they run.
Search Meta Information Quickly from Events Meta Panel
Analysts can now search for meta keys and meta values quickly from the Events Meta panel using the newly added Filter option. This enhancement allows analysts to refine their search results by entering specific meta values or keys; the results are highlighted with a blue indicator, which helps analysts investigate without scrolling through a long list of metadata.
Support for VirusTotal Hashes Lookup from Events View
NetWitness now includes VirusTotal Lookup capabilities for files and file hashes from the Investigate > Events view. With this enhancement, analysts can perform a VirusTotal Lookup on files with file hashes (MD5, SHA1, and SHA256) to get more information about the file; the lookup automatically redirects them to VirusTotal's website. Once the hashes match VirusTotal's recognized types, they undergo a malware scan, and the results are returned to determine whether a file is malicious. This enhancement makes it easier for analysts to identify viruses, malware, and other malicious files with VirusTotal Lookup and helps them perform investigations more effectively.
For more information, see Launch a VirusTotal Lookup for a File and Perform Lookups of Meta Values in Events topics in the NetWitness Investigate User Guide.
Introducing Meta Settings Panel
NetWitness introduces the new Meta Settings panel under the Investigate > Events > Events Meta view to allow analysts to configure the number of sessions required for the specific meta key value within the Events view. This enhancement provides analysts with the following configuration options:
Max Threshold Value: This option allows analysts to set the maximum number of sessions that are loaded for a meta key value in the Events panel. If you set a higher threshold, you will get more accurate counts, but it will take longer to load the data. The Max Threshold Value should be between 1 - 2147483647. The default value is 100,000.
Max Value Results: This option allows analysts to set the maximum number of values to load in the Events view when the Max Results option is selected in the Meta Key Menu for an open Meta Key. The Max Value Results should be between 100-100000. The default value is 1000.
Max Meta Value Characters: This option allows analysts to set the maximum number of characters in a meta value name displayed in the Events Meta panel. The Max Meta Value Characters should be between 60-512. The default value is 60.
These new configuration options give analysts more control over how metadata is displayed and loaded in the Events view. This helps analysts to perform the investigation more efficiently.
NetWitness now allows analysts to set the Render Threads value under the System > Investigation > Events tab > Render Threads Setting. This setting controls the number of concurrent meta key values that are loaded by the user in the Events Meta panel. By increasing the number of render threads, the meta values within the Events Meta panel are loaded concurrently. The Render Threads value should be between 1-8. The default value is 2.
The Query Console has been enhanced to help the analysts with query construction on the Investigate > Events view. Analysts can now quickly view the Query Examples, Current Query, or Recent Queries on the Query Console directly.
The following section describes the new enhancements for Context Hub component:
Additional Data for Context Lookup Lists Panel
Administrators can now configure additional data of interest from the lists on the Context Hub Lists page. These additional details from the lists are reflected in the Context Lookup Lists panel when you view the context for an event on the Events or Respond view. This helps analysts with better visibility for further analysis and investigation.
New Permission at the Users Level for Context Lookup
NetWitness introduces a new permission named contexthub-server.contextlookup.read for Context Lookup. This permission is enabled only for administrators, analysts, malware analysts, SOC managers, and Respond administrators. With this enhancement, administrators can now assign role permissions that prevent users from viewing context enrichment that is not relevant to them or performing the Add/Remove from List actions. Additionally, this can prevent unauthorized users from accessing sensitive information.
Administrators can now view the data for Responsive Preview under the Meta and Field Mapping and perform Field mapping operations for REST API data sources with or without authentication. This enhancement helps administrators to avoid reconfiguring the REST API data source and saves time.
NetWitness Insight is a SaaS solution available as an extension for a NetWitness Network, Detection & Response (NDR) customer. NetWitness Insight is an advanced analytics solution that leverages unsupervised machine learning to empower the response of the Security Operations Center (SOC) team. NetWitness Insight continuously examines network data collected by the Decoder to discover, profile, categorize, characterize, prioritize, and track all assets. NetWitness Insight identifies the assets in the enterprise to alert analysts of their presence. The discovered assets are automatically categorized into groups of similar servers and prioritized based on their network profiles. These assets are presented to analysts in a Springboard panel to guide them to focus on certain assets to protect their organization. Contextual information about the asset is available anywhere analysts interact with IP addresses in Respond and Investigate workflows. Incidents and alerts can be created based on asset changes.
Available in preview mode, this new integration with major SASE vendors provides further network visibility for NetWitness Network (NDR) customers. Previously limited to logs, these integrations deliver original network traffic to NetWitness, providing analysts with deep network visibility and detection for SASE remote communications. Please contact your account representative to get a preview.
Springboard
The following section describes the new enhancements for the Springboard component:
Improved Color Visualization for Springboard Panels
NetWitness Springboard now allows analysts to choose from a variety of color palettes when creating or editing panels using the new Visualization Color Theme option. This enhancement gives analysts more control over the appearance of their panels, making them more visually appealing and easier to understand. As a result, analysts can visualize the data better and perform analysis and investigations more efficiently.
NetWitness's latest enhancements to reporting capabilities in the Respond view provide users with increased flexibility and streamlined workflows. These improvements address the challenges you face during investigation and reporting. The following enhancements are made to the Respond component.
Respond Reporting Enhancements
With the new upgrades to Respond reporting, administrators and analysts can efficiently capture, analyze, and share their findings with management, resulting in enhanced reporting experience within NetWitness.
Integrated reporting capabilities into the events and respond views allow administrators and analysts to seamlessly tie their investigations to reports to capture and report their findings to the management.
Users can review incidents and alerts within the Respond view and generate comprehensive reports directly from the interface. Analysts and administrators can document their analysis and share detailed reports with stakeholders.
Reports generated from the Respond view now leverage the powerful filtering capabilities available within Respond, ensuring that the reports accurately reflect the specific incidents or alerts reviewed.
A simplified workflow driven by customizable templates eliminates the complexity of the previous reporting workflow and reduces the input required from analysts and administrators.
Report creation now defaults to preconfigured settings, minimizing the need for manual configuration and expediting the reporting process.
Analysts can now email the generated reports directly to administrators or other analysts, facilitating efficient communication and collaboration.
Respond Server Support for Core Alerts and Insight Alerts
The Respond Server support for NetWitness Core Alerts and NetWitness Insight Alerts update improves your security by helping you detect and respond to incidents more effectively. This includes improvements that make managing and analyzing core and insight alerts within the NetWitness platform easier.
Core Normalisation alert support: We have added support for core normalization alerts, enabling the detection of suspicious network traffic patterns. This enhancement helps you proactively identify potential security threats and take swift action.
Improved Core Alerts visualization: Upgraded the visualizations for core alerts, providing a more detailed and comprehensive view. These enhanced visual representations make spotting patterns, trends, and anomalies easier, empowering you to make faster and more informed decisions.
OOTB Incident Aggregation Rule for Core Alerts and Insight Alerts: To simplify incident response, we have included an Out-of-the-Box (OOTB) incident aggregation rule specifically designed for core alerts and insight alerts. This rule automates grouping related core alerts and insight alerts into a single incident, streamlining your incident management process and saving valuable time.
The Respond > Alerts view is enhanced with the Whitelist Alert feature to help administrators and analysts whitelist the non-suspicious Endpoint alerts. You can select the entities such as File, User, and Host and define the Whitelist condition to avoid triggering of the unwanted alerts for the required entities.
The new Whitelists tab added in the Respond view enables you to view and manage the Endpoint Whitelists created after whitelisting the non-suspicious Endpoint alerts.
The following section describes the new enhancements for Endpoint component:
Files View Enhancements
The Files view is enhanced to help administrators and analysts block the new file hashes and manage the existing blocked file hashes. You can block up to a maximum of 50,000 file hashes using this feature.
The Hosts view is enhanced with the Remote Shell feature to help administrators and analysts access the remote agents and perform remediation actions during investigation. You can execute the commands only in the quiet mode.
Advanced Linux Agent - File Event Tracking Enhancement
Linux Agent - File Event Tracking is introduced to help analysts view the file related activities by an executable, such as writetoexecutable. Analysts can view and monitor file events to detect threats on Linux machines.
NetWitness Platform XDR supports collection of MicrosoftIIS logs. You can select MicrosoftIIS from the Log File Type drop-down list in (Admin) > Endpoint Sources > Policies > Define File Policy Settings to collect and monitor MicrosoftIIS file logs. For more information, see Appendices topic in the NetWitness Endpoint Configuration Guide.
User and Entity Behavior Analytics
The following section describes the new enhancements for UEBA component:
Enhanced Configuration Support for Multiple UEBA Servers
NetWitness introduces the ability to deploy multiple UEBA servers in your environment, providing increased flexibility and control. With this enhancement, administrators can distribute the UEBA server deployment across dedicated servers, such as one server for Logs and Endpoint data and another for Network (TLS) data. This data segregation ensures that each server can focus on its designated data type, resulting in faster and more streamlined processing. With the data segregation, analysts can now select the specific data type using the drop-down option provided for Multiple UEBA servers. This feature helps analysts to focus on the relevant users, network entities, and alerts associated with each UEBA server.
Analysts can now view contextual information about users on the NetWitness Users page. This enhancement enables analysts to make better decisions and take appropriate actions. A single place contains contextual information about users to help analysts identify and prioritize areas of investigation. The Context Highlights panel enables analysts to view contextual information for selected users, including total Respond alerts and incidents associated with them. Moreover, analysts can also switch to the Investigate view for a deeper look at users for focused analysis and investigation.
For more information, see the View Contextual Information for Users topic in the NetWitness UEBA Users Guide.
UEBA Performance Improvement
NetWitness UEBA (On-premises) has been enhanced to improve the performance of its data processing capabilities by updating the adaptor task and effectively allocating available free memory on UEBA services. This results in faster processing time and better performance for all UEBA tasks.
Concentrator, Decoder, and Log Decoder Services
Application Rule Enhancements
NetWitness has enhanced the Application Rules to help administrators manage the rules efficiently by adding the following improvements:
Under Session Options, the option Alert on is renamed to Flag session with rule name in meta key in the Application Rule tab. With this enhancement, administrators can now select a custom meta key from the drop-down, and a meta value corresponding to the rule name will be generated when the session metadata matches the rule.
Administrators can now select the Notify option to trigger alert generation and choose the Severity level while creating or modifying the Application Rules. The severity levels are Critical, High, Medium, and Low.
NetWitness Platform XDR supports the integration of the following event sources to collect and parse logs. Unless specified, these services are supported on NetWitness Platform XDR 11.7.0.0 or later.
As a launch partner for AWS AppFabric, NetWitness empowers customers to use this simplified, standardized method of securing new and existing AWS apps. For more information, see S3 Universal Connector.
The following section describes the new enhancements for Platform component:
Backup and Restore Improvements
The Passwordless remote copying feature allows administrators to avoid entering the password in the Command Line Interface (CLI) while exporting and importing the data using the NetWitness Recovery Tool (NRT) and the NetWitness Recovery Wrapper Tool.
NetWitness Platform XDR allows the non-root users to perform backup and recovery of data using the NetWitness Recovery tool (NRT) and the NetWitness Recovery Wrapper tool.
The NetWitness Recovery Wrapper Tool is enhanced with the following options to allow administrators to back up groups of hosts:
Category Group: This group allows you to create a backup of all the hosts in a given category, such as Log Hybrid, Log Collector, or Standalone Broker, in the environment.
Host Group: This group allows you to create a backup of all the hosts specific to a given group created on the /admin/appliances page. You can use the backup to restore any of the hosts in case of configuration issues or catastrophic failures.
Warning: Before upgrading the UEBA host to 12.3.0.0, you must perform the backup of your Elasticsearch data such as Users, Entities, Alerts, and Indicators to retain them post upgrade. For more information, see NetWitness UEBA Configuration Guide for 12.3.0.0.
Product Version Life Cycle for NetWitness Platform
Note: If you have the Export Connector plugin in your deployment, you must do the following:
• If you have Logstash installed separately, not as part of the NetWitness installation, you must uninstall the Export Connector plugin and install the updated Export Connector plugin after the 12.2.0.1 patch upgrade. In this case, the old Export Connector plugin files are not automatically removed after upgrade. You must remove the old plugin files so that scans do not list them as vulnerabilities. For more information on how to remove the old plugin files and install the updated plugins, see the Post-Upgrade Tasks section in https://community.netwitness.com/t5/netwitness-platform-online/upgrade-instructions-for-12-2-0-1/ta-p/698615.
• If you have Logstash installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin will be automatically installed during the 12.2.0.1 patch upgrade.
Upgrade Paths
The following upgrade paths are supported for NetWitness 12.2.0.1:
12.2.0.0 to 12.2.0.1
12.1.1.0 to 12.2.0.1
12.1.0.1 to 12.2.0.1
12.1.0.0 to 12.2.0.1
12.0.0.0 to 12.2.0.1
11.7.3.0 to 12.2.0.1
11.7.2.0 to 12.2.0.1
11.7.1.2 to 12.2.0.1
11.7.1.1 to 12.2.0.1
11.7.1.0 to 12.2.0.1
11.7.0.2 to 12.2.0.1
11.7.0.1 to 12.2.0.1
11.7.0.0 to 12.2.0.1
11.6.1.4 to 12.2.0.1
11.6.1.3 to 12.2.0.1
Warning: Before upgrading the UEBA host to 12.2.0.1, you must perform the backup of your Elasticsearch data such as Users, Entities, Alerts, and Indicators to retain them post upgrade. For more information, see NetWitness UEBA Configuration Guide for 12.2.
The Product Documentation section has links to the documentation for this release.
Policy-based Centralized Content Management
The following enhancements are made for Policy-based Centralized Content Management in 12.2.0.0 version:
To let the administrator choose when to enable CCM, a single CCM toggle is introduced in the UI to enable or disable CCM for all 12.0 and later versions of Decoder Services. The toggle is available on the Content page and can be used to enable or disable CCM for all eligible Core Services at once. The CCM toggle has three states:
State 1: None of the Decoder Services are managed by CCM
This is the default status. The default status applies only:
- If customers are upgrading from 11.x to version 12.2
- If customers have turned off the feature in previous versions
State 2: All Decoder Services are managed by CCM
State 3: Some Decoder Services are managed by CCM
The administrator can edit the rule value while editing or cloning the Application Rule or Network Rule.
During policy creation or modification, the administrator can create a new group and assign it to the policy if there are no unassigned groups available for the policy.
For a policy, the administrator can subscribe to multiple content items at once. This feature is available from version 12.1.0.0 or later.
During policy creation, the administrator can add all content to the policy based on the resource type.
For a policy in the failed status, a caution icon message banner is displayed in the Policies view and Groups view, indicating that the policy status failed for one of several reasons. Administrators can now check the policy overview section in the UI to find the failure reason and the workaround.
Added the + Add New Datasource option to add data sources in the Create Deployment view and Edit Deployment view. Administrators can now add new data sources from the Create Deployment view and Edit Deployment view when the required data source is unavailable.
The following enhancements are made for Respond component in 12.2.0.0 version:
Introduced new pagination settings for the Incidents list view and Alerts list view. Administrators can now see all the available incidents with this feature and configure pagination as follows:
Navigate through required page numbers.
Set the incidents per page as per the options available.
Administrators can now configure syslog alerts for new incidents added to the incidents queue. In addition, a new template field is added with Default Respond SMTP Template. Administrators can now select the pre-configured custom syslog notification template to configure the respond OOTB template available under global notification settings or write a custom respond template.
Enhanced Email Notification Settings.
A new template field is added in the Email Notification Settings with Default Respond SMTP Template. Administrator can now select the pre-configured custom email notification template to configure the respond OOTB template available under global notification settings or write a custom respond template.
The following section describes the new enhancements for Endpoint component:
Hosts View Enhancements
The Hosts view is enhanced to help analysts get an accurate number of Hosts and the list of Windows, Mac, and Linux machines on which the suspicious Autoruns are configured.
To optimize the view for analysts, a few columns in the Hosts > Autoruns view such as Global Risk Score, Local Risk Score, Reputation, File Status, Downloaded, File Creation Time, and Signature are removed.
The columns such as Registry Path, Filename, File Path, On Hosts, Type, and Launch Arguments are re-arranged in the following order:
Registry Path
On Hosts
Type
Launch Arguments
Filename
File Path
For more information, see the Hosts View - Autoruns Tab topic in the NetWitness Endpoint User Guide.
Advanced Linux Agent - Process Event Tracking Enhancement
Linux Agent - Process Event Tracking is introduced to help analysts view the createprocess activities. Analysts can view and monitor process events to detect threats on Linux machines.
Introduced a new index config threshold slice.memory.max. When the index slice memory usage exceeds the threshold, an index save will save the index to disk, keeping the index memory usage in control. With this new setting, administrators can freely enable indexing all unique meta values on the meta keys they choose.
The HTTP2 parser now supports demultiplexing interleaved streams and extracts the application payload so that other parsers looking for tokens in the payload can perform detections. This also lets analysts reconstruct HTTP/2 sessions, download them as PCAPs, and extract data from the compressed payloads.
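As an added illustration of what demultiplexing interleaved HTTP/2 streams involves (example code written for these notes, not the NetWitness parser), the following Python parses RFC 7540 frames, reassembles DATA payloads per stream ID, and shows that a token split across two frames only matches after reassembly. The frame sample is constructed inline.

```python
"""Demultiplex interleaved HTTP/2 DATA frames by stream ID (added example).
Frame layout per RFC 7540 section 4.1: a 9-byte header (24-bit length, 8-bit
type, 8-bit flags, reserved bit plus 31-bit stream id) followed by the payload."""
import struct
from typing import Dict, Iterator, List, Set, Tuple

FRAME_HEADER_LEN = 9
TYPE_DATA = 0x0
TYPE_HEADERS = 0x1
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4
FLAG_PADDED = 0x8

def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes,
                pad_len: int = 0) -> bytes:
    """Serialise one frame; used only to construct the sample traffic below."""
    if pad_len:
        flags |= FLAG_PADDED
        payload = bytes([pad_len]) + payload + b"\x00" * pad_len
    header = (struct.pack(">I", len(payload))[1:]           # 24-bit length
              + bytes([ftype, flags])
              + struct.pack(">I", stream_id & 0x7FFFFFFF))  # R bit cleared
    return header + payload

def iter_frames(buf: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (type, flags, stream_id, body); a truncated frame raises ValueError."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < FRAME_HEADER_LEN:
            raise ValueError("truncated frame header at offset %d" % pos)
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        body = buf[pos + 9:pos + 9 + length]
        if len(body) < length:
            raise ValueError("truncated frame body at offset %d" % pos)
        yield ftype, flags, stream_id, body
        pos += FRAME_HEADER_LEN + length

def strip_padding(flags: int, body: bytes) -> bytes:
    """Remove PADDED framing: first byte is the pad length, padding is at the end."""
    if not flags & FLAG_PADDED:
        return body
    if not body or body[0] >= len(body):
        # RFC 7540 6.1 treats an over-long pad length as a connection error
        raise ValueError("invalid pad length")
    return body[1:len(body) - body[0]]

def demultiplex(buf: bytes) -> Dict[int, bytes]:
    """Reassemble per-stream application payload from interleaved DATA frames.
    Only streams whose END_STREAM flag was seen are returned, so a caller never
    inspects a half-reassembled payload of a stream still open at capture end."""
    chunks: Dict[int, List[bytes]] = {}
    ended: Set[int] = set()
    for ftype, flags, stream_id, body in iter_frames(buf):
        if stream_id == 0:
            continue  # SETTINGS, PING, GOAWAY: connection level, no app payload
        if ftype == TYPE_DATA:
            chunks.setdefault(stream_id, []).append(strip_padding(flags, body))
        elif ftype == TYPE_HEADERS:
            chunks.setdefault(stream_id, [])  # stream is known even without DATA
        if flags & FLAG_END_STREAM:
            ended.add(stream_id)
    return {sid: b"".join(parts) for sid, parts in chunks.items() if sid in ended}

def match_tokens(streams: Dict[int, bytes], tokens: List[bytes]) -> Dict[int, List[bytes]]:
    """Token check over reassembled payloads, the step a downstream parser performs."""
    return {sid: [t for t in tokens if t in payload]
            for sid, payload in streams.items() if any(t in payload for t in tokens)}

def match_tokens_per_frame(buf: bytes, tokens: List[bytes]) -> Set[bytes]:
    """The same check applied frame by frame, i.e. without demultiplexing."""
    hits: Set[bytes] = set()
    for ftype, flags, _sid, body in iter_frames(buf):
        if ftype == TYPE_DATA:
            data = strip_padding(flags, body)
            hits.update(t for t in tokens if t in data)
    return hits

# Constructed sample: streams 1 and 3 interleaved, one padded frame, and a
# stream (7) that is still open when the capture ends.
SAMPLE = b"".join([
    build_frame(TYPE_HEADERS, FLAG_END_HEADERS, 1, b"\x82"),  # HPACK indexed :method GET
    build_frame(TYPE_HEADERS, FLAG_END_HEADERS, 3, b"\x82"),
    build_frame(TYPE_DATA, 0, 1, b"hel"),
    build_frame(TYPE_DATA, 0, 3, b"token=", pad_len=3),
    build_frame(TYPE_DATA, 0, 1, b"lo wor"),
    build_frame(TYPE_DATA, FLAG_END_STREAM, 3, b"abc123"),
    build_frame(TYPE_DATA, FLAG_END_STREAM, 1, b"ld"),
    build_frame(TYPE_DATA, 0, 7, b"still open"),
])
TOKENS = [b"hello", b"token=abc123"]

if __name__ == "__main__":
    print("frame-by-frame hits:", match_tokens_per_frame(SAMPLE, TOKENS))  # set()
    print("post-demux hits:", match_tokens(demultiplex(SAMPLE), TOKENS))
```

Frame-by-frame matching finds nothing because both tokens straddle frame boundaries; after demultiplexing, stream 1 yields `hello` and stream 3 yields `token=abc123`, while stream 7 is withheld until it ends.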
NetWitness Platform XDR supports the integration of the following parser services to collect logs. These services are supported on NetWitness Platform XDR 11.7.0.0 or later.
Zscaler ZIA
Zscaler ZPA
OPSWAT Meta Access Cloud
Symantec Endpoint Security Events
Symantec Endpoint Security Incidents
S3 Universal Connector support for access logs from Application Load Balancer (ALB).
Before upgrading the UEBA host to 12.2.0.0, you must perform the backup of your Elasticsearch data such as Users, Entities, Alerts, and Indicators to retain them post upgrade. For more information, see NetWitness UEBA Configuration Guide for 12.2.0.0.
Product Version Life Cycle for NetWitness Platform
The following enhancements are made for Policy-based Centralized Content Management in 12.1.1.0 version.
Administrators can clone Application Rules and Network Rules with a unique rule name and the same rule value.
IMPORTANT:
- The Rule Name is the unique title of the rule, which is used as a reference to the rule within the Content Library.
- The Rule Value is a string or text which is registered to a meta key when the rule is triggered with an "alert" output. It may be the same as the rule name, but it is not unique within the Content Library.
A single CCM toggle is introduced to enable or disable CCM for all 12.0+ Decoders and Log Decoders at once. The toggle is available through the source-server backend.
In 12.1 and later versions, you can only manage the ESA deployments and Data Sources through Centralized Content Management.
Go to the (CONFIGURE) > Policies > Content > Event Stream Analysis page to manage the ESA deployments and Data Sources.
Refer to the following screenshot.
A new unified deployment view (ESA DEPLOYMENTS) tab is created to manage deployments from a single view across all policies within CCM.
Navigation to the edit policy wizard is simplified from the Edit deployment view > View rules.
The edit deployment screen saves the current state and closes. The user is redirected to the edit policy wizard in a new tab.
A new search option is added to the list of ESA rules in the View ESA rules modal in the edit and create deployment views.
Caution banners are added to inform the customer that a deployment is required when creating ESA-related policies.
After upgrading to 12.1 and later versions, you can only manage the ESA Rules in the ESA Rules page. Refer to the following screenshot.
After upgrading to the 12.1.1.0 version, all ESA deployments are migrated to the (CONFIGURE) > Policies page. Each deployment is converted into a policy and a group, and becomes manageable only after the Correlation servers are upgraded to 12.1.x.x. Plan the upgrade so that the Correlation servers are upgraded immediately after the Admin Server. The deployments are not accessible until the corresponding Correlation servers are upgraded; however, the Correlation servers continue to process Alerts and Events in the meantime.
You must upgrade the ESA hosts immediately after upgrading the Admin Server.
Note: If you have the Export Connector plugin in your deployment, you must do the following:
- If you have Logstash installed separately, not as part of the NetWitness installation, you must uninstall the Export Connector plugin and install the updated Export Connector plugin after the 12.1.0.1 patch upgrade. In this case, the old Export Connector plugin files are not automatically removed after the upgrade. You must remove the old plugin files so that scans do not list them as vulnerabilities. For more information on how to remove the old plugin files and install the updated plugins, see Post-Upgrade Tasks.
- If you have Logstash installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin is installed automatically during the 12.1.0.1 patch upgrade.
Upgrade Paths
The following upgrade paths are supported for NetWitness 12.1.0.1:
The following enhancements are made for Policy-based Centralized Content Management in 12.1.0.0 version.
Administrators can create and upload content to the Content Library easily by:
Importing log parsers as a zip file instead of converting to ".envision" format.
Cloning existing Application Rules and Network Rules.
Administrators can switch services between the legacy Content Management UI and the new Centralized Content Management (Groups and Policies) using the toggle feature. This prevents content from being mistakenly added or modified outside of a Policy, which would cause an out-of-sync issue.
Each service can be toggled to work either with individual "Service or Config" interface or with Content Policies.
Toggling on Content Policy for a service will restrict the legacy UI to "read only" mode.
Administrators can now force publish all the content of a policy in two ways:
Policy Listing > More Actions > Force Publish
Policy Details > Force Publish
Administrators can easily find content, policies, or groups of interest by using the Filtering capability of the UI in the Content Library, Policy Listing page, Policy Details page, and Group Listing page.
Administrators can receive meta key and operator suggestions while creating application and network rule conditions. This eases the creation of error-free rules. Administrators can also opt for 'Advanced mode' to create complex queries.
Addressed an issue where the Content Policy UI was not usable without an active connection to Live.
Administrators can now create, modify and publish policies and manage custom content in the Content Library even without an internet connection.
An Internet connection is still required in order to synchronize Live content with the Content Library.
Administrators can now manage ESA content from the (Configure) > Policies page:
Manage ESA content and handle multiple deployments seamlessly using policies.
One-click management of subscriptions and automatic updates for ESA content.
Toggle the Subscribe button to enable automatic updates of ESA content.
Seamlessly view ESA Live content along with your own custom content.
Add and manage ESA Correlation servers as part of groups.
Manage all the data sources for the ESA Correlation servers from the Settings > Event Stream Analysis > Data Sources page.
The Respond view is enhanced to help analysts export and store the Incidents with Alerts and Events in JSON format for offline investigation.
Incidents List View Enhancements
The new Export drop-down allows analysts to export and download data, such as the fields or attributes associated with the Alerts and Events of the selected Incidents.
You can export data for a maximum of ten incidents at a time. While a download is in progress, you can select a different set of up to ten incidents and export their data simultaneously. You can repeat this until the max-user-tasks limit, the maximum number of concurrent incident export tasks set for the Respond service under rsa.respond.incident.exports, is reached.
The following section describes the new enhancements for the NetWitness user interface:
NetWitness User Interface Enhancements
The 12.1.0.0 release includes the new NetWitness corporate logo. You can view the new logo in NetWitness Platform XDR, which updates the identity of NetWitness as a trusted brand.
As part of the repositioning, we are renaming our product as NetWitness Platform XDR. This change aims to simplify communications and improve our customers' understanding of how each product secures and protects within the NetWitness portfolio.
Endpoint Investigation
Initiate YARA Scans at the Endpoint Agent Level
Analysts can initiate YARA scans at the endpoint agent level by selecting one or multiple endpoint agents.
Enhanced Process Tree View for Endpoint Alerts on Respond
The Process Tree view on the Respond > Alerts > Endpoint Alerts > Alert details page is enhanced with a new File Actions tab next to Investigate Timeline. With this enhancement, analysts can quickly save a local copy of the selected file, download it to the server, or block it.
Policy based Centralized Content Management is a unified approach to find, deploy, and manage content through the entire life cycle based on policies that can be assigned to groups of devices. It is a single location to view, modify and manage the content deployed across all services in the environment.
Benefits of Policy based Centralized Content Management:
Add content from RSA Live or add your own custom content.
Add or remove content without repeating the process on each individual service.
Add a new service to an existing group to automatically deploy all necessary content.
Simply toggle the Subscribe button to enable automatic updates of content: one-click management of subscriptions and automatic updates.
Provides a highly responsive and up-to-date UI for browsing RSA Live content that lets you:
View Live and custom content along with your content policies and click to add content.
Seamlessly view Live content along with your own custom content.
Centrally import and deploy live and custom content.
The following section describes the new enhancements for the Springboard component:
Enhanced Springboard to Support New Built-in Panels
NetWitness Platform Springboard introduces five more out-of-the-box panels based on the events processed and presented in the Springboard view. On the Springboard, Administrators and Analysts can now view the following panels of event data, which help in threat hunting and investigation:
MITRE ATT&CK tactics
MITRE ATT&CK techniques
Indicators of Compromise
Enablers of Compromise
Behaviors of Compromise
Administrators can customize these panels to display only the event-focused data for analysts to carry out further investigation.
Administrators and Analysts can now add their own custom private board to the NetWitness Platform Springboard and add panels with important system indicators, which helps in threat hunting and investigation. The custom private board is visible only for users who created it. The board allows users to organize and manage information in an easy manner.
During an investigation, Administrators and Analysts can add a Springboard panel from the Investigate > Events view. You can add any number of filters in the query search bar and convert them into Springboard panels to watch the results and detect further activity. The newly added panels are saved under a custom private board, which allows users to organize and manage information easily.
The Respond view is enhanced to track and capture all the actions performed by users on an incident. The toolbar actions are enhanced to allow users to select only a valid priority, status, and assignee for an incident.
Incident Workflow Enhancements
The following changes have been made to the Change Status drop-down list in the Respond > Incidents view:
Added the new incident status Reopen to help users reopen closed incidents.
Removed the New and Assigned statuses from the drop-down; they are still displayed in the Status column in the Respond > Incidents > Incidents List view.
Streamlined the incident status change workflow. All invalid statuses are grayed out, allowing users to select only a valid status for any incident.
The new History panel is added to display every action performed by a user on an incident. The various actions performed on an incident are shown below:
The following section describes the new enhancements for the Investigation component:
Indicators for Searchable Meta
Meta key and meta value pairs now display a binocular icon while viewing a text reconstruction in the Event Meta panel, indicating that the pair is searchable. This lets analysts see at a glance which metadata can be searched instead of going through the whole list to work out which values may be searched.
Unified Discovery and Interaction of Events Metadata
Hosts and Files Alerts Details View
Analysts have a unified way to interact with events metadata presented in the Alerts tab of Hosts and Files details view to perform actions or review contextual information. Analysts can use the right and left click options to view the unified panel data.
For more information on Hosts and Files, see the Analyze Hosts Using the Risk Score and Analyze Files Using the Risk Score topics in the NetWitness Platform Endpoint User Guide.
Respond View
Analysts have a unified way to interact with events metadata presented in the Respond view to perform actions or review contextual information.
On the Respond Indicators panel, Nodal Graph, and Events List view, analysts can use the left and right click options to view the unified panel data.
Enhanced Querying on Events View to Exclude any Specific Meta
Analysts can now exclude particular meta values while querying, using the NOT(meta contains 'meta value') option available in the Investigate unified panel. When you use NOT(meta contains 'meta value') with the Append or Refocus option on a specific meta value, events matching that value are removed from the query results. This lets analysts view only the data they need and conduct further investigation efficiently.
Analysts can directly view encrypted data that the Decoder has decrypted, reducing the time and effort spent converting data into a readable format. Analysts can enable this using the Display Decrypted Payload toggle in the Events > Text view.
Select Custom Date and Time Range in the Events View
Analysts can set a custom range in the Investigate > Events view to select a specific time, date, month, and year using the calendar view displayed on clicking the Custom Range option. This helps analysts select the date and time quickly and avoids manual typing, and therefore typos.
The following section describes the new enhancements for the NetWitness user interface:
NetWitness User Interface Enhancements
The 12.0.0.0 release includes the new NetWitness corporate logo. You can view the new logo in NetWitness Platform, which updates the identity of NetWitness as a trusted brand.
As part of the repositioning, we are renaming our product as NetWitness Platform XDR. This change aims to simplify communications and improve our customers' understanding of how each product secures and protects within the NetWitness portfolio.
Endpoint Investigation
The following section describes the new enhancements for the Endpoint component:
Detection of removable Storage Devices
NetWitness Endpoint Agents are enhanced with the capability to detect and report removable storage devices. The Endpoint agents detect and report when a removable storage device is plugged in or removed. This enhancement provides analysts with extended threat detection capabilities. For more information, see the NetWitness Endpoint User Guide.
Block Multiple File Hashes Using an Imported File
Administrators can import a file containing a list of known file hashes that are not yet present in the environment and block them as soon as they are detected. This helps analysts block multiple hashes without manual intervention.
Support for Arm-based Windows Machines
Administrators can install Endpoint agents on Arm-based Windows machines. This enhancement provides analysts with threat detection capabilities on more types of devices.
Download MFT from Multiple Hosts in One Step
Analysts can now download the MFT (Master File Table) from multiple hosts in one step from the Hosts list view, without opening the Host details view of each host. For more information, see the Download Master File Table topic in the NetWitness Endpoint User Guide.
Customizable Maximum File Download Limits
The maximum number of file downloads on the Endpoint server is now configurable. On the Explore page of an Endpoint server, Administrators can set the limit anywhere from 100 to 1000 files. For more information, see Download Files Using Full Path or Wildcard in the NetWitness Endpoint User Guide.
Redesigned Alert Details View for Endpoint Alerts in Respond
In the Respond view, the alert details view for Endpoint alerts shows end-to-end details about an alert. The details are presented in the form of a process tree along with a right panel that provides detailed information about the alert categorized into the following sections:
Summary: A short summary of the alert.
Event Details: Shows the directory, user, hash, signature, risk score, etc.
Process Details: Shows the tactics, techniques, times and details about the targets.
Network Connections: Shows any network connection established from ten minutes before until ten minutes after the alert trigger time.
Origin: Shows how the selected file in the process tree originated.
Exists on Hosts: The hosts on which the selected file in the process tree exists.
Besides the above sections, the Investigate Timeline link takes you to the Investigate view, which has more detailed information.
The following section describes the new enhancements for the Concentrator, Decoder, and Log Decoder components:
Log Parsing Enhancements
The following log parsing enhancements are made in 12.0.0.0 version. These are new elements that you use in the creation of a log parser:
New Selector Parsing Element Added to Dynamically Map Captured Values to a Meta Key
This allows the log parser to automatically choose from two or more optional meta keys to assign to a parsed value, depending upon the value of another meta key. Consider the following sample log snippet:
In the above example, if the value of Direction is "src", then the preferred meta key for the value of Address would likely be ip.src. Conversely, if the value of Direction is "dest", then the meta key ip.dst might be preferred. This can now be achieved with the new SELECTOR log parsing element.
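The selection logic described above, as an added example in Python that is not a NetWitness parser and does not reproduce the SELECTOR XML syntax (which this page does not show): the captured Direction value decides whether the captured Address is registered under ip.src or ip.dst. The key=value log format, the field names, the fallback key alias.ip and the log lines are constructed for this example; the one design point worth copying is that an unknown selector value still lands in a searchable key rather than being silently dropped.

```python
"""Added example (not a NetWitness parser): choose the meta key for one
captured value based on the value of another capture, the way the page
describes SELECTOR. Log format, field names and lines are constructed."""
import ipaddress
import re

# Constructed key=value format; the field names are assumptions.
LINE_RE = re.compile(r"direction=(?P<direction>\w+)\s+address=(?P<address>\S+)")

# Selector table: value of the Direction capture -> meta key for the Address capture.
ADDRESS_SELECTOR = {"src": "ip.src", "dest": "ip.dst"}


def parse_line(line: str, default_key: str = "alias.ip") -> dict:
    """Return the meta registered for one log line (empty dict if no match)."""
    m = LINE_RE.search(line)
    if not m:
        return {}
    direction, address = m.group("direction").lower(), m.group("address")
    meta = {"direction": direction}
    try:
        ipaddress.ip_address(address)  # refuse to register garbage as an IP meta
    except ValueError:
        meta["parse.error"] = f"invalid address {address!r}"
        return meta
    # Unknown selector values fall back to a neutral key (assumed name) instead of
    # being dropped, so malformed or novel logs still leave a searchable trail.
    meta[ADDRESS_SELECTOR.get(direction, default_key)] = address
    return meta


def parse_all(lines):
    return [parse_line(line) for line in lines]


SAMPLE_LOGS = [  # constructed
    "Jan 10 12:00:01 fw1 event: direction=src address=10.1.2.3 action=allow",
    "Jan 10 12:00:02 fw1 event: direction=dest address=203.0.113.9 action=deny",
    "Jan 10 12:00:03 fw1 event: direction=both address=192.0.2.7 action=allow",
    "Jan 10 12:00:04 fw1 event: direction=src address=not-an-ip action=allow",
]

if __name__ == "__main__":
    for meta in parse_all(SAMPLE_LOGS):
        print(meta)
```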
Support for Advanced Parsing Elements within CEF Parser and DataType
Support added to CEF parser for VARTYPE, SCANNED, DataType, and Selector parsing elements.
Allows the CEF parser to take advantage of the fine parsing capabilities found in other parsers.
Dynamic parsing support including PARSERULESCAN added to DataType parsing element.
Allows nesting of dynamic parsing elements (parse rules) from within an existing DataType.
Enhanced Network Decoder to Decrypt Incoming TLS 1.3 Packets
The enhanced network packet decryption capability helps inspect TLS 1.3 encrypted communications using the ephemeral session keys. Administrators can configure the Network Decoder to enable decryption of incoming TLS 1.3 network packets. Note that TLS 1.3 negotiates fresh (EC)DHE keys for every session, so, unlike RSA key exchange in earlier versions, a server's long-term private key alone cannot decrypt captured traffic; the per-session secrets must be made available to the Decoder.
The Event Stream Analysis is enhanced to reduce the time consumed for new rules deployment.
Improved ESA Rules Deployment
The ESA rule deployment has been enhanced with a new option to deploy rules faster. If you want to push rule-related changes, you can quickly deploy the new rules by clicking the Fast Deploy option. For more information, see the Alerting with ESA Correlation Rules User Guide.
Reports
The following section describes the new enhancements for the Reports component:
Build Rule View Enhancements
The Build Rule view is enhanced to help users view the following information in the generated report:
The average time taken to assign the incident.
The average time taken to complete the task.
The average time taken to close the incident.
The following changes have been made in the Build Rule view:
Two new options are added in the From field:
incidentStats: The following metas are supported for incidentStats:
created
mtta.time: Displays the average time taken to acknowledge the incidents in a single day.
mtta.count: Displays the number of incidents acknowledged in a single day.
mttd.count: Displays the number of incidents detected in a single day.
mttd.time: Displays the average time taken to detect the incidents in a single day.
mttr.time: Displays the average time taken to resolve the incidents in a single day.
mttr.count: Displays the number of incidents resolved in a single day.
These metas are displayed in the generated report. Refer to the following figure.
incidentUserStats: The following metas are supported for incidentUserStats:
userName: Displays the assignee's or the user's ID for the associated user stats.
totalClosedCount: Displays the total number of Incidents closed by the assignee till date.
meanTimeToDetect: Displays the average time taken by the user to detect the incidents in the time range selected.
mttdCount: Displays the count of incidents contributing to the MTTD value computed.
incidentIds: Displays the list of incident IDs closed by the user during the time range selected.
These metas are displayed in the generated report. Refer to the following figure.
New metas are added for incident. The newly added metas are as shown below:
assignee.id
tta (Time to Acknowledge): Displays the time taken to assign an Incident after it is created.
ttd (Time to Detect): Displays the time taken to complete the task after the Incident is assigned.
ttr (Time to Resolve): Displays the time taken to close the task after the Incident is created.
These metas are populated in the Test Rule view. Refer to the following figure.
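The per-incident tta/ttd/ttr values and the daily incidentStats and per-user incidentUserStats rollups described above, computed as an added example that is not NetWitness reporting code. It follows the definitions on this page (tta: created to assigned; ttd: assigned to task completion; ttr: created to closed) and makes two assumptions that the page does not settle: the daily buckets are keyed by the incident's creation date, and the task-completion time is carried in an assumed field named task_completed. The incident records are constructed.

```python
"""Added example (not NetWitness reporting code): per-incident tta/ttd/ttr and
the daily (incidentStats) and per-assignee (incidentUserStats) rollups the
report metas describe. Incident records are constructed; bucketing by creation
date and the 'task_completed' field name are assumptions."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed incidents: two closed on the same day, one still open.
INCIDENTS = [
    {"id": "INC-1", "assignee.id": "alice", "created": ts("2024-01-10T08:00:00"),
     "assigned": ts("2024-01-10T08:30:00"), "task_completed": ts("2024-01-10T10:30:00"),
     "closed": ts("2024-01-10T12:00:00")},
    {"id": "INC-2", "assignee.id": "bob", "created": ts("2024-01-10T09:00:00"),
     "assigned": ts("2024-01-10T09:10:00"), "task_completed": ts("2024-01-10T09:40:00"),
     "closed": ts("2024-01-10T10:00:00")},
    {"id": "INC-3", "assignee.id": "alice", "created": ts("2024-01-11T14:00:00"),
     "assigned": ts("2024-01-11T14:20:00"), "task_completed": None, "closed": None},
]


def per_incident(inc: dict) -> dict:
    """tta: created->assigned, ttd: assigned->task complete, ttr: created->closed (seconds).
    A meta is omitted, not zeroed, when its end timestamp is missing."""
    out = {"id": inc["id"], "assignee.id": inc.get("assignee.id")}
    if inc.get("assigned"):
        out["tta"] = (inc["assigned"] - inc["created"]).total_seconds()
    if inc.get("assigned") and inc.get("task_completed"):
        out["ttd"] = (inc["task_completed"] - inc["assigned"]).total_seconds()
    if inc.get("closed"):
        out["ttr"] = (inc["closed"] - inc["created"]).total_seconds()
    return out


def incident_stats(incidents) -> dict:
    """Daily rollup keyed by creation date: mtta/mttd/mttr .time (mean) and .count."""
    buckets = defaultdict(lambda: defaultdict(list))
    for inc in incidents:
        day = inc["created"].date().isoformat()
        row = per_incident(inc)
        for key, label in (("tta", "mtta"), ("ttd", "mttd"), ("ttr", "mttr")):
            if key in row:
                buckets[day][label].append(row[key])
    stats = {}
    for day, groups in buckets.items():
        stats[day] = {"created": day}
        for label, vals in groups.items():
            stats[day][f"{label}.time"] = mean(vals)
            stats[day][f"{label}.count"] = len(vals)
    return stats


def incident_user_stats(incidents) -> dict:
    """Per-assignee: userName, totalClosedCount, meanTimeToDetect, mttdCount, incidentIds."""
    users = defaultdict(lambda: {"closed": [], "ttd": []})
    for inc in incidents:
        row = per_incident(inc)
        u = users[row["assignee.id"]]
        if "ttr" in row:
            u["closed"].append(row["id"])
        if "ttd" in row:
            u["ttd"].append(row["ttd"])
    return {name: {"userName": name,
                   "totalClosedCount": len(u["closed"]),
                   "meanTimeToDetect": mean(u["ttd"]) if u["ttd"] else None,
                   "mttdCount": len(u["ttd"]),
                   "incidentIds": u["closed"]}
            for name, u in users.items()}


if __name__ == "__main__":
    print(incident_stats(INCIDENTS))
    print(incident_user_stats(INCIDENTS))
```

Open incidents contribute to mtta but not to mttd or mttr, which is why the counts per day can differ between the three metas; a report that silently treated a missing close time as zero would pull the averages down and hide slow responses.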
Note: If you have the Export Connector plugin in your deployment, you must do the following:
- If you have Logstash installed separately, not as part of the NetWitness installation, you must uninstall the Export Connector plugin and install the updated Export Connector plugin after the 11.7.3 patch upgrade. For more information on installing the updated plugin, see Post-Upgrade Tasks in the Upgrade Guide for 11.7.3.
- If you have Logstash installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin is installed automatically during the 11.7.3 patch upgrade.
In both cases, the old Export Connector plugin files are not automatically removed after the upgrade. You must remove the old plugin files so that scans do not list them as vulnerabilities. For more information on how to remove the old plugin files, see Post-Upgrade Tasks in the Upgrade Guide for 11.7.3.
Endpoint Enhancements
The Hosts and Files view is enhanced to help analysts view the actual risk score of blacklisted files. The risk score of a file increases once it is blacklisted.
The File Name column is included when you export the Files attributes to a CSV file.
The timeouts or delays in MongoDB caused by a very large bash history on a few agents are resolved.
Usability Enhancements
The Test Chart feature in Reports (Reports > Charts > Add new chart > Test Chart) is enhanced to load with different time ranges.
Upgrade Paths
The following upgrade paths are supported for NetWitness Platform XDR 11.7.3.0:
11.7.2.0 to 11.7.3.0
11.7.1.2 to 11.7.3.0
11.7.1.1 to 11.7.3.0
11.7.1.0 to 11.7.3.0
11.7.0.2 to 11.7.3.0
11.7.0.1 to 11.7.3.0
11.7.0.0 to 11.7.3.0
11.6.1.4 to 11.7.3.0
11.6.1.3 to 11.7.3.0
11.6.1.2 to 11.7.3.0
11.6.1.1 to 11.7.3.0
11.6.1.0 to 11.7.3.0
11.6.0.0 to 11.7.3.0
11.5.3.3 to 11.7.3.0
11.5.3.2 to 11.7.3.0
For more information on upgrading to 11.7.3.0, see Upgrade Guide for NetWitness Platform XDR 11.7.3.0
Note: If you have the Export Connector plugin in your deployment, you must do the following:
- If you have Logstash installed separately, not as part of the NetWitness installation, you must uninstall the Export Connector plugin and install the updated Export Connector plugin after the 11.7.2 patch upgrade. For more information on installing the updated plugin, see Post-Upgrade Tasks in the Upgrade Guide for 11.7.2.
- If you have Logstash installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin is installed automatically during the 11.7.2 patch upgrade.
In both cases, the old Export Connector plugin files are not automatically removed after the upgrade. You must remove the old plugin files so that scans do not list them as vulnerabilities. For more information on how to remove the old plugin files, see Post-Upgrade Tasks in the Upgrade Guide for 11.7.2.
Upgrade Paths
The following upgrade paths are supported for NetWitness Platform XDR 11.7.2.0:
The NetWitness 11.7.1.2 release notes provide information about the changes in NetWitness Platform 11.7.
Fixed Issues
For more information on Fixed Issues, see Fixed Issues.
Security Fixes
The Log4j vulnerability recently discovered in the commonly used open source logging library has been addressed. This applies to CVE-2021-44228. For more information, see the Security Advisory for Log4j.
Note: This patch release of NetWitness addresses the log4j vulnerabilities reported to date. The following CVEs were validated and found to be not exploitable:
- CVE-2021-44228
- CVE-2021-44832
- CVE-2021-4104
- CVE-2021-45105
- CVE-2021-45046
NetWitness will continue to monitor this issue for new developments and provide periodic updates.
Note: If you have the Export Connector plugin in your deployment, you must do the following:
- If you have Logstash installed separately, not as part of the NetWitness installation, you must uninstall the Export Connector plugin and install the updated Export Connector plugin after the 11.7.1.2 patch upgrade. In this case, the old Export Connector plugin files are not automatically removed after the upgrade. You must remove the old plugin files so that scans do not list them as vulnerabilities. For more information on how to remove the old plugin files and install the updated plugins, see Post-Upgrade Tasks.
- If you have Logstash installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin is installed automatically during the 11.7.1.2 patch upgrade.
Note: While upgrading from 11.5.x.x and 11.6.x.x to 11.7.x.x, traces of the old .jar files with vulnerable versions of log4j were left in the /tmp/jetty folder, so vulnerability scans reported the presence of older log4j versions. This issue has been addressed: the /tmp/jetty folder is now cleaned up to remove the older log4j versions.
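A check an administrator can run after the upgrade to confirm that no stale log4j jar survives in a directory such as /tmp/jetty, as an added example that is not NetWitness tooling. It walks the tree, flags any log4j-core jar whose version is below 2.17.1 (the 2.x release that fixes CVE-2021-44832, the last CVE in the list above) and any jar, whatever its name, that still contains JndiLookup.class, the class whose removal is the standard mitigation for CVE-2021-44228. The sample jars are constructed in a temporary directory; the version cutoff is an assumption for the 2.x branch only.

```python
"""Added example (not NetWitness tooling): find leftover vulnerable log4j jars
under a directory tree. Sample jars are constructed; the 2.17.1 cutoff is an
assumption that applies to the log4j 2.x branch."""
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)+)\.jar$")
FIXED = (2, 17, 1)  # assumption: 2.17.1 closes CVE-2021-44832 on the 2.x branch


def version_tuple(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def inspect_jar(path: str):
    """Return {'path', 'findings'} for a suspicious jar, or None if it looks clean."""
    findings = []
    m = LOG4J_CORE_RE.search(os.path.basename(path))
    if m and version_tuple(m.group(1)) < FIXED:
        findings.append(f"log4j-core {m.group(1)} < 2.17.1")
    # Name checks miss renamed or shaded jars, so also look inside the archive.
    try:
        with zipfile.ZipFile(path) as zf:
            if JNDI_CLASS in zf.namelist():
                findings.append("contains JndiLookup.class")
    except zipfile.BadZipFile:
        findings.append("not a readable jar")
    return {"path": path, "findings": findings} if findings else None


def scan_tree(root: str) -> list:
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                hit = inspect_jar(os.path.join(dirpath, name))
                if hit:
                    hits.append(hit)
    return sorted(hits, key=lambda h: h["path"])


def build_fixture(root: str) -> str:
    """Constructed tree: one vulnerable jar, one patched jar, one unrelated jar."""
    os.makedirs(root, exist_ok=True)
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.14.1.jar"), "w") as zf:
        zf.writestr(JNDI_CLASS, b"")
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.17.1.jar"), "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Core.class", b"")
    with zipfile.ZipFile(os.path.join(root, "jetty-util-9.4.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return root


def demo() -> list:
    """Build the fixture in a fresh temp dir and scan it."""
    return scan_tree(build_fixture(os.path.join(tempfile.mkdtemp(), "jetty")))


if __name__ == "__main__":
    for hit in demo():
        print(hit["path"], hit["findings"])
```

Run it against the real folder with scan_tree("/tmp/jetty") once the upgrade finishes; an empty result is what the cleanup described in the note should produce.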
The NetWitness 11.7.1.1 release notes provide information about the changes in NetWitness Platform 11.7.
Fixed Issues
For more information on Fixed Issues, see Fixed Issues.
Security Fixes
The Log4j vulnerability recently discovered in the commonly used open source logging library has been addressed. This applies to CVE-2021-44228. For more information, see the Security Advisory for Log4j.
Note: This patch release of NetWitness addresses the log4j vulnerabilities reported to date. The following CVEs were validated and found to be not exploitable:
- CVE-2021-44228
- CVE-2021-44832
- CVE-2021-4104
- CVE-2021-45105
- CVE-2021-45046
NetWitness will continue to monitor this issue for new developments and provide periodic updates.
Note: If you have the Export Connector plugin in your deployment, you must do the following:
- If you have Logstash installed separately, not as part of the NetWitness installation, you must uninstall the Export Connector plugin and install the updated Export Connector plugin after the 11.7.1.1 patch upgrade. In this case, the old Export Connector plugin files are not automatically removed after the upgrade. You must remove the old plugin files so that scans do not list them as vulnerabilities. For more information on how to remove the old plugin files and install the updated plugins, see Post-Upgrade Tasks.
- If you have Logstash installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin is installed automatically during the 11.7.1.1 patch upgrade.
Upgrade Paths
The following upgrade paths are supported for NetWitness 11.7.1.1:
NetWitness 11.5.3.2 to 11.7.1.1
NetWitness 11.5.3.3 to 11.7.1.1
NetWitness 11.6.0.0 to 11.7.1.1
NetWitness 11.6.0.1 to 11.7.1.1
NetWitness 11.6.1.0 to 11.7.1.1
NetWitness 11.6.1.1 to 11.7.1.1
NetWitness 11.6.1.2 to 11.7.1.1
NetWitness 11.6.1.3 to 11.7.1.1
NetWitness 11.6.1.4 to 11.7.1.1
NetWitness 11.7.0.0 to 11.7.1.1
NetWitness 11.7.0.1 to 11.7.1.1
NetWitness 11.7.0.2 to 11.7.1.1
NetWitness 11.7.1.0 to 11.7.1.1
Enhancements
The following section lists the enhancements to specific capabilities. To locate the document referred to in this section, go to the NetWitness Platform 11.x - All Documents. Product Documentation has links to the documentation for this release.
Reports
View Creator Information
The Created By column has been added to the Reports List page. This column enables you to view and analyze the ownership information of all the reports that exist in the system, including new, copied, and imported reports. When a report is exported, the owner details are retained. However, when a report is copied, the owner of the report changes to the user who created the copy. For more information, see the Reporting User Guide.
Log Collection
Administrators can now fetch user information from the logs collected through the MSExchange Management channel.
To view the user information:
Navigate to Server Manager > Diagnostics > Event Viewer > Applications and Services Logs > MSExchange Management.
In the MSExchange Management view, select the log file.
Click the Details tab and select XML View.
Select EventData. The third row in the <EventData> section displays the required user information.
Note: Alternatively, you can select the Friendly View under the Details tab to view the user information in the EventData section.
Administrators can pre-stage the upgrade repository by downloading the required packages (.zip) without affecting the system. This minimizes the upgrade downtime and ensures the upgrade is completed within the planned time. The Pre-Stage Host option is available in the NetWitness UI and requires the NetWitness Server Host to be connected to Live Services. For more information, see the Hosts and Services Maintenance Procedures topic in the Hosts and Services Getting Started Guide.
Note: You can use this feature only if you upgrade from 11.7.1.0 to a higher version.
Support for Additional Pre-Upgrade Check Utility
An additional health-check utility is introduced for Administrators to analyze the current NetWitness setup and identify conditions that may impact the upgrade. If any issues are detected, they can be resolved before proceeding with the upgrade.
The pre-upgrade check verifies the following:
(Component Hosts) Node X Service Status - Verifies the status of services (Active or Inactive) on all Node X hosts.
(Component Hosts) Node X Certificates Check - Checks for certificate expiry, missing or corrupted certificates, and issuer mismatch in all categories on Node X.
CPU-Memory Info - Provides CPU and memory details along with the real-time available memory.
(Admin Server) Node 0 File System Utilization - Verifies the disk partition utilization of /var/netwitness/mongo, /var/netwitness and root on Node 0.
(Component Hosts) Node X File System Utilization - Verifies the disk partition utilization of /var/netwitness/mongo, /var/netwitness and root for ESA Primary, Endpoint Log Hybrid, and UEBA services on Node X.
Mongo File (ESA Primary) - Checks the ESA Primary node in the system and verifies the permission mode of the mongo file.
Orchestration Server Normal Mode - Checks whether the orchestration service is running in normal or safe mode.
(Admin Server) Node 0 Init status - Checks for any issues that might cause the init process to fail.
(Admin Server) Node 0 closed ports - Checks whether the service ports required for NetWitness services are open and listening on Node 0.
(Component Hosts) Node X closed ports - Checks whether the service ports required for NetWitness services are open and listening on Node X.
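Two of the checks above, file system utilization and closed ports, written as an added example in plain Python that is not the NetWitness utility, so that the same conditions can be verified (or scripted into a change ticket) on any host before the upgrade window. The disk check uses the three partitions the page names and reports a missing mount point as a failure rather than skipping it; the port check parses `ss -ltn` output, which here is a constructed sample. The utilization threshold and the list of required ports are assumptions, since the page gives neither.

```python
"""Added example (not the NetWitness pre-upgrade utility): disk partition
utilization and required-ports-listening checks. The ss output is constructed;
the threshold and the required port list are assumptions."""
import re
import shutil
import subprocess

MONITORED_PATHS = ["/var/netwitness/mongo", "/var/netwitness", "/"]


def disk_usage_pct(path: str) -> float:
    u = shutil.disk_usage(path)
    return 100.0 * u.used / u.total


def check_filesystems(paths, threshold_pct: float = 80.0) -> dict:
    """Return {path: (pct_used, ok)}; a missing mount point is (None, False),
    because an absent data partition is a worse sign than a full one."""
    results = {}
    for p in paths:
        try:
            pct = disk_usage_pct(p)
        except FileNotFoundError:
            results[p] = (None, False)
            continue
        results[p] = (round(pct, 1), pct < threshold_pct)
    return results


# One LISTEN line of `ss -ltn`: State Recv-Q Send-Q Local Address:Port ...
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s", re.M)


def listening_ports(ss_text: str) -> dict:
    """Parse `ss -ltn` output into {port: set(local addresses)}."""
    ports = {}
    for addr, port in LISTEN_RE.findall(ss_text):
        ports.setdefault(int(port), set()).add(addr)
    return ports


def closed_ports(required, listening: dict) -> list:
    """Required ports with no listener at all (sorted)."""
    return sorted(p for p in required if p not in listening)


def live_ss_output() -> str:
    """Run ss on the current host; only used from main, not from the sample run."""
    return subprocess.run(["ss", "-ltn"], check=True, capture_output=True, text=True).stdout


# Constructed `ss -ltn` sample: sshd, HTTPS, a loopback-only MongoDB, one IPv6 listener.
SS_SAMPLE = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    127.0.0.1:27017     0.0.0.0:*
LISTEN 0      128    [::]:50005          [::]:*
"""
REQUIRED_PORTS = [22, 443, 15671, 27017, 50005]  # assumed list, not the product's


def run_checks(ss_text: str = SS_SAMPLE, paths=MONITORED_PATHS) -> dict:
    """Bundle both checks into one report dict."""
    return {
        "filesystems": check_filesystems(paths),
        "closed_ports": closed_ports(REQUIRED_PORTS, listening_ports(ss_text)),
    }


if __name__ == "__main__":
    print(run_checks())
```

The address set kept per port is deliberate: a service that is listening, but only on 127.0.0.1 when a component host needs to reach it, passes a naive open/closed test and still breaks the upgrade.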
Unified Discovery and Interaction of Investigate Metadata- Analysts have a unified way to interact with metadata presented in the Events view to perform actions or review contextual information.
Analysts can perform actions and view the context data for a selected meta in the same window or a separate window that will enable the display of data in an optimized manner, and easily carry out further investigation.
Free-form Query Preference - With the new preference, analysts can choose to split free-form queries into multiple guided filters or keep them as a single free-form query. Analysts can switch modes using the Free Form Split checkbox.
Light Theme Overhaul - The existing light theme primary and secondary colors in the UI have been enhanced to provide better contrast and shading for an improved user experience.
Capabilities for Detecting Ransomware that Use the Registry
Endpoint agents can detect ransomware that uses the registry to perform actions such as forcing Windows machines to reboot in safe mode, encrypting files, and deleting volume shadow copies.
Endpoint Agent Support for macOS Monterey and Windows 11
Endpoint Agents are enhanced to support macOS Monterey (12.0.1) and Windows 11. To view the list of supported operating systems, see Introduction to Endpoint Agent Installation in the NetWitness Endpoint Agent Installation Guide.
Support for Offline or Standalone Scans on Air-gapped Windows Hosts
Administrators can execute offline or standalone scans on air-gapped Windows hosts to perform threat analysis on hosts that are disconnected from the network. Administrators download the Offline Scan Configuration file from the UI and execute it on multiple air-gapped hosts. The resulting Offline Scan File (scan results file) is then transferred back and uploaded through the UI to the Endpoint server for processing. See the Standalone Scan on Air-gapped Windows Hosts topic in the NetWitness Endpoint User Guide for more information.
Support for Full System Scan
Analysts can perform a full system scan of system drives and all fixed drives, in addition to the quick scan of executable files in memory. For more information, see the Scan Hosts topic in the NetWitness Endpoint User Guide.
Redesigned Alerts Tab for Optimized Navigation
Analysts can use the redesigned Alerts tab on the Host details view to conveniently access all alert information and the associated events. For more information, see the NetWitness Endpoint User Guide.
Concentrator, Decoder, and Log Decoder Services
Centralized Configuration Management Enhancements
The enhanced centralized configuration management allows administrators to:
Reconfigure 10G Network Decoders from the Policy UI. Administrators can quickly create 10G policies for each Decoder group based on the hardware profile.
Clone policy from an existing service to save policy transition time for existing users.
Restart only specific services within a service group that require changes. This minimizes potential downtime.
Enhanced Network Decoder to Support Load Balancing Deployments
When you shut down a Decoder, the network interfaces connected to it are automatically shut down, so the load balancers divert traffic to the other available Decoders. This prevents data loss for customers who use load balancers to distribute traffic between several Decoders. For more information, see the Configure the Decoder Capture Failover in Load Balance Deployments topic in the Decoder and Log Decoder Configuration Guide.
Event Stream Analysis (ESA)
Enhanced Performance when Retaining Incident Network Data Artifacts
Respond analysts who save the artifacts of an incident now get clearer feedback on the tasks that are running, and those tasks complete faster.
Analysts can use the new Retention Usage tab to view the statistics of all configured services and the percentage of space used by the pinned cache directories.
With this information, analysts can:
Determine whether the disk is running out of space and whether additional space needs to be added, or whether persistence needs to be suspended for the existing events in an incident.
Obtain insight into the space requirements of the retention functions.
In the Respond > Incidents tab, analysts can click the Retention Usage tab to fetch the statistics of all configured services and the percentage of space used by the pinned cache directories.
Administrators can configure a feed to ignore case when matching its values, as part of the feed wizard in the UI. This saves the administrator from converting the feed into XML format or performing additional steps during deployment. For more information, see Creating a Custom Feed in the Live Services Management Guide.
NetWitness Topology Feature
The following enhancements help administrators and analysts to:
Obtain quick insights using the Search Option– The search option helps locate a specific service, without having to look at the entire hierarchical layout.
View ESA hosts: ESA service and the connected services can be viewed in the hierarchical layout.
Improved error messaging to include the source string and target format when an unrecognized string format exception is generated to help users determine the root cause.
Support for new internal RAID controller (PERC H750) on Series 6 Appliances
The existing internal controller (PERC H740 Mini) on S6 RSA PowerEdge 640/740 based appliances is replaced with the PERC H750. All S6 appliances will ship with the new ISO that supports the PERC H750, and all future S6 appliances and RMAs will have the PERC H750. Before adding a new appliance with a PERC H750 to your existing deployment (for example, 11.7.0.0 or 11.7.0.1), you must first upgrade the Admin Server and Standby Admin Server to version 11.7.0.2 or higher.
The NetWitness 11.7.0.2 release notes provide information about the hardware changes in NetWitness Platform 11.7.
Security Fixes
The Log4j vulnerability in the commonly used open source logging library has been addressed. For more information, see the 11.7.0.1 Release Notes.
Support for new internal RAID controller (PERC H750) on Series 6 Appliances
The existing internal controller (PERC H740 Mini) on S6 RSA PowerEdge 640/740 based appliances is replaced with PERC H750. All S6 appliances from now on will have the new ISO to support PERC H750.
Note: By default, all future S6 appliances and RMA will have PERC H750, so you must upgrade the Admin Server and Standby Admin Server to 11.7.0.2, before adding a new appliance with PERC H750 to your existing 11.7.0.0 or 11.7.0.1 deployment.
Upgrade Paths
The following upgrade paths are supported for NetWitness 11.7.0.2:
The NetWitness 11.7.0.1 release notes provide information about the changes in NetWitness Platform 11.7.
Security Fixes
The Log4j vulnerability recently discovered in the commonly used open source logging library has been addressed. This applies to CVE-2021-44228. For more information, see the Security Advisory for Log4j.
Note: This patch release of NetWitness addresses the log4j vulnerabilities reported to date. The following CVEs were validated and found to be not exploitable:
- CVE-2021-44228
- CVE-2021-44832
- CVE-2021-4104
- CVE-2021-45105
- CVE-2021-45046
NetWitness will continue to monitor this issue for new developments and provide periodic updates.
Note: If you have the Export Connector plugin in your deployment, you must do the following:
- If Logstash is installed separately, not as part of the NetWitness installation, uninstall the Export Connector plugin and install the updated Export Connector plugin after the 11.7.0.1 patch upgrade. For instructions on installing the updated plugin, see Post-Upgrade Tasks.
- If Logstash is installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin is installed automatically during the 11.7.0.1 patch upgrade.
In both cases, the old Export Connector plugin files are not removed automatically after the upgrade. You must remove the old plugin files so that vulnerability scans do not report them. For how to remove the old plugin files, see Post-Upgrade Tasks.
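The note above tells administrators to remove leftover Export Connector plugin files so that vulnerability scans stop reporting them. The following added example (written for this page, not NetWitness or Apache code) shows how such a scan decides what to flag: it walks a directory, opens every .jar and one level of nested jars (plugins often bundle log4j-core), reads the Log4j version from the Maven pom.properties entry, and checks for the JndiLookup class that CVE-2021-44228 abuses. The fix versions in classify() are the ones published by the Apache Log4j project; the 2.3.x and 2.12.x back-port releases are not special-cased, so they are reported conservatively. The sample jars are constructed in build_sample_jar() and contain no real class files.

```python
"""Scan jars on disk for Log4j versions affected by the CVEs listed above.
Added example, not NetWitness code. Sample jars are constructed in-memory."""
import io
import os
import re
import zipfile

POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"   # Log4j 1.2, CVE-2021-4104


def parse_version(pom_properties):
    """(major, minor, patch) from a pom.properties body, or None if absent."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.M)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def classify(version, has_jndi_lookup, has_jms_appender):
    """CVE identifiers that apply to a jar with these properties (Apache fix versions)."""
    cves = []
    if has_jms_appender:
        cves.append("CVE-2021-4104")             # 1.x JMSAppender; needs write access to config
    if version is None:
        return cves
    if version < (2, 15, 0) and has_jndi_lookup:
        cves.append("CVE-2021-44228")            # fixed in 2.15.0; deleting JndiLookup mitigates
    if version < (2, 16, 0):
        cves.append("CVE-2021-45046")            # fixed in 2.16.0
    if version < (2, 17, 0):
        cves.append("CVE-2021-45105")            # fixed in 2.17.0
    if version < (2, 17, 1):
        cves.append("CVE-2021-44832")            # fixed in 2.17.1
    return cves


def scan_jar_bytes(data, label, depth=0):
    """Findings [(label, version, [cves])] for one jar and the jars nested in it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings                          # not a jar at all: nothing to report
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PATH in names:
            version = parse_version(zf.read(POM_PATH).decode("utf-8", "replace"))
        cves = classify(version, JNDI_LOOKUP in names, JMS_APPENDER in names)
        if cves:
            findings.append((label, version, cves))
        if depth < 1:                            # one level of shaded/nested jars
            for n in sorted(names):
                if n.endswith(".jar"):
                    findings += scan_jar_bytes(zf.read(n), f"{label}!{n}", depth + 1)
    return findings


def scan_tree(root):
    """Scan every .jar below root, e.g. a directory of leftover plugin files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.endswith(".jar"):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    findings += scan_jar_bytes(fh.read(), path)
    return findings


def build_sample_jar(version=None, with_jndi=False, with_jms=False, nested=None):
    """Construct a minimal in-memory jar for demonstration; not a real Log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            zf.writestr(POM_PATH, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")   # class-file magic only
        if with_jms:
            zf.writestr(JMS_APPENDER, b"\xca\xfe\xba\xbe")
        if nested:
            zf.writestr("lib/log4j-core.jar", nested)
    return buf.getvalue()


if __name__ == "__main__":
    old_core = build_sample_jar("2.14.1", with_jndi=True)
    plugin = build_sample_jar(nested=old_core)   # a plugin jar that shades old log4j-core
    for label, version, cves in scan_jar_bytes(plugin, "export-connector.jar"):
        print(label, version, ", ".join(cves))
```

Point scan_tree() at the directory that still holds the old plugin files; a jar whose JndiLookup class has been deleted is no longer flagged for CVE-2021-44228 but still for the later CVEs, which is why the release notes ask for the files to be removed rather than patched in place.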
Upgrade Paths
The following upgrade paths are supported for NetWitness 11.7.0.1:
As analysts review events, the new compact and expanded metadata views provide an alternative workflow for viewing only the high-level details of an event, and for use cases where no raw data is present.
Improved Broker Query Experience
Analyst queries at the top-level Broker now by default provide partial results when one of the sub-services loses connectivity or times out. In addition, a hierarchical view of what is attached to the Broker is available to analysts to exclude certain sub-services prior to query if necessary.
Email Reconstruction Improvement
Analysts can view the content of all the emails in a single session using the Expand All Emails option on the Email view.
Direct Query Interaction with Meta Keys in Event Filter Panel
Query creation has been streamlined: clicking directly on a meta key name generates a query containing only that meta key. Alternatively, searches on combinations of key-value pairs can be built inside the Event Filter panel without interacting with the query bar directly.
Network Fragment Identification
Analysts can view the related sessions for an event for analysis and investigation by hovering over the icon for the event.
Saved Time Ranges
Analysts can reuse the last five recently used time ranges for future searches, saving investigation time. The saved time ranges are displayed under the Recent Time Ranges section.
For more information, see the Investigation User Guide.
Endpoint Investigation
Granular Role Based Access Control for Endpoint Server
With the enhanced RBAC (Role-Based Access Control), administrators can grant or revoke access to specific Endpoint servers rather than to all of them. Two new permissions, endpoint-server.file.analyze and endpoint-server.tag.manage, add flexibility in managing user privileges. For more information on managing permissions for an individual Endpoint server, see the NetWitness Endpoint Configuration Guide.
Some Privileges Moved from endpoint-server.agent.manage to endpoint-server.file.analyze
The Analyze File, Save Local Copy, and Scan with OPSWAT privileges are removed from endpoint-server.agent.manage and added to a new permission called endpoint-server.file.analyze. For more information, see the System Security and User Management Guide.
Manage Hosts Using Tags
Analysts can create tags to manage hosts. Tags are custom text strings (alphanumeric and special characters may be combined) that you create and assign to hosts. You can create host groups based on tags, and on the Hosts view you can filter hosts by tag using the filters pane. Administrators can also create and assign tags when generating the agent packager; these tags are applied to hosts by default when the Endpoint agent is installed. For more information on managing tags, see the NetWitness Endpoint User Guide.
Enhanced Windows Agent to Support Detecting the Persistence Techniques Targeting the Registry
The enhanced Windows agent detects persistence techniques that use the Windows registry. The registry monitor is now more reliable at detecting suspicious activity. For more information, see the NetWitness Endpoint User Guide.
Enhanced Suspicious Thread Detection
Suspicious thread detection now uses several methods to detect and report suspicious threads more effectively, while analysts retain access to all the details and capabilities related to suspicious threads that were available before. For more information, see the NetWitness Endpoint User Guide.
Delete Blocked Files Through Elevated Command Prompt
Blocked files on a host can be deleted with the delete command from an elevated command prompt on that host.
Concentrator, Decoder, and Log Decoder Services
Introduction of Centralized Configuration Management
The management of general NetWitness core services namely Concentrator, Decoder, and Log Decoder configurations can be administered centrally from a single policy-based interface and distributed to multiple services. With centralized configuration management, administrators can:
Create a group of the same service type based on similar hardware profiles or other criteria
Add configuration items to policies in order to customize settings. Any settings which are not in the policy will be left as default
Apply customized settings to any number of services in one step
Restart all services within a group to apply changes
View when an action is required, such as service restart, unpublished policies or out-of-compliance services indicated by the icon.
Revert changes to a policy or group quickly
For more information, see the Host and Services Getting Started Guide.
Enhanced Query Accuracy
An optional per-meta-key index configuration extends the default key-value index with an N-gram layout. Besides enabling additional query and reporting capabilities on the key, the combination returns complete and accurate search results even after the key has reached its maximum value threshold.
For more information, see N-grams in the Core Database Tuning Guide.
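Why an N-gram layout keeps answering after a key reaches its value threshold is easier to see in code. The following added example (a conceptual illustration for this page, not the NetWitness index implementation) contrasts a plain key-value index, which stops indexing new distinct values once a per-key cap is reached, with an index over fixed-length character N-grams, whose vocabulary is bounded by the character set and therefore never fills up. The N-gram index yields candidate sessions that are then verified against the stored values; the cap, the hostnames, and the trigram size are all constructed for the example.

```python
"""Value cap versus N-gram index. Added example, not NetWitness code."""
from collections import defaultdict


class ValueIndex:
    """Exact-value index with a cap on distinct values per key (a valueMax-style limit)."""

    def __init__(self, value_max):
        self.value_max = value_max
        self.postings = defaultdict(set)      # value -> session ids
        self.dropped = 0

    def add(self, sid, value):
        if value not in self.postings and len(self.postings) >= self.value_max:
            self.dropped += 1                 # index full: this value is never searchable
            return False
        self.postings[value].add(sid)
        return True

    def contains(self, needle):
        """Sessions whose indexed value contains needle (linear scan over indexed values)."""
        return {s for v, sids in self.postings.items() if needle in v for s in sids}


class NGramIndex:
    """Index of fixed-length substrings; candidates are verified against the raw value."""

    def __init__(self, n=3):
        self.n = n
        self.postings = defaultdict(set)      # gram -> session ids (bounded vocabulary)
        self.values = {}                      # sid -> original value (what the meta DB holds)

    def grams(self, text):
        text = text.lower()
        return {text[i:i + self.n] for i in range(len(text) - self.n + 1)}

    def add(self, sid, value):
        self.values[sid] = value
        for g in self.grams(value):
            self.postings[g].add(sid)

    def contains(self, needle):
        needle = needle.lower()
        if len(needle) < self.n:              # shorter than a gram: any gram containing it
            cand = {s for g, sids in self.postings.items() if needle in g for s in sids}
        else:                                 # every gram of the needle must be present
            cand = None
            for g in self.grams(needle):
                sids = self.postings.get(g, set())
                cand = sids if cand is None else cand & sids
            cand = cand or set()
        # Gram matches are necessary, not sufficient (with n=2, "abxbc" has "ab" and "bc"
        # but not "abc"), so verify each candidate against the stored value.
        return {s for s in cand if needle in self.values[s].lower()}


def demo(value_max=3):
    """Index five constructed hostnames under a cap of three, then query both indexes."""
    hosts = ["mail.example.com", "vpn.example.com", "dc01.corp.local",
             "payroll-db.corp.local", "evil-c2.corp.local"]
    vi, ni = ValueIndex(value_max), NGramIndex(3)
    for sid, host in enumerate(hosts, start=1):
        vi.add(sid, host)
        ni.add(sid, host)
    return {"dropped": vi.dropped,
            "value_index": sorted(vi.contains("corp")),
            "ngram_index": sorted(ni.contains("corp"))}


if __name__ == "__main__":
    print(demo())
```

With a cap of three, the last two hostnames are never indexed by value, so a "contains corp" query over the value index returns only session 3; the N-gram index returns sessions 3, 4 and 5 because the trigrams "cor" and "orp" were indexed for every session regardless of how many distinct values the key had seen.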
Event Stream Analysis (ESA)
Enhancements for persisting Events and Incidents
Analysts can persist the events encompassed in an incident, so that the incident can be viewed in the future regardless of its age. Analysts can:
Pin or unpin multiple events at the incident and alert level
View details on when the events were persisted
Check the status of the persisted events: Completed, Partial, or None
Administrators can set up permissions for users to persist the raw data associated with a particular incident.
For more information, see the Respond User Guide.
Platform
Backup and Restore Improvements
A new NetWitness Recovery Wrapper tool is introduced to centrally back up and restore individual or multiple hosts. This tool allows custom files to be incorporated in restorations and handles all supported deployment installations (Physical, Virtual, and Cloud).
With NetWitness Recovery Tool administrators can:
Back up (export) an individual host, a specific set of hosts, or all hosts at a time
Restore (import) an individual host at a time
Customize files or folders during backup and restore
Copy backup data to remote host location from NetWitness hosts and vice versa
For more information, see the "Disaster Recovery (Back Up and Restore)" topic in the NetWitness Recovery Tool User Guide for NetWitness.
Upgrades
Introduction of Pre-Upgrade Check Utility
A new health-check utility is introduced for administrators to analyze the current NetWitness setup and identify conditions that may impact the upgrade. If any issues are detected, the issues can be resolved before proceeding with the upgrade.
The pre-upgrade check verifies the following:
Security Client File Check- Ensures the security-client-amqp.yml file is not present
Node-0 NW Service-id Status- Ensures all the service-ids are intact with the services on Node 0
Broker Service Trustpeer Symlink- Ensures the Broker symlink (/etc/netwitness/ng/broker/trustpeers/) is not broken
Node-0 NW Services Status- Checks the status of all the services in Node 0
Yum External Repo Check- Ensures external repos are not available
RPM DB Index Check- Checks if the RPM DB is corrupted
Salt Master Communication- Verifies the salt communication from Node 0 to all the Nodes
Node-0 Certificates Check- Checks if any certificates are missing, expired, or invalid
For more information, see the Upgrade Guide for NetWitness 11.7.
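The checks above, and the Node 0 / Node X checks listed earlier in this section, are described but not shown. The following added example (written for this page; it is not the NetWitness pre-upgrade utility) implements four of them in generic form: file-system utilization against a threshold, broken symlinks in a trust-peer style directory, closed service ports, and certificate expiry read directly from the DER structure so no third-party library is needed. Every check returns a value a caller can act on. Paths, ports and thresholds are parameters; the ones in demo() are placeholders, and synthetic_cert() builds a structurally valid but unsigned, meaningless certificate so the expiry check can be exercised offline.

```python
"""Pre-upgrade style health checks. Added example, not the NetWitness utility."""
import datetime
import os
import shutil
import socket
import ssl


def check_fs_utilization(path, max_percent):
    """(ok, percent_used) for the partition holding path; ok if at or under max_percent."""
    usage = shutil.disk_usage(path)
    pct = 100.0 * usage.used / usage.total
    return pct <= max_percent, round(pct, 1)


def broken_symlinks(directory):
    """Symlinks directly under directory whose target no longer exists."""
    out = []
    for name in sorted(os.listdir(directory)):
        p = os.path.join(directory, name)
        if os.path.islink(p) and not os.path.exists(p):
            out.append(p)
    return out


def check_port_listening(port, host="127.0.0.1", timeout=1.0):
    """True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def cert_not_after(cert):
    """notAfter of a DER or PEM X.509 certificate, walking the RFC 5280 layout
    Certificate > tbsCertificate > [version] serialNumber signature issuer validity."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    _, p, _ = _tlv(der, 0)                    # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                    # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                           # explicit [0] version is optional
        p = end
    for _ in range(3):                        # skip serialNumber, signature, issuer
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)                    # validity SEQUENCE
    _, _, p = _tlv(der, p)                    # skip notBefore
    tag, vs, ve = _tlv(der, p)                # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    stamp = datetime.datetime.strptime(der[vs:ve].decode("ascii"), fmt)
    return stamp.replace(tzinfo=datetime.timezone.utc)


def check_cert_expiry(cert, warn_days=30, now=None):
    """(ok, days_left); ok is False once fewer than warn_days remain or it has expired."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    days = (cert_not_after(cert) - now).days
    return days >= warn_days, days


def _der(tag, payload):
    """Encode one DER TLV; used only to build the synthetic test certificate."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def synthetic_cert(not_after):
    """Structurally valid but unsigned, meaningless DER 'certificate' (constructed,
    not a real certificate) so the expiry check can run offline."""
    t = _der(0x17, not_after.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                                   # version v3
           + _der(0x02, b"\x01")                                             # serialNumber
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
           + _der(0x30, b"")                                                 # empty issuer Name
           + _der(0x30, t + t))                                              # validity
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


def demo():
    """Run every check against placeholder inputs and return a {check: result} report."""
    soon = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=10)
    return {
        "fs_root": check_fs_utilization("/", 90),                     # placeholder threshold
        "trustpeers": broken_symlinks("."),                            # placeholder directory
        "port_443": check_port_listening(443),                         # placeholder port
        "cert": check_cert_expiry(synthetic_cert(soon), warn_days=30),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

On a real host, replace the placeholders with the partitions, trust-peer directory, service ports and certificate files the checks above name, and treat any False result as a reason to stop before the upgrade rather than during it.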
NetWitness Services
Introduction of NetWitness Service Topology Map
A view of the hierarchical layout of all NetWitness core services depicting the collection and aggregation of services provides administrators and analysts quick insights into their deployment and the services that are online or offline. This topology displays only the Broker, Concentrator, Log Decoder, Packet Decoder, Hybrids, and Log Collector services.
Note: Reporting Engine, Malware Analysis, UEBA, Endpoint Server, Cloud Link service, and Warehouse Connectors are not supported.
On the compact view, the Event Filter Panel and Event Meta Labels are optimized to display maximum information on a single page. With this view, analysts can easily perform the investigation. The label and icon size on the Event Filter Panel are optimized so that the meta keys and values are displayed on the same line.
Timeline Options
Analysts can now easily view the timeline for an event by clicking the icon. By default, the timeline is enabled for all events.
For more information, see the Investigate User Guide.
User Entity Behavior Analytics
Alert Feedback Enhancement
Analysts have the option to mark the status of multiple alerts as Not a Risk or None; None is used when the events are Not a Risk. Multiple alerts grouped by date can be selected for this action. When the status is updated, the alert contribution score changes automatically: if an alert is marked as Not a Risk, the alert score is reduced, and if the status is updated to None, the score increases. For more information, see the UEBA User Guide.
Endpoint Investigation
Support for OPSWAT Scans
Analysts can perform threat detection with multiple anti-malware engines simultaneously using OPSWAT (MetaDefender Core). Executable files (PE, Macro, Script, ELF) are automatically sent to the OPSWAT server for scanning. Analysts receive alerts when a file is found Infected or Suspicious (Critical severity for Infected and High severity for Suspicious files). The risk score of the file and of the corresponding host also increases, helping analysts respond to threats quickly. For more information on how to use OPSWAT within the NetWitness Platform, see the NetWitness Endpoint User Guide. For how to configure OPSWAT on Endpoint servers, see the NetWitness Endpoint Configuration Guide.
Create groups with Machine OU as a filter
Analysts can use Machine Organizational Unit (Machine OU) as a filter when creating groups on the Admin > Endpoint Sources > Groups view. Filtering hosts by Machine OU saves time and effort, as it is more effective than using IPv4 addresses or domain names in an environment with thousands of agents.
Extended Agent Support for macOS Big Sur (version 11) on M1
NetWitness Endpoint agents now support macOS Big Sur on both M1 and Intel hardware. For more information, see the NetWitness Endpoint Agent Installation Guide.
Automatic download of memory DLL files
Analysts can now investigate memory DLL files in detail. All memory DLL files detected during a scan are automatically downloaded to the server, irrespective of file size.
Added agent folder protection in the driver
From NetWitness Platform version 11.6.1, the files inside the agent folder are protected from delete, rename, and modify operations. This protection prevents malware from locking files inside the agent folder to block the sending of tracking data.
Event Stream Analysis (ESA)
Optionally Persist Incident Artifacts
You can persist events that are associated with particular incidents, thereby enabling you to view the incident in the future, regardless of its age. You can also add a new journal entry in the JOURNAL tab for the persisted events for future reference. The event data will always be available for viewing and reconstruction as long as the event is persisted, enabling you to easily refer back to details, even if the original event has rolled over from the NetWitness database.
Once you persist an event, the data is copied from the NetWitness database into a long-term storage cache within the data source. By default, persisted events are saved in the directory /var/netwitness/pin-<servicetype>. You can change the event storage location from the default directory to any other directory as required. For more information, see the Respond User Guide.
Log Collection
Trusted Authentication for NetWitness Export Connector
Trusted authentication lets NetWitness Export Connector authenticate with the existing aggregation certificates when it is configured. This eliminates the need to enter credentials (username and password) manually and avoids storing passwords locally.
Support for Logstash Keystore from UI
Logstash keystore management allows you to securely store and maintain (add, edit, or delete) secret values, such as keys and passwords, through the NetWitness Platform UI. The stored keys are then referenced in the Logstash pipeline configuration.
This eliminates the need to manually create or update credentials on the Log Decoder or Virtual Log Collector using Logstash Keystore CLI commands. For more information, see the Log Collection Guide.
Reports
View Creator Information
The Created By column has been added to the Reports List page. This column enables you to view and analyze the ownership information of all the reports that exist in the system, which includes new, copied, and imported reports. When a report is exported, the owner details are retained. However, when a report is copied, the owner of the report changes to the user who created the copy. For more information, see the Reporting User Guide.
Note: When you upgrade from a previous version to NetWitness Platform Release 11.6.1, the Created By column does not display the ownership information for the reports that exist prior to the upgrade.
The RSA NetWitness Platform 11.6.0.1 release notes provide information about the changes in NetWitness Platform 11.6.
GPG Key Changes
The GPG signing key for NetWitness has changed for releases after 11.6.0.0. To upgrade to the 11.6.0.1 release, you must first upgrade to a version that is signed by the old GPG key but already contains the new GPG key. For more information, see GPG Key Change in NetWitness Platform Beyond 11.6.0.0.
Upgrade Paths
The following upgrade paths are supported for NetWitness Platform 11.6.0.1:
The new faceted search layout of the default Events view makes interacting with large amounts of data collected from the enterprise a more familiar experience and efficient workflow. By combining the functions of the Navigate and Event views, analysts can apply filters by interacting with any metadata generated by the platform which in turn creates the query and automatically executes a search to fetch the resulting events.
Organize Investigate Content (Column groups, Meta groups and Query Profiles)
All Investigate content is displayed in a folder structure to help analysts organize their views depending on use cases. The RSA Groups (RSA Live content and RSA OOTB groups), and Shared group folders are available to all analysts. All Private groups, folders and sub-folders are displayed only to the analysts who created them. You can create, edit, copy, and delete Shared and Private folders and sub-folders.
Deliver Investigate Content (Column groups, Meta groups and Query Profiles) using RSA Live
Investigate content can be deployed using RSA Live, providing updates outside the NetWitness release cycle. Analysts can now use the latest Investigate content to focus their view of the data on specific use cases. All RSA-generated content is now contained in an RSA-specific folder.
Multiple values
When investigating a list of events, an analyst can see that an event has multiple values for a meta key in that specific session. A hover-over indicator shows the list of values, which can be investigated further without drilling into the reconstruction of the event.
Direct Free-form query or text search
To immediately create a blank free-form filter, an advanced user can select the option “Click to start a free form query” from the Advanced Options panel. In the same manner an analyst can choose “Click to start a text search” to create a new text search. In both scenarios, the analysts can bypass the auto-completion input logic and save some time in generating a query format.
Query filter enhancements
When a query is added in the Events view, the selected filter has a red highlighted border so the analyst knows which filter is selected. While a filter is being edited, the border turns blue to indicate that input is still required if focus moves away from the query input.
Custom Column group enhancements
Metadata such as custom.logdata, defined in Legacy Events or in the OOTB Summary List column group, can be used to combine the raw logs into a customized column of additional metadata. A list of recommended metas that contain data is displayed. An analyst can create custom column groups using the summary and raw log (custom.logdata) meta keys.
Column Group Meta Key Recommendations
While reviewing query results in the Events table with a selected column group, analysts have the option to view recommended columns that may have data for those events but are not part of the current column group. These suggested meta keys help analysts to have the best column groups applied so that no relevant data is missed for the events displayed.
Investigate Screen Layout Options
A new user preference allows analysts to choose between a Compact or Expanded format to determine how close the rows of data are to be displayed in the Event table on a single page. The following image is an example where Event Preference view is displayed with the Compact view selected.
Meta Panel Enhancements
The meta panel on the Events investigation page has been enhanced with a Hide Duplicate Entries radio button that limits the display to unique key-value pairs. A filter field is also introduced so analysts can search and filter by meta key or value.
IndexNone Meta keys
As analysts create meta groups with multiple meta keys, the Open option is disabled for all non-indexed meta keys to avoid adverse effects on query performance.
Reconstruction Enhancements (view content and copy option)
The pagination of the Text tab has been enhanced to make it more obvious when there is further content available than can be displayed on a single page. Also, if required analysts can copy selected content to the clipboard using keyboard shortcut (in addition to menu option) for further investigation.
Search Indicator
When analysts perform a free-text search, a message at the top of the Events page makes it clear that only indexed metadata is being searched. The message contains a link for searching more extensively beyond what is indexed. If the maximum search limit has been reached, a message at the bottom indicates that no more results are available.
Investigate Timeout Setting
The Extraction timeout setting helps an administrator to increase or decrease the time available to retrieve the required sessions or events or files from Investigate. This can be configured by navigating to Admin > System > Investigation > Common Settings.
A new and enhanced dotted chart is introduced in version 11.6. The dotted chart provides the analyst with an entity's baseline values over time, to better understand the context of the modeled behavior and, in the case of an indicator, the anomaly. In version 11.6 the pie chart is replaced with the dotted chart to give analysts additional visibility into an entity's activity over time. For more information, see the NetWitness UEBA User Guide.
Incident Response
Respond Persist Data (BETA)
Analysts and Administrators can pin events that are associated with particular incidents, so that the evidence related to an incident can be viewed in the future. Once you pin an event, its data is copied from the regular database into a long-term storage cache within the data source. Event retention depends on the space available in the directory (10 GB is offered by default). Roll-over in the meta database does not affect events that have already been saved in the pin directory. The BETA version has the limitation that pinned events cannot be downloaded; this will be enabled and announced in a subsequent release.
For more information, see Respond Persist Data in the NetWitness Respond User Guide.
Endpoint Investigation
Support for YARA scans
YARA provides analysts with rule-based detection for identifying and classifying malware. You can write malware descriptions, called YARA rules, that detect malware reliably. YARA automatically scans downloaded files at regular intervals and increases a file's risk score if it matches any rule, helping analysts respond to threats quickly. For more information, see the NetWitness Endpoint User Guide. To learn how to enable and configure YARA, see the NetWitness Endpoint Configuration Guide.
Centralized agent upgrade options using UI
Administrators can now upgrade and uninstall selected or all agents from the UI, which makes managing NetWitness agents much easier. For more information, see the NetWitness Endpoint Agent Installation Guide.
Centralized agent uninstall options using UI
Administrators can easily uninstall selected agents, or all agents, from the UI. Bulk uninstall can be performed without selecting any hosts. This saves time and lets administrators focus on responding to threats. To qualify for bulk uninstall, the agents must be on version 11.5.1 or later. For more information, see the NetWitness Endpoint Agent Installation Guide.
Support for Saving Local Copies of Multiple Downloaded Files
Now analysts can perform detailed investigations and forensics quickly and easily by saving copies of downloaded system dump, process dump, MFT, etc.
Support to Download MFT From Any Windows Drive
Analysts can now download MFT for any drive and can also download it on the NTFS mount path. This can help analysts perform critical investigation, analysis, and forensics on files in addition to the system volume.
Expanded Lateral Movement Visibility
The Windows agent now reports executable write events on the target machine when files are copied to network shares. This gives analysts deeper visibility into lateral movement activity on Windows involving files copied to network shares.
Support for Forwarding Windows/File Logs to Custom Systems
Administrators can now collect the Windows and File logs on a non-VLC system by forwarding them to a custom system.
New rules added to detect Persistence tactic
New rules have been added to the Endpoint rules bundle to detect threats that follow the Persistence tactic. When such a threat is detected, these rules will trigger alerts and increase the risk score.
Broker, Concentrator, Decoder, and Log Decoder Services
Assembler Threading Modes
The assembler is the process that reassembles captured packets into streams. To increase the throughput at which a Decoder can analyze data, the assembler can now perform additional parallel processing, and its operation can be tuned using two modes, selected by setting assembler.threading.enabled to on or off. The default value is off. The on mode provides higher throughput because each assembler instance runs on a dedicated processor.
The assembler modes work only when Multi Adapter Packet Capture is enabled. For more information on Multi Adapter Packet Capture and Assembler Modes, see the (Optional) Multiple Adapter Packet Capture topic in the Decoder and Log Decoder Configuration Guide.
High Speed Packet Capture
You can now analyze network data (packets) from higher speed networks and optimize your Network Decoder to capture network traffic up to 40 Gbps. In order to understand what capabilities are supported at different network speeds, the Decoder now operates in the following three modes:
Normal: For capture speeds less than 5 Gbps with large amounts of deep packet inspection while storing network sessions. This is the default mode.
10G: For capture speeds up to 10 Gbps with medium amounts of deep packet inspection while storing network sessions.
NDR: For capture speeds greater than 10 Gbps but less than 40 Gbps with small amounts of deep packet inspection while only storing metadata.
Decoder now detects and decompresses the Brotli payload in the HTTP/HTTPS session parsing. Brotli is a data format specification that compresses data streams with a specific combination of the general-purpose LZ77 lossless compression algorithm, Huffman coding, and 2nd order context modelling. Brotli encoding is supported by most web browsers, major web servers, and some CDNs.
To enable Brotli decompression, perform the following steps:
Decoder can identify applications using the OpenApp ID detectors generating new metadata (app.id). It helps analysts to identify applications in a session. OpenApp ID from Cisco is an application-layer network security plug-in for Snort (an open source network intrusion detection system). It is a set of open source Lua libraries (detectors) that identifies applications in the network traffic.
To increase the throughput at which a Decoder can analyze data, the session-creation pipeline now uses Receive Side Scaling (RSS). RSS distributes network receive processing efficiently across multiple CPUs in multiprocessor systems and ensures that the processing associated with a given connection stays on its assigned CPU. RSS is supported only on DPDK devices that use the ixgbe or i40e device drivers.
Simultaneous Ingestion of the Encrypted and Decrypted Traffic Streams to Decoder
A Decoder with the multi-adapter capture and multi-thread assembler features enabled can receive encrypted and decrypted streams of the same traffic when they arrive on separate adapters. This supports the use case in which both the encrypted and decrypted versions of the same traffic traverse the same Decoder. The multi-thread assembler feature allows the Decoder to assemble packets from the corresponding capture work thread. It keeps the packets from encrypted and decrypted sessions separate during assembly to avoid inaccuracies in session parsing and content extraction.
For more information, see the Decrypt Incoming Packets topic in the Decoder and Log Decoder Configuration Guide.
Trusted Authentication for Aggregation Hosts
When configuring aggregation connections, you can use trusted authentication to perform this task instead of using service account credentials. The trusted authentication reduces administrator overhead by eliminating the need to manage service account password changes.
Note that changing the authentication method requires the device to be offline. Also, once you switch to Trusted Authentication, you cannot switch back to logging in with user credentials.
Event Stream Analysis (ESA)
Support for Meta Entities
Meta Entities provide a way to link similar meta keys together. Once defined, an entity can be used the same way as a key, so analysts can treat it as a regular key that reaches multiple similar concepts. From the 11.6 release, meta key entities are configured as part of the event schema, and string[] meta key entities can be enabled. Analysts can create rules and configure alerts based on the selected meta key entities. You can also add meta entities when creating rules. The meta entities retrieve data from the data sources to trigger alerts.
For more information, see the NetWitness ESA Alerting User Guide.
Import and Edit Position Tracking Information
When you deploy a data source, by default, ESA starts processing information from the latest available session. Position tracking information enables the administrator to visualize the progress of the sessions that ESA has processed and provides information on the session IDs and the time or date when the events were processed.
The edit function enables you to visualize the number of sessions that a particular ESA data source analyzes after you edit the position tracking, review the number of processed sessions, and plan your work. To edit position tracking information, see Editing Position Tracking Information.
The import function enables you to migrate the settings of position tracking for one or more data sources at the same time from an existing deployment. To import position tracking information, see Importing Position Tracking Information.
While working with data sources, you can use trusted authentication to perform tasks instead of logging in with the admin credentials. You need not log in using your admin credentials every time you want to access the data sources.
For more information, see Trusted Authentication in the NetWitness Getting Started Guide.
Support for Detect AI
Detect AI has been added as an alert source in the Respond view. It captures the alerts from the cloud-based user behavior analytics to create incidents from alerts.
You can filter the alerts list to show the alerts of interest using filters such as alert name, alert source, and a specific time range.
You can remove redundant dashboards (dashboards that are not owned, not shared, and duplicate default dashboards) by enabling the dashboard cleaning job.
NetWitness Platform 11.6 introduces the ability to add any RESTful API data source to Context Hub.
The REST API data source allows analysts to query third-party applications by passing a meta value as a query parameter and rendering the results in the Context Hub Panel in real time. The results can be rendered in JSON or HTML format depending on the preference and capabilities of the third-party application. An analyst can now gain additional context about IPs, users, hosts, or files faster during an investigation without leaving the NetWitness Platform.
Improvements to Context Highlighting
Some additional configurations are introduced to the Context Highlighting feature to make the capability more usable and efficient in specific environments. Administrators can now configure specific Context Hub sources (for example, specific lists, Respond, Endpoint, and so on) for context highlighting. If context highlighting is disabled for a Context Hub source, analysts can still view results from all sources when opening the Context Panel for a meta value, but the values are not highlighted in the Investigate > Navigate, Event, and Respond views. Administrators can also disable context highlighting globally for all sources.
In 11.5, the NetWitness Output Codec for Logstash was introduced, making Logstash integrations possible with a customer-managed Logstash server. From 11.6 onwards, the Logstash server is packaged and supported along with the NetWitness Log Collector or Virtual Log Collector (VLC) service to provide easy access to Logstash. This is referred to as Managed Logstash and it eliminates the need for a separate Logstash server outside of the NetWitness Platform.
You can create Logstash pipelines (for example, beats, export connector, and so on) in the Event Sources tab within the Log Collector service. The custom category allows for a fully custom Logstash pipeline configuration.
The following is an example of a Logstash Event Source.
A new Data Export tab is added to the Decoder or Log Decoder configuration view. It lists the available Log Collector services in your environment. Once you select a Log Collector service, you can configure the Export Connector in the Event Sources tab.
Also, new stats for both legacy and New Health and Wellness are introduced to monitor the health and throughput of each Logstash pipeline. A Logstash Input Plugin Overview dashboard is added to display the new stats.
JSON Mapping Usability Improvements - In the tree view of a JSON sample, the corresponding RAW node or Mapping entry is highlighted when either is selected, if a match exists. The highlighting indicates whether the match is successful in the current sample; that is, the value should parse correctly, including the node path and any DataType or RegEx.
Custom Regex for JSON mappings - For fine-parsing JSON values (for example, ip:port), the user can create a custom RegEx pattern for each mapping within the UI. Multiple values (captures) can be extracted and assigned to separate meta keys.
Import or Export for custom UI Rules (Dynamic Rules or JSON mappings) - Custom Dynamic Rules and JSON mappings that are created in the UI can now be easily imported or exported right from the UI. This enables customers to develop parse rules in one environment (for example, Lab) and move them to another (for example, Production).
Note: Import or Export for custom UI rules does not export or import any "parser.XML" or "parser_custom.XML" that correspond to the Parse Rules.
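The following is an added illustration of how a JSON mapping entry with a custom RegEx behaves, written for this section and not taken from the NetWitness parser code: one mapping names a node path, a RegEx whose capture groups feed separate meta keys, and a DataType per capture, and the result reports whether the mapping matches the sample (the condition the tree-view highlighting reflects). The event sample, node paths, and meta key names are constructed for the example.

```python
import json
import re
from ipaddress import ip_address

# Constructed JSON event sample (not from a real feed); "bad" holds an
# out-of-range port so the DataType check can be exercised.
SAMPLE_EVENT = json.dumps({
    "event": {"src": "10.1.2.3:44321", "dst": "203.0.113.7:443",
              "bad": "10.0.0.1:99999", "action": "allow"},
    "user": {"name": "jdoe"},
})

def get_node(doc, path):
    """Walk a dotted node path such as 'event.src'; return None if absent."""
    node = doc
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def coerce(dtype, text):
    """Validate one capture against its DataType; return (ok, typed_value)."""
    try:
        if dtype == "IPv4":
            return ip_address(text).version == 4, text
        if dtype == "UInt16":
            n = int(text)
            return 0 <= n <= 65535, n
        return True, text          # "Text": accept as-is
    except ValueError:
        return False, None

def apply_mapping(raw_json, node_path, pattern, meta_keys, data_types):
    """Apply one mapping entry (node path + RegEx + meta keys + DataTypes).

    Returns {"matched": bool, "reason": str, "meta": {key: value}}.  The
    whole value must match (fullmatch), every capture must satisfy its
    DataType, and nothing is emitted on a partial failure, so a mapping
    never silently populates meta with mis-parsed data.
    """
    value = get_node(json.loads(raw_json), node_path)
    if value is None:
        return {"matched": False, "reason": "node path not found", "meta": {}}
    m = re.fullmatch(pattern, str(value))
    if m is None:
        return {"matched": False, "reason": "regex did not match", "meta": {}}
    if m.re.groups != len(meta_keys):
        return {"matched": False, "reason": "capture count != meta key count", "meta": {}}
    meta = {}
    for key, dtype, cap in zip(meta_keys, data_types, m.groups()):
        ok, typed = coerce(dtype, cap)
        if not ok:
            return {"matched": False, "reason": f"{key} is not {dtype}", "meta": {}}
        meta[key] = typed
    return {"matched": True, "reason": "", "meta": meta}
```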
Licensing
Introducing License Usage Dashboard
A new license dashboard is introduced in New Health & Wellness to manage licenses efficiently. This dashboard provides insights on the license usage of all the Throughput licenses in your deployment. Administrators can do the following on this dashboard:
Track daily license usage for individual hosts
Track daily usage of Throughput licenses for all the hosts in your deployment
NetWitness Platform versions 11.5.1 to 11.6 include fixes to the metrics used in reporting Network (Packet) Throughput usage. License metrics include the overall network traffic analyzed and the raw network data stored after the analysis. Your Network Throughput License usage may increase, which may cause license violation banners in some situations. The Out-of-Compliance notifications for Network Throughput licenses have been adjusted to delay the display of the license violation banner by 45 days. For more information, see the Licensing Management Guide.
Platform
Support for Third Party Server Hardware
This allows you to use any third-party server hardware to run NetWitness Platform. The kickstart wizard provides a list of available block devices and prompts you to select the device on which to install the OS and the NetWitness Platform application. For more information, see the Installation Tasks topic in the Physical Host Installation Guide.