The following section describes the new enhancement for Upgrade:
Alma OS Migration
Red Hat announced that CentOS Linux 7 will reach end of life (EOL) on June 30, 2024. To address this change, NetWitness Platform is now integrated with AlmaLinux. When you upgrade to NetWitness 12.4, you are automatically migrated from CentOS 7.9 to AlmaLinux 8.9. The NetWitness Platform 12.4 upgrade process is the same as any previous upgrade; you do not have to follow any specific procedure for upgrading to the AlmaLinux OS. AlmaLinux provides several key benefits and new features:
The upgrade to AlmaLinux is an inherently automated process with zero manual intervention.
It comes with a pre-upgrade tool that helps administrators discover and mitigate issues before running the actual upgrade process.
Saves time and administrative effort.
Retains control over installed applications.
Preserves most of the configuration information.
NetWitness Platform streamlines the upgrade process, saves time and resources, and maintains control over installed applications and configurations when migrating from CentOS 7.9 to AlmaLinux 8.9.
SASE Capability
The following section describes the new enhancement for SASE:
NetWitness SASE Integrations
NetWitness SASE Integration with Palo Alto Networks - Introduces NetWitness integration with Palo Alto Prisma SASE to provide complete network and log visibility. With this custom technical integration, NetWitness users gain insight into behavior and communication among devices and services in remote and distributed networks across on-premises, hybrid, and cloud deployments. The NetWitness-Palo Alto SASE integration enables customers to leverage SASE flexibility and its inherent security advantages while retaining complete visibility for threat detection and response.
NetWitness SASE Integration with Symantec by Broadcom (Private Preview Mode) - Introduces NetWitness integration with Symantec by Broadcom SASE to provide complete network and log visibility. With this custom technical integration, NetWitness users gain insight into behavior and communication among devices and services in remote and distributed networks across on-premises, hybrid, and cloud deployments. The NetWitness-Broadcom SASE integration enables customers to leverage SASE flexibility and its inherent security advantages while retaining complete visibility for threat detection and response.
Note: In the 12.4 release, NetWitness SASE integration with Symantec by Broadcom is in Private Preview Mode.
Administrators can now opt for a Hybrid Cloud model for SASE. The SASE Hybrid Cloud Configuration is a data-driven design. The SASE hybrid cloud provides more efficient and secure communications between the NetWitness platform components. The NetWitness Admin Server contains a script nw-create-cloud-hybrid, which will deploy the NetWitness Overlay Network and the defined NetWitness Nodes in their respective regions in the Google Cloud Platform (GCP). The NetWitness Peer-to-Peer Network (nw-ppn) provides secure, mutually authenticated, PKI-based communication between NetWitness components.
The following section describes the new enhancements for the Investigate component:
Interactive Network Parser Creation
In the Investigate > Events view, users can convert the exact patterns selected or keywords found in the network traffic they review in text session reconstruction into a network parser. This streamlined process allows the user to generate meta to trigger an incident (e.g., a future detection) without understanding how to create the parser.
Users can also create a network parser using keywords from the (Configure) > Policies > Content Library > More > Search Pattern Rule view.
Download More Sessions than Displayed in Events Table
A new user preference, Maximum Session Export Limit, has been added to the Events Preferences panel in the Investigate > Events view. Analysts can use this setting to adjust the number of available sessions for exporting using the Download All menu options. This enhancement makes the number of exported sessions independent from the number of sessions displayed in the Events table.
Analysts can now use custom names when downloading event files from the Events panel view. Custom names make it easier to organize and manage downloaded event files, saving analysts time and effort.
The following section describes the new enhancements for the Respond component:
MITRE ATT&CK® Integration with NetWitness
MITRE ATT&CK® is a curated knowledge base of adversary Techniques and Tactics. It provides an appropriate level of categorization for adversary action and specific ways of defending against it. Analysts can view the high-level list of specified tactics, techniques, and sub-techniques, along with their details, and learn how potential threats and vulnerabilities in their environment are associated with the MITRE ATT&CK framework.
NetWitness Live is integrated with the MITRE ATT&CK framework to help analysts view the MITRE ATT&CK Tactics and Techniques associated with Application Rules and Event Stream Analysis Rules. The Service Details right panel ((Configure) > Policies > Content > Content Library > Application Rule or Event Stream Analysis Rule > click a row > Service Details right panel) is enhanced to provide information about the MITRE ATT&CK Tactics and Techniques.
You can tag MITRE ATT&CK Tactics and Techniques while creating a custom Application Rule or Event Stream Analysis Rule.
You can also select the MITRE ATT&CK Tactics and Techniques while creating an incident from the Investigate > Events view.
Response Actions are reactive operations performed on configured metas using a third-party tool or connector such as ThreatConnect after triaging an event. Response Actions, the new feature added under (CONFIGURE) > More, allows you to perform the following actions:
Create and manage Response Actions for the supported metas available in Respond, Investigate, Hosts, and Users view.
Perform Quick Actions on the configured meta and post the meta with additional parameters to the connector for taking further actions.
The following section describes the new enhancements for the Insight component:
Whitelist Insight Alerts in Respond View
Administrators and analysts can now whitelist unwanted and recurring Insight alerts generated in the Respond > Alerts view. This enhancement provides the ability to select specific values, such as IP Address and Asset Type, and define a Whitelist condition to prevent unwanted alerts from being generated for these values. Using this enhancement, analysts can streamline the alert management process by excluding specific IP addresses or asset types that are known to be reliable and secure. This optimization minimizes unnecessary alerts generated on the Respond > Alerts view, reducing the time and effort required to review and analyze alerts.
The following section describes the new enhancements for the UEBA component:
Support for Cisco Adaptive Security Appliance (ASA) and Fortinet VPN Devices
NetWitness UEBA has added support for the Cisco ASA and Fortinet VPN devices. With this enhancement, UEBA can now process Cisco ASA and Fortinet VPN logs, which helps to gather and analyze user activity information.
For more information, see the UEBA Supported Sources by Schema section in the UEBA Configuration Guide.
UEBA Performance Improvements
The following performance improvements are made for UEBA in the 12.4.0.0 version:
Optimized the aggregation and accumulation models to generate and store models in parallel.
Optimized the hourly score aggregation task to aggregate and score in parallel.
For more information on the supported scale, see the Learning Period Per Scale for 12.4 topic in the UEBA Configuration Guide.
Endpoint
The following section describes the new enhancements for the Endpoint component:
View Installed Applications
The Hosts details > System Info view has been enhanced to allow analysts to view the information about the various applications installed on a Windows machine.
The following enhancements are made for CCM in the 12.4.0.0 version:
Enhancements for Proper Functioning and Deployment of Custom Parsers into Services through CCM
Introduced the capability to import an individual XML file (Log Device content type) into the Content Library. You can upload either a base parser or an extended parser as a standalone XML file. While importing an XML file, you can optionally associate it with its corresponding base parser, effectively treating it as an extension parser. To import a standalone XML file as an extended parser, select Import as Extended Custom Parser in the Import screen.
The Content Library now displays base parsers and extension parsers as distinct items, providing a clear and organized view for users. This separation ensures that users can easily identify and manage both types of parsers within the library. Furthermore, when an extension parser is added to a policy, the corresponding base parser is automatically included in the policy as well. This streamlined integration simplifies the process for users, eliminating the need to manually link base and extension parsers when creating or editing policies.
Enhancements during Removal of a Service from Group
While removing a service from the group, you can opt to either delete the content from service and then remove the service from the group or remove the service from the group without deleting the content.
CCM is enhanced to re-migrate content from a service even if it is already migrated and/or assigned to Groups and Policies. While migrating content from a service already associated with a policy, you can optionally update the associated policy with the migrated content. To update the existing policy and group for a service after re-migrating it, the options available in the Migrate Content from Service page are updated to Create/Update Policy and Group for Each Service and Skip Creating/Updating a Policy and Group.
The MORE navigation menu is added to the CCM UI to view Bundles, Search Patterns, and Integrations by default. As you select the content type from the MORE menu, that content type appears on the left of the MORE menu.
Concentrator, Decoder, Log Collector, and Archiver Services
The following enhancements are made for Concentrator, Decoder, Log Collector, and Archiver Services in the 12.4.0.0 version:
Capability to Deprecate the Use of IP Address for Basic Authentication
NetWitness has deprecated the use of IP addresses for Windows Collection Basic Authentication. Now, you must use the FQDN in the Event Source Address and add an entry for the same FQDN in '/etc/hosts' while configuring Basic Authentication.
New Utility to Stream Meta From Decoders to 3rd Party Tools
Introduced a beta utility to stream meta from network decoders to third-party tools, making it easy to integrate NetWitness Platform with other products. All or a subset of the metadata can be streamed, limiting the amount sent to the third-party tool depending on the use case.
NetWitness Platform supports the integration of the following event sources to collect and parse logs. Unless specified, these services are supported on NetWitness Platform 12.2.0.0 or later.
Single Sign-On (SSO) Authentication Independent of Active Directory (AD) Configuration in NetWitness
Starting from NetWitness Platform version 12.4, NetWitness offers SSO that is independent of AD configuration in NetWitness. It allows user authorization by using the list of user groups embedded in the SAML authentication token received from ADFS and verifying them against user groups already set up in NetWitness. This eliminates the need for users to configure or rely on Active Directory settings within NetWitness for user authentication. NetWitness now supports both Azure ADFS and Microsoft ADFS.
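The group-based authorization described above, as an added example that is not NetWitness code: it reads the group list carried in a SAML assertion and intersects it with groups already defined on the NetWitness side, so no Active Directory lookup is needed at login. It assumes ADFS emits groups in the standard Group claim type `http://schemas.xmlsoap.org/claims/Group`, that the group-to-role table and the assertion are constructed sample data, and that the caller has already verified the signature and conditions of the SAML response before handing the assertion to this code.

```python
"""Authorize a SAML-authenticated user from the groups embedded in the token.

Added example, not NetWitness code. Assumptions (not from the release notes):
  * ADFS places group memberships in the Group claim type below;
  * the SAML response signature and conditions (audience, validity window)
    have ALREADY been verified by the caller; this code trusts its input.
For untrusted XML in production, parse with defusedxml rather than
xml.etree, which is kept here so the example runs with the standard library.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"  # assumed ADFS claim type

# Groups configured on the NetWitness side, mapped to the role they grant.
# Constructed sample data; real deployments define their own groups.
NETWITNESS_GROUPS = {
    "NW-Administrators": "Administrators",
    "NW-Analysts": "Analysts",
    "NW-Operators": "Operators",
}


def _sample_assertion(group_values: list[str]) -> str:
    """Build a constructed, unsigned assertion for the examples below."""
    values = "".join(
        f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in group_values
    )
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_constructed" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{GROUP_CLAIM}">{values}</saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


SAMPLE_ASSERTION = _sample_assertion(["NW-Analysts", "Domain Users"])
NO_GROUP_ASSERTION = _sample_assertion([])


def extract_groups(assertion_xml: str) -> tuple[str, list[str]]:
    """Return (subject NameID, list of group claim values) from the assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    groups: list[str] = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != GROUP_CLAIM:
            continue  # e-mail and other claims are not used for authorization
        for val in attr.iterfind("saml:AttributeValue", NS):
            if val.text and val.text.strip():
                groups.append(val.text.strip())
    return name_id.text.strip(), groups


def authorize(assertion_xml: str) -> dict:
    """Map token groups onto NetWitness roles; deny when nothing matches.

    Groups unknown to NetWitness are ignored rather than treated as an error,
    but a user with no matching group gets no default role.
    """
    user, groups = extract_groups(assertion_xml)
    roles = sorted({NETWITNESS_GROUPS[g] for g in groups if g in NETWITNESS_GROUPS})
    return {
        "user": user,
        "roles": roles,
        "allowed": bool(roles),
        "ignored": sorted(set(groups) - set(NETWITNESS_GROUPS)),
    }


if __name__ == "__main__":
    print(authorize(SAMPLE_ASSERTION))
    print(authorize(NO_GROUP_ASSERTION))
```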
IMPORTANT: If you want to upgrade from 11.7.x or 11.7.x.x versions to 12.4.0.0 version, you must first upgrade to 12.2.0.0 or 12.3.0.0 version before upgrading to 12.4.
Product Version Life Cycle for NetWitness Platform
The following section describes the new enhancements for the Investigate component:
Generate Charts from Events View
Administrators and analysts can now generate Adhoc and Schedule charts from the Investigate > Events page. With this enhancement, administrators and analysts can create various types of charts based on Event Count, Session Size, Packet Count, and Meta Key. These charts offer a more in-depth understanding of events and make it easier for analysts to investigate efficiently. Additionally, analysts can share these visualizations with others in various formats like PDF and CSV files, facilitating seamless collaboration and communication.
Administrators and analysts can now create real-time charts based on data from the Investigate > Events page. This feature provides a dynamic way to visualize your data and gain valuable insights as the data is continuously updated based on the configured time interval. This feature enables administrators and analysts to create a variety of chart types based on Event Count, Session Size, Packet Count, and Meta Key. It provides an all-in-one solution for tracking trends for analysts. Additionally, analysts can add these real-time charts to their Default Dashboard, allowing them to track critical data seamlessly within the organization.
The Events small timeline view has been improved with the addition of a border, making it easier for analysts to differentiate between the small and large timelines. This enhancement eliminates any confusion when using the zoom feature on the timeline and provides a clear view of the presented data.
When viewing session reconstructions in the Events view, the left click function is disabled for the time and event time in the Collection Time column of the events table to prevent accidental alterations, resulting in a smoother and more efficient workflow.
Load Service Hierarchy Faster on Events View
The Investigate > Events page may take longer than expected to load if the list of services to load includes Core hosts that have been improperly switched off. In such scenarios, NetWitness Platform users can customize the hierarchy-call-time-out parameter in the Admin > Services > Investigate Server > Explore view. This customization allows the Services to load quickly before the request times out. The default value is 5 seconds.
Note: The time it takes NetWitness Platform to load Services is the total time it takes to communicate with all services present in a deployment. This load time may vary due to several factors, such as inaccessible services, stale connections, or an incorrect host connection status in the cache due to a host being improperly switched off.
The following section describes the new enhancements for the Respond component:
Support for Custom Aggregation Rule Schema Configuration
A new custom_aggregation_rule_schema.json file is created in this release. This feature allows administrators to manage all the custom meta fields without modifying the Out-of-the-Box (OOTB) configuration. It enables administrators to add, edit, and delete alert fields according to their requirements. It also ensures a seamless upgrade experience.
To simplify customization and avoid modifying the default configuration, administrators can use the custom_aggregation_rule_schema.json file for smoother management and a seamless migration. Importing incident rules is also more convenient, and backward compatibility is maintained automatically.
Enhanced NetWitness Respond to list available services based on NetWitness orchestrated services. This can avoid confusion caused by outdated or nonexistent services and ensure that users only see the relevant services.
If a service is removed, it is marked as decommissioned in the UI instead of immediately being removed from the source list. This approach prevents disruptions in source availability for ongoing activities while creating visibility into the service's status.
The following section describes the new enhancements for NetWitness Insight:
Detect New Assets in Insight (BETA)
NetWitness Insight introduces a new alert named New asset discovered in environment. This alert is generated on the Respond > Alerts page whenever a new asset of the Server type is detected in the environment for the first time, or when an existing asset has not been observed by NetWitness Insight for the last 30 days. This alert is generated only for assets identified as servers by NetWitness Insight. This feature enhances visibility and gives analysts an improved understanding of the assets present in the environment, enabling them to better protect those assets from potential attacks.
This feature is currently available in BETA mode and is disabled by default. Contact the NetWitness Customer Support team to enable the feature.
Historical Service Trend Chart Improvements
The following improvements are made to the Historical Service Trend chart in the 12.3.1.0 version:
Added a new Service filter feature that allows you to filter services using a searchable drop-down menu. Analysts can now filter services by multiple values simultaneously, making it easier to compare services and discover insights.
Improved pagination functionality now allows analysts to navigate between the first and last pages seamlessly.
Services in the chart legend are sorted from highest to lowest enterprise traffic using the latest date data. When services have the same percentage value, they are sorted alphabetically.
Email Notification on Exceeding Daily License Usage
NetWitness Insight customers exceeding the daily license usage limit three or more times within the last 14 days will receive an email notification.
User and Entity Behavior Analytics
The following section describes the new enhancements for the UEBA component:
Support for Citrix NetScaler and Palo Alto Networks VPN Devices
NetWitness UEBA has added support for the Citrix NetScaler and Palo Alto Networks VPN devices. With this enhancement, UEBA can now process Citrix NetScaler and Palo Alto Networks VPN logs, which helps you gather and analyze user activity information.
For more information, see the UEBA Supported Sources by Schema section in the UEBA Configuration Guide.
UEBA Performance Improvements
Optimized the database for inserting and querying data, resulting in faster query response times.
The modeling process for network data has been improved by excluding randomized JA3 entities, resulting in improvements in the overall performance.
Optimized the modeling process to generate and update multiple models in parallel.
Airflow retention DAGs processing times have been reduced due to faster cleanup of outdated data.
For more information on the supported scale, see the Learning Period Per Scale for 12.3 and 12.3.1 topic in the UEBA Configuration Guide.
Endpoint
The following section describes the new enhancements for the Endpoint component:
Supported Operating System Enhancements
Administrators have the option to deploy Endpoint agents on the following versions of Linux and Mac Operating System:
The Source server Explore view (Admin > Services > View > Explore) is enhanced with the endpoint/recovery configuration option to help administrators configure Endpoint recovery in case of a disaster.
The following enhancements are made to Policy-based Centralized Content Management in the 12.3.1.0 version:
Pagination is added in the Content Library, Groups Listing and Policy Listing pages which enables you to navigate through the list. By default, 50 rows are displayed per page. However, NetWitness allows you to modify the number of rows displayed per page.
Administrators can directly update any content that is part of a Policy in the Content Library. The changes are reflected in the Services once the Policy is republished.
The search experience for selected content during Policy creation is improved. A Search box is added under the Selected Content in the Define Policy screen. You can search the selected content by typing the initial content text in the Search box.
In the Filters panel of the Policy Listing, Groups Listing and Services Listing pages, the respective parameters 'Policy Name', 'Group Name' and 'Service Name' are changed to 'Name'.
Introduced a new event category called syslog-length-prefix under Syslog Collection in the Log Collector to support length-prefixed syslog messages during syslog collection.
For more information, see Configure Syslog Event Sources topic in the Log Collection Guide.
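As an added example of the framing this event category handles (not NetWitness code), the parser below splits a TCP byte stream into length-prefixed syslog messages and decodes each message's <PRI> header. It assumes the prefix follows RFC 6587 octet counting (a decimal byte count, a space, then the message); the sample messages, the chunk boundary and the 64 KiB size limit are constructed for the demonstration.

```python
"""Parse octet-counted (length-prefixed) syslog frames from a byte stream.

Added example, not NetWitness code. Assumes RFC 6587 octet counting:
    MSG-LEN SP SYSLOG-MSG
where MSG-LEN is the decimal byte length of the message that follows.
A length prefix means the collector never has to guess where a multi-line
message ends, which is why this framing is preferred over newline delimiting.
"""
MAX_FRAME_LEN = 64 * 1024  # constructed sanity limit, not a NetWitness setting

# Constructed sample messages: one RFC 5424 style, one BSD style.
SAMPLE_MSG1 = b"<34>1 2024-01-01T00:00:00Z host1 sshd - - - Accepted publickey for alice"
SAMPLE_MSG2 = b"<86>Jan  1 00:00:01 host2 su: session opened for user root"


class FramingError(ValueError):
    """Raised when the stream is not valid octet-counted syslog."""


def frame(msg: bytes) -> bytes:
    """Prepend the octet-count prefix to a single syslog message."""
    return f"{len(msg)} ".encode() + msg


def split_frames(buf: bytes) -> tuple[list[bytes], bytes]:
    """Extract every complete frame from buf.

    Returns (frames, remainder). The remainder is the trailing partial frame
    that must be kept and prepended to the next chunk read from the socket.
    """
    frames: list[bytes] = []
    pos = 0
    while pos < len(buf):
        sp = buf.find(b" ", pos)
        if sp == -1:
            # Prefix not complete yet; wait for more data unless what we have
            # is already longer than any sane decimal length could be.
            if len(buf) - pos > len(str(MAX_FRAME_LEN)):
                raise FramingError("length prefix is not a decimal number")
            break
        prefix = buf[pos:sp]
        if not prefix.isdigit() or (len(prefix) > 1 and prefix[0] == 0x30):
            # Empty, non-numeric or zero-padded length: typically a sender that
            # uses non-transparent (newline) framing instead of octet counting.
            raise FramingError(f"bad length prefix {prefix!r}")
        msg_len = int(prefix)
        if msg_len == 0 or msg_len > MAX_FRAME_LEN:
            raise FramingError(f"length {msg_len} out of range")
        start, end = sp + 1, sp + 1 + msg_len
        if end > len(buf):
            break  # message body not fully received yet
        frames.append(buf[start:end])
        pos = end
    return frames, buf[pos:]


def parse_pri(msg: bytes) -> tuple[int, int, bytes]:
    """Split the <PRI> header off a syslog message.

    Returns (facility, severity, rest); PRI = facility * 8 + severity and
    is at most 191 (facility 23, severity 7).
    """
    if not msg.startswith(b"<"):
        raise FramingError("missing <PRI> header")
    close = msg.find(b">", 1, 5)  # PRI has 1-3 digits, so '>' is at index 2..4
    if close == -1 or not msg[1:close].isdigit():
        raise FramingError("malformed <PRI> header")
    pri = int(msg[1:close])
    if pri > 191:
        raise FramingError(f"PRI {pri} out of range")
    return pri // 8, pri % 8, msg[close + 1:]


def demo() -> tuple[list[bytes], bytes]:
    """Feed the sample stream in two chunks, cutting inside the second frame."""
    stream = frame(SAMPLE_MSG1) + frame(SAMPLE_MSG2)
    cut = len(frame(SAMPLE_MSG1)) + 5  # first frame complete, second partial
    out: list[bytes] = []
    rest = b""
    for chunk in (stream[:cut], stream[cut:]):
        frames, rest = split_frames(rest + chunk)
        out.extend(frames)
    return out, rest


if __name__ == "__main__":
    messages, leftover = demo()
    for m in messages:
        facility, severity, text = parse_pri(m)
        print(facility, severity, text.decode())
    print("leftover bytes:", len(leftover))
```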
Log Integrations
NetWitness Platform supports the integration of the following event sources to collect and parse logs. Unless specified, these services are supported on NetWitness Platform 11.7.0.0 or later.
Google Cloud Platform (Support for VPC Flow Logs, Google Kubernetes Engine (GKE) Logs, Cloud Storage Logs, and Audit Logs)
Administrators can now run the nw-precheck-cli command on the Hosts page to generate the system upgradability health report. The report helps administrators to troubleshoot any anomalies and minimize upgrade failures. The tool-tip message appears when you hover over the Update Host and Check for Update drop-down menu.
Customer Experience Improvement Program (CEIP)
NetWitness now displays a NetWitness Platform CEIP dialog to all users (with Manage Live Setting and config-server manage configuration permissions) who have not previously enabled the CEIP program and are upgrading to a major or minor platform version. For example, in NetWitness Platform version 12.3.1.0, the major version is represented by 12 and the minor version by 3.
For more information, see "Configure the Customer Experience Improvement Program" in the System Configuration Guide.
Security
To further improve security, all NetWitness services and scripts now use trusted certificate-based authentication or the deploy admin password for the RabbitMQ account. Additionally, the guest user account password is set to a random value to restrict full Administrator access to only authorized users on the host.
User Interface
The following section describes the new enhancements for the NetWitness user interface:
NetWitness Product Name Change
NetWitness shortened the product name to "NetWitness Platform". This change aims to streamline and align our branding with our overall product strategy.
Warning: Before upgrading the UEBA host to 12.3.1.0, you must perform the backup of your Elasticsearch data such as Users, Entities, Alerts, and Indicators to retain them post upgrade. For more information, see NetWitness UEBA Configuration Guide for 12.3.1.0.
Product Version Life Cycle for NetWitness Platform
The following enhancements are made for Policy-based Centralized Content Management in the 12.3.0.0 version:
Addition of Services Tab in Content Panel
NetWitness has introduced the Services tab to view and manage the 12.3 and above services. The dedicated Services List page lists all Decoder and Log Decoder services available in the 12.3+ version. From this page, you can initiate migration, view the content of each service after migration, and conveniently enable or disable CCM for individual services.
To go to Services tab, click (CONFIGURE) > Policies > Content > Services.
Once you click the Services tab:
You can view the list of services. By default, 15 services are displayed per page. You can go to the next page by clicking the next-page icon, or directly to the last page by clicking the last-page icon.
You can filter the services based on various parameters by clicking the filter icon.
You can click a service to view the details of the service.
You can automatically migrate content from selected services to the CCM Content Library. This feature simplifies the process and saves time by eliminating the need for manual content migration. To migrate content, select the service(s) and click Migrate Content.
In this UI, you can migrate Application Rules, Network Rules, LUA Parser, Live Feeds and Live Log Devices. You can continue to manage Custom Feeds and Log Parser Rules from Legacy Custom Feeds UI and Log Parser Rules UI.
During the migration process, you can create default policy and group for each service selected for migration. Once the migration process is complete, the policy and group will be listed under Policy Listing page and Group Listing page.
The policy and group created for the service are in the 'Unpublished' state and can be published only after they are reviewed. In the Policy Listing page, the Publish button for such a policy is disabled. The policy can be published only after reviewing it from either the Policy Details page or the Edit Policy page.
While publishing a policy, the content deployed from the policy is merged with the content present in the service. This ensures that duplicate content is overwritten, and unique content present in the service is retained, avoiding unnecessary redundancy and data loss.
If the migration process is successful and the policy is created successfully for the selected service, you can view the details of the policy. To view the policy details, click policy name under the Policies column in Services List page.
If the migration process is successful, you can view the details of the migrated content. To view the migrated content details, click View Content hyperlink under the Action column in Services List page.
You can search the migrated content based on various parameters.
- For Application Rule and Network Rule, the search is based on Rule Name and Rule Value.
- For Feeds, Log Device and LUA Parser, the search is based on the Name.
If the migration has failed due to some reason, then you can view the logs. To view the logs, click View Error Log hyperlink under the Action column in Services List page.
Even if only some content from a service is migrated to the Content Library, NetWitness provides an option to create a policy and group for such a service. To create a policy and group for a partially migrated service, click View Error Log -> View Migrated Content -> Create Policy and Group.
You can enable or disable CCM for individual Decoder Service. To enable or disable CCM, select the service and click Manage Service Content.
NetWitness has enhanced the Application and Network Rules to help administrators manage the rules efficiently by adding the following improvements:
Under Session Options, the option Alert on is renamed to Flag session with rule name in meta key in the Application Rule tab. With this enhancement, administrators can now select a custom meta key from the drop-down, and a meta value corresponding to the rule name will be generated when the session metadata matches the rule.
Administrators can now select the Notify option to trigger alert generation and choose the Severity level while creating or modifying the Application Rules. The severity levels are Critical, High, Medium, and Low.
Under Session Options, the option Alert on is renamed to Flag session with rule name in meta key alert in the Network Rule tab.
Introduced the enhanced statistics feature, Deployment Stats, which provides users with comprehensive insights into the performance and status of their deployments.
The old legacy Services tab has been deprecated, making the CCM the primary location for accessing and managing statistics.
The statistics associated with engines, rules, and alerts have been moved to the new Centralized Content Management (CCM) pages as part of the ongoing migration.
Users can easily access and analyze deployment statistics, including engine, rule, and alert metrics, to monitor the effectiveness and efficiency of their configurations.
The ability to enable and disable rules at the runtime of the engine provides greater flexibility and control over rule execution.
Users can now view the timestamp indicating when the statistics were last fetched, ensuring the accuracy and relevance of the displayed information.
On-demand stats fetching allows users to retrieve the latest statistics anytime, keeping them updated with the system's performance.
In addition to the existing statistics, users can now view individual data source statistics for each engine, enabling a more granular analysis of data source performance.
Create and Edit ESA Rules from CCM (Redirection to ESA Rules Tab)
Introduced a new redirection feature. ESA rule creation and editing have been integrated into the existing CCM design, providing a consistent experience and optimizing usability.
Users can now create and edit ESA rules within a streamlined workflow that redirects to the ESA Rules tab, minimizing the clicks needed to modify rules.
Endpoint Rule Management
Users can now enable or disable endpoint rules per deployment, allowing them to tailor rule execution to specific deployment requirements.
Fast Deployment Support
Fast Deploy is supported, which allows users to expedite the deployment process for compatible configurations, saving time and effort.
Deployment Updates, Indicators and Notifications
Users can easily track updates made to deployments, with a clear indicator signaling the presence of updates.
Stay informed and effortlessly monitor the status and progress of your deployments.
Users will be notified if another user is currently editing a deployment, preventing conflicts and ensuring smooth collaboration.
Notifications and severity configurations for rules in a deployment can be easily viewed, enabling users to stay informed about rule behavior and potential security threats.
The following section describes the new enhancements for the Investigate component:
NetWitness enhancements in the Investigate > Events view provide increased flexibility and an improved investigative workflow. These enhancements empower analysts to complete investigations and increase the efficiency of administrators.
Select Query Results Panel Layout
The Query Builder allows you to select the Query Results panel layout before executing the query.
For example, if you select the Show: Meta and Events option from the drop-down menu, the query results are by default displayed in two separate panels, Meta and Events.
The enhanced Timeline displays activity for the specified service and time range as a bar chart. This allows analysts to detect significant spikes that could indicate anomalies. Using the visual representation, analysts can conduct a more detailed investigation of the events that occurred during that specific period.
With the enhanced timeline, analysts can now expand the timeline, zoom into the area of interest, change the axis settings, or reset the query to its original form.
NetWitness introduces the new Advanced Query Bar under the Investigate > Events panel to provide a seamless experience to users while they write queries. The Advanced Query Bar provides a search bar that accepts a query in text form, just like an Integrated Development Environment (IDE), instead of the pill-based entry of Guided Mode. The Advanced Query Bar provides the following benefits:
Syntax or error highlighting: The syntax of each query is validated and a red outline marks invalid filters.
Auto suggestions: A drop-down list offers suggestions such as a meta key, an alias for medium, or an operator to help with query construction.
Recent queries: Displays recent queries.
Create Future Alert using Events Query
During the investigation, administrators and analysts can now create an application rule for any suspicious activity from the Investigate > Events view. You can create application rules with a flexible query that covers a wide set of events and system information from your network, including suspected breach activities and misconfigured servers. Once the rule is applied to a matched policy with Decoder services, it generates alerts whenever a match occurs and helps analysts to triage, investigate, and respond to threats.
Generate Custom Reports from Investigate Events View
The NetWitness Investigate Events view has been enhanced with integrated reporting capabilities, enabling increased flexibility and a streamlined workflow. Administrators and analysts can now convert their investigation queries into ad hoc and scheduled reports directly from the Investigate > Events view. This eliminates the need to switch back to the reporting pages and reconfigure queries, saving time and effort.
The following are the key benefits of generating reports from the Events view:
Quickly configure and generate the reports.
Share generated reports directly with administrators or other analysts by configuring email IDs, facilitating efficient communication and collaboration.
Report generation now adopts preconfigured settings by default, reducing the need for manual configuration and accelerating the reporting process.
Generated reports can be used to monitor security incidents and malware activity.
Set up scheduled reports to run at regular intervals and trigger an email with events each time they run.
Search Meta Information Quickly from Events Meta Panel
Analysts can now search for meta keys and meta values quickly from the Events Meta panel using the newly added Filter option. This enhancement allows analysts to refine their search results by entering specific meta values or keys; matching results are highlighted with a blue indicator, so analysts can investigate without scrolling through a long list of metadata.
Support for VirusTotal Hashes Lookup from Events View
NetWitness now includes VirusTotal Lookup capabilities for files and file hashes from the Investigate > Events view. With this enhancement, analysts can perform a VirusTotal Lookup on files with file hashes (MD5, SHA1, and SHA256) to get more information about the file; the lookup automatically redirects them to VirusTotal's website. Once the hashes match VirusTotal's recognized types, they undergo a malware scan, and the results are returned to determine whether a file is malicious. This enhancement makes it easier for analysts to identify viruses, malware, and other malicious files with VirusTotal Lookup and helps them investigate more effectively.
For more information, see Launch a VirusTotal Lookup for a File and Perform Lookups of Meta Values in Events topics in the NetWitness Investigate User Guide.
Introducing Meta Settings Panel
NetWitness introduces the new Meta Settings panel under the Investigate > Events > Events Meta view to allow analysts to configure the number of sessions required for the specific meta key value within the Events view. This enhancement provides analysts with the following configuration options:
Max Threshold Value: This option allows analysts to set the maximum number of sessions that are loaded for a meta key value in the Events panel. A higher threshold gives more accurate counts, but the data takes longer to load. The Max Threshold Value should be between 1 and 2147483647. The default value is 100,000.
Max Value Results: This option allows analysts to set the maximum number of values to load in the Events view when the Max Results option is selected in the Meta Key Menu for an open Meta Key. The Max Value Results should be between 100 and 100000. The default value is 1000.
Max Meta Value Characters: This option allows analysts to set the maximum number of characters of a meta value name displayed in the Events Meta panel. The Max Meta Value Characters should be between 60 and 512. The default value is 60.
These new configuration options give analysts more control over how metadata is displayed and loaded in the Events view. This helps analysts to perform the investigation more efficiently.
NetWitness now allows analysts to set the Render Threads value under the System > Investigation > Events tab > Render Threads Setting. This setting controls the number of meta key values that are loaded concurrently by the user in the Events Meta panel; increasing the number of render threads loads more meta values in parallel. The Render Threads value should be between 1 and 8. The default value is 2.
The Query Console has been enhanced to help the analysts with query construction on the Investigate > Events view. Analysts can now quickly view the Query Examples, Current Query, or Recent Queries on the Query Console directly.
The following section describes the new enhancements for Context Hub component:
Additional Data for Context Lookup Lists Panel
Administrators can now configure additional data of interest from the lists on the Context Hub Lists page. These additional details from the lists are reflected in the Context Lookup Lists panel when you view the context for an event on the Events or Respond view. This helps analysts with better visibility for further analysis and investigation.
New Permission at the Users Level for Context Lookup
NetWitness introduces a new permission named contexthub-server.contextlookup.read for Context Lookup. This permission is enabled only for administrators, analysts, malware analysts, SOC managers, and Respond administrators. With this enhancement, administrators can now assign role permissions that prevent users from viewing context enrichment that is not relevant to them or performing the Add/Remove from List actions. Additionally, this can prevent unauthorized users from accessing sensitive information.
Administrators can now view the data for Responsive Preview under the Meta and Field Mapping and perform Field mapping operations for REST API data sources with or without authentication. This enhancement helps administrators to avoid reconfiguring the REST API data source and saves time.
NetWitness Insight is a SaaS solution available as an extension for a NetWitness Network, Detection & Response (NDR) customer. NetWitness Insight is an advanced analytics solution that leverages unsupervised machine learning to empower the response of the Security Operations Center (SOC) team. NetWitness Insight continuously examines network data collected by the Decoder to discover, profile, categorize, characterize, prioritize, and track all assets. NetWitness Insight identifies the assets in the enterprise to alert analysts of their presence. The discovered assets are automatically categorized into groups of similar servers and prioritized based on their network profiles. These assets are presented to analysts in a Springboard panel to guide them to focus on certain assets to protect their organization. Contextual information about the asset is available anywhere analysts interact with IP addresses in Respond and Investigate workflows. Incidents and alerts can be created based on asset changes.
Available in preview mode, this new integration with major SASE vendors provides further network visibility for NetWitness Network (NDR) customers. Previously limited to logs, these integrations deliver original network traffic to NetWitness, providing analysts with deep network visibility and detection for SASE remote communications. Please contact your account representative to get a preview.
Springboard
The following section describes the new enhancements for the Springboard component:
Improved Color Visualization for Springboard Panels
NetWitness Springboard now allows analysts to choose from a variety of color palettes when creating or editing panels using the new Visualization Color Theme option. This enhancement gives analysts more control over the appearance of their panels, making them more visually appealing and easier to understand. As a result, analysts can visualize the data better and perform analysis and investigations more efficiently.
The latest NetWitness enhancements to reporting capabilities in the Respond view provide users with increased flexibility and streamlined workflows. These improvements address the challenges you face during investigation and reporting. The following enhancements are made to the Respond component.
Respond Reporting Enhancements
With the new upgrades to Respond reporting, administrators and analysts can efficiently capture, analyze, and share their findings with management, resulting in enhanced reporting experience within NetWitness.
Integrated reporting capabilities into the events and respond views allow administrators and analysts to seamlessly tie their investigations to reports to capture and report their findings to the management.
Users can review incidents and alerts within the Respond view and generate comprehensive reports directly from the interface. Analysts and administrators can document their analysis and share detailed reports with stakeholders.
Reports generated from the Respond view now leverage the powerful filtering capabilities available within Respond, ensuring that the reports accurately reflect the specific incidents or alerts reviewed.
A simplified workflow driven by customizable templates has been introduced; it removes the complexity of the previous reporting workflow and reduces the input required from analysts and administrators.
Report creation now defaults to preconfigured settings, minimizing the need for manual configuration and expediting the reporting process.
Analysts can now email the generated reports directly to administrators or other analysts, facilitating efficient communication and collaboration.
Respond Server Support for Core Alerts and Insight Alerts
The Respond Server support for NetWitness Core Alerts and NetWitness Insight Alerts update improves your security by helping you detect and respond to incidents more effectively. This includes improvements that make managing and analyzing core and insight alerts within the NetWitness platform easier.
Core Normalization alert support: We have added support for core normalization alerts, enabling the detection of suspicious network traffic patterns. This enhancement helps you proactively identify potential security threats and take swift action.
Improved Core Alerts visualization: Upgraded the visualizations for core alerts, providing a more detailed and comprehensive view. These enhanced visual representations make spotting patterns, trends, and anomalies easier, empowering you to make faster and more informed decisions.
OOTB Incident Aggregation Rule for Core Alerts and Insight Alerts: To simplify incident response, we have included an Out-of-the-Box (OOTB) incident aggregation rule specifically designed for core alerts and insight alerts. This rule automatically groups related core alerts and insight alerts into a single incident, streamlining your incident management process and saving valuable time.
The Respond > Alerts view is enhanced with the Whitelist Alert feature to help administrators and analysts whitelist non-suspicious Endpoint alerts. You can select entities such as File, User, and Host and define a Whitelist condition so that unwanted alerts are not triggered for those entities.
The new Whitelists tab added in the Respond view enables you to view and manage the Endpoint Whitelists created after whitelisting the non-suspicious Endpoint alerts.
The following section describes the new enhancements for the Endpoint component:
Files View Enhancements
The Files view is enhanced to help administrators and analysts block the new file hashes and manage the existing blocked file hashes. You can block up to a maximum of 50,000 file hashes using this feature.
The Hosts view is enhanced with the Remote Shell feature to help administrators and analysts access remote agents and perform remediation actions during an investigation. You can execute commands only in quiet mode.
Advanced Linux Agent - File Event Tracking Enhancement
Linux Agent - File Event Tracking is introduced to help analysts view file-related activities performed by an executable, such as writetoexecutable. Analysts can view and monitor file events to detect threats on Linux machines.
NetWitness Platform XDR supports collection of MicrosoftIIS logs. You can select MicrosoftIIS from the Log File Type drop-down list in (Admin) > Endpoint Sources > Policies > Define File Policy Settings to collect and monitor MicrosoftIIS file logs. For more information, see the Appendices topic in the NetWitness Endpoint Configuration Guide.
User and Entity Behavior Analytics
The following section describes the new enhancements for the UEBA component:
Enhanced Configuration Support for Multiple UEBA Servers
NetWitness introduces the ability to deploy multiple UEBA servers in your environment, providing increased flexibility and control. With this enhancement, administrators can distribute the UEBA server deployment across dedicated servers, such as one server for Logs and Endpoint data and another for Network (TLS) data. This data segregation ensures that each server can focus on its designated data type, resulting in faster and more streamlined processing. With the data segregation, analysts can now select the specific data type using the drop-down option provided for Multiple UEBA servers. This feature helps analysts to focus on the relevant users, network entities, and alerts associated with each UEBA server.
Analysts can now view contextual information about users on the NetWitness Users page. This enhancement enables analysts to make better decisions and take appropriate actions. A single place contains contextual information about users to help analysts identify and prioritize areas of investigation. The Context Highlights panel enables analysts to view contextual information for selected users, including total Respond alerts and incidents associated with them. Moreover, analysts can also switch to the Investigate view for a deeper look at users for focused analysis and investigation.
For more information, see the View Contextual Information for Users topic in the NetWitness UEBA Users Guide.
UEBA Performance Improvement
NetWitness UEBA (On-premises) has been enhanced to improve the performance of its data processing capabilities by updating the adaptor task and effectively allocating available free memory on UEBA services. This results in faster processing time and better performance for all UEBA tasks.
Concentrator, Decoder, and Log Decoder Services
Application Rule Enhancements
NetWitness has enhanced the Application Rules to help administrators manage the rules efficiently by adding the following improvements:
Under Session Options, the option Alert on is renamed to Flag session with rule name in meta key in the Application Rule tab. With this enhancement, administrators can now select a custom meta key from the drop-down, and a meta value corresponding to the rule name will be generated when the session metadata matches the rule.
Administrators can now select the Notify option to trigger alert generation and choose the Severity level while creating or modifying the Application Rules. The severity levels are Critical, High, Medium, and Low.
NetWitness Platform XDR supports the integration of the following event sources to collect and parse logs. Unless specified, these services are supported on NetWitness Platform XDR 11.7.0.0 or later.
As a launch partner for AWS AppFabric, NetWitness empowers customers to use this simplified, standardized method of securing new and existing AWS apps. For more information, see S3 Universal Connector.
The following section describes the new enhancements for the Platform component:
Backup and Restore Improvements
The Passwordless remote copying feature allows administrators to avoid entering the password in the Command Line Interface (CLI) while exporting and importing the data using the NetWitness Recovery Tool (NRT) and the NetWitness Recovery Wrapper Tool.
NetWitness Platform XDR allows non-root users to perform backup and recovery of data using the NetWitness Recovery Tool (NRT) and the NetWitness Recovery Wrapper Tool.
The NetWitness Recovery Wrapper Tool is enhanced with the following options to allow administrators to back up groups of hosts:
Category Group: This group allows you to create a backup of all the hosts belonging to a given category, such as Log Hybrid, Log Collector, or Standalone Broker, in the environment.
Host Group: This group allows you to create a backup of all the hosts belonging to a given group created on the /admin/appliances page. You can use the backup to restore any of the hosts in case of configuration issues or catastrophic failures.
Before upgrading the UEBA host to 12.3.0.0, you must perform the backup of your Elasticsearch data such as Users, Entities, Alerts, and Indicators to retain them post upgrade. For more information, see NetWitness UEBA Configuration Guide for 12.3.0.0.
Product Version Life Cycle for NetWitness Platform
Note: If you have the Export Connector plugin in your deployment, you must do the following:
• If you have Logstash installed separately, not as part of the NetWitness installation, you must uninstall the Export Connector plugin and install the updated Export Connector plugin after the 12.2.0.1 patch upgrade. In this case, the old Export Connector plugin files are not automatically removed after the upgrade. You must remove the old plugin files so that scans do not list them as vulnerabilities. For more information on how to remove the old plugin files and install the updated plugins, see the Post-Upgrade Tasks section in https://community.netwitness.com/t5/netwitness-platform-online/upgrade-instructions-for-12-2-0-1/ta-p/698615.
• If you have Logstash installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin will be automatically installed during the 12.2.0.1 patch upgrade.
Upgrade Paths
The following upgrade paths are supported for NetWitness 12.2.0.1:
12.2.0.0 to 12.2.0.1
12.1.1.0 to 12.2.0.1
12.1.0.1 to 12.2.0.1
12.1.0.0 to 12.2.0.1
12.0.0.0 to 12.2.0.1
11.7.3.0 to 12.2.0.1
11.7.2.0 to 12.2.0.1
11.7.1.2 to 12.2.0.1
11.7.1.1 to 12.2.0.1
11.7.1.0 to 12.2.0.1
11.7.0.2 to 12.2.0.1
11.7.0.1 to 12.2.0.1
11.7.0.0 to 12.2.0.1
11.6.1.4 to 12.2.0.1
11.6.1.3 to 12.2.0.1
Warning: Before upgrading the UEBA host to 12.2.0.1, you must perform the backup of your Elasticsearch data such as Users, Entities, Alerts, and Indicators to retain them post upgrade. For more information, see NetWitness UEBA Configuration Guide for 12.2.
The Product Documentation section has links to the documentation for this release.
Policy-based Centralized Content Management
The following enhancements are made for Policy-based Centralized Content Management in 12.2.0.0 version:
In order to enable the administrator to choose when to enable CCM, a single CCM toggle is introduced in the UI to enable or disable CCM for all 12.0 and later versions of Decoder Services. The toggle is available on the Content page and the toggle can be used to enable or disable CCM for all eligible Core Services at once. The CCM toggle has three states:
State1: None of the Decoder Services are managed by CCM
This is the default status. The default status is applicable only:
- If customers are upgrading from 11.x to 12.2 version
- If customers have turned off the feature in previous versions
State 2: All Decoder Services are managed by CCM
State 3: Some Decoder Services are managed by CCM
The administrator can edit the rule value while editing or cloning the Application Rule or Network Rule.
During policy creation or modification, the administrator can create a new group and assign it to the policy if there are no unassigned groups available for the policy.
For a policy, the administrator can subscribe to multiple content at once. This feature is available from 12.1.0.0 version or later.
During policy creation, the administrator can add all content to the policy based on the resource type.
When a policy has a failed status, a caution icon message banner is displayed in the Policies view and Groups view, indicating that the policy failed for one or more reasons. Administrators can now use the policy overview section in the UI to find the failure reason and the workaround.
Added the + Add New Datasource option to add data sources in the Create Deployment view and Edit Deployment view. Administrators can now add new data sources from the Create Deployment view and Edit Deployment view when the required data source is unavailable.
The following enhancements are made for the Respond component in the 12.2.0.0 version:
Introduced new pagination settings for the Incidents list view and Alerts list view. Administrators can now see all available incidents and configure pagination for the following:
Navigate through required page numbers.
Set the incidents per page as per the options available.
Administrators can now configure syslog alerts for new incidents added to the incidents queue. In addition, a new template field is added with Default Respond SMTP Template. Administrators can now select the pre-configured custom syslog notification template to configure the respond OOTB template available under global notification settings or write a custom respond template.
Enhanced Email Notification Settings
A new template field is added in the Email Notification Settings with Default Respond SMTP Template. Administrators can now select the pre-configured custom email notification template to configure the Respond OOTB template available under global notification settings, or write a custom Respond template.
The following section describes the new enhancements for the Endpoint component:
Hosts View Enhancements
The Hosts view is enhanced to help analysts get an accurate number of Hosts and the list of Windows, Mac, and Linux machines on which the suspicious Autoruns are configured.
To optimize the view for analysts, a few columns in the Hosts > Autoruns view such as Global Risk Score, Local Risk Score, Reputation, File Status, Downloaded, File Creation Time, and Signature are removed.
The columns such as Registry Path, Filename, File Path, On Hosts, Type, and Launch Arguments are re-arranged in the following order:
Registry Path
On Hosts
Type
Launch Arguments
Filename
File Path
For more information, see the Hosts View - Autoruns Tab topic in the NetWitness Endpoint User Guide.
Advanced Linux Agent - Process Event Tracking Enhancement
Linux Agent - Process Event Tracking is introduced to help analysts view the createprocess activities. Analysts can view and monitor process events to detect threats on Linux machines.
A new index configuration threshold, slice.memory.max, has been introduced. When the index slice memory usage exceeds the threshold, an index save writes the index to disk, keeping the index memory usage under control. With this new setting, administrators can freely enable indexing of all unique meta values on the meta keys they choose.
The HTTP/2 parser now demultiplexes interleaved streams and extracts the application payload, so that other parsers looking for tokens in the payload can use it for detection. This also lets analysts reconstruct HTTP/2 sessions, download them as PCAPs, and extract data from compressed payloads.
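The demultiplexing step described above, as an added example that is not NetWitness code: several HTTP/2 streams share one TCP connection and their DATA frames arrive interleaved, so a parser must first group frame payloads by stream identifier before any token-based detection can look at a request or response body. The frame layout follows RFC 7540 section 4.1 (24-bit length, type, flags, 31-bit stream id); the PADDED flag handling shows the edge case where trailing padding must be stripped. The sample capture is constructed inline for the example.

```python
"""Demultiplex interleaved HTTP/2 DATA frames into per-stream application payloads.

Added example (not NetWitness's parser): reassembles the bodies of HTTP/2 streams
whose frames arrive interleaved on one connection. Frame layout per RFC 7540
section 4.1; the sample capture at the bottom is constructed for this example.
"""
import struct

FRAME_HEADER_LEN = 9
FRAME_TYPE_DATA = 0x0
FRAME_TYPE_HEADERS = 0x1
FLAG_END_STREAM = 0x1
FLAG_PADDED = 0x8


def build_frame(frame_type, flags, stream_id, payload):
    """Encode one HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    if len(payload) > 0xFFFFFF:
        raise ValueError("payload exceeds 24-bit frame length")
    header = (len(payload).to_bytes(3, "big")
              + bytes([frame_type, flags])
              + struct.pack(">I", stream_id & 0x7FFFFFFF))
    return header + payload


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    offset = 0
    while offset + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[offset:offset + 3], "big")
        frame_type = data[offset + 3]
        flags = data[offset + 4]
        # The top bit of the stream identifier is reserved and must be ignored.
        stream_id = int.from_bytes(data[offset + 5:offset + 9], "big") & 0x7FFFFFFF
        start = offset + FRAME_HEADER_LEN
        end = start + length
        if end > len(data):
            raise ValueError("truncated frame at offset %d" % offset)
        yield frame_type, flags, stream_id, data[start:end]
        offset = end


def demultiplex(data):
    """Return ({stream_id: body}, {stream_ids that carried END_STREAM})."""
    bodies = {}
    finished = set()
    for frame_type, flags, stream_id, payload in iter_frames(data):
        # Only DATA frames carry application payload; stream 0 is connection control.
        if frame_type != FRAME_TYPE_DATA or stream_id == 0:
            continue
        if flags & FLAG_PADDED:
            # PADDED: first byte is the pad length, padding trails the data.
            if not payload:
                raise ValueError("padded frame with empty payload")
            pad_len = payload[0]
            if pad_len >= len(payload):
                raise ValueError("pad length exceeds frame payload")
            payload = payload[1:len(payload) - pad_len]
        bodies.setdefault(stream_id, bytearray()).extend(payload)
        if flags & FLAG_END_STREAM:
            finished.add(stream_id)
    return {sid: bytes(body) for sid, body in bodies.items()}, finished


# Constructed sample: two client streams (1 and 3) interleaved on one connection.
SAMPLE_CAPTURE = b"".join([
    build_frame(FRAME_TYPE_HEADERS, 0x4, 1, b"\x82"),              # HEADERS, no body
    build_frame(FRAME_TYPE_DATA, 0x0, 1, b"GET /lo"),
    build_frame(FRAME_TYPE_DATA, FLAG_PADDED, 3, b"\x02POST\x00\x00"),  # 2 pad bytes
    build_frame(FRAME_TYPE_DATA, FLAG_END_STREAM, 1, b"gin"),
    build_frame(FRAME_TYPE_DATA, FLAG_END_STREAM, 3, b" body"),
])

if __name__ == "__main__":
    bodies, finished = demultiplex(SAMPLE_CAPTURE)
    for sid in sorted(bodies):
        print(sid, bodies[sid], "complete" if sid in finished else "partial")
```

A real parser would additionally track HEADERS/CONTINUATION frames and HPACK state per connection and decompress content-encoded bodies; this block stops at the point where each stream's raw payload is available for token matching, which is the capability the note describes.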
NetWitness Platform XDR supports the integration of the following parser services to collect logs. These services are supported on NetWitness Platform XDR 11.7.0.0 or later.
Zscaler ZIA
Zscaler ZPA
OPSWAT Meta Access Cloud
Symantec Endpoint Security Events
Symantec Endpoint Security Incidents
S3 Universal Connector support for access logs from Application Load Balancer (ALB).
Before upgrading the UEBA host to 12.2.0.0, you must perform the backup of your Elasticsearch data such as Users, Entities, Alerts, and Indicators to retain them post upgrade. For more information, see NetWitness UEBA Configuration Guide for 12.2.0.0.
Product Version Life Cycle for NetWitness Platform
The following enhancements are made for Policy-based Centralized Content Management in 12.1.1.0 version.
Administrator can clone Application Rules and Network Rules with a unique rule name and same rule value.
IMPORTANT:
- The Rule Name is the unique title of the rule, which is used as a reference to the rule within the Content Library.
- The Rule Value is a string or text which is registered to a meta key when the rule is triggered with an "alert" output. It may be the same as the rule name, but it is not unique within the Content Library.
Single CCM toggle is introduced to enable or disable CCM for all 12.0+ Decoders and Log Decoders at once. The toggle button is available via backend of source-server.
In 12.1 and later versions, you can only manage the ESA deployments and Data Sources through Centralized Content Management.
Go to (CONFIGURE) > Policies > Content > Event Stream Analysis page to manage the ESA deployments and Data Sources.
Refer to the following screenshot.
A new unified deployment view (ESA DEPLOYMENTS) tab is created to manage deployments from a single view across all policies within CCM.
Navigation to the edit policy wizard is simplified from the Edit deployment view > View rules.
The edit deployment screen will save the current state and close. The user will be redirected to the edit policy wizard in a new tab.
A new search option is created for the listed ESA rules in the View ESA rules modal in the edit and create deployment views.
Caution banners are created to inform the customer that a deployment is required when creating ESA-related policies.
After upgrading to 12.1 and later versions, you can only manage the ESA Rules in the ESA Rules page. Refer to the following screenshot.
After upgrading to the 12.1.1.0 version, all the ESA deployments will be migrated to the (CONFIGURE) > Policies page. Each deployment will be converted into a policy and group and will be available to manage only after the Correlation servers are upgraded to the 12.1.x.x version. Make sure that you plan the upgrade process so that Correlation servers are upgraded immediately after the Admin Server is done. The deployments will not be accessible until the corresponding Correlation servers are upgraded. However, the Correlation servers will continue to process the Alerts and Events.
You must upgrade the ESA hosts immediately after upgrading the Admin Server.
Note: If you have the Export Connector plugin in your deployment, you must do the following:
- If you have Logstash installed separately, not as part of the NetWitness installation, you must uninstall the Export Connector plugin and install the updated Export Connector plugin after the 12.1.0.1 patch upgrade. In this case, the old Export Connector plugin files are not automatically removed after the upgrade. You must remove the old plugin files so that scans do not list them as vulnerabilities. For more information on how to remove the old plugin files and install the updated plugins, see Post-Upgrade Tasks.
- If you have Logstash installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin will be automatically installed during the 12.1.0.1 patch upgrade.
Upgrade Paths
The following upgrade paths are supported for NetWitness 12.1.0.1:
The following enhancements are made for Policy-based Centralized Content Management in 12.1.0.0 version.
Administrators can create and upload content to the Content Library easily by:
Importing log parsers as a zip file instead of converting to ".envision" format.
Cloning existing Application Rules and Network Rules.
Administrators can switch services between legacy Content Management UI and the new Centralized Content Management via Groups and Policies using the "toggle" feature. This can prevent content being mistakenly added or modified outside of a Policy, causing an out-of-sync issue.
Each service can be toggled to work either with individual "Service or Config" interface or with Content Policies.
Toggling on Content Policy for a service will restrict the legacy UI to "read only" mode.
Administrators can now force publish all the content of a policy in two ways:
Policy Listing > More Actions > Force Publish
Policy Details > Force Publish
Administrators can easily find content, policies or groups of interest by using the "Filtering" capability of the UI in the Content Library, Policy Listing page, Policy Details page, and Group Listing page.
Administrators can receive meta key and operator suggestions while creating application and network rule conditions. This eases the creation of error-free rules. Administrators can also opt for 'Advanced mode' to create complex queries.
Addressed an issue where the Content Policy UI was not usable without an active connection to Live.
Administrators can now create, modify and publish policies and manage custom content in the Content Library even without an internet connection.
An Internet connection is still required in order to synchronize Live content with the Content Library.
Administrators can now manage ESA content from the (Configure) > Policies page:
Manage ESA content and handle multiple deployments seamlessly using Policy.
One-click management of subscriptions and automatic updates for ESA content.
Toggle the Subscribe button to enable automatic updates of ESA content.
Seamlessly view ESA Live content along with your own custom content.
Add and manage ESA Correlation servers as part of groups.
Manage all the data sources for the ESA Correlation servers from the Settings > Event Stream Analysis > Data Sources page seamlessly.
The Respond view is enhanced to help analysts export and store the Incidents with Alerts and Events in JSON format for offline investigation.
Incidents List View Enhancements
The new Export drop-down is added to allow analysts to export and download data such as the fields or attributes associated with the Alerts and Events of the selected Incidents.
You can export data for a maximum of ten incidents at a time. Once a data download is in progress, you can select a different set of ten incidents and export their data simultaneously. You can repeat this action until the max-user-tasks limit, which is the maximum number of incident export tasks set in the Respond service under rsa.respond.incident.exports, is reached.
The following section describes the new enhancements for the NetWitness user interface:
NetWitness User Interface Enhancements
The 12.1.0.0 release includes the new NetWitness corporate logo. You can view the new logo in NetWitness Platform XDR, which updates the identity of NetWitness as a trusted brand.
As part of the repositioning, we are renaming our product as NetWitness Platform XDR. This change aims to simplify communications and improve our customers' understanding of how each product secures and protects within the NetWitness portfolio.
Endpoint Investigation
Initiate YARA Scans at the Endpoint Agent Level
Analysts can initiate YARA scans at the endpoint agent level by selecting one or multiple endpoint agents.
Enhanced Process Tree View for Endpoint Alerts on Respond
The Process Tree view on the Respond > Alerts > Endpoint Alerts > Alert details page is enhanced with the new File Actions tab next to Investigate Timeline. With this enhancement, analysts can quickly save a local copy of the selected file, download it to the server, or block it.
Policy based Centralized Content Management is a unified approach to find, deploy, and manage content through the entire life cycle based on policies that can be assigned to groups of devices. It is a single location to view, modify and manage the content deployed across all services in the environment.
Benefits of Policy based Centralized Content Management:
Add content from RSA Live or add your own custom content.
Add or remove content without repeating the process on each individual service.
Add a new service to an existing group to automatically deploy all necessary content.
Simply toggle the Subscribe button to enable automatic updates of content.
One-click management of subscriptions and automatic updates.
Provide highly responsive and updated UI for browsing RSA Live content that can help you with the following:
View Live and custom content along with your content policies and click to add content
Seamlessly view Live content along with your own custom content.
Centrally import and deploy live and custom content.
The following section describes the new enhancements for the Springboard component:
Enhanced Springboard to Support New Built-in Panels
NetWitness Platform Springboard introduces five more out-of-the-box panels based on the events processed and presented on Springboard view. On the Springboard, Administrators and Analysts can now view the following panels of events data which helps in threat hunting and investigation:
MITRE ATT&CK tactics
MITRE ATT&CK techniques
Indicators of Compromise
Enablers of Compromise
Behaviors of Compromise
Administrators can customize these panels to display only the event-focused data for analysts to carry out further investigation.
Administrators and Analysts can now add their own custom private board to the NetWitness Platform Springboard and add panels with important system indicators, which helps in threat hunting and investigation. The custom private board is visible only for users who created it. The board allows users to organize and manage information in an easy manner.
During investigation, Administrators and Analysts can add a Springboard panel from the Investigate > Events view. You can add any number of filters in the query search bar and convert them to Springboard panels to keep detecting and watching results. The newly added panels are saved under a custom private board, which lets users organize and manage information easily.
The Respond view is enhanced to track and capture every action users perform on an incident. The toolbar actions are enhanced to allow users to select only a valid priority, status, and assignee for an incident.
Incident Workflow Enhancements
The following changes have been made to the Change Status drop-down list in the Respond > Incidents view:
Added the new incident status Reopen so that users can reopen closed incidents.
Removed the New and Assigned statuses from the drop-down list; they are still displayed in the Status column of the Respond > Incidents > Incidents List view.
Streamlined the incident status change workflow. Invalid statuses are grayed out, so users can select only a valid status for any incident.
The new History panel is added to display every action performed by a user on an incident. The actions recorded for an incident are as shown below:
The following section describes the new enhancements for the Investigation component:
Indicators for Searchable Meta
The meta key and meta value pairings now display a binocular icon while viewing a text reconstruction in the Event Meta panel, indicating the search option. This enhancement helps the analysts to visually see the indication rather than going through the list of all metadata to figure out which ones may be searched.
Unified Discovery and Interaction of Events Metadata
Hosts and Files Alerts Details View
Analysts have a unified way to interact with events metadata presented in the Alerts tab of Hosts and Files details view to perform actions or review contextual information. Analysts can use the right and left click options to view the unified panel data.
For more information on Hosts and Files, see the Analyze Hosts Using the Risk Score and Analyze Files Using the Risk Score topics in the NetWitness Platform Endpoint User Guide.
Respond View
Analysts have a unified way to interact with events metadata presented in the Respond view to perform actions or review contextual information.
On the Respond Indicators panel, Nodal Graph, and Events List view, analysts can use the left and right click options to view the unified panel data.
Enhanced Querying on Events View to Exclude any Specific Meta
Analysts can now exclude particular meta values while querying by using the NOT(meta contains 'meta value') option available in the Investigate unified panel. When you apply NOT(meta contains 'meta value') with the Append or Refocus option on a specific meta value, events carrying that value are removed from the query results. This lets analysts see only the data they need and continue the investigation efficiently.
Analysts can directly view encrypted data that the Decoder has decrypted, which saves the time and effort of converting it into a readable form. Analysts enable this with the Display Decrypted Payload toggle in the Events > Text view.
Select Custom Date and Time Range in the Events View
Analysts can set a custom range in the Investigate > Events view, selecting a specific time, date, month, and year in the calendar view that opens when you click the Custom Range option. This lets analysts pick a date and time quickly without typing it in, which avoids typos.
The following section describes the new enhancements for the NetWitness user interface:
NetWitness User Interface Enhancements
The 12.0.0.0 release includes the new NetWitness corporate logo. You can view the new logo in NetWitness Platform, which updates the identity of NetWitness as a trusted brand.
As part of the repositioning, we are renaming our product as NetWitness Platform XDR. This change aims to simplify communications and improve our customers' understanding of how each product secures and protects within the NetWitness portfolio.
Endpoint Investigation
The following section describes the new enhancements for the Endpoint component:
Detection of removable Storage Devices
NetWitness Endpoint Agents are enhanced with the capabilities to detect and report removable storage devices. The Endpoint agents detect and report when a removable storage device is plugged in or removed. This enhancement provides analysts with extended threat detection capabilities. For more information, see the NetWitness Endpoint User Guide.
Block Multiple File Hashes Using an Imported File
Administrators can import a file with a list of known file hashes that are not present in the environment and block them as soon as they are detected. This enhancement will help analysts to block multiple hashes without manual intervention.
Support for Arm-based Windows Machines
Administrators can install Endpoint agents on Arm-based Windows machines. This enhancement provides analysts with threat detection capabilities on more types of devices.
Download MFT from Multiple Hosts in One Step
Analysts can now download the MFT (Master File Table) from multiple hosts on the Hosts list view in one step, without opening the Host details view of each host. For more information, see the Download Master File Table topic in the NetWitness Endpoint User Guide.
Customizable Maximum File Download Limits
The maximum number of file downloads on the Endpoint server is now configurable. On the Explore page of an Endpoint server, Administrators can set the limit to a value from 100 to 1000 files. For more information, see Download Files Using Full Path or Wildcard in the NetWitness Endpoint User Guide.
Redesigned Alert Details View for Endpoint Alerts in Respond
In the Respond view, the alert details view for Endpoint alerts shows end-to-end details about an alert. The details are presented in the form of a process tree along with a right panel that provides detailed information about the alert categorized into the following sections:
Summary: A short summary of the alert.
Event Details: Shows the directory, user, hash, signature, risk score, etc.
Process Details: Shows the tactics, techniques, times and details about the targets.
Network Connections: Shows any network connection established from ten minutes before to ten minutes after the time the alert was triggered.
Origin: Shows how the selected file in the process tree originated.
Exists on Hosts: The hosts on which the selected file in the process tree exists.
In addition to these sections, the Investigate Timeline option takes you to the Investigate view, which has more detailed information.
The following section describes the new enhancements for the Concentrator, Decoder, and Log Decoder components:
Log Parsing Enhancements
The following log parsing enhancements are made in version 12.0.0.0. These are new elements that you use when creating a log parser:
New Selector Parsing Element Added to Dynamically Map Captured Values to a Meta Key
This allows the log parser to choose automatically between two or more optional meta keys for a parsed value, depending on the value of another meta key. Consider the following sample log snippet:
In the above example, if the value of Direction is "src", the preferred meta key for the value of Address would likely be ip.src. Conversely, if the value of Direction is "dest", the meta key ip.dst might be preferred. This can now be achieved with the new SELECTOR log parsing element.
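To make the selection rule concrete, here is an added Python model of the behavior (example code written for this page, not NetWitness parser code, and not the XML syntax of the SELECTOR element). It runs over constructed log lines in the Direction=... Address=... shape described above; the mapping in DIRECTION_SELECTOR and the fallback key are assumptions made for the example.

```python
import re
from typing import Dict, Optional

# Constructed sample lines in the shape the text describes (not taken from a real device).
SAMPLE_LOGS = [
    "Jan 10 12:00:01 fw01 conn Direction=src Address=10.1.2.3 Port=443",
    "Jan 10 12:00:02 fw01 conn Direction=dest Address=198.51.100.7 Port=22",
    "Jan 10 12:00:03 fw01 conn Direction=sideways Address=192.0.2.9 Port=80",
]

# Selector table (assumed for this example): the value of the deciding field
# chooses which meta key receives the dependent value.
DIRECTION_SELECTOR = {"src": "ip.src", "dest": "ip.dst"}
# Assumed fallback key for values the table does not list, so the address is
# kept rather than silently dropped.
FALLBACK_KEY = "ip.addr"

_KV = re.compile(r"(\w+)=(\S+)")


def parse_kv(line: str) -> Dict[str, str]:
    """Extract key=value tokens from a log line."""
    return dict(_KV.findall(line))


def apply_selector(fields: Dict[str, str], select_on: str, value_field: str,
                   table: Dict[str, str], fallback: Optional[str] = None) -> Dict[str, str]:
    """Assign fields[value_field] to the meta key that table picks for fields[select_on]."""
    target = table.get(fields.get(select_on, ""), fallback)
    if target is None or value_field not in fields:
        return {}
    return {target: fields[value_field]}


def parse_line(line: str) -> Dict[str, object]:
    """Parse one line into meta, routing Address through the Direction selector."""
    fields = parse_kv(line)
    meta: Dict[str, object] = {}
    if "Direction" in fields:
        meta["direction"] = fields["Direction"]
    if "Port" in fields:
        meta["port"] = int(fields["Port"])
    meta.update(apply_selector(fields, "Direction", "Address",
                               DIRECTION_SELECTOR, FALLBACK_KEY))
    return meta


def parse_all(lines):
    return [parse_line(line) for line in lines]


if __name__ == "__main__":
    for meta in parse_all(SAMPLE_LOGS):
        print(meta)
```

The third sample line is the case worth thinking about when you write a real selector: a Direction value the table does not know. Without a fallback the address would vanish from the meta, which is the kind of silent data loss that only shows up months later in an investigation.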
Support for Advanced Parsing Elements within CEF Parser and DataType
Support added to CEF parser for VARTYPE, SCANNED, DataType, and Selector parsing elements.
Allows the CEF parser to take advantage of the fine parsing capabilities found in other parsers.
Dynamic parsing support including PARSERULESCAN added to DataType parsing element.
Allows nesting of dynamic parsing elements (parse rules) from within an existing DataType.
Enhanced Network Decoder to Decrypt Incoming TLS 1.3 Packets
The enhanced network packet decryption capability helps inspect TLS 1.3 encrypted communications using ephemeral session keys. Administrators can configure Network Decoder to enable decryption of incoming TLS 1.3 network packets.
The Event Stream Analysis is enhanced to reduce the time consumed for new rules deployment.
Improved ESA Rules Deployment
The ESA rule deployment has been enhanced with a new option to deploy rules faster. If you want to push rule-related changes, you can deploy the new rules quickly by clicking the Fast Deploy option. For more information, see the Alerting with ESA Correlation Rules User Guide.
Reports
The following section describes the new enhancements for the Reports component:
Build Rule View Enhancements
TheBuild Ruleview is enhanced to help users view the following information in the report generated:
The average time taken to assign the incident.
The average time taken to complete the task.
The average time taken to close the incident.
The following changes have been made in theBuild Ruleview:
Two new options are added in the From field:
incidentStats: The following metas are supported for incidentStats:
created
mtta.time: Displays the average time taken to acknowledge the incidents in a single day.
mtta.count: Displays the number of incidents acknowledged in a single day.
mttd.count: Displays the number of incidents detected in a single day.
mttd.time: Displays the average time taken to detect the incidents in a single day.
mttr.time: Displays the average time taken to resolve the incidents in a single day.
mttr.count: Displays the number of incidents resolved in a single day.
These metas are displayed in the generated report. Refer to the following figure.
incidentUserStats: The following metas are supported for incidentUserStats:
userName: Displays the assignee's or the user's ID for the associated user stats.
totalClosedCount: Displays the total number of Incidents closed by the assignee till date.
meanTimeToDetect: Displays the average time taken by the user to detect the incidents in the time range selected.
mttdCount: Displays the count of incidents contributing to the MTTD value computed.
incidentIds: Displays the list of incident IDs closed by the user during the time range selected.
These metas are displayed in the generated report. Refer to the following figure.
New metas are added for incident. The newly added metas are as follows:
assignee.id
tta (Time to Acknowledge): The time taken to assign an incident after it is created.
ttd (Time to Detect): The time taken to complete the task after the incident is assigned.
ttr (Time to Resolve): The time taken to close the incident after it is created.
These metas are populated in the Test Rule view. Refer to the following figure.
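The following Python example, added here and not NetWitness code, computes these metas from constructed incident records using the definitions above: tta = assigned - created, ttd = task completed - assigned, ttr = closed - created. It assumes that a daily incidentStats bucket is the day on which the acknowledgement, task completion or closure happened, and it builds incidentUserStats over incidents closed within a selected date range; the record fields, sample incidents and function names are this example's own.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Incident:
    id: str
    assignee: str
    created: datetime
    assigned: Optional[datetime] = None        # acknowledgement
    task_completed: Optional[datetime] = None  # detection work finished
    closed: Optional[datetime] = None          # resolution


def tta(i: Incident) -> Optional[timedelta]:
    """Time to Acknowledge: assignment after creation."""
    return i.assigned - i.created if i.assigned else None


def ttd(i: Incident) -> Optional[timedelta]:
    """Time to Detect: task completion after assignment."""
    return i.task_completed - i.assigned if i.assigned and i.task_completed else None


def ttr(i: Incident) -> Optional[timedelta]:
    """Time to Resolve: closure after creation."""
    return i.closed - i.created if i.closed else None


def _mean(values: List[timedelta]) -> Optional[timedelta]:
    return sum(values, timedelta()) / len(values) if values else None


def incident_stats(incidents: List[Incident]) -> Dict[str, Dict[str, object]]:
    """Daily mtta/mttd/mttr .time (mean) and .count, bucketed by the day the event happened."""
    per_day: Dict[str, Dict[str, List[timedelta]]] = defaultdict(
        lambda: {"mtta": [], "mttd": [], "mttr": []})
    for i in incidents:
        for name, fn, stamp in (("mtta", tta, i.assigned),
                                ("mttd", ttd, i.task_completed),
                                ("mttr", ttr, i.closed)):
            value = fn(i)
            if value is not None:          # stamp is set whenever value is
                per_day[stamp.date().isoformat()][name].append(value)
    report: Dict[str, Dict[str, object]] = {}
    for day, buckets in per_day.items():
        row: Dict[str, object] = {}
        for name, values in buckets.items():
            row[name + ".count"] = len(values)
            row[name + ".time"] = _mean(values)   # None when nothing happened that day
        report[day] = row
    return report


def incident_user_stats(incidents: List[Incident], start: datetime, end: datetime):
    """Per-assignee stats; MTTD and incidentIds cover incidents closed within [start, end]."""
    users = defaultdict(lambda: {"closed_total": 0, "ttds": [], "ids": []})
    for i in incidents:
        u = users[i.assignee]
        if i.closed is None:
            continue
        u["closed_total"] += 1                  # totalClosedCount is all-time
        if start <= i.closed <= end:
            u["ids"].append(i.id)
            d = ttd(i)
            if d is not None:
                u["ttds"].append(d)
    return {
        name: {"userName": name,
               "totalClosedCount": u["closed_total"],
               "meanTimeToDetect": _mean(u["ttds"]),
               "mttdCount": len(u["ttds"]),
               "incidentIds": u["ids"]}
        for name, u in users.items()
    }


# Constructed sample incidents (not real data).
SAMPLE_INCIDENTS = [
    Incident("INC-1", "alice", datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 9, 10),
             datetime(2024, 3, 1, 10, 10), datetime(2024, 3, 1, 12, 0)),
    Incident("INC-2", "alice", datetime(2024, 3, 1, 11, 0), datetime(2024, 3, 1, 11, 30),
             datetime(2024, 3, 1, 13, 30), datetime(2024, 3, 2, 11, 0)),
    Incident("INC-3", "bob", datetime(2024, 3, 2, 8, 0), datetime(2024, 3, 2, 8, 5)),
]
RANGE_START, RANGE_END = datetime(2024, 3, 1), datetime(2024, 3, 1, 23, 59, 59)

if __name__ == "__main__":
    print(incident_stats(SAMPLE_INCIDENTS))
    print(incident_user_stats(SAMPLE_INCIDENTS, RANGE_START, RANGE_END))
```

Note the two behaviours a report consumer should be aware of: an incident that is assigned but never closed (INC-3) contributes to mtta on its assignment day but to nothing else, and a day on which no incident closed reports mttr.count of 0 with no mean rather than a zero duration.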
Note: If you have the Export Connector plugin in your deployment, do the following:
- If Logstash is installed separately (not as part of the NetWitness installation), uninstall the Export Connector plugin and install the updated Export Connector plugin after the 11.7.3 patch upgrade. For the installation steps, see Post-Upgrade Tasks in the Upgrade Guide for 11.7.3.
- If Logstash is installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin is installed automatically during the 11.7.3 patch upgrade.
In both cases, the old Export Connector plugin files are not removed automatically after the upgrade. Remove the old plugin files so that vulnerability scans do not report them. For the removal steps, see Post-Upgrade Tasks in the Upgrade Guide for 11.7.3.
Endpoint Enhancements
The Hosts and Files view is enhanced to help Analysts view the actual risk score of the Blacklisted files. The risk score of the files increases once they are blacklisted.
File Name column is exported when you export the Files attributes to a CSV file.
Timeouts and delays in MongoDB caused by very large bash histories on a few agents are resolved.
Usability Enhancements
The Test Chart feature in Reports (Reports > Charts > Add new chart > Test Chart) is enhanced to load with different time ranges.
Upgrade Paths
The following upgrade paths are supported for NetWitness Platform XDR 11.7.3.0:
11.7.2.0 to 11.7.3.0
11.7.1.2 to 11.7.3.0
11.7.1.1 to 11.7.3.0
11.7.1.0 to 11.7.3.0
11.7.0.2 to 11.7.3.0
11.7.0.1 to 11.7.3.0
11.7.0.0 to 11.7.3.0
11.6.1.4 to 11.7.3.0
11.6.1.3 to 11.7.3.0
11.6.1.2 to 11.7.3.0
11.6.1.1 to 11.7.3.0
11.6.1.0 to 11.7.3.0
11.6.0.0 to 11.7.3.0
11.5.3.3 to 11.7.3.0
11.5.3.2 to 11.7.3.0
For more information on upgrading to 11.7.3.0, see Upgrade Guide for NetWitness Platform XDR 11.7.3.0
Note: If you have the Export Connector plugin in your deployment, do the following:
- If Logstash is installed separately (not as part of the NetWitness installation), uninstall the Export Connector plugin and install the updated Export Connector plugin after the 11.7.2 patch upgrade. For the installation steps, see Post-Upgrade Tasks in the Upgrade Guide for 11.7.2.
- If Logstash is installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin is installed automatically during the 11.7.2 patch upgrade.
In both cases, the old Export Connector plugin files are not removed automatically after the upgrade. Remove the old plugin files so that vulnerability scans do not report them. For the removal steps, see Post-Upgrade Tasks in the Upgrade Guide for 11.7.2.
Upgrade Paths
The following upgrade paths are supported for NetWitness Platform XDR 11.7.2.0:
The NetWitness 11.7.1.2 release notes provide information about the changes in NetWitness Platform 11.7.
Fixed Issues
For more information on Fixed Issues, see Fixed Issues.
Security Fixes
The Log4j vulnerability recently discovered in the commonly used open source logging library has been addressed. This applies to CVE-2021-44228. For more information, see the Security Advisory for Log4j.
Note: This patch release of NetWitness addresses the log4j vulnerabilities reported to date. The following CVEs were validated and found not to be exploitable:
- CVE-2021-44228
- CVE-2021-44832
- CVE-2021-4104
- CVE-2021-45105
- CVE-2021-45046
NetWitness will continue to monitor this issue for new developments and provide periodic updates.
Note: If you have the Export Connector plugin in your deployment, do the following:
- If Logstash is installed separately (not as part of the NetWitness installation), uninstall the Export Connector plugin and install the updated Export Connector plugin after the 11.7.1.2 patch upgrade. In this case, the old Export Connector plugin files are not removed automatically after the upgrade; remove them so that vulnerability scans do not report them. For the removal and installation steps, see Post-Upgrade Tasks.
- If Logstash is installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin is installed automatically during the 11.7.1.2 patch upgrade.
Note: After upgrading from 11.5.x.x or 11.6.x.x to 11.7.x.x, traces of old .jar files containing vulnerable log4j versions were found in the /tmp/jetty folder, so vulnerability scans reported the older log4j versions. This has been addressed: the /tmp/jetty folder is now cleaned up so that the old log4j versions are removed.
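Because stale plugin and jetty files are exactly what the scanners keyed on, it is worth verifying the cleanup yourself after the upgrade. The following Python scanner is an added example (not a NetWitness tool): it walks a directory tree, identifies log4j jars from the META-INF/maven/.../pom.properties inside the archive or, failing that, from the file name, and flags log4j-core below 2.17.1 (the fix version for CVE-2021-44832, which also covers CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105) and any log4j 1.x jar (CVE-2021-4104). The fixture it builds is constructed in a temporary directory so it runs offline; its directory names only mirror the /tmp/jetty layout for illustration.

```python
import os
import re
import sys
import tempfile
import zipfile
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

LOG4J2_FIXED: Version = (2, 17, 1)              # CVE-2021-44832 fixed here; 2.15/2.16/2.17 fixed the earlier CVEs
VULNERABLE_ARTIFACTS = {"log4j-core", "log4j"}  # the 2.x core jar and the monolithic 1.x jar
JAR_NAME = re.compile(r"^(log4j(?:-core)?)-(\d+)\.(\d+)\.(\d+)\.jar$")


def jar_identity(path: str) -> Tuple[Optional[str], Optional[Version]]:
    """Return (artifactId, version) from pom.properties inside the jar, else from its file name."""
    try:
        with zipfile.ZipFile(path) as z:
            for name in z.namelist():
                if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                    props = {}
                    for line in z.read(name).decode("utf-8", "replace").splitlines():
                        if "=" in line and not line.startswith("#"):
                            k, v = line.split("=", 1)
                            props[k.strip()] = v.strip()
                    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", props.get("version", ""))
                    if m and "artifactId" in props:
                        return props["artifactId"], (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except zipfile.BadZipFile:
        pass  # truncated or renamed file: fall back to the name, which is what scanners do too
    m = JAR_NAME.match(os.path.basename(path))
    if m:
        return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return None, None


def is_vulnerable(artifact: Optional[str], version: Optional[Version]) -> bool:
    if artifact not in VULNERABLE_ARTIFACTS or version is None:
        return False
    if artifact == "log4j":            # 1.x line: end of life, CVE-2021-4104 (JMSAppender)
        return version[0] == 1
    return version < LOG4J2_FIXED


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Return sorted (relative path, version) for every stale log4j jar under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if "log4j" not in f.lower() or not f.endswith(".jar"):
                continue
            full = os.path.join(dirpath, f)
            artifact, version = jar_identity(full)
            if is_vulnerable(artifact, version):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, ".".join(map(str, version))))
    return sorted(findings)


def build_fixture() -> str:
    """Constructed tree of fake jars (zip files holding only pom.properties) in a temp dir."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")

    def jar(rel, group, artifact, version):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with zipfile.ZipFile(p, "w") as z:
            z.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                       f"#generated\nversion={version}\ngroupId={group}\nartifactId={artifact}\n")

    lib = "jetty-0-webapp/WEB-INF/lib/"
    jar(lib + "log4j-core-2.14.1.jar", "org.apache.logging.log4j", "log4j-core", "2.14.1")  # stale
    jar(lib + "log4j-core-2.17.1.jar", "org.apache.logging.log4j", "log4j-core", "2.17.1")  # fixed
    jar(lib + "log4j-api-2.14.1.jar", "org.apache.logging.log4j", "log4j-api", "2.14.1")    # api only
    jar("legacy/log4j-1.2.17.jar", "log4j", "log4j", "1.2.17")                               # 1.x
    broken = os.path.join(root, "stale", "log4j-core-2.12.0.jar")                            # not a zip
    os.makedirs(os.path.dirname(broken), exist_ok=True)
    with open(broken, "wb") as fh:
        fh.write(b"not a real archive")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_fixture()
    for rel, ver in scan_tree(target):
        print(f"STALE {ver:8} {rel}")
```

Run it with a path argument (for example the /tmp/jetty folder or the Logstash plugin directory) to list what a vulnerability scanner would still see; with no argument it scans its own constructed fixture. The truncated-file case matters in practice: a half-deleted jar with a vulnerable name is still reported by name-based scanners, so it is counted here as well.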
The NetWitness 11.7.1.1 release notes provide information about the changes in NetWitness Platform 11.7.
Fixed Issues
For more information on Fixed Issues, see Fixed Issues.
Security Fixes
The Log4j vulnerability recently discovered in the commonly used open source logging library has been addressed. This applies to CVE-2021-44228. For more information, see the Security Advisory for Log4j.
Note: This patch release of NetWitness addresses the log4j vulnerabilities reported to date. The following CVEs were validated and found not to be exploitable:
- CVE-2021-44228
- CVE-2021-44832
- CVE-2021-4104
- CVE-2021-45105
- CVE-2021-45046
NetWitness will continue to monitor this issue for new developments and provide periodic updates.
Note: If you have the Export Connector plugin in your deployment, do the following:
- If Logstash is installed separately (not as part of the NetWitness installation), uninstall the Export Connector plugin and install the updated Export Connector plugin after the 11.7.1.1 patch upgrade. In this case, the old Export Connector plugin files are not removed automatically after the upgrade; remove them so that vulnerability scans do not report them. For the removal and installation steps, see Post-Upgrade Tasks.
- If Logstash is installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin is installed automatically during the 11.7.1.1 patch upgrade.
Upgrade Paths
The following upgrade paths are supported for NetWitness 11.7.1.1:
NetWitness 11.5.3.2 to 11.7.1.1
NetWitness 11.5.3.3 to 11.7.1.1
NetWitness 11.6.0.0 to 11.7.1.1
NetWitness 11.6.0.1 to 11.7.1.1
NetWitness 11.6.1.0 to 11.7.1.1
NetWitness 11.6.1.1 to 11.7.1.1
NetWitness 11.6.1.2 to 11.7.1.1
NetWitness 11.6.1.3 to 11.7.1.1
NetWitness 11.6.1.4 to 11.7.1.1
NetWitness 11.7.0.0 to 11.7.1.1
NetWitness 11.7.0.1 to 11.7.1.1
NetWitness 11.7.0.2 to 11.7.1.1
NetWitness 11.7.1.0 to 11.7.1.1
Enhancements
The following section lists the enhancements to specific capabilities. To locate the document referred to in this section, go to the NetWitness Platform 11.x - All Documents. Product Documentation has links to the documentation for this release.
Reports
View Creator Information
The Created By column has been added to the Reports List page. This column enables you to view and analyze the ownership information of all the reports that exist in the system, including new, copied, and imported reports. When a report is exported, the owner details are retained. However, when a report is copied, the owner of the report changes to the user who created the copy. For more information, see the Reporting User Guide.
Log Collection
Administrators can now fetch the user information from the logs collected through MSExchange Management channel.
To view the user information:
Navigate to Server Manager > Diagnostics > Event Viewer > Applications and Services Logs > MSExchange Management.
In the MSExchange Management view, select the log file.
Click the Details tab and select XML View.
Select EventData. The third row in the <EventData> section displays the required user information.
Note: Alternatively, you can select the Friendly View under the Details tab to view the user information in the EventData section.
Administrators can pre-stage the upgrade repository by downloading the required packages (.zip) without affecting the system. This minimizes upgrade downtime and helps the upgrade complete within the planned window. The Pre-Stage Host option is available in the NetWitness UI and requires the NetWitness Server host to be connected to Live Services. For more information, see the Hosts and Services Maintenance Procedures topic in the Hosts and Services Getting Started Guide.
Note: You can use this feature only if you upgrade from 11.7.1.0 to a higher version.
Support for Additional Pre-Upgrade Check Utility
Additional health-check utility is introduced for Administrators to analyze the current NetWitness setup and identify conditions that may impact the upgrade. If any issues are detected, the issues can be resolved before proceeding with the upgrade.
The pre-upgrade check verifies the following:
(Component Hosts) Node X Service Status - Verifies the status of services (active or inactive) on all Node X hosts.
(Component Hosts) Node X Certificates Check - Checks for expired, missing, or corrupted certificates and for issuer mismatches across all certificate categories on Node X.
CPU-Memory Info - Provides CPU and memory details along with the real-time available memory.
(Admin Server) Node 0 File System Utilization - Verifies the disk partition utilization of /var/netwitness/mongo, /var/netwitness and root on Node 0.
(Component Hosts) Node X File System Utilization - Verifies the disk partition utilization of /var/netwitness/mongo, /var/netwitness and root for the ESA Primary, Endpoint Log Hybrid, and UEBA services on Node X.
Mongo File (ESA Primary) - Locates the ESA Primary node in the deployment and verifies the permission mode of the mongo file.
Orchestration Server Normal Mode - Checks whether the orchestration service is running in normal or safe mode.
(Admin Server) Node 0 Init Status - Checks for any issues that might cause the init process to fail.
(Admin Server) Node 0 Closed Ports - Checks whether the service ports required for NetWitness services are open and listening on Node 0.
(Component Hosts) Node X Closed Ports - Checks whether the service ports required for NetWitness services are open and listening on Node X.
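Two of these checks, file system utilization and closed ports, are simple enough to reproduce for a quick go/no-go of your own before you run the NetWitness utility. The Python below is an added example, not the NetWitness pre-upgrade check: it reports utilization of the listed partitions against a threshold and probes whether the expected service ports are listening on the host. The 80% threshold and the port numbers in EXPECTED_PORTS are assumptions for the example (the partition list is the one the Node 0 check names); self_check opens its own loopback listener so the run is self-contained.

```python
import shutil
import socket
from typing import Callable, Dict, Iterable, Optional, Tuple

# Partitions named by the Node 0 check; the threshold is chosen for this example.
NODE0_MOUNTS = ["/var/netwitness/mongo", "/var/netwitness", "/"]
UTILIZATION_THRESHOLD_PCT = 80.0
# Hypothetical service ports for the example; take the real list from the utility's output.
EXPECTED_PORTS = [443, 15671]

FsResult = Dict[str, Tuple[str, Optional[float]]]


def fs_utilization(path: str) -> float:
    """Percent of the filesystem holding `path` that is in use."""
    u = shutil.disk_usage(path)
    return round(100.0 * u.used / u.total, 1)


def check_filesystems(mounts: Iterable[str], threshold_pct: float = UTILIZATION_THRESHOLD_PCT,
                      usage: Callable[[str], float] = fs_utilization) -> FsResult:
    """PASS/FAIL per mount; MISSING when the path does not exist on this host."""
    results: FsResult = {}
    for m in mounts:
        try:
            pct = usage(m)
        except FileNotFoundError:
            results[m] = ("MISSING", None)
            continue
        results[m] = ("FAIL" if pct >= threshold_pct else "PASS", pct)
    return results


def port_listening(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connect to host:port succeeds, i.e. something is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def check_ports(ports: Iterable[int], host: str = "127.0.0.1") -> Dict[int, str]:
    return {p: ("PASS" if port_listening(host, p) else "CLOSED") for p in ports}


def go_no_go(fs: FsResult, ports: Dict[int, str]) -> bool:
    """Go only if no mount is FAIL or MISSING and every expected port is listening."""
    return (all(state == "PASS" for state, _ in fs.values())
            and all(state == "PASS" for state in ports.values()))


def self_check() -> Dict[str, object]:
    """Exercise the checks against a listener opened here on loopback (constructed, offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        open_port = listener.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as spare:
            spare.bind(("127.0.0.1", 0))
            closed_port = spare.getsockname()[1]   # released on exit, so nothing listens there
        ports = check_ports([open_port, closed_port])
    # Threshold above 100% so the root check can only exercise the PASS path here;
    # the second path does not exist and exercises the MISSING path.
    fs = check_filesystems(["/", "/no/such/mount"], threshold_pct=101.0)
    return {"open": open_port, "closed": closed_port, "ports": ports, "fs": fs,
            "go": go_no_go({"/": fs["/"]}, {open_port: ports[open_port]})}


if __name__ == "__main__":
    fs = check_filesystems(NODE0_MOUNTS)
    ports = check_ports(EXPECTED_PORTS)
    for m, (state, pct) in fs.items():
        print(f"{state:8} {m} {'' if pct is None else str(pct) + '%'}")
    for p, state in ports.items():
        print(f"{state:8} port {p}")
    print("GO" if go_no_go(fs, ports) else "NO-GO")
```

A MISSING partition is treated as a failure on purpose: on a NetWitness host the three paths are expected to be separate mounts, and a path that resolves to nothing usually means the check is running on the wrong node or the mount did not come up.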
Unified Discovery and Interaction of Investigate Metadata- Analysts have a unified way to interact with metadata presented in the Events view to perform actions or review contextual information.
Analysts can perform actions and view the context data for a selected meta in the same window or a separate window that will enable the display of data in an optimized manner, and easily carry out further investigation.
Free-form Query Preference- With the new preference, analysts can choose to split the free-form queries into multiple guided filters or a single free-form query. Analysts can switch the modes using the Free Form Split checkbox.
Light Theme Overhaul – The primary and secondary colors of the existing light theme have been enhanced to provide better contrast and shading for an improved user experience.
Capabilities for Detecting Ransomware that Use the Registry
Endpoint agents can detect ransomware that uses the registry to perform actions such as forcing Windows machines to reboot in safe mode, encrypting files, and deleting volume shadow copies.
Endpoint Agent Support for macOS Monterey and Windows 11
Endpoint Agents are enhanced to support macOS Monterey (12.0.1) and Windows 11. To view the list of supported operating systems, see Introduction to Endpoint Agent Installation in the NetWitness Endpoint Agent Installation Guide.
Support for Offline or Standalone Scans on Air-gapped Windows Hosts
Administrators can run offline or standalone scans on air-gapped Windows hosts to perform threat analysis on Windows hosts that are disconnected from the network. Administrators download the Offline Scan Configuration file from the UI and run it on one or more air-gapped hosts. The resulting Offline Scan File (the scan results file) is then transferred back and uploaded through the UI to the Endpoint server for processing. See the Standalone Scan on Air-gapped Windows Hosts topic in the NetWitness Endpoint User Guide for more information.
Support for Full System Scan
Analysts can perform a full system scan of the system drive and all fixed drives, in addition to the quick scan of executable files in memory. For more information, see the Scan Hosts topic in the NetWitness Endpoint User Guide.
Redesigned Alerts Tab for Optimized Navigation
Analysts can use the redesigned Alerts tab on the Host details view to conveniently access all alert information and the associated events. For more information, see the NetWitness Endpoint User Guide.
Concentrator, Decoder, and Log Decoder Services
Centralized Configuration Management Enhancements
The enhanced centralized configuration management allows administrators to:
Reconfigure 10G Network Decoders from the Policy UI. Administrators can quickly create 10G policies for each Decoder group based on the hardware profile.
Clone policy from an existing service to save policy transition time for existing users.
Restart only specific services within a service group that require changes. This minimizes potential downtime.
Enhanced Network Decoder to Support Load Balancing Deployments
When a Decoder is shut down, the network interfaces connected to it are shut down automatically, so the load balancer diverts traffic to the other available Decoders. This protects customers from data loss when they use load balancers to distribute traffic across several Decoders. For more information, see the Configure the Decoder Capture Failover in Load Balance Deployments topic in the Decoder and Log Decoder Configuration Guide.
Event Stream Analysis (ESA)
Enhanced Performance when Retaining Incident Network Data Artifacts
Respond analysts saving artifacts of an incident will notice improved feedback for the tasks running and swifter completion of those tasks.
Analysts can use the new Retention Usage tab to view statistics for all configured services and the percentage of space used by the pinned cache directories.
With this information, the analyst can:
Determine if the disk is running out of space and if additional space needs to be added or the persistence needs to be suspended for the existing events in an incident.
Obtain insights on the space requirements for retention functions.
In Respond > Incidents tab, analyst can click the Retention Usage tab to fetch all the statistics of all the configured services and the percentage used by the pinned cache directories.
Administrators can configure a feed to ignore the case of the values it matches, as part of the feed wizard in the UI. This means the administrator no longer needs to convert the feed into XML format or perform additional steps during deployment. For more information, see Creating a Custom Feed in the Live Services Management Guide.
NetWitness Topology Feature
The following enhancements help administrators and analysts to:
Obtain quick insights using the Search Option– The search option helps locate a specific service, without having to look at the entire hierarchical layout.
View ESA hosts: ESA service and the connected services can be viewed in the hierarchical layout.
Improved error messaging to include the source string and target format when an unrecognized string format exception is generated to help users determine the root cause.
Support for new internal RAID controller (PERC H750) on Series 6 Appliances
The existing internal controller (PERC H740 Mini) on S6 RSA PowerEdge 640/740 based appliances is replaced with the PERC H750. All S6 appliances will ship with the new ISO that supports the PERC H750, and all future S6 appliances and RMA units will have the PERC H750. Before adding a new appliance with a PERC H750 to an existing deployment (for example, 11.7.0.0 or 11.7.0.1), you must first upgrade the Admin Server and Standby Admin Server to version 11.7.0.2 or higher.
The NetWitness 11.7.0.2 release notes provide information about the hardware changes in NetWitness Platform 11.7.
Security Fixes
The Log4j vulnerability in the commonly used open source logging library has been addressed. For more information, see the 11.7.0.1 Release Notes.
Support for new internal RAID controller (PERC H750) on Series 6 Appliances
The existing internal controller (PERC H740 Mini) on S6 RSA PowerEdge 640/740 based appliances is replaced with PERC H750. All S6 appliances from now on will have the new ISO to support PERC H750.
Note: By default, all future S6 appliances and RMA will have PERC H750, so you must upgrade the Admin Server and Standby Admin Server to 11.7.0.2, before adding a new appliance with PERC H750 to your existing 11.7.0.0 or 11.7.0.1 deployment.
Upgrade Paths
The following upgrade paths are supported forNetWitness11.7.0.2:
The NetWitness 11.7.0.1 release notes provide information about the changes in NetWitness Platform 11.7.
Security Fixes
The Log4j vulnerability recently discovered in the commonly used open source logging library has been addressed. This applies toCVE-2021-44228. For more information, see theSecurity Advisoryfor Log4j.
Note: This patch release of NetWitness addresses the log4j vulnerabilities reported to date. The following CVEs were validated and found not to be exploitable:
- CVE-2021-44228
- CVE-2021-44832
- CVE-2021-4104
- CVE-2021-45105
- CVE-2021-45046
NetWitness will continue to monitor this issue for new developments and provide periodic updates.
Note: If you have the Export Connector plugin in your deployment, do the following:
- If Logstash is installed separately (not as part of the NetWitness installation), uninstall the Export Connector plugin and install the updated Export Connector plugin after the 11.7.0.1 patch upgrade. For the installation steps, see Post-Upgrade Tasks.
- If Logstash is installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin is installed automatically during the 11.7.0.1 patch upgrade.
In both cases, the old Export Connector plugin files are not removed automatically after the upgrade. Remove the old plugin files so that vulnerability scans do not report them. For the removal steps, see Post-Upgrade Tasks.
Upgrade Paths
The following upgrade paths are supported forNetWitness11.7.0.1:
As analysts review events, the new compact and expanded metadata views provide an alternative workflow to only view the high-level details of the event and in use cases where no raw data is present.
Improved Broker Query Experience
Analyst queries at the top-level Broker now by default provide partial results when one of the sub-services loses connectivity or times out. In addition, a hierarchical view of what is attached to the Broker is available to analysts to exclude certain sub-services prior to query if necessary.
Email Reconstruction Improvement
Analysts can view the content of all the emails in a single session using the Expand All Emails option on the Email view.
Direct Query Interaction with Meta Keys in Event Filter Panel
Analyst steps to create a query have been streamlined by clicking directly on the meta key name to generate a query with only the meta key. Alternatively, searches with combination of key value pairs are available inside the Event Filter panel without requiring direct interaction with the query bar.
Network Fragment Identification
Analysts can view the related sessions for an event for analysis and investigation by hovering over the icon for the event.
Saved Time Ranges
Analysts can take advantage of the last five recently used time ranges for future searches saving the investigation time. The saved time ranges are displayed under the Recent Time Ranges section.
For more information, see the Investigation User Guide.
Endpoint Investigation
Granular Role Based Access Control for Endpoint Server
With the enhanced RBAC (Role-Based Access Control), administrators can grant or revoke access to specific Endpoint servers rather than to all of them. Two new permissions, endpoint-server.file.analyze and endpoint-server.tag.manage, add flexibility in managing user privileges. For more information on managing permissions for an individual Endpoint server, see the NetWitness Endpoint Configuration Guide.
Some Privileges Moved From endpoint-server.agent.manage to endpoint-server.file.analyze
The Analyze File, Save Local Copy, and Scan with OPSWAT privileges are removed from endpoint-server.agent.manage and added to a new permission called endpoint-server.file.analyze. Roles that relied on endpoint-server.agent.manage for those actions need endpoint-server.file.analyze added after the upgrade. For more information, see the System Security and User Management Guide.
Manage Hosts Using Tags
Analysts can create Tags to manage hosts. Tags are custom text strings (alphanumeric and special characters can be combined) that you create and assign to hosts. You can create host groups based on tags, and on the Hosts view you can filter hosts by tag using the filters pane. Administrators can create and assign tags while generating the agent packager; these tags are added to the hosts by default when the Endpoint agent is installed. For more information on managing tags, see the NetWitness Endpoint User Guide.
Enhanced Windows Agent to Support Detecting the Persistence Techniques Targeting the Registry
The enhanced Windows agent detects persistence techniques that use the Windows registry. The registry monitor is now more reliable at detecting suspicious activity. For more information, see the NetWitness Endpoint User Guide.
Enhanced Suspicious Thread Detection
This enhancement detects and reports suspicious threads more effectively using several detection methods. Analysts retain access to all the details and capabilities related to suspicious threads as before. For more information, see the NetWitness Endpoint User Guide.
Delete Blocked Files Through Elevated Command Prompt
You can delete blocked files on the host using the delete command from an elevated command prompt on the host.
Concentrator, Decoder, and Log Decoder Services
Introduction of Centralized Configuration Management
The management of general NetWitness core services namely Concentrator, Decoder, and Log Decoder configurations can be administered centrally from a single policy-based interface and distributed to multiple services. With centralized configuration management, administrators can:
Create a group of the same service type based on similar hardware profiles or other criteria
Add configuration items to policies in order to customize settings. Any setting that is not in the policy is left at its default
Apply customized settings to any number of services in one step
Restart all services within a group to apply changes
View when an action is required, such as a service restart, an unpublished policy, or an out-of-compliance service, as indicated by the icon.
Revert changes to a policy or group quickly
For more information, see the Host and Services Getting Started Guide.
Enhanced Query Accuracy
An optional index configuration is available on a per meta key basis to extend the default key-value search into an N-gram layout. In addition to enabling query and reporting capabilities, this combination provides complete and accurate search results, even if the key's maximum value threshold has been met.
For more information, see N-grams in the Core Database Tuning Guide.
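To make the difference between the two layouts concrete, here is an added example that is not NetWitness's code: a simplified Python model of a capped key-value index beside an N-gram index over the same meta values. The per-key cap, the trigram length, and the sample hostnames are assumptions for the example; NetWitness's actual on-disk index format is not described here.

```python
"""Added example (not NetWitness's index implementation): a simplified model of
the two index layouts. The value index stores each distinct value once, up to a
per-key maximum (modelled after a valueMax-style cap); values past the cap are
still stored in the session but not indexed, so queries for them miss sessions.
The N-gram index stores fixed-length substrings instead, so its size is bounded
by the alphabet rather than by the number of distinct values, and substring
queries stay complete."""
from collections import defaultdict

N = 3  # trigram layout; the gram length is an assumption, not a NetWitness setting


def _grams(value, n=N):
    value = value.lower()
    if len(value) < n:
        return {value}          # a value shorter than a gram is kept whole
    return {value[i:i + n] for i in range(len(value) - n + 1)}


class ValueIndex:
    """Default key-value index with a cap on distinct values per key."""

    def __init__(self, value_max):
        self.value_max = value_max
        self.postings = defaultdict(set)   # value -> session ids
        self.dropped = 0                   # sessions whose value was not indexed

    def add(self, session_id, value):
        value = value.lower()
        if value not in self.postings and len(self.postings) >= self.value_max:
            self.dropped += 1              # cap reached: stored, but not findable by index
            return
        self.postings[value].add(session_id)

    def query_contains(self, needle):
        needle = needle.lower()
        return {sid for v, sids in self.postings.items() if needle in v for sid in sids}


class NGramIndex:
    """N-gram index: postings per gram, plus the stored values for verification."""

    def __init__(self, n=N):
        self.n = n
        self.postings = defaultdict(set)   # gram -> session ids
        self.values = {}                   # session id -> original value (the session data)

    def add(self, session_id, value):
        self.values[session_id] = value
        for g in _grams(value, self.n):
            self.postings[g].add(session_id)

    def query_contains(self, needle):
        needle = needle.lower()
        if len(needle) < self.n:
            # too short to form a full gram: any gram containing it is a candidate
            candidates = set()
            for g, sids in self.postings.items():
                if needle in g:
                    candidates |= sids
        else:
            candidates = None
            for g in _grams(needle, self.n):
                sids = self.postings.get(g, set())
                candidates = sids if candidates is None else candidates & sids
                if not candidates:
                    return set()
        # grams only yield candidates; verify against the stored value to drop false positives
        return {sid for sid in candidates if needle in self.values[sid].lower()}


# Constructed sample: one hostname meta value per session id.
SESSIONS = [
    (1, "dc01.corp.example"), (2, "web01.corp.example"), (3, "web02.corp.example"),
    (4, "db01.corp.example"), (5, "mail01.corp.example"), (6, "vpn-gw.corp.example"),
]


def compare(sessions, needle, value_max):
    """Index the sessions both ways and run one substring query against each."""
    vi, ni = ValueIndex(value_max), NGramIndex()
    for sid, val in sessions:
        vi.add(sid, val)
        ni.add(sid, val)
    truth = {sid for sid, val in sessions if needle.lower() in val.lower()}
    return {"value_index": vi.query_contains(needle),
            "ngram_index": ni.query_contains(needle),
            "truth": truth, "dropped": vi.dropped}


if __name__ == "__main__":
    for needle in ("db01", "corp", "web"):
        print(needle, compare(SESSIONS, needle, value_max=3))
```

With a cap of three distinct values, the last three hostnames are never indexed, so a value-index search for db01 returns nothing even though the session exists, while the trigram index finds it and still agrees with the value index wherever the value index is complete.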
Event Stream Analysis (ESA)
Enhancements for persisting Events and Incidents
Analysts can persist the events included in an incident, so that the incident can be viewed in the future regardless of its age. Analysts can:
Pin or unpin multiple events at an incident and alert level
View details on when the events were persisted.
Check the status of the persisted events, whether it is Completed, Partial, or None.
Administrators can set up permissions for users to persist raw data associated with a particular incident.
For more information, see the Respond User Guide.
Platform
Backup and Restore Improvements
A new NetWitness Recovery Wrapper tool is introduced to centrally back up and restore individual or multiple hosts. This tool allows custom files to be incorporated in restorations and handles all supported deployment installations (Physical, Virtual, and Cloud).
With NetWitness Recovery Tool administrators can:
Back up (export) an individual host, a specific set of hosts, or all hosts at a time
Restore (import) an individual host at a time
Customize files or folders during backup and restore
Copy backup data to remote host location from NetWitness hosts and vice versa
For more information, see the "Disaster Recovery (Back Up and Restore)" topic in the NetWitness Recovery Tool User Guide for NetWitness.
Upgrades
Introduction of Pre-Upgrade Check Utility
A new health-check utility is introduced for administrators to analyze the current NetWitness setup and identify conditions that may impact the upgrade. If any issues are detected, the issues can be resolved before proceeding with the upgrade.
The pre-upgrade check verifies the following:
Security Client File Check - Ensures the security-client-amqp.yml file is not present
Node-0 NW Service-id Status - Ensures all service IDs are intact for the services on Node 0
Broker Service Trustpeer Symlink - Ensures the Broker symlink under /etc/netwitness/ng/broker/trustpeers/ is not broken
Node-0 NW Services Status - Checks the status of all services on Node 0
Yum External Repo Check - Ensures no external yum repositories are configured
RPM DB Index Check - Checks whether the RPM database is corrupted
Salt Master Communication - Verifies Salt communication from Node 0 to all other nodes
Node-0 Certificates Check - Checks whether any certificates are missing, expired, or invalid
For more information, see the Upgrade Guide for NetWitness 11.7.
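The checks above are easy to reproduce for a lab environment or a dry run ahead of the official utility. The following Python script is an added example and is not NetWitness's pre-upgrade check utility; it implements the stale-file, symlink, yum repository and service status checks with every path and unit name parameterised so the checks can run against a test tree. The trustpeers directory is the one named above; the location of security-client-amqp.yml, the nwbroker unit name, and the nw repository prefix are assumptions.

```python
"""Added example, not NetWitness's pre-upgrade utility: a small pre-upgrade
checker modelled on the checks listed in the release notes. Every check returns
(name, passed, detail) so results can be collected and reviewed before upgrading."""
import configparser
from pathlib import Path


def check_file_absent(path):
    """Security Client File check: a stale file must not exist (a dangling
    symlink counts as present)."""
    p = Path(path)
    present = p.exists() or p.is_symlink()
    return ("file-absent", not present,
            f"{p} is absent" if not present else f"{p} is present; remove it before upgrading")


def check_symlinks_resolve(directory):
    """Trustpeer Symlink check: every symlink in the directory must resolve."""
    d = Path(directory)
    if not d.is_dir():
        return ("symlinks-resolve", False, f"{d} is missing")
    broken = [str(p) for p in d.iterdir() if p.is_symlink() and not p.exists()]
    return ("symlinks-resolve", not broken,
            "all symlinks resolve" if not broken else f"broken symlinks: {broken}")


def check_no_external_repos(repo_dir, allowed_prefix="nw"):
    """Yum External Repo check: every enabled repo section must carry our prefix.
    .repo files are INI-style, and yum treats a missing 'enabled' as enabled."""
    external = []
    for repo_file in sorted(Path(repo_dir).glob("*.repo")):
        cfg = configparser.ConfigParser(interpolation=None)
        cfg.read(repo_file)
        for section in cfg.sections():
            enabled = cfg.get(section, "enabled", fallback="1").strip() == "1"
            if enabled and not section.startswith(allowed_prefix):
                external.append(f"{repo_file.name}:[{section}]")
    return ("no-external-repos", not external,
            "no external repos enabled" if not external else f"external repos enabled: {external}")


def check_services_active(expected, status_of):
    """Node-0 Services Status check. status_of(unit) returns the unit state; in
    production wrap `systemctl is-active`, here it is injected so the check runs offline."""
    down = [unit for unit in expected if status_of(unit) != "active"]
    return ("services-active", not down,
            "all services active" if not down else f"not active: {down}")


def run_checks(checks):
    """Run zero-argument callables; return (all_passed, results)."""
    results = [check() for check in checks]
    return all(ok for _, ok, _ in results), results


if __name__ == "__main__":
    import functools
    import subprocess

    def systemd_status(unit):
        return subprocess.run(["systemctl", "is-active", unit],
                              capture_output=True, text=True).stdout.strip()

    # The trustpeers path is from the release notes; the stale-file location,
    # the nwbroker unit name and the repo prefix are assumptions for this example.
    passed, results = run_checks([
        functools.partial(check_file_absent, "/etc/netwitness/security-client-amqp.yml"),
        functools.partial(check_symlinks_resolve, "/etc/netwitness/ng/broker/trustpeers/"),
        functools.partial(check_no_external_repos, "/etc/yum.repos.d"),
        functools.partial(check_services_active, ["nwbroker"], systemd_status),
    ])
    for name, ok, detail in results:
        print(f"[{'PASS' if ok else 'FAIL'}] {name}: {detail}")
    raise SystemExit(0 if passed else 1)
```

The script exits non-zero if any check fails, so it can gate an automated upgrade job; the service check takes its status function as an argument so the same code can be exercised against recorded unit states without systemd.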
NetWitness Services
Introduction of NetWitness Service Topology Map
A view of the hierarchical layout of all NetWitness core services depicting the collection and aggregation of services provides administrators and analysts quick insights into their deployment and the services that are online or offline. This topology displays only the Broker, Concentrator, Log Decoder, Packet Decoder, Hybrids, and Log Collector services.
Note: Reporting Engine, Malware Analysis, UEBA, Endpoint Server, Cloud Link service, and Warehouse Connectors are not supported.
In the compact view, the Event Filter panel and Event meta labels are optimized to display the maximum amount of information on a single page, so analysts can investigate with less scrolling. The label and icon sizes on the Event Filter panel are optimized so that meta keys and values are displayed on the same line.
Timeline Options
Analysts can now view the timeline for an event by clicking the icon. By default, the timeline is enabled for all events.
For more information, see the Investigate User Guide.
User Entity Behavior Analytics
Alert Feedback Enhancement
Analysts can mark the status of multiple alerts as Not a Risk or None; None clears a previous Not a Risk judgement. Multiple alerts grouped by date can be selected to perform this action. When the status is updated, the alert's contribution to the score changes automatically: if an alert is marked Not a Risk, the score is reduced, and if the status is set back to None, the score increases. For more information, see the UEBA User Guide.
Endpoint Investigation
Support for OPSWAT Scans
Analysts can perform threat detection with multiple anti-malware engines simultaneously through OPSWAT (MetaDefender Core). Executable files (PE, Macro, Script, ELF) are automatically sent to the OPSWAT server for scanning. Analysts receive alerts if a file is found Infected or Suspicious (Critical severity for Infected and High severity for Suspicious files). The risk score also increases for the file and the corresponding host, helping analysts respond to threats quickly. For more information on how to use OPSWAT within the NetWitness Platform, see the NetWitness Endpoint User Guide. For more information on how to configure OPSWAT on endpoint servers, see the NetWitness Endpoint Configuration Guide.
Create groups with Machine OU as a filter
Analysts can use Machine Organizational Unit (Machine OU) as a filter while creating groups on the Admin > Endpoint Sources > Groups view. Filtering hosts by Machine OU saves time and effort, as it is more effective than using IPv4 addresses or domain names in an environment with thousands of agents.
Extended Agent Support for macOS Big Sur (version 11) on M1
NetWitness Endpoint agents now support macOS Big Sur on both M1 and Intel. For more information, see the NetWitness Endpoint Agent Installation Guide.
Automatic download of memory DLL files
Analysts can now investigate memory DLL files in detail. All memory DLL files detected during a scan are automatically downloaded to the server, regardless of file size.
Added agent folder protection in the driver
In NetWitness Platform version 11.6.1 and higher, the files inside the agent folder are protected from delete, rename, and modify operations. This protection prevents malware from locking files inside the agent folder to block the sending of tracking data.
Event Stream Analysis (ESA)
Optionally Persist Incident Artifacts
You can persist events that are associated with particular incidents, thereby enabling you to view the incident in the future, regardless of its age. You can also add a new journal entry in the JOURNAL tab for the persisted events for future reference. The event data will always be available for viewing and reconstruction as long as the event is persisted, enabling you to easily refer back to details, even if the original event has rolled over from the NetWitness database.
Once you persist an event, the data is copied from the NetWitness database into a long-term storage cache within the data source. The persisted events are saved in the directory /var/netwitness/pin-<servicetype> by default. You can change the event storage location from the default directory to any other directory as required. For more information, see the Respond User Guide.
Log Collection
Trusted Authentication for NetWitness Export Connector
Trusted authentication lets you authenticate with the existing aggregation certificates when configuring NetWitness Export Connector. This eliminates the need to enter credentials (username and password) manually and avoids storing passwords locally.
Support for Logstash Keystore from UI
Logstash keystore management lets you securely store and maintain (add, edit, or delete) secret values, such as keys and passwords, through the NetWitness Platform UI. The stored keys are referenced during Logstash pipeline configuration.
This eliminates the need to create or update credentials manually on the Log Decoder or Virtual Log Collector using the Logstash keystore CLI commands. For more information, see the Log Collection Guide.
Reports
View Creator Information
The Created By column has been added to the Reports List page. This column enables you to view and analyze the ownership information of all the reports that exist in the system, which includes new, copied, and imported reports. When a report is exported, the owner details are retained. However, when a report is copied, the owner of the report changes to the user who created the copy. For more information, see the Reporting User Guide.
Note: When you upgrade from a previous version to NetWitness Platform Release 11.6.1, the Created By column does not display the ownership information for the reports that exist prior to the upgrade.
The RSA NetWitness Platform 11.6.0.1 release notes provide information about the changes in NetWitness Platform 11.6.
GPG Key Changes
The GPG Signing for NetWitness has changed for releases beyond 11.6.0.0. In order to upgrade to 11.6.0.1 release, you must first upgrade to a version that is signed by the old GPG key but contains the new GPG key. For more information, see GPG Key Change in NetWitness Platform Beyond 11.6.0.0.
Upgrade Paths
The following upgrade paths are supported for NetWitness Platform 11.6.0.1:
The new faceted search layout of the default Events view makes interacting with large amounts of data collected from the enterprise a more familiar experience and efficient workflow. By combining the functions of the Navigate and Event views, analysts can apply filters by interacting with any metadata generated by the platform which in turn creates the query and automatically executes a search to fetch the resulting events.
Organize Investigate Content (Column groups, Meta groups and Query Profiles)
All Investigate content is displayed in a folder structure to help analysts organize their views depending on use cases. The RSA Groups (RSA Live content and RSA OOTB groups), and Shared group folders are available to all analysts. All Private groups, folders and sub-folders are displayed only to the analysts who created them. You can create, edit, copy, and delete Shared and Private folders and sub-folders.
Deliver Investigate Content (Column groups, Meta groups and Query Profiles) using RSA Live
Investigate content can be deployed using RSA Live, providing updates outside the NetWitness release cycle. Analysts can now use the latest Investigate content to focus their view of the data on specific use cases. All RSA-generated content is now contained in an RSA-specific folder.
Multiple values
When investigating a list of events, an analyst can see that an event has multiple values for a meta key in that specific session. A hover indicator shows the list of values, which can be investigated further without having to drill into the reconstruction of the event.
Direct Free-form query or text search
To create a blank free-form filter immediately, an advanced user can select “Click to start a free form query” from the Advanced Options panel. In the same manner, an analyst can choose “Click to start a text search” to create a new text search. In both cases, the analyst bypasses the auto-completion logic and saves time in composing the query.
Query filter enhancements
When a query is added in the Events view, the selected filter has a red highlighted border so the analyst knows which filter is selected. When you edit a filter, the border turns blue to indicate that input is still required before focus moves away from the query input.
Custom Column group enhancements
Metadata such as custom.logdata, defined in Legacy Events or in the OOTB Summary List column group, can be used to include the raw log as a custom column alongside additional metadata. A list of recommended meta keys that contain data is displayed. An analyst can create custom column groups using the summary and raw log (custom.logdata) meta keys.
Column Group Meta Key Recommendations
While reviewing query results in the Events table with a selected column group, analysts have the option to view recommended columns that may have data for those events but are not part of the current column group. These suggested meta keys help analysts to have the best column groups applied so that no relevant data is missed for the events displayed.
Investigate Screen Layout Options
A new user preference allows analysts to choose between a Compact or Expanded format, which controls the row spacing of the Event table on a single page. The following image is an example of the Event Preference view with the Compact view selected.
Meta Panel Enhancements
The meta panel on the Events investigation page has been enhanced with a Hide Duplicate Entries radio button that limits the display to unique key-value pairs. A filter field is also introduced so analysts can search and filter by meta key or value.
IndexNone Meta keys
As analysts create meta groups with multiple meta keys, the Open option is disabled for all non-indexed meta keys to avoid adverse effects on query performance.
Reconstruction Enhancements (view content and copy option)
The pagination of the Text tab has been enhanced to make it more obvious when there is further content available than can be displayed on a single page. Also, if required analysts can copy selected content to the clipboard using keyboard shortcut (in addition to menu option) for further investigation.
Search Indicator
When analysts run a free-text search, a message is displayed at the top of the Events page to make it clear that only indexed metadata is being searched. This message contains a link that helps extend the search beyond what is indexed if the analyst needs to search more extensively. When the maximum search limit has been reached, a message is displayed at the bottom to indicate that no more results are available.
Investigate Timeout Setting
The Extraction timeout setting helps an administrator to increase or decrease the time available to retrieve the required sessions or events or files from Investigate. This can be configured by navigating to Admin > System > Investigation > Common Settings.
A new and enhanced dotted chart is introduced in version 11.6. The dotted chart provides analysts with an entity's baseline values over time, to better understand the context of the modeled behavior and, in the case of an indicator, the anomaly. In version 11.6, the pie chart is replaced with the dotted chart to give analysts additional visibility into the entity's activity over time. For more information, see the NetWitness UEBA User Guide.
Incident Response
Respond Persist Data (BETA)
Analysts and administrators can pin events that are associated with particular incidents, so that the evidence related to an incident can be viewed in the future. Once you pin an event, its data is copied from the regular database into a long-term storage cache within the data source. Event retention depends on the available space in the directory (10 GB is allotted by default). Rollover in the meta database does not affect events already saved in the pin directory. The BETA version has the limitation that pinned events cannot be downloaded; this will be enabled in a subsequent release.
For more information, see Respond Persist Data in the NetWitness Respond User Guide.
Endpoint Investigation
Support for YARA scans
YARA provides analysts with rule-based detection for identifying and classifying malware. You can write malware descriptions, called YARA rules, that are robust in detecting malware. Downloaded files are automatically scanned against the rules at regular intervals, and a file's risk score increases if it matches any rule, helping analysts respond to a threat quickly. For more information, see the NetWitness Endpoint User Guide. To learn how to enable and configure YARA, see the NetWitness Endpoint Configuration Guide.
Centralized agent upgrade options using UI
Administrators can now upgrade selected or all agents from the UI, making NetWitness agent management much easier. For more information, see the NetWitness Endpoint Agent Installation Guide.
Centralized agent uninstall options using UI
Administrators can uninstall selected agents or all agents easily from the UI. Bulk uninstall can be performed without selecting any hosts. This enhancement saves time and lets you focus more on responding to threats. To qualify for bulk uninstall, the agents must be on version 11.5.1 or later. For more information, see the NetWitness Endpoint Agent Installation Guide.
Support for Saving Local Copies of Multiple Downloaded Files
Analysts can now perform detailed investigations and forensics quickly and easily by saving local copies of downloaded files such as system dumps, process dumps, and MFTs.
Support to Download MFT From Any Windows Drive
Analysts can now download the MFT for any drive, including NTFS mount paths. This helps analysts perform investigation, analysis, and forensics on files beyond the system volume.
Expanded Lateral Movement Visibility
The Windows agent is enhanced to report executable write events on the target machine when files are copied to network shares. Analysts now have deeper visibility into lateral movement activity on Windows involving files copied to network shares.
Support for Forwarding Windows/File Logs to Custom Systems
Administrators can now collect the Windows and File logs on a non-VLC system by forwarding them to a custom system.
New rules added to detect Persistence tactic
New rules have been added to the Endpoint rules bundle to detect threats that follow the Persistence tactic. When such a threat is detected, these rules will trigger alerts and increase the risk score.
Broker, Concentrator, Decoder, and Log Decoder Services
Assembler Threading Modes
To increase the throughput at which a Decoder can analyze data, the assembler, the process that reassembles captured packets into streams, now performs further parallel processing. You can customize assembler operation using its two modes, configured by setting assembler.threading.enabled to on or off. The default is off. The on mode enables higher throughput because each assembler instance runs on a dedicated processor.
The assembler modes work only when Multi Adapter Packet Capture is enabled. For more information on Multi Adapter Packet Capture and Assembler Modes, see the (Optional) Multiple Adapter Packet Capture topic in the Decoder and Log Decoder Configuration Guide.
High Speed Packet Capture
You can now analyze network data (packets) from higher-speed networks and optimize your Network Decoder to capture network traffic at up to 40 Gbps. To make clear which capabilities are supported at each network speed, the Decoder now operates in one of three modes:
Normal: For capture speeds less than 5 Gbps with large amounts of deep packet inspection while storing network sessions. This is the default mode.
10G: For capture speeds up to 10 Gbps with medium amounts of deep packet inspection while storing network sessions.
NDR: For capture speeds greater than 10 Gbps but less than 40 Gbps with small amounts of deep packet inspection while only storing metadata.
Decoder now detects and decompresses Brotli payloads during HTTP/HTTPS session parsing. Brotli is a data format specification that compresses data streams with a specific combination of the general-purpose LZ77 lossless compression algorithm, Huffman coding, and second-order context modeling. Brotli encoding is supported by most web browsers, major web servers, and some CDNs.
To enable Brotli decompression, perform the following steps:
Decoder can identify applications using OpenAppID detectors, generating new metadata (app.id) that helps analysts identify the application in a session. OpenAppID from Cisco is an application-layer network security plug-in for Snort (an open-source network intrusion detection system): a set of open-source Lua libraries (detectors) that identify applications in network traffic.
To increase the throughput at which a Decoder can analyze data, the session creation pipeline is enhanced to use Receive Side Scaling (RSS). RSS distributes network receive processing efficiently across multiple CPUs in multiprocessor systems and ensures that the processing associated with a given connection stays on its assigned CPU. RSS is supported only on DPDK devices using the ixgbe or i40e device drivers.
Simultaneous Ingestion of the Encrypted and Decrypted Traffic Streams to Decoder
A Decoder with the multi-adapter capture and multi-thread assembler features enabled can receive encrypted and decrypted streams of the same traffic when they arrive on separate adapters. This supports the use case where both the encrypted and decrypted versions of the same traffic traverse the same Decoder. The multi-thread assembler feature lets the Decoder assemble packets from the corresponding capture work thread, keeping packets from encrypted and decrypted sessions separate during assembly to avoid inaccuracies in session parsing and content extraction.
For more information, see the Decrypt Incoming Packets topic in the Decoder and Log Decoder Configuration Guide.
Trusted Authentication for Aggregation Hosts
When configuring aggregation connections, you can use trusted authentication instead of service account credentials. Trusted authentication reduces administrator overhead by eliminating the need to manage service account password changes.
Note that changing the authentication method requires the device to be offline. Also, once you switch to trusted authentication, you cannot switch back to logging in with user credentials.
Event Stream Analysis (ESA)
Support for Meta Entities
Meta Entities provide a way to link similar meta keys together. Once defined, an entity can be used the same way as a key, so analysts can use it as a regular key to reach multiple, similar concepts. From release 11.6, meta key entities are configured as part of the event schema, and string[] meta key entities can be enabled. Analysts can create rules and configure alerts based on the selected meta key entities, and meta entities can be added when creating rules. The meta entities retrieve data from the data sources to trigger alerts.
For more information, see NetWitness ESA Alerting User guide.
Import and Edit Position Tracking Information
When you deploy a data source, by default, ESA starts processing information from the latest available session. Position tracking information enables the administrator to visualize the progress of the sessions that ESA has processed and provides information on the session IDs and the time or date when the events were processed.
The edit function enables you to visualize the number of sessions that a particular ESA data source analyzes after you edit the position tracking, review the number of processed sessions, and plan your work. To edit position tracking information, see Editing Position Tracking Information.
The import function enables you to migrate the settings of position tracking for one or more data sources at the same time from an existing deployment. To import position tracking information, see Importing Position Tracking Information.
While working with data sources, you can use trusted authentication to perform tasks, instead of logging in with the admin credentials. You need not log in using your admin credentials, every time you want to access the data sources.
For more information, see Trusted Authentication in the NetWitness Getting Started Guide.
Support for Detect AI
Detect AI has been added as an alert source in the Respond view. It captures the alerts from the cloud based user behavior analytics to create incidents from alerts.
You can filter the alerts list to show the alerts of interest using filters such as, alert name, alert source, and specific time range.
You can remove redundant dashboards (dashboards that are not owned, not shared, and duplicate default dashboards) by enabling the dashboard cleaning job.
NetWitness Platform 11.6 introduces the ability to add any RESTful API data source to Context Hub.
REST API allows analysts to query third-party applications by providing a meta value as a query parameter and rendering results in the Context Hub Panel in real-time. The results can be rendered in JSON or HTML format depending on the preference and capabilities of the third-party application. An analyst can now gain additional context about IPs, users, hosts, or files faster during an investigation without requiring them to leave the NetWitness Platform.
Improvements to Context Highlighting
Some additional configurations are introduced to the Context Highlighting feature to make the capability more usable and efficient in specific environments. Administrators can now configure specific Context Hub sources (For example, specific lists, Respond, Endpoint, and so on) for context highlighting. If the context highlighting is disabled for a Context Hub source, analysts can view results from all sources while opening the Context Panel for a meta value, but the values are not highlighted in the Investigate > Navigate, Event, and Respond views. Administrators can also disable the context highlighting globally for all sources.
In 11.5, the NetWitness Output Codec for Logstash was introduced, making Logstash integrations possible with a customer-managed Logstash server. From 11.6 onwards, the Logstash server is packaged and supported along with the NetWitness Log Collector or Virtual Log Collector (VLC) service to provide easy access to Logstash. This is referred to as Managed Logstash and it eliminates the need for a separate Logstash server outside of the NetWitness Platform.
You can create Logstash pipelines (for example beats, export connector and so on) in the Event Sources tab within the Log Collector service. The custom category allows for a fully-custom Logstash pipeline configuration.
The following is an example of Logstash Event Source.
A new Data Export tab is added to the Decoder or Log Decoder configuration view. It lists the available Log Collector services in your environment. Once you select a Log Collector service, you can configure the Export Connector in the Event Sources tab.
Also, new stats for both legacy Health and Wellness and New Health and Wellness are introduced to monitor the health and throughput of each Logstash pipeline. A Logstash Input Plugin Overview dashboard is added to showcase the new stats.
JSON Mapping Usability Improvements - In the tree view of a JSON sample, the corresponding RAW node or Mapping entry is highlighted when either is selected if the match exists. The highlighting indicates whether a match is successful in the current sample; that is, the value should parse correctly, including the node path and any DataType or RegEx.
Custom Regex for JSON mappings - For fine-parsing JSON values (for example, ip:port), the user can create a custom RegEx pattern for each mapping within the UI. Multiple values (captures) can be extracted and assigned to separate meta keys.
Import or Export for custom UI Rules (Dynamic Rules or JSON mappings) - Custom Dynamic Rules and JSON mappings that are created in the UI can now be easily imported or exported right from the UI. This enables customers to develop parse rules in one environment (For example, Lab) and move them to another (For example, Production).
Note: Import or Export for custom UI rules does not export or import any "parser.XML" or "parser_custom.XML" that correspond to the Parse Rules.
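As an added example, not NetWitness's parser code, the following Python models the JSON mapping concepts described above: a node path, a target meta key, an optional custom RegEx whose captures fan out into several meta keys (the ip:port case), a DataType check, a per-mapping match status of the kind the highlighting conveys, and a JSON export/import of the mapping table. The sample event, the mapping table, the DataType names and the meta key names are constructed for the example.

```python
"""Added example, not NetWitness's Log Parser / JSON mapping implementation: a
minimal model of a JSON mapping table. Each mapping names a JSON node path and
either a single target meta key or a regex whose named groups are assigned to
separate meta keys. evaluate() reports, per mapping, the status the UI
highlighting conveys for a sample: matched, no-node, regex-mismatch or bad-type."""
import json
import re

# Assumed DataType names for this example (not NetWitness's schema).
DATATYPES = {"Text": str, "UInt16": int, "UInt32": int}
RANGES = {"UInt16": (0, 65535), "UInt32": (0, 2 ** 32 - 1)}

# Constructed sample event, as a JSON log source might emit it.
SAMPLE_EVENT = json.loads('''{"event": {"action": "allow", "src": "10.1.2.3:51544",
  "dst": "203.0.113.9:443", "user": "alice", "bytes": "70000"}}''')

ENDPOINT_RE = r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})$"

# Constructed mapping table; group names map to meta keys because Python group
# names cannot contain dots.
MAPPINGS = [
    {"path": "event.action", "meta": "action"},
    {"path": "event.src", "regex": ENDPOINT_RE,
     "captures": {"ip": "ip.src", "port": "port.src"}, "types": {"port.src": "UInt16"}},
    {"path": "event.dst", "regex": ENDPOINT_RE,
     "captures": {"ip": "ip.dst", "port": "port.dst"}, "types": {"port.dst": "UInt16"}},
    {"path": "event.user", "meta": "user.src"},
    {"path": "event.bytes", "meta": "bytes", "types": {"bytes": "UInt32"}},
    {"path": "event.missing", "meta": "unused"},   # deliberately absent: shows a no-node status
]


def get_node(event, path):
    """Walk a dotted node path; return (found, value)."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def cast(value, datatype):
    """Convert a string to the DataType, enforcing integer ranges."""
    v = DATATYPES.get(datatype, str)(value)
    bounds = RANGES.get(datatype)
    if bounds and not bounds[0] <= v <= bounds[1]:
        raise ValueError(f"{value!r} out of range for {datatype}")
    return v


def evaluate(mapping, event):
    """Apply one mapping to one event; return (status, metas)."""
    found, raw = get_node(event, mapping["path"])
    if not found:
        return "no-node", {}
    raw = str(raw)
    if "regex" in mapping:
        m = re.match(mapping["regex"], raw)
        if not m:
            return "regex-mismatch", {}
        pairs = [(meta, m.group(group)) for group, meta in mapping["captures"].items()]
    else:
        pairs = [(mapping["meta"], raw)]
    metas = {}
    try:
        for key, val in pairs:
            metas[key] = cast(val, mapping.get("types", {}).get(key, "Text"))
    except ValueError:
        return "bad-type", {}
    return "matched", metas


def parse(event, mappings):
    """Run the whole table; return (metas, per-path status report)."""
    metas, report = {}, {}
    for mp in mappings:
        status, m = evaluate(mp, event)
        report[mp["path"]] = status
        metas.update(m)
    return metas, report


def export_mappings(mappings):
    """Mappings are plain data, so export is JSON; parser XML is not part of it."""
    return json.dumps(mappings, indent=2)


def import_mappings(text):
    return json.loads(text)


if __name__ == "__main__":
    metas, report = parse(SAMPLE_EVENT, MAPPINGS)
    print(metas)
    print(report)
```

Running the table against the sample splits event.src into ip.src and port.src, flags the absent event.missing node, and would report bad-type for a port above 65535, which is the kind of mismatch the highlighting is meant to surface before a rule is exported to production.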
Licensing
Introducing License Usage Dashboard
A new license dashboard is introduced in New Health & Wellness to manage licenses efficiently. This dashboard provides insights on the license usage of all the Throughput licenses in your deployment. Administrators can do the following on this dashboard:
Track daily license usage for individual hosts
Track daily usage of Throughput licenses for all the hosts in your deployment
NetWitness Platform versions 11.5.1 to 11.6 include fixes to the metrics used for reporting Network (Packet) Throughput usage. License metrics include the overall network traffic analyzed and the raw network data stored after analysis. Your Network Throughput license usage may therefore increase, which may cause license violation banners in some situations. The out-of-compliance notification for Network Throughput licenses has been adjusted to delay the license violation banner by 45 days. For more information, see the Licensing Management Guide.
Platform
Support for Third Party Server Hardware
This allows you to run NetWitness Platform on any third-party server hardware. The kickstart wizard provides a list of available block devices and prompts you to select the device on which to install the OS and the NetWitness Platform application. For more information, see the Installation Tasks topic in the Physical Host Installation Guide.