What's New in 12.1.0.0

The NetWitness 12.1.0.0 release provides new features and enhancements for every role in the Security Operations Center.

Upgrade Paths

The following upgrade paths are supported for NetWitness 12.1.0.0

  • NetWitness 11.6.0.0 to 12.1.0.0

  • NetWitness 11.6.0.1 to 12.1.0.0

  • NetWitness 11.6.1.0 to 12.1.0.0

  • NetWitness 11.6.1.1 to 12.1.0.0

  • NetWitness 11.6.1.2 to 12.1.0.0
  • NetWitness 11.6.1.3 to 12.1.0.0
  • NetWitness 11.6.1.4 to 12.1.0.0
  • NetWitness 11.7.0.0 to 12.1.0.0
  • NetWitness 11.7.0.1 to 12.1.0.0
  • NetWitness 11.7.0.2 to 12.1.0.0
  • NetWitness 11.7.1.0 to 12.1.0.0
  • NetWitness 11.7.1.1 to 12.1.0.0
  • NetWitness 11.7.1.2 to 12.1.0.0
  • NetWitness 12.0.0.0 to 12.1.0.0

For more information on upgrading to 12.1.0.0, see Upgrade Guide for NetWitness 12.1.0.0

Warning: Before upgrading the UEBA host to 12.1.0.0, you must perform the backup of your Elasticsearch data such as Users, Entities, Alerts, and Indicators to retain them post upgrade. For more information, see NetWitness UEBA Configuration Guide for 12.1.0.0.

Security Fixes

For more information on Security Fixes, see https://community.netwitness.com/t5/netwitness-platform-advisories/ct-p/netwitness-advisories#security.

Product Version Life Cycle for NetWitness PlatformProduct Version Life Cycle for NetWitness Platform

See for Product Version Life Cycle for NetWitness Platform a list of versions that reach End of Primary Support (EOPS).

EnhancementsEnhancements

The following sections are a complete list and description of enhancements to specific capabilities:

To locate the documents that are referred to in this section, see https://community.netwitness.com/t5/netwitness-platform-online/netwitness-platform-all-documents/ta-p/676246.

The Product Documentation section has links to the documentation for this release.

Policy-based Centralized Content Management

The following enhancements are made for Policy-based Centralized Content Management in 12.1.0.0 version.

  • Administrators can create and upload content to the Content Library easily by:

    • Importing log parsers as a zip file instead of converting to ".envision" format.

    • Cloning existing Application Rules and Network Rules.

      netwitness_12.1_ccmclone.png

  • Administrators can switch services between legacy Content Management UI and the new Centralized Content Management via Groups and Policies using the "toggle" feature. This can prevent content being mistakenly added or modified outside of a Policy, causing an out-of-sync issue.

    • Each service can be toggled to work either with individual "Service or Config" interface or with Content Policies.

    • Toggling on Content Policy for a service will restrict the legacy UI to "read only" mode.

  • Administrators can now force publish all the content of a policy in two ways:

    • Policy Listing > More Actions > Force Publish

      netwitness_12.1_ccmforcepublish2.png

    • Policy Details > Force Publish

      netwitness_12.1_ccmforcepublish.png

  • Administrators can easily find content, policies or groups of interest by using the "Filtering" capability of the UI in Content Library, Policy Listing page, Policy Details page, and Group Listing page.

    netwitness_12.1_ccmfilter.png

    netwitness_12.1_ccmfilter2.png

    netwitness_12.1_ccmfilter3.png

  • Administrators can receive meta key and operator suggestions while creating application and network rule conditions. This eases the creation of error-free rules. Administrators can also opt for 'Advanced mode' to create complex queries.

  • Addressed an issue where the Content Policy UI was not usable without an active connection to Live.

    • Administrators can now create, modify and publish policies and manage custom content in the Content Library even without an internet connection.

    • An Internet connection is still required in order to synchronize Live content with the Content Library.

  • Administrators can now manage ESA contents from the netwitness_configure_icon_15x13.png (Configure) > Policies page:

    • Manage ESA content and handle multiple deployments seamlessly using Policy.

      netwitness_esadeployment_1727x755.png

    • One-click management of subscriptions and automatic updates for ESA content.

      • Toggle the Subscribe button to enable automatic updates of ESA content.

        netwitness_esa_sub_1705x794.png

    • Seamlessly view ESA Live content along with your own custom content.

    • Add and manage ESA Correlation servers as part of groups.

    • Manage all the data sources for the ESA Correlation servers from the Settings > Event Stream Analysis > Data Sources page seamlessly.

      netwitness_esa_datsource_1773x595.png

      For more information, see Policy-based Centralized Content Management topic in the Live Services Management Guide.

Respond

The Respond view is enhanced to help analysts export and store the Incidents with Alerts and Events in JSON format for offline investigation.

Incidents List View EnhancementsIncidents List View Enhancements

The new Export drop-down is added to allow analysts export and download the data such as fields or attributes associated with Alerts and Events of the selected Incidents.

netwitness_orgnl_alerts_norm_alerts.png

You can export data of a maximum of ten incidents at a time. Once the data download is in progress, you can select a different set of ten incidents and export their data simultaneously. You can repeat this action until the condition max-user-tasks, which is the maximum limit set for exporting the incidents data in the Respond service under rsa.respond.incident.exports is met.

For more information, see Escalate or Remediate the Incident topic in the NetWitness Respond User Guide.

User Interface

The following section describes the new enhancements for the NetWitness user interface:

NetWitness User Interface EnhancementsNetWitness User Interface Enhancements

  • The 12.1.0.0 release includes the new NetWitness corporate logo. You can view the new logo in NetWitness Platform XDR, which updates the identity of NetWitness as a trusted brand.

  • As part of the repositioning, we are renaming our product as NetWitness Platform XDR. This change aims to simplify communications and improve our customers' understanding of how each product secures and protects within the NetWitness portfolio.

    netwitness_xdrplatform.png

    netwitness_reports_1484x691.png

Endpoint Investigation

Initiate YARA Scans at the Endpoint Agent Level

Analysts can initiate YARA scans at the endpoint agent level by selecting one or multiple endpoint agents.

For more information, see the NetWitness Endpoint User Guide.

Enhanced Process Tree View for Endpoint Alerts on Respond

The Process Tree view on the Respond > Alerts > Endpoint Alerts > Alert details page is enhanced with the new File Actions tab next to Investigate Timeline. With this enhancement, analysts can quickly save a local copy of the selected file, download it to the server, or block it.

netwitness_process_tree_view_file_actions.png

For more information, see the NetWitness Endpoint User Guide.

Concentrator, Decoder, and Log Decoder Services

Log Parsing:

  • Several new Format Types are added to DataType and VARTYPE elements for log parsing.

    • Format type duration can parse duration values in seconds using dateTime format specifiers.

    • Format type convert can perform several common conversion tasks as follows:

      • Format type convert Domain can normalize web domains which appear in "(3)www(7)example(3)com" formats to produce "www.example.com".

      • Format type convert Bytes can convert integer values between Bytes, KB, MB and GB.