The NetWitness 126.96.36.199 release provides new features and enhancements for every role in the Security Operations Center.
The Log4j vulnerability recently discovered in the commonly used open source logging library has been addressed. This applies to CVE-2021-44228. For more information, see the Security Advisory for Log4j.
Note: This patch release of NetWitness addresses the log4j vulnerabilities reported to date. The following CVEs were validated and found to be not exploitable.
NetWitness will continuously monitor this issue for new developments and provide periodic updates.
Note: If you have the Export Connector plugin in your deployment, you must do the following:
- If you have Logstash installed separately, not as part of the NetWitness installation, you must uninstall the Export Connector plugin and install the updated Export Connector plugin after the 188.8.131.52 patch upgrade. For more information on installing the updated plugin, see Post-Upgrade Tasks in the Upgrade Guide for 184.108.40.206.
- If you have Logstash installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin will be automatically installed during the 220.127.116.11 patch upgrade.
In both of the above cases, the old Export Connector plugin files are not automatically removed after the upgrade. You must remove the old plugin files so that vulnerability scans do not list them. For more information on how to remove the old plugin files, see Post-Upgrade Tasks in the Upgrade Guide for 18.104.22.168.
The following upgrade paths are supported for NetWitness 22.214.171.124:
- NetWitness 126.96.36.199 to 188.8.131.52
- NetWitness 184.108.40.206 to 220.127.116.11
- NetWitness 18.104.22.168 to 22.214.171.124
- NetWitness 126.96.36.199 to 188.8.131.52
- NetWitness 184.108.40.206 to 220.127.116.11
- NetWitness 18.104.22.168 to 22.214.171.124
- NetWitness 126.96.36.199 to 188.8.131.52
- NetWitness 184.108.40.206 to 220.127.116.11
- NetWitness 18.104.22.168 to 22.214.171.124
- NetWitness 126.96.36.199 to 188.8.131.52
For more information on upgrading to 184.108.40.206, see Upgrade Guide for RSA NetWitness Platform 220.127.116.11
The following sections are a complete list and description of enhancements to specific capabilities:
- Investigation - SIEM and Network Traffic Analysis
- Endpoint Investigation
- Concentrator, Decoder, and Log Decoder Services
- Event Stream Analysis (ESA)
- Configuration Updates
Pre-stage the upgrade repo to minimize downtime
Administrators can pre-stage the upgrade repository by downloading the required packages (.zip) without affecting the system. This minimizes the upgrade downtime and ensures the upgrade is completed within the planned time. The Pre-Stage Host option is available in the NetWitness UI and requires the NetWitness Server Host to be connected to Live Services. For more information, see the Hosts and Services Maintenance Procedures topic in the Hosts and Services Getting Started Guide.
Note: You can use this feature only if you upgrade from 18.104.22.168 to a higher version.
Support for Additional Pre-Upgrade Check Utility
An additional health-check utility is introduced for Administrators to analyze the current NetWitness setup and identify conditions that may impact the upgrade. If any issues are detected, they can be resolved before proceeding with the upgrade.
The pre-upgrade check verifies the following:
- (Component Hosts) Node X Service Status - Verifies the status of services (Active or Inactive) on all Node X hosts.
- (Component Hosts) Node X Certificates Check - Checks for expired, missing, or corrupted certificates and issuer mismatches in all certificate categories on Node X.
- CPU-Memory Info - Provides CPU and memory details along with the real-time available memory.
- (Admin Server) Node 0 File System Utilization - Verifies the disk partition utilization of /var/netwitness/mongo, /var/netwitness, and root on Node 0.
- (Component Hosts) Node X File System Utilization - Verifies the disk partition utilization of /var/netwitness/mongo, /var/netwitness, and root for ESA Primary, Endpoint Log Hybrid, and UEBA services on Node X.
- Mongo File (ESA Primary) - Locates the ESA Primary node in the system and verifies the permission mode of the mongo file.
- Orchestration Server Normal Mode - Checks whether the orchestration service is running in normal or safe mode.
- (Admin Server) Node 0 Init Status - Checks for any issues that might cause the init process to fail.
- (Admin Server) Node 0 Closed Ports - Checks whether the service ports required by NetWitness services are open and listening on Node 0.
- (Component Hosts) Node X Closed Ports - Checks whether the service ports required by NetWitness services are open and listening on Node X.
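The following is an added example, not NetWitness's pre-upgrade utility, showing how three of the checks listed above (file-system utilization of the named partitions, certificate expiry, and listening ports) can be implemented as small, testable functions. The usage and expiry thresholds are assumptions; the paths are the ones named in the list.

```python
"""Minimal pre-upgrade style health checks (added example, not NetWitness code)."""
import datetime as dt
import shutil
import socket
from typing import Dict, List, Tuple

# Partitions named in the release notes' file-system utilization checks.
PARTITIONS = ["/var/netwitness/mongo", "/var/netwitness", "/"]
USAGE_LIMIT_PCT = 80.0   # assumed threshold, not NetWitness's documented value
CERT_WARN_DAYS = 30      # assumed threshold, not NetWitness's documented value


def utilization_findings(usage: Dict[str, Tuple[int, int]],
                         limit: float = USAGE_LIMIT_PCT) -> List[str]:
    """usage maps mount point -> (used_bytes, total_bytes); returns one finding per over-limit mount."""
    findings = []
    for mount, (used, total) in usage.items():
        pct = 100.0 * used / total if total else 0.0
        if pct > limit:
            findings.append(f"{mount}: {pct:.1f}% used exceeds {limit:.0f}%")
    return findings


def live_usage(mounts=PARTITIONS) -> Dict[str, Tuple[int, int]]:
    """Collect (used, total) bytes for each listed mount that exists on this host."""
    out = {}
    for m in mounts:
        try:
            st = shutil.disk_usage(m)
            out[m] = (st.used, st.total)
        except FileNotFoundError:
            pass  # partition absent on this host type; skip it
    return out


def certificate_findings(certs: Dict[str, str], today: str,
                         warn_days: int = CERT_WARN_DAYS) -> List[str]:
    """certs maps certificate name -> notAfter date 'YYYY-MM-DD'; flags expired and soon-to-expire ones."""
    now = dt.date.fromisoformat(today)
    findings = []
    for name, not_after in certs.items():
        remaining = (dt.date.fromisoformat(not_after) - now).days
        if remaining < 0:
            findings.append(f"{name}: expired {-remaining} days ago")
        elif remaining < warn_days:
            findings.append(f"{name}: expires in {remaining} days")
    return findings


def port_is_listening(port: int, host: str = "127.0.0.1") -> bool:
    """True when something accepts TCP connections on host:port (a 'closed ports' style check)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(1.0)
        return s.connect_ex((host, port)) == 0
```

Run `utilization_findings(live_usage())` on a host to get the live disk findings; the certificate and port helpers take their inputs from whatever inventory you already keep.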
For more information, see Upgrade Guide for NetWitness 22.214.171.124.
Investigation - SIEM and Network Traffic Analysis
Unified Discovery and Interaction of Investigate Metadata - Analysts have a unified way to interact with metadata presented in the Events view to perform actions or review contextual information.
- Analysts can perform actions and view the context data for a selected meta value in the same window or in a separate window, which displays the data in an optimized manner and makes further investigation easier.
- In the Overview and Event Meta panels, analysts can use the right-click and left-click options to open the unified panel or run a query on a selected meta value.
Free-form Query Preference - With the new preference, analysts can choose to split the free-form queries into multiple guided filters or a single free-form query. Analysts can switch the modes using the Free Form Split checkbox.
Light Theme Overhaul - The primary and secondary colors of the existing light theme in the UI have been enhanced to provide better contrast and shading for an improved user experience.
For more information, see the Investigate User Guide.
Endpoint Investigation
Capabilities for Detecting Ransomware that Use the Registry
Endpoint agents can detect ransomware that uses the registry to perform actions such as forcing Windows machines to reboot in safe mode, encrypting files, and deleting volume shadow copies.
Endpoint Agent Support for macOS Monterey and Windows 11
Endpoint Agents are enhanced to support macOS Monterey (12.0.1) and Windows 11. To view the list of supported operating systems, see Introduction to Endpoint Agent Installation in the NetWitness Endpoint Agent Installation Guide.
Support for Offline or Standalone Scans on Air-gapped Windows Hosts
Administrators can execute offline or standalone scans on air-gapped Windows hosts to perform threat analysis on Windows hosts that are disconnected from the network. Administrators can download the Offline Scan Configuration file from the UI and execute it on multiple air-gapped hosts. The resulting Offline Scan File (scan results file) can then be transferred to the UI and uploaded to the Endpoint server for processing. See the Standalone Scan on Air-gapped Windows Hosts topic in the NetWitness Endpoint User Guide for more information.
Support for Full System Scan
Analysts can perform a full system scan of system drives and all fixed drives, in addition to the quick scan of executable files in memory. For more information, see the Scan Hosts topic in the NetWitness Endpoint User Guide.
Redesigned Alerts Tab for Optimized Navigation
Analysts can use the redesigned Alerts tab in the Host details view to conveniently access all alert information and the associated events. For more information, see the NetWitness Endpoint User Guide.
Concentrator, Decoder, and Log Decoder Services
Centralized Configuration Management Enhancements
The enhanced centralized configuration management allows administrators to:
- Reconfigure 10G Network Decoders from the Policy UI. Administrators can quickly create 10G policies for each Decoder group based on the hardware profile.
- Clone a policy from an existing service to save policy transition time for existing users.
- Restart only the specific services within a service group that require changes. This minimizes potential downtime.
For more information, see the Hosts and Services Getting Started Guide.
Enhanced Network Decoder to Support Load Balancing Deployments
When you shut down the Decoders, the network interfaces connected to the Decoders are automatically shut down, and the load balancers divert the traffic to other available Decoders. This enhancement protects customers from data loss when they use load balancers to distribute traffic among several Decoders. For more information, see the Configure the Decoder Capture Failover in Load Balance Deployments topic in the Decoder and Log Decoder Configuration Guide.
Event Stream Analysis (ESA)
Enhanced Performance when Retaining Incident Network Data Artifacts
Respond analysts saving artifacts of an incident will notice improved feedback for the tasks running and swifter completion of those tasks.
Analysts can use the new Retention Usage tab to view the statistics of all configured services and the percentage of space used by the pinned cache directories.
With this information, analysts can:
- Determine whether the disk is running out of space and whether additional space needs to be added or persistence needs to be suspended for the existing events in an incident.
- Obtain insights into the space requirements of retention functions.
In the Respond > Incidents tab, analysts can click the Retention Usage tab to fetch the statistics of all configured services and the percentage of space used by the pinned cache directories.
Configuration Updates
Feed Case Sensitivity
Administrators can configure a feed to ignore the case of the values it matches, as part of the feed wizard in the UI. This allows the administrator to avoid converting the feed to XML format or performing additional steps during deployment. For more information, see Creating a Custom Feed in the Live Services Management Guide.
NetWitness Topology Feature
The following enhancements help administrators and analysts to:
- Obtain quick insights using the Search option - The search option helps locate a specific service without having to look through the entire hierarchical layout.
- View ESA hosts - The ESA service and its connected services can be viewed in the hierarchical layout.
For more information, see the Hosts and Services Getting Started Guide.
Backup and Restore CLI Improvements
Administrators can take advantage of the following improvements:
- Back up Mongo databases for Endpoint and ESA instances.
- Include the Broker index for the NetWitness node on which the Broker service is running.
- Back up custom files and folders provided by the user.
For more information, see the Recovery Tool User Guide.
Better Error Handling for Core Services Messages
Error messages now include the source string and the target format when an unrecognized string format exception is generated, to help users determine the root cause.
Support for new internal RAID controller (PERC H750) on Series 6 Appliances
The existing internal controller (PERC H740 Mini) on S6 RSA PowerEdge 640/740 based appliances is replaced with the PERC H750. All S6 appliances will have the new ISO to support the PERC H750, and all future S6 appliances and RMA units will ship with the PERC H750. Before adding a new appliance with a PERC H750 to your existing deployment (for example, 126.96.36.199 or 188.8.131.52), you must first upgrade the Admin Server and Standby Admin Server to version 184.108.40.206 or higher.