What's New 

The NetWitness release provides new features and enhancements for every role in the Security Operations Center.

Security Fixes

The Log4j vulnerability recently discovered in the commonly used open source logging library has been addressed. This applies to CVE-2021-44228. For more information, see the Security Advisory for Log4j.

Note: This patch release of NetWitness addresses log4j vulnerabilities reported till date. The following CVEs were validated and found to be not exploitable.
- CVE-2021-44228
- CVE-2021-44832
- CVE-2021-4104
- CVE-2021-45105
- CVE-2021-45046
NetWitness will continuously monitor this issue for new developments and provide periodic updates.

Note: If you have the Export Connector plugin in your deployment, you must do the following:
- If you have Logstash installed separately, not as part of the NetWitness installation, you must uninstall the Export Connector plugin and install the updated Export Connector plugin after patch upgrade. For more information to install the updated plugin, see Post-Upgrade Tasks on the Upgrade Guide for
- If you have Logstash installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin will be automatically installed during the patch upgrade.

In both the above cases, the old Export Connector plugin files are not automatically removed after upgrade. You must remove the old plugin files, so the scans do not list them as vulnerabilities. For more information on how to remove the old plugin files, see see Post-Upgrade Tasks on the Upgrade Guide for

Upgrade Paths

The following upgrade paths are supported for NetWitness

  • NetWitness to
  • NetWitness to
  • NetWitness to
  • NetWitness to
  • NetWitness to
  • NetWitness to
  • NetWitness to
  • NetWitness to
  • NetWitness to
  • NetWitness to

For more information on upgrading to, see Upgrade Guide for RSA NetWitness Platform


The following sections are a complete list and description of enhancements to specific capabilities:

To locate the documents referred to in this section, go to the NetWitness Platform 11.x - All Documents. Product Documentation has links to the documentation for this release.


Pre-stage the upgrade repo to minimize downtime

Administrators can pre-stage the upgrade repository by downloading the required packages (.zip) without affecting the system. This minimizes the upgrade downtime and ensures the upgrade is completed within the planned time. The Pre-Stage Host option is available on the NetWitness UI and requires the NetWitness Server Host to be connected to Live Services. For more information, see Hosts and Services Maintenance Procedures topic in the Hosts and Services Getting Started Guide.

Note: You can use this feature only if you upgrade from to a higher version.

Support for Additional Pre-Upgrade Check Utility

Additional health-check utility is introduced for Administrators to analyze the current NetWitness setup and identify conditions that may impact the upgrade. If any issues are detected, the issues can be resolved before proceeding with the upgrade.

The pre-upgrade check verifies the following:

  • (Component Hosts) Node X Service Status - Verifies the status of services (Active or In Active) on all the Node X.

  • (Component Hosts) Node X Certificates Check - Checks the certificate expiry, missing, corrupted, and issuer mismatch in all categories of Node X.

  • CPU-Memory Info - Provides CPU and Memory details along with the real-time available memory.

  • (Admin Server) Node 0 File System Utilization - Verifies the disk partition utilization of /var/netwitness/mongo, /var/netwitness and root on Node 0.

  • (Component Hosts) Node X File System Utilization - Verifies the disk partition utilization of /var/netwitness/mongo, /var/netwitness and root for ESA Primary, Endpoint Log Hybrid, and UEBA services on Node X.

  • Mongo File (ESAPrimary) - Checks the ESA Primary node in the system and verifies the permission mode of mongo file.

  • Orchestration Server Normal Mode - Checks if the orchestration service is running in normal or safe mode.

  • (Admin Server) Node 0 Init status - Checks if there are any issues that might fail init process.

  • (Admin Server) Node 0 closed ports - Checks if the service ports required for NetWitness services are open and listening on Node 0.

  • (Component Hosts) Node X closed ports - Checks if the service ports required for NetWitness services are open and listening on Node X.

    For more information, see Upgrade Guide for NetWitness

Investigation - SIEM and Network Traffic Analysis

Investigation Enhancements

Unified Discovery and Interaction of Investigate Metadata - Analysts have a unified way to interact with metadata presented in the Events view to perform actions or review contextual information.

    • Analysts can perform actions and view the context data for a selected meta in the same window or a separate window that will enable the display of data in an optimized manner, and easily carry out further investigation.


For more information, see the Use Columns and Column Groups in the Events List topic in Investigate User Guide.

  • In the Overview and Event Meta panel, analysts can use the right and left click options to view the unified panel or run a query on a selected meta.


For more information, see the Use Columns and Column Groups in the Events List topic in Investigate User Guide.


Free-form Query Preference - With the new preference, analysts can choose to split the free-form queries into multiple guided filters or a single free-form query. Analysts can switch the modes using the Free Form Split checkbox.


Light Theme Overhaul – The existing light theme primary and secondary colors on the UI has been enhanced to provide better contrast and shading for improved user experience.

For more information, see the Investigate User Guide.

Endpoint Investigation

Capabilities for Detecting Ransomware that Use the Registry

Endpoint agents can detect ransomware that uses the registry to perform actions such as forcing Windows machines to reboot in safe mode, encrypting files, and deleting volume shadow copies.

Endpoint Agent Support for macOS Monterey and Windows 11

Endpoint Agents are enhanced to support macOS Monterey (12.0.1) and Windows 11. To view the list of supported operation systems, see Introduction to Endpoint Agent Installation on the NetWitness Endpoint Agent Installation Guide.

Support for Offline or Standalone Scans on Air-gapped Windows Hosts

Administrators can execute offline or standalone scans on air-gapped Windows hosts to perform threat analysis on the Windows hosts disconnected from the network. Administrators can download the Offline Scan Configuration file from UI and execute it on multiple air-gapped hosts. Then, the Offline Scan File(scan results file) can be transferred to the UI and uploaded to the Endpoint server for processing. See Standalone Scan on Air-gapped Windows Hosts topic on NetWitness Endpoint User Guide for more information.


Support for Full System Scan

Analysts can perform a full system scan on system drives and all fixed drives in addition to the quick scan of executable files in memory. For more information, see Scan Hosts topic on NetWitness Endpoint User Guide.


Redesigned Alerts Tab for Optimized Navigation

Analyst can use the redesigned alerts tab to conveniently access all alert information and the associated events for optimized navigation on Host details view. For more information, see NetWitness Endpoint User Guide.


Concentrator, Decoder, and Log Decoder Services

Centralized Configuration Management Enhancements

The enhanced centralized configuration management allows administrators to:

  • Reconfigure 10G Network Decoders from the Policy UI. Administrators can quickly create 10G policies for each Decoder group based on the hardware profile.

  • Clone policy from an existing service to save policy transition time for existing users.

  • Restart only specific services within a service group that require changes. This minimizes potential downtime.

For more information, see Host and Services Getting Started Guide.

Enhanced Network Decoder to Support Load Balancing Deployments

When you shut down the Decoders, the network interfaces connected to the Decoders are automatically shut down. Then, the load balancers divert the traffic to other available Decoders. This enhancement will protect customers from data loss when they use load balancers to distribute traffic between several Decoders. For more information, see Configure the Decoder Capture Failover in Load Balance Deployments topic on Decoder and Log Decoder Configuration Guide.

Event Stream Analysis (ESA)

Enhanced Performance when Retaining Incident Network Data Artifacts

Respond analysts saving artifacts of an incident will notice improved feedback for the tasks running and swifter completion of those tasks.

Analyst can use the new Retention Usage tab to view the statistics of all configured services and the percentage used by the pinned cache directories.

With this information, the analyst can:

  • Determine if the disk is running out of space and if additional space needs to be added or the persistence needs to be suspended for the existing events in an incident.
  • Obtain insights on the space requirements for retention functions.

In Respond > Incidents tab, analyst can click the Retention Usage tab to fetch all the statistics of all the configured services and the percentage used by the pinned cache directories.



For more information, see Escalate or Remediate the Incident topic the Respond User Guide.

Configuration Updates

Feed Case Sensitivity

Administrators can configure to ignore the case sensitivity of values a feed uses as part of the feed wizard in the UI. This allows the administrator to avoid converting the feed into an XML format or perform additional steps during deployment. For more information, see Creating a Custom Feed in the Live Services Management Guide.

NetWitness Topology Feature

The following enhancements help administrators and analysts to:

  • Obtain quick insights using the Search Option – The search option helps locate a specific service, without having to look at the entire hierarchical layout.

  • View ESA hosts: ESA service and the connected services can be viewed in the hierarchical layout.


For more information, see the Hosts and Services Getting Started Guide.


Backup and Restore CLI Improvements

Administrators can take advantage of the following improvements:

  • Back up Mongo databases for Endpoint and ESA instances.

  • Include Broker index for NetWitness node in which Broker service is running.

  • Back up custom files and folders provided by user.

For more information, see the Recovery Tool User Guide.

Better Error Handling for Core Services Messages

Improved error messaging to include the source string and target format when an unrecognized string format exception is generated to help users determine the root cause.

Support for new internal RAID controller (PERC H750) on Series 6 Appliances

The existing internal controller (PERC H740 Mini) on S6 RSA PowerEdge 640/740 based appliances are replaced with PERC H750. All S6 appliances will have the new ISO to support PERC H750. All future S6 appliances and RMA will have PERC H750. Before adding a new appliance with PERC H750 to your existing deployment (For example, or, you must first upgrade the Admin Server and Standby Admin Server to version or higher.