NetWitness is pleased to announce the general availability of NetWitness Platform 12.3. This release contains features to enhance visibility into remote workers and cloud infrastructures with SASE integration, network asset discovery and ranking through NetWitness Insight, multiple new log integrations, enhanced threat detection and response capabilities, and continued security updates.
NetWitness Platform 12.3 includes the following notable enhancements.
Visibility:
- SASE Integrations – Available in preview mode, this new integration with major SASE vendors provides further network visibility for NetWitness Network (NDR) customers. Previously limited to logs, these integrations deliver original network traffic to NetWitness, providing analysts with deep visibility and detection for SASE remote communications. Please contact your account representative to get a preview.
- Splunk Integrations – Bidirectional workflow allows data flow between NetWitness and Splunk for additional context and increased efficiency.
- Zscaler ZIA/ZPA logs Integrations – Collect and parse Zscaler ZIA/ZPA logs to gain visibility into remote user and network activity across a Zscaler SASE infrastructure.
- AWS AppFabric Integration - NetWitness has always led the way in extending visibility to new technology and solutions. As a launch partner for AWS AppFabric, NetWitness empowers customers to use this simplified, standardized method of securing new and existing AWS apps.
- FluentD Integration – Extends monitoring to additional, previously inaccessible log types by ingesting them through the Logstash FluentD plugin.
- Log Integrations – NetWitness supports Azure Kubernetes, Symantec Data Center and Jamf Protect integrations for security, system and audit logs ingestion to gain increased visibility across cloud workloads and endpoints.
- IIS File Collection – Simplify endpoint log collection and increase visibility into Windows IIS logs.
Detection:
- NetWitness Insight – Passive network asset discovery that automatically finds, prioritizes, and detects enterprise assets and tracks changes to them over time. It gives analysts complete visibility into the assets to be defended and ranks those assets so that the priority and criticality of an investigation can be decided quickly, directing attention to the risks that matter most.
- Endpoint Remote Shell to Windows Agents – Analysts gain granular, shell-level access to Windows endpoint agents to take faster remediation actions.
- Advanced Endpoint Linux Agent – Analysts now have increased visibility into Linux process event activity, as well as file event collection, to detect threats on Linux machines.
- Block Known File Hashes – Improved analyst workflow and response action by allowing bulk import of file hashes for endpoint agents to block.
- Alert Generation from Core – Adds support for generating alerts directly from Core services using application rules, for improved efficiency.
Analysis:
- Investigation Interactive Timeline – Reduces the time analysts need to build a query by letting them construct it from an interactive visual timeline.
- Investigation Advanced Query Input – Allows analysts to drill deeper with guided advanced query functionality and improves overall investigation capabilities.
- Alerting and Reporting – Ability to turn investigation queries into actionable alerts and reports with streamlined workflows.
- Meta Settings Panel – The new Meta Settings Panel gives analysts further control over the number of sessions they want to investigate.
- Alert Whitelisting – Analysts and Administrators can whitelist non-suspicious endpoint alerts to reduce future alert fatigue.
Administration:
- Policy-Based Centralized Content Management – Centralized Content Management (CCM) simplifies administration and saves time by adding support for automatic migration of content from Core services and for associating that content with a policy that can be applied to a group of devices. CCM can be enabled or disabled for individual services. In addition, CCM can manage ESA rules and deployments, with options for fast deployment.
- Service Topology Export – Admins can not only view detailed network relationship maps between the different aggregating services, they can also export those relationships as JSON for reporting and integration.
- Storage Compression using Zstandard – Zstandard (zstd) compression improves storage efficiency, allowing longer data retention on the same storage.
- Support for Multiple UEBA Servers – Administrators can deploy multiple UEBA servers in their environment for load balancing and increased control.
Security:
- Security updates – Addresses latest security vulnerabilities reported against various libraries used by the product.
To learn more about the new features and enhancements in the NetWitness Platform 12.3 release, watch the following video:
https://www.youtube.com/watch?v=h6GsYn4ckmw&t=13s
Please refer to NetWitness Platform 12.3 Release Notes for cipher changes and other update instructions.
For additional documentation, downloads, and more, visit the NetWitness Platform page on RSA Link.