NetWitness is pleased to announce the general availability of NetWitness Platform 12.4.1 This release contains features to enhance further visibility, threat detection, response capabilities, and critical security patches for vulnerabilities reported.

NetWitness Platform 12.4.1 includes the following notable enhancements.

Decoder

Improved Packet Decoder Parsing with Maximum Parse Limit Per Protocol      

NetWitness Platform optimizes the Packet Decoders for the most effective detection and investigation, balancing high performance with depth of visibility.

Administrators can now change the scanning depth limit depending on the detected protocol. Additionally, different parse.bytes.max for each protocol can be set to focus on parsing and generating metadata for more valuable sessions.

Improved Packet Decoder Parsing with Maximum Parse Limit Step Function    

NetWitness Platform allows parsers to constantly step through a session as tokens are found on a protocol basis to optimize generating meta in appropriately valuable sessions.  The Step Scan enables the scan engine to continue scanning from the position of the last token found for the specified number of bytes. This process repeats each time a token is found and continues until the scan reaches the end of the stream or there are no more tokens. Administrators can optimize specific parsing traffic further into a session to get better visibility for protocols more prone to extensive sessions with potential threats.

Introduction of Meta Keys to Track Bytes Scanned per Session

NetWitness Platform has introduced two new meta keys to track the number of bytes scanned per session. These meta keys are scanned.client and scanned.server, which keeps track of the scanned bytes for the client and server streams. Administrators can review the progress of a session scan and compare it to the set parse limit and session size. This setting is disabled by default, but it can be turned on by ensuring that the parser ScannerAnalytics is enabled. These meta are indexed as UInt64 types with level IndexKeys, so all regular queries relating to integers are applicable.

User and Entity Behavior Analytics (UEBA)

Deprecation of JA3 Entity from UEBA

NetWitness no longer supports JA3 as an entity for UEBA, starting from version 12.4.1. This change is implemented because JA3 is identified as an unreliable client identification method. The effectiveness of JA3 fingerprinting in determining the true identity of clients is no longer accurate due to the adoption of client TLS extension randomization. With randomization, a single client can have numerous JA3 fingerprints instead of just one. This makes it difficult for UEBA to accurately distinguish between normal and malicious activity.

Event Stream Analysis (ESA) 

Event Stream Analysis (ESA) Disaster Recovery Failover 

• The NetWitness Platform enables administrators to perform smooth failovers with minimal processes and tools involved in the entire design, making it easier for the clients to minimize downtime during service interruptions. Administrators can set up an ESA Primary Standby node in the event of a disaster or unplanned outage of the original active ESA Primary node. Recovery involves switching from the active ESA Primary node to the ESA Primary Standby node by taking Mongo and configuration backups of the active ESA Primary system and restoring them to the ESA Primary Standby with the required configurations to ensure uninterrupted access to ESA correlation and context hub services. The new ESA Primary Standby node should be configured with its unique IP and host details, ensuring a seamless setup process that is not hindered by prior configurations.

Insight

Improved Network Assets Identification and Classification

This release introduces improvements to the NetWitness Analytics network asset identification process to ensure accurate classification and reduce misconfigurations.

• If users are running Port Scanners in their environment, it is important to remember that these Port Scanners can generate significant traffic. Such traffic could impact the NetWitness Analytics and result in misclassification of servers as clients, affecting enterprise network exposure, peer network exposure rankings, asset category, and detection accuracy for each asset. To prevent network asset misclassification, contact NetWitness Customer Support and provide them with the list of Port Scanner IPs. Your information will be used by NetWitness Analytics to improve asset identification and classification.
• If users do not follow the RFC 1918 standard and use a different standard to define their internal IP addresses, NetWitness Analytics may not recognize them correctly. As a result, some internal assets may be classified as external assets or vice versa. To avoid this issue, contact NetWitness Customer Support and provide them with your internal IP ranges. Your information will be used by NetWitness Analytics to improve asset identification and classification.

Log Integrations

The NetWitness Platform supports the integration of the following event sources to collect and parse logs:

• Crowdstrike Falcon
• Cisco FMC
• Nozomi Networks

Security Updates 

Addresses the latest security vulnerabilities reported against various libraries the NetWitness Platform uses, including CVE-2023-46604 and CVE-2023-50868.

NetWitness Cloud 

To learn more about new SaaS features and cloud hybrid enhancements in NetWitness Cloud releases, go to: 

• For UEBA Cloud, see https://docs.netwitness.com/netwitnessueba/release_information/whats_new/
• For Insight, see https://docs.netwitness.com/netwitnessinsight/release-information/insight_whatsnew

Please refer to NetWitness Platform 12.4.1 Release Notes for detailed information about new features, enhancements, Known Issues, and Build Numbers.

For additional documentation, downloads, and more, visit the NetWitness Platform page on NetWitness Community.

For more information about online help, Community Forum, and Advisories, visit https://community.netwitness.com.