NetWitness is pleased to announce the general availability of NetWitness Platform 12.4
This release contains features that further enhance visibility, threat detection, and response capabilities, along with critical security patches for reported vulnerabilities.
NetWitness Platform 12.4 includes the following notable enhancements.
Upgrade
- Alma OS Migration - Red Hat announced that CentOS Linux 7 will reach end of life (EOL) on June 30, 2024. To address this change, NetWitness Platform now runs on AlmaLinux. When you upgrade to NetWitness 12.4, you are automatically migrated from CentOS 7.9 to AlmaLinux 8.9. The NetWitness Platform 12.4 upgrade follows the same process as previous upgrades; no additional procedure is required for the move to AlmaLinux. One key benefit of the AlmaLinux 8.9 migration is that it is fully automated and requires no manual intervention.
AlmaLinux provides several key benefits and new features. It ships with a pre-upgrade tool that helps administrators discover and mitigate issues before running the upgrade, which saves time and effort, retains control over installed applications, and preserves most configuration information. NetWitness Platform streamlines the upgrade, saves time and resources, and lets administrators keep control over their installed applications and configurations when migrating from CentOS 7.9 to AlmaLinux 8.9.
Investigate
- Interactive Network Parser Creation - In Investigate > Events, users can turn exact patterns they select, or keywords found in the network traffic they review in the text session reconstruction, into a network parser. This streamlined process lets users generate meta that can trigger an incident (for example, a future detection) without knowing how to write a parser by hand. Users can also create a network parser from keywords in the Search Pattern Rule view.
- Option to Download Files with Custom Names - Analysts can now use user-specific names when downloading event files from the Events panel view. Custom names make organizing and managing downloaded event files easier, saving analysts time and effort.
- Download More Sessions than Displayed - Maximum Session Export Limit, a new user preference, is integrated with the Events Preferences panel in the Investigate > Events view. Analysts can use this setting to adjust the number of available sessions for exporting using the Download All option. This enhancement makes the number of exported sessions independent from the number of sessions displayed in the Events table.
Respond
- MITRE ATT&CK® Integration with NetWitness - Introduces more robust integrations with the MITRE ATT&CK framework to guide analysts in making informed decisions. Analysts can view the high-level list of specified tactics, techniques, and sub-techniques, along with their details, and learn how potential threats and vulnerabilities in your environment are associated with the MITRE ATT&CK framework. Analysts can create custom Application Rules and Event Stream Analysis Rules by tagging MITRE ATT&CK Tactics and Techniques. Additionally, you can select MITRE ATT&CK Tactics and Techniques when creating an incident from the Investigate > Events view. This integration allows you to easily reference the ATT&CK framework while investigating and analyzing incidents.
Response Actions
- Response Actions - Response Actions, a new feature in this release, is built to support remediation natively and to let analysts take informed action on critical events. Response Actions enable you to integrate third-party tools with the NetWitness Platform. They are reactive operations performed through a third-party tool on a configured meta key after an event has been triaged. You can find the Response Actions management window at (CONFIGURE) > More > Response Actions.
Insight
- Whitelist Insight Alerts in Respond View - Administrators and analysts can now whitelist unwanted and recurring Insight alerts generated in the Respond > Alerts view. This enhancement provides the ability to select specific values, such as IP Address and Asset Type, and define a Whitelist condition to prevent unwanted alerts from being generated for these values.
User and Entity Behavior Analytics (UEBA)
- Support for Cisco Adaptive Security Appliance (ASA) and Fortinet VPN Devices - NetWitness UEBA introduces support for Cisco ASA and Fortinet VPN devices. With this enhancement, NetWitness UEBA can process Cisco ASA and Fortinet VPN logs, giving you more detailed user activity data to gather and analyze.
- UEBA Performance Improvements
  - Optimized the aggregation and accumulation models to generate and store models in parallel.
  - Optimized the hourly score aggregation tasks to aggregate and score in parallel.
Endpoint Enhancements
- Installed Applications - The Hosts details > System Info view has been enhanced to allow analysts to view the information about the various applications installed on a Windows machine.
- Standalone Scan for Linux Agents - Administrators can execute offline or standalone scans on Linux hosts to perform threat analysis on air-gapped Linux machines.
Concentrator, Decoder, Log Collector, and Archiver Services
- New Utility to Stream Meta From Decoders to Third-Party Tools - Introduced a beta utility that streams meta from network decoders to third-party tools, making it easy to integrate NetWitness Platform with other products. Either all metadata or a subset of it can be streamed, limiting the amount sent to the third-party tool according to the use case.
- Capability to Deprecate the Use of IP Addresses for Basic Authentication - NetWitness has deprecated the use of IP addresses for Windows Collection Basic Authentication. You must now use the FQDN in the Event Source Address and add an entry for the same FQDN in '/etc/hosts' when configuring Basic Authentication.
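A small validator for the new Basic Authentication requirement, added here as an example (not NetWitness code): it rejects an IP-literal Event Source Address, requires a dotted FQDN, and confirms that the same name has an entry in '/etc/hosts'. The '/etc/hosts' content and host names are constructed sample data.

```python
import ipaddress
import re
from typing import Dict, Tuple

# Hostname syntax: at least one dot, labels of letters, digits and hyphens.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{1,63}$",
    re.IGNORECASE,
)

# Constructed /etc/hosts content for the example (not a real host file).
SAMPLE_HOSTS = """127.0.0.1   localhost
# Windows event source used for Basic Authentication collection
10.0.0.5    winsrv01.corp.example winsrv01
"""


def is_ip_literal(value: str) -> bool:
    """True when the address is an IPv4/IPv6 literal (now deprecated)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def hosts_entries(hosts_text: str) -> Dict[str, str]:
    """Map every name (and alias) in an /etc/hosts body to its IP."""
    entries: Dict[str, str] = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            entries[name.lower()] = parts[0]
    return entries


def check_event_source_address(address: str, hosts_text: str) -> Tuple[bool, str]:
    """Validate an Event Source Address against the 12.4 Basic Auth rules."""
    if is_ip_literal(address):
        return False, "IP addresses are deprecated; use the FQDN"
    if not FQDN_RE.match(address):
        return False, "not a fully qualified domain name"
    if address.lower() not in hosts_entries(hosts_text):
        return False, "FQDN has no matching entry in /etc/hosts"
    return True, "ok"
```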
Log Integrations
Supports the integration of the Palo Alto Prisma Access, VMware vSphere, DeepInspect, GCP Windows VM Logs (via GCP Plugin) event sources to collect and parse logs.
Single Sign-On (SSO) Authentication Independent of Active Directory (AD) Configuration in NetWitness
Starting with NetWitness Platform 12.4, NetWitness offers SSO that is independent of the AD configuration in NetWitness. Users are authorized by taking the list of user groups embedded in the SAML authentication token received from ADFS and checking it against the user groups already set up in NetWitness. This eliminates the need to configure, or rely on, Active Directory settings within NetWitness for user authentication. NetWitness now supports both Azure ADFS and Microsoft ADFS.
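To illustrate the group-claim authorization described above, here is an added example (not NetWitness's implementation): it reads the group values from a SAML assertion's AttributeStatement and keeps only those that match groups configured in NetWitness, mapping them to roles. The assertion, the group-to-role table and the claim name ("http://schemas.xmlsoap.org/claims/Group", the ADFS Group claim type) are assumptions for the example; the assertion's signature is taken to have been verified before this step.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim type assumed to carry group membership in the ADFS-issued token.
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample assertion (signature element omitted; verify it first).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0">
  <saml:Subject><saml:NameID>analyst1@corp.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>SOC-Analysts</saml:AttributeValue>
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical groups already defined in NetWitness, mapped to a role.
NETWITNESS_GROUPS: Dict[str, str] = {
    "SOC-Analysts": "Analysts",
    "NW-Admins": "Administrators",
}


def token_groups(assertion_xml: str) -> List[str]:
    """Extract group names from the assertion's group claim, in token order."""
    root = ET.fromstring(assertion_xml)
    groups: List[str] = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != GROUP_CLAIM:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return groups


def authorize(assertion_xml: str, configured: Dict[str, str]) -> List[str]:
    """Return the sorted roles granted by token groups that NetWitness knows.

    Groups present in the token but absent from the configured set (such as
    'Domain Users' in the sample) confer nothing; an empty result means deny.
    """
    groups = token_groups(assertion_xml)
    return sorted({configured[g] for g in groups if g in configured})
```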
Policy-based Centralized Content Management (CCM)
- Introduced the capability to import individual XML files (Log Device content type) into the Content Library. Users can upload either a base parser or its custom extension as an individual XML file. While importing XML files, users can optionally associate them with the corresponding base parser as an extension parser. Base parsers and extension parsers are displayed as separate items in the Content Library, and adding an extension parser to a policy automatically adds the corresponding base parser to that policy.
- CCM is enhanced to re-migrate content from a service even if it has already been migrated and/or assigned to groups and policies. While migrating content from a service that is already associated with a policy, the user can optionally update that policy with the migrated content.
- Enhanced the Policy Details page by introducing a new field Type in the Parsers tab.
- Renamed the LUA Parser tab to the Parser tab under Content Library, Policy List page, Policy Details page, Service Details page, and Policy Wizard.
- While removing a service from the group, users can opt to either delete the content of the service and remove the service or remove the service from the group.
- CCM UI is enhanced by adding the MORE navigation menu to view different tabs.
Please refer to NetWitness Platform 12.4 Release Notes for detailed information about new features, enhancements, Known Issues, and Build Numbers.
For additional documentation, downloads, and more, visit the NetWitness Platform page on RSA Link.
For more information about online help, Community Forum, and Advisories, visit https://community.netwitness.com.