NetWitness Community

NetWitness is pleased to announce the general availability of NetWitness Platform 12.5.0. This release contains features to enhance further visibility, threat detection, response capabilities, and critical security patches for vulnerabilities reported.

NetWitness Platform 12.5 includes the following notable enhancements.

Dashboard

• New Home Pages: NetWitness introduces a new Home page menu that consists of Admin, Analyst, and Manager views. Each home page is comprised of multiple widgets. Administrators, Analysts, and SOC Managers can access the respective widgets that display certain data in graphical form. The data can be associated with Endpoints, Users, Assets, Content, Incidents, Alerts, MITRE ATT&CK, Retention, and many more.

Investigate

• Web Reconstruction from Events View: Analysts can safely reconstruct the web view of the target event from the Events > Web Reconstruction view if a user has visited web pages related to a particular event. NetWitness can reconstruct the same web page by using the data available in packets, displaying the web page, and relating it to the images and CSS styles as accurately as possible. This web reconstruction process enables analysts to gain valuable insights into the web activity performed, facilitating effective analysis and investigation.
• Improved Reconstruction of Events in Web View: A new user preference, Enhance Reconstruction for Web View, has been added to the Events Preferences panel in the Investigate > Events view. This preference is enabled by default for all users. This option improves the reconstruction of websites that reconstruct an event by using CSS, images, and links to format the view effectively, thus allowing analysts to better understand the context and details of the events they are reconstructing. This enhancement allows analysts to conduct a more informed and accurate analysis and take appropriate actions.
• Web View Reconstruction Settings from System View: NetWitness introduces the new Web View Reconstruction Settings from the (Admin) > System > Investigation view. This setting from the Events tab allows administrators to enhance the reconstruction of web views by scanning and reconstructing related events with the same supporting files. When reconstructing a web view spanning multiple events, the system can improve the target event's reconstruction by including related events that contain relevant images and CSS files. Only HTTP service-type events with the same source address as the target event and a timestamp within a specified time range before and after the target event will be scanned. Administrators can also configure the maximum number of related events to scan, providing greater flexibility and precision in web view reconstruction.
• Create Custom Events Widget from Query: During the investigation, administrators and analysts can now create an Event widget from the Investigate > Events view. Users can add any number of filters to the query search bar and convert these searches into Event widgets for improved detection and monitoring. The newly created widget will be saved for quick access under the Home page library. Users can then add the Event widget to the Dashboard Layout view (Admin, Analyst, or Manager) under the Home page and customize its configuration to suit their needs. This feature enhances the monitoring and analysis of events, allowing users to track and watch relevant and important events in real-time.
• Sort Meta Key Results by Packet Count: Analysts can now sort the results of each meta key by the number of packets in the session on the Investigate > Events page. You can sort the results by Value or Total and in ascending or descending order. By sorting the meta key results by packet count, you can easily find the most or least frequent meta values that occurred in the user environment and can be used for further investigation or analysis.

Respond

• Alerts View Enhancement: The Export option in Respond > Alerts > Select an alert > More Actions allows you to export and download the original and normalized alerts along with the events in JSON format. NetWitness Platform allows you to export up to 1000 alerts at a time for offline investigation.
• OOTB Response Actions: Introduction of Out of the Box (OOTB) actions as part of the Response Actions Service. The OOTB actions "Contain Host" and "Lift Containment on Host" are enabled for CrowdStrike and CrowdStrike integrated through NetWitness Orchestrator. This enhancement allows analysts to manually execute response actions after reviewing an incident or automatically as part of a triggered incident. The Response Actions with CrowdStrike are available directly or through NetWitness Orchestrator.
• Whitelist Enhancement: The Whitelist feature has been enhanced to include alerts for Event Stream Analysis and NetWitness Core services. You can now whitelist unwanted and recurring non-suspicious alerts for these services. This allows you to select specific entities and set whitelist conditions to prevent unwanted alerts for those entities.

Insight

• New Assets View for Network Assets Detection and Monitoring: NetWitness introduces a new Assets view within the Hosts > Assets menu. This view provides a centralized location where you can view all the assets detected within your environment along with their associated details, such as the asset IP, asset type, asset category, enterprise network exposure, peer network exposure, peer activity exposure, first seen, and last seen. You can use filters to narrow down the assets by different criteria. This view helps analysts to easily identify and prioritize assets behaving abnormally or unfamiliar assets, enabling them to take immediate action to mitigate any potential security risks.
• New Insight Alerts for Network Assets: NetWitness Insight introduces two new alerts to help you monitor and respond to changes in your network assets. These alerts are available in the Respond > Alerts view and are based on the asset type and the exported services of each asset.           
  • Asset type change over time: This alert is generated when there is a change in an asset's type (for example, client to server) after the same type was observed for 7 consecutive days.
  • Asset exported services change over time: This alert is generated if there is a change in the number of services exported by an asset after the same service was observed for 7 consecutive days, even if the asset category remains unchanged.

           These alerts help analysts to identify and investigate any potential anomalies or threats in their environment.

User and Entity Behavior Analytics (UEBA)

• UEBA Anomaly Detection using Day of the Week: NetWitness UEBA enhances its anomaly detection capabilities by introducing the Day of the Week feature. This feature enables the detection of non-standard access patterns that may indicate a compromised account or an insider threat. When a monitored user or a network entity activity on a particular day of the week differs from its usual baseline, UEBA flags it as an anomaly, generates a Non-Standard Access or Non-Standard Activity alert, and notifies the analysts for further investigation and verification. For further information on the monitored activities tracked for Non-Standard Access and Non-Standard Activity, please see the topic Alert Types in the NetWitness UEBA User Guide.
• MITRE ATT&CK Mapping for UEBA: NetWitness now integrates MITRE ATT&CK framework mapping for UEBA alerts and incidents. This mapping helps analysts understand the attacker's potential tactics, techniques, and sub-techniques behind detected activities by correlating them with known behaviors. When investigating UEBA alerts and incidents, analysts can see a list of mapped tactics and techniques from the Respond view, along with a dedicated ATT&CK Explorer panel that provides further context and related information, which eliminates the need to visit MITRE's website for ATT&CK information. This enhancement provides valuable insights into threat severity and nature, enabling faster and more informed response decisions.
• Added JA4 Support in UEBA for Improved Client Identification and Threat Detection: NetWitness has added support for the JA4 fingerprint and is the default for UEBA from the 12.5 version or later. This change is implemented because JA4 is identified as the most reliable and improved client identification method. JA4 leverages TLS Client Hello packets to identify application-specific traffic patterns and create unique fingerprints for each application. This reduces the total number of unique fingerprints for modern browsers. As a result, a single client will have only one JA4 fingerprint instead of multiple ones, making it easier to track and monitor. This improvement in UEBA with JA4 helps to identify the fingerprints of malicious applications and enables analysts to proactively identify and mitigate threats hidden within encrypted traffic.
• Enhanced UEBA for Detection of Kerberos and Explicit Logon Activity: NetWitness UEBA has enhanced its detection coverage capabilities for logon activity, added additional indicators, and modeled behaviors for Kerberos and Explicit Logons. This improved detection allows analysts to investigate and monitor risky behaviors across all users in their environment and gain valuable insights into user authentication attempts, helping them easily identify logon activity and potential threats more effectively.

SASE Capability

• NetWitness SASE Integration with Netskope (Private Preview Mode): Introduces NetWitness integration with Netskope SASE to provide complete network and logs visibility. With this custom technical integration, NetWitness users gain insight into behavior and communication among devices and services in remote and distributed networks across on-premises, hybrid, and cloud deployments. The NetWitness-Netskope SASE integration enables customers to leverage SASE flexibility and its inherent security advantages while retaining complete visibility for threat detection and response. In 12.5 release, NetWitness SASE integration with Netskope is in Private Preview Mode. For more information, see Netskope SASE Configuration Guide for 12.5.

Endpoint

• Exclusion of Specific Files and Folders from Agent Full System Scans: You can configure the NetWitness Platform to exclude specific files and folders from NetWitness Endpoint Agent full system scans. When you exclude files or folders, the NetWitness Endpoint Agent ignores them when it scans for security risks. If you exclude files and folders with large sizes, you might find that Endpoint Agent scan time is reduced. Excluding a file or folder from the NetWitness Endpoint Agent scans reduces the protection level of hosts on your network. It should be used only if you have a specific need and are confident the items are not infected. You can exclude files and folders only from a Full System Scan.
• Optimizing Performance: Load Balancing Capabilities in Endpoint Servers: The newly introduced load balancing feature enables administrators to distribute agents' loads equally across the endpoint servers in the environment. When organizations become larger, the need to add new agents for deployments increases, and distributing agents across Endpoint Servers becomes difficult. Administrators must download a different Packager for each endpoint server and use policies to distribute the load based on conditions. Using the load balancing feature, customers only need to download one agent packager and push it to all the endpoint agents. Based on the defined load and parameters, the agents will be equally distributed across Endpoint Servers.
• Ability to Monitor Endpoint Agents' Last-seen Details: NetWitness Platform enables administrators and analysts to regularly create reports detailing the number of endpoint agents that haven't reported for a specified number of days, ensuring compliance and governance in the organization. Understanding when the endpoint agent was last active provides insights into the overall performance of the endpoint devices. Monitoring the endpoint agents’ last-seen status is crucial for ensuring security, compliance, operational efficiency, and effective resource management within an organization.
• Supported Operating System Enhancements: Administrators have the option to deploy Endpoint agents on the following version of the Windows Operating System: Windows 11 (up to version 23H2)

CCM

Support for Native Parsers

• View Parser Metadata Configuration: The Policy Details > Parser view has been enhanced to view the Parser Metadata Configuration on the right-hand side panel displaying all the Meta for selected Parser.

•  Enable or Disable Parser Meta: The Policy Details > Parser view has been enhanced to enable or disable specific parser meta giving you the capability to decide whether to use native parsers or not. You can enable all meta, disable all meta, make all meta as transient, enable individual meta, disable individual meta, make individual meta as transient.

•  View Native Parsers Enabled for Services and Attached to Policy: You can easily view the Native Parsers enabled for services and attached to a policy as they are automatically displayed on the Policy Details page.

•  Distinguish between Native Parsers and LUA Parsers while Creating a Policy: A distinguishable identifier is created for native parser in the Create Policy or Edit Policy page to help you distinguish between native parser and LUA parser while creating a policy.
•  Filter Native Parsers: You can filter the native parsers in the Create Policy, Edit Policy and Policy Details page enabling you to easily select or view the native parsers required for the policy. This will streamline the process and enable you to easily add or remove native parsers during policy creation or modification.

Concentrator, Decoder, Log Collector, and Archiver Services

• Introducing JA4 TLS Fingerprinting: JA4 identifies application-specific traffic patterns by analyzing the TLS handshake negotiations (Client Hello), thus enhancing the UEBA threat detection capabilities.
• Logstash Event Sources: Introduced NetWitness JDBC Logstash Input plugin support to collect logs from MSSQL, IBMDB2, and Oracle databases.
• Extended Metadata: An optional configuration to increase the length of values that can be stored in the meta database to provide better accuracy when it comes to certain use cases requiring matches of long strings. Extended Meta provides a way to selectively configure certain meta keys to support values greater than 256 bytes. With this feature, meta values previously truncated by the 256 bytes limit can now be extended up to 4,096 bytes in length. It is important to note that this feature can significantly impact performance metrics such as database retention, query speeds, and aggregation.
• Application Rule Tracking: Counts how often an application rule is matched as well as the ability to reset the counter for troubleshooting purposes.

Log Integrations

The NetWitness Platform supports the integration of the following event sources to collect and parse logs:

• Amazon AWS CloudWatch
• Okta Workforce Identity Cloud

Context Hub

• Improved Threat Intelligence with STIX 2.x Integration: NetWitness has enhanced its threat detection and security monitoring capabilities by integrating support for STIX 2.x feeds, including versions 2.0 and 2.1. Administrators can now utilize STIX 2.x (JSON format) to configure File, REST, and TAXII Server as data source indicators for Context Hub. This enhancement allows you to create custom feeds using STIX 2.x data sources. The NetWitness platform analyzes data in the background to extract valuable threat intelligence and identify malicious patterns, providing enriched context through Context Lookup on the Investigate and Respond pages and helping analysts to conduct investigations more effectively. This enhancement simplifies the utilization of structured threat intelligence by eliminating many previous constraints, allowing for more descriptive and effective reporting of sightings. This integration involves the conversion of structured threat intelligence from STIX format into a format that the SIEM system can easily understand and use, thus enhancing its effectiveness in protecting against threats.

Security Updates

Addresses the latest security vulnerabilities reported against various libraries the NetWitness Platform uses, including one critical (CVE-2016-1000027), 35 major, 103 Moderate, and 16 minor vulnerabilities.

Please refer to NetWitness Platform 12.5.0. Release Notes for detailed information about new features, enhancements, Known Issues, and Build Numbers.

For additional documentation, downloads, and more, visit the NetWitness Platform page on RSA Link.

For more information about online help, Community Forum, and Advisories, visit https://community.netwitness.com.