NetWitness Community

NetWitness is pleased to announce the general availability of NetWitness Platform XDR 12.2. This release contains features to further enhance threat detection, response capabilities and continued security updates.

NetWitness Platform XDR 12.2 includes the following notable enhancements.

Detection:

• Policy Based Centralized Content Management – Centralized Content Management (CCM) for Core can be enabled or disabled from the UI, allowing administrators to choose between the new CCM and old individual service configuration method of managing content. CCM provides users flexibility to update application and network rules while cloning or editing rules and creating groups from the policy creation view. CCM comes with added caution icons and banners to guide the users with information and error messages. CCM is an opt-in feature for all customers upgrading to NetWitness Platform XDR 12.2 from older releases and do not have CCM enabled. This feature is not applicable to ESA.

• Endpoint host / file usability improvements – Analysts get an accurate number of hosts and list of Windows, Mac, and Linux machines with suspicious autoruns configured. Hosts view columns have been optimized to bring the best value for analysts.

• Log Collection Support via Logstash: Managed Logstash supports type specs to collect logs from Kubernetes cluster, NetFlow v10 (IPFIX), and event sources that communicate over HTTP protocol using “HTTP Receiver”.

• HTTP/2 Streams Support:  Introduces the capability to generate metadata from compressed HTTP/2 streams to improve analyst investigations and threat detection.

• Endpoint Linux agent - Process event monitoring –Analyst can view Linux process event activities to detect threats on Linux machines.

Response:

• Respond Notification – In addition to SMTP notifications, users can configure Syslog alerts for Incidents and customize their own notification templates.

• UI improvements – Respond now has added pagination support that allows analysts to view more than 1000 Incidents and Alerts and manage the page size for better visibility.

Administration:

• Core Database Tuning – New Index configuration threshold has been introduced to keep the index memory usage in control.

• Endpoint Agent Supported OS: Administrator has the option to deploy endpoint agents on macOS Ventura (13) and Windows 11 (up to version 22H2).

• Endpoint supports new REST APIs: New APIs provide host tag management and resetting of risk score.

Integrations:

NetWitness Platform XDR supports the integration of the following integrations to enhance detections visibility across multiple tools and applications. These integrations are supported on NetWitness Platform XDR 11.7.0.0 or later.

• Zscaler ZIA/ZPA
• OPSWAT Meta Access Cloud
• Symantec Endpoint Security Events
• Symantec Endpoint Security Incidents
• S3 Universal Connector supports access logs from Application Load Balancer (ALB).

Security:

• Security updates – Addresses latest security vulnerabilities reported against various libraries used by the product.

Please refer to NetWitness Platform 12.2 Release Notes  for cipher changes and other update instructions.

For additional documentation, downloads, and more, visit the NetWitness Platform page on RSA Link.