Summary:
RSA is excited to announce the general availability of RSA NetWitness Platform (RNWP) v11.5, which delivers powerful new analyst features for network detection and response (NDR), a smoother investigative workflow, expanded machine learning models, enhanced network and log capture options, and improved administration.
Highlights for the Analyst
A Streamlined Starting Point for Platform-Wide Detections, Alerts, and Incidents. Introducing Analyst Springboards - A new unified landing space that presents platform-wide detections and leads in a single view. Analysts can simultaneously view prioritized alerts and incidents, risky hosts, risky users, and risky files, which helps speed hunting and investigation!
Additional Network Visibility & Context with Endpoint Agents. Network data is now enriched with additional information gained from RNWP Endpoint agents, including host name, username, and process information. This allows analysts to quickly assess the context of a network threat and begin to understand its origin and path through the network.
Integration of Navigate & Event Views (BETA). A single, faceted view now gives analysts an integrated workflow in the Events view, in which they can drill into metadata in one panel and see the subset of sequential events in the adjacent panel. This combines the streamlined investigation and threat hunting formerly available using the Navigate view and the Events view.
Improvements in the Visual Layout of Investigate. Multiple improvements have been made in the Investigate Meta Group, Column Group, and Profile functionality to optimize the sequence and number of attributes per event to better identify patterns and provide analysts with a clearer investigation workflow.
Expanded Network & Logs Machine Learning (UEBA) Models. Additional UEBA indicators are available to automatically analyze VPN logs and Azure Active Directory logs for risky behavior across all users in the environment.
Improved STIX Support with Better Threat Context. RNWP now enriches Structured Threat Information Expression (STIX) data with more context and displays the enrichment for analysts in the Investigate and Respond views, speeding detection and response from threat intelligence integration. Information retrieved from a STIX data source now has the context for each indicator displayed, including adversary and attack details directly from the Context Hub.
Expanded Log Collection Capabilities via Native JSON Integration. Native JSON support provides user-configurable log integration with cloud APIs (across AWS, Azure, GCP, and other SaaS vendors). Analysts can easily configure JSON mappings to meta keys using a new interface, and can view JSON logs in their original format.
Highlights for the Admin
Optimize Storage Retention with Selective Network Collection Capabilities. RNWP now provides administrators the ability to apply centrally managed network capture policies across their Network Decoders. This maximizes Decoder resources and storage space to help better predict costs and management of multiple Decoders.
A New Health and Wellness Experience. New Health and Wellness functionality provides improved dashboards, monitors, and visualizations that reduce the complexity of RNWP monitoring by providing visibility into the complete deployment.
A Better Platform Management Experience. Administrators can now change an IP address, netmask, or gateway for any host within their environment with minimal interruption of operations. A standby (secondary) NW Server can now have a different IP address from the primary NW Server and successfully fail-over to the secondary NW Server.
Correlation Rule Enhancements for Event Stream Analysis (ESA). Several improvements to ESA rule building have been added to help Administrators manage and maintain the system, including Memory Thresholds, rule-builder logic testing, and advanced EPL rule processing that updates Context Hub lists.
Customer Ideas that were Implemented in this Release:
This release includes the following customer-voted ideas:
• Microsoft Edge Support: https://community.rsa.com/ideas/2621
• Improved Dashboards: https://community.rsa.com/ideas/3188
• Improved Login Banner: https://community.rsa.com/ideas/3594
• Public / Private Meta Groups: https://community.rsa.com/ideas/2669
Have a great idea for improving the RSA NetWitness Platform? Check out the RSA Ideas for the RSA NetWitness Platform portal and either submit your idea or vote up previously submitted ideas!
For More Information on the Release and Upgrade Instructions:
• Review the RSA NetWitness® Platform 11.5 Update Instructions and Release Notes available on RSA Link (RSA NetWitness Platform 11.5) before you update.
For additional documentation, downloads, and more, visit the RSA NetWitness Platform page on RSA Link.
EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.