RSA is pleased to announce the general availability of RSA NetWitness Platform (RNWP) v11.6.1. This release introduces workflow efficiencies for both analysts and administrators. These enhancements help streamline log management and increase the effectiveness of analysts when investigating threats
Optionally Choose to Retain Incident Network Data Artifacts:
In Respond analysts have the option to selectively choose which network data artifacts they want to keep as evidence for any incident instead of risking the rollout of those attributes as storage space decreases on the Decoder.
Endpoint OPSWAT Scans:
The system automatically scans executable files using multiple anti-malware engines. Infected or suspicious files will raise the risk scores of the hosts on which those files are found, helping analysts prioritize their work.
Automatic Download of Endpoint Memory DLL Files:
Analysts can configure endpoint sources to automatically download all memory DLL files to the server, regardless of their size. This ensures those files are copied to the server and available to the analyst on demand.
Filter Endpoint Assets by Machine Organizational Unit (OU):
Endpoint groups can now be created based on Organization Unit (OU), in addition to OS, IP and Host Name grouping capabilities available previously. This provides another way to analyze endpoints which may be more useful, especially in environments with thousands of agents.
UEBA Alert Feedback:
Analysts can set the status of a UEBA alert as either None (default) or Not a Risk. If marked Not a Risk, that alert is effectively ignored, and the alert score is influenced accordingly. This can be done on one or many alerts at the same time, helping the analyst more quickly triage and prioritize generated alerts.
Investigate Compact View Layout Updates:
There are further adjustments to the Investigate Events layout to take better advantage of the screen real-estate when analysts are using smaller screens.
Optional Timeline Toggle:
The Investigate Events timeline has a toggle to enable/disable the display of the timeline to provide analysts the ability to choose when they want to see that overview of the event data.
Report Creator Visibility:
Newly created reports will indicate which user originally created the report, displaying this information in the report list. This information will help analysts quickly identify the report they are looking for.
Support for Mac BigSur on M1 and Intel:
Endpoint agents now support Mac BigSur on both the M1 and Intel hardware platforms.
Trusted Authentication for NetWitness Export Connector:
Authentication for the NetWitness Export Connector can now be configured to use certificates, eliminating the need manually enter usernames and passwords and avoids storing passwords locally.
NetWitness UI Support for Logstash Keystore:
Logstash keystore management is now possible through the NetWitness Platform UI, eliminating the need to create or updated credentials on the Log Decoder or Virtual Log Collector manually through CLI commands.
Have a great idea for Improving the RSA NetWitness Platform? Check out the RSA Ideas for the RSA NetWitness Platform portal and either submit your idea for improving the RSA NetWitness Platform or vote up previously submitted ideas!
For More Information on the Release and Upgrade Instructions:
Please contact your local RSA Sales Representative or RSA Customer Support if there are any questions or concerns with the upgrade. Full details and instructions for upgrading are provided in the 11.6.1 Upgrade Guide.
For additional documentation, downloads, and more, visit and subscribe to the RSA NetWitness Platform page on RSA Link.
EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.