RSA is excited to announce the general availability of RSA NetWitness Platform (RNWP) v11.6. This new release delivers great new analyst usability features for network, endpoint, and log data sources, an enhanced investigative workflow, expanded network and log capture options, and improved administration.
Faceted Search - The new faceted search layout of the default Events view makes interacting with large amounts of data collected from the enterprise a more familiar experience and a more efficient workflow.
Improved Investigate Content Delivery & Organization - All Investigate content (Column groups, Meta groups and Query Profiles) is distributable using RSA Live and displayed in a folder structure to help analysts organize and use the content important for their use cases.
Direct Free-form query or text search – To create a blank free-form filter, an advanced analyst can select the option “Click to start a free form query” from the Advanced Options panel. In the same manner an analyst can choose “Click to start a text search” to create a new text search.
Respond Incident Data Persistence BETA - Analysts and Administrators can pin events that are associated with certain incidents, so that the incident can be viewed along with all relevant evidence in the future, regardless of its age.
ESA Support for Meta Entities - Meta Entities provide a way to link similar meta keys together. Once they are defined, an entity can be used the same way as a key, so that analysts can use them as regular keys to get to multiple, similar concepts.
UEBA Visualization Enhancement - A new and enhanced dotted chart is introduced to provide analysts with the entities' baseline values over time to better understand the context of the modeled behavior and the anomaly.
Detect AI has been added as an alert source in the Respond view. It captures the alerts from the cloud-based user behavior analytics to create incidents from alerts.
Column Group Meta Key Recommendations – While reviewing query results in the Events table with a selected column group, analysts have the option to view recommended columns that may have data for those events but are not part of the current column group. These suggested meta keys help analysts to have the best column groups applied so that no relevant data is missed for the events displayed.
Reconstruction UI Enhancements – The pagination of the Text tab has been enhanced to make it more obvious when more content is available than can be displayed on a single page. Analysts can copy selected content to the clipboard using a keyboard shortcut (in addition to the menu option) for further investigation.
Centralized Agent Management - Admins can now upgrade and uninstall selected or all agents using the UI, making it easier to manage NetWitness Endpoint agents.
YARA Scan Support - YARA helps analysts with rule-based detection capabilities in identifying and classifying malware.
Additional detections - Analysts will now be alerted when additional sub-techniques around the Persistence tactic are detected.
Expanded Lateral Movement Visibility - The Windows agent has been enhanced to report executable write events on the target machine when executables are copied to network shares. Analysts can now have deeper visibility into lateral movement activities on Windows around files that are being copied to network shares.
Expanded investigation capabilities – Analysts can now download and investigate the MFT from any Windows drive.
High Speed Packet Capture - You can now analyze network data (packets) from higher speed networks and optimize your Network Decoder to capture network traffic up to 40Gb/sec. A new configuration mode is available, as use cases supported above 10Gb/sec have limitations and don't support full packet capture.
Support for Brotli Decompression and Snort OpenAppID provides further detection and classification of network traffic.
Log Collection Support for Managed Logstash - A Logstash server is packaged and supported along with the NetWitness Log Collector or Virtual Log Collector (VLC) service to provide easy access to Logstash.
JSON Mapping Usability Improvements
Trusted Authentication for Aggregation Hosts – Event Stream Analytics and Core Services can now authenticate via trusted tokens, which removes the need for service account/password authentication.
Easy Update of Position Tracking – Event Stream Analytics' core services configuration tab has been enhanced so that Administrators can edit or import the position tracking of core services. This can be leveraged in cases such as when sessions must be reprocessed or skipped from processing, when testing new rules, when importing services from one deployment to another, and so on.
Have a great idea for improving the RSA NetWitness Platform? Check out the RSA Ideas for the RSA NetWitness Platform portal and either submit your idea for improving the RSA NetWitness Platform or vote up previously submitted ideas!
For More Information on the Release and Upgrade Instructions:
• Review the RSA NetWitness® Platform 11.6 Update Instructions and Release Notes available on RSA Link (RSA NetWitness Platform 11.6) before you update.
For additional documentation, downloads, and more, visit the RSA NetWitness Platform page on RSA Link.
EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.