
NetWitness Community

ChrisThomas
Frequent Contributor
Member since 2012-03-13
2022-01-14

User Statistics

  • 62 Posts
  • 8 Solutions
  • 45 Likes given
  • 70 Likes received

User Activity

Posts

Analysing EVTX files in NetWitness through Winlogbeats

by ChrisThomas, 2021-02-01, in NetWitness Community Blog
In Incident Response we often get called in to customer engagements after an incident has occurred (yeah, I know, that is why it is called Response). Unfortunately, not all organisations we work with have centralised log collection … or if they do, t...

ASD & NSA's Guide to Detect and Prevent Web Shell Malware – Endpoint Visibility

by ChrisThomas, 2020-05-22, in NetWitness Community Blog
To round out our series explaining how to use the indicators from ASD & NSA's report for detecting web shells (Detect and prevent web shell malware | Cyber.gov.au ) with NetWitness, let's take a look at the endpoint focused indicators. If you missed ...

ASD & NSA's Guide to Detect and Prevent Web Shell Malware – Network Visibility

by ChrisThomas, 2020-05-06, in NetWitness Community Blog
Following on from my last post that focused on analysing web server logs https://community.rsa.com/community/products/netwitness/blog/2020/04/30/detecting-webshells-with-web-server-logs , this time we are going to look at the network based indicators...

ASD & NSA's Guide to Detect and Prevent Web Shell Malware - Web Server Logs

by ChrisThomas, 2020-04-30, in NetWitness Community Blog (latest reply by ChrisThomas, 2020-05-04)
Introduction. The Australian Signals Directorate (ASD) & US National Security Agency (NSA) have jointly released a useful guide for detecting and preventing web shell malware. If you haven't seen it yet, you can find it here: Detect and prevent web shel...

Using RSA NetWitness to Detect C&C: Covenant

by ChrisThomas, 2019-12-20, in NetWitness Community Blog
Introduction. Having recently moved into the IR team – where I now have to actually do stuff as opposed to just talking about stuff in technical sales – I have found that the best way to get up to speed with detecting attacker behaviours is to run the ...

Replies

Re: ASD & NSA's Guide to Detect and Prevent Web Shell Malware - Web Server Logs

by ChrisThomas, 2020-05-04, in NetWitness Community Blog
Hi Jon. We'll get into some methods for detecting web shells using data from NetWitness Network soon! In the meantime, the default setting for the http_lua network parser is to register the components of the URI (hostname, directory, filename, extrensi...

Re: Investigating an alert, need help with additional meta

by ChrisThomas, 2019-08-22, in NetWitness Discussions
The joy of Logs! So maybe we need info from another source. If you have DNS logs with the request and response (or even better NW Network capture of DNS queries) from the Proxy we could tie the ip.dst (in NW Network, the response to the DNS query woul...

Re: Investigating an alert, need help with additional meta

by ChrisThomas, 2019-08-22, in NetWitness Discussions
Using a feed to tag sessions with extra meta for context is a great idea overall, but I don't think it answers your initial question of how to link the event from the firewall with the corresponding event from the proxy server. Using the feed mechani...

Re: v11 - Replace Self-Signed Certificate

by ChrisThomas, 2019-03-20, in NetWitness Discussions (latest reply by MichaelGallegos, 2019-03-20)
There is documentation at the end of the Security Configuration guide available here (in Appendix A): Security Configuration Guide for Version 11.2. From the field – it does work: We have created a self-signed certificate and a key using the below, op...

Re: Respond Server Querry

by ChrisThomas, 2018-08-19, in NetWitness Discussions
Take a look at Joshua Randall's post from a couple of weeks ago: https://community.rsa.com/community/products/netwitness/blog/2018/08/07/improving-alerts-related-links-in-respond
© 2022 RSA Security LLC or its affiliates. All rights reserved.