The RSA Professional Services Team has created many procedures and
scripts to aid in administration of the NetWitness Platform. These were
designed to make some aspects of system maintenance and operation easier
to perform, especially for large depl...
Change Note: The attached script for changing passwords across all
NetWitness hosts has been updated due to changes in salt version in
11.4. Synopsis: Normally resetting the root password is a simple task if
you’re logged in already with root privileges...
Updated for Version 11.7+ (backward compatible). Scenario - Need to
remotely backup your NetWitness hosts to a central location, to satisfy
Disaster Recovery Requirements, perform Tech Refreshes, or to be
prepared for RMA replacement of a device. So...
Scenario - Due to a slow or unstable WAN link between host(s) and the NW
Admin Server (node-zero) host, installs and/or upgrades are failing to
complete successfully. Solution – External Repo: Create an external
NetWitness repo that is closer to the hos...
Are you wanting to look backwards in time, or from now forward? If
wanting to do a query for past data, you will need to create a reporting
engine rule to "select"
ip.src,ip.dst,country.dst,city.dst,domain.dst,action where country.dst =
Is the traffic a scan with only ACK flags set? A lot of external scanners
use ACK scans (no SYN), since all NW has to go on is ONE packet, which
has an ACK which is normally a response packet, the IP src/dst gets
reversed. Not a lot you can do about i...
Even with that query, some may still be reversed, if the response was
only a syn-ack packet. Other factors come into play if you use a proxy
for outbound traffic, as timeouts on sessions (if NetWitness and your
proxy have different timeouts) can caus...
I understand, but you need to quantify that data after the carve. So with
country.dst='ukraine' you will want to look at "tcpflags" meta and see
if there is a large imbalance between the "ack" count and the "syn"
count, if there are way more "ack" ins...