The NetWitness Endpoint meta schema, while fully accessible, has
remained a mostly opaque and little understood topic. Exactly what
metadata gets created, where from, and how to modify/customize the
schema is not something that we have provided any e...
By default, NetWitness Endpoint 11.x creates a self-signed Certificate
Authority during its initial installation, and uses this CA to generate
certificates for the endpoint agent and the local reverse proxy that
handles all incoming agent communicati...
By default, NetWitness Endpoint 11.x creates a self-signed Certificate
Authority during its initial installation, and uses this CA to generate
certificates for the endpoint agent and the local reverse proxy that
handles all incoming agent communicati...
If you've ever done any work testing against an API (or even just for
fun), then you've likely come across a number of tools that aim to make
this work (or fun) easier. Postman is one of these tools, and one of its
features is a method to import and ...
22APR2020 - UPDATE: Naushad Kasu has posted a video blog of this
process and I have posted the template.xml and
NweAgentPolicyDetails_x64.exe files from his blog here. 08APR2020 -
UPDATE: adding a couple notes and example typespecs after some
additi...
@BohdanR I don't know if there's a way to use both a CH List and a
context at the same time, but you can use local time zone offsets in
your contexts like so.... CREATE SCHEMA BeginNonWorkingHours(); CREATE
SCHEMA EndNonWorkingHours(); CREATE CONTEXT...
@Hitachi_L3 You assign permissions to Roles and External Group Mappings,
not to individual users. Users with those roles will receive the
assigned permissions.
@Hitachi_L3 It's only possible to add external AD security groups, not
individual user accounts. But you can certainly assign multiple roles to
the external group - simply need to keep adding them to the group within
the Admin/Security --> External G...
If the logs that do not have the sig.id parsed are all being handled by
msg.id "Snort_AlertLog" then you'd only need to add/modify that. But if
those events are being handled by other msg.ids then you'd likely
want/need to modify those others, as wel...
