Recently made the jump to version 12.2 and centralized content
management. Most content can be transferred over, but one thing that
isn't straightforward is custom feeds. How do we create new custom feeds
in the content library? There is no wizard dr...
Hi, I want to build an ESA alert that will trigger on any single event
where multiple instances of the error meta-key are present in the event
metadata. As an example, feed.name = "investigation"analysis.file =
"common document formats"error = "ACCES...
The following EPL syntax never alerts in NetWitness Packets despite
passing tests in the EPSER Tech website. I am also able to confirm that
valid domains fitting the alert criteria are seen by our NetWitness
Packets system. Additionally, replacing th...
I'd be fine doing that, but enabling the decoders to be managed under
CCM removed all the options to manage custom feeds. It looks as though
I'm left with no options to reconfigure or create custom feeds.
For those that might run into this issue. If you don't have the
cert.checksum metakey then use the cert.thumbprint metakey. This page
corroborates that usage as well.
https://community.netwitness.com/t5/netwitness-platform-online/decrypt-incoming-pac...
Any idea why the cert.checksum metakey wouldn't exist? Running a much
higher version of NetWitness (11.7.0.1) and thought the metakeys were
more standardized. Does this need to be added manually?
Hi JeffersonRodrig NetWitness in general can't decrypt anything without
having encryption keys imported. There is no inline decryption. The only
protocol where decryption works is for very basic TLS that isn't using
ephemeral key exchange (i.e. sessi...
Not sure if the reporting engine supports ESA notification based on
generated reports, but at a minimum you could create a feed and ESA
alert for matches of traffic being currently processed.
