One of the major new features found in RSA NetWitness Platform version 11.1 is RSA NetWitness Endpoint Insights. RSA NetWitness Endpoint Insights is a free endpoint agent that provides a subset of the full RSA NetWitness Endpoint 4.4 functionality as well as the ability to perform Windows log collection. Details of how to configure RSA NetWitness Endpoint Insights can be found here: https://community.rsa.com/docs/DOC-86450
Additionally, as of RSA NetWitness Platform version 11.0, those with both RSA NetWitness Log & full RSA NetWitness Endpoint components have the option to start bringing the two worlds together under a unified interface. This integration strengthens in version 11.1, and will continue to do so through version 11.2 and beyond. Details of this integration can be found here: Endpoint Integ: RSA Endpoint Integration
I created the content below to complement the endpoint scan data (RSA NW Endpoint and RSA NW Endpoint Insights) as well as tracking data (RSA NW Endpoint + meta integration into 11.X). As you leverage this content, please let me know if you have any questions, and please post improvements and iterations as well.
Note: If using the RSA NW Endpoint Insights agent (vs. the full RSA NW Endpoint 4.4 agent), full process tracking data is not available. The process-centric content below will still work, but keep in mind that the process data reported is only a snapshot in time based on endpoint scan schedules and will not capture any process events in between scans.
Autoruns - Outliers Report & Dashboard
Autoruns & Scheduled Tasks launching from or arguments containing AppData\Local\Temp
Autoruns & Scheduled Tasks launching from root of \ProgramData
Autoruns & Scheduled Tasks invoking Command Shell (cmd.exe or powershell.exe)
Autoruns & Scheduled Tasks invoking wscript.exe or cscript.exe
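The four outlier categories listed above can be expressed as a small classifier. This is an added Python example, not the report's own NetWitness rules; the field names `path` and `args`, the category labels, and the sample records are all constructed for illustration.

```python
import re
from ntpath import basename  # Windows path handling on any OS

# Launch path or arguments that reference AppData\Local\Temp.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\b", re.I)
# A file sitting directly in \ProgramData, not inside a vendor subfolder.
PROGRAMDATA_ROOT = re.compile(r"^[A-Za-z]:\\ProgramData\\[^\\]+$", re.I)
# Executable file names appearing anywhere in a command line.
EXE_TOKEN = re.compile(r"[^\\/\s\"']+\.exe(?![\w.])", re.I)
SHELLS = {"cmd.exe", "powershell.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def classify(path, args=""):
    """Return the outlier categories one autorun or scheduled task matches."""
    path = path.strip().strip('"')
    hits = set()
    if TEMP_DIR.search(path) or TEMP_DIR.search(args):
        hits.add("temp")
    if PROGRAMDATA_ROOT.match(path):
        hits.add("programdata_root")
    # The launched binary plus any executables named in its arguments.
    invoked = {basename(path).lower()}
    invoked |= {name.lower() for name in EXE_TOKEN.findall(args)}
    if invoked & SHELLS:
        hits.add("command_shell")
    if invoked & SCRIPT_HOSTS:
        hits.add("script_host")
    return hits


# Constructed sample records (not real scan data).
SAMPLES = [
    {"name": "Updater", "path": r"C:\Users\bob\AppData\Local\Temp\upd.exe", "args": ""},
    {"name": "SvcHelper", "path": r"C:\ProgramData\helper.exe", "args": ""},
    {"name": "Vendor", "path": r"C:\ProgramData\Vendor\agent.exe", "args": ""},
    {"name": "Task1", "path": r"C:\Windows\System32\cmd.exe",
     "args": r"/c powershell.exe -File C:\Scripts\a.ps1"},
    {"name": "Task2", "path": r"C:\Windows\System32\wscript.exe",
     "args": r'//B "C:\Users\bob\AppData\Local\Temp\x.js"'},
]


def report(records):
    """Map entry name to sorted categories, keeping only entries that match."""
    results = {r["name"]: sorted(classify(r["path"], r["args"])) for r in records}
    return {name: cats for name, cats in results.items() if cats}


if __name__ == "__main__":
    for name, cats in report(SAMPLES).items():
        print(f"{name}: {', '.join(cats)}")
```

Entries installed under a vendor subfolder of \ProgramData are intentionally not flagged, which keeps the "root of \ProgramData" category narrow enough to review by hand.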