RSA, a Dell Technologies business, is pleased to announce the release of RSA NetWitness Orchestrator 4.5.
RSA NetWitness Orchestrator is a comprehensive security operations and automation technology that combines orchestration, incident management, and interactive investigation. The RSA NetWitness Orchestrator engine automates security product tasks and weaves in the human analyst tasks and workflows. In addition, RSA NetWitness Orchestrator also enables security teams to reduce Mean-Time-To-Respond (MTTR), create playbook-driven automated response actions, and leverage machine-learning powered insights for quicker resolution and greater efficiency.
Highlights of the capabilities available in the new RSA NetWitness Orchestrator 4.5 include:
• Communication Tasks. Communication tasks enable sending surveys to both NWO users and external users in order to collect data for an incident. The collected data can be used for incident analysis, and also as input for subsequent playbook tasks.
• Pre-Processing Rules. The pre-processing rules feature provides a UI-based workflow for performing certain actions on incidents as they are ingested into NWO. Using the rules, you can select incoming events on which to perform actions, for example, link the incoming incident to an existing incident, or under configured conditions, drop the incoming incident altogether.
• NWO Plugin for PyCharm. Use the NWO plugin for PyCharm to design and author scripts and integrations for NWO directly from PyCharm. The plugin adds a sidebar with Automation and Integration Settings, just like the Settings sidebar in the NWO script editor. When writing code, the plugin provides auto-complete of NWO and Python functions. • Development and Production Environments. Added several content types to context exports. Widgets, Reports, Dashboards, Lists, and Incident Types.
• Quick Access Incidents List. Mark active incidents as a favorite (the star icon) to quickly identify and access them. The maximum number of investigations in the Favorites list is 100.
• Filter the Active Incidents list. Filter by Favorites, Incidents I Own, or Incidents That I Participated In. Open an investigation without assigning an owner by specifying the investigation.add.creating.user key.
• Incidents and Indicators. Added the taskReopen command, which enables reopening a task by specifying the task ID. Added the Go To button to Incidents list view and summary view, so you can quickly navigate to a specific incident's summary page. Track the first seen and last seen entry for an indicator from the Indicators page and from the Incident quick view. When adding an indicator to a whitelist, specify that the indicator only be whitelisted for a specific indicator type.
Automation. Added the SSDeepReputation automation, which enables you to use an ssdeep hash (fuzzy hash) to identify connections between files seen in different investigations. File connections are identified by automatically detecting the ssdeep of each file (uploaded or attached) to any incident in NWO. The ssdeep hash is then compared to every incident file seen in the previous 24 hours. If a relatively similar file is identified, NWO assigns the malicious score of the original file to the newer file.
Playbooks. When you select an automation for a playbook task, the automation's description inherits and auto-populates the task description, which you can edit. You can now select to run a playbook task without using a worker. Tasks that do not have a parent task are not visible in the work plan. Demisto Performance. This version introduces several under-the-hood enhancements that improve Demisto performance.
• General Improvements. You can now edit comments for file entries in the War Room. The Contains filter now works on strings (in addition to lists). Made several visual and usability improvements to the Automation Library. Made several visual and usability improvements to War Room entries. You can now filter the Widgets library.
For additional information or for assistance integrating RSA NetWitness Orchestrator into your existing Security Operations Center or deployment please contact your local RSA Solution Principal and/or your local RSA Sales Team.