RSA is pleased to announce the general availability of RSA NetWitness Orchestrator v6.1. This release provides improved case management capabilities, introduces more powerful interoperation between Threat Intelligence and Cases, and enhances Threat Intelligence with new Feed Report Cards.
Link Intelligence and Cases
Intelligence and Case Links: We have added several new features for linking Cases in Workflow with your source-of-truth, memorialized threat intelligence. Users can now directly link Cases and Artifacts to Indicators and Groups. For example, when investigating a case involving a particular Malware family, the Case can be linked directly to the Threat or Adversary involved.
Potential Associations: Allowing an analyst to set new relationships between the data is a great way to provide context. But what if the analyst doesn’t know the relationship exists? That’s where Potential Associations come in. Even if an active link hasn’t been provided or established, NetWitness Orchestrator will suggest relationships that might exist. For example, suppose an analyst is working a phishing investigation as part of a case and comes across a malicious attachment. If the file hash for that attachment has been historically related to a particular adversary, the user will be immediately notified that a potential link exists between the case they’re working on and that adversary.
Feed Explorer & Feed Report Cards
Feed Explorer: With a news article, understanding the validity and bias of the source is just as critical as the content of the article itself. Intelligence is the same way: when viewing an indicator, you might ask of the feed reporting it:
How often does this feed report a false positive?
How timely is this feed compared to other feeds?
Does this feed provide a wide breadth of information (e.g. is it only interested in phishing domains, or does it cover other topics)?
Do indicators in this feed tend to be more critical / malicious than those in other feeds?
NetWitness Orchestrator now offers answers to these and more questions in the form of our new Feed Explorer.
Feed Report Cards: In addition to the Feed Explorer, we also wanted to make sure that users could get this context throughout the platform. You can access a miniature version of the Feed Report Card when directly viewing an Indicator as part of the CAL Insights portion of the Details Page.
New Management API
We have added many new API features designed to help our more technical users with backend tasks. These new endpoints include a host of new metrics that improve the transparency of application health for automated management purposes, including:
Playbook usage and execution metrics
Overall system health metrics
Organization Administrators can now download Service logs.
Users can now sign up for error notifications via email when a Service app fails to execute. These notifications also include relevant diagnostic logs.
The Browse screen now provides a much more helpful error when a user enters an invalid TQL query.
Updated Threat Type Attribute Validation rule to include “Threat Actor” in the list of options.
Added new entries and removed old entries from Indicator Exclusion Lists.
We have implemented performance improvements for users who set Playbooks to run in TRACE logging mode.
Under the Hood
Whois lookups in ThreatConnect are now provided by WhoisXML API.
ThreatConnect now supports secure inbound SMTP connections via TLS.
ThreatConnect has many logging and storage capabilities that have the potential to introduce disk space issues. In order to manage these issues, we have introduced a disk space monitoring service.
Playbooks running as HIGH priority now have an underlying priority value of 7. This allows Playbooks designed to monitor system diagnostics to run at a higher priority than other Playbooks.
We have streamlined our patch process with a new, lightweight patch installer.
Elasticsearch has been upgraded to v7.7.0.
All SAML authentication now uses Keycloak instead of PicketLink.
Users can now configure Workflow to exclude certain Artifacts when automatically relating Cases. This should significantly reduce false positive associations from being made (e.g. you don’t want to relate cases on 127.0.0.1).
We have significantly expanded the amount of context provided to an analyst when viewing Case Artifacts. Users can now see which Task added the Artifact, CAL details, derived indicators, and much more. This means that a SOC Analyst investigating a Case is armed with the threat intelligence they need to make more informed decisions without leaving the page.
The Artifact list on a Case can now be sorted by ThreatAssess, allowing the most critical items to bubble up to the top of the list.
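To make the two correlation behaviours described above concrete (auto-relating Cases on shared Artifacts with an exclusion list, and Potential Associations that suggest an adversary when a Case artifact matches an indicator with a known attribution), here is an added, illustrative Python example. It is not NetWitness Orchestrator or ThreatConnect code and does not reflect their internal logic: the case, artifact and indicator data are constructed sample input, the adversary names and hash are hypothetical, and the exclusion check generalizes the 127.0.0.1 case to all loopback, private and link-local IPs (an assumption about what a sensible exclusion policy looks like, not something the release notes state).

```python
"""Illustrative artifact-based case correlation with an exclusion list.

Added example, not NetWitness Orchestrator / ThreatConnect code.
All cases, artifacts, indicators and adversary names below are constructed.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Constructed sample cases: case id -> artifacts collected during the investigation.
CASES = {
    "CASE-1": {"127.0.0.1", "update-check.example", "0123456789abcdef0123456789abcdef"},
    "CASE-2": {"127.0.0.1", "10.0.0.5", "evil.example"},
    "CASE-3": {"update-check.example", "10.0.0.5"},
}

# Constructed exclusion list: explicit artifacts that must never relate cases.
EXCLUDED_ARTIFACTS = {"127.0.0.1", "localhost"}

# Constructed "historical" intelligence: indicator value -> adversary it was attributed to.
INDICATOR_TO_ADVERSARY = {
    "0123456789abcdef0123456789abcdef": "Adversary Alpha",  # hypothetical hash/attribution
    "evil.example": "Adversary Beta",                        # hypothetical domain/attribution
}


def is_excluded(artifact: str) -> bool:
    """True for artifacts too generic to relate cases on.

    Combines the explicit exclusion list with an assumed generalization:
    loopback, private, link-local and unspecified IPs show up in many
    unrelated internal investigations, so they are poor correlation keys.
    Non-IP artifacts (hashes, domains, ...) are kept.
    """
    if artifact in EXCLUDED_ARTIFACTS:
        return True
    try:
        ip = ipaddress.ip_address(artifact)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def related_cases(cases: dict[str, set[str]], apply_exclusions: bool = True) -> dict[frozenset[str], set[str]]:
    """Map each pair of cases to the artifacts they share.

    With apply_exclusions=False every shared artifact counts, which is how
    127.0.0.1 ends up relating otherwise unconnected cases.
    """
    by_artifact: dict[str, set[str]] = defaultdict(set)
    for case_id, artifacts in cases.items():
        for artifact in artifacts:
            if apply_exclusions and is_excluded(artifact):
                continue
            by_artifact[artifact].add(case_id)

    relations: dict[frozenset[str], set[str]] = defaultdict(set)
    for artifact, case_ids in by_artifact.items():
        if len(case_ids) < 2:
            continue
        ids = sorted(case_ids)
        for i, first in enumerate(ids):
            for second in ids[i + 1:]:
                relations[frozenset((first, second))].add(artifact)
    return dict(relations)


def potential_associations(cases: dict[str, set[str]], intel: dict[str, str]) -> dict[str, set[str]]:
    """Suggest adversaries a case may be linked to.

    A suggestion is made when one of the case's artifacts matches an indicator
    that has historically been attributed to an adversary; the analyst still
    decides whether to turn the suggestion into an explicit link.
    """
    suggestions: dict[str, set[str]] = defaultdict(set)
    for case_id, artifacts in cases.items():
        for artifact in artifacts:
            if artifact in intel:
                suggestions[case_id].add(intel[artifact])
    return dict(suggestions)


if __name__ == "__main__":
    print("without exclusions:", related_cases(CASES, apply_exclusions=False))
    print("with exclusions:   ", related_cases(CASES))
    print("potential associations:", potential_associations(CASES, INDICATOR_TO_ADVERSARY))
```

Run stand-alone, the script shows the point of the exclusion list: without it the three sample cases are all pairwise related (CASE-1/CASE-2 on 127.0.0.1, CASE-2/CASE-3 on 10.0.0.5), while with it only CASE-1 and CASE-3, which share a domain, remain related. The Potential Associations pass is independent of the exclusion list; it keys on a match against attributed indicators rather than on overlap between cases.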