Note: If you have the Export Connector plugin in your deployment, you must do the following: • If you have Logstash installed separately, not as part of the NetWitness installation, you must uninstall the Export Connector plugin and install the updated Export Connector plugin after 12.2.0.1 patch upgrade. In this case, the old Export Connector plugin files are not automatically removed after upgrade. You must remove the old plugin files, so the scans do not list them as vulnerabilities. For more information on how to remove the old plugin files and install the updated plugins, see the Post-Upgrade Tasks section in https://community.netwitness.com/t5/netwitness-platform-online/upgrade-instructions-for-12-2-0-1/ta-p/698615.
• If you have Logstash installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin will be automatically installed during the 12.2.0.1 patch upgrade.
Upgrade Paths
The following upgrade paths are supported for NetWitness 12.2.0.1:
12.2.0.0 to 12.2.0.1
12.1.1.0 to 12.2.0.1
12.1.0.1 to 12.2.0.1
12.1.0.0 to 12.2.0.1
12.0.0.0 to 12.2.0.1
11.7.3.0 to 12.2.0.1
11.7.2.0 to 12.2.0.1
11.7.1.2 to 12.2.0.1
11.7.1.1 to 12.2.0.1
11.7.1.0 to 12.2.0.1
11.7.0.2 to 12.2.0.1
11.7.0.1 to 12.2.0.1
11.7.0.0 to 12.2.0.1
11.6.1.4 to 12.2.0.1
11.6.1.3 to 12.2.0.1
Warning: Before upgrading the UEBA host to 12.2.0.1, you must perform the backup of your Elasticsearch data such as Users, Entities, Alerts, and Indicators to retain them post upgrade. For more information, see NetWitness UEBA Configuration Guide for 12.2.
The Product Documentation section has links to the documentation for this release.
Policy-based Centralized Content Management
The following enhancements are made for Policy-based Centralized Content Management in 12.2.0.0 version:
In order to enable the administrator to choose when to enable CCM, a single CCM toggle is introduced in the UI to enable or disable CCM for all 12.0 and later versions of Decoder Services. The toggle is available on the Content page and the toggle can be used to enable or disable CCM for all eligible Core Services at once. The CCM toggle has three states:
State1: None of the Decoder Services are managed by CCM
This is the default status. The default status is applicable only: - If customers are upgrading from 11.x to 12.2 version - If customers have turned off the feature in previous versions
State 2: All Decoder Services are managed by CCM
State 3: Some Decoder Services are managed by CCM
State1: None of the Decoder Services are managed by CCM
State 2: All Decoder Services are managed by CCM
State 3: Some Decoder Services are managed by CCM
The administrator can edit the rule value while editing or cloning the Application Rule or Network Rule.
During policy creation or modification, the administrator can create a new group and assign it to the policy if there are no unassigned groups available for the policy.
For a policy, the administrator can subscribe to multiple content at once. This feature is available from 12.1.0.0 version or later.
During policy creation, the administrator can add all content to the policy based on the resource type.
For a policy failed status, a caution icon message banner is displayed in the Policies view and Groups view, indicating that the policy status failed for multiple reasons. Administrator can now see the policy overview section in the UI to find the failure reason and the workaround.
Added + Add New Datasource option to add data sources in Create Deployment view and Edit Deployment view. Administrator can now add new data sources from the Create Deployment view, and Edit Deployment view when the required data source is unavailable.
The following enhancements are made for Respond component in 12.2.0.0 version:
Introduced new pagination settings for the Incidents list view and Alerts list view. Administrator can now see all the available incidents with this feature and do the pagination settings for the following:
Navigate through required page numbers.
Set the incidents per page as per the options available.
Administrators can now configure syslog alerts for new incidents added to the incidents queue. In addition, a new template field is added with Default Respond SMTP Template. Administrators can now select the pre-configured custom syslog notification template to configure the respond OOTB template available under global notification settings or write a custom respond template.
Enhanced Email Notification Settings.
A new template field is added in the Email Notification Settings with Default Respond SMTP Template. Administrator can now select the pre-configured custom email notification template to configure the respond OOTB template available under global notification settings or write a custom respond template.
The following section describes the new enhancements for Endpoint component:
Hosts View Enhancements
The Hosts view is enhanced to help analysts get an accurate number of Hosts and the list of Windows, Mac, and Linux machines on which the suspicious Autoruns are configured.
To optimize the view for analysts, a few columns in the Hosts > Autoruns view such as Global Risk Score, Local Risk Score, Reputation, File Status, Downloaded, File Creation Time, and Signature are removed.
The columns such as Registry Path, Filename, File Path, On Hosts, Type, and Launch Arguments are re-arranged in the following order:
Registry Path
On Hosts
Type
Launch Arguments
Filename
File Path
For more information, see the Hosts View - Autoruns Tab topic in the NetWitness Endpoint User Guide.
Advanced Linux Agent - Process Event Tracking Enhancement
Linux Agent - Process Event Tracking is introduced to help analysts view the createprocess activities. Analysts can view and monitor process events to detect threats on Linux machines.
Introduced a new index config threshold slice.memory.max. When the index slice memory usage exceeds the threshold, an index save will save the index to disk, keeping the index memory usage in control. With this new setting, administrators can freely enable indexing all unique meta values on the meta keys they choose.
HTTP2 parser now supports demultiplex interleaved streams and extracts the application payload for detections in other parsers looking at tokens in the payload. This also benefits analysts to reconstruct HTTP/2 sessions, download them as PCAPs, and extract data from the compressed payloads.
NetWitness Platform XDR supports the integration of the following parser services to collect logs. These services are supported on NetWitness Platform XDR 11.7.0.0 or later.
Zscaler ZIA
Zscaler ZPA
OPSWAT Meta Access Cloud
Symantec Endpoint Security Events
Symantec Endpoint Security Incidents
S3 Universal Connector support for access logs from Application Load Balancer (ALB).
Before upgrading the UEBA host to 12.2.0.0, you must perform the backup of your Elasticsearch data such as Users, Entities, Alerts, and Indicators to retain them post upgrade. For more information, see NetWitness UEBA Configuration Guide for 12.2.0.0.
Product Version Life Cycle for NetWitness Platform
The following enhancements are made for Policy-based Centralized Content Management in 12.1.1.0 version.
Administrator can clone Application Rules and Network Rules with a unique rule name and same rule value.
IMPORTANT: - TheRule Nameis the unique title of the rule, which is used as a reference to the rule within the Content Library. - TheRule Valueis a string or text which is registered to a meta key when the rule is triggered with an "alert" output. It may be the same as the rule name, but it is not unique within the Content Library.
Single CCM toggle is introduced to enable or disable CCM for all 12.0+ Decoders and Log Decoders at once. The toggle button is available via backend of source-server.
In 12.1 and later versions, you can only manage the ESA deployments and Data Sources throughCentralized Content Management.
Go to (CONFIGURE) >Policies>Content>Event Stream Analysispage to manage the ESA deployments and Data Sources.
Refer the following screenshot.
A new unified deployment view(ESA DEPLOYMENTS)tab is created to manage deployments from a single view across all policies within CCM.
Navigation is made simple to edit policy wizard from theEdit deploymentview >View rules.
The edit deployment screen will save the current state and close. The user will be redirected to theedit policywizard on the new tab.
A new search option is created from the listed ESA rules in theView ESA rulesmodal in the edit and create deployment views.
Caution banners are created to convey the customer about the requirement of a deployment while creating ESA related policies.
After upgrading to 12.1 and later versions, you can only manage the ESA Rules in theESA Rulespage. Refer the following screenshot.
After upgrading to the 12.1.1.0 version, all the ESA deployments will be migrated to (CONFIGURE) >Policiespage. Each deployment will be converted into a policy and group and will be available to manage only after the upgrade of the Correlation servers to the 12.1.x.x version. Make sure that you plan the upgrade process so that Correlation servers are upgraded immediately after the Admin Server is done. The deployments will not be accessible until the corresponding Correlation servers are upgraded. However, the correlation servers will still continue to process the Alerts and Events.
You must upgrade the ESA hosts immediately after upgrading the Admin Server.
Note: If you have the Export Connector plugin in your deployment, you must do the following: - If you have Logstash installed separately, not as part of the NetWitness installation, you must uninstall the Export Connector plugin and install the updated Export Connector plugin after 12.1.0.1 patch upgrade. In this case, the old Export Connector plugin files are not automatically removed after upgrade. You must remove the old plugin files, so the scans do not list them as vulnerabilities. For more information on how to remove the old plugin files and install the updated plugins, seePost-Upgrade Tasks. - If you have Logstash installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin will be automatically installed during the 12.1.0.1 patch upgrade.
Upgrade Paths
The following upgrade paths are supported forNetWitness12.1.0.1:
The following enhancements are made for Policy-based Centralized Content Management in 12.1.0.0 version.
Administrators can create and upload content to the Content Library easily by:
Importing log parsers as a zip file instead of converting to ".envision" format.
Cloning existing Application Rules and Network Rules.
Administrators can switch services between legacy Content Management UI and the new Centralized Content Management via Groups and Policies using the "toggle" feature. This can prevent content being mistakenly added or modified outside of a Policy, causing an out-of-sync issue.
Each service can be toggled to work either with individual "Service or Config" interface or with Content Policies.
Toggling on Content Policy for a service will restrict the legacy UI to "read only" mode.
Administrators can now force publish all the content of a policy in two ways:
Policy Listing>More Actions>Force Publish
Policy Details>Force Publish
Administrators can easily find content, policies or groups of interest by using the "Filtering" capability of the UI inContent Library,Policy Listingpage,Policy Detailspage, andGroup Listingpage.
Administrators can receive meta key and operator suggestions while creating application and network rule conditions. This eases the creation of error-free rules. Administrators can also opt for 'Advanced mode' to create complex queries.
Addressed an issue where the Content Policy UI was not usable without an active connection to Live.
Administrators can now create, modify and publish policies and manage custom content in the Content Library even without an internet connection.
An Internet connection is still required in order to synchronize Live content with the Content Library.
Administrators can now manage ESA contents from the(Configure)>Policiespage:
Manage ESA content and handle multiple deployments seamlessly using Policy.
One-click management of subscriptions and automatic updates for ESA content.
Toggle theSubscribebutton to enable automatic updates of ESA content.
Seamlessly view ESA Live content along with your own custom content.
Add and manage ESA Correlation servers as part of groups.
Manage all the data sources for the ESA Correlation servers from theSettings>Event Stream Analysis>Data Sourcespage seamlessly.
The Respond view is enhanced to help analysts export and store the Incidents with Alerts and Events in JSON format for offline investigation.
Incidents List View Enhancements
The newExportdrop-down is added to allow analysts export and download the data such as fields or attributes associated with Alerts and Events of the selected Incidents.
You can export data of a maximum of ten incidents at a time. Once the data download is in progress, you can select a different set of ten incidents and export their data simultaneously. You can repeat this action until the conditionmax-user-tasks, which is the maximum limit set for exporting the incidents data in theRespondservice underrsa.respond.incident.exportsis met.
The following section describes the new enhancements for the NetWitness user interface:
NetWitness User Interface Enhancements
The 12.1.0.0 release includes the new NetWitness corporate logo. You can view the new logo in NetWitness Platform XDR, which updates the identity of NetWitness as a trusted brand.
As part of the repositioning, we are renaming our product as NetWitness Platform XDR. This change aims to simplify communications and improve our customers' understanding of how each product secures and protects within the NetWitness portfolio.
Endpoint Investigation
Initiate YARA Scans at the Endpoint Agent Level
Analysts can initiate YARA scans at the endpoint agent level by selecting one or multiple endpoint agents.
Enhanced Process Tree View for Endpoint Alerts on Respond
The Process Tree view on theRespond>Alerts>Endpoint Alerts>Alert detailspage is enhanced with the newFile Actionstab next toInvestigate Timeline. With this enhancement, analysts can quickly save a local copy of the selected file, download it to the server, or block it.
Policy based Centralized Content Management is a unified approach to find, deploy, and manage content through the entire life cycle based on policies that can be assigned to groups of devices. It is a single location to view, modify and manage the content deployed across all services in the environment.
Benefits of Policy based Centralized Content Management:
Add content from RSA Live or add your own custom content.
Add or remove content without repeating the process on each individual service.
Add a new service to an existing group to automatically deploy all necessary content.
Simply toggle theSubscribebutton to enable automatic updates of content.One-click management of subscriptions and automatic updates
Provide highly responsive and updated UI for browsing RSA Live content that can help you with the following:
View Live and custom content along with your content policies and click to add content
Seamlessly view Live content along with your own custom content.
Centrally import and deploy live and custom content.
The following section describes the new enhancements for the Springboard component:
Enhanced Springboard to Support New Built-in Panels
NetWitness Platform Springboard introduces five more out-of-the-box panels based on the events processed and presented on Springboard view. On the Springboard, Administrators and Analysts can now view the following panels of events data which helps in threat hunting and investigation:
MITRE ATT&CK tactics
MITRE ATT&CK techniques
Indicators of Compromise
Enablers of Compromise
Behaviors of Compromise
Administrators can customize these panels to display only the event-focused data for analysts to carry out further investigation.
Administrators and Analysts can now add their own custom private board to the NetWitness Platform Springboard and add panels with important system indicators, which helps in threat hunting and investigation. The custom private board is visible only for users who created it. The board allows users to organize and manage information in an easy manner.
During investigation, Administrators and Analysts can add a Springboard panel from theInvestigate>Eventsview. You can add any number of filters on the query search bar and convert them to Springboard panels for further detection and watch results. The newly added panels will be saved under a custom private board. The board will allow users to organize and manage information in an easy manner.
The Respond view is enhanced to track and capture all the events performed by the users on an incident. The toolbar actions are enhanced to allow users select only the valid priority, status, and assignee for an incident.
Incident Workflow Enhancements
The following changes have been made to theChange Statusdrop-down list in theRespond> Incidentsview:
Added the new Incident statusReopento help users open the closed incidents.
RemovedNewandAssignedstatuses but they are still displayed in the Status column in theRespond> Incidents>Incidents Listview.
Streamlined the incident status change workflow. All the invalid statuses are grayed out, allowing the users to select only the valid status for any incident.
The newHistoryPanel is added to display every action performed by the user on an incident. The various actions performed on an incident are as shown below:
The following section describes the new enhancements for the Investigation component:
Indicators for Searchable Meta
The meta key and meta value pairings now display a binocular icon while viewing a text reconstruction in the Event Meta panel, indicating the search option. This enhancement helps the analysts to visually see the indication rather than going through the list of all metadata to figure out which ones may be searched.
Unified Discovery and Interaction of Events Metadata
Hosts and Files Alerts Details View
Analysts have a unified way to interact with events metadata presented in the Alerts tab of Hosts and Files details view to perform actions or review contextual information. Analysts can use the right and left click options to view the unified panel data.
For more information on Hosts and Files, seeAnalyze Hosts Using the Risk ScoreandAnalyze Files Using the Risk Scoretopics inNetWitness Platform Endpoint User Guide.
Respond View
Analysts have a unified way to interact with events metadata presented in the Respond view to perform actions or review contextual information.
On the Respond Indicators panel, Nodal Graph, and Events List view, analysts can use the left and right click options to view the unified panel data.
Enhanced Querying on Events View to Exclude any Specific Meta
Analysts can now exclude particular meta values while querying using the NOT(metacontains 'meta value') option available in the investigate unified panel. The specified meta value is removed from the query results when you use NOT(metacontains 'meta value') withAppendorRefocusoption on a specific meta value. This enhancement helps the analysts to view only the required data results in an optimized manner and conduct further investigation efficiently.
Analysts can directly view encrypted data that has been decrypted by the decoder, thereby reducing time and effort in converting data into readable format. The analysts can enable using theDisplay Decrypted Payloadtoggle option in theEvents>Textview.
Select Custom Date and Time Range in the Events View
Analysts can set a custom range in theInvestigate>Eventsview to select a specific time, date, month, and year using the calendar view that is displayed on clicking theCustom Rangeoption. This enhancement helps the analysts to select date and time quickly and avoid manual intervention therefore avoiding human errors (typos).
The following section describes the new enhancements for the NetWitness user interface:
NetWitness User Interface Enhancements
The 12.0.0.0 release includes the new NetWitness corporate logo. You can view the new logo in NetWitness Platform, which updates the identity of NetWitness as a trusted brand.
As part of the repositioning, we are renaming our product asNetWitness Platform XDR. This change aims to simplify communications and improve our customers' understanding of how each product secures and protects within the NetWitness portfolio.
Endpoint Investigation
The following section describes the new enhancements for the Endpoint component:
Detection of removable Storage Devices
NetWitness Endpoint Agents are enhanced with the capabilities to detect and report removable storage devices. The Endpoint agents will detect and report when a removable storage device is plugged in or removed. This enhancement provides analysts with extended threat detection capabilities. For more information, see theNetWitness Endpoint User Guide.
Block Multiple File Hashes Using an Imported File
Administrators can import a file with a list of known file hashes that are not present in the environment and block them as soon as they are detected. This enhancement will help analysts to block multiple hashes without manual intervention.
Support for Arm-based Windows Machines
Administrators can install Endpoint agents on Arm-based Windows machines. This enhancement provides analysts with threat detection capabilities on more types of devices.
Download MFT from Multiple Hosts in One Step
Analysts can now download MFT(Master File Table) from multiple hosts on the Hosts list view in one step. This enhancement helps analysts download MFT without opening the Host details view of each host. For more information, SeeDownload Master File Tabletopic onNetWitness Endpoint User Guide.
Customizable Maximum File Download Limits
The limit to the maximum number of file downloads on the Endpoint server is enhanced. On the explore page of an Endpoint server, Administrators can set the limit from 100 to 1000 files. For more information, seeDownload Files Using Full Path or WildcardonNetWitness Endpoint User Guide.
Redesigned Alert Details View for Endpoint Alerts in Respond
In the Respond view, the alert details view for Endpoint alerts shows end-to-end details about an alert. The details are presented in the form of a process tree along with a right panel that provides detailed information about the alert categorized into the following sections:
Summary: A short summary of the alert.
Event Details: Shows the directory, user, hash, signature, risk score, etc.
Process Details: Shows the tactics, techniques, times and details about the targets.
Network Connections: Shows any network connection established ten minutes before and till ten minutes after the alert triggered time.
Origin: Shows how the selected file in the process tree is originated.
Exists on Hosts: The host in which the selected file in the process tree exists.
Besides the above sections, theInvestigate Timelinetakes to the investigate view that has more detailed information.
The following section describes the new enhancements for the Concentrator, Decoder, and Log Decoder components:
Log Parsing Enhancements
The following log parsing enhancements are made in 12.0.0.0 version. These are new elements that you use in the creation of a log parser:
New Selector Parsing Element Added to Dynamically Map Captured Values to a Meta Key
This will allow the log parser to automatically choose from two or more optional meta keys to assign to a parsed value depending upon the value of another meta key. Consider the following sample log snippet:
In the above example, if the value of Direction is ”src”, then the preferred meta key to use for the value of Address would likely beip.src. Conversely, if the value for Direction is ”dest”, then the meta keyip.dstmight be preferred. This can now be achieved with the newSELECTORlog parsing element.
Support for Advanced Parsing Elements within CEF Parser and DataType
Support added to CEF parser for VARTYPE, SCANNED, DataType, and Selector parsing elements.
Allows the CEF parser to take advantage of the fine parsing capabilities found in other parsers.
Dynamic parsing support including PARSERULESCAN added to DataType parsing element.
Allows nesting of dynamic parsing elements (parse rules) from within an existing DataType.
Enhanced Network Decoder to Decrypt Incoming TLS 1.3 Packets
The enhanced network packet decryption capability helps inspect TLS 1.3 encrypted communications using ephemeral session keys. Administrators can configure Network Decoder to enable decryption of incoming TLS 1.3 network packets.
The Event Stream Analysis is enhanced to reduce the time consumed for new rules deployment.
Improved ESA Rules Deployment
The ESA Rule Deployment has been enhanced with a new option to deploy the rules faster. If you want to push rule-related changes, you can quickly deploy the new rules by clicking theFast Deployoption. For more information, seeAlerting with ESA Correlation Rules User Guide.
Reports
The following section describes the new enhancements for the Reports component:
Build Rule View Enhancements
TheBuild Ruleview is enhanced to help users view the following information in the report generated:
The average time taken to assign the incident.
The average time taken to complete the task.
The average time taken to close the incident.
The following changes have been made in theBuild Ruleview:
Two new options are added in theFromfield:
incidentStats: The following metas are supported forincidentStats:
created
mtta.time: Displays the average time taken to acknowledge the incidents in a single day.
mtta.count: Displays the number of incidents acknowledged in a single day.
mttd.count: Displays the number of incidents detected in a single day.
mttd.time: Displays the average time taken to detect the incidents in a single day.
mttr.time: Displays the average time taken to resolve the incidents in a single day.
mttr.count: Displays the number of incidents resolved in a single day.
These metas are displayed in the report generated. Refer the following figure.
incidentUserStats: The following metas are supported forincidentUserStats:
userName: Displays the assignee's or the user's ID for the associated user stats.
totalClosedCount: Displays the total number of Incidents closed by the assignee till date.
meanTimeToDetect: Displays the average time taken by the user to detect the incidents in the time range selected.
mttdCount: Displays the count of incidents contributing to the MTTD value computed.
incidentIds: Displays the list of incident IDs closed by the user during the time range selected.
These metas are displayed in the report generated. Refer the following figure.
New metas are added forincident. The newly added metas are as shown below:
assignee.id
tta(Time to Acknowledge): Displays the time taken to assign an Incident after creating it.
ttd(Time to Detect): Displays the time taken for completing the task after the Incident is assigned.
ttr(Time to Resolve): Displays the time taken for closing the task after the Incident is created.
These metas are populated on theTest Ruleview. Refer the following figure.
Note: If you have the Export Connector plugin in your deployment, you must do the following: - If you have Logstash installed separately, not as part of the NetWitness installation, you must uninstall the Export Connector plugin and install the updated Export Connector plugin after 11.7.3 patch upgrade. For more information to install the updated plugin, see Post-Upgrade Tasks on the Upgrade Guide for 11.7.3 - If you have Logstash installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin will be automatically installed during the 11.7.3 patch upgrade. In both the above cases, the old Export Connector plugin files are not automatically removed after upgrade. You must remove the old plugin files, so the scans do not list them as vulnerabilities. For more information on how to remove the old plugin files, see see Post-Upgrade Tasks on the Upgrade Guide for 11.7.3
Endpoint Enhancements
The Hosts and Files view is enhanced to help Analysts view the actual risk score of the Blacklisted files. The risk score of the files increases once they are blacklisted.
File Name column is exported when you export the Files attributes to a CSV file.
The timeouts or delays in mongo.db due to the presence of huge bash history for a few agents are resolved.
Usability Enhancements
The Test Chart feature in Reports (Reports > Charts > Add new chart > Test Chart) is enhanced to load with different time ranges.
Upgrade Paths
The following upgrade paths are supported for NetWitness Platform XDR 11.7.3.0:
11.7.2.0 to 11.7.3.0
11.7.1.2 to 11.7.3.0
11.7.1.1 to 11.7.3.0
11.7.1.0 to 11.7.3.0
11.7.0.2 to 11.7.3.0
11.7.0.1 to 11.7.3.0
11.7.0.0 to 11.7.3.0
11.6.1.4 to 11.7.3.0
11.6.1.3 to 11.7.3.0
11.6.1.2 to 11.7.3.0
11.6.1.1 to 11.7.3.0
11.6.1.0 to 11.7.3.0
11.6.0.0 to 11.7.3.0
11.5.3.3 to 11.7.3.0
11.5.3.2 to 11.7.3.0
For more information on upgrading to 11.7.3.0, see Upgrade Guide for NetWitness Platform XDR 11.7.3.0
Note: If you have the Export Connector plugin in your deployment, you must do the following: - If you have Logstash installed separately, not as part of the NetWitness installation, you must uninstall the Export Connector plugin and install the updated Export Connector plugin after 11.7.2 patch upgrade. For more information to install the updated plugin, see Post-Upgrade Tasks on the Upgrade Guide for 11.7.2 - If you have Logstash installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin will be automatically installed during the 11.7.2 patch upgrade. In both the above cases, the old Export Connector plugin files are not automatically removed after upgrade. You must remove the old plugin files, so the scans do not list them as vulnerabilities. For more information on how to remove the old plugin files, see see Post-Upgrade Tasks on the Upgrade Guide for 11.7.2
Upgrade Paths
The following upgrade paths are supported for NetWitness Platform XDR 11.7.2.0:
The NetWitness 11.7.1.2 release notes provides information about the changes in NetWitness Platform 11.7.
Fixed Issues
For more information on Fixed Issues, see Fixed Issues.
Security Fixes
The Log4j vulnerability recently discovered in the commonly used open source logging library has been addressed. This applies to CVE-2021-44228. For more information, see the Security Advisory for Log4j.
Note: This patch release of NetWitness addresses log4j vulnerabilities reported till date. The following CVEs were validated and found to be not exploitable. - CVE-2021-44228 - CVE-2021-44832 - CVE-2021-4104 - CVE-2021-45105 - CVE-2021-45046 NetWitness will continuously monitor this issue for new developments and provide periodic updates.
Note: If you have the Export Connector plugin in your deployment, you must do the following: - If you have Logstash installed separately, not as part of the NetWitness installation, you must uninstall the Export Connector plugin and install the updated Export Connector plugin after 11.7.1.2 patch upgrade. In this case, the old Export Connector plugin files are not automatically removed after upgrade. You must remove the old plugin files, so the scans do not list them as vulnerabilities. For more information on how to remove the old plugin files and install the updated plugins, see Post-Upgrade Tasks. - If you have Logstash installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin will be automatically installed during the 11.7.1.2 patch upgrade.
Note: The traces of the old .jar files with the vulnerable versions of log4j in /tmp/jetty folder are found while upgrading from 11.5.x.x and 11.6.x.x versions to 11.7.x.x version. As a result, the scans reported the presence of older versions of log4j vulnerability. This issue has been addressed and the /tmp/jetty folder is cleaned up to remove the older versions of log4j vulnerability.
The NetWitness 11.7.1.1 release notes provides information about the changes in NetWitness Platform 11.7.
Fixed Issues
For more information on Fixed Issues, seeFixed Issues.
Security Fixes
The Log4j vulnerability recently discovered in the commonly used open source logging library has been addressed. This applies toCVE-2021-44228. For more information, see theSecurity Advisoryfor Log4j.
Note: This patch release of NetWitness addresses log4j vulnerabilities reported till date. The following CVEs were validated and found to be not exploitable. - CVE-2021-44228 - CVE-2021-44832 - CVE-2021-4104 - CVE-2021-45105 - CVE-2021-45046 NetWitness will continuously monitor this issue for new developments and provide periodic updates.
Note: If you have the Export Connector plugin in your deployment, you must do the following: - If you have Logstash installed separately, not as part of the NetWitness installation, you must uninstall the Export Connector plugin and install the updated Export Connector plugin after 11.7.1.1 patch upgrade. In this case, the old Export Connector plugin files are not automatically removed after upgrade. You must remove the old plugin files, so the scans do not list them as vulnerabilities. For more information on how to remove the old plugin files and install the updated plugins, see Post-Upgrade Tasks. - If you have Logstash installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin will be automatically installed during the 11.7.1.1 patch upgrade.
Upgrade Paths
The following upgrade paths are supported forNetWitness11.7.1.1:
NetWitness11.5.3.2 to 11.7.1.1
NetWitness11.5.3.3 to 11.7.1.1
NetWitness11.6.0.0 to 11.7.1.1
NetWitness11.6.0.1 to 11.7.1.1
NetWitness11.6.1.0 to 11.7.1.1
NetWitness11.6.1.1 to 11.7.1.1
NetWitness11.6.1.2 to 11.7.1.1
NetWitness11.6.1.3 to 11.7.1.1
NetWitness11.6.1.4 to 11.7.1.1
NetWitness11.7.0.0 to 11.7.1.1
NetWitness11.7.0.1 to 11.7.1.1
NetWitness11.7.0.2 to 11.7.1.1
NetWitness11.7.1.0 to 11.7.1.1
Enhancements
The following section lists the enhancements to specific capabilities. To locate the document referred to in this section, go to the NetWitness Platform 11.x - All Documents. Product Documentation has links to the documentation for this release.
Reports
View Creator Information
The Created By column has been added to the Reports List page. This column enables you to view and analyze the ownership information of all the reports that exist in the system, which includes new, copied, and imported reports. When a report is exported, the owner details are retained. However, when a report is copied, the owner of the report changes to the user who created the copy. For more information, see theReporting User Guide.
Log Collection
Administrators can now fetch the user information from the logs collected through MSExchange Management channel.
To view the user information:
Navigate toServer Manager>Diagnostics>Event Viewer>Applications and Services Logs>MSExchange Management.
In theMSExchange Managementview, select the log file.
Click theDetailstab. Select theXML View.
SelectEventData. The third row in the<EventData>section displays the required user information.
Note: Alternatively, you can select the Friendly View under the Details tab to view the user information in the EventData section.
Administrators can pre-stage the upgrade repository by downloading the required packages (.zip) without affecting the system. This minimizes the upgrade downtime and ensures the upgrade is completed within the planned time. The Pre-Stage Host option is available on the NetWitness UI and requires the NetWitness Server Host to be connected to Live Services. For more information, seeHosts and Services Maintenance Procedurestopic in theHosts and Services Getting Started Guide.
Note: You can use this feature only if you upgrade from 11.7.1.0 to a higher version.
Support for Additional Pre-Upgrade Check Utility
Additional health-check utility is introduced for Administrators to analyze the current NetWitness setup and identify conditions that may impact the upgrade. If any issues are detected, the issues can be resolved before proceeding with the upgrade.
The pre-upgrade check verifies the following:
(Component Hosts) Node X Service Status- Verifies the status of services (Active or In Active) on all the Node X.
(Component Hosts) Node X Certificates Check- Checks the certificate expiry, missing, corrupted, and issuer mismatch in all categories of Node X.
CPU-Memory Info- Provides CPU and Memory details along with the real-time available memory.
(Admin Server) Node 0 File System Utilization- Verifies the disk partition utilization of/var/netwitness/mongo,/var/netwitnessandrooton Node 0.
(Component Hosts) Node X File System Utilization- Verifies the disk partition utilization of/var/netwitness/mongo,/var/netwitnessandrootfor ESA Primary, Endpoint Log Hybrid, and UEBA services on Node X.
Mongo File (ESAPrimary)- Checks the ESA Primary node in the system and verifies the permission mode of mongo file.
Orchestration Server Normal Mode- Checks if the orchestration service is running in normal or safe mode.
(Admin Server) Node 0 Init status- Checks if there are any issues that might fail init process.
(Admin Server) Node 0 closed ports- Checks if the service ports required for NetWitness services are open and listening on Node 0.
(Component Hosts) Node X closed ports- Checks if the service ports required for NetWitness services are open and listening on Node X.
Unified Discovery and Interaction of Investigate Metadata- Analysts have a unified way to interact with metadata presented in the Events view to perform actions or review contextual information.
Analysts can perform actions and view the context data for a selected meta in the same window or a separate window that will enable the display of data in an optimized manner, and easily carry out further investigation.
Free-form Query Preference- With the new preference, analysts can choose to split the free-form queries into multiple guided filters or a single free-form query. Analysts can switch the modes using the Free Form Split checkbox.
Light Theme Overhaul– The existing light theme primary and secondary colors on the UI has been enhanced to provide better contrast and shading for improved user experience.
Capabilities for Detecting Ransomware that Use the Registry
Endpoint agents can detect ransomware that uses the registry to perform actions such as forcing Windows machines to reboot in safe mode, encrypting files, and deleting volume shadow copies.
Endpoint Agent Support for macOS Monterey and Windows 11
Endpoint Agents are enhanced to support macOS Monterey (12.0.1) and Windows 11. To view the list of supported operation systems, seeIntroduction to Endpoint Agent Installationon theNetWitness Endpoint Agent Installation Guide.
Support for Offline or Standalone Scans on Air-gapped Windows Hosts
Administrators can execute offline or standalone scans on air-gapped Windows hosts to perform threat analysis on the Windows hosts disconnected from the network. Administrators can download the Offline Scan Configuration file from UI and execute it on multiple air-gapped hosts. Then, the Offline Scan File(scan results file) can be transferred to the UI and uploaded to the Endpoint server for processing. SeeStandalone Scan on Air-gapped Windows Hoststopic onNetWitness Endpoint User Guidefor more information.
Support for Full System Scan
Analysts can perform a full system scan on system drives and all fixed drives in addition to the quick scan of executable files in memory. For more information, see Scan Hosts topic onNetWitness Endpoint User Guide.
Redesigned Alerts Tab for Optimized Navigation
Analyst can use the redesigned alerts tab to conveniently access all alert information and the associated events for optimized navigation on Host details view. For more information, seeNetWitness Endpoint User Guide.
Concentrator, Decoder, and Log Decoder Services
Centralized Configuration Management Enhancements
The enhanced centralized configuration management allows administrators to:
Reconfigure 10G Network Decoders from the Policy UI. Administrators can quickly create 10G policies for each Decoder group based on the hardware profile.
Clone policy from an existing service to save policy transition time for existing users.
Restart only specific services within a service group that require changes. This minimizes potential downtime.
Enhanced Network Decoder to Support Load Balancing Deployments
When you shut down the Decoders, the network interfaces connected to the Decoders are automatically shut down. Then, the load balancers divert the traffic to other available Decoders. This enhancement will protect customers from data loss when they use load balancers to distribute traffic between several Decoders. For more information, seeConfigure the Decoder Capture Failover in Load Balance Deploymentstopic onDecoder and Log Decoder Configuration Guide.
Event Stream Analysis (ESA)
Enhanced Performance when Retaining Incident Network Data Artifacts
Respond analysts saving artifacts of an incident will notice improved feedback for the tasks running and swifter completion of those tasks.
Analyst can use the new Retention Usage tab to view the statistics of all configured services and the percentage used by the pinned cache directories.
With this information, the analyst can:
Determine if the disk is running out of space and if additional space needs to be added or the persistence needs to be suspended for the existing events in an incident.
Obtain insights on the space requirements for retention functions.
In Respond > Incidents tab, analyst can click the Retention Usage tab to fetch all the statistics of all the configured services and the percentage used by the pinned cache directories.
Administrators can configure to ignore the case sensitivity of values a feed uses as part of the feed wizard in the UI. This allows the administrator to avoid converting the feed into an XML format or perform additional steps during deployment. For more information, seeCreating a Custom Feedin theLive Services Management Guide.
NetWitness Topology Feature
The following enhancements help administrators and analysts to:
Obtain quick insights using the Search Option– The search option helps locate a specific service, without having to look at the entire hierarchical layout.
View ESA hosts: ESA service and the connected services can be viewed in the hierarchical layout.
Improved error messaging to include the source string and target format when an unrecognized string format exception is generated to help users determine the root cause.
Support for new internal RAID controller (PERC H750) on Series 6 Appliances
The existing internal controller (PERC H740 Mini) on S6 RSA PowerEdge 640/740 based appliances are replaced with PERC H750. All S6 appliances will have the new ISO to support PERC H750. All future S6 appliances and RMA will have PERC H750. Before adding a new appliance with PERC H750 to your existing deployment (For example, 11.7.0.0 or 11.7.0.1), you must first upgrade the Admin Server and Standby Admin Server to version 11.7.0.2 or higher.
The NetWitness 11.7.0.2 release notes provides information about the hardware changes in NetWitness Platform 11.7.
Security Fixes
The Log4j vulnerability in the commonly used open source logging library has been addressed. For more information, see the 11.7.0.1 Release Notes.
Support for new internal RAID controller (PERC H750) on Series 6 Appliances
The existing internal controller (PERC H740 Mini) on S6 RSA PowerEdge 640/740 based appliances is replaced with PERC H750. All S6 appliances from now on will have the new ISO to support PERC H750.
Note: By default, all future S6 appliances and RMA will have PERC H750, so you must upgrade the Admin Server and Standby Admin Server to 11.7.0.2, before adding a new appliance with PERC H750 to your existing 11.7.0.0 or 11.7.0.1 deployment.
Upgrade Paths
The following upgrade paths are supported forNetWitness11.7.0.2:
The NetWitness 11.7.0.1 release notes provides information about the changes in NetWitness Platform 11.7.
Security Fixes
The Log4j vulnerability recently discovered in the commonly used open source logging library has been addressed. This applies toCVE-2021-44228. For more information, see theSecurity Advisoryfor Log4j.
Note: This patch release of NetWitness addresses log4j vulnerabilities reported till date. The following CVEs were validated and found to be not exploitable. - CVE-2021-44228 - CVE-2021-44832 - CVE-2021-4104 - CVE-2021-45105 - CVE-2021-45046 NetWitness will continuously monitor this issue for new developments and provide periodic updates.
Note: If you have the Export Connector plugin in your deployment, you must do the following: - If you have Logstash installed separately, not as part of the NetWitness installation, you must uninstall the Export Connector plugin and install the updated Export Connector plugin after 11.7.0.1 patch upgrade. For more information to install the updated plugin, see Post-Upgrade Tasks. - If you have Logstash installed as part of the NetWitness installation on the Log Collector service, the updated Export Connector plugin will be automatically installed during the 11.7.0.1 patch upgrade.
In both the above cases, the old Export Connector plugin files are not automatically removed after upgrade. You must remove the old plugin files, so the scans do not list them as vulnerabilities. For more information on how to remove the old plugin files, see Post-Upgrade Tasks.
Upgrade Paths
The following upgrade paths are supported forNetWitness11.7.0.1:
As analysts review events, the new compact and expanded metadata views provide an alternative workflow to only view the high-level details of the event and in use cases where no raw data is present.
Improved Broker Query Experience
Analyst queries at the top-level Broker now by default provide partial results when one of the sub-services loses connectivity or times out. In addition, a hierarchical view of what is attached to the Broker is available to analysts to exclude certain sub-services prior to query if necessary.
Email Reconstruction Improvement
Analyst can view the content of all the emails in a single session using the Expand All Emails option available on the Email view.
Direct Query Interaction with Meta Keys in Event Filter Panel
Analyst steps to create a query have been streamlined by clicking directly on the meta key name to generate a query with only the meta key. Alternatively, searches with combination of key value pairs are available inside the Event Filter panel without requiring direct interaction with the query bar.
Network Fragment Identification
Analysts can view the related sessions for an event for analysis and investigation by hovering over the icon for the event.
Saved Time Ranges
Analysts can take advantage of the last five recently used time ranges for future searches saving the investigation time. The saved time ranges are displayed under the Recent Time Ranges section.
For more information, see theInvestigation User Guide.
Endpoint Investigation
Granular Role Based Access Control for Endpoint Server
With the enhanced RBAC (Role-Based Access Control), administrators can grant or revoke access to specific Endpoint servers rather than all. And the addition of new permissions called endpoint-server.file.analyze and endpoint-server.tag.manage, adds flexibility in managing user privileges. For more information on managing permissions for an individual Endpoint server, seeNetWitness Endpoint Configuration Guide.
Few Privileges Removed Fromendpoint-server.agent.manageAnd Added toendpoint-server.file.analyze
Analyze File, Save Local Copy and Scan with OPSWAT privileges are removed fromendpoint-server.agent.manageand added to a new permission calledendpoint-server.file.analyze. For more information see theSystem Security and User Management Guide.
Manage Hosts Using Tags
Analysts can create Tags to manage the hosts. Tags are custom texts (can combine alphanumeric and special characters) that you can create and assign to hosts. You can create host groups based on tags, and on the Hosts view, you can filter hosts by tags using the filters pane. Administrators can create and assign tags while generating the agent packager, and these are added to the hosts by default when the Endpoint agent is installed. For more information on managing tags, seeNetWitness Endpoint User Guide.
Enhanced Windows Agent to Support Detecting the Persistence Techniques Targeting the Registry
The enhanced Windows agents detects persistence techniques that use the Windows registry. The registry monitor is more reliable now as it detects suspicious activity in an enhanced manner. For more information, see theNetWitness Endpoint User Guide.
Enhanced Suspicious Thread Detection
This enhancement to the suspicious thread detection helps detect and report suspicious threads more effectively using different methods. This enhancement enables analysts to have access to all the details and capabilities related to the suspicious threads as before. For more information, referNetWitness Endpoint User Guide.
Delete Blocked Files Through Elevated Command Prompt
You can delete the blocked files on the host using the delete command on the elevated command prompt on the host.
Concentrator, Decoder, and Log Decoder Services
Introduction of Centralized Configuration Management
The management of general NetWitness core services namely Concentrator, Decoder, and Log Decoder configurations can be administered centrally from a single policy-based interface and distributed to multiple services. With centralized configuration management, administrators can:
Create a group of the same service type based on similar hardware profiles or other criteria
Add configuration items to policies in order to customize settings. Any settings which are not in the policy will be left as default
Apply customized settings to any number of services in one step
Restart all services within a group to apply changes
View when an action is required, such as service restart, unpublished policies or out-of-compliance services indicated by the icon.
Revert changes to a policy or group quickly
For more information, seeHost and Services Getting Started Guide.
Enhanced Query Accuracy
An optional index configuration is available on a per meta key basis to extend the default key-value search into an N-gram layout. In addition to enabling query and reporting capabilities, this combination also provides complete and accurate search results, even if a maximum value threshold has been met.
For more information, see N-grams in theCore Database Tuning Guide.
Event Stream Analysis (ESA)
Enhancements for persisting Events and Incidents
Analysts can persist events encompassed in an incident, thus enabling to view the incident in the future, regardless of its age. Analysts can:
Pin or unpin multiple events at an incident and alert level
View details on when the events were persisted.
Check the status of the persisted events, whether it is Completed, Partial, or None.
Administrators can set up permissions for users to persist raw data associated with a particular incident.
For more information, see theRespond User Guide.
Platform
Backup and Restore Improvements
A new NetWitness Recovery Wrapper tool is introduced to centrally back up and restore individual or multiple hosts. This tool allows custom files to be incorporated in restorations and handles all supported deployment installations (Physical, Virtual, and Cloud).
With NetWitness Recovery Tool administrators can:
Back up (export) an individual, a specific, or all hosts at a time
Restore (import) an individual host at a time
Customize files or folders during backup and restore
Copy backup data to remote host location from NetWitness hosts and vice versa
For more information, see "Disaster Recovery (Back Up and Restore)" topic in theNetWitness Recovery Tool User Guidefor NetWitness.
Upgrades
Introduction of Pre-Upgrade Check Utility
A new health-check utility is introduced for administrators to analyze the current NetWitness setup and identify conditions that may impact the upgrade. If any issues are detected, the issues can be resolved before proceeding with the upgrade.
The pre-upgrade check verifies the following:
Security Client File Check- Ensuressecurity-client-amqp.ymlfile is not present
Node-0 NW Service-id Status- Ensures all the service-ids are intact with the services in Node 0
Broker Service Trustpeer Symlink- Ensures Broker symlink file(/etc/netwitness/ng/broker/trustpeers/)is not broken
Node-0 NW Services Status- Checks the status of all the services in Node 0
Yum External Repo Check- Ensures external repos are not available
RPM DB Index Check- Checks if the RPM DB is corrupted
Salt Master Communication- Verifies the salt communication from Node 0 to all the Nodes
Node-0 Certificates Check- Checks if any certificates are missing, expired, or invalid
For more information, seeUpgrade Guide for NetWitness 11.7.
NetWitness Services
Introduction of NetWitness Service Topology Map
A view of the hierarchical layout of all NetWitness core services depicting the collection and aggregation of services provides administrators and analysts quick insights into their deployment and the services that are online or offline. This topology displays only the Broker, Concentrator, Log Decoder, Packet Decoder, Hybrids, and Log Collector services.
Note: Reporting Engine, Malware Analysis, UEBA, Endpoint Server, Cloud Link service, and Warehouse Connectors are not supported.
On the compact view, the Event Filter Panel and Event Meta Labels are optimized to display maximum information on a single page. With this view, analysts can easily perform the investigation. The label and icon size on the Event Filter Panel are optimized so that the meta keys and values are displayed on the same line.
Timeline Options
Analysts can now easily view the timeline for event by clicking on the icon. By default the timelines is enabled for all events.
For more information, see the Investigate User Guide.
User Entity Behavior Analytics
Alert Feedback Enhancement
Analysts have the option to mark the status of mutliple alerts as Not a Risk or None. None is used when the events are Not a Risk. Multiple alerts grouped by date can be selected to perform this action. When the status is updated, the alert contribution score will change automatically, for example, if an alert is marked as Not a Risk, the alert score is reduced. If the status is updated as None, the score increases. For more information, see the UEBA User Guide.
Endpoint Investigation
Support for OPSWAT Scans
Analysts can simultaneously perform threat detection with multiple anti-malware engines with OPSWAT (MetaDefender Core). Executable files(PE, Macro, Script, ELF) will automatically be sent to the OPSWAT server for scanning. Analysts will get alerts if a file is found Infected or Suspicious (critical for Infected and High severity for Suspicious files). The risk score will also increase for the file and the corresponding host, thus helping to respond to threats quickly. For more information on how to use OPSWAT within the NetWitness Platform, see the NetWitness Endpoint User Guide. And, for more information on how to configure OPSWAT on endpoint servers, see NetWitness Endpoint Configuration Guide.
Create groups with Machine OU as a filter
Analysts can use Machine Organizational Unit (Machine OU) as a filter while creating groups on the Admin > Endpoint Sources > Groups view. Using Machine OU to filter hosts can save much time and effort as it is more effective than using IPV4 or domain names in an environment with thousands of agents.
Extended Agent Support for Mac BigSur (version 11) on M1
NetWitness Endpoint agents now support Mac BigSur on both M1 and Intel. For more information, see NetWitness Endpoint Agent Installation Guide.
Automatic download of memory DLL files
Analysts can now investigate the memory DLL files in detail. All memory DLL files that are detected during a scan, are automatically downloaded to the server irrespective of the file size.
Added agent folder protection in the driver
Netwitness platform version 11.6.1 and higher, the files inside the agent folder are protected from delete, rename, or modification operations. This protection will prevent malware from locking files inside the agent folder to block sending the tracking data.
Event Stream Analysis (ESA)
Optionally Persist Incident Artifacts
You can persist events that are associated with particular incidents, thereby enabling you to view the incident in the future, regardless of its age. You can also add a new journal entry in the JOURNAL tab for the persisted events for future reference. The event data will always be available for viewing and reconstruction as long as the event is persisted, enabling you to easily refer back to details, even if the original event has rolled over from the NetWitness database.
Once you persist an event, the data is copied from the NetWitness database into a long term storage cache within the data source. The persisted events are saved in the directory /var/netwitness/pin- <servicetype>, by default. You can manually change the event storage location from the default directory to any other directory, as per the requirement. For more information, see the Respond User Guide.
Log Collection
Trusted Authentication for NetWitness Export Connector
Trusted authentication allows you to authenticate using the existing certificates for aggregation while configuring NetWitness Export Connector. This eliminates the need to manually enter the credentials (username and password) and avoid storing passwords locally.
Support for Logstash Keystore from UI
Logstash keystore management allows you to securely store and maintain (add, edit, or delete) secret values key and password through NetWitness Platform UI. The key set is used during the Logstash pipeline configuration.
This eliminates the need to manually create or update credentials on the Log Decoder or Virtual Log Collector using Logstash Keystore CLI commands. For more information, see the Log Collection Guide.
Reports
View Creator Information
The Created By column has been added to the Reports List page. This column enables you to view and analyze the ownership information of all the reports that exist in the system, which includes new, copied, and imported reports. When a report is exported, the owner details are retained. However, when a report is copied, the owner of the report changes to the user who created the copy. For more information, see the Reporting User Guide.
Note: When you upgrade from a previous version to NetWitness Platform Release 11.6.1, the Created By column does not display the ownership information for the reports that exist prior to the upgrade.
The RSA NetWitness Platform 11.6.0.1 release notes provides information about the changes in NetWitness Platform 11.6.
GPG Key Changes
The GPG Signing for NetWitness has changed for releases beyond 11.6.0.0. In order to upgrade to 11.6.0.1 release, you must first upgrade to a version that is signed by the old GPG key but contains the new GPG key. For more information, see GPG Key Change in NetWitness Platform Beyond 11.6.0.0.
Upgrade Paths
The following upgrade paths are supported for NetWitness Platform 11.6.0.1:
The new faceted search layout of the default Events view makes interacting with large amounts of data collected from the enterprise a more familiar experience and efficient workflow. By combining the functions of the Navigate and Event views, analysts can apply filters by interacting with any metadata generated by the platform which in turn creates the query and automatically executes a search to fetch the resulting events.
Organize Investigate Content (Column groups, Meta groups and Query Profiles)
All Investigate content is displayed in a folder structure to help analysts organize their views depending on use cases. The RSA Groups (RSA Live content and RSA OOTB groups), and Shared group folders are available to all analysts. All Private groups, folders and sub-folders are displayed only to the analysts who created them. You can create, edit, copy, and delete Shared and Private folders and sub-folders.
Deliver Investigate Content (Column groups, Meta groups and Query Profiles) using RSA Live
Investigate content can be deployed using RSA Live providing updates outside the NetWitness release cycle. Analysts now have the ability to utilize the latest Investigate content to focus their view into the data based on use cases. All the RSA generated content is now contained in a RSA specific folder.
Multiple values
When investigating a list of events an analyst can see that an event has multiple values for a meta key in that specific session. A hover over indicator shows a list of multiple values that can be further investigated without requiring to drill into the reconstruction of the event.
Direct Free-form query or text search
To immediately create a blank free-form filter, an advanced user can select the option “Click to start a free form query” from the Advanced Options panel. In the same manner an analyst can choose “Click to start a text search” to create a new text search. In both scenarios, the analysts can bypass the auto-completion input logic and save some time in generating a query format.
Query filter enhancements
When a query is added in the Events, any filter that is selected will have a red highlighted border, so the analyst knows which filter is selected. When you edit a filter, the border will be in blue color to indicate that the analyst needs to provide some input in case they move their focus away from the query input.
Custom Column group enhancements
Metadata such as custom.logdata that are defined in Legacy Events or defined in OOTB Summary List column group can be used to combine the raw logs as a customized column of additional metadata. List of recommended metas that contain data are displayed. An analyst can create custom column groups using the summary and raw log (custom.logdata) meta keys.
Column Group Meta Key Recommendations
While reviewing query results in the Events table with a selected column group, analysts have the option to view recommended columns that may have data for those events but are not part of the current column group. These suggested meta keys help analysts to have the best column groups applied so that no relevant data is missed for the events displayed.
Investigate Screen Layout Options
A new user preference allows analysts to choose between a Compact or Expanded format to determine how close the rows of data are to be displayed in the Event table on a single page. The following image is an example where Event Preference view is displayed with the Compact view selected.
Meta Panel Enhancements
The meta panel on the Events investigation page has been enhanced with a Hide Duplicate Entries radio button to limit the display of metadata only if they are a unique key value pair. A filter field is also introduced so analysts can search, and filter based on meta keys or values.
IndexNone Meta keys
As analysts create meta groups with multiple meta keys, the Open option is disabled for all non-indexed meta keys to avoid adverse effects on query performance.
Reconstruction Enhancements (view content and copy option)
The pagination of the Text tab has been enhanced to make it more obvious when there is further content available than can be displayed on a single page. Also, if required analysts can copy selected content to the clipboard using keyboard shortcut (in addition to menu option) for further investigation.
Search Indicator
When analysts do a free-text search a message is displayed on top of the Events page to make it clear that only indexed metadata is being searched. This message contains a link that helps in further search if the analysts requires to search more extensively beyond what is indexed. In case the maximum search limit has been reached, a message is displayed at the bottom to indicate there are no more results available.
Investigate Timeout Setting
The Extraction timeout setting helps an administrator to increase or decrease the time available to retrieve the required sessions or events or files from Investigate. This can be configured by navigating to Admin > System > Investigation > Common Settings.
A new and enhanced dotted chart is introduced in version 11.6. The dotted chart, provides the analyst with the entities baseline values over time to better understand the context of the modeled behavior and the anomaly in case of an indicator. In version 11.6, the pie chart is replaced with a dotted chart to provide analysts with additional visibility to the entities activity over time. For more information, see NetWitness UEBA User Guide.
Incident Response
Respond Persist Data (BETA)
Analysts and Administrators can pin events that are associated with particular incidents, thereby enabling you to view the evidence related to an incident in the future. Once you pin an event, data is copied from the regular database into a long term storage cache within the data source. Event retention depends upon the available space in the directory (10 GB is offered by default). The roll over in the meta database does not impact the events that already saved in the pin directory. The BETA version comes with the limitation where you cannot download the pinned events, which will be enabled and notified in the subsequent releases.
For more information, see Respond Persist Data in the NetWitness Respond User Guide.
Endpoint Investigation
Support for YARA scans
YARA helps analysts with rule-based detection capabilities in identifying and classifying malware. You can easily create malware descriptions, called YARA rules, that are robust in detecting malware. YARA automatically scans downloaded files at regular intervals and increases the file's risk score if it matches any rule. Thus, helps analysts quickly respond to a threat. For more information, see NetWitness Endpoint User Guide. To learn how to enable and configure YARA, see NetWitness Endpoint Configuration Guide.
Centralized agent upgrade options using UI
Administrators can now upgrade and uninstall selected or all agents using the UI and thus helping you manage NetWitness agents with a lot of ease. For more information, see NetWitness Endpoint Agent Installation Guide.
Centralized agent uninstall options using UI
Administrators can uninstall selected agents or all the agents easily using the UI. Bulk uninstall can be performed without even selecting any hosts. This enhancement will save time and help to focus more on responding to threats. To qualify for bulk uninstall, the agents must be on version 11.5.1 or later. For more information, seeNetWitness Endpoint Agent Installation Guide.
Support for Saving Local Copies of Multiple Downloaded Files
Now analysts can perform detailed investigations and forensics quickly and easily by saving copies of downloaded system dump, process dump, MFT, etc.
Support to Download MFT From Any Windows Drive
Analysts can now download MFT for any drive and can also download it on the NTFS mount path. This can help analysts perform critical investigation, analysis, and forensics on files in addition to the system volume.
Expanded Lateral Movement Visibility
Enhanced Windows agent to report executable write events on the target machine when copied to network shares. Analysts can now have deeper visibility into lateral movement activities on Windows around files that are being copied to network shares.
Support for Forwarding Windows/File Logs to Custom Systems
Administrators can now collect the Windows and File logs on a non-VLC system by forwarding them to a custom system.
New rules added to detect Persistence tactic
New rules have been added to the Endpoint rules bundle to detect threats that follow the Persistence tactic. When such a threat is detected, these rules will trigger alerts and increase the risk score.
Broker, Concentrator, Decoder, and Log Decoder Services
Assembler Threading Modes
To enhance the throughput at which a Decoder can analyze data, the assembler is enhanced to perform further parallel processing. The process that reassembles captured packets into streams is known as the assembler. You can now customize the assembler operation using its two modes. These modes can be configured by setting the value of assembler.threading.enabled to on or off. The default value is off. The on mode enables higher throughput as each assembler instance operates on a dedicated processor.
The assembler modes work only when Multi Adapter Packet Capture is enabled. For more information on Multi Adapter Packet Capture and Assembler Modes, see the (Optional) Multiple Adapter Packet Capture topic in the Decoder and Log Decoder Configuration Guide.
High Speed Packet Capture
You can now analyze network data (packets) from higher speed networks and optimize your Network Decoder to capture network traffic up to 40 Gbps. In order to understand what capabilities are supported at different network speeds, the Decoder now operates in the following three modes:
Normal: For capture speeds less than 5 Gbps with large amounts of deep packet inspection while storing network sessions. This is the default mode.
10G: For capture speeds up to 10 Gbps with medium amounts of deep packet inspection while storing network sessions.
NDR: For capture speeds greater than 10 Gbps but less than 40 Gbps with small amounts of deep packet inspection while only storing metadata.
Decoder now detects and decompresses the Brotli payload in the HTTP/HTTPS session parsing. Brotli is a data format specification that compresses data streams with a specific combination of the general-purpose LZ77 lossless compression algorithm, Huffman coding, and 2nd order context modelling. Brotli encoding is supported by most web browsers, major web servers, and some CDNs.
To enable Brotli decompression, perform the following steps:
Decoder can identify applications using the OpenApp ID detectors generating new metadata (app.id). It helps analysts to identify applications in a session. OpenApp ID from Cisco is an application-layer network security plug-in for Snort (an open source network intrusion detection system). It is a set of open source Lua libraries (detectors) that identifies applications in the network traffic.
To enhance the throughput at which a Decoder can analyze data, the pipeline to create sessions is enhanced to use Receive side scaling (RSS). RSS enables the efficient distribution of network receive processing across multiple CPUs in multiprocessor systems. RSS ensures that the processing that is associated with a given connection stays on the assigned CPU. RSS is supported on DPDK devices only using ixgbe or i40e device drivers.
Simultaneous Ingestion of the Encrypted and Decrypted Traffic Streams to Decoder
Decoder with multi-adapter capture and multi-thread assembler features enabled, can receive encrypted and decrypted streams of the same traffic when on separate adapters. This supports the use case when both the encrypted and decrypted versions of the same traffic are traversing the same Decoder. The multi-thread assembler feature allows Decoder to assemble packets from its corresponding capture work thread. It keeps the packets from encrypted and decrypted sessions separate during assembly to avoid inaccuracies in session parsing and content extraction.
For more information, see the Decrypt Incoming Packets topic in the Decoder and Log Decoder Configuration Guide.
Trusted Authentication for Aggregation Hosts
When configuring aggregation connections, you can use trusted authentication to perform this task instead of using service account credentials. The trusted authentication reduces administrator overhead by eliminating the need to manage service account password changes.
Make a note that this authentication method change requires the device to be offline. Also, once you switch to Trusted Authentication, you cannot switch back to the login method using the user credentials.
Event Stream Analysis (ESA)
Support for Meta Entities
Meta Entities provide a way to link similar meta keys together. Once they are defined, an entity can be used the same way as a key, so that analysts can use them as regular keys to get to multiple, similar concepts. From 11.6 release, meta key entities are configured to be a part of the event schema and can enable the string [] meta keys entities. Analysts can create rules and configure alerts based on the meta key entities selected. You can also add meta entities to create rules. The meta entities retrieve data from the data sources to trigger alerts.
For more information, see NetWitness ESA Alerting User guide.
Import and Edit Position Tracking Information
When you deploy a data source, by default, ESA starts processing information from the latest available session. Position tracking information enables the administrator to visualize the progress of the sessions that ESA has processed and provides information on the session IDs and the time or date when the events were processed.
The edit function enables you to visualize the number of sessions that a particular ESA data source analyzes after you edit the position tracking, review the number of processed sessions, and plan your work. To edit position tracking information, see Editing Position Tracking Information.
The import function enables you to migrate the settings of position tracking for one or more data sources at the same time from an existing deployment. To import position tracking information, see Importing Position Tracking Information.
While working with data sources, you can use trusted authentication to perform tasks, instead of logging in with the admin credentials. You need not log in using your admin credentials, every time you want to access the data sources.
For more information, see Trusted Authentication in the NetWitness Getting Started Guide.
Support for Detect AI
Detect AI has been added as an alert source in the Respond view. It captures the alerts from the cloud based user behavior analytics to create incidents from alerts.
You can filter the alerts list to show the alerts of interest using filters such as, alert name, alert source, and specific time range.
You can remove redundant dashboards (dashboards that are not owned, not shared, and duplicate default dashboards) by enabling the dashboard cleaning job.
NetWitness Platform 11.6 introduces the ability to add any RESTful API data source to Context Hub.
REST API allows analysts to query third-party applications by providing a meta value as a query parameter and rendering results in the Context Hub Panel in real-time. The results can be rendered in JSON or HTML format depending on the preference and capabilities of the third-party application. An analyst can now gain additional context about IPs, users, hosts, or files faster during an investigation without requiring them to leave the NetWitness Platform.
Improvements to Context Highlighting
Some additional configurations are introduced to the Context Highlighting feature to make the capability more usable and efficient in specific environments. Administrators can now configure specific Context Hub sources (For example, specific lists, Respond, Endpoint, and so on) for context highlighting. If the context highlighting is disabled for a Context Hub source, analysts can view results from all sources while opening the Context Panel for a meta value, but the values are not highlighted in the Investigate > Navigate, Event, and Respond views. Administrators can also disable the context highlighting globally for all sources.
In 11.5, the NetWitness Output Codec for Logstash was introduced, making Logstash integrations possible with a customer-managed Logstash server. From 11.6 onwards, the Logstash server is packaged and supported along with the NetWitness Log Collector or Virtual Log Collector (VLC) service to provide easy access to Logstash. This is referred to as Managed Logstash and it eliminates the need for a separate Logstash server outside of the NetWitness Platform.
You can create Logstash pipelines (for example beats, export connector and so on) in the Event Sources tab within the Log Collector service. The custom category allows for a fully-custom Logstash pipeline configuration.
The following is an example of Logstash Event Source.
A new Data Export tab is added to the Decoder or Log Decoder configuration view. It lists the available Log Collector services in your environment. Once you select a Log Collector service, you can configure the Export Connector in the Event Sources tab.
Also, New stats for both legacy and New Health and Wellness are introduced to monitor the health and throughput for each Logstash pipeline. Logstash Input Plugin Overview dashboard is added to showcase the new stats.
JSON Mapping Usability Improvements - In the tree view of a JSON sample, the corresponding RAW node or Mapping entry is highlighted when either is selected if the match exists. The highlighting indicates whether a match is successful in the current sample; that is, the value should parse correctly, including the node path and any DataType or RegEx.
Custom Regex for JSON mappings - For fine-parsing JSON values (for example, ip:port), the user can create a custom RegEx pattern for each mapping within the UI. Multiple values (captures) can be extracted and assigned to separate meta keys.
Import or Export for custom UI Rules (Dynamic Rules or JSON mappings) - Custom Dynamic Rules and JSON mappings that are created in the UI can now be easily imported or exported right from the UI. This enables customers to develop parse rules in one environment (For example, Lab) and move them to another (For example, Production).
Note: Import or Export for custom UI rules does not export or import any "parser.XML" or "parser_custom.XML" that correspond to the Parse Rules.
Licensing
Introducing License Usage Dashboard
A new license dashboard is introduced in New Health & Wellness to manage licenses efficiently. This dashboard provides insights on the license usage of all the Throughput licenses in your deployment. Administrators can do the following on this dashboard:
Track daily license usage for individual hosts
Track daily usage of Throughput licenses for all the hosts in your deployment
NetWitness Platform versions 11.5.1 to 11.6, includes fixes to the metrics used in reporting for Network (Packet) Throughput usage. License metrics includes the overall network traffic analyzed and the raw network data stored after the analysis. Your Network Throughput License usage may increase, which may cause license violation banners in some situations. The Out-of-Compliance notifications for Network Throughput licenses has been adjusted to delay the display of the license violation banner by 45-days. For more information, see theLicensing Management Guide.
Platform
Support for Third Party Server Hardware
This allows you to use any third party server hardware to run NetWitness Platform. The kickstart wizard provides a list of available block devices, and prompts you to select the device to install the OS and NetWitness Platform application. For more information, see Installation Tasks topic in the Physical host installation guide.
