NetWitness Community

Table of Contents

•   Release Notes
  •   Release Notes for 11.7
    •   What's New
    •   Fixed Issues
    •   Product Documentation
    •   Getting Help with NetWitness Platform
    •   Build Numbers
    •   Revision History
  •   Release Notes for 11.7.0.1
    •   What's New
    •   Product Documentation
    •   Getting Help with NetWitness Platform
    •   Build Numbers
    •   Revision History
    •   Appendix
    •   Upgrade Instructions
  •   Release Notes for 11.7.0.2
    •   What's New
    •   Known Issues
    •   Product Documentation
    •   Getting Help with NetWitness Platform
    •   Build Numbers
    •   Revision History
    •   Appendix
    •   Upgrade Instructions
  •   Release Notes for 11.7.1
    •   What's New
    •   Fixed Issues
    •   Product Documentation
    •   Getting Help with NetWitness Platform
    •   Build Numbers
    •   Revision History
  •   Known Issues
  •   Security Fixes
•   Getting Started
  •   Getting Started With NetWitness
    •   Getting Started with NetWitness Platform
    •   Logging in to NetWitness Platform
    •   Changing Your Password
    •   Identifying Your Role
    •   NetWitness Platform Basic Navigation
    •   Setting Up Your Default View by SOC Role
    •   Managing the Springboard
    •   Managing Dashboards
    •   Setting User Preferences
    •   Managing Jobs
    •   Viewing and Deleting Notifications
    •   Viewing Help in the Application
    •   Finding Documents on NetWitness Community
    •   Troubleshooting for User Setup
    •   NetWitness Platform Getting Started References
      •   User Preferences
      •   Notifications Panel and Notifications Tray
      •   Jobs Panel and Jobs Tray
  •   Set up your Hosts and Services
    •   Hosts and Services Basics
    •   Hosts and Services Set Up Procedures
    •   Hosts and Services Maintenance Procedures
    •   References
      •   Hosts View
      •   Services View
        •   Edit Service Dialog
        •   Services Config View
        •   Services Config View - Appliance Service Configuration Tab
        •   Services Config View - Data Retention Scheduler Tab
        •   Services Config View - Files Tab
        •   Services Explore View
        •   Services Explore View - Properties Dialog
        •   Services Logs View
        •   Services Security View
        •   Services Security View - Users Tab
        •   Services Security View - Roles Tab
          •   Services Security View - Service User Roles and Permissions
          •   Services Security View - Aggregation Role
        •   Services Security View - Settings Tab
        •   Services Stats View
        •   Services Stats View - Chart Stats Tray
        •   Services Stats View - Gauges
        •   Services Stats View - Timeline Charts
        •   Services System View
        •   Services Topology View
        •   Services System View - Host Task List Dialog
      •   Service Configuration Parameters
        •   Aggregation Configuration Parameters
        •   Appliance Service Configuration Parameters
        •   Archiver Service Configuration Parameters
        •   Broker Service Configuration Parameters
        •   Concentrator Service Configuration Parameters
        •   Core Service Logging Configuration Parameters
        •   Core Service-to-Service Configuration Parameters
        •   Core Service System Configuration Parameters
        •   Decoder Configuration Parameters
        •   Network Decoder Service Configuration Parameters
        •   Log Decoder Service Configuration Parameters
        •   REST Interface Configuration Parameters
        •   NetWitness Platform Core Service system.roles Modes
      •   Centralized Service Configuration via Policy
        •   Centralized Service Configuration - Groups Tab
        •   Centralized Service Configuration - Policies Tab
    •   Troubleshooting Version Installations and Updates
  •   Service Configuration Properties Guide
    •   Introduction
    •   Admin-server Configuration
    •   Analysis-server Configuration
    •   Config-server Configuration
    •   Content-server Configuration
    •   Contexthub-server Configuration
    •   Correlation-server Configuration
    •   Endpoint-broker-server Configuration
    •   Endpoint-server Configuration
    •   Enrichment-server Configuration
    •   Integration-server Configuration
    •   Investigate-server Configuration
    •   Launch-framework Configuration
    •   License-server Configuration
    •   Metrics-server Configuration
    •   Node-infra-server Configuration
    •   No-op-server Configuration
    •   Orchestration-server Configuration
    •   Relay-server Configuration
    •   Respond-server Configuration
    •   Security-server Configuration
    •   Source-server Configuration
  •   Quick Start - Investigation
    •   What Is NetWitness Investigate
  •   Quick Start - Endpoints
    •   QuickStart
  •   Quick Start - UEBA
    •   QuickStart
•   Install and Upgrade
  •   Deploy NetWitness
    •   The Basics
    •   Deployment Optional Setup Procedures
    •   Network Architecture and Ports
    •   Site Requirements and Safety
  •   Manage Licensing
    •   Entitlement Capability Implementation
    •   Initial Set Up
      •   Obtain License Server ID from NetWitness Platform UI
      •   Access Product Licenses from myRSA
      •   Synchronize NetWitness Server
      •   Synchronize Local Licensing Server Offline
    •   License Types
    •   Configure NetWitness Notifications
    •   About Out-of-Compliance Banners
    •   Troubleshoot Licensing
    •   Licensing Panel Reference
      •   Usage Trend
      •   Reassign Licenses
      •   Export Usage Stats
    •   Settings Tab
    •   Out-of-Compliance Reference
  •   Physical Host Installation
    •   Introduction
    •   Installation Tasks
    •   Update or Install Legacy Windows Collection
    •   Post Installation Tasks
    •   Appendix A. Troubleshooting
    •   Appendix B. Create External Repo
    •   Appendix C. Silent Installation Using CLI
    •   Appendix D. Third Party Server System Requirement
  •   Virtual Host Installation
    •   Basic Deployment
    •   Install NW Virtual Host in Virtual Environment
      •   Step 1a. Create Virtual Machine - VMware
      •   Step 1b. Deploy the Virtual Host in Hyper-V
      •   Step 1c. Create Virtual Machine in Nutanix AHV
      •   Step 2. Configure Databases to Accommodate NetWitness Platform
        •   Task 1. Add New Disk
        •   Task 2. Storage Configurations
      •   Step 3. Installation Tasks
      •   Step 4. Configure Host-Specific Parameters
      •   Step 5. Post Installation Tasks
    •   Appendix A. Troubleshooting
    •   Appendix B. Silent Installation Using CLI
    •   Appendix C. Virtual Host Recommended System Requirements
    •   Appendix D. Update the Virtual ESA Host Memory
  •   NetWitness Storage Configuration
    •   Storage Overview
    •   Storage Requirements
    •   Prepare Physical Storage
    •   Prepare Virtual or Cloud Storage
    •   Configure Storage Using the REST API
    •   Prepare Unity Storage
    •   Migrate Data to Another Storage Type
    •   Appendix A. How NetWitness Platform Hosts Store Data
    •   Appendix B. Encrypt a Series 6E Core or Hybrid Host (encryptSedVd.py)
    •   Appendix C. Troubleshooting
    •   Appendix D. Sample Storage Configuration Scenarios
    •   Revision History
  •   AWS Deployment
    •   AWS Deployment Overview
    •   AWS Deployment
      •   Establish AWS Environment
      •   Find NetWitness AMIs
      •   Launch an Instance and Configure a Host
      •   Configure Hosts (Instances) in NetWitness Platform
      •   Configure Packet Capture
    •   Instance Configuration Recommendations
    •   Appendix A Silent Installation Using CLI
  •   Azure Deployment
    •   Azure Installation Overview
    •   Azure Configuration Recommendations
    •   Azure Deployment
      •   Partition Recommendations
      •   Deploy NW Server Host in Azure
      •   Deploy Component Core Services in Azure
      •   Installation Tasks
    •   Appendix A. Silent Installation Using CLI
  •   Google Cloud Platform Deployment
    •   Google Cloud Platform Installation Overview
    •   GCP Deployment
      •   Prerequisites
      •   Find NetWitness Platform GCP Images
      •   Establish gcloud Environment
      •   Create an Instance using Google Cloud SDK Shell
      •   Installation Tasks
      •   Configure Hosts (Instances) in NetWitness Platform
    •   GCP Instance Configuration Recommendations
  •   Endpoint Agent Installation
    •   Introduction to Endpoint Agent Installation
    •   Prerequisites
    •   Generate an Agent Packager
    •   Generate Agent Installers
    •   Deploy and Verify Agents
    •   Uninstall Agents
    •   Upgrade Agents
    •   Recommendations for Installing Agents in Virtual Desktop Infrastructure Environment
    •   Troubleshooting
  •   Migration Guide for NetWtiness Endpoint to RSA NetWitness Platform
    •   Introduction
    •   Migrating NetWitness Endpoint 4.4.0.x to NetWitness Platform
    •   Importing NetWitness Endpoint 4.4.0.x Configurations to NetWitness Platform
  •   UEBA Standalone Installation
    •   Introduction
    •   NetWitness UEBA Standalone Installation
    •   System Requirement
    •   Installation Tasks
    •   Post Installation Tasks
  •   Upgrade to NetWitness Platform 11.7
    •   Overview
    •   Contacting Customer Care
    •   Pre Upgrade Checks
    •   Upgrade Preparation Tasks
    •   Upgrade Tasks
    •   Post Upgrade Tasks
    •   Endpoint Upgrade Tasks
    •   Enable New Features
    •   Appendix A. Offline Upgrade Using CLI
    •   Appendix B. Set Up External Repo
    •   Appendix C. Troubleshooting Version Installations and Upgrades
  •   Upgrade to NetWitness Platform 11.7.1
    •   Overview
    •   Contacting Customer Care
    •   Upgrade Preparation Tasks
    •   Upgrade Tasks
    •   Post Upgrade Tasks
    •   Endpoint Upgrade Tasks
    •   Enable New Features
    •   Appendix A. Offline Upgrade Using CLI
    •   Appendix B. Troubleshooting Version Installations and Upgrades
  •   Windows Legacy Log Collection Configuration
    •   Windows Legacy Collection
  •   NetWitness Export Connector Deployment
    •   Overview
    •   Logstash Input Plugin - Configuration Process
    •   Install Logstash
    •   Install NetWitness Logstash Input Plugin
    •   Configure Logstash Input Plugin
      •   Configure SSL
      •   Health and Wellness
      •   Configure Custom Value Meta
    •   (Optional) Configure Logstash Filter Plugin
    •   Configure Logstash Output Plugin
    •   Known Issues
•   Configure and Manage
  •   Decoder and Log Decoder Configuration
    •   Decoder and Log Decoder Quick Setup
    •   Configure Common Settings on a Decoder
      •   Configure Capture Settings
        •   (Optional) Configure System-Level (BPF) Packet Filtering
        •   (Optional) Configure a Decoder to Capture Data Across All Types of Network Interfaces
        •   (Optional) Configure Meta-Only Decoders
        •   (Optional) Configure Selective Network Data Collection
        •   (Optional) Configure a Decoder to Write Standard pcap-formatted Files
        •   (Optional) Multiple Adapter Packet Capture
        •   (Optional) Internet Content Adaptation Protocol Capture
        •   (Optional) Data Plane Development Kit Packet Capture
        •   (Optional) Preserve VLAN Tags When Using the Packet MMAP Capture Interface
        •   (Optional) Process Raw Syslog Data without Priority Field
        •   (Optional) Configure Decoder to Support OpenAppID
      •   Enable and Disable Parsers and Log Parsers
      •   Start and Stop Data Capture
    •   Configure Decoder Rules
      •   Configure Application Rules
      •   Configure Correlation Rules
      •   Configure Network Rules
      •   Fix Rules with Invalid Syntax
      •   Decoder Commands for Managing Rules
    •   Configure Parsers and Feeds
      •   Configure Parsers
        •   Use Custom Parsers
        •   Enable and Configure the Entropy Parser
        •   Flex Parser
          •   Arithmetic Functions
          •   Common Parser Operations
          •   General Functions
          •   Logging Functions
          •   Nodes
          •   Payload Functions
          •   Regex
          •   String Functions
        •   GeoIP2 Parsers
        •   Lua Parsers
        •   HTTP Parsers
        •   Snort Parsers
        •   Search Parser
        •   Wireless LAN Configuration
        •   Troubleshooting Parsers | NetWitness
      •   Configure Feeds
        •   Custom Feed Definition File Structure
        •   Feed Definitions File
        •   Create a Custom Feed
        •   Create a STIX Custom Feed
        •   Create an Identity Feed
        •   Upload, Edit, or Remove a Feed
        •   Create Custom Meta Keys Using Custom Feed
    •   Decoder and Log Decoder Additional Procedures
      •   Config_10g115
      •   Configure 10G Capability
      •   Configure a Log Decoder to Accept Protobuf
      •   Configure Session Split Timeouts
      •   Configure Syslog Forwarding to Destination
      •   Configure Transaction Handling on a Decoder
      •   Configure Data Export
      •   Decrypt Incoming Packets
      •   Edit Decoder System Configuration Settings
      •   Enable CPU Usage Stats for Installed Content
      •   Enable Parser Mappings
      •   Enable or Disable Lua and Flex Parsing Systems
      •   Map IP Address to Service Type
      •   Event Time Support
      •   Obtain Log Files from a Pre-11.0 Log Decoder
      •   Upload a Log File to a Log Decoder
      •   Upload a Packet Capture File
    •   Decoder and Log Decoder References
      •   Services Config View - Capture Policies Tab
      •   Services Config View - Edit Policies Wizard
      •   Services Config View - Data Privacy Tab
      •   Services Config View - Data Retention Scheduler
      •   Services Config View - Feeds Tab
      •   Services Config View - Upload Feeds Dialog
      •   Services Config View - Files Tab
      •   Services Config View - General Tab
      •   Services Config View - Parsers Tab
      •   Services Config View - Parser Mappings Tab
      •   Services Config View - Data Export Tab
      •   Services Config View - Rules Tab
      •   Services Config View - App Rules Tab
      •   Services Config View - Correlation Rules Tab
      •   Services Config View - Network Rules Tab
      •   Services System View - Decoders
  •   Broker and Concentrator Configuration
    •   Broker and Concentrator Basics
    •   Overview of Brokers and Concentrators
    •   Basic Setup Procedures
      •   Step 1. Verify Service System Configuration
      •   Step 2. Configure the Aggregation Process
      •   Step 3. Configure Aggregate Services
      •   Step 4. (Optional) Configure Group Aggregation
      •   Step 5. Start and Stop Aggregation
    •   Broker and Concentrator Configuration References
      •   Services Config View - Broker/Concentrator General Tab
      •   Services System View - Broker
  •   Core Database Tuning
    •   NetWitness Core Database Introduction
    •   Basic Database Configuration
      •   Tiered Database Storage
      •   Manifests
    •   Advanced Database Configuration
      •   Database Configuration Nodes
      •   Index Configuration Nodes
      •   SDK Configuration Nodes
      •   Per-User Configuration Nodes
      •   Scheduler
      •   Rollover
      •   Snort Rules and Configuration
    •   Queries
    •   Index Customization
    •   Rebuilding of the Index
    •   Optimization Techniques
    •   Rule Examples
    •   Appendix A: Statistics
    •   Appendix B: Index Inspect
  •   Live Services Management
    •   Live Content in NetWitness Suite
    •   Required Procedures
      •   Create Live Account
      •   Set Up Live Services in NetWitness
      •   Find and Deploy Live Resources
      •   Manage Live Resources
      •   Search and Download Content from NetWitness Platform Live
    •   Additional Procedures
      •   Export Data to RSA
      •   Create a Resource Package
      •   Manage Custom Feeds
        •   Create a Custom Feed
        •   Create a STIX Custom Feed
        •   MetaCallback Feeds
        •   Create an Identity Feed
        •   Edit a Feed
        •   Remove a Feed
      •   Subscribing to Resources
      •   Miscellaneous Live Services Procedures
    •   References
      •   Live Configure View
        •   Deployments Tab
        •   Subscriptions Tab
        •   Discontinued Resource Tab
      •   Live Feeds View
      •   Live Resource View
      •   Live Search View
      •   Live Search Content View
      •   Resource Package Deployment Wizard
      •   RSA Live Registration Portal
      •   Netwitness Feedback and Data Sharing
    •   Troubleshooting
  •   Log Collection Configuration
    •   About Log Collection
    •   Log Collection Architecture
    •   Basic Implementation
      •   Provision Local and Remote Collectors
      •   Configure LC/RC
      •   Configure Failover
      •   Configure Replication
      •   Configure Chain of Remote Collectors
      •   Throttle RC to LC Bandwidth
      •   Set up a Lockbox
      •   Start Collection Services
      •   Verify Log Collection is Working
      •   Configure Certificates
      •   Configure Custom Certificates
    •   Log Collection Basics
      •   Basic Procedure
      •   Search for Specific Event Sources
      •   Configure Event Filters for Log Collector
      •   Import, Export, Edit and Test Event Sources in Bulk
    •   Collection Protocols
      •   Configure AWS (CloudTrail) Event Sources
      •   Configure Azure Event Sources
      •   Configure Check Point Event Sources
      •   Configure File Event Sources
      •   Configure Logstash
      •   Configure Netflow Event Sources
      •   ODBC
        •   Configure ODBC Event Sources
        •   Configure DSNs
        •   Create Custom Typespec
        •   Troubleshoot ODBC Collection
      •   Configure SDEE Event Sources
      •   Configure SNMP Event Sources
      •   Configure Syslog Event Sources
      •   Configure VMware Event Sources
      •   Configure Windows Event Sources
      •   Windows Legacy Configuration
        •   Set Up Windows Legacy Collector
        •   Configure Windows Legacy and NetApp Event Sources in RSA NetWitness
        •   Troubleshoot Windows Legacy and NetApp Collection
    •   Reference
      •   AWS Parameters
      •   Azure Parameters
      •   Check Point Parameters
      •   File Parameters
      •   Service System View
      •   ODBC Parameters
      •   ODBC DSN Parameters
      •   Remote/Local Collectors Configuration Parameters
      •   Tabs
        •   General Tab
        •   Event Destinations Tab
        •   Event Sources Tab
        •   Settings Tab
    •   Log Collection: Troubleshoot
  •   Event Source Management
    •   NetWitness Event Sources
    •   Managing Event Sources
      •   Alarms and Notifications
      •   Automatic Alerting
      •   Common Scenarios for Monitoring Policies
    •   Manage Event Source Groups
      •   Create Event Source Groups
      •   Create Event Source Group Form
      •   Acknowledge and Map Event Sources
      •   Edit or Delete Event Source Groups
      •   Remove Idle Event Sources
      •   Create an Event Source and Edit its Attributes
      •   Bulk Edit Event Source Attributes
      •   Import Event Sources
      •   Export Event Sources
      •   Sort Event Sources
    •   Monitor Polices
      •   Configure Event Source Group Alerts
      •   Set Up Notifications
      •   Disable Notifications
    •   Configure Automatic Alerting
    •   View Event Source Alarms
    •   Event Source References
      •   Discovery Tab
      •   Manage Tab
      •   Manage Tab - Historical Graph View
      •   Manage Event Source Tab
      •   Event Sources View
      •   Create/Edit Group Form
      •   Details View
      •   Manage Parser Mappings
      •   Alarms Tab
      •   Monitoring Policies Tab
      •   Settings Tab
      •   Log Parser Rules Tab (version 11.1 only)
    •   Troubleshooting/Appendix
      •   Alarms and Notifications Issues
      •   Duplicate Log Messages
      •   Troubleshoot Feeds
      •   Import File Issues
      •   Negative Policy Numbering
      •   Viewing Logs from Pre-11.0 Log Decoder
  •   Log Parser Customization
    •   Log Parser Rules Customization
    •   Add or Delete Log Parser
    •   JSON Mappings
    •   Create Custom Log Parser Rules
    •   Log Parsers and the Default Log Parser
    •   Use Cases
    •   Extend a Log Parser Example
    •   Select the Reference Log Decoder
    •   Move Log Parser Rules to Production
    •   Troubleshooting and Limitations
    •   Log Parser Rules Tab
  •   Logstash Integration Configuration
    •   Overview
    •   Dataflow
    •   Install Logstash
    •   Install and Configure the NetWitness Codec
    •   Configure Logstash Output Plugins
    •   Configure Event Source
    •   Advanced NetWitness Configuration
    •   Coding Appendix: Linux event Source Example
    •   Coding Appendix: Build a Parser
  •   NetWitness Export Connector Configuration
    •   Overview
    •   Logstash Input Plugin - Configuration Process
    •   Install Logstash
    •   Install NetWitness Logstash Input Plugin
    •   Configure Logstash Input Plugin
      •   Configure SSL
      •   Health and Wellness
      •   Configure Custom Value Meta
    •   (Optional) Configure Logstash Filter Plugin
    •   Configure Logstash Output Plugin
    •   Known Issues
  •   Archiver Configuration For Logs
    •   Archiver Overview
    •   Basic Archiver Configuration
      •   Add the Archiver Service
      •   Add Log Decoder as a Data Source to Archiver
      •   Configure Archiver Storage and Log Retention
        •   Configure Hot, Warm, and Cold Storage
        •   Configure Log Storage Collections
        •   Define Retention Rules
      •   Add Archiver as a Data Source to Reporting Engine
      •   Configure Archiver Monitoring
    •   Additional Archiver Configuration
      •   Configure Data Backup and Restore
      •   Retrieve Hash Information
    •   Archiver References
      •   Archiver Collection Dialog
      •   Archiver Services Config View - General Tab
      •   Archiver Service Configuration
      •   Data Retention Tab - Archiver
      •   Services Config View - Archiver
  •   Workbench Configuration For Logs
    •   Overview
    •   Configuration Procedures
      •   Add Workbench Service as a Data Source to Broker
      •   Add Workbench as a Data Source to Reporting Engine
      •   Manage Collections
    •   Services Config View
    •   Services Config View - Collections Tab
    •   Services Config View - General Tab
    •   Troubleshooting
  •   Event Stream Analysis Configuration
    •   Event Stream Analysis Overview
    •   Configure ESA Correlation Rules
    •   Additional ESA Correlation Rules Procedures
      •   Update Your ESA Rules for the Required Multi-Value and Single-Value Meta Keys
      •   Configure Advanced Settings for ESA Correlation
      •   Configure Character Case for Advanced ESA Rules
      •   Deploy Endpoint Risk Scoring Rules on ESA
      •   Change Memory Threshold for ESA Rules
      •   Start, Stop, or Restart ESA Service
      •   View Audit Logs and Verify ESA Component Versions
    •   References - Previous ESA Versions
      •   Services Config View Data Sources Tab (11.2 and Earlier)
      •   Services Config View Advanced Tab (11.2 and Earlier)
      •   Whois Lookup Service Configuration (11.1.x to 11.4.x)
      •   ESA Analytics Mappings (11.1.x to 11.4.x)
      •   Module Settings (11.1.x to 11.4.x)
  •   Alerting with ESA Correlation Rules
    •   Getting Started with ESA
      •   Best Practices
      •   Troubleshoot ESA
      •   View Memory Metrics for Rules
    •   How ESA Handles Sensitive Data
    •   ESA Rule Types
      •   ESA Permissions
      •   Practice with Sample Rules
    •   Working with Trial Rules
    •   Add Rules to the Rules Library
    •   Download Configurable RSA Live ESA Rules
      •   Customize an RSA Live ESA Rule
    •   Add a Rule Builder Rule
      •   Step 1. Name and Describe the Rule
      •   Step 2. Build a Rule Statement
      •   Step 3. Add Conditions to a Rule Statement
    •   Working With Rules
      •   Edit, Duplicate or Delete a Rule
      •   Filter or Search for Rules
      •   Import or Export Rules
    •   Choose How to Be Notified of Alerts
      •   Notification Methods
      •   Add Notification Method to a Rule
    •   Add a Data Enrichment Source
      •   Enrichment Sources
      •   Configure a Context Hub List as an Enrichment Source
      •   Configure an In-Memory Table as an Enrichment Source
      •   Add an Enrichment to a Rule
    •   Deploy Rules to Run on ESA
      •   ESA Rule Deployment Steps
      •   Additional ESA Rule Deployment Procedures
    •   View ESA Stats and Alerts
      •   View Stats for an ESA Service
      •   View a Summary of Alerts
    •   Add an Advanced EPL Rule
      •   Event Processing Language (EPL)
      •   ESA Annotations
      •   Example Advanced EPL Rules
    •   Configure an In-Memory Table Using an EPL Query
    •   ESA Alert References
      •   RulesTab
      •   Rules Tab Options Panel
      •   Rule Library Panel
      •   Rule Builder Tab
      •   Build a Statement Dialog
      •   Advanced EPL Rule Tab
      •   Rule Syntax Dialog
      •   Deployment Panel
      •   Deploy ESA Services Dialog
      •   Deploy ESA Rules Dialog
      •   Updates to the Deployment Dialog
      •   Services Tab
      •   Settings Tab
  •   Context Hub Configuration
    •   How Context Hub Works
    •   Configure Lists as a Data Source
    •   Configure Archer as a Data Source
    •   Configure Active Directory Data Source
    •   Configure RSA EndPoint Data Source
    •   Configure Respond Data Source
    •   Configure File Reputation Server Data Source
    •   Configure STIX as a Data Source
    •   Configure RESTAPI as a Data Source
    •   Configure Data Sources Settings
    •   Import or Export Lists for Context Hub
    •   Manage Meta Type and Meta Key Mapping
    •   Context Hub Data Sources Tab
    •   Context Hub Lists Tab
    •   Context Hub STIX Tab
    •   Troubleshooting
  •   Malware Analysis Configuration
    •   How Malware Analysis Works
    •   Basic Setup
      •   Configure Malware Analysis Operating Environment
      •   Configure General Malware Analysis Settings
      •   Configure Indicators of Compromise
      •   Configure Installed Antivirus Vendors
      •   Enable Community Scoring
      •   (Optional) Configure Auditing on Malware Analysis Host
      •   (Optional) Configure Hash Filter
      •   (Optional) Configure Malware Analysis Proxy Settings
      •   (Optional) Register for a ThreatGRID API Key
    •   Additional Procedures for Configuring Malware Analysis
      •   Create Custom Alert in CEF Format
      •   Enable Custom YARA Content
    •   Supported Antivirus Vendors
    •   Malware Analysis References
      •   Services Config View - General Tab
      •   Services Config View - Indicators of Compromise Tab
      •   Services Config View - IOC Summary Tab
      •   Services Config View - Auditing Tab
      •   Services Config View - Hash Tab
      •   Services Config View - AV Tab
      •   Services Config View - Proxy Tab
      •   Services Config View - ThreatGRID Tab
      •   Services Config View - Integration Tab
  •   NetWitness Endpoint Configuration
    •   NetWitness Endpoint Overview
    •   Agent Modes
    •   Endpoint Server Configuration
    •   Deploy Endpoint Application Rules and ESA Correlation Rules
    •   Setup Meta Forwarding to Log Decoder
    •   Endpoint Sources
    •   Create Groups and Policies
    •   Manage Groups
    •   Manage Policies
    •   Change Policy Ordering for Groups
    •   Configure Data Retention Policy
    •   Manage Role Permissions at Endpoint Server Level
    •   Manage Inactive Agents
    •   Configure Retention Policy for Memory Dumps and MFT
    •   (Optional) Installing and Configuring Relay Server
    •   Endpoint YARA Rules
    •   Configure OPSWAT
    •   Integrate NetWitness Endpoint 4.4.0.2 or Later with NetWitness Endpoint 11.3
    •   Endpoint References
      •   General Tab
      •   Data Retention Scheduler Tab
      •   Packager Tab
      •   Relay Server Tab
      •   Endpoint Sources - Groups
      •   Endpoint Sources - Policies
    •   Troubleshooting
    •   Appendices
      •   Reset File Collection Bookmarks
      •   Supported File Log Event Source Types
      •   Specify UNC Paths
  •   Respond Configuration for Incident Management
    •   About this Document
    •   NetWitness Respond Configuration Overview
    •   Configuring NetWitness Respond
      •   Step 1. Configure Alert Sources to Display Alerts in the Respond View
      •   Step 2. Assign Respond View Permissions
      •   Step 3. Enable and Create Incident Rules for Alerts
    •   Additional Procedures for Respond Configuration
      •   Set Up and Verify Default Incident Rules
      •   Configure Risk Scoring Settings for Automated Incident Creation
      •   Configure Custom Respond Server Alert Normalization
      •   Configure Analyst UI for Respond Server Alert Normalization
      •   Configure Incident Email Notification Settings
      •   Set a Retention Period for Alerts and Incidents
      •   Obfuscate Private Data
      •   Manage Incidents in Archer Cyber Incident & Breach Response
      •   Configure the Option to Send Incidents to RSA Archer
      •   Configure Threat Aware Authentication
      •   Set a Counter for Matched Alerts and Incidents
      •   Edit the Incident Rules Export ZIP File
      •   Configure a Database for the Respond Server Service
    •   NetWitness Respond Configuration Reference
      •   Configure View
      •   Incident Rules View
      •   Incident Rule Details View
      •   Incident Email Notification Settings View
      •   Aggregation Rules Tab (11.0 and earlier)
      •   New Rule tab (11.0 and earlier)
  •   Reporting Configuration
    •   How Reporting Engine Works
    •   Configure Reporting Engine
    •   Configure the Data Sources
      •   (Optional) Add Workbench as Data Source to Reporting Engine
      •   (Optional) Add Archiver as Data Source to Reporting Engine
      •   (Optional) Integrate EndPoint Information Into Reports
      •   (Optional) Add Collection as Data Source to Reporting Engine
    •   Configure Data Privacy for Reporting Engine
    •   Configure Data Source Permissions
    •   Configure Reporting Engine Settings
      •   Enable LDAP Authentication
      •   Add Additional Space for Large Reports
      •   Managing Log File Parameters
      •   Configure Task Scheduler for a Reporting Engine
    •   How to Define Reports, Charts, and Alerts
    •   Configure Reporting Engine General Settings
    •   Reporting Engine Reference
      •   Reporting Engine General Tab
      •   Reporting Engine Sources Tab
      •   Reporting Engine Output Actions Tab
      •   Reporting Engine Manage Logos Tab
  •   Warehouse Connector Configuration
    •   How Warehouse Connector Works
    •   Install Warehouse Connector Service on a Log Decoder or Decoder
    •   Configure a Warehouse Connector Service
    •   Configure the Data Source for Warehouse Connector
    •   Configure the Destination
      •   Configure the Destination Using NFS
      •   Configure the Destination Using SFTP
      •   Configure the Destination Using WebHDFS
    •   Configure a Stream
    •   Monitor a Warehouse Connector
    •   Add Warehouse as a Data Source to Reporting Engine
    •   Analyze a Warehouse Report
    •   View the Warehouse Connector Service
    •   Troubleshoot the Warehouse Connector
    •   Manage a Stream
    •   Manage a Lockbox
    •   Warehouse Connector Configuration References
      •   General Tab Settings
      •   Appliance Service Configuration Tab Settings
      •   Sources and Destinations Configuration
      •   Add Stream Dialog
      •   Streams Configuration
      •   Lockbox Settings
  •   UEBA Configuration
    •   UEBA Configuration Overview
    •   UEBA Configuration
    •   UEBA Configuration Troubleshooting
  •   Service Configuration
    •   Introduction
    •   Admin-server Configuration
    •   Analysis-server Configuration
    •   Config-server Configuration
    •   Content-server Configuration
    •   Contexthub-server Configuration
    •   Correlation-server Configuration
    •   Endpoint-broker-server Configuration
    •   Endpoint-server Configuration
    •   Enrichment-server Configuration
    •   Integration-server Configuration
    •   Investigate-server Configuration
    •   Launch-framework Configuration
    •   License-server Configuration
    •   Metrics-server Configuration
    •   Node-infra-server Configuration
    •   No-op-server Configuration
    •   Orchestration-server Configuration
    •   Relay-server Configuration
    •   Respond-server Configuration
    •   Security-server Configuration
    •   Source-server Configuration
  •   System Security and User Management
    •   Set Up System Security
      •   Configure Password Complexity
      •   Change the Default Admin Passwords
      •   Configure System-Level Security Settings
      •   (Optional) Configure External Authentication
        •   Configure Active Directory
        •   Configure PAM Login Capability
      •   (Optional) Configure PKI Authentication
      •   (Optional) Use a Custom Server Certificate
      •   (Optional) Create a Customized Login Banner
    •   How Role-Based Access Control Works
      •   Role Permissions
    •   Manage Users with Roles and Permissions
      •   Review the Preconfigured NetWitness Platform Roles
      •   (Optional) Add a Role and Assign Permissions
      •   Verify Query and Session Attributes per Role
      •   Set Up Users
      •   (Optional) Map User Roles to External Groups
      •   Search for External Groups
    •   Set Up Multi-Factor Authentication
    •   Set Up Single Sign-On Authentication
      •   Configure Single Sign-On
    •   (Optional) Set Up Public Key Infrastructure (PKI) Authentication
      •   Configure PKI Authentication
        •   Import Server Certificate and Trusted CA Certificate
        •   (Optional) Configure the CRL Manually
        •   Enable PKI Authentication
      •   Disable PKI
      •   Delete Server Certificate and Trusted CA Certificate
    •   Troubleshooting
    •   References
      •   Admin Security View
      •   Users Tab
        •   Add or Edit User Dialog
      •   Roles Tab
        •   Add or Edit Role Dialog
      •   External Group Mapping Tab
        •   Add Role Mapping Dialog
        •   Search External Groups Dialog
      •   Settings Tab
      •   PKI Settings Tab
      •   Login Banner Tab
      •   Single Sign-On Settings Tab
  •   Data Privacy Management
    •   Data Privacy Overview
    •   Recommended Configurations
    •   Quick Start Procedures
      •   Prepare to Configure Data Privacy
      •   Configure the Recommended Data Privacy Solution
    •   In-Depth Procedures
      •   Configure Data Obfuscation
      •   Configure Data Retention
      •   Configure User Accounts for Use in Data Privacy
    •   Data Privacy References
  •   System Configuration
    •   System Configuration Overview
    •   Standard Procedures
      •   Access System Settings
      •   Configure Notification Servers
        •   Notification Servers Overview
        •   Configure the Email Settings as Notification Server
        •   Configure Script as a Notification Server
        •   Configure the SNMP Settings as Notification Server
        •   Configure a Syslog Notification Server
      •   Configure Notification Outputs
        •   Notification Outputs Overview
        •   Configure Email as a Notification
        •   Configure Script as a Notification
        •   Configure SNMP as a Notification
        •   Configure Syslog as a Notification
      •   Configure Templates for Notifications
        •   Configure Global Notification Templates
        •   Define a Template for ESA Alert Notifications
        •   Import and Export a Global NotificationsTemplate
      •   Configure Email Server and Notification Account
      •   Configure Global Audit Logging
        •   Configure a Destination to Receive Global Audit Logs
        •   Define a Template for Global Audit Logging
        •   Define a Global Audit Logging Configuration
        •   Verify Global Audit Logs
      •   Configure Centralized Audit Logging
      •   Configure Investigation Settings
      •   Configure Live Services Settings
        •   Live Feedback Overview
        •   Upload Data to RSA
      •   Configure Log File Settings
      •   Configure Syslog and SNMP Settings
    •   AdditionalProcedures
      •   Add Custom Context Menu Actions
      •   Configure NTP Servers
      •   Configure Proxy for Security Analytics
    •   Troubleshooting System Configuration
    •   References
      •   Global Audit Logging Configurations Panel
        •   Add New Configuration Dialog
        •   Supported CEF Meta Keys
        •   Supported Global Audit Logging Meta Key Variables
        •   Global Audit Logging Operation Reference
        •   Local Audit Log Locations
      •   Global Notifications Panel
        •   Define Notification Server Dialogs
        •   Define Notification Output Dialogs
        •   Define Notification Template Dialog
        •   Output Tab
        •   Servers Tab
        •   Templates Tab
      •   HTTP Proxy Settings Panel
      •   Email Configuration Panel
      •   Investigation Configuration Panel
      •   Live Services Configuration Panel
      •   NTP Settings Panel
      •   Context Menu Actions Panel
      •   Legacy Notifications Configuration Panel
  •   System Maintenance
    •   Overview
    •   Review Best Practices
    •   Health and Wellness
      •   Monitor Health and Wellness using NetWitness Platform UI
        •   Manage Policies
          •   Include the Default Email Subject Line
        •   Monitor System Statistics
          •   Filter System Statistics
          •   Create Historical Graph of System Statistics
        •   Monitor Service Statistics
          •   Add Statistics to a Gauge or Chart
          •   Edit Properties of Statistics Gauges
          •   Edit Properties of Timeline Charts
        •   Monitor Hosts and Services
          •   Filter Hosts and Services in the Monitoring View
          •   Monitor Host Details
          •   Monitor Service Details
        •   Monitor Event Sources
          •   Configure Event Source Monitoring
          •   Filter Event Sources
          •   Create Historical Graph of Events Collected for an Event Source
        •   Monitor Alarms
        •   Monitor Health and Wellness Using SNMP Alerts
        •   Troubleshooting Health & Wellness
      •   Monitor using New Health and Wellness
        •   Configuring Alert Notifications
          •   Adding Alert Notifications
          •   Suppressing Notifications
        •   Monitoring through Dashboards
          •   Creating Custom dashboard
        •   Monitoring through Alerts
          •   Creating Custom Monitors
          •   Adding Custom Trigger to an Existing Monitor
        •   Managing Dashboards and Alerts
        •   Managing Alert Notifications
        •   Advanced Configurations
        •   Backup and Restore New Health and Wellness
        •   Troubleshooting Health and Wellness
        •   Appendices
          •   New Health and Wellness Dashboards
          •   New Health and Wellness Monitors
          •   Uninstall New Health and Wellness
    •   Manage NetWitness Platform Updates
    •   Reissue Certificates
    •   DisplaySystem and Service Logs
      •   Access Reporting Engine Log File
      •   Search and Export Historical Logs
    •   Maintain Queries Using URL Integration
    •   Manage the deploy_admin Account
    •   NW Server Host Secondary IP Configuration Management
    •   Change Host Network Configuration
    •   Manage Custom Host Entries
    •   Configure FIPS Support
    •   Configure DISA STIG Hardening
    •   Troubleshoot NetWitness Platform
      •   Debugging Information
      •   Error Notification
      •   Miscellaneous Tips
      •   Troubleshoot Feeds
    •   Troubleshooting Cert-Reissue Command
    •   References
      •   Health and Wellness
        •   Health and Wellness View - Alarms View
        •   Event Source Monitoring View
        •   Health and Wellness Historical Graphs
          •   Historical Graph View for Events Collected from an Event Source
          •   Historical Graph View for System Stats
        •   Health and Wellness Settings View - Archiver
        •   Health and Wellness Settings View - Event Sources
        •   Health and Wellness Settings View - Warehouse Connector
        •   Monitoring View
          •   Archiver Details View
          •   Broker Details View
          •   Concentrator Details View
          •   Decoder Details View
          •   ESA Correlation Details View
          •   ESA Analytics Details View
          •   Host Details View
          •   Log Collector Details View
          •   Log Decoder Details View
          •   Malware Details View
          •   Warehouse Connector Details View
        •   Policies View
          •   Health and Wellness Email Templates
          •   NetWitness Platform Out-of-the-Box Policies
        •   System Stats Browser View
      •   New Health and Wellness Settings
      •   System View - System Info Panel
      •   System Updates Panel - Settings View
      •   System Logging - Settings View
      •   System Logging - Realtime View
      •   System Logging - Historical View
  •   Disaster Recovery Tool
    •   Disaster Recovery
    •   Disaster Recovery Azure
    •   Disater Recovery AWS
    •   Appendix A. Modify fstab for Series 5 and 6 Hybrid Storage After Recovery
•   Investigate and Respond
  •   NetWitness Investigation
    •   How NetWitness Investigate Works
    •   Configuring NetWitness Investigate Views and Preferences
      •   Configure the Navigate View and Legacy Events View
      •   Configure the Events View
    •   Beginning an Investigation
      •   Begin an Investigation in the Navigate or Legacy Events View
      •   Begin an Investigation in the Events View
    •   Refining the Results Set
      •   Use Meta Groups to Focus on Relevant Meta Keys
      •   Use Columns and Column Groups in the Events List
      •   Use Query Profiles to Encapsulate Common Areas for Investigation
      •   Drill into Metadata in the Events View (Beta)
      •   Filter Results in the Events View
      •   Filter Results in the Navigate View
      •   Filter Results in the Legacy Events View
      •   Create a Query in the Navigate and Legacy Events Views
      •   Search for Text Patterns in the Navigate and Legacy Events Views
      •   View and Modify Queries Using URL Integration
    •   Reconstructing and Analyzing Events
      •   Examine Event Details in the Events View
      •   Analyze Events in the Events View
      •   Reconstruct an Event in the Legacy Events View
      •   Look Up Additional Context for Results
      •   Launch a Lookup of a Meta Key
      •   Launch a Malware Analysis Scan from the Navigate View
      •   Group Events from Split and Related Sessions in the Events and Legacy Events Views
      •   Visualize Metadata as Parallel Coordinates
      •   Visualize the Current Drill Point in Informer
    •   Downloading and Acting Upon Results
      •   Download Data in the Events View
      •   Export or Print a Drill Point in the Navigate View
      •   Export Events in the Legacy Events View
      •   Add Events to an Incident in the Events View
      •   Add Events to an Incident in the Legacy Events View
    •   Troubleshooting Investigate
    •   Investigate Reference Materials
      •   Add Events to an Incident Dialog
      •   Add/Remove from List Dialog
      •   Column Groups Dialogs
      •   Context Lookup Panel
      •   Create an Incident Dialog
      •   Events View
      •   Events View - Email Tab
      •   Events View - File Tab
      •   Events View - Host Tab
      •   Events View - Packet Tab
      •   Events View - Text Tab
      •   Investigate Dialog
      •   Investigation Tab - User Preferences Panel
      •   Investigate View
      •   Legacy Event Reconstruction View
      •   Legacy Events View
      •   Manage Default Meta Keys Dialog
      •   Meta Groups Dialogs
      •   Navigate View
      •   Query Dialog
      •   Query Profiles Dialogs
      •   Settings Dialogs for Investigate Views
  •   Malware Analysis
    •   Malware Analysis Functions
    •   Malware Scoring Modules
    •   Conducting Malware Analysis
      •   Begin a Malware Analysis Investigation
      •   Implement Custom YARA Content
      •   Examine Scan Files and Events in List Form
      •   Configure the Malware Analysis Summary of Events View
      •   Filter Dashlet Data in the Summary of Events View
      •   Upload Files for Malware Analysis Scanning
      •   View Detailed Malware Analysis of an Event
    •   Malware Analysis Reference Materials
      •   Malware Analysis View
      •   Malware Analysis Events List and Files List
      •   Scan For Malware Dialog
      •   Select a Malware Analysis Service Dialog
  •   NetWitness Endpoint Investigation
    •   Introduction to Endpoint Investigation
    •   Workflow of an Investigation
    •   Investigate Files
    •   Investigate Hosts
    •   Investigate Process
    •   Change File Status and Remediate
    •   Analyze Downloaded Files
    •   Perform Forensic Investigation
    •   Analyze Events
    •   Network Isolation
    •   NetWitness Endpoint with Third-Party Antivirus Products
    •   Troubleshooting NetWitness Endpoint
    •   NetWitness Endpoint Reference Materials
      •   Files View
      •   Hosts View
      •   Hosts View - Details Tab
      •   Hosts View - Process Tab
      •   Hosts View - Autoruns Tab
      •   Hosts View - Files Tab
      •   Hosts View - Drivers Tab
      •   Hosts View - Libraries Tab
      •   Hosts View - Anomalies Tab
      •   Hosts View - Downloads Tab
      •   Hosts View - System Information
      •   Hosts View - Agent History Tab
  •   User and Entity Based Analytics
    •   Introduction
    •   UEBA use Cases for Windows Logs
    •   How to Investigate High-Risk Entities
      •   Identify High-Risk Entities
      •   Begin an Investigation of High-Risk Entities
      •   Take Action on High-Risk Entities
      •   Manage High-Risk Entities
    •   Investigate Top Alerts
      •   Filter Alerts
      •   Investigate Indicators
      •   Manage Top Alerts
    •   Modeled Behaviors for Users
    •   View NetWitness UEBA Metrics in Health and Wellness
    •   Monitor Health and Wellness of UEBA
    •   Reference
      •   Overview View
      •   Users View
      •   Alerts View
      •   User Profile View
    •   Appendix: UEBA Windows Audit Policy
  •   Respond to Incidents
    •   NetWitness Respond Process
    •   Responding to Incidents
    •   Determine which Incidents Require Action
    •   Investigate the Incident
    •   Escalate or Remediate the Incident
    •   Incident Response Use Case Examples
    •   Reviewing Alerts
    •   NetWitness Respond Reference Information
      •   Incidents List View
      •   Incident Details View
      •   Alerts List View
      •   Alert Details View
      •   Tasks List View
      •   Add/Remove From List Dialog
      •   Context Lookup Panel - Respond View
  •   Generate Reports
    •   Reporting Overview
    •   Configure and Generate a Report
    •   Configure a Rule
    •   Create and Schedule a Report
    •   View a Report
    •   Investigate a Report
    •   Manage a List or Rule or Report
    •   Working with Charts
      •   Chart Overview
      •   Configure a Chart
      •   Schedule a Chart
      •   View a Chart
      •   Test a Chart
      •   Investigate a Chart
      •   Manage Chart Groups and Charts
    •   Working with Alerts
      •   Alert Overview
      •   Configure Reporting Engine
      •   Configure an Alert
      •   Schedule an Alert
      •   View an Alert
      •   Investigate an Alert
      •   Manage Alerts and Alert Templates
    •   Appendix
      •   Rule Syntax
      •   Warehouse DB Simple Rules
      •   Warehouse DB Advanced Rules
      •   Task Scheduler for Warehouse Reporting
      •   Query Aggregates
      •   Troubleshoot Reporting
    •   Reporting References
      •   Build Chart View
      •   Build List View
      •   Build Report View
      •   Build Rule View
      •   Chart Permissions Dialog
      •   Chart View
      •   Execution History Panel
      •   Generate List Dialog
      •   Import Chart Dialog
      •   Import Report Dialog
      •   Investigate a Chart View
      •   List Permissions Dialog
      •   List View
      •   Reports Permissions Dialog
      •   Report View
      •   Rule Permissions Dialog
      •   Rule View
      •   Select a Logo Dialog
      •   Schedule a Chart View
      •   Schedule Report Panel
      •   Scheduled Reports View
      •   Test a Chart View
      •   View a Chart Panel
      •   View All Charts Panel
      •   View a Report Panel
      •   View All Reports Panel
    •   Alerting References
      •   Alert List View
      •   Alert Permissions Dialog
      •   Alert Schedules View
      •   Create or Modify Alert Panel
      •   Investigate an Alert View
      •   Import Alert Dialog
      •   Template References
        •   Alert Template View
        •   Create or Modify Template View
      •   View Alerts Schedule View
      •   View Alerts View
•   Develop and Integrate
  •   RSA Archer Integration
    •   RSA Archer Integration
    •   Configure NetWitness Suite to Work With Archer
    •   Manage Unified Collector Framework
    •   Troubleshoot RSA Archer Integration
  •   RSA Endpoint Integration
    •   RSA Endpoint Integration
    •   Configure Endpoint Alerts via Message Bus
    •   Configure Contextual Data from Endpoint via Recurring Feed
    •   Configure Endpoint Alerts via Syslog into a Log Decoder
  •   RESTful API Guide
    •   Intro
    •   Usage
    •   Enable
    •   Packets
    •   Parser/Feed Upload
    •   Statistics Graph
    •   SDK Commands
  •   NetWitness Core Services API Guide
  •   NetWitness API Guide
  •   NetWitness Shell User Guide
    •   shell
    •   tree
  •   NetWitness NwConsole Guide
    •   Access NwConsole and Help
    •   Basic Command Line Parameters and Editing
    •   Connecting to a Service
    •   Monitoring Stats
    •   Useful Commands
    •   SDK Content Command
    •   SDK Content Command Examples
    •   Commands Used for Troubleshooting