NetWitness Platform XDR

RSA Security, LLC

NetWitness Platform XDR

RSA Security, LLC

NetWitness Platform XDR on Azure

NetWitness Platform XDR

RSA Security, LLC

NetWitness Platform XDR for Azure Increases Visibility, Improves Response Efficiency

See Everything. Fear Nothing. By rapidly detecting and responding to today’s targeted attacks
NetWitness is an Evolved SIEM and Open XDR platform that accelerates threat detection and response. It can collect and analyze data across all capture points (Logs, Packets, NetFlow, Endpoint, and IoT) and computing platforms (physical, virtual and cloud), enriching data with threat intelligence and business context.
The NetWitness Platform XDR allows security analysts to prioritize, respond, reconstruct, survey, investigate and confirm information about the threats in their environment and take the appropriate response—quickly and precisely.

Key Features:

  • Unparalleled visibility

    Gives security teams the visibility they need to detect sophisticated threats hiding in today’s complex, hybrid IT infrastructures. Provides real-time visibility into all network traffic with full packet capture, deep packet inspection, along with on-board decryption, allowing you to detect emerging, targeted, and unknown threats as they traverse the network, monitor attackers’ movement, and reconstruct entire network sessions.
  • Improved analyst productivity

    Orchestration and automation capabilities make it easier for analysts to prioritize and investigate threats faster and coordinate activities across the entire security team. Empowers analysts to hunt the most advanced threats.
  • Faster, more advanced threat detection

    Detects attacks in a fraction of the time of other platforms and connects incidents to expose the full attack scope. Speeds threat detection and investigation by enriching network and endpoint data at capture time with threat intelligence and business context.
  • Smarter, faster analytics

    Analytics powered by machine learning with the scale of cloud delivers early detection of anomalies that lead to external and internal threats.


  • Policy Based Centralized Content Management

    A unified approach to find, deploy, and manage content through the entire lifecycle based on policies that can be assigned to groups of devices
  • Content Bundles

    A logical grouping of content that allows customers to deploy based on detection use cases without knowledge of all the underlying content types
  • Detections using Yara Rules

    Endpoint agents run Yara rules locally to find malicious files
  • Endpoint Detections using Imported File Hashes

    Analysts can import a list of file hashes that will automatically be blocked if seen in the environment
  • Arm Processor Support

    Administrators can install endpoint agents on Arm based systems, including Microsoft Surface hosts
  • TLS 1.3 Decryption

    Expands the network packet decryption capability to provide customers with the ability to inspect TLS 1.3 encrypted communications using ephemeral session keys
  • Improved Log Parsing

    Improvements to handle parsing of structured and unstructured data embedded in variables of logs and handling multiple duplicate meta


  • Reimagined Response to Endpoint Alerts

    As analysts triage alerts all the relevant information is made available including a process tree
  • Key Performance Indicators

    Reports to provide SOC managers operational metrics, including MTTA, MTTD and MTTR
  • Rich OOTB Springboard Panels

    Analysts gain insight to suspicious behaviors and can customize the Springboard
  • Convert Query into Springboard Panel

    During investigations an analyst can convert a query into a Springboard panel to keep a watch on the results
  • Bulk MFT Download

    Analysts reviewing an incident related to multiple endpoint agents save time by doing bulk downloads of all the master file tables
  • Respond Flexible Deployment

    Increased visibility into detections with Respond and context enrichment are more accessible as both components can be deployed in the absence of the Event Stream Analytics


  • Endpoint Agent IP Filtering by CIDR Notation

    Administrators can group endpoint agents using CIDR notation in addition to individual IP addresses
  • Guidance to Automate Full Stack Cloud & VM Deployments

    Customers with virtual or cloud environments can use documented steps to automate their existing infrastructure and manage upgrades

Learn More