Overall, it is easy to implement.

I can have enterprise security, email security, next generation firewall security logs, HIDS and NIDS logs, etc. all on the same dashboard. It makes it easy to pinpoint or correlate our server to this. I can find out if there is lateral movement. This is the biggest advantage of this solution.

The solution's most valuable feature is incident management.

The product has a user-friendly interface and a valuable feature for threat intelligence integration.

The development of use cases on the SSA console is quite user friendly. This means that the security analyst or the researcher does not have to learn another language.

The wireless feature is good, it tells you when to check a spot, which file it has used to encrypt, whether it is spreading and how many hosts have been infected. It's about data analysis. Looking at the network logs, it's difficult to figure out where the problem is coming from and where it's going, but those kinds of features help me a lot. The solution provides lots of automatic rules which is helpful. Technically speaking, this is a good product. 

NetWitness Platform is valuable for creating rules that the solution must detect.

The most valuable feature is the hunting ability to work in a CERT.

The most valuable feature of RSA NetWitness Logs and Packets are the alerts and correlations tools.

The most valuable feature of the NetWitness Platform, as I've found through occasional engagements, is its Total Customer Ownership (TOC) approach. It encompasses having a unified engine and database where all collected information, including logs, network traffic, and endpoint data, is correlated and analyzed. This centralized database enables efficient analysis and correlation of security events aided by artificial intelligence algorithms. Additionally, customers can develop custom parsers to integrate new data sources into the database, enhancing its speed and reliability.

I don't really see any valuable features in the product. I feel that it is time to move away from NetWitness Platform. All SIEM tools have to deal with advanced use cases, and many of them are getting upgrades, but this is not the case with NetWitness Platform. NetWitness Platform has remained the same for almost four to five years. The support and RMAs offered by the product in our region have also become very bad.

It gives the capability for the incident response team to correlate logs to identify any kind of problem like malware and incidents in a general sense, both for logs and packets. I think the most important thing was that it gives the customer the capability to discover and respond to an incident. It gives customers visibility about their most important servers and devices.

Regarding the packet model, the most important thing is how easy it is to rebuild the raw data. Through one click, you can see an email that was sent even without accessing the mailbox from the user. It's easy to rebuild the raw data, especially the packet.

We have not evaluated this tool. It is evaluated by the client's company directly. That said, I have found it has good threat intel insights, comparatively speaking. 

From the client-side, there are economical kinds of features.  It's quite economical compared to other solutions in the market. 

The solution is scalable. 

The technical support is very good.

In my opinion, the solution's most valuable feature is its capacity to monitor network traffic, logs from devices within the network, and network captures.

This capability extends beyond logs to include full network capturing.

The newer 11.5 version that my team is using has found it to have good mapping.

The most valuable features are the threat prediction and network forensics. For example, if there is any malware on the network, I am able to see who received it and who clicked on it. I like this functionality the most.

The deployment of the appliance is easy, where even a non-technical person can configure it.

The most valuable feature is the security that it provides.

The log-related capabilities are good.

It integrates well with other risk-assessment tools.

The most valuable features are the packet decoder, log decoder, and concentrator. The packet decoder is capable of collecting the flow, whereas the log decoder is capable of collecting the event. NetWitness offers a hybrid solution that collects both and also uses the concentrator.

The most valuable features are the integration and ease of use. It is a pretty simple platform that can integrate very well with our system.

The most valuable features are the packet inspection and the automated incident response.

The most valuable feature is that we can create our own connectors for any application, and NetWitness provides the training and tools to do it. With some other solutions, creating custom connectors is very costly.

The dashboard is very simple to use.

The most valuable feature is the ability to write rules and triggers for network communication and then being able to investigate based on that. You can see the payload and deconstruct the packets.

RSA NetWitness is a SIEM and real-time network traffic solution. It collects logs/packets and applies a set of alerting, reporting and analysis rules on them. Thus, it provides the enterprise with a full visibility of the networks and activities of the systems.

Its main features/components are:

• Investigation Module: It is the location where the SOC analysts can find all logs/packets captured in a time-frame, that are related/non-related and have drill-down/filtration capabilities all in one table, for investigation and analysis.
• Alerting Module: It provides real-time event processing language on all the logs/packets stream for advanced alerting, i.e., using SQL LIKE statements.
• Reporting Module: It provides advanced reporting capabilities.
• Dashboard Module: It provides dashboards for specific activities on the systems and networks.
• Command and Control Detection: In additional to identifying the C&C IPs through threat intelligence, NetWitness investigates the packets to determine any type of suspicious C&C communication, by using a feature called Automated Threat Detection.
• Threat Hunting Package: By using this advanced technique, NetWitness automatically investigates all the service sessions, files/packets and then it identifies any IoCs, BoCs and EoCs.
• Context Lookup: In order to give an overview during investigation, this feature highlights any value related to the previous alert, incident, RSA ECAT feed mentioned or even if it had any comment from the RSA community, that leads to detecting any recent attack (even if it is still not announced on threat intelligence).
• Incident Module: It provides an automated incident handling utility to ensure that right actions have been taken to close the incident.
• Malware Analysis Module: It provides a file analysis environment including sandboxing, community etc., so as to investigate more of the files captured through the environment traffic.

What we are mainly using are the RSA Concentrator, RSA Decoder, Archiver, Broker, and Log Decoder.

Performance and reporting are very good. 

• Packet Solution: Allows analyst proactive hunting and alerting on daily sophisticated APTs.
• Broker service: Aggregate multiple concentrator devices deployed in various sites which accelerates analyst’s duties.
• Archiver – Does log retention for three to five years for forensics purposes or targeted investigations in the future.

The packet capture aspect of it is a valuable feature because it is quite different from a traditional SIEM solution that only carries out investigations based on captured logs. So, the capture packet also gives you specific insight into what's going on in the network, and it makes your trace investigation much more comprehensive.

The user interface is fine.

The most valuable features are its

• ingestion of logs 
• raising of alerts based on those logs.

Full packet capture: A must in an SOC

Possibility to investigate incidents based on logs and raw packets, such as extracting files sent over the network

Built-in Incident Management module for small security/SOC teams

Advanced correlation engine based on metadata flow: Provides nearly real time correlation

Rich reporting options

The protection that we get from the firewall is the most valuable aspect that we get from this solution.

The most valuable feature is the correlation. It can report in real-time and monitor the management. 

It gives the ability to investigate into network traffic in the Net and the organization what we couldn't do before.