Importing NetWitness Endpoint 4.4.0.x Configurations to NetWitness Platform

You can import file status, certificate status, and blocked hashes from NetWitness Endpoint 4.4.0.x to NetWitness Platform using the MigrationHelper Python script.

Note: The MigrationHelper Python script must be run only on a Windows host.

You can download the script from RSA Link:

RSA NetWitness > Downloads > RSA NetWitness Platform > Version 11.3 > Tools.

Prerequisites

To run the Python script:

  • Install Python 3.6.x or later on a Windows host that can connect to the NetWitness Endpoint 4.4.0.x primary database.
  • Install pyodbc by downloading the wheel file from https://pypi.org/project/pyodbc/#files, and run the following command:

    pip install wheel-file.whl

  • If the json and os.path libraries are not available in the Python installation, install them by downloading the corresponding wheel file from https://pypi.org/ and running the following command:

    pip install wheel-file.whl

Import File and Certificate Status

Note: If the certificate status is graylisted in NetWitness Endpoint, this status is not exported as graylist is not supported for certificates in NetWitness Platform 11.3 and later.

  1. Run the MigrationHelper Python script.

    Note: Run this script from any host that has access to the NetWitness Endpoint primary database.

  2. Enter the following:
    1. Database server host name or IP address (for example, 10.40.40.10)
    2. Database name (for example, ECATPrimary)
    3. Database credentials
  3. Enter the path where the exported files are to be stored and press Enter. Make sure that the path exists. The file status and certificate status are exported to JSON files.

  4. Log in to the Context Hub server and copy the exported files to the /var/netwitness/contexthub-server/data/ directory.

  5. On the NW server, run the nw-shell command from the command line.

    Note: Make sure that all Endpoint servers on NetWitness 11.3 and later are online while importing data.

  6. Run the login command and enter the credentials.

  7. Connect to the Context Hub server using the following command:

    connect --service contexthub-server

  8. Run the following commands to import the file status:

    cd contexthub/file/status/import

    show

    invoke <file path>/FileStatus.json

    Note: <file path> is the path on the Context Hub server where the file is saved. The Context Hub server runs on the ESA primary host.

  9. Run the following commands to import the certificate status:

    cd contexthub/certificate/status/import

    show

    invoke <file path>/CertificateStatus.json

    Note: <file path> is the path on the Context Hub server where the file is saved. The Context Hub server runs on the ESA primary host.

  10. Check the progress of the import in the /var/log/netwitness/contexthub-server/contexthub-server.log file.

    Once the import is complete, the message "Imported File status successfully" or "Imported Certificate status successfully" is written to the log file.

If you want to unblock files that were imported from 4.4.0.x as blocked:

  1. On the NW server, run the nw-shell command from the command line.
  2. Run the login command and enter the credentials.
  3. Connect to the Context Hub server using the following command:

    connect --service contexthub-server

  4. Run the following commands to unblock the file status:

    cd contexthub/file/status/unblock

    invoke <checksum of blocked file>
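A pre-flight check of the exported JSON files before you copy them to the Context Hub server (step 4 of the import) and a listing of the checksums the unblock step takes. This is an added example, not part of RSA's MigrationHelper script; the record layout (a JSON array with hash/thumbprint, status and blocked fields), the status names and the sample values are assumptions.

```python
import json
import re
from collections import Counter

# Hex digest lengths for MD5, SHA-1 and SHA-256, the hashes Endpoint reports.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
# Graylist is not supported for certificates in 11.3 and later (see note above).
UNSUPPORTED_CERT_STATUS = {"graylist"}

# Constructed sample exports; the real layout of MigrationHelper's output is assumed.
FILE_STATUS_JSON = json.dumps([
    {"hash": "d41d8cd98f00b204e9800998ecf8427e", "status": "Blacklist", "blocked": True},
    {"hash": "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709", "status": "Whitelist", "blocked": False},
    {"hash": "not-a-hash", "status": "Graylist", "blocked": False},
])
CERT_STATUS_JSON = json.dumps([
    {"thumbprint": "a" * 40, "status": "Whitelist"},
    {"thumbprint": "b" * 40, "status": "Graylist"},
    {"thumbprint": "a" * 40, "status": "Blacklist"},
])


def check_export(raw_json, key, unsupported=frozenset()):
    """Validate one export: returns (list of problems, Counter of statuses)."""
    problems, counts, seen = [], Counter(), set()
    for i, rec in enumerate(json.loads(raw_json)):
        value = str(rec.get(key, "")).strip().lower()
        status = str(rec.get("status", "")).strip().lower()
        if not HASH_RE.match(value):
            problems.append(f"record {i}: malformed {key} {value!r}")
        if value in seen:  # two statuses for one hash would conflict on import
            problems.append(f"record {i}: duplicate {key} {value}")
        seen.add(value)
        if status in unsupported:
            problems.append(f"record {i}: status {status!r} is not importable for {key}s")
        counts[status] += 1
    return problems, counts


def blocked_hashes(raw_json):
    """Checksums you would pass to 'invoke' under contexthub/file/status/unblock."""
    return sorted(str(r["hash"]).lower() for r in json.loads(raw_json) if r.get("blocked"))


if __name__ == "__main__":
    for name, raw, key, bad in (("FileStatus", FILE_STATUS_JSON, "hash", ()),
                                ("CertificateStatus", CERT_STATUS_JSON, "thumbprint", UNSUPPORTED_CERT_STATUS)):
        problems, counts = check_export(raw, key, bad)
        print(name, dict(counts), *problems, sep="\n  ")
    print("blocked:", blocked_hashes(FILE_STATUS_JSON))
```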