Installation Tasks

This topic contains the tasks you must complete to install NetWitness UEBA standalone installation.

Note: Download or make sure you have access to the Physical Host Installation Guide for Version 12.3.1  before beginning the tasks. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

For Physical Hosts:

You need to complete the following tasks in the order shown below.

Task 1. Install 12.3.1 on the NetWitness Server Host

Task 2. Install 12.3.1 Log Hybrid Host

Task 3. Install and Configure NetWitness® UEBA

Task 1. Install 12.3.1 on the NetWitness Server Host

For the NetWitness Server (NW Server), this task:

  • Creates a base image.
  • Sets up the 12.3.1 NW Server host.

For more information on how to install the NetWitness Server host, see "Install 12.3.1  on the NetWitness Server (NW Server) Host" section in the Physical Host Installation Guide for Version 12.3.1. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Task 2. Install 12.3.1 Log Hybrid Host

For a non-NW Server host, this task:

  • Creates a base image.
  • Sets up the 12.3.1  non-NW Server host or Log Hybrid.

For more information on how to install the Log Hybrid host, see "Task 2 - Install 12.3.1 on Other Component Hosts" section in the Physical Host Installation Guide for Version 12.3.1. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Task 3. Install and Configure NetWitness® UEBA

To set up NetWitness UEBA, you must install and configure the NetWitness UEBA service.

The following procedure shows you how to install the NetWitness UEBA service on a NetWitness UEBA Host Type and configure the service.

  1. Complete steps 1 - 14 under "Task 2 - Install 12.3.1 on Other Component Hosts" in "Installation Tasks" of the NetWitness Platform Physical Host Installation Guide for Version 12.3.1. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

    Note: The Kibana and Airflow webserver User Interface password is the same as the deploy_admin password. Make sure that you record this password and store it in a safe location.

  2. Log in to the NetWitness Platform and go to netwitness_adminicon_25x22.png (Admin) > Hosts.

    The New Hosts dialog is displayed with the Hosts view grayed out in the background.

    Note: If the New Hosts dialog is not displayed, click Discover in the Hosts view toolbar.

  3. Select the host in the New Hosts dialog and click Enable.

    The New Hosts dialog closes and the host is displayed in the Hosts view.

  4. Select that host in the Hosts view (for example, UEBA) and click netwitness_ic-install.png.

    The Install Services dialog is displayed.

  5. Select the UEBA Host Type and click Install.

    installueba.png

  6. Make sure that the UEBA service is running.
  7. Complete licensing requirements for NetWitness UEBA.

    See the NetWitness Platform 12.3.1 Licensing Management Guide for more information. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

    Note: NetWitness Platform supports the User and Entity Behavior Analytics License (UEBA). This license is used based on the number of users. The Out-of-the-Box Trial License is a 90-day trial license. In case of UEBA licenses, the 90-day trial period begins from the time the UEBA service deployed on the NetWitness Platform product.

Configure NetWitness UEBA

To start running UEBA:

  1. Define the following parameters: data schemas, data source (NetWitness Broker or Concentrator) and start date.

    1. Define UEBA schemas:
      Choose schemas from the following list:

      AUTHENTICATION, FILE, ACTIVE_DIRECTORY, PROCESS, REGISTRY and TLS.

      Note: The TLS packet requires adding the hunting package and enabling the JA3 feature. For more information regarding events that each schema contains, see the NetWitness UEBA Configuration Guide.

    2. Define the data source:
      If your deployment has multiple Concentrators, we recommend that you assign a Broker at the top of your deployment hierarchy for the NetWitness UEBA data source.

    3. Define the UEBA start-date:

      Note: The selected start date must contain events from all configured schemas.

      NetWitness recommends that the UEBA start date is set to 28 days earlier than the current date. For UEBA systems that intend to process TLS data, you must make sure that the start date is set to no later than 14 days earlier than the current date.

  2. . Create a user account for the data source (Broker or Concentrator) to authenticate to the data.
    1. Log into NetWitness Platform.
    2. Go to netwitness_adminicon_25x22.png (Admin) > Services.
    3. Locate the data source service (Broker or Concentrator).
      Select that service, and select netwitness_actiondd.png (Actions) > View > Security.

    4. Create a new user and assign the “Analysts” role to that user.

      The following example shows a user account created for a Broker.

      netwitness_ueba_login_datasource.png

  3. SSH to the NetWitness UEBA server host.
  4. (For Virtual Machines Only) Set the appropriate parallelism value:
    If the UEBA system runs on VM, update the airflow parallelism value to be 64 by running the following command:
    sed -i "s|parallelism = 256|parallelism = 64|g" /var/netwitness/presidio/airflow/airflow.cfg

  5. Submit the following commands with the above parameters that you already defined.
    /opt/rsa/saTools/bin/ueba-server-config -u <user> -p <password> -h <host> -o <type> -t <startTime> -s <schemas> -v -e <argument>
    Where:
Argument Variable Description
-u <user> User name of the credentials for the Broker or Concentrator instance that you are using as a data source.
-p <password>

Password of the credentials for the Broker or Concentrator instance that you are using as a data source. The following special characters are supported in a password.

!"#$%&()*+,-:;<=>?@[\]^_`\{|}

If you want to include a special character or special characters, you must delimit the password with an apostrophe sign, for example:
sh /opt/rsa/saTools/bin/ueba-server-config -u brokeruser -p '!"UHfz?@ExMn#$' -h 10.64.153.104 -t 2018-08-01T00:00:00Z -s 'AUTHENTICATION FILE ACTIVE_DIRECTORY TLS PROCESS REGISTRY' -o broker -v

-h <host> IP address of the Broker or Concentrator used as the data source. Currently, only one data source is supported.
-o <type> Data source host type (broker or concentrator).
-t <startTime>

Historical start time as of which you start collecting data from the data source in YYYY-MM-DDTHH-MM-SSZ format (for example, 2018-08-15T00:00:00Z).

Note: The script interprets the time you enter as UTC (Coordinated Universal Time) and it does not adjust the time to your local time zone.

-s <schemas>

Array of data schemas. If you want to specify multiple schemas, use a space to separate each schema (for example, AUTHENTICATION FILE ACTIVE_DIRECTORY PROCESS REGISTRY TLS).

-v   verbose mode.
-e <argument>

Boolean Argument. This enables the UEBA indicator forwarder to Respond.

Note: If your NetWitness deployment includes an active Respond server, you can transfer NetWitness UEBA indicators to the Respond server and create incidents by enabling the indicator forwarder, from this data. For more information on how to enable the NetWitness UEBA incidents aggregation, see Installation Tasks.

  1. Set the appropriate "Boot Jar Pools" slots:

    • Physical Appliance: Update the spring_boot_jar_pool" slots to be 18.

    • Virtual Appliance: If the UEBA system is running on VM, update the spring_boot_jar_pool and the retention_spring_boot_jar_pool slots values to 5.
      To update the “Spring Boot Jar Pools” slots, Go to the Airflow main page, tap the “Admin” tab at the top bar and tap “Pools”.

    1. To access the Airflow UI, go to https://<UEBA_host>/admin and enter the credentials.

    • User: admin

    • Password: The environment deploy admin password.

    1. Click on the pencil mark of the polls to update the slot values.
      netwitness_airflowslt.png

Enable Access Permission for the NetWitness UEBA User Interface

After you install NetWitness UEBA standalone 12.3, you need to assign the UEBA_Analysts and Analysts roles to the UEBA users. For more information, see 'Assign User Access to UEBA' topic in the NetWitness UEBA Configuration Guide. After this configuration, UEBA users can access the Investigate > Users view.

Note: To complete NetWitness UEBA configuration according to the needs of your organization, See the NetWitness UEBA Configuration Guide.

For Virtual Hosts:

You must complete the following tasks in the order shown below.

Task 1. Install 12.3.1 on the NetWitness Server Host

Task 2. Install 12.3.1 Log Hybrid Host

Task 3. Install and Configure NetWitness® UEBA

Task 1. Install 12.3  on the NetWitness Server Host

On the host you have deployed for the NetWitness Server (NW Server), this task installs:

  • The 12.3.1.0 NW Server environmental platform.
  • The NW Admin Server.
  • A repository with the RPM files required to install the other functional components or services.

For more information on how to install the NetWitness Server host, see "Task 1- Install 12.3.1.0 on the NW Server Host" section in the Virtual Host Installation Guide for Version 12.3.1. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Task 2. Install 12.3.1 Log Hybrid Host

Complete the following tasks on a non-NW Server host:

  • Install the 12.3.1.0 environmental platform.
  • Apply the 12.3.1.0 RPM files to the service from the NW Server Update Repository.

Note: You must install the Log Hybrid host.

For more information on how to install the non-NetWitness Server host, see "Task 3 - Install 12.3.1 for on Other Component Hosts" section in the Virtual Host Installation Guide for Version 12.3.1. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Task 3. Install and Configure NetWitness® UEBA

Prerequisite: Increase Memory for Virtual Deployment

Virtual Machines are deployed with approximately 104 GB in the storage mount by default. To install NetWitness UEBA, you must increase the storage space in your virtual environment to at least 800 GB.

To set up NetWitness UEBA, you must install and configure the NetWitness UEBA service.

The following procedure shows you how to install the NetWitness UEBA service on a NetWitness UEBA Host Type and configure the service.

  1. Complete steps 1 - 15 for Virtual Hosts under "Task 3 - Install 12.3.1  on Other Component Hosts" in "Installation Tasks" of the NetWitness Platform Virtual Host Installation Guide for Version 12.3.1. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

    Note: The Kibana and Airflow webserver User Interface password is the same as the deploy admin password. Make sure that you record this password and store it in a safe location.

  2. Complete steps 2 - 9 under Task 3. Install and Configure NetWitness® UEBA.