Migrating NetWitness Endpoint 4.4.0.x to NetWitness Platform 11.3 and Later

This topic describes tasks required to migrate NetWitness Endpoint 4.4.0.x to NetWitness 11.3 and later.

Task 1 - Plan your NetWitness Deployment

  1. Review the Endpoint architecture and choose one of the following deployments based on number, distribution, and location of endpoints, and data collected from the agents. For more information, see the "NetWitness Endpoint Architecture" topic in the Deployment Guide.

    • A small deployment includes a NetWitness Server, an Endpoint Log Hybrid, and Event Stream Analysis (ESA).

    • A large deployment includes a NetWitness Server, one or more Endpoint Log Hybrids, and one or more ESA hosts.

      If you have multiple Endpoint Log Hybrids, install an Endpoint Broker. Once installed, it automatically queries all Endpoint servers in your deployment and provides a consolidated view of all Endpoint servers.

      Note: RSA recommends that you install the Endpoint Broker on the NetWitness Broker host. It is also supported on a separate host, NetWitness Server, and on an Endpoint Log Hybrid.

  2. Review existing licenses and hardware, and procure them as required.

    Make sure you have the required hardware for your deployment. For more information, see the "Supported Hardware" topic in the Physical Host Installation Guide.

    If you have existing NetWitness Endpoint 4.4.0.x licenses, you do not need to procure a new license. Your existing NetWitness Endpoint 4.4.0.x licenses will be available on myRSA as a NetWitness 11.3 and later license, with a different serial/license number.

    For more information, see the Licensing Management Guide.

Task 2 - Set up NetWitness Platform 11.3 and Later

  1. Configure the ports on your firewall. For more information, see the "Network Architecture and Ports" topic in the Deployment Guide.

  2. Install the following NetWitness components:
    • NetWitness Server
    • Endpoint Log Hybrid

    • ESA
    • Endpoint Broker (if you have more than one Endpoint Log Hybrid)

    For more information, see the Physical Host Installation Guide.

  3. If you have NetWitness Endpoint 4.4.0.x licenses:

  4. Verify that the licenses are reflected in ADMIN > System > Licenses.

Task 3 - Configure NetWitness Platform for Endpoints

  • Configure your RSA Live account and make sure the File Reputation service is enabled. For more information, see the Live Services Management Guide.

  • Create users and assign appropriate roles. For more information, see the System Security and User Management Guide.
  • Configure Endpoint Meta forwarding on Endpoint Log Hybrid. For more information, see the NetWitness Endpoint Configuration Guide.

  • Deploy ESA rules.

    The existing NetWitness Endpoint 4.4.0.x IIOCs are available as out-of-the-box Application rules and automatically available on installation.

    You must configure the ESA Correlation server with an Endpoint Concentrator and deploy the ESA content for risk score calculation. For more information, see the ESA Configuration Guide.

  • Review the default Agent Endpoint (EDR) policy and create groups as required. If you want to enable agents for log collection, review and apply the Windows Log policy.

    For more information, see the NetWitness Endpoint Configuration Guide.

Task 4 - Import NetWitness Endpoint 4.4.0.x Configurations

Import file status, certificate status, and blocked hashes from NetWitness Endpoint 4.4.0.x to NetWitness Platform. For more information, see Importing NetWitness Endpoint 4.4.0.x Configurations to NetWitness Platform.

Task 5 - Set up Other NetWitness Endpoint 4.4.0.x Configurations

You have to manually set up the following configurations:

  • Deploy Blacklisted IP addresses and other feeds that are relevant for your deployment from RSA Live through the NetWitness user interface.

  • (Optional) For any other external threat feeds, such as blacklisted IP address, domain, and checksum, that you may want to use to tag endpoint metadata, see the "Create a Custom Feed" topic in the Live Services Management Guide.

    For example, to notify an analyst about any communication from a host or file to a certain blacklisted IP address, domain, or hash, create a feed on the Log Decoder and tag the matching sessions for investigation and alerting.

  • (Optional) Review custom IIOCs and write Endpoint rules. For more information, see the "Custom Endpoint Rule for Risk Scoring" topic in the NetWitness Endpoint Configuration Guide.
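The following is an added illustration of the feed-based tagging described in this task; it is example code written for this page, not RSA's feed format, parser, or the Log Decoder's matching logic. It renders a few constructed (not real) indicators as a CSV feed, validates the IP entries before loading them, and then tags constructed endpoint session metadata that matches. The column layout, the meta key names used as callback keys (ip.dst, alias.host, checksum), and the validation rule are assumptions; the actual feed definition is in the "Create a Custom Feed" topic.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample indicators for illustration only (not real IoCs).
# Each entry is (callback_key, value, tag). The callback key names the meta
# key the value is matched against; these names are assumed for this example.
INDICATORS = [
    ("ip.dst", "203.0.113.42", "blacklisted_ip"),
    ("ip.dst", "not-an-ip", "blacklisted_ip"),          # malformed row, must be skipped
    ("alias.host", "bad.example.test", "blacklisted_domain"),
    ("checksum", "d41d8cd98f00b204e9800998ecf8427e", "blacklisted_hash"),
]


def build_feed_csv(indicators):
    """Render indicators as a CSV feed with a header row (assumed layout)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["callback_key", "value", "tag"])
    for key, value, tag in indicators:
        writer.writerow([key, value, tag])
    return buf.getvalue()


def load_feed(feed_csv):
    """Parse the feed into {callback_key: {value: tag}}.

    Values are lower-cased so that hash and hostname comparisons are
    case-insensitive. Rows whose callback key starts with "ip." must parse as
    an IP address; malformed rows are dropped and reported rather than
    silently indexed, so a typo in the feed cannot create a match that never
    fires.
    """
    index = defaultdict(dict)
    rejected = []
    for row in csv.DictReader(io.StringIO(feed_csv)):
        key, value, tag = row["callback_key"], row["value"].strip(), row["tag"]
        if key.startswith("ip."):
            try:
                ipaddress.ip_address(value)
            except ValueError:
                rejected.append((key, value, "not a valid IP address"))
                continue
        index[key][value.lower()] = tag
    return index, rejected


def tag_session(session, index):
    """Return the feed tags that apply to one session.

    `session` is a dict of meta key -> list of values, the shape an endpoint
    session's metadata takes after it is parsed (assumed representation).
    """
    tags = []
    for key, values in session.items():
        lookup = index.get(key)
        if not lookup:
            continue
        for value in values:
            tag = lookup.get(str(value).lower())
            if tag and tag not in tags:
                tags.append(tag)
    return tags


def sessions_to_investigate(sessions, index):
    """Return [(session_id, tags)] for sessions that hit at least one indicator."""
    hits = []
    for session_id, session in sessions.items():
        tags = tag_session(session, index)
        if tags:
            hits.append((session_id, tags))
    return hits


# Constructed endpoint sessions: one outbound connection, one file event with
# an upper-case hash, and one clean session.
SAMPLE_SESSIONS = {
    "s1": {"ip.dst": ["198.51.100.7", "203.0.113.42"], "alias.host": ["update.example.test"]},
    "s2": {"checksum": ["D41D8CD98F00B204E9800998ECF8427E"], "filename": ["tool.exe"]},
    "s3": {"ip.dst": ["198.51.100.9"], "alias.host": ["intranet.example.test"]},
}

if __name__ == "__main__":
    index, rejected = load_feed(build_feed_csv(INDICATORS))
    print("rejected feed rows:", rejected)
    for session_id, tags in sessions_to_investigate(SAMPLE_SESSIONS, index):
        print(f"{session_id}: {', '.join(tags)}")
```

Run as-is, the script reports the malformed IP row as rejected and flags s1 (blacklisted_ip) and s2 (blacklisted_hash) while leaving s3 untouched. Reviewing the rejected rows before a feed goes live is the check worth keeping: an indicator that never parses is an indicator that never alerts.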

Task 6 - Deploy Agents

  1. Generate an agent packager from NetWitness 11.3 and later.
  2. Copy the agent packager (AgentPackager.zip) to a Windows machine and generate the 11.3 and later agent installers.

  3. Do one of the following to upgrade 4.4.0.x agents to 11.3 and later:
    • If you have NetWitness Endpoint 4.4.0.9 Console Server, copy the agent installers to the NetWitness Endpoint Console Server, and upgrade from the NetWitness Endpoint user interface.

    • If you have 4.4.0.0 or 4.4.0.8, copy the agent installers and deploy them with a third-party software distribution tool.

  4. Deploy the agents.

For more information, see the NetWitness Endpoint Agent Installation Guide.

Task 7 - Verify the Agent Migration

After the agent migration, verify the following:

  • Agents are able to communicate with the Endpoint Server and are listed in the Investigate > Hosts view.

  • Perform a scan and make sure that the snapshot details are displayed in the Investigate > Host Details view.

  • Host metadata is available in the Investigate > Navigate and Events views.

    If the Windows Log collection is enabled, make sure that the Windows logs are available in the Navigate and Events view.

  • File reputation, file status, and risk scores are available in the Hosts and Files views.

For detailed information, see the NetWitness Endpoint Configuration Guide.