Step 5. Post Installation Tasks

This topic contains the tasks you complete after you install 12.1.

Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Event Stream Analysis (ESA)

Configure Meta Keys on New ESA Hosts to Match Upgraded ESA Hosts in the Same NetWitness Platform Network

If you have one or more ESA hosts in a NetWitness Platform network, which were upgraded from a version before 11.3.0.2 to 11.7, and you add a new ESA host, you must configure the meta keys on the new ESA host to match the other ESA hosts. All ESA Correlation services on the same NetWitness Platform network must have the same Meta Key configurations.

  1. For each ESA Correlation service on an upgraded ESA host and for the ESA Correlation service on the newly installed ESA host:
    1. Open a new tab, go to Admin > Services, and in the Services view, select the ESA Correlation service and then select Actions > View > Explore.
    2. In the Explore view node list for the ESA Correlation service, select correlation > stream.

  2. Ensure that the multi-valued and single-valued meta key values are the same on each of the upgraded ESA Correlation services.
  3. Ensure that the multi-valued and single-valued meta key values on the newly installed ESA host are the same as those on the upgraded services.
  4. To apply any changes on the ESA Correlation services, go to Configure > ESA Rules and click the Settings tab. Under Meta Key References, click the Meta Re-Sync (Refresh) icon.
  5. If you updated the ESA Correlation services, redeploy the ESA rule deployments.

For more information, see "Update Your ESA Rules for the Required Multi-Value and Single-Value Meta Keys" in the ESA Configuration Guide.

NetWitness Endpoint

The tasks in this section only apply to customers that use the NetWitness Endpoint component of NetWitness Platform.

Install Endpoint Log Hybrid

Depending on the number of agents and the location of the agents, you can choose to deploy a single Endpoint Log Hybrid host or multiple Endpoint Log Hybrid hosts. To deploy a host, you provision it and install a category on it.

  • Single Endpoint Log Hybrid host - Deploy NetWitness Server host, Endpoint Log Hybrid host, and ESA host or hosts.

  • Multiple Endpoint Log Hybrid hosts - Deploy NetWitness Server host, ESA host or hosts, Endpoint Log Hybrid hosts. For a consolidated view of all endpoint data from multiple Endpoint Log Hybrid hosts, install the Endpoint Broker.

    Note: NetWitness recommends that you co-locate the Endpoint Broker on the NetWitness Broker host. However, you can deploy the Endpoint Broker on a separate host or co-locate it on the Endpoint Log Hybrid.

    Note: You must plan to scale your ESA deployment to support multiple Endpoint Log Hybrid hosts.

Follow these steps to deploy an Endpoint Log Hybrid host.

Complete the following steps first:

Configuring Multiple Endpoint Log Hybrids

Follow these steps to install another Endpoint Log Hybrid.

Step 1: Install additional Endpoint Log Hybrid

  • To install a physical host, complete steps 1 - 16 in "Install NetWitness Platform" under Installation Tasks in the Physical Host Installation Guide for NetWitness Platform 12.1
  • To install a virtual host, complete steps 1 - 16 in "Step 4. Install NetWitness Platform" under Install NetWitness Platform Virtual Host in Virtual Environment in the Virtual Host Installation Guide for NetWitness Platform 12.0

Step 2: Set up the Endpoint Log Hybrid

  1. Create the directory for the Endpoint CA files:

    mkdir -p /etc/pki/nw/nwe-ca

  2. Copy the following certificates from the first Endpoint Log Hybrid to the secondary Endpoint Log Hybrid:

    /etc/pki/nw/nwe-ca/nwerootca-cert.pem

    /etc/pki/nw/nwe-ca/nwerootca-key.pem

    Note: NetWitness recommends that you copy the certificates from the Endpoint Log Hybrid to the secondary Endpoint Log Hybrid (CentOS to Windows) using the SCP command to avoid any corruption caused by antivirus or third-party tools.

IMPORTANT: You must back up the nwerootca-cert.pem and nwerootca-key.pem certificate files after installing the first Endpoint Log Hybrid. This is an important prerequisite for Endpoint recovery configuration. For more information, see the High Availability (Endpoint Recovery) topic in the NetWitness Endpoint User Guide for 12.3.1.

Step 3: Switch to the NetWitness UI and add Hosts

Add Hosts to the Endpoint Log Hybrid:

  1. Log into NetWitness Platform and click Admin > Hosts.

    The New Hosts dialog is displayed with the Hosts view grayed out in the background.

    Note: If the New Hosts dialog is not displayed, click Discover in the Hosts view toolbar.

  2. Select the host in the New Hosts dialog and click Enable.

    The New Hosts dialog closes and the host is displayed in the Hosts view.

  3. Select that host in the Hosts view (for example, Endpoint) and click the Install icon.

    The Install Services dialog is displayed.

  4. Select the Endpoint Log Hybrid category and click Install.
  5. Make sure that the Endpoint Log Hybrid service is running.
  6. Configure Endpoint Meta forwarding.

    See the Endpoint Configuration Guide for instructions on how to configure Endpoint Meta forwarding.

  7. Deploy the ESA Rules from the Endpoint Rule Bundle. For more information, see "Deploy Endpoint Risk Scoring Rules on ESA" section in the ESA Configuration Guide.

    Note: The Endpoint IIOCs are available as OOTB Endpoint Application rules.

  8. Review the default policies and create groups to manage your agents. See Endpoint Configuration Guide.

    Note: In 11.3 or later, agents can operate in Insights or Advanced mode depending on the policy configuration. The default policy enables the agent in an advanced mode. If you want to continue to use the Insights agent, before updating, review the policy, and make sure that the Agent mode is set to Insights.

  9. Install the Endpoint Agent. You can install an Insights (free version) or an Advanced agent (licensed). See Endpoint Agent Installation Guide for detailed instructions on how to install the agent.

    Note: You can migrate the Endpoint Agent from 4.4.0.x to 12.1. For more information, see the NetWitness Endpoint 4.4.0.x to NetWitness Platform 12.1 Migration Guide.

(Optional) Configure an Endpoint Service on an Existing Log Decoder Host

You can install an Endpoint service category on an existing Log Decoder host. For an overview of installing service categories on hosts, see "Hosts and Services Set Up Procedures" in the Host and Services Getting Started Guide.

  • If you have an existing Endpoint Log Hybrid, you must copy certificates from that Endpoint Hybrid host to the Log Decoder before you install the Endpoint service category on the Log Decoder.
  • If you do not have an Endpoint Log Hybrid host, you do not need to copy over the certificates before you install the Endpoint service category on the Log Decoder.

Do You Need to Install an Endpoint Service onto Separate Hardware?

If you are only using NW Platform for collecting and analyzing logs, you can co-locate your Endpoint Server on the same physical hardware as your Log Decoder. For more information, see the Prepare Virtual or Cloud Storage topic in the Storage Guide for NetWitness Platform.

If you exceed these guidelines, the amount of disk space usage and CPU might become so high as to create alarms for your Endpoint Server in Health and Wellness. If you notice this, and are running both log collection and EDR scans, you can use Throttling to control the amount of data coming into the Log Decoder.

If that doesn't help, NetWitness recommends that you move your Endpoint Server onto separate hardware from that used by your Log Decoder.

Install an Endpoint Service Category on an Existing Log Decoder

To install an Endpoint service category on an existing Log Decoder if you have an existing Endpoint Log Hybrid:

  1. Create the directory for the Endpoint CA files: mkdir -p /etc/pki/nw/nwe-ca
  2. Copy the following certificates from the first Endpoint Log Hybrid to the Log Decoder on which you are going to install the additional Endpoint service category:

    /etc/pki/nw/nwe-ca/nwerootca-cert.pem

    /etc/pki/nw/nwe-ca/nwerootca-key.pem

    Note: NetWitness recommends that you copy the certificates from the Endpoint Log Hybrid using the SCP command to avoid any corruption caused by antivirus or third-party tools.

  3. Log into NetWitness Platform and click Admin > Hosts.
  4. Select the Log Decoder host in the Hosts view and click the Install icon.

    The Install Services dialog is displayed.

  5. Select the Endpoint category and click Install.
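The following POSIX shell helper is an added example, not NetWitness code, covering both Step 2 of the Endpoint Log Hybrid setup above and the Log Decoder procedure just described: it fetches the two CA files from the first Endpoint Log Hybrid over scp, checks that the copied certificate and key actually belong together (which catches a truncated or antivirus-mangled copy), locks down the key, and takes the backup the IMPORTANT note requires. It assumes openssl and tar on the host, root scp access to the first Endpoint Log Hybrid, and the function names are mine.

```shell
#!/bin/sh
# Added example, not NetWitness code: stage the Endpoint CA files copied from
# the first Endpoint Log Hybrid and check the copy before installing the
# Endpoint category. Assumes openssl, tar and scp access to the first host.

NWE_CA_DIR=/etc/pki/nw/nwe-ca        # directory the guide has you create
CERT=nwerootca-cert.pem
KEY=nwerootca-key.pem

# Copy both files from the first Endpoint Log Hybrid with scp, as the guide
# recommends, into the CA directory on this host (created if missing).
fetch_nwe_ca() {
    src_host="$1"; dst_dir="${2:-$NWE_CA_DIR}"
    mkdir -p "$dst_dir" || return 1
    for f in "$CERT" "$KEY"; do
        scp -q "root@${src_host}:${NWE_CA_DIR}/${f}" "${dst_dir}/${f}" || return 1
    done
}

# Confirm the certificate and private key belong together by comparing the
# public key each one carries (a truncated or mangled copy fails here), then
# restrict the private key file to its owner.
verify_nwe_ca() {
    dir="${1:-$NWE_CA_DIR}"
    cert_pub=$(openssl x509 -in "$dir/$CERT" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$dir/$KEY" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
    chmod 600 "$dir/$KEY"
}

# Take the backup the guide calls a prerequisite for Endpoint recovery:
# a timestamped archive of both files. Prints the archive path.
backup_nwe_ca() {
    dir="${1:-$NWE_CA_DIR}"; out_dir="$2"
    mkdir -p "$out_dir" || return 1
    archive="$out_dir/nwe-ca-$(date -u +%Y%m%dT%H%M%SZ).tgz"
    tar -czf "$archive" -C "$dir" "$CERT" "$KEY" || return 1
    printf '%s\n' "$archive"
}
```

Typical use on the secondary host is `fetch_nwe_ca <first-elh-ip> && verify_nwe_ca && backup_nwe_ca /etc/pki/nw/nwe-ca /root/nwe-ca-backup` before installing the Endpoint category.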

To install an Endpoint service category on an existing Log Decoder if you do not have an existing Endpoint Log Hybrid:

  1. Log into NetWitness Platform and click Admin > Hosts.
  2. Select the Log Decoder host in the Hosts view and click the Install icon.

    The Install Services dialog is displayed.

  3. Select the Endpoint category and click Install.

NetWitness UEBA

The tasks in this section only apply to customers that use the UEBA component of NetWitness Platform.

Install UEBA

To set up NetWitness UEBA in NetWitness Platform 12.1, you must install and configure the NetWitness UEBA service.

The following procedure shows you how to install the NetWitness UEBA service on a NetWitness UEBA Host Type and configure the service.

  1. For:
    • A physical host, complete steps 1 - 16 in "Install NetWitness Platform" under "Installation Tasks" in the Physical Host Installation Guide for NetWitness Platform.
    • A virtual host, complete steps 1 - 16 in "Step 4. Install NetWitness Platform" in the Virtual Host Installation Guide for NetWitness Platform.

    Note: The Kibana and Airflow webserver User Interface password is the same as the deploy admin password. Make sure that you record this password and store it in a safe location.

  2. Log into NetWitness Platform and go to Admin > Hosts.
    The New Hosts dialog is displayed with the Hosts view grayed out in the background.

    Note: If the New Hosts dialog is not displayed, click Discover in the Hosts view toolbar.

  3. Select the host in the New Hosts dialog and click Enable.
    The New Hosts dialog closes and the host is displayed in the Hosts view.
  4. Select that host in the Hosts view (for example, UEBA) and click the Install icon.
    The Install Services dialog is displayed.
  5. Select the UEBA Host Type and click Install.
  6. Make sure that the UEBA service is running.

  7. Complete licensing requirements for NetWitness UEBA.
    See the Licensing Management Guide for more information.

    Note: NetWitness Platform supports the User and Entity Behavior Analytics (UEBA) license. This license is metered by the number of users. The Out-of-the-Box Trial License is a 90-day trial license. For UEBA licenses, the 90-day trial period begins when the UEBA service is deployed on NetWitness Platform.

Configure NetWitness UEBA

To start running UEBA:

  1. Define the following parameters: data schemas, data source (NetWitness Broker or Concentrator) and start date.

    1. Define UEBA schemas:
      Choose schemas from the following list:

      AUTHENTICATION, FILE, ACTIVE_DIRECTORY, PROCESS, REGISTRY and TLS.

      Note: The TLS packet requires adding the hunting package and enabling the JA3 feature. For more information regarding events that each schema contains, see the NetWitness UEBA Configuration Guide.

    2. Define the data source:
      If your deployment has multiple Concentrators, we recommend that you assign a Broker at the top of your deployment hierarchy for the NetWitness UEBA data source.

    3. Define the UEBA start-date:

      Note: The selected start date must contain events from all configured schemas.

      NetWitness recommends that the UEBA start date is set to 28 days earlier than the current date. For UEBA systems that intend to process TLS data, you must make sure that the start date is set to no later than 14 days earlier than the current date.

  2. Create a user account for the data source (Broker or Concentrator) to authenticate to the data.
    1. Log into NetWitness Platform.
    2. Go to Admin > Services.
    3. Locate the data source service (Broker or Concentrator).
      Select that service, and select Actions > View > Security.

    4. Create a new user and assign the "Analysts" role to that user.

      [Screenshot: a user account created for a Broker]

  3. SSH to the NetWitness UEBA server host.
  4. Set the appropriate parallelism value:
    If the UEBA system runs on VM, update the airflow parallelism value to be 64 by running the following command:
    sed -i "s|parallelism = 256|parallelism = 64|g" /var/netwitness/presidio/airflow/airflow.cfg

  5. Submit the following command with the parameters you defined above:
    /opt/rsa/saTools/bin/ueba-server-config -u <user> -p <password> -h <host> -o <type> -t <startTime> -s <schemas> -v -e <argument>
    Where:

    -u <user>
      User name of the credentials for the Broker or Concentrator instance that you are using as a data source.

    -p <password>
      Password of the credentials for the Broker or Concentrator instance that you are using as a data source. The following special characters are supported in a password:

      !"#$%&()*+,-:;<=>?@[\]^_`\{|}

      If you want to include one or more special characters, you must delimit the password with apostrophes, for example:
      sh /opt/rsa/saTools/bin/ueba-server-config -u brokeruser -p '!"UHfz?@ExMn#$' -h 10.64.153.104 -t 2018-08-01T00:00:00Z -s 'AUTHENTICATION FILE ACTIVE_DIRECTORY TLS PROCESS REGISTRY' -o broker -v

    -h <host>
      IP address of the Broker or Concentrator used as the data source. Currently, only one data source is supported.

    -o <type>
      Data source host type (broker or concentrator).

    -t <startTime>
      Historical start time from which you start collecting data from the data source, in YYYY-MM-DDTHH:MM:SSZ format (for example, 2018-08-15T00:00:00Z).

      Note: The script interprets the time you enter as UTC (Coordinated Universal Time) and does not adjust it to your local time zone.

    -s <schemas>
      Array of data schemas. To specify multiple schemas, separate them with spaces (for example, AUTHENTICATION FILE ACTIVE_DIRECTORY PROCESS REGISTRY TLS).

    -v
      Verbose mode.

    -e <argument>
      Boolean argument. Enables the UEBA indicator forwarder to Respond.

      Note: If your NetWitness deployment includes an active Respond server, you can enable the indicator forwarder to transfer NetWitness UEBA indicators to the Respond server and create incidents from this data. For more information on how to enable NetWitness UEBA incident aggregation, see Step 5. Post Installation Tasks.

  6. If you are deploying a hot fix on an 11.x.x.x version, do the following:

    1. Run the presidio-upgrade DAG.
    2. Press the play sign next to the DAG and then click the trigger button.

  7. Set the appropriate "Boot Jar Pools" slots:

    • Virtual Appliance: If the UEBA system is running on a VM, update the spring_boot_jar_pool and retention_spring_boot_jar_pool slot values to 22.
      To update the "Spring Boot Jar Pools" slots, go to the Airflow main page, click the "Admin" tab in the top bar, and then click "Pools".

    1. To access the Airflow UI, go to https://<UEBA_host>/admin and enter the credentials.
      User: admin
      Password: The environment deploy admin password
    2. Click the pencil icon of the pools to update the slot values.
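The following POSIX shell helper is an added example, not part of the NetWitness tooling, for the ueba-server-config step above: it checks the parameters against the rules the argument table states (the six schema names, the UTC YYYY-MM-DDTHH:MM:SSZ start time, the 28-day start-date recommendation, and apostrophe-delimited passwords) and assembles the command line in the same form as the guide's example. It assumes GNU date for the -d option; the function names are mine, and the optional -e argument is left out as in the guide's example.

```shell
#!/bin/sh
# Added example, not NetWitness code: validate the ueba-server-config
# arguments before running the script. Assumes GNU date (date -u -d ...).

UEBA_CONFIG=/opt/rsa/saTools/bin/ueba-server-config
VALID_SCHEMAS="AUTHENTICATION FILE ACTIVE_DIRECTORY PROCESS REGISTRY TLS"

# Each space-separated schema must be one of the six the guide lists.
check_schemas() {
    [ -n "$1" ] || return 1
    for s in $1; do
        case " $VALID_SCHEMAS " in *" $s "*) ;; *) return 1 ;; esac
    done
}

# The guide's recommended start time: 28 days before "now" (argument in
# UTC, defaults to the current time), in the YYYY-MM-DDTHH:MM:SSZ shape.
recommended_start_time() {
    now_s=$(date -u -d "${1:-now}" +%s) || return 1
    date -u -d "@$((now_s - 28 * 86400))" +%Y-%m-%dT%H:%M:%SZ
}

# A start time must carry the Z suffix (the script reads it as UTC and does
# not shift your local zone), parse as a date, and not lie in the future.
check_start_time() {
    start="$1"; now="${2:-now}"
    printf '%s\n' "$start" |
        grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$' || return 1
    start_s=$(date -u -d "$start" +%s 2>/dev/null) || return 1
    now_s=$(date -u -d "$now" +%s) || return 1
    [ "$start_s" -le "$now_s" ]
}

# Assemble the command line. The password is delimited with apostrophes as
# the guide shows, so a password containing an apostrophe is refused rather
# than silently producing a broken command.
build_ueba_cmd() {
    user="$1"; pass="$2"; host="$3"; src_type="$4"; start="$5"; schemas="$6"
    case "$src_type" in broker|concentrator) ;; *) return 1 ;; esac
    case "$pass" in *"'"*) return 1 ;; esac
    check_schemas "$schemas" || return 1
    check_start_time "$start" || return 1
    printf "%s -u %s -p '%s' -h %s -o %s -t %s -s '%s' -v\n" \
        "$UEBA_CONFIG" "$user" "$pass" "$host" "$src_type" "$start" "$schemas"
}
```

Run the printed command with sh only after the checks pass; `recommended_start_time` gives you the -t value to use when you have no reason to pick another date.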

Enable Access Permission for the NetWitness UEBA User Interface

After you install NetWitness UEBA 11.7, you need to assign the UEBA_Analysts and Analysts roles to the UEBA users. For more information, see 'Assign User Access to UEBA' topic in the NetWitness UEBA Configuration Guide. After this configuration, UEBA users can access the Investigate > Users view.

Note: To complete the NetWitness UEBA configuration according to the needs of your organization, see the NetWitness UEBA Configuration Guide.

Deployment Options

The NetWitness Platform has the following deployment options. See the NetWitness Deployment Guide for detailed instructions on how to deploy these options.

  • Analyst User Interface - gives you access to a subset of features in the NetWitness Platform UI that you can set up in individual locations when you deploy NetWitness Platform in multiple locations. It is designed to reduce the latency and performance degradation that can occur when all functionality is accessed from the Primary User Interface on the NW Server Host (Primary UI).
  • Group Aggregation - configures multiple Archiver or Concentrator services as a group and shares the aggregation tasks between them.
  • New Health and Wellness Search - New Health and Wellness is an advanced monitoring and alerting system that provides insights into the operational state of the hosts and services in your deployment and helps identify potential issues.
  • Second Endpoint Server - deploys a second Endpoint Server.