NetWitness 12.2.0.0 provides enhancements and fixes for all products in NetWitness Platform. The instructions in this guide apply to both physical and virtual hosts (including AWS, Azure Public Cloud, and Google Cloud Platform) unless stated to the contrary.

In 12.2.0.0, NetWitness has several new features in the user interface.

Warning: Before upgrading the UEBA host from 12.0 and older versions to 12.2, you must perform the backup of your Elasticsearch data such as Users, Entities, Alerts, and Indicators to retain them post upgrade. For more information, see Upgrade Preparation Tasks. This action is not required if you are upgrading the UEBA host from 12.1 to 12.2.

Upgrade Paths

The following upgrade paths are supported for NetWitness 12.2.0.0:

  • NetWitness 11.6.x.x to 12.2.0.0

  • NetWitness 11.7.0.0 to 12.2.0.0
  • NetWitness 11.7.0.1 to 12.2.0.0
  • NetWitness 11.7.0.2 to 12.2.0.0
  • NetWitness 11.7.1.0 to 12.2.0.0
  • NetWitness 11.7.1.1 to 12.2.0.0
  • NetWitness 11.7.1.2 to 12.2.0.0
  • NetWitness 11.7.2.0 to 12.2.0.0
  • NetWitness 12.0.0.0 to 12.2.0.0
  • NetWitness 12.1.0.0 to 12.2.0.0
  • NetWitness 12.1.0.1 to 12.2.0.0
  • NetWitness 12.1.1.0 to 12.2.0.0

This guide applies to both physical and virtual hosts (including AWS and Azure Public Cloud).

Running in Mixed Mode

Running in mixed mode occurs when some services are upgraded to the latest version and some services are on older versions. See "Running in Mixed Mode" in the NetWitness Platform Hosts and Services Getting Started Guide for further information.

Note: If you are running Endpoint Log Hybrid in mixed mode, make sure Endpoint Broker is on the same version as one of the Endpoint Servers.

Upgrade Considerations for ESA Hosts

  • Mixed mode is not supported for ESA hosts in NetWitness Platform XDR.

  • In 12.1 and later versions, you can only manage the ESA deployments and Data Sources through Centralized Content Management. Go to ConfigureIcon_12x10.png(CONFIGURE) > Policies > Content > Event Stream Analysis page to manage the ESA deployments and Data Sources. Refer the following screenshot.

    esa_deployments_policies.PNG

  • After upgrading to 12.1 and later versions, you can only manage the ESA Rules in the ESA Rules page. Refer the following screenshot.

    esa_rules_tab_configure_1929x910.png

  • After upgrading to the 12.2 version, all the ESA deployments will be migrated to ConfigureIcon_14x12.png(CONFIGURE) > Policies page. Each deployment will be converted into a policy and group and will be available to manage only after the upgrade of the Correlation servers to the 12.2.x.x version. Make sure that you plan the upgrade process so that Correlation servers are upgraded immediately after the Admin Server is done. The deployments will not be accessible until the corresponding Correlation servers are upgraded. However, the correlation servers will still continue to process the Alerts and Events.

  • You must upgrade the ESA hosts immediately after upgrading the Admin Server.

    For more information on Centralized Content Management and managing the deployments, see https://community.netwitness.com/t5/rsa-netwitness-platform-staged/centralized-content-management-guide-for-12-1-1/ta-p/694426.

IMPORTANT: The NetWitness server, ESA primary host, and ESA secondary host must all be on the same NetWitness Platform version.

Upgrade or install Legacy Windows Log Collection

Refer to the Legacy Windows Log Collection Guide for NetWitness.

Note: After you update or install Legacy Windows Log Collection, reboot the system to ensure that Log Collection functions correctly.

Feedback on Product Documentation

You can send an email to feedbacknwdocs@netwitness.com to provide feedback on NetWitness documentation.