NetWitness 126.96.36.199 provides enhancements and fixes for all products in NetWitness Platform. The instructions in this guide apply to both physical and virtual hosts (including AWS, Azure Public Cloud, and Google Cloud Platform) unless stated to the contrary.
In 188.8.131.52, NetWitness has several new features in the user interface.
Warning: Before upgrading the UEBA host from 12.0 or an older version to 12.2, you must back up your Elasticsearch data, such as Users, Entities, Alerts, and Indicators, to retain it after the upgrade. For more information, see Upgrade Preparation Tasks. This action is not required if you are upgrading the UEBA host from 12.1 to 12.2.
The following upgrade paths are supported for NetWitness 184.108.40.206:
- NetWitness 11.6.x.x to 220.127.116.11
- NetWitness 18.104.22.168 to 22.214.171.124
- NetWitness 126.96.36.199 to 188.8.131.52
- NetWitness 184.108.40.206 to 220.127.116.11
- NetWitness 18.104.22.168 to 22.214.171.124
- NetWitness 126.96.36.199 to 188.8.131.52
- NetWitness 184.108.40.206 to 220.127.116.11
- NetWitness 18.104.22.168 to 22.214.171.124
- NetWitness 126.96.36.199 to 188.8.131.52
- NetWitness 184.108.40.206 to 220.127.116.11
- NetWitness 18.104.22.168 to 22.214.171.124
- NetWitness 126.96.36.199 to 188.8.131.52
This guide applies to both physical and virtual hosts (including AWS and Azure Public Cloud).
Running in Mixed Mode
Mixed mode occurs when some services are upgraded to the latest version while others remain on older versions. See "Running in Mixed Mode" in the NetWitness Platform Hosts and Services Getting Started Guide for further information.
Note: If you are running Endpoint Log Hybrid in mixed mode, make sure Endpoint Broker is on the same version as one of the Endpoint Servers.
Upgrade Considerations for ESA Hosts
Mixed mode is not supported for ESA hosts in NetWitness Platform XDR.
In 12.1 and later versions, you can manage the ESA deployments and Data Sources only through Centralized Content Management. Go to the (CONFIGURE) > Policies > Content > Event Stream Analysis page to manage the ESA deployments and Data Sources. Refer to the following screenshot.
After upgrading to 12.1 and later versions, you can manage the ESA Rules only on the ESA Rules page. Refer to the following screenshot.
After upgrading to version 12.2, all ESA deployments are migrated to the (CONFIGURE) > Policies page. Each deployment is converted into a policy and group, and becomes available to manage only after the Correlation servers are upgraded to version 12.2.x.x. Plan the upgrade so that the Correlation servers are upgraded immediately after the Admin Server. The deployments are not accessible until the corresponding Correlation servers are upgraded. However, the Correlation servers continue to process Alerts and Events.
You must upgrade the ESA hosts immediately after upgrading the Admin Server.
For more information on Centralized Content Management and managing the deployments, see https://community.netwitness.com/t5/rsa-netwitness-platform-staged/centralized-content-management-guide-for-12-1-1/ta-p/694426.
IMPORTANT: The NetWitness server, ESA primary host, and ESA secondary host must all be on the same NetWitness Platform version.
Upgrade or install Legacy Windows Log Collection
Refer to the Legacy Windows Log Collection Guide for NetWitness.
Note: After you update or install Legacy Windows Log Collection, reboot the system to ensure that Log Collection functions correctly.
Feedback on Product Documentation
You can send an email to email@example.com to provide feedback on NetWitness documentation.