NetWitness 18.104.22.168 provides enhancements and fixes for all products in NetWitness Platform. The instructions in this guide apply to both physical and virtual hosts (including AWS, Azure Public Cloud, and Google Cloud Platform) unless stated to the contrary.
In 22.214.171.124, NetWitness has several new features in the user interface.
Warning: Before upgrading the UEBA host to 12.1, you must perform the backup of your Elasticsearch data such as Users, Entities, Alerts, and Indicators to retain them post upgrade. For more information, see Upgrade Preparation Tasks.
The following upgrade paths are supported for NetWitness 126.96.36.199:
NetWitness 188.8.131.52 to 184.108.40.206
NetWitness 220.127.116.11 to 18.104.22.168
NetWitness 22.214.171.124 to 126.96.36.199
NetWitness 188.8.131.52 to 184.108.40.206
- NetWitness 220.127.116.11 to 18.104.22.168
- NetWitness 22.214.171.124 to 126.96.36.199
- NetWitness 188.8.131.52 to 184.108.40.206
- NetWitness 220.127.116.11 to 18.104.22.168
- NetWitness 22.214.171.124 to 126.96.36.199
- NetWitness 188.8.131.52 to 184.108.40.206
- NetWitness 220.127.116.11 to 18.104.22.168
- NetWitness 22.214.171.124 to 126.96.36.199
- NetWitness 188.8.131.52 to 184.108.40.206
- NetWitness 220.127.116.11 to 18.104.22.168
This guide applies to both physical and virtual hosts (including AWS and Azure Public Cloud).
Running in Mixed ModeRunning in Mixed Mode
Running in mixed mode occurs when some services are upgraded to the latest version and some services are on older versions. See "Running in Mixed Mode" in the NetWitness Platform Hosts and Services Getting Started Guide for further information.
Note: If you are running Endpoint Log Hybrid in mixed mode, make sure Endpoint Broker is on the same version as one of the Endpoint Servers.
Upgrade Considerations for ESA Hosts
Mixed mode is not supported for ESA hosts in NetWitness version 11.5 and later.
IMPORTANT: The NetWitness server, ESA primary host, and ESA secondary host must all be on the same NetWitness Platform version.
Upgrade Considerations for STIX Custom Feeds
The custom feeds created before version 22.214.171.124 are processed automatically. On upgrade, the data sources created for ADHOC, REST and TAXII server and the feeds are pulled automatically. See "Create a STIX Custom Feed" in the NetWitness Platform Live Service Management Guide and "Configure STIX as a Data Source" in the NetWitness Platform Context Hub Configuration Guide for further information.
Upgrade or install Legacy Windows Log Collection
Refer to the Legacy Windows Log Collection Guide for NetWitness.
Note: After you update or install Legacy Windows Log Collection, reboot the system to ensure that Log Collection functions correctly.
Feedback on Product Documentation
You can send an email to firstname.lastname@example.org to provide feedback on NetWitness documentation.