Virtual Host Setup: Post Installation Tasks

Document created by RSA Information Design and Development on Apr 10, 2019
Version 1

This topic contains the tasks you complete after you install 11.3.

Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

General

General tasks apply to all customers regardless of the NetWitness Components you deploy.

(Optional) Task 1 - Re-Configure DNS Servers Post 11.3

On the NetWitness Server, complete the following steps to re-configure the DNS servers in NetWitness Platform 11.3.

  1. Log in to the server host with your root credentials.
  2. Edit the /etc/netwitness/platform/resolv.dnsmasq file:
    1. Replace the IP address corresponding to nameserver.
      If you need to replace both DNS servers, replace the IP entries for both hosts with valid addresses.
      The following example shows both DNS entries.

      The following example shows the new DNS values.

    2. Save the /etc/netwitness/platform/resolv.dnsmasq file.
    3. Restart the internal DNS by running the following command:
      systemctl restart dnsmasq

    Task 2 - Update HIVE Version

    After you update to 11.3, you must update to the HIVE version that is compatible with the 11.3 Warehouse (either HIVE version 0.12 or version 1.0).

    • HIVE Version 0.12
      SSH to the NW Server and run the following command.
      rpm -ivh rsa-nw-HIVE-jdbc-0.12.0-1.x86_64.rpm
    • HIVE Version 1.0
      SSH to the NW Server and run the following command.
      rpm -ivh rsa-nw-HIVE-jdbc-1.0.0-1.x86_64.rpm

    RSA NetWitness Endpoint

    The tasks in this section only apply to customers that use the RSA NetWitness Endpoint component of NetWitness Platform.

    (Optional) Task 3 - Install Endpoint Log Hybrid

    Depending on the number of agents and the location of the agents, you can choose to deploy a single Endpoint Log Hybrid host or multiple Endpoint Log Hybrid hosts. To deploy a host, you provision it and install a category on it.

    • Single Endpoint Log Hybrid host - Deploy NetWitness Server host, Endpoint Log Hybrid host, and ESA host or hosts.

    • Multiple Endpoint Log Hybrid hosts - Deploy NetWitness Server host, ESA host or hosts, Endpoint Log Hybrid hosts. For a consolidated view of all endpoint data from multiple Endpoint Log Hybrid hosts, install the Endpoint Broker.

      Note: RSA recommends that you co-locate the Endpoint Broker on the NetWitness Broker host. However, you can deploy the Endpoint Broker on a separate host or co-locate it on the Endpoint Log Hybrid.

      Note: You must plan to scale your ESA deployment to support multiple Endpoint Log Hybrid hosts.

    To deploy an Endpoint Log Hybrid host:

    1. For:
      • A physical host, complete steps 1 - 14 under "Task 2 - Install 11.3 on Other Component Hosts" under "Installation Tasks" in the Physical Host Installation Guide for NetWitness Platform 11.3.
      • A virtual host, complete steps 1 - 15 under "Task 2 - Install 11.3 on Other Component Hosts" under "Installation Tasks" in the Virtual Host Installation Guide for NetWitness Platform 11.3.
    2. Log into NetWitness Platform and click ADMIN > Hosts.
      The New Hosts dialog is displayed with the Hosts view grayed out in the background.

      Note: If the New Hosts dialog is not displayed, click Discover in the Hosts view toolbar.

    3. Select the host in the New Hosts dialog and click Enable.
      The New Hosts dialog closes and the host is displayed in the Hosts view.
    4. Select that host in the Hosts view (for example, Endpoint) and click .
      The Install Services dialog is displayed.
    5. Select Endpoint Log Hybrid category and click Install.
    6. Make sure that the Endpoint Log Hybrid service is running.

    7. Configure Endpoint Meta forwarding.
      See Endpoint Configuration Guide for instructions on how to configure Endpoint Meta forwarding.

    8. Deploy the ESA Rules from the Endpoint Rule Bundle. For more information, see "Deploy Endpoint Risk Scoring Rules on ESA" section in the ESA Configuration Guide.

    Note: The Endpoint IIOCs are available as OOTB Endpoint Application rules.

    9. Review the default policies and create groups to manage your agents. See Endpoint Configuration Guide.

    Note: In 11.3, agents can operate in Insights or Advanced mode depending on the policy configuration. The default policy enables the agent in an advanced mode. If you want to continue to use the Insights agent, before updating, review the policy, and make sure that the Agent mode is set to Insights.

    10. Install the Endpoint Agent. You can install an Insights (free version) or an Advanced agent (licensed). See Endpoint Agent Installation Guide for detailed instructions on how to install the agent.

      Note: You can migrate the Endpoint Agent from 4.4.0.x to 11.3. For more information, see NetWitness Endpoint 4.4.0.x to NetWitness Platform 11.3 Migration Guide.

    Task 4 - Configuring Multiple Endpoint Log Hybrid

    To install another Endpoint Log Hybrid: 

    1. For:
      • A physical host, complete steps 1 - 14 under "Task 2 - Install 11.3 on Other Component Hosts" under "Installation Tasks" in the Physical Host Installation Guide for NetWitness Platform 11.3.
      • A virtual host, complete steps 1 - 15 under "Task 2 - Install 11.3 on Other Component Hosts" under "Installation Tasks" in the Virtual Host Installation Guide for NetWitness Platform 11.3.
    2. Create the certificate directory by running the following command:
      mkdir -p /etc/pki/nw/nwe-ca
    3. Copy the following certificates from the first Endpoint Log Hybrid to the second Endpoint Log Hybrid:

      Note: RSA recommends that you copy certificates from CentOS to Windows using the SCP command to avoid any corruption caused by Antivirus or third-party tools.

      /etc/pki/nw/nwe-ca/nwerootca-cert.pem

      /etc/pki/nw/nwe-ca/nwerootca-key.pem

    4. Complete steps 2 - 10 under "Task 3 - Install Endpoint Log Hybrid" in "Post Installation Tasks" of the Platform Physical Host Installation Guide.
    5. Repeat steps 1 - 4 to add more Endpoint Log Hybrids.

    RSA NetWitness® UEBA

    The tasks in this section only apply to customers that use the RSA UEBA component of NetWitness Platform.

    (Optional) Task 5 - Install UEBA

    To set up NetWitness UEBA in NetWitness Platform 11.3, you must install and configure the NetWitness UEBA service.

    The following procedure shows you how to install the NetWitness UEBA service on a NetWitness UEBA Host Type and configure the service.

    1. For:
      • A physical host, complete steps 1 - 14 under "Task 2 - Install 11.3 on Other Component Hosts" under "Installation Tasks" in the Physical Host Installation Guide for NetWitness Platform 11.3.
      • A virtual host, complete steps 1 - 15 under "Task 2 - Install 11.3 on Other Component Hosts" under "Installation Tasks" in the Virtual Host Installation Guide for NetWitness Platform 11.3.

      Note: The Kibana and Airflow webserver User Interface password is the same as the deploy admin password. Make sure that you record this password and store it in a safe location.

    2. Log into NetWitness Platform and go to ADMIN > Hosts.
      The New Hosts dialog is displayed with the Hosts view grayed out in the background.

      Note: If the New Hosts dialog is not displayed, click Discover in the Hosts view toolbar.

    3. Select the host in the New Hosts dialog and click Enable.
      The New Hosts dialog closes and the host is displayed in the Hosts view.
    4. Select that host in the Hosts view (for example, UEBA) and click .
      The Install Services dialog is displayed.
    5. Select the UEBA Host Type and click Install.

    6. Make sure that the UEBA service is running.

    7. Complete licensing requirements for NetWitness UEBA.
      See the Licensing Management Guide for more information.

      Note: NetWitness Platform supports the User and Entity Behavior Analytics (UEBA) License. This license is consumed based on the number of users. The Out-of-the-Box Trial License is a 90-day trial license. For UEBA licenses, the 90-day trial period begins when the UEBA service is deployed on the NetWitness Platform product.

    8. Configure NetWitness UEBA.
      You need to configure a data source (Broker or Concentrator), historical data collection start date, and data schemas.

      IMPORTANT: If your deployment has multiple Concentrators, RSA recommends that you assign the Broker at the top of your deployment hierarchy for the NetWitness UEBA data source.

      1. Determine the earliest date in the NWDB of the data schema you plan to choose (AUTHENTICATION, FILE, ACTIVE_DIRECTORY, PROCESS, REGISTRY or any combination of these schemas) to specify in startTime in step c. If you plan to specify multiple schemas, use the earliest date among all the schemas. If you are not sure which data schema to choose, you can specify all five data schemas (that is, AUTHENTICATION, FILE, ACTIVE_DIRECTORY, PROCESS and REGISTRY) to have UEBA adjust the models it can support based on the Windows logs available. You can use one of the following methods to determine the data source date.
        • Use the Data Retention date (that is, if the Data Retention duration is 48 hours, startTime = <48 hours earlier than the current time>).
        • Search the NWDB for the earliest date.
      2. Create a user account for the data source (Broker or Concentrator) to authenticate to the data source.

        1. Log into NetWitness Platform.

        2. Go to Admin > Services.

        3. Locate the data source service (Broker or Concentrator).

          Select that service, and select (Actions) > View > Security.

        4. Create a new user and assign the “Analysts” role to that user.
          The following example shows a user account created for a Broker.

      3. SSH to the NetWitness UEBA server host.
      4. Submit the following command:

        /opt/rsa/saTools/bin/ueba-server-config -u <user> -p <password> -h <host> -o <type> -t <startTime> -s <schemas> -v -e

        Where:

        -u <user>
          User name of the credentials for the Broker or Concentrator instance that you are using as a data source.

        -p <password>
          Password of the credentials for the Broker or Concentrator instance that you are using as a data source. The following special characters are supported in a password:
          !"#$%&()*+,-:;<=>?@[\]^_`\{|}
          If you want to include one or more special characters, you must delimit the password with apostrophes, for example:
          sh /opt/rsa/saTools/bin/ueba-server-config -u brokeruser -p '!"UHfz?@ExMn#$' -h 10.64.153.104 -t 2018-08-01T00:00:00Z -s 'AUTHENTICATION FILE ACTIVE_DIRECTORY' -o broker -v

        -h <host>
          IP address of the Broker or Concentrator used as the data source. Currently, only one data source is supported.

        -o <type>
          Data source host type (broker or concentrator).

        -t <startTime>
          Historical start time from which you start collecting data from the data source, in YYYY-MM-DDTHH:MM:SSZ format (for example, 2018-08-15T00:00:00Z).
          Note: The script interprets the time you enter as UTC (Coordinated Universal Time) and does not adjust it to your local time zone.

        -s <schemas>
          Array of data schemas. To specify multiple schemas, separate them with spaces (for example, 'AUTHENTICATION FILE ACTIVE_DIRECTORY PROCESS REGISTRY').
          Note: If you specify all five data schemas (that is, AUTHENTICATION, FILE, ACTIVE_DIRECTORY, PROCESS, and REGISTRY), UEBA adjusts the models it can support based on the Windows logs available.

        -v
          Verbose mode.

        -e <argument>
          Boolean argument. Enables the UEBA indicator forwarder to Respond.
          Note: If the Respond server is configured in NetWitness Platform, you can transfer the NetWitness UEBA indicators to the Respond server and to the correlation server to create Incidents.

    9. Complete NetWitness UEBA configuration according to the needs of your organization.
      See the NetWitness UEBA User Guide for more information.

    Note: If NetWitness Endpoint Server is configured, you can view the alerts associated with the Process and Registry data schemas.
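    The following POSIX sh helper is an added example and is not part of NetWitness or of the ueba-server-config script. It checks the arguments for the command in step 8 against the rules documented above (startTime format, the five schema names, the host type, and a password without an apostrophe, which is not in the supported list and would end the quoted delimiter early) and prints the exact single-quoted command line to type; it assumes only the binary path and flags as documented and does not execute anything.

```shell
# Constructed helper, not part of NetWitness: validate the ueba-server-config
# arguments against the documented rules and print the exact command line.
UEBA_CONFIG_BIN=/opt/rsa/saTools/bin/ueba-server-config
ALLOWED_SCHEMAS="AUTHENTICATION FILE ACTIVE_DIRECTORY PROCESS REGISTRY"

# 0 if "$1" is a non-empty, space-separated list of supported schema names.
valid_schemas() {
  [ -n "$1" ] || return 1
  for s in $1; do
    case " $ALLOWED_SCHEMAS " in
      *" $s "*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# 0 if "$1" is YYYY-MM-DDTHH:MM:SSZ; the script reads it as UTC, so no local offsets.
valid_start_time() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]T[0-2][0-9]:[0-5][0-9]:[0-5][0-9]Z) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 unless the password is empty or contains an apostrophe: the apostrophe is not in
# the supported list and would terminate the single-quoted delimiter early.
valid_password() {
  [ -n "$1" ] || return 1
  case "$1" in *"'"*) return 1 ;; esac
  return 0
}

# Print the command to type on the UEBA host, or print nothing and return 1.
# Usage: ueba_config_cmdline USER PASSWORD HOST TYPE START_TIME "SCHEMAS" [forward]
# The optional word "forward" adds -e (forward UEBA indicators to Respond).
ueba_config_cmdline() {
  valid_password "$2" && valid_start_time "$5" && valid_schemas "$6" || return 1
  case "$4" in broker|concentrator) ;; *) return 1 ;; esac
  fwd=""
  if [ "${7:-}" = "forward" ]; then fwd=" -e"; fi
  # Password and schema list are single-quoted so the shell passes them through untouched.
  printf "%s -u '%s' -p '%s' -h %s -o %s -t %s -s '%s' -v%s\n" \
    "$UEBA_CONFIG_BIN" "$1" "$2" "$3" "$4" "$5" "$6" "$fwd"
}

# Example with the page's sample values (the password uses supported specials only).
ueba_config_cmdline brokeruser '!"UHfz?@ExMn#$' 10.64.153.104 broker \
  2018-08-01T00:00:00Z 'AUTHENTICATION FILE ACTIVE_DIRECTORY'
```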

    Task 6 - Set Up Permissions

    If you have installed UEBA, you need to assign the UEBA_Analysts and Analysts roles to the UEBA users. For more information, see System Security and User Management Guide.

    After this configuration, UEBA users can access the Investigate > Users view.

    Federal Information Processing Standard (FIPS) Enablement

    Task 7 - Enable FIPS Mode

    Note: This task is optional for upgrades from 10.6.6.x with FIPS enabled for Log Collectors, Log Decoders, and Network Decoders.

    Federal Information Processing Standard (FIPS) is enabled on all services except Log Collector, Log Decoder, and Decoder. FIPS cannot be disabled on any services except Log Collector, Log Decoder, and Decoder.
