UEBA Install: Installation Tasks

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by Scott Marcus on May 14, 2019.
Version 4

This topic contains the tasks you must complete to perform a standalone installation of NetWitness UEBA.

Note: Download or make sure you have access to the Physical Host Installation Guide for Version 11.3 before beginning the tasks. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

For Physical Hosts:

You must complete the following tasks in the order shown below.

Task 1. Install 11.3 on the NetWitness Server Host

Task 2. Install 11.3 Log Hybrid Host

Task 3. Install and Configure RSA NetWitness® UEBA

Task 1. Install 11.3 on the NetWitness Server Host

For the NetWitness Server (NW Server), this task:

  • Creates a base image.
  • Sets up the 11.3 NW Server host.

For more information on how to install the NetWitness Server host, see the "Install 11.3 on the NetWitness Server (NW Server) Host" section in the Physical Host Installation Guide for Version 11.3. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

Task 2. Install 11.3 Log Hybrid Host

For a non-NW Server host, this task:

  • Creates a base image.
  • Sets up the 11.3 non-NW Server host or Log Hybrid.

For more information on how to install the Log Hybrid host, see the "Task 2 - Install 11.3 on Other Component Hosts" section in the Physical Host Installation Guide for Version 11.3. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

Task 3. Install and Configure RSA NetWitness® UEBA

To set up NetWitness UEBA, you must install and configure the NetWitness UEBA service.

The following procedure shows you how to install the NetWitness UEBA service on a NetWitness UEBA Host Type and configure the service.

  1. Complete steps 1 - 14 under "Task 2 - Install 11.3 on Other Component Hosts" in "Installation Tasks" of the NetWitness Platform Physical Host Installation Guide for Version 11.3. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

    Note: The Kibana and Airflow webserver User Interface password is the same as the deploy_admin password. Make sure that you record this password and store it in a safe location.

  2. Log in to NetWitness Platform and go to ADMIN > Hosts.
    The New Hosts dialog is displayed with the Hosts view grayed out in the background.

    Note: If the New Hosts dialog is not displayed, click Discover in the Hosts view toolbar.

  3. Select the host in the New Hosts dialog and click Enable.
    The New Hosts dialog closes and the host is displayed in the Hosts view.
  4. Select that host in the Hosts view (for example, UEBA) and click .
    The Install Services dialog is displayed.
  5. Select the UEBA Host Type and click Install.

  6. Make sure that the UEBA service is running.

  7. Complete licensing requirements for NetWitness UEBA.
    See the NetWitness Platform 11.3 Licensing Management Guide for more information. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

Note: NetWitness Platform supports the User and Entity Behavior Analytics License (UEBA). This license is used based on the number of users. The Out-of-the-Box Trial License is a 90-day trial license. For UEBA licenses, the 90-day trial period begins when the UEBA service is deployed on the NetWitness Platform product.

  8. Configure NetWitness UEBA.
    You need to configure a data source (Broker or Concentrator), historical data collection start date, and data schemas.

    IMPORTANT: If your deployment has multiple Concentrators, RSA recommends that you assign the Broker at the top of your deployment hierarchy for the NetWitness UEBA data source.

    1. Determine the earliest date in the NWDB of the data schema you plan to choose (AUTHENTICATION, FILE, ACTIVE_DIRECTORY, PROCESS, REGISTRY or any combination of these schemas) to specify in startTime in step c. If you plan to specify multiple schemas, use the earliest date among all the schemas. If you are not sure which data schema to choose, you can specify all five data schemas (that is, AUTHENTICATION, FILE, ACTIVE_DIRECTORY, PROCESS and REGISTRY) to have UEBA adjust the models it can support based on the Windows logs available. You can use one of the following methods to determine the data source date.
      • Use the Data Retention date (that is, if the Data Retention duration is 48 hours, startTime = <48 hours earlier than the current time>).
      • Search the NWDB for the earliest date.
    2. Create a user account for the data source (Broker or Concentrator) to authenticate to the data source.

      1. Log in to NetWitness Platform.

      2. Go to Admin > Services.

      3. Locate the data source service (Broker or Concentrator).

        Select that service, and select (Actions) > View > Security.

      4. Create a new user and assign the “Analysts” role to that user.
        The following example shows a user account created for a Broker.

    3. SSH to the NetWitness UEBA server host.
    4. Submit the following commands.

      /opt/rsa/saTools/bin/ueba-server-config -u <user> -p <password> -h <host> -o <type> -t <startTime> -s <schemas> -v -e <argument>

      Where:

      Argument  Variable     Description

      -u        <user>       User name of the credentials for the Broker or Concentrator instance that you are using as a data source.

      -p        <password>   Password of the credentials for the Broker or Concentrator instance that you are using as a data source. The following special characters are supported in a password.

                             !"#$%&()*+,-:;<=>?@[\]^_`\{|}

                             To include one or more special characters, you must enclose the password in apostrophes (single quotation marks), for example:
                             sh /opt/rsa/saTools/bin/ueba-server-config -u brokeruser -p '!"UHfz?@ExMn#$' -h 10.64.153.104 -t 2018-08-01T00:00:00Z -s 'AUTHENTICATION FILE ACTIVE_DIRECTORY' -o broker -v

      -h        <host>       IP address of the Broker or Concentrator used as the data source. Currently, only one data source is supported.

      -o        <type>       Data source host type (broker or concentrator).

      -t        <startTime>  Historical start time as of which you start collecting data from the data source, in YYYY-MM-DDTHH:MM:SSZ format (for example, 2018-08-15T00:00:00Z).

                             Note: The script interprets the time you enter as UTC (Coordinated Universal Time) and it does not adjust the time to your local time zone.

      -s        <schemas>    Array of data schemas. If you want to specify multiple schemas, use a space to separate each schema (for example, 'AUTHENTICATION FILE ACTIVE_DIRECTORY PROCESS REGISTRY').

                             Note: If you specify all five data schemas (that is, AUTHENTICATION, FILE, ACTIVE_DIRECTORY, PROCESS, and REGISTRY), UEBA adjusts the models it can support based on the Windows logs available.

      -v                     Verbose mode.

      -e        <argument>   Boolean argument. This enables the UEBA indicator forwarder to Respond.

                             Note: If the Respond server is configured in NetWitness Platform, you can transfer the NetWitness UEBA indicators to the Respond server and to the correlation server to create incidents.

  9. Complete NetWitness UEBA configuration according to the needs of your organization.
    See the RSA NetWitness UEBA User Guide for more information. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

Note: If NetWitness Endpoint Server is configured, you can view the alerts associated with the Process and Registry data schemas.
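A pre-flight check for the ueba-server-config arguments described in the configuration step above, as an added example (not RSA's code and not shipped with NetWitness). The function names are hypothetical; it assumes GNU date on the UEBA host and that letters and digits are accepted in passwords alongside the listed special characters.

```shell
#!/bin/sh
# Added example: pre-flight checks for ueba-server-config arguments.
# Function names are hypothetical; nothing here is shipped with NetWitness.

# Special characters the page lists as supported in the -p password.
UEBA_PW_SPECIALS='!"#$%&()*+,-:;<=>?@[\]^_`{|}'

# UTC start time <hours> before <now_epoch> (default: now). Needs GNU date.
ueba_start_time() {
  now=${2:-$(date -u +%s)}
  date -u -d "@$(( $now - $1 * 3600 ))" +%Y-%m-%dT%H:%M:%SZ
}

# True if the password has only letters, digits (assumed allowed) and listed specials.
ueba_valid_password() {
  pw=$1
  [ -n "$pw" ] || return 1
  while [ -n "$pw" ]; do
    rest=${pw#?}; c=${pw%"$rest"}; pw=$rest   # peel off the first character
    case $c in [A-Za-z0-9]) continue ;; esac
    case $UEBA_PW_SPECIALS in *"$c"*) ;; *) return 1 ;; esac
  done
}

# True if every space-separated schema is one of the five named on the page.
ueba_valid_schemas() {
  [ -n "$1" ] || return 1
  for s in $1; do
    case $s in
      AUTHENTICATION|FILE|ACTIVE_DIRECTORY|PROCESS|REGISTRY) ;;
      *) return 1 ;;
    esac
  done
}

# Check password, type, startTime and schemas before running the real command.
ueba_preflight() {
  ueba_valid_password "$1" || { echo "password: unsupported character" >&2; return 1; }
  case $2 in broker|concentrator) ;; *) echo "type: broker or concentrator" >&2; return 1 ;; esac
  case $3 in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z) ;;
    *) echo "startTime: expected UTC like 2018-08-15T00:00:00Z" >&2; return 1 ;;
  esac
  ueba_valid_schemas "$4" || { echo "schemas: unknown name in '$4'" >&2; return 1; }
}

# Constructed demo: 48-hour retention, password taken from the page's sample command.
ueba_preflight '!"UHfz?@ExMn#$' broker "$(ueba_start_time 48)" 'FILE PROCESS' && echo "arguments OK"
```

A password containing an apostrophe, a space or any other character outside the listed set is rejected here, before it can break the single-quoted -p value.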

For Virtual Hosts:

You must complete the following tasks in the order shown below.

Task 1. Install 11.3 on the NetWitness Server Host

Task 2. Install 11.3 Log Hybrid Host

Task 3. Install and Configure RSA NetWitness® UEBA

Task 1. Install 11.3 on the NetWitness Server Host

On the host you have deployed for the NetWitness Server (NW Server), this task installs:

  • The 11.3.0.0 NW Server environmental platform.
  • The NW Admin Server.
  • A repository with the RPM files required to install the other functional components or services.

For more information on how to install the NetWitness Server host, see the "Task 1- Install 11.3.0.0 on the NW Server Host" section in the Virtual Host Installation Guide for Version 11.3. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

Task 2. Install 11.3 Log Hybrid Host

Complete the following tasks on a non-NW Server host:

  • Install the 11.3.0.0 environmental platform.
  • Apply the 11.3.0.0 RPM files to the service from the NW Server Update Repository.

Note: You must install the Log Hybrid host.

For more information on how to install the non-NetWitness Server host, see the "Task 3 - Install 11.3 for on Other Component Hosts" section in the Virtual Host Installation Guide for Version 11.3. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

Task 3. Install and Configure RSA NetWitness® UEBA

Prerequisite: Increase Memory for Virtual Deployment

Virtual Machines are deployed with approximately 104 GB in the storage mount by default. To install NetWitness UEBA, you must increase the storage space in your virtual environment to at least 800 GB.

To set up NetWitness UEBA, you must install and configure the NetWitness UEBA service.

The following procedure shows you how to install the NetWitness UEBA service on a NetWitness UEBA Host Type and configure the service.

  1. Complete steps 1 - 15 for Virtual Hosts under "Task 3 - Install 11.3 on Other Component Hosts" in "Installation Tasks" of the NetWitness Platform Physical Host Installation Guide for Version 11.3. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

    Note: The Kibana and Airflow webserver User Interface password is the same as the deploy_admin password. Make sure that you record this password and store it in a safe location.

  2. Complete steps 2 - 9 under Task 3. Install and Configure RSA NetWitness® UEBA.

 
