This topic contains the tasks you must complete to perform a standalone installation of NetWitness UEBA.
Note: Download or make sure you have access to the Physical Host Installation Guide for Version 11.3 before beginning the tasks. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.
For Physical Hosts:
You must complete the following tasks in the order shown below.
Task 1. Install 11.3 on the NetWitness Server Host
Task 2. Install 11.3 Log Hybrid Host
Task 3. Install and Configure RSA NetWitness UEBA
Task 1. Install 11.3 on the NetWitness Server Host
For the NetWitness Server (NW Server), this task:
- Creates a base image.
- Sets up the 11.3 NW Server host.
For more information on how to install the NetWitness Server host, see the "Install 11.3 on the NetWitness Server (NW Server) Host" section in the Physical Host Installation Guide for Version 11.3. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.
Task 2. Install 11.3 Log Hybrid Host
For a non-NW Server host, this task:
- Creates a base image.
- Sets up the 11.3 non-NW Server host or Log Hybrid.
For more information on how to install the Log Hybrid host, see the "Task 2 - Install 11.3 on Other Component Hosts" section in the Physical Host Installation Guide for Version 11.3. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.
Task 3. Install and Configure RSA NetWitness UEBA
To set up NetWitness UEBA, you must install and configure the NetWitness UEBA service.
The following procedure shows you how to install the NetWitness UEBA service on a NetWitness UEBA Host Type and configure the service.
- Complete steps 1 - 14 under "Task 2 - Install 11.3 on Other Component Hosts" in "Installation Tasks" of the NetWitness Platform Physical Host Installation Guide for Version 11.3. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.
Note: The Kibana and Airflow webserver User Interface password is the same as the deploy_admin password. Make sure that you record this password and store it in a safe location.
- Log in to NetWitness Platform and go to ADMIN > Hosts.
The New Hosts dialog is displayed with the Hosts view grayed out in the background.
Note: If the New Hosts dialog is not displayed, click Discover in the Hosts view toolbar.
- Select the host in the New Hosts dialog and click Enable.
The New Hosts dialog closes and the host is displayed in the Hosts view.
- Select that host in the Hosts view (for example, UEBA) and click .
The Install Services dialog is displayed.
- Select the UEBA Host Type and click Install.
- Make sure that the UEBA service is running.
- Complete licensing requirements for NetWitness UEBA.
See the NetWitness Platform 11.3 Licensing Management Guide for more information. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.
Note: NetWitness Platform supports the User and Entity Behavior Analytics License (UEBA). This license is used based on the number of users. The Out-of-the-Box Trial License is a 90-day trial license. For UEBA licenses, the 90-day trial period begins when the UEBA service is deployed on the NetWitness Platform product.
- Configure NetWitness UEBA.
You need to configure a data source (Broker or Concentrator), historical data collection start date, and data schemas.
IMPORTANT: If your deployment has multiple Concentrators, RSA recommends that you assign the Broker at the top of your deployment hierarchy for the NetWitness UEBA data source.
- Determine the earliest date in the NWDB of the data schema you plan to choose (AUTHENTICATION, FILE, ACTIVE_DIRECTORY, PROCESS, REGISTRY or any combination of these schemas) to specify in startTime in step c. If you plan to specify multiple schemas, use the earliest date among all the schemas. If you are not sure which data schema to choose, you can specify all five data schemas (that is, AUTHENTICATION, FILE, ACTIVE_DIRECTORY, PROCESS and REGISTRY) to have UEBA adjust the models it can support based on the Windows logs available. You can use one of the following methods to determine the data source date.
- Use the Data Retention date (that is, if the Data Retention duration is 48 hours, startTime = <48 hours earlier than the current time>).
- Search the NWDB for the earliest date.
- Create a user account for the data source (Broker or Concentrator) to authenticate to the data source.
- SSH to the NetWitness UEBA server host.
- Submit the following commands.
/opt/rsa/saTools/bin/ueba-server-config -u <user> -p <password> -h <host> -o <type> -t <startTime> -s <schemas> -v -e <argument>
Where:
- Complete NetWitness UEBA configuration according to the needs of your organization.
See the RSA NetWitness UEBA User Guide for more information. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.
Note: If NetWitness Endpoint Server is configured, you can view the alerts associated with the Process and Registry data schemas.
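A helper for the startTime and schema steps above, added here as an example and not part of RSA's documentation or tooling: it derives startTime by either method and rejects schema names other than the five listed before they reach ueba-server-config. The timestamp format for -t, the quoted space-separated form for -s, the function names, and the availability of GNU date are assumptions.

```shell
#!/bin/sh
# Added example, not RSA code: derive the -t and -s values for ueba-server-config.
# Assumptions: -t accepts an ISO-8601 UTC timestamp; -s accepts a quoted,
# space-separated list; GNU date is available (date -d @EPOCH).

VALID_SCHEMAS="AUTHENTICATION FILE ACTIVE_DIRECTORY PROCESS REGISTRY"

# Succeeds only if every argument is one of the five schemas named on the page.
validate_schemas() {
  [ "$#" -gt 0 ] || { echo "no schema given" >&2; return 1; }
  for vs_name in "$@"; do
    case " $VALID_SCHEMAS " in
      *" $vs_name "*) ;;
      *) echo "unknown schema: $vs_name" >&2; return 1 ;;
    esac
  done
}

# Method 1: startTime = <hours> before <now>. <now> is epoch seconds and
# defaults to the current time; it is a parameter so the result is testable.
start_time_from_retention() {
  case "$1" in
    ''|*[!0-9]*) echo "retention must be whole hours" >&2; return 1 ;;
  esac
  st_now=${2:-$(date -u +%s)}
  date -u -d "@$(( $st_now - $1 * 3600 ))" +%Y-%m-%dT%H:%M:%SZ
}

# Method 2: given the earliest NWDB date found for each schema, pick the
# earliest overall. ISO-8601 UTC strings sort chronologically as plain text.
earliest_date() {
  printf '%s\n' "$@" | LC_ALL=C sort | head -n 1
}

# Print the two arguments to substitute into the command shown above.
ueba_time_and_schema_args() {
  ua_start=$1; shift
  validate_schemas "$@" || return 1
  printf '%s %s -s "%s"\n' -t "$ua_start" "$*"
}

# Constructed sample: 48-hour retention, two schemas.
ueba_time_and_schema_args "$(start_time_from_retention 48)" AUTHENTICATION FILE
```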
For Virtual Hosts:
You must complete the following tasks in the order shown below.
Task 1. Install 11.3 on the NetWitness Server Host
Task 2. Install 11.3 Log Hybrid Host
Task 3. Install and Configure RSA NetWitness UEBA
Task 1. Install 11.3 on the NetWitness Server Host
On the host you have deployed for the NetWitness Server (NW Server), this task installs:
- The 11.3.0.0 NW Server environmental platform.
- The NW Admin Server.
- A repository with the RPM files required to install the other functional components or services.
For more information on how to install the NetWitness Server host, see the "Task 1- Install 11.3.0.0 on the NW Server Host" section in the Virtual Host Installation Guide for Version 11.3. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.
Task 2. Install 11.3 Log Hybrid Host
Complete the following tasks on a non-NW Server host:
- Install the 11.3.0.0 environmental platform.
- Apply the 11.3.0.0 RPM files to the service from the NW Server Update Repository.
Note: You must install the Log Hybrid host.
For more information on how to install the non-NetWitness Server host, see the "Task 3 - Install 11.3 for on Other Component Hosts" section in the Virtual Host Installation Guide for Version 11.3. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.
Task 3. Install and Configure RSA NetWitness UEBA
Prerequisite: Increase Memory for Virtual Deployment
Virtual Machines are deployed with approximately 104 GB in the storage mount by default. To install NetWitness UEBA, you must increase the storage space in your virtual environment to at least 800 GB.
To set up NetWitness UEBA, you must install and configure the NetWitness UEBA service.
The following procedure shows you how to install the NetWitness UEBA service on a NetWitness UEBA Host Type and configure the service.
- Complete steps 1 - 15 for Virtual Hosts under "Task 3 - Install 11.3 on Other Component Hosts" in "Installation Tasks" of the NetWitness Platform Physical Host Installation Guide for Version 11.3. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.
Note: The Kibana and Airflow webserver User Interface password is the same as the deploy_admin password. Make sure that you record this password and store it in a safe location.
- Complete steps 2 - 9 under Task 3. Install and Configure RSA NetWitness UEBA.