You can import file status, certificate status, and blocked hashes from NetWitness Endpoint 4.4.0.x to NetWitness Platform using the MigrationHelper python script.
Note: The MigrationHelper python script must be run only on a Windows host.
You can download the script from RSA Link:
RSA NetWitness Platform > Downloads > RSA NetWitness Platform > Version 11.3 > Tools.
Prerequisites
To run the python script:
- Install Python 3.6.x or later on a Windows host that can connect to the NetWitness Endpoint 4.4.0.x primary database.
- Install pyodbc by downloading the wheel file from https://pypi.org/project/pyodbc/#files and running the following command:
pip install wheel-file.whl
- If the json and os.path libraries are not available in your Python installation, install them by downloading the corresponding wheel file from https://pypi.org/ and running the following command:
pip install wheel-file.whl
Import File and Certificate Status
Note: If a certificate status is graylisted in NetWitness Endpoint, that status is not exported, because graylist is not supported for certificates in NetWitness Platform 11.3 and later.
- Run the MigrationHelper python script.
Note: Run this script from any host that has access to the NetWitness Endpoint primary database.
- Enter the following:
  - Database server host name or IP address (for example, 10.40.40.10)
  - Database name (for example, ECATPrimary)
  - Database credentials
- Enter the path in which to store the exported files and press Enter. Make sure that the path exists. The file and certificate status are exported to JSON files.
- Log in to the Context Hub server and copy the exported files to the /var/netwitness/contexthub-server/data/ directory.
- On the NW server, run the nw-shell command from the command line.
Note: Make sure all Endpoint servers on NetWitness Platform 11.3 and later are online while importing data.
- Run the login command and enter the credentials.
- Connect to the Context Hub server using the following command:
connect --service contexthub-server
- Run the following commands to import the file status:
cd contexthub/file/status/import
show
invoke <file path>/FileStatus.json
Note: <file path> is the path on the Context Hub server where the file is saved. The Context Hub server runs on the ESA primary host.
- Run the following commands to import the certificate status:
cd contexthub/certificate/status/import
show
invoke <file path>/CertificateStatus.json
Note: <file path> is the path on the Context Hub server where the file is saved. The Context Hub server runs on the ESA primary host.
- Check the progress of the import in the /var/log/netwitness/contexthub-server/contexthub-server.log file.
Once the import is complete, the message "Imported File status successfully" or "Imported Certificate status successfully" is written to the log file.
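Before copying the exported JSON files to the Context Hub server, a quick consistency check catches a missing export path, malformed records, and graylisted certificate entries that the 11.3 import does not accept. The following is an added example, not the MigrationHelper script or any RSA tool; the record layout (an array of objects with "checksum" and "status" keys) and the accepted checksum lengths are assumptions made for illustration.

```python
# Added example, not part of the RSA MigrationHelper script: sanity-check an exported
# JSON file before copying it to the Context Hub server. The record layout (array of
# objects with "checksum"/"status" keys) and checksum lengths are ASSUMPTIONS.
import json
import os.path
from collections import Counter

# Graylist is not supported for certificates in NetWitness Platform 11.3 and
# later, so such entries are dropped from the certificate export before import.
UNSUPPORTED_CERT_STATUS = {"graylist"}
HEX_DIGITS = set("0123456789abcdef")
CHECKSUM_LENGTHS = {32, 40, 64}  # MD5 / SHA-1 / SHA-256 hex digests (assumed)

def validate_records(records, kind):
    """Return (kept_records, report) for a parsed export of the given kind
    ('file' or 'certificate'). Malformed entries are counted, not kept."""
    if not isinstance(records, list):
        raise ValueError("export must be a JSON array of records")
    kept, report = [], Counter()
    for rec in records:
        fields = rec if isinstance(rec, dict) else {}
        checksum = str(fields.get("checksum", "")).lower()
        status = str(fields.get("status", "")).lower()
        if not checksum or not status:
            report["malformed"] += 1
            continue
        if len(checksum) not in CHECKSUM_LENGTHS or set(checksum) - HEX_DIGITS:
            report["bad_checksum"] += 1
            continue
        if kind == "certificate" and status in UNSUPPORTED_CERT_STATUS:
            report["dropped_graylist"] += 1
            continue
        kept.append({"checksum": checksum, "status": status})
        report[status] += 1
    return kept, dict(report)

def check_export(path, kind):
    """Validate an export file on disk; the path must exist, as the procedure requires."""
    if not os.path.isfile(path):
        raise FileNotFoundError(f"export file not found: {path}")
    with open(path, encoding="utf-8") as fh:
        return validate_records(json.load(fh), kind)

# Constructed sample export (not real MigrationHelper output).
SAMPLE_CERT_EXPORT = [{"checksum": "A" * 40, "status": "Whitelist"},
                      {"checksum": "b" * 40, "status": "Graylist"},
                      {"status": "Blacklist"}]
```

Run check_export("<export path>/CertificateStatus.json", "certificate") against the real export and review the report before copying the file.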
If you want to unblock the imported 4.4.0.x blocked files:
- On the NW server, run the nw-shell command from the command line.
- Run the login command and enter the credentials.
- Connect to the Context Hub server using the following command:
connect --service contexthub-server
- Run the following commands to unblock the file status:
cd contexthub/file/status/unblock
invoke <checksum of blocked file>