Update Instructions: Post Update Tasks

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by RSA Information Design and Development on Apr 18, 2019.

Complete the following tasks after you update to NetWitness Platform 11.3.0.0.

General

These tasks apply to all NetWitness Platform 11.3.0.0 customers.

Task 1 - Start Data Capture and Aggregation

Restart network and log capture and aggregation after updating to 11.3.0.0.

Start Network Capture

  1. In the NetWitness Platform menu, select ADMIN > Services.
    The Services view is displayed.
  2. Select each Decoder service.
  3. Under (actions), select View > System.
  4. In the toolbar, click the Start Capture icon.

Start Log Capture

  1. In the NetWitness Platform menu, select ADMIN > Services.
    The Services view is displayed.
  2. Select each Log Decoder service.
  3. Under (actions), select View > System.
  4. In the toolbar, click the Start Capture icon.

Start Aggregation

  1. In the NetWitness Platform menu, select ADMIN > Services.
    The Services view is displayed.
  2. For each Concentrator and Broker service:
    1. Select the service.
    2. Under (actions), select View > Config.
    3. In the toolbar, click the Start Aggregation icon.

Task 2 - Set Up Context Menu Actions User Permissions

Complete the following steps for the Analysts, SOC Managers, and Data Privacy Officers roles to set up their Context Menu Actions.

  1. In the NetWitness Platform menu, select ADMIN > Security > Roles.
  2. Double-click the user role (for example, Data Privacy Officers), or click to select the role and click (Edit icon).

  3. In the Edit Role view under Permissions, check the Manage Logs, Manage Plugins, and Manage System Settings check boxes and click Save.


  4. Complete steps 1 through 3 for the Analysts and SOC Managers roles in addition to Data Privacy Officers.

Task 3 - Add "Manage Jobs" Permission to Roles Missing this Permission

Add the 'Manage Jobs' Administration permission to the following roles:

  • SOC_Managers
  • Operators
  • Data_Privacy_Officers

  1. In the NetWitness Platform menu, select ADMIN > Security and click Roles.
  2. Select the role you need to update (that is, SOC_Managers, Operators, or Data_Privacy_Officers) and click the Edit icon.

  3. Click Administration, check the Manage Jobs checkbox, and click Save.

  4. Complete steps 1 through 3 inclusive for all three roles (SOC_Managers, Operators, and Data_Privacy_Officers).

Task 4 - Modify the Analyst Role - investigate-server Permissions

The default permissions for the SOC Managers, Malware Analysts, and Analysts roles are fixed in 11.3 so that these roles have specific permissions required to view and work in Event Analysis view. Prior to 11.3, the default permissions were different.

In addition, the predicate.manage permission should not be assigned to the SOC Managers, Malware Analysts, and Analysts roles because it grants them access to get-predicates, edit-predicates, remove-predicates, remove-all-predicates and so on. This access could be a security risk because it allows them to circumvent settings that restrict access to certain data.

As a result, you must update the default permissions to match the 11.3 default permissions, as described in the following procedure.

  1. In the NetWitness Platform menu, select ADMIN > Security > Roles.
  2. Complete the following steps for SOC Managers, Malware Analysts, and Analysts roles.
    1. Check the user role checkbox (for example, Analysts) and click (Edit icon).
    2. Under Permissions, click the Investigate-server tab.
    3. Make sure that the following permissions are not checked.
      • investigate-server.*
      • investigate-server.predicate.manage
    4. Check the following permissions.
      • investigate-server.content.export
      • investigate-server.content.reconstruct
      • investigate-server.event.read
      • investigate-server.metagroup.read
      • investigate-server.predicate.read
    5. Click Save.

(Optional) Task 5 - Reissue Certificates for Your Hosts

In 11.3.0.0, RSA introduced a cert-reissue command line command and its arguments to reissue host certificates. After you update all your hosts to 11.3, you should reissue certificates for all of them as soon as possible to avoid having them expire. If the certificates expire, this places your NetWitness deployment in a bad security state. Refer to the RSA NetWitness® Platform 11.3 Security Configuration Guide for instructions on how to use the cert-reissue command.

(Conditional) Task 6 - If NetWitness Platform Has No Web Access, Upload Response .bin File Again (License Server)

If your NetWitness Deployment does not have Internet access, after you update to 11.3, you must upload the response .bin file again to view the license information in the ADMIN > System > Licensing view in the NetWitness Platform User Interface. See “Upload an Offline Capability Response to NetWitness Platform” in the RSA NetWitness Platform Licensing Management Guide for Version 11.3 for instructions. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

NW Server

(Conditional) Task 7 - Reconfigure PAM Radius Authentication

If you configured PAM Radius authentication in 11.0.x.x using the pam_radius package, you must reconfigure it in 11.3.0.0 using the pam_radius_auth package to achieve better performance. See “Configure PAM Login Capability” in the RSA NetWitness® Platform 11.3 System Security and User Management Guide for instructions. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

Decoder and Log Decoder

(Conditional - for 11.0.x.x and 11.1.x.x Update paths, Not 11.2.x.x) Task 8 - Enable Metadata for GeoIP2 Parser

By default, the GeoIP2 parser generates less metadata than the GeoIP parser did. After updating to 11.3, if you require any of the additional metadata, you must enable them (once only) for each Decoder. This can also be altered post-update. Keep in mind that the isp and org meta fields usually produce an equivalent value to domain.

To enable metadata:

  1. Go to ADMIN > Services.
  2. In the Administration services view, select a Log Decoder or a Decoder.
  3. Click the Actions icon and select View > Config. The Parsers Configuration panel is displayed, from which you can select GeoIP2 to enable the desired metadata.

For more information about GeoIP2 parsers, see the "GeoIP2 and GeoIP Parsers" topic in the Decoder and Log Decoder Configuration Guide.

NetWitness Endpoint

Task 9 - Reconfigure Recurring Feed Configured from Legacy Endpoint Because Java Version Changed

You must reconfigure the Legacy Endpoint recurring feed due to the change in Java version. Complete the following step to fix this problem.

  1. Import the NetWitness Endpoint CA certificate into the NetWitness Platform trusted store, as described in "Export the NetWitness Endpoint SSL Certificate" under the "Configure Contextual Data from Endpoint via Recurring Feed" topic in the RSA NetWitness Endpoint Integration Guide.
    Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

Task 10 - Restore Backed Up Endpoint Custom Meta Data Mappings

RSA recommends that you do not override any 11.3 default mappings unless required. If you backed up 11.1.x.x custom mappings before updating to 11.3, review the list of custom mappings and restore only those mappings that are not already in the default, using the set-custom API through nw-shell.

To modify any mappings, see the Endpoint Insights Configuration Guide. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

Event Stream Analysis

These tasks apply to NetWitness Platform 11.3.0.0 customers using Event Stream Analysis.

Task 11 (Conditional) Verify String Array Type Meta Keys on the ESA Correlation Service

If you added any string array type meta keys to the Event Stream Analysis service for your ESA correlation rules prior to updating to 11.3, verify that they appear on the ESA Correlation service in 11.3.

  1. Follow the “Configure Meta Keys as Arrays in ESA Correlation Rule Values” procedure in the ESA Configuration Guide to verify if the string array type meta keys that were added before the update are on the ESA Correlation service. Add any missing string array type meta keys. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.
  2. Do not remove any meta keys from the multi-valued parameter on the ESA Correlation service. In NetWitness Platform 11.3, the ESA rules from Live use meta keys with array syntax and they depend on these meta keys to work correctly. Removing values from the multi-valued list can cause the ESA Rule Deployments to fail.

Task 12 (Conditional) Update RSA Live ESA Rules with Meta Type Changes from String to Array

The following table lists the ESA rules from RSA Live that had meta key type changes from String to Array in NetWitness Platform 11.3.

Rule #  Rule Name                                                        Array Type Meta Keys in 11.3
1       RIG Exploit Kit                                                  threat_category
2       AWS Critical VM Modified                                         alert
3       Multiple Successful Logins from Multiple Diff Src to Same Dest   host.src and host.dst
4       Multiple Successful Logins from Multiple Diff Src to Diff Dest   host.src and host.dst
5       Multiple Failed Logins from Multiple Diff Sources to Same Dest   host.src and host.dst
6       Multiple Failed Logins from Multiple Users to Same Destination   host.src and host.dst
7       User Login Baseline                                              host.src and host.dst

  1. If you:
    • Deployed these rules before version 11.3:
      1. Note any rule parameters that you have changed so you can adjust the rules for your environment.
      2. Download the updated rules from RSA Live.
      3. Reapply any changes to the default rule parameters and deploy the rules.

        (For instructions, see “Download RSA Live ESA Rules” in the Alerting with ESA Correlation Rules User Guide.)

    • Are deploying these rules for the first time in version 11.3, follow the customization directions in the ESA rule descriptions. Rules 3 to 7 in the above table require that the Context Hub lists User_Whitelist, Host_Whitelist, and IP_Whitelist be added as enrichments to ESA. (See “Configure Context Hub List as an Enrichment Source” in the Alerting with ESA Correlation Rules User Guide.)
  2. Deploy the ESA rule deployment that contains these rules. (See “ESA Rule Deployment Steps” in the Alerting with ESA Correlation Rules User Guide.)

Task 13 (Conditional) - Verify ESA Rule Deployment

After you update to 11.3, verify your ESA rule deployments. For every ESA host, a new deployment is created in the format “<ESA Host name> – ESA Correlation”.

  1. Make sure that a new deployment was created.
  2. Make sure that the new deployment contains an ESA Correlation service, data sources, and rules for all previous deployments on that ESA host.
  3. Make sure that the ESA Correlation service has status of “Deployed”.

For a detailed example, see the ESA Configuration Guide for RSA NetWitness Platform 11.3. For Deployment information, see “ESA Rule Deployment Steps” in the Alerting with ESA Correlation Rules User Guide for RSA NetWitness Platform 11.3. For troubleshooting information, see the Alerting with ESA Correlation Rules User Guide for RSA NetWitness Platform 11.3.

Respond

Task 14 - Get the Latest Version of the Aggregation Rule Schema and Restore any Respond Service Custom Keys

Complete the following procedure to get the latest version of the Aggregation Rule Schema and restore any Respond service custom keys.

  1. Delete the /var/lib/netwitness/respond-server/data/aggregation_rule_schema.json file.
  2. Restart the Respond server to get the latest version of the /var/lib/netwitness/respond-server/data/aggregation_rule_schema.json file.
    systemctl restart rsa-nw-respond-server
  3. If you added custom keys to the /var/lib/netwitness/respond-server/data/aggregation_rule_schema.json file for use in the groupBy clause in 11.0, modify the /var/lib/netwitness/respond-server/data/aggregation_rule_schema.json file and add the custom keys that you previously saved as an Update Preparation task.

Note: New Group By fields have been added to Respond. The new Group By fields will not be visible in the NetWitness Platform user interface if you do not get the latest version of the file from the server.

Task 15 - Get the Latest Version of the Respond Service Normalization Scripts and Restore any Customized Respond Service Normalization Scripts

RSA refactored the Respond service normalization scripts in the /var/lib/netwitness/respond-server/scripts directory in 11.3.0.0. You must replace the old versions.

Before the update to 11.3.0.0, you backed up the following files from the /var/lib/netwitness/respond-server/scripts directory.
data_privacy_map.js
normalize_alerts.js
normalize_core_alerts.js
normalize_ecat_alerts.js
normalize_ma_alerts.js
normalize_wtd_alerts.js
utils.js

Complete the following procedure to get the latest version of the normalization scripts.

  1. After backing up the files listed above, delete the /var/lib/netwitness/respond-server/scripts directory and its contents.
  2. Restart the Respond server.
    systemctl restart rsa-nw-respond-server
  3. (Conditional) Edit the new files to include any custom logic from the 11.0 scripts that you backed up.

Note: The following files changed with the 11.3.0.0 release:
normalize_alerts.js
aggregation_rule_schema.json

Task 16 - Add Respond Notification Settings Permissions

Note: If you already configured these permissions in 11.1 or later, you can skip this task.

Respond Notification Setting permissions enable Respond Administrators, Data Privacy Officers, and SOC Managers to access Respond Notification Settings (CONFIGURE > Respond Notifications), which enable them to send email notifications when incidents are created or updated.

To access these settings, you will need to add additional permissions to your existing built-in NetWitness Platform user roles. You will also need to add permissions to your custom roles. See the “Respond Notification Settings Permissions” topic in the NetWitness Respond Configuration Guide. For detailed information about user permissions, see the System Security and User Management Guide. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

Task 17 - Update Default Incident Rule Group By Values

The following default incident rules now use “Source IP Address” as the Group By value.

  • High Risk Alerts: Reporting Engine
  • High Risk Alerts: Malware Analysis
  • High Risk Alerts: ESA

To update the above default rules, change the Group By value to “Source IP Address.”

Note: If you already updated the Group By values for the default rules listed above in 11.1 or later, you do not have to do it again.

The High Risk Alerts: NetWitness Endpoint default incident rule now uses Host Name as the Group By value. If you have NetWitness Endpoint you can use this rule. Change the Group By value of the default NetWitness Endpoint rule to "Host Name."

  1. In the NetWitness Platform menu, select CONFIGURE > Incident Rules and click on the rule that you want to update in the Name column. The Incident Rule Details view is displayed.
  2. In the GROUP BY field, select the new Group By value from the drop-down list.
  3. Click Save to update the rule.

To aggregate NetWitness Endpoint alerts based on the File Hash, complete the following steps to clone the default NetWitness Endpoint incident rule and change the Group By value.

  1. In the NetWitness Platform menu, select CONFIGURE > Incident Rules. The Incident Rules List view is displayed.
  2. Select the High Risk Alerts: NetWitness Endpoint default incident rule and click Clone. You will receive a message that you successfully cloned the selected rule.
  3. Change the Name of the rule to an appropriate name, such as High Risk Alerts: NetWitness Endpoint File hash.
  4. In the GROUP BY field, remove the previous Group By value and add File MD5 Hash. It is important that File MD5 Hash is the only Group By value listed.
  5. Click Save to create the rule.

For detailed information, see the Respond Configuration Guide for NetWitness Platform 11.3.

NetWitness UEBA

(Optional) Task 18 - Enable Endpoint Data Sources

If NetWitness Endpoint Server is configured in NetWitness Platform 11.3, you can enable the Endpoint data sources such as Process and Registry to generate alerts in UEBA.

To enable Endpoint data sources:

curl -X PATCH http://localhost:8881/configuration -H 'content-type: application/json' -d '{"operations":[{"op":"add","path":"/dataPipeline/schemas/-","value":"PROCESS"},{"op":"add","path":"/dataPipeline/schemas/-","value":"REGISTRY"}]}'

Task 19 - Enable UEBA Indicator Forwarder

If NetWitness Respond server is configured in NetWitness Platform 11.3, you can transfer the NetWitness UEBA indicators to the NetWitness Respond server and to the correlation server to create incidents.

To enable the UEBA indicator forwarder:

curl -X PATCH http://localhost:8881/configuration -H 'content-type: application/json' -d '{"operations":[{"op":"replace","path":"/outputForwarding/enableForwarding","value":true}]}'
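The two PATCH bodies above (Task 18 and Task 19) are JSON Patch (RFC 6902) operations. As an added illustration that is not part of the RSA document, the following Python applies those exact bodies to a constructed sample of the UEBA configuration document so you can see what each call changes; the document's shape is an assumption, only the paths and values come from the curl commands. It also shows that the Task 18 "add" operations append on every run, so repeating that command in this model duplicates the schema entries.

```python
"""Added example (not from the RSA document): model the effect of the Task 18
and Task 19 JSON Patch bodies on a sample UEBA configuration document."""
import copy
import json

# Constructed sample configuration; the real server's document shape is an assumption.
SAMPLE_CONFIG = {
    "dataPipeline": {"schemas": ["AUTHENTICATION", "FILE", "ACTIVE_DIRECTORY"]},
    "outputForwarding": {"enableForwarding": False},
}

# Exact bodies passed with -d in the documented curl commands.
TASK18_ENDPOINT_PATCH = ('{"operations":[{"op":"add","path":"/dataPipeline/schemas/-","value":"PROCESS"},'
                         '{"op":"add","path":"/dataPipeline/schemas/-","value":"REGISTRY"}]}')
TASK19_FORWARDER_PATCH = '{"operations":[{"op":"replace","path":"/outputForwarding/enableForwarding","value":true}]}'


def _resolve(doc, path):
    """Walk a JSON Pointer (RFC 6901) and return (parent container, last token)."""
    tokens = [t.replace("~1", "/").replace("~0", "~") for t in path.lstrip("/").split("/")]
    parent = doc
    for tok in tokens[:-1]:
        parent = parent[int(tok)] if isinstance(parent, list) else parent[tok]
    return parent, tokens[-1]


def apply_operations(doc, patch_json):
    """Apply the 'add' and 'replace' operations used on this page; returns a new document."""
    result = copy.deepcopy(doc)
    for op in json.loads(patch_json)["operations"]:
        parent, key = _resolve(result, op["path"])
        if op["op"] == "add":
            if isinstance(parent, list):
                # "-" appends to the array; a numeric token inserts at that index
                parent.insert(len(parent) if key == "-" else int(key), op["value"])
            else:
                parent[key] = op["value"]
        elif op["op"] == "replace":
            if isinstance(parent, list):
                parent[int(key)] = op["value"]
            elif key in parent:
                parent[key] = op["value"]
            else:
                raise KeyError(f"replace target does not exist: {op['path']}")
        else:
            raise ValueError(f"operation not modelled here: {op['op']}")
    return result


def enabled_schemas(doc):
    return list(doc["dataPipeline"]["schemas"])


def forwarding_enabled(doc):
    return bool(doc["outputForwarding"]["enableForwarding"])


if __name__ == "__main__":
    after = apply_operations(SAMPLE_CONFIG, TASK18_ENDPOINT_PATCH)
    after = apply_operations(after, TASK19_FORWARDER_PATCH)
    print(json.dumps(after, indent=2))
```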

Task 20 - Update Broker or Concentrator UUID

After you update to NetWitness Platform 11.3, the Broker or Concentrator UUID changes. You must update the NetWitness Platform core services and update the Broker or Concentrator UUID.

To update the Broker or Concentrator UUID:

python /var/netwitness/presidio/airflow/venv/lib/python2.7/site-packages/presidio_workflows-1.0-py2.7.egg/presidio/resources/rerun_ueba_server_config.py

Task 21 - Update Airflow Configuration

After an update to NetWitness Platform 11.3, you must update the Airflow configuration. Perform the following:

  1. To access Airflow, go to https://<UEBA_host>/admin/ and enter the user name and password.

    Note: The Airflow web server UI username is admin and the password is the same as the deploy_admin password.

    You may see some tasks in red in the full flow DAG due to a mismatch of tasks between NetWitness Platform 11.2 and NetWitness Platform 11.3.

  2. Click (Trigger Dag) on the presidio_upgrade_dag_from_11.2.0.0_to_11.3.0.0 DAG.
    This pauses the full flow DAG and runs the reset_presidio DAG to:
    • Create a new full flow DAG where the start date is 27 days ago.
    • Remove the old full flow DAG.
    • Start the new full flow DAG.
  3. Once the update DAG is successful, the presidio_upgrade DAG task is marked in green with one task in the Recent Tasks column as shown below.

Task 22 - Restart Airflow scheduler service

You must restart the Airflow scheduler service after the presidio_upgrade DAG is successful.

Note: A presidio_upgrade DAG with a dark green circle in the Recent Tasks column indicates that the presidio_upgrade DAG is successful.

To restart the airflow scheduler service:

systemctl restart airflow-scheduler

Warehouse

Task 23 - Update Hive Version

After you update to 11.3, you must update to the Hive version that is compatible with the 11.3 Warehouse (either Hive version 0.12 or version 1.0).

  • Hive Version 0.12
    SSH to the NW Server and run the following command.
    rpm -ivh rsa-nw-hive-jdbc-0.12.0-1.x86_64.rpm
  • Hive Version 1.0
    SSH to the NW Server and run the following command.
    rpm -ivh rsa-nw-hive-jdbc-1.0.0-1.x86_64.rpm
