The instructions in this guide apply to the upgrade of AWS for RSA NetWitness Platform 11.1 exclusively.For instructions on how to upgrade your 10.6.6.x physical hosts to 11.4. See the RSA NetWitness Platform Physical Host Upgrade Guide. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents.This document assumes that the appliances are in AWS cloud.
NetWitness Platform 11.4 is a major release that affects all products in the NetWitness Platform suite. The components of the suite are the NetWitness Server (NW Server), Archiver, Broker, Concentrator, Context Hub, Decoder, Endpoit Log Hybrid, Endpoint Broker, User Entity Behavior Analytics , Event Stream Analysis, Investigate, Log Collector, Log Decoder, Malware Analysis, Reporting Engine, Response, and Workbench.
CentOS6 to CentOS7 Upgrade
NetWitness Platform 11.4 is a major release that involves upgrading to a newer version of the operating system (CentOS6 to CentOS7). In addition, the 11.4 platform environment is improved to accommodate current and future physical and virtual deployment types. These changes require an upgrade to the new environment and an upgrade of the functionality.
RSA NetWitness Platform 11.4 Upgrade Path
The supported upgrade path for RSA NetWitness Platform 11.4 is Security Analytics 10.6.6.x. If you are running a version of NetWitness Platform that is prior to 10.6.6.x, you must update to 10.6.6.x before you can upgrade to 11.4. For more information, see the RSA Security Analytics 10.6.6 Update Guide on RSA Link.
Hardware, Deployments, Services, and Features Not Supported in 11.4
RSA does not support upgrade of the following hardware, deployments, services, and features to 11.4.
- RSA All-in-One (AIO) Appliance
- Multiple NetWitness Server Deployment
- Malware Analysis service co-located on the SA Server (Upgrade of Malware Analysis Enterprise is supported in 11.0.)
Custom Health & Wellness policy in 10.6.x for the Context Hub Service
After you upgrade to NetWitness 11.4, your custom policy is not present. Instead for version 11.4, there is an OOTB Context hub Server Monitoring Policy in the user interface.
- Defense Information Strategic Agency-Security Technical Information Guide (DISA-STIG) hardened deployments.
Warehouse Analytics (Data Science)
Event Stream Analysis (ESA) Upgrade Considerations
In RSA NetWitness Platform 11.4, RSA changed how ESA Correlation Rules store and transmit the alerts the system generates. In 11.0, ESA sends all alerts to a central Alert system. The local mongo storage in ESA 10.6.4.x is removed.
The following guidelines help you determine whether or not to upgrade your ESA hosts to 11.4.
In your 10.6.4.x deployment, if you have:
- One ESA host, with or without Incident Management configured, upgrade to 11.0.
Multiple ESA hosts configured to use Incident Management – The system continues to aggregate alerts centrally. If the system is correctly sized and operating as intended in 10.6.4.x, you can upgrade to version 11.0.
Multiple ESA hosts without configuration to use Incident Management and you are connecting to individual ESA hosts to view alerts, do not upgrade to version 11.0.
User Attribute and Role Changes Affecting Investigate
The following changes affect how NetWitness Platform 11.3 handles user and role attributes in the Investigate component.
When you upgrade to 11.4, the user attributes (query prefix, session timeout, and query threshold) available in SA 10.6.6.x no longer exist. The same attributes are available at the role level for use.
User and Role Attributes (Query Prefix) is not applicable to Investigate Event Analysis. The user and role attributes, most importantly the query prefix, do not apply to the new Investigate Event Analysis. Any user can modify the URL in browser to access data that should be restricted from viewing even when query prefix is applied.
Contact Customer Support
Refer to the Contact RSA Customer Support page (https://community.rsa.com/docs/DOC-1294) in RSA Link for instructions on how to get help on RSA NetWitness Platform 11.4.