AWS Upgrade: Introduction

Document created by RSA Information Design and Development Employee on Apr 12, 2019. Last modified by RSA Information Design and Development Employee on Jul 20, 2020.
Version 11

The instructions in this guide apply to the upgrade of AWS for RSA NetWitness Platform 11.1 exclusively. For instructions on how to upgrade your 10.6.6.x physical hosts to 11.4, see the RSA NetWitness Platform Physical Host Upgrade Guide. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents. This document assumes that the appliances are in the AWS cloud.

NetWitness Platform 11.4 is a major release that affects all products in the NetWitness Platform suite. The components of the suite are the NetWitness Server (NW Server), Archiver, Broker, Concentrator, Context Hub, Decoder, Endpoint Log Hybrid, Endpoint Broker, User Entity Behavior Analytics, Event Stream Analysis, Investigate, Log Collector, Log Decoder, Malware Analysis, Reporting Engine, Response, and Workbench.

CentOS6 to CentOS7 Upgrade

NetWitness Platform 11.4 is a major release that involves upgrading to a newer version of the operating system (CentOS6 to CentOS7). In addition, the 11.4 platform environment is improved to accommodate current and future physical and virtual deployment types. These changes require an upgrade to the new environment and an upgrade of the functionality.

RSA NetWitness Platform 11.4 Upgrade Path

The supported upgrade path for RSA NetWitness Platform 11.4 is Security Analytics 10.6.6.x. If you are running a version of NetWitness Platform that is prior to 10.6.6.x, you must update to 10.6.6.x before you can upgrade to 11.4. For more information, see the RSA Security Analytics 10.6.6 Update Guide on RSA Link.

Caution: There is a known issue if you have Active Directory users configured in 10.6.6.x. You have two options to address this issue:
• Apply the patch before you back up your data for the 11.4 upgrade.

Note: If you are updating from 11.0 to 11.4, see Update Guide for Version 11.1 to 11.4 on RSA Link.

Hardware, Deployments, Services, and Features Not Supported in 11.4

RSA does not support upgrade of the following hardware, deployments, services, and features to 11.4.

  • RSA All-in-One (AIO) Appliance
  • Multiple NetWitness Server Deployment
  • Malware Analysis service co-located on the SA Server (Upgrade of Malware Analysis Enterprise is supported in 11.0.)
  • Custom Health & Wellness policy in 10.6.x for the Context Hub Service
    After you upgrade to NetWitness 11.4, your custom policy is not present. Instead, version 11.4 provides an out-of-the-box (OOTB) Context Hub Server Monitoring Policy in the user interface.

  • Defense Information Strategic Agency-Security Technical Information Guide (DISA-STIG) hardened deployments.
  • Warehouse Analytics (Data Science)

Event Stream Analysis (ESA) Upgrade Considerations

In RSA NetWitness Platform 11.4, RSA changed how ESA Correlation Rules store and transmit the alerts the system generates. In 11.0, ESA sends all alerts to a central Alert system. The local mongo storage in ESA 10.6.4.x is removed.

Caution: If you have not used Incident Management in 10.6.4.x, carefully consider whether or not to upgrade to version 11.0.

The following guidelines help you determine whether or not to upgrade your ESA hosts to 11.4.

In your 10.6.4.x deployment, if you have:

  • One ESA host, with or without Incident Management configured, upgrade to 11.0.
  • Multiple ESA hosts configured to use Incident Management – The system continues to aggregate alerts centrally. If the system is correctly sized and operating as intended in 10.6.4.x, you can upgrade to version 11.0.
  • Multiple ESA hosts without configuration to use Incident Management and you are connecting to individual ESA hosts to view alerts, do not upgrade to version 11.0.

Note: If you have not used Incident Management in 10.6.4.x, you cannot view the 10.6.4.x ESA alerts in the 11.0 Respond component without running a migration script. Use the ESA Alert Migration script to migrate these alerts to the location in 11.0 that allows Respond to view them. For instructions on how to run the script, see the ESA Alert Migration Instructions for 10.6.4.x to 11.0 knowledge base article in RSA Link.

User Attribute and Role Changes Affecting Investigate

The following changes affect how NetWitness Platform 11.3 handles user and role attributes in the Investigate component.

  • User Attributes
    When you upgrade to 11.4, the user attributes (query prefix, session timeout, and query threshold) available in SA 10.6.6.x no longer exist. The same attributes are available at the role level for use.

  • User and Role Attributes (Query Prefix) Not Applicable to Investigate Event Analysis
    The user and role attributes, most importantly the query prefix, do not apply to the new Investigate Event Analysis. Even when a query prefix is applied, any user can modify the URL in the browser to access data that should be restricted from viewing.

Contact Customer Support

Refer to the Contact RSA Customer Support page in RSA Link for instructions on how to get help on RSA NetWitness Platform 11.4.
