Update 11.3.2: Instructions

Document created by RSA Information Design and Development Employee on Nov 21, 2019Last modified by RSA Information Design and Development Employee on Dec 9, 2019
Version 3Show Document
  • View in full screen mode

Task 1. (Conditional) Back Up Customized Respond Service Normalization Scripts

Respond service normalization scripts are stored in the /var/lib/netwitness/respond-server/scripts directory. Back them up before you upgrade to so you can restore your customizations in as described in the Respond Post Upgrade Tasks.

  1. Go to the /var/lib/netwitness/respond-server/scripts directory.
  2. Back up the following files:
    normalize_ueba_alerts.js (11.3 only)
  3. If you customized any of the above scripts, copy the customizations so that you can restore them in

Task 2. Record Any String Array Type Meta Keys on the Event Stream Analysis Service

Note: If you are upgrading directly from 11.1.x.x or 11.2.x.x, you must perform this task.

To record any string array type meta keys in the ArrayFieldNames parameter on the Event Stream Analysis service:

  1. Log into NetWitness Platform and go to ADMIN > Services.
  2. Select the Event Stream Analysis service and click (actions) > View > Explore.
  3. In the Explore view node list, select Workflow > Source > netgenAggregationSource.
  4. In the ArrayFieldNames list, make a note of the string array type meta keys listed so you can verify that they are on the ESA Correlation service after the upgrade (ESA Correlation service Explore view (correlation > stream > multi-valued).

These are the default string array types from versions 11.1.x.x to 11.2.x.x:

  • action
  • alias_host
  • alias_ip
  • alias_ipv6
  • analysis_file
  • analysis_service
  • analysis_session
  • boc,email
  • eoc
  • inv_category
  • inv_context
  • ioc
  • netname
  • username

Upgrade Tasks

Perform the following tasks to upgrade to

There are two methods you can use to upgrade the service pack:

Task 1. (Conditional - Offline Methods Only) Download the Service Pack


If you are upgrading from 11.1.x.x, 11.2.x.x or 11.3.x.x to, you must download the following file from RSA Link (https://community.rsa.com/) > Downloads > NetWitness Platform > Version 11.3:

For more information, see Offline Methods (No Connectivity to Live Services).


Task 2. (Conditional - CLI Offline Method Only) Upgrade the External Repository

Note: Perform this step only if you are using an external repository for

Upgrade the external repository with the latest upgrade content for NetWitness Platform by downloading the following file, if you are upgrading from 11.1.x.x, 11.2.x.x or 11.3.x.x to

For more information, see Appendix A. Offline Method (No Connectivity to Live Services) - Command Line Interface .

Task 3. Upgrade the Service Pack

You can choose one of the following upgrade methods based on your internet connectivity:

Online Method (Connectivity to Live Services)

You can use this method if the NW Server host is connected to Live Services and if you are able to obtain the package.

Note: If the NW Server host does not have access to Live Services, use Offline Methods (No Connectivity to Live Services) .


Make sure that:

  1. The Automatically download information about new upgrades every day option is selected and is applied in ADMIN > System > Updates.
  2. Go to ADMIN > Hosts > Update > Check for Updates to check for updates. The Host view displays the Update Available status.
  3. is available in the Update Version column.

Note: If you have custom certs, move them from the /etc/pki/nw/trust/import/ directory to /root/cert. Follow these steps to move the certs:
1. mkdir /root/cert
2. mv /etc/pki/nw/trust/import/* /root/cert


  1. Go to ADMIN > Hosts.
  2. Select the NW Server (nw-server) host.
  3. Check for the latest updates.

  4. Update Available is displayed in the Status column if you have a version update in your Local Update Repository for the selected host.
  5.  Select from the Update Version column. If you:
    • Want to view a dialog with the major features in the upgrade and information on the updates, click the information icon () to the right of the upgrade version number.
    • Cannot find the version you want, select Update > Check for Updates to check the repository for any available updates. If an update is available, the message "New updates are available" is displayed and the Status column updates automatically to show Update Available. By default, only supported updates for the selected host are displayed.
  6. Click Update > Update Host from the toolbar.
  7. Click Begin Update.
  8. Click Reboot Host.
  9. Repeat steps 6 to 8 for other hosts.

Note: You can select multiple hosts to upgrade at the same time only after updating and rebooting the NW Server host. All ESA, Endpoint, and Malware Analysis hosts should be upgraded to the same version as that of the NW Server host.

Offline Methods (No Connectivity to Live Services)

If your version of NetWitness Platform has no connection to the Internet and you want to upgrade to

  • From the User Interface, follow these instructions.

Caution: The offline User Interface method is only available if you are upgrading a host from or later to If you are upgrading a host on an earlier version, you must use the Offline Command Line Interface method.

The following rules apply when you apply version updates:

  • You must update the NW Server host first.
  • You can only apply a version that is compatible with the existing host version.

Note: Alternatively, you can upgrade using the Command Line Interface if you have no connectivity to Live Services. Refer toAppendix A. Offline Method (No Connectivity to Live Services) - Command Line Interface for instructions.

Task 1. Populate Staging Folder (/var/lib/netwitness/common/update-stage/) with Version Updates

  1. Download the netwitness- update package from RSA Link to a local directory.
  2. SSH to the NW Server host.
  1. Copy netwitness- from the local directory to the /var/lib/netwitness/common/update-stage/ staging folder. For example:
    sudo cp /tmp/netwitness- /var/lib/netwitness/common/update-stage/

    Note: NetWitness Platform unzips the file automatically.

Task 2. Apply Updates from the Staging Area to Each Host

Caution: You must update the NW Server host before updating any Non-NW Server host.

  1. Log in to NetWitness Platform.
  2. Go to ADMIN > HOSTS.
  3. Check for updates and wait for the update packages to be copied, validated, and ready to be initialized.

    "Ready to initialize packages" is displayed if:
    • NetWitness Platform can access the update package.
    • The package is complete and has no errors.

    Refer to Troubleshooting Version Installations and Updates for instructions on how to troubleshoot errors (for example, "Error deploying version <version-number>" and "Missing the following update package(s)," are displayed in the Initiate Update Package for RSA NetWitness Platform dialog.)

  4. Click Initialize Update.

    It takes some time to initialize the packages because the files are large and need to be unzipped.
    After the initialization is successful, the Status column displays Update Available and you complete the rest of the steps in this procedure to finish the update of the host.
  5. Click Update > Update Hosts from the toolbar.

  6. Click Begin Update from the Update Available dialog.
    After the host is updated, it prompts you to reboot the host.
  7. Click Reboot from the toolbar.

You are here
Table of Contents > Upgrade 11.3.2: Instructions