Upgrade Guide 11.4: UEBA Installation Tasks

Document created by RSA Information Design and Development Employee on Mar 17, 2020. Last modified by RSA Information Design and Development Employee on Jun 25, 2020. Version 4.

The following sections describe the tasks for installing and upgrading NetWitness UEBA.

(Optional) Add Packet Schemas

If NetWitness Platform 11.4 is configured to perform packet capturing, you can add packet schemas to NetWitness UEBA.

To add a packet schema, run the following command on the UEBA server (this example adds the TLS schema):

curl -X PATCH http://localhost:8881/configuration -H 'content-type: application/json' -d '{"operations":[{"op":"add","path":"/dataPipeline/schemas/-","value":"TLS"}]}'

To see the schemas that are processed by UEBA, open the Airflow main page (https://<ueba_host>/admin). Each processed schema appears on this page.

To change the schema or data source, run the following script before you run the upgrade DAG:

/opt/rsa/saTools/bin/ueba-server-config

To see the data sources that are processed by UEBA, run the following command on the UEBA server; the output lists the NetWitness Platform data source:
curl http://localhost:8888/application-presidio-default.properties

To show only the data source setting, filter the same output:
curl http://localhost:8888/application-presidio-default.properties | grep 'dataPulling.source'

Add the Hunting Pack

In NetWitness Platform, add the hunting pack or verify that it is available:

  1. Log in to NetWitness Platform.
  2. Go to ADMIN and select Admin Server.
  3. Click and select Configure > Live Content.
  4. In the Search criteria, select the following:
    1. Bundle under Resources Type.
    2. Packet under Medium.
  5. Click Search.
    A list of matching resources is displayed.
  6. Select Hunting Pack from the list and click Deploy.
    The hunting pack is added.

Add JA3 and JA3s

The JA3 and JA3s fields are supported by the Network Decoder in 11.3.1 and later. Verify that your Network Decoder is upgraded to one of these versions.

To add JA3 and JA3s:

  1. Log in to NetWitness Platform.
  2. Go to ADMIN and select Decoder.
  3. Navigate to /decoder/parsers/config/parsers.options.
  4. Add HTTPS="ja3=true ja3s=true" (the closing quote is required).
    The JA3 and JA3s fields are configured.

Update Airflow Configuration

After you upgrade to NetWitness Platform 11.4, make sure you update the Airflow configuration.
To update the Airflow configuration:

  1. Access Airflow web server UI (https://<UEBA_host>/admin/) and enter the username and password.

    Note: The Airflow web server UI username is admin, and the password is the same as the deploy_admin password.

    Note: Tasks in the full flow DAG that do not match between NetWitness Platform 11.3 and NetWitness Platform 11.4 may be marked in red.


  2. Click the presidio_upgrade_dag_from_11.3.0.0_to_11.4.0.0 DAG to pause the full flow DAG.

    Note: This step creates a new full flow DAG whose start date is 27 days ago, removes the old full flow DAG, and starts the new full flow DAG.

    Note: To verify if the UEBA system has data, run the wget command on the UEBA Server. If the UEBA system does not contain data, contact RSA Customer Support.

  3. Once the DAG update is successful, the presidio_upgrade DAG task is marked with a green circle in the Recent Tasks column.

Note: If you are upgrading from 11.2.x.x, perform the steps in Steps for Upgrading UEBA from 11.2.x.x now, and then restart the Airflow Scheduler service as described below.

Restart Airflow Scheduler Service

After the presidio_upgrade DAG operation is successful, you must restart the Airflow scheduler service.

Note: When the presidio_upgrade DAG is successful, the DAG is indicated with a dark green circle under Recent Tasks.

To restart the Airflow scheduler service, run the following command on the UEBA server:
systemctl restart airflow-scheduler

Steps for Upgrading UEBA from 11.2.x.x

(Optional) Enable UEBA Indicator Forwarder

If the NetWitness Respond server is configured in NetWitness Platform 11.4, you can transfer the NetWitness UEBA indicators to the NetWitness Respond server and to the correlation server to create incidents.

To enable the UEBA indicator forwarder, run the following command on the UEBA server:

curl -X PATCH http://localhost:8881/configuration -H 'content-type: application/json' -d '{"operations":[{"op":"replace","path":"/outputForwarding/enableForwarding","value":true}]}'

To view the incidents in Respond, follow these steps:

  1. Log in to NetWitness Platform.
  2. Go to Configure > INCIDENT RULES.
  3. Select the User Entity Behavior Analytics rule checkbox.
    Figure: Selecting UEBA Rules for Respond

(Optional) Enable Endpoint Data Sources

If NetWitness Endpoint Server is configured in NetWitness Platform 11.4, you can enable the Endpoint data sources such as Process and Registry to generate alerts in UEBA.

To enable the Endpoint data sources, run the following command on the UEBA server (both schemas are added in a single request):

curl -X PATCH http://localhost:8881/configuration -H 'content-type: application/json' -d '{"operations":[{"op":"add","path":"/dataPipeline/schemas/-","value":"PROCESS"},{"op":"add","path":"/dataPipeline/schemas/-","value":"REGISTRY"}]}'
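The three curl commands on this page (adding the TLS packet schema, enabling the indicator forwarder, and adding the PROCESS and REGISTRY endpoint schemas) all send a JSON Patch body with an "operations" array to the same configuration endpoint. The script below is an added example, not RSA's tooling: it builds those bodies from a validated schema list or a true/false flag, so a typo cannot be written into the pipeline configuration, and it only runs curl when DRY_RUN is not set. The endpoint URL and the two paths come from this page; the function names and the UEBA_CONFIG_URL and DRY_RUN variables are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example (not RSA's own tooling): build the JSON Patch bodies that the
# UEBA configuration endpoint shown on this page expects, and apply them with
# curl only when asked. UEBA_CONFIG_URL and DRY_RUN are hypothetical names.

UEBA_CONFIG_URL="${UEBA_CONFIG_URL:-http://localhost:8881/configuration}"

# Emit one "add" operation per schema name, each appended to the end of the
# /dataPipeline/schemas array ("-" means "append" in JSON Patch).
# Usage: ueba_schema_patch TLS PROCESS REGISTRY
ueba_schema_patch() {
    ops=""
    for schema in "$@"; do
        # Schema names on this page are upper-case identifiers; refuse anything
        # else so a stray character never reaches the configuration store.
        case "$schema" in
            *[!A-Z0-9_]*|"") echo "invalid schema name: '$schema'" >&2; return 1 ;;
        esac
        op="{\"op\":\"add\",\"path\":\"/dataPipeline/schemas/-\",\"value\":\"$schema\"}"
        if [ -n "$ops" ]; then ops="$ops,$op"; else ops="$op"; fi
    done
    printf '{"operations":[%s]}' "$ops"
}

# Emit the "replace" operation that turns indicator forwarding on or off.
# Usage: ueba_forwarding_patch true|false
ueba_forwarding_patch() {
    case "$1" in
        true|false) ;;
        *) echo "expected true or false, got '$1'" >&2; return 1 ;;
    esac
    printf '{"operations":[{"op":"replace","path":"/outputForwarding/enableForwarding","value":%s}]}' "$1"
}

# Send a patch body to the configuration endpoint. With DRY_RUN=1 the curl
# command line is printed instead of executed, so the change can be reviewed
# before it is applied.
ueba_apply_patch() {
    body="$1"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf "curl -X PATCH %s -H 'content-type: application/json' -d '%s'\n" "$UEBA_CONFIG_URL" "$body"
        return 0
    fi
    curl -sS -X PATCH "$UEBA_CONFIG_URL" -H 'content-type: application/json' -d "$body"
}

# Demonstration in dry-run mode: stage the packet schema and both endpoint
# schemas in one request. Leave DRY_RUN unset to send the request for real.
DRY_RUN=1
ueba_apply_patch "$(ueba_schema_patch TLS PROCESS REGISTRY)"
ueba_apply_patch "$(ueba_forwarding_patch true)"
```

Run it once with DRY_RUN=1 to confirm the printed command matches the one on this page for your case, then run the same call with DRY_RUN unset on the UEBA server. Batching several "add" operations in one request is what the page's own endpoint command already does; the functions simply make the list explicit and reject malformed names before anything is sent.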
