Upgrade Guide 11.4.1: UEBA Installation Tasks

Document created by RSA Information Design and Development Employee on Apr 23, 2020Last modified by RSA Information Design and Development Employee on Apr 28, 2020
Version 2Show Document
  • View in full screen mode

The following sections describe the tasks for installing and upgrading NetWitness UEBA.

(Optional) – Update UEBA configuration

To get the UEBA configuration main parameters, run the following curl command from the UEBA machine:

curl http://localhost:8888/application-default.properties

The main parameters that will be returned are as follows:

  • uiIntegration.brokerId: Service ID of the NW data source (Broker / Concentrator).
  • dataPipeline.schemas: List of schemas processed by the UEBA.
  • dataPipeline.startTime: Date when UEBA started consuming data from the NetWitness data source.
  • outputForwarding.enableForwarding: UEBA Forwarder status.

(Optional) Add Packets Schema

If NetWitness Platform 11.4 is configured to perform packet capturing, you can add packet schemas to NetWitness UEBA.

To add packet schemas, run the following command on the UEBA server:

curl -X PATCH http://localhost:8881/configuration -H 'content-type: application/json' -d '{"operations":[{"op":"add","path":"/dataPipeline/schemas/-","value":"TLS"}]}'

Add the Hunting Pack

In NetWitness Platform, add the hunting pack or verify if it is available:

  1. Log in to NetWitness Platform
  2. Go to ADMIN and select Admin Server
  3. Click and select Configure > Live Content
  4. In the Search Criteria, select the following:
    1. Bundle under Resources Type.
    2. Packet under Medium.
  5. Click Search.
    A list of matching resources is displayed.
  6. Select Hunting Pack from the list and click Deploy.
    The hunting pack is added.

Add JA3 and JA3s

The JA3 and JA3s fields are supported by the Network Decoder in 11.3.1 and later. Verify that your Network Decoder is upgraded to one of these versions.

To add JA3 and JA3s:

  1. Log in to NetWitness Platform.
  2. Go to ADMIN and select Decoder.
  3. Navigate to /decoder/parsers/config/parsers.options.
  4. Add HTTPS="ja3=true ja3s=true.
    The JA3 and JA3s fields are configured.

(Optional) Enable Endpoint Data Sources

If NetWitness Endpoint Server is configured in NetWitness Platform 11.4, you can enable the Endpoint data sources such as Process and Registry to generate alerts in UEBA.

To enable Endpoint data sources, run the following commands on the UEBA server :

curl -X PATCH http://localhost:8881/configuration -H 'content-type:

application/json' -d '{"operations":



(Optional) Enable UEBA Indicator Forwarder

If the NetWitness Respond Server is configured in NetWitness Platform 11.4, you can transfer the NetWitness UEBA indicators to the NetWitness Respond Server and to the correlation server to create incidents.

To enable the UEBA indicator forwarder, run the following command:

curl -X PATCH http://localhost:8881/configuration -H ', content-type: application/json' -d '{"operations": [{"op":"replace","path":"/outputForwarding/enableForwarding","value":true}]}'

To view the incidents in Respond:

  1. Log in to NetWitness Platform.
  2. Go to ConfigureINCIDENT RULES
  3. Select the User Entity Behavior Analytics rule checkbox.
    Selecting UEBA Rules for Respond

(Mandatory) Update Airflow Configuration

After you upgrade to NetWitness Platform 11.4.1, make sure you update the Airflow configurations. However before you update the Airflow configurations, you must perform the following mandatory steps:

  • Run the script as root user from the UEBA machine:
    python /var/netwitness/presidio/airflow/venv/lib/python2.7/site-packages/presidio_workflows-1.0-py2.7.egg/presidio/resources/rerun_ueba_server_config.py.

To update the Airflow Configurations:

  1. Access Airflow web server UI (https://<UEBA_host>/admin/) and enter the username and password.

    Note: The Airflow web server UI username is admin, and the password is same as the deploy_Admin password.

    Note: Mismatched tasks between NetWitness Platform 11.3 and NetWitness Platform 11.4 in the full flow DAG can be marked in red.

  2. Click on presidio_upgrade_dag_from_11.*_to_11.4.0.1 to pause the full flow DAG.

    Note: This step creates a new full flow DAG where the start date is 27 days ago, removes the old full flow DAG and starts a new flow DAG.

  3. Once the DAG update is successful, the presidio_upgrade DAG task is marked with green circle in the Recent Tasks column.

You are here
Table of Contents > UEBA Installation Tasks