000039172 - Post migration steps for importing configurations from RSA NetWitness Endpoint 4.4.x to RSA NetWitness Platform 11.4 or later

Document created by RSA Customer Support Employee on Aug 17, 2020. Last modified by RSA Customer Support Employee on Oct 1, 2020.
Version 3

Article Content

Article Number: 000039172
Applies To: RSA Product Set: NetWitness
RSA Product/Service Type: Endpoint
RSA Version/Condition: 4.4.x, 11.4.x, 11.5.x
Platform: Windows, CentOS 7
Tasks: This article provides instructions for the post-migration steps that import the required configurations when you migrate from RSA NetWitness Endpoint 4.4.0.x to RSA NetWitness Platform 11.4 and later. These instructions apply only if you have configuration settings available in RSA NetWitness Endpoint 4.4.0.x.

This article contains the following sections:

  • Importing RSA NetWitness Endpoint 4.4.0.x Configurations to RSA NetWitness Platform
  • Prerequisites
  • Import File and Certificate Status
  • To Unblock any Imported 4.4.0.x Blocked Files
  • Set Up Other RSA NetWitness Endpoint 4.4.0.x Configuration

To bring RSA NetWitness Endpoint 4.4.0.x configurations into RSA NetWitness Platform 11.4 and later, you must have an RSA NetWitness Platform deployment with Endpoint Meta Forwarding configured, ESA rules deployed, and, optionally, File Reputation enabled. For more information, see "Prerequisites" in the Endpoint Agent Installation Guide.

NOTE: Endpoint scan and tracking data in the SQL database, users, IIOCs, custom queries, bad certificates, bad domains, bad IPs, and bad file hashes in RSA NetWitness Endpoint 4.4.0.x cannot be directly migrated.




Importing RSA NetWitness Endpoint 4.4.0.x Configurations to RSA NetWitness Platform


You can import file status, certificate status, and blocked hashes from RSA NetWitness Endpoint 4.4.0.x into RSA NetWitness Platform using the MigrationHelper Python script. The script is available from the RSA NetWitness Endpoint 4.4 to 11.3 Migration Tool page.

The MigrationHelper Python script must be run only on a Windows host.



Prerequisites


To run the Python script:

  • Install Python 3.6.x or later on a Windows host that can connect to the RSA NetWitness Endpoint 4.4.0.x primary database.
  • Install pyodbc by downloading the wheel file from https://pypi.org/project/pyodbc/#files and running the following command:


pip install wheel-file.whl


  • If the json and os.path modules are not available in the Python installation, install them by downloading the corresponding wheel file from https://pypi.org and running the following command:


pip install wheel-file.whl

 

Import File and Certificate Status



NOTE: Certificates that are graylisted in RSA NetWitness Endpoint are not exported, because graylisted certificates are not supported in RSA NetWitness Platform 11.4 or later.




NOTE: Ensure all Endpoint servers on RSA NetWitness Platform 11.4 and later are online while importing data.



STEP 1: Export blocked hashes, file status, and certificate status from SQL:



  1. Run the MigrationHelper Python script downloaded as described in the Prerequisites section, making sure that it runs on a host that has access to the primary Endpoint database.
  2. Enter the following when requested by the script:

 



  • Database server hostname or IP address (for example, 10.40.40.10)
  • Database instance name (if there is no named instance, press Enter to leave the field blank)
  • Database name (for example, ECAT$Primary)
  • Database credentials for the Endpoint database.

    NOTE: The credentials provided MUST have sysadmin privileges for the export to succeed.


  • Specify the path where the exported files will be stored and press Enter. The file status and certificate status are exported as JSON files.

  3. In the example below, the SQL Server and the NWE server are running on the local machine. In this case, you are not prompted for the server hostname or IP address.

(Screenshot not reproduced: the script reports that the JSON files are written to the specified directory.)
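The following is an added example, not RSA's MigrationHelper script, showing the connect-and-export pattern the Prerequisites and STEP 1 describe: the prompt answers (server, optional instance, database, credentials, output directory) become a pyodbc connection, rows are normalised, and the result is written as JSON with json and os.path. The SQL query, the table name, the "Graylisted" status string, the output file name and the ODBC driver name are assumptions; the real schema of the ECAT$Primary database is not given in this article.

```python
import getpass
import json
import os.path

try:
    import pyodbc  # ODBC driver module installed from the wheel (Prerequisites)
except ImportError:
    pyodbc = None  # the JSON helpers below still work without it

# Hypothetical query: the real tables and columns of the ECAT$Primary
# database are not given in the article and must be taken from the
# MigrationHelper script itself.
FILE_STATUS_QUERY = "SELECT Hash, Status FROM dbo.ExampleFileStatus"

# Status values with no equivalent in NetWitness Platform 11.4 and later;
# the article notes that graylisted certificates are skipped on export.
# The exact status string is assumed.
UNSUPPORTED_STATUSES = ("Graylisted",)


def build_connection_string(server, instance, database, user, password):
    """Build a SQL Server ODBC connection string from the prompt answers.
    An empty instance selects the default instance (press Enter, as in the
    steps). 'ODBC Driver 17 for SQL Server' is assumed to be installed."""
    host = f"{server}\\{instance}" if instance else server
    return (
        "DRIVER={ODBC Driver 17 for SQL Server};"
        f"SERVER={host};DATABASE={database};UID={user};PWD={password}"
    )


def normalise_rows(rows, unsupported=UNSUPPORTED_STATUSES):
    """Turn (checksum, status) rows into de-duplicated JSON records.
    Checksums are lower-cased so one file is not exported twice, and rows
    whose status has no equivalent on the 11.x side are dropped."""
    seen = {}
    for checksum, status in rows:
        if status in unsupported:
            continue
        seen[checksum.strip().lower()] = status
    return [{"hash": h, "status": s} for h, s in sorted(seen.items())]


def export_rows(rows, out_dir, filename):
    """Write the normalised records to <out_dir>/<filename>; return the path."""
    path = os.path.join(out_dir, filename)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(normalise_rows(rows), fh, indent=2)
    return path


def export_from_database(conn_str, out_dir):
    """Run the (hypothetical) query against the Endpoint database and write
    the result as JSON; the file name here is an example, not the tool's."""
    if pyodbc is None:
        raise RuntimeError("pyodbc is not installed; see Prerequisites")
    conn = pyodbc.connect(conn_str)
    try:
        cursor = conn.cursor()
        cursor.execute(FILE_STATUS_QUERY)
        return export_rows(cursor.fetchall(), out_dir, "file_status_example.json")
    finally:
        conn.close()


if __name__ == "__main__":
    # The same prompts as STEP 1; the password is read without echo and is
    # used only for this connection, never written to disk.
    server = input("Database server hostname or IP (Enter for local): ").strip() or "localhost"
    instance = input("Instance name (Enter if none): ").strip()
    database = input("Database name (for example, ECAT$Primary): ").strip()
    user = input("Database login (must have sysadmin privileges): ").strip()
    password = getpass.getpass("Password: ")
    out_dir = input("Directory for the exported JSON files: ").strip()
    conn_str = build_connection_string(server, instance, database, user, password)
    print("JSON written to", export_from_database(conn_str, out_dir))
```

Because the export needs a sysadmin login, read the password with getpass rather than embedding it in the script, and remove the exported JSON from the Windows host once it has been copied to the Context Hub server.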

 

STEP 2: Import the JSON files using nw-shell



  1. Log into the Context Hub server, which is the ESA Primary host, and copy the exported files to the /var/netwitness/contexthub-server/data directory.
  2. On the NW Admin Server, run the nw-shell command from the command line.


# nw-shell
offline >>


  3. Run the login command and enter the administrator credentials.


offline >> login
user: admin
password: ********
admin@offline >>


  4. Connect to the Context Hub server using the following command:


admin@offline >> connect --service contexthub-server
INFO: Connected to contexthub-server (e8127f7-df21-3e32-aa12-abc12a233498f)
admin@contexthub-server:Folder:/rsa >>


  5. Run the following commands to import the file status:


admin@contexthub-server:Folder:/rsa >> cd contexthub/file/status/import
admin@contexthub-server:Folder:/rsa/contexthub/file/status/import >> invoke <file path>/<exported file status .json>


NOTE: <file path> is the local path on the Context Hub server (the ESA Primary host) where the file exported from the Endpoint server was saved.



  6. Run the following commands to import the certificate status:


admin@contexthub-server:Folder:/rsa >> cd contexthub/certificate/status/import
admin@contexthub-server:Folder:/rsa/contexthub/certificate/status/import >> invoke <file path>/CertificateStatus.json


NOTE: <file path> is the local path on the Context Hub server (the ESA Primary host) where the file exported from the Endpoint server was saved.



  7. Check the progress of the import in /var/log/netwitness/contexthub-server/contexthub-server.log. Once an import is complete, the message Imported File status successfully or Imported Certificate status successfully is written to the log file.
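To confirm from the log that both imports finished rather than watching it by hand, the following added example (not part of the RSA article) scans contexthub-server.log for the two success messages named in step 7 and collects any ERROR lines so a failed import is visible as well. The sample log is constructed: only the two success messages come from the article, and the timestamp/level layout of the lines is an assumption.

```python
import re

# Log file named in the article.
LOG_PATH = "/var/log/netwitness/contexthub-server/contexthub-server.log"

# The two completion messages named in the article.
SUCCESS_MESSAGES = {
    "file": "Imported File status successfully",
    "certificate": "Imported Certificate status successfully",
}

# Constructed sample log: the "<date> <time> <LEVEL> ..." layout is assumed,
# not copied from a real contexthub-server.log.
SAMPLE_LOG = """\
2020-10-01 10:02:11,004 INFO  contexthub - file status import invoked
2020-10-01 10:02:14,221 INFO  contexthub - Imported File status successfully
2020-10-01 10:03:02,118 INFO  contexthub - certificate status import invoked
2020-10-01 10:03:02,901 ERROR contexthub - import aborted: unexpected end of JSON input
"""

# Matches the assumed "<date> <time> <LEVEL>" prefix of each line.
LEVEL_RE = re.compile(r"^\S+ \S+ (?P<level>[A-Z]+)\s+")


def import_status(log_text):
    """Return {'file': bool, 'certificate': bool, 'errors': [lines]}.
    An import counts as done only when its exact success message appears;
    ERROR lines are collected so that a failed import is not mistaken for
    one that is still running."""
    result = {kind: False for kind in SUCCESS_MESSAGES}
    result["errors"] = []
    for line in log_text.splitlines():
        for kind, message in SUCCESS_MESSAGES.items():
            if message in line:
                result[kind] = True
        match = LEVEL_RE.match(line)
        if match and match.group("level") == "ERROR":
            result["errors"].append(line.strip())
    return result


def check_log_file(path=LOG_PATH):
    """Read the real log on the ESA Primary host and report import status."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return import_status(fh.read())


if __name__ == "__main__":
    status = import_status(SAMPLE_LOG)
    for kind in SUCCESS_MESSAGES:
        print(f"{kind} status import: {'done' if status[kind] else 'NOT finished'}")
    for line in status["errors"]:
        print("error:", line)
```

Run it with check_log_file() on the ESA Primary host after the invoke commands; if an import is reported as not finished and errors are listed, open a case with RSA NetWitness Support as the article advises.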




If there are any issues, please open a case with RSA NetWitness Support.
 

To Unblock any Imported 4.4.0.x Blocked Files




offline >> login
user: admin
password: ********
admin@offline >> connect --service contexthub-server
INFO: Connected to contexthub-server (e8127f7-df21-3e32-aa12-abc12a233498f)
admin@contexthub-server:Folder:/rsa >>



admin@contexthub-server:Folder:/rsa >> cd contexthub/file/status/unblock
admin@contexthub-server:Folder:/rsa/contexthub/file/status/unblock >> invoke <checksum of blocked file>

 

Set Up Other RSA NetWitness Endpoint 4.4.0.x Configuration


The following configurations must be set up manually.

  • (Optional) Deploy Blacklisted IP addresses and other feeds that are relevant for your deployment from RSA Live through the RSA NetWitness Platform user interface.
  • (Optional) For any other external threat feeds, such as blacklisted IP address, domain, and checksum, that you may want to use to tag endpoint metadata, see the "Create a Custom Feed" topic in the Live Services Management Guide for RSA NetWitness Platform 11.x.
    For example, to notify an analyst about any communication from a host or file to a certain blacklisted IP address, domain, or hash, create a feed on the Log Decoder, and tag appropriate sessions for investigation and alerting. For more information, see the Decoder and Log Decoder Configuration Guide for RSA NetWitness Platform 11.x.
  • (Optional) Review custom IIOCs and write Endpoint rules. For more information, see the "Custom Endpoint Rule for Risk Scoring" topic in the RSA NetWitness Endpoint Configuration Guide.
