RSA NetWitness® Platform Online Documentation

Browse the official RSA NetWitness Platform Online documentation for helpful tutorials, step-by-step instructions, and other valuable resources.
This topic contains the tasks you complete after you install 11.4.

  • General
  • RSA NetWitness Endpoint
  • RSA NetWitness UEBA
  • Federal Information Processing Standard (FIPS) Enablement
  • Deployment Options

Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents.

General

General tasks apply to all customers regardless of the NetWitness components you deploy.

(Optional) Task 1 - Re-Configure DNS Servers Post 11.4

On the NetWitness Server, complete the following steps to re-configure the DNS servers in NetWitness Platform 11.4.

  1. Log in to the server host with your root credentials.
  2. Edit the /etc/netwitness/platform/resolv.dnsmasq file:

    1. Replace the IP address corresponding to nameserver.
      If you need to replace both DNS servers, replace the IP entries for both hosts with valid addresses.

      The following example shows both DNS entries.

      [Screenshot: resolv.dnsmasq with both nameserver entries]

      The following example shows the new DNS values.

      [Screenshot: resolv.dnsmasq with the new nameserver values]

    2. Save the /etc/netwitness/platform/resolv.dnsmasq file.
    3. Restart the internal DNS by running the following command:
      systemctl restart dnsmasq
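The steps above edit resolv.dnsmasq by hand. The script below is an added example and not part of the RSA guide: it rewrites the nameserver lines of a dnsmasq-style resolv file from the command line and refuses malformed addresses before the file is touched, since a bad entry here takes internal name resolution down as soon as dnsmasq restarts. The function names and the 192.0.2.x addresses are this example's own; the file path and the systemctl restart dnsmasq command are the ones the guide gives.

```shell
#!/bin/sh
# Added example (not from the RSA guide): rewrite the nameserver lines of a
# dnsmasq-style resolv file with validated addresses. Function names and the
# 192.0.2.x sample addresses are this example's own.

# is_ipv4 ADDR -> 0 when ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# rewrite_nameservers FILE ADDR... -> replaces every nameserver line in FILE
# with one line per ADDR, in order; all other lines (comments, search,
# options) are kept. Nothing is written unless every ADDR validates.
rewrite_nameservers() {
    file=$1
    shift
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    [ $# -ge 1 ] || { echo "at least one nameserver address is required" >&2; return 1; }
    for addr in "$@"; do
        is_ipv4 "$addr" || { echo "invalid IPv4 address: $addr" >&2; return 1; }
    done
    tmp="$file.tmp.$$"
    # keep everything that is not a nameserver line
    grep -v '^nameserver[[:space:]]' "$file" > "$tmp" || true
    for addr in "$@"; do
        printf 'nameserver %s\n' "$addr" >> "$tmp"
    done
    mv "$tmp" "$file"
}

# count_nameservers FILE -> prints the number of nameserver lines in FILE
count_nameservers() {
    grep -c '^nameserver[[:space:]]' "$1" || true
}

# Usage on the NetWitness Server (the path and the restart command are the
# guide's; the addresses are placeholders):
#   rewrite_nameservers /etc/netwitness/platform/resolv.dnsmasq 192.0.2.10 192.0.2.11 \
#       && systemctl restart dnsmasq
```

Because the rewrite is all-or-nothing, a typo in the second address leaves the file exactly as it was, and the restart can be chained with && so dnsmasq is only restarted after a successful rewrite.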

Task 2 - Update HIVE Version

If you already installed customized HIVE RPMs in 11.2.1 or later, you can skip this task.

After you update to 11.4, you must update to the HIVE version that is compatible with the 11.4 Warehouse (either HIVE version 0.12 or version 1.0). To install the latest HIVE version, run the following commands on the NW Server and then restart the Reporting Engine service.

Download the latest HIVE RPMs from https://community.rsa.com/docs/DOC-109473.

  • To install HIVE version 0.12, run the following command:
    rpm -ivh rsa-nw-hive-jdbc-0.12.0-1.x86_64.rpm
  • To install HIVE version 1.0, run the following command:
    rpm -ivh rsa-nw-hive-jdbc-1.0.0-1.x86_64.rpm

Install NetWitness Endpoint

The tasks in this section only apply to customers that use the RSA NetWitness Endpoint component of NetWitness Platform.

Install Endpoint Log Hybrid

Depending on the number of agents and the location of the agents, you can choose to deploy a single Endpoint Log Hybrid host or multiple Endpoint Log Hybrid hosts. To deploy a host, you provision it and install a category on it.

  • Single Endpoint Log Hybrid host - Deploy a NetWitness Server host, an Endpoint Log Hybrid host, and an ESA host or hosts.

  • Multiple Endpoint Log Hybrid hosts - Deploy a NetWitness Server host, an ESA host or hosts, and Endpoint Log Hybrid hosts. For a consolidated view of all endpoint data from multiple Endpoint Log Hybrid hosts, install the Endpoint Broker.

    RSA recommends that you co-locate the Endpoint Broker on the NetWitness Broker host. However, you can deploy the Endpoint Broker on a separate host or co-locate it on the Endpoint Log Hybrid.

    You must plan to scale your ESA deployment to support multiple Endpoint Log Hybrid hosts.

To deploy an Endpoint Log Hybrid host:

  1. For:

    • A physical host, complete steps 1 - 14 under "Task 2 - Install 11.4 on Other Component Hosts" under "Installation Tasks" in the Physical Host Installation Guide for NetWitness Platform 11.4.
    • A virtual host, complete steps 1 - 15 under "Task 2 - Install 11.4 on Other Component Hosts" under "Step 4. Install RSA NetWitness Platform" in the Virtual Host Installation Guide for NetWitness Platform 11.4.
  2. Log into NetWitness Platform and click ADMIN > Hosts.

    The New Hosts dialog is displayed with the Hosts view grayed out in the background.

    If the New Hosts dialog is not displayed, click Discover in the Hosts view toolbar.

  3. Select the host in the New Hosts dialog and click Enable.

    The New Hosts dialog closes and the host is displayed in the Hosts view.

  4. Select that host in the Hosts view (for example, Endpoint) and click the Install icon.

    The Install Services dialog is displayed.

  5. Select the Endpoint Log Hybrid category and click Install.

    [Screenshot: Install Services dialog with Endpoint Log Hybrid selected]

  6. Make sure that the Endpoint Log Hybrid service is running.
  7. Configure Endpoint Meta forwarding.

    See Endpoint Configuration Guide for instructions on how to configure Endpoint Meta forwarding.

  8. Deploy the ESA Rules from the Endpoint Rule Bundle. For more information, see "Deploy Endpoint Risk Scoring Rules on ESA" section in the ESA Configuration Guide.

    The Endpoint IIOCs are available as OOTB Endpoint Application rules.

  9. Review the default policies and create groups to manage your agents. See Endpoint Configuration Guide.

    In 11.3 or later, agents can operate in Insights or Advanced mode depending on the policy configuration. The default policy enables the agent in an advanced mode. If you want to continue to use the Insights agent, before updating, review the policy, and make sure that the Agent mode is set to Insights.

  10. Install the Endpoint Agent. You can install an Insights (free version) or an Advanced agent (licensed). See Endpoint Agent Installation Guide for detailed instructions on how to install the agent.

    You can migrate the Endpoint Agent from 4.4.0.x to 11.4. For more information, see the NetWitness Endpoint 4.4.0.x to NetWitness Platform 11.4 Migration Guide.

Configure Multiple Endpoint Log Hybrid Hosts

To install another Endpoint Log Hybrid host:

  1. For:

    • A physical host, complete steps 1 - 14 under "Task 2 - Install 11.4 on Other Component Hosts" under "Installation Tasks" in the Physical Host Installation Guide for NetWitness Platform 11.4.
    • A virtual host, complete steps 1 - 15 under "Task 2 - Install 11.4 on Other Component Hosts" under "Step 4. Install RSA NetWitness Platform" in the Virtual Host Installation Guide for NetWitness Platform 11.4.
  2. Create the directory: mkdir -p /etc/pki/nw/nwe-ca
  3. Copy the following certificates from the first Endpoint Log Hybrid to the second Endpoint Log Hybrid:

    RSA recommends that you copy the certificates from the Endpoint Log Hybrid to the secondary Endpoint Log Hybrid (CentOS to Windows) using the SCP command, to avoid any corruption caused by antivirus or third-party tools.

    /etc/pki/nw/nwe-ca/nwerootca-cert.pem

    /etc/pki/nw/nwe-ca/nwerootca-key.pem

  4. Log into NetWitness Platform and click ADMIN > Hosts.
  5. Repeat steps 1 - 5 under "Task 3 - Install Endpoint Log Hybrid" in the Virtual Host Installation Guide for NetWitness Platform 11.4 to add more Endpoint Log Hybrids.

Configure an Endpoint Service on an Existing Log Decoder Host

You can install an Endpoint service category on an existing Log Decoder host. For an overview of installing service categories on hosts, see "Hosts and Services Set Up Procedures" in the Host and Services Getting Started Guide. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents.

  • If you have an existing Endpoint Log Hybrid, you must copy the certificates from that Endpoint Log Hybrid host to the Log Decoder before you install the Endpoint service category on the Log Decoder.
  • If you do not have an Endpoint Log Hybrid host, you do not need to copy the certificates before you install the Endpoint service category on the Log Decoder.

Do You Need to Install an Endpoint Service onto Separate Hardware

If you are only using NetWitness Platform for collecting and analyzing logs, you can co-locate your Endpoint Log Hybrid Server on the same physical hardware as your Log Decoder. However, note the following guidelines for this configuration:

  • RSA recommends a maximum of 10,000 (ten thousand) Endpoint Agents.
  • RSA recommends a maximum scan frequency of Weekly.

If you exceed either of these guidelines, disk usage and CPU load might become high enough to raise alarms for your Endpoint Server in Health and Wellness. If you notice this, and are running both log collection and EDR scans, you can use Throttling to control the amount of data coming into the Log Decoder.

If that doesn't help, RSA recommends that you move your Endpoint Log Hybrid Server onto separate hardware from that used by your Log Decoder.

Install an Endpoint Service Category on an Existing Log Decoder

To install an Endpoint service category on an existing Log Decoder if you have an existing Endpoint Log Hybrid:

  1. Create the directory: mkdir -p /etc/pki/nw/nwe-ca
  2. Copy the following certificates from the first Endpoint Log Hybrid to the Log Decoder on which you are going to install the additional Endpoint service category.

    RSA recommends that you copy the certificates from the Endpoint Log Hybrid to the secondary Endpoint Log Hybrid using the SCP command, to avoid any corruption caused by antivirus or third-party tools.

    /etc/pki/nw/nwe-ca/nwerootca-cert.pem

    /etc/pki/nw/nwe-ca/nwerootca-key.pem

  3. Log into NetWitness Platform and click ADMIN > Hosts.
  4. Select the Log Decoder host in the Hosts view and click the Install icon.

    The Install Services dialog is displayed.

  5. Select the Endpoint category and click Install.

    [Screenshot: Install Services dialog with Endpoint selected for the Log Decoder host]
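Both certificate-copy steps above (to a second Endpoint Log Hybrid, and to a Log Decoder that will host the Endpoint service) recommend scp to avoid corruption. The script below is an added example, not part of the RSA guide, that finishes that step with a check: it compares SHA-256 digests of the CA certificate and key on the source and destination, and confirms that the copied private key is readable only by its owner. The file names and the /etc/pki/nw/nwe-ca path are the ones the guide lists; the function names, the assumption of root ssh access between the two hosts, and the checksum and permission checks are this example's own.

```shell
#!/bin/sh
# Added example (not from the RSA guide): copy the NetWitness Endpoint CA
# pair between hosts with scp and verify the result. File names and the
# /etc/pki/nw/nwe-ca path come from the guide; everything else is assumed.

NWE_CA_DIR=/etc/pki/nw/nwe-ca
NWE_CA_FILES="nwerootca-cert.pem nwerootca-key.pem"

# hash_file FILE -> prints the SHA-256 digest of FILE
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# key_is_private FILE -> 0 when FILE has no group or other permission bits
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# verify_nwe_ca SRC_DIR DST_DIR -> 0 when every CA file exists in both
# directories with identical digests and the key in DST_DIR is owner-only.
# Works on plain directories, so it can run on local copies or in a test.
verify_nwe_ca() {
    src=$1
    dst=$2
    for f in $NWE_CA_FILES; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        [ -f "$dst/$f" ] || { echo "missing $dst/$f" >&2; return 1; }
        [ "$(hash_file "$src/$f")" = "$(hash_file "$dst/$f")" ] \
            || { echo "digest mismatch after copy: $f" >&2; return 1; }
    done
    key_is_private "$dst/nwerootca-key.pem" \
        || { echo "nwerootca-key.pem is readable by group or others" >&2; return 1; }
    return 0
}

# copy_nwe_ca SRC_HOST DST_HOST: copies the CA pair from SRC_HOST to
# DST_HOST over scp (assumes root ssh access to both), then compares the
# digests computed on each host. Not exercised offline.
copy_nwe_ca() {
    src_host=$1
    dst_host=$2
    ssh "root@$dst_host" "mkdir -p $NWE_CA_DIR" || return 1
    for f in $NWE_CA_FILES; do
        scp -p "root@$src_host:$NWE_CA_DIR/$f" "root@$dst_host:$NWE_CA_DIR/$f" || return 1
    done
    for f in $NWE_CA_FILES; do
        a=$(ssh "root@$src_host" "sha256sum $NWE_CA_DIR/$f | cut -d' ' -f1")
        b=$(ssh "root@$dst_host" "sha256sum $NWE_CA_DIR/$f | cut -d' ' -f1")
        [ -n "$a" ] && [ "$a" = "$b" ] || { echo "digest mismatch for $f" >&2; return 1; }
    done
    ssh "root@$dst_host" "chmod 600 $NWE_CA_DIR/nwerootca-key.pem"
}

# Usage (host names are placeholders):
#   copy_nwe_ca elh-primary.example.test elh-secondary.example.test
```

The digest comparison catches exactly the silent corruption the guide warns about (an antivirus or transfer tool altering the PEM in transit), and the permission check matters because nwerootca-key.pem is the private key of the Endpoint CA: any service that trusts that CA trusts whoever can read the key.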

To install an Endpoint service category on an existing Log Decoder if you do not have an existing Endpoint Log Hybrid:

  1. Log into NetWitness Platform and click ADMIN > Hosts.
  2. Select the Log Decoder host in the Hosts view and click the Install icon.

    The Install Services dialog is displayed.

  3. Select the Endpoint category and click Install.

    [Screenshot: Install Services dialog with Endpoint selected for the Log Decoder host]

Install NetWitness UEBA

The tasks in this section only apply to customers that use the RSA NetWitness UEBA component of NetWitness Platform.

Install UEBA

To set up NetWitness UEBA in NetWitness Platform 11.4, you must install and configure the NetWitness UEBA service.

The following procedure shows you how to install the NetWitness UEBA service on a NetWitness UEBA Host Type and configure the service.

  1. For:
    • A physical host, complete steps 1 - 14 under "Task 2 - Install 11.4 on Other Component Hosts" under "Installation Tasks" in the Physical Host Installation Guide for NetWitness Platform 11.4.
    • A virtual host, complete steps 1 - 15 under "Task 2 - Install 11.4 on Other Component Hosts" under "Installation Tasks" in the Virtual Host Installation Guide for NetWitness Platform 11.4.

    The Kibana and Airflow webserver User Interface password is the same as the deploy admin password. Make sure that you record this password and store it in a safe location.

  2. Log into NetWitness Platform and go to ADMIN > Hosts.
    The New Hosts dialog is displayed with the Hosts view grayed out in the background.

    If the New Hosts dialog is not displayed, click Discover in the Hosts view toolbar.

  3. Select the host in the New Hosts dialog and click Enable.
    The New Hosts dialog closes and the host is displayed in the Hosts view.
  4. Select that host in the Hosts view (for example, UEBA) and click the Install icon.
    The Install Services dialog is displayed.
  5. Select the UEBA Host Type and click Install.
    [Screenshot: Install Services dialog with UEBA selected]
  6. Make sure that the UEBA service is running.

  7. Complete licensing requirements for NetWitness UEBA.
    See the Licensing Management Guide for more information.

    NetWitness Platform supports the User and Entity Behavior Analytics (UEBA) License. This license is metered by the number of users. The Out-of-the-Box Trial License is a 90-day trial license; for UEBA licenses, the 90-day trial period begins when the UEBA service is deployed on NetWitness Platform.

Configure UEBA

  1. You must update the parallelism property value to 256 by running the following command on the UEBA instance:
    sed -i "s| parallelism = 32| parallelism = 256|g" /var/netwitness/presidio/airflow/airflow.cfg
  2. You need to configure a data source (Broker or Concentrator), historical data collection start date, and data schemas.

    Important: If your deployment has multiple Concentrators, RSA recommends that you assign the Broker at the top of your deployment hierarchy for the NetWitness UEBA data source.

    1. Determine the earliest date in the NWDB of the data schema you plan to choose (AUTHENTICATION, FILE, ACTIVE_DIRECTORY, PROCESS, REGISTRY, and TLS, or any combination of these schemas) to specify in startTime in step c. If you plan to specify multiple schemas, use the earliest date among all the schemas. If you are not sure which data schema to choose, you can specify all of the data schemas (that is, AUTHENTICATION, FILE, ACTIVE_DIRECTORY, PROCESS, REGISTRY, and TLS) to have UEBA adjust the models it can support based on the Windows logs available. You can use one of the following methods to determine the data source date.
      • Use the Data Retention date (that is, if the Data Retention duration is 48 hours, startTime = <48 hours earlier than the current time>).
      • Search the NWDB for the earliest date.
    2. Create a user account on the data source (Broker or Concentrator) that UEBA uses to authenticate to the data source.

      1. Log into NetWitness Platform.

      2. Go to Admin > Services.

      3. Locate the data source service (Broker or Concentrator).

        Select that service, and select Actions > View > Security.

      4. Create a new user and assign the “Analysts” role to that user.
        The following example shows a user account created for a Broker.

        If the NetWitness Respond server is configured in NetWitness Platform 11.4, you can forward the NetWitness UEBA indicators to the NetWitness Respond server and to the correlation server to create incidents.

        To enable the UEBA indicator forwarder, run the following command on the UEBA server as root or presidio user:

        curl -X PATCH http://localhost:8881/configuration -H 'content-type: application/json' -d '{"operations":[{"op":"replace","path":"/outputForwarding/enableForwarding","value":true}]}'

        To view the incidents in Respond, follow these steps:

        1. Login to NetWitness Platform.
        2. Navigate to Configure > INCIDENT RULES.
        3. Select the User Entity Behavior Analytics rule checkbox.


    3. SSH to the NetWitness UEBA server host.
    4. If you want to use UEBA for network (packet) analysis, do the following:

      Add the Hunting Pack

      In NetWitness Platform, add the Hunting Pack or verify that it is already available:

      1. Log in to NetWitness Platform.
      2. Navigate to ADMIN and select Admin Server.
      3. Click the actions menu and select Configure > Live Content.


      1. On the left menu, select the following:
        1. Bundle under Resources Type.
        2. Packet under Medium
      2. Click Search.
        A list of matching resources is displayed.
      3. Select Hunting Pack from the list and click Deploy.
        The hunting pack is added.

      Add JA3 and JA3s

      The JA3 and JA3s fields are supported by the Network Decoder only from version 11.3.1, so verify that your Network Decoder has been upgraded to that version.

      To add JA3 and JA3s:

      1. Log in to NetWitness Platform.
      2. Navigate to ADMIN and select Decoder.
      3. Navigate to /decoder/parsers/config/parsers.options.
      4. Add HTTPS="ja3=true ja3s=true".
        The JA3 and JA3s fields are configured.


    5. Submit the following commands.

      /opt/rsa/saTools/bin/ueba-server-config -u <user> -p <password> -h <host> -o <type> -t <startTime> -s <schemas> -v -e

      Where:

      -u <user>
        User name of the credentials for the Broker or Concentrator instance that you are using as a data source.
      -p <password>
        Password of the credentials for the Broker or Concentrator instance that you are using as a data source. The following special characters are supported in a password:
        !"#$%&()*+,-:;<=>?@[\]^_`\{|}
        If the password includes one or more special characters, you must enclose it in single quotes (apostrophes), for example:
        sh /opt/rsa/saTools/bin/ueba-server-config -u brokeruser -p '!"UHfz?@ExMn#$' -h 10.64.153.104 -t 2018-08-01T00:00:00Z -s 'AUTHENTICATION FILE ACTIVE_DIRECTORY TLS PROCESS REGISTRY' -o broker -v
      -h <host>
        IP address of the Broker or Concentrator used as the data source. Currently, only one data source is supported.
      -o <type>
        Data source host type (broker or concentrator).
      -t <startTime>
        Historical start time from which data collection from the data source begins, in YYYY-MM-DDTHH:MM:SSZ format (for example, 2018-08-15T00:00:00Z).
        The script interprets the time you enter as UTC (Coordinated Universal Time) and does not adjust it to your local time zone.
      -s <schemas>
        Array of data schemas. To specify multiple schemas, separate them with a space (for example, 'AUTHENTICATION FILE ACTIVE_DIRECTORY PROCESS REGISTRY' and 'TLS').
        If you specify all six data schemas (that is, AUTHENTICATION, FILE, ACTIVE_DIRECTORY, PROCESS, REGISTRY, and TLS), UEBA adjusts the models it can support based on the Windows logs available.
      -v
        Verbose mode.
      -e
        Boolean argument. Enables the UEBA indicator forwarder to Respond.
        If the Respond server is configured in NetWitness Platform, you can forward the NetWitness UEBA indicators to the Respond server and to the correlation server to create incidents.

  3. Complete NetWitness UEBA configuration according to the needs of your organization.
    See the NetWitness UEBA User Guide for more information.
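The following POSIX shell helper is an added example, not part of the RSA documentation or of the ueba-server-config tool: it checks the -s schema list, the -t UTC timestamp format and the -o host type described in step 5, derives a startTime from a Data Retention window, and prints the single-quoted command line so that special characters in the password reach the script unchanged. It assumes GNU date on the UEBA host.

```shell
#!/bin/sh
# Added helper, not part of the RSA documentation or of ueba-server-config:
# validates the arguments described above and prints the command to run.
# Assumes GNU date (as on the UEBA host) for start_time_from_retention.

# The six data schemas the documentation lists for -s.
UEBA_SCHEMAS="AUTHENTICATION FILE ACTIVE_DIRECTORY PROCESS REGISTRY TLS"

# Returns 0 if every space-separated word in $1 is a known schema, 1 otherwise.
validate_schemas() {
    [ -n "$1" ] || return 1
    for s in $1; do
        case " $UEBA_SCHEMAS " in
            *" $s "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Returns 0 if $1 has the UTC form YYYY-MM-DDTHH:MM:SSZ that -t expects.
validate_start_time() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$'
}

# Prints a startTime $1 hours before now, in UTC (the Data Retention method:
# a 48-hour retention gives start_time_from_retention 48).
start_time_from_retention() {
    date -u -d "-$1 hours" '+%Y-%m-%dT%H:%M:%SZ'
}

# Prints the ueba-server-config command line without executing it.
# The password is single-quoted, with any embedded apostrophe written as '\'',
# so the special characters the documentation allows reach the script intact.
build_ueba_config_cmd() {
    user=$1 pass=$2 host=$3 type=$4 start=$5 schemas=$6 forward=$7
    validate_schemas "$schemas" || { echo "unknown schema in: $schemas" >&2; return 1; }
    validate_start_time "$start" || { echo "bad startTime (UTC expected): $start" >&2; return 1; }
    case $type in broker|concentrator) ;; *) echo "bad -o type: $type" >&2; return 1 ;; esac
    quoted_pass=$(printf '%s' "$pass" | sed "s/'/'\\\\''/g")
    fwd=""
    [ "$forward" = yes ] && fwd=" -e"
    printf "/opt/rsa/saTools/bin/ueba-server-config -u %s -p '%s' -h %s -o %s -t %s -s '%s' -v%s\n" \
        "$user" "$quoted_pass" "$host" "$type" "$start" "$schemas" "$fwd"
}
```

Run the printed command on the UEBA host after reviewing it; pass yes as the last argument to include -e when Respond forwarding is wanted.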

If NetWitness Endpoint Server is configured, you can view the alerts associated with the Process and Registry data schemas.

Set up Permission

If you have installed UEBA, you need to assign the UEBA_Analysts and Analysts roles to the UEBA users. For more information, see System Security and User Management Guide.

After this configuration, UEBA users can access the Investigate > Users view.

Federal Information Processing Standard (FIPS) Enablement

Task 9 - Enable FIPS Mode

Federal Information Processing Standard (FIPS) is enabled on all services except Log Collector, Log Decoder, and Decoder. FIPS cannot be disabled on any services except Log Collector, Log Decoder, and Decoder.

Deployment Options

NetWitness Platform has the following deployment options. See the NetWitness Deployment Guide for detailed instructions on how to deploy these options.

  • Analyst User Interface - gives you access to a subset of features in the NetWitness Platform UI that you can set up in individual locations when you deploy NetWitness Platform in multiple locations. It is designed to reduce latency and improve the performance that can occur when accessing all functionality from the Primary User Interface on the NW Server Host (Primary UI).
  • Group Aggregation - configures multiple Archiver or Concentrator services as a group and shares the aggregation tasks between them.
  • Health & Wellness Search (Beta Version for Standalone Virtual Host Only) - deploys the Health & Wellness Search (Beta) version on a dedicated, virtual host. It includes Elasticsearch, Kibana, and Metrics Server and enables all hosts in your deployment to start sending metrics to Elasticsearch.
  • Hybrid Categories on Series 6 (R640) Hardware - installs Hybrid Categories such as Log Hybrid and Network (Packet) Hybrid service categories on a Series 6 (R640) Physical host. This gives you the ability to attach multiple PowerVault external storage devices to the Series 6 (R640) Physical host.
  • NW Server Deployment on ESA Hardware - installs the NW Server host on RSA Series 5 and Series 6 Analytics hardware. The Series 6 Analytics Hardware has more memory and storage capacity than the standard Core appliance on which NW Server has typically been deployed. This results in better overall responsiveness and larger retention capacity for Report Engine.
  • Second Endpoint Server - deploys a second Endpoint Server.
  • Warm Standby NW Server - duplicates the critical components and configurations of your active NW Server Host to increase reliability.
