What are the planning considerations for the Cloud Link Service

Before you install the Cloud Link Service, you must plan for the following:

  • The NetWitness Platform (Log Decoder Host) is on version 11.5.2 or later
  • Ensure you have at least 8 GB of memory on your host
  • Ensure that the system clock is accurate. To fix the system clock, configure the NTP server on the Admin server. For more information on how to configure the NTP server, see Configure NTP Servers
  • Ensure you have administrator access to the NetWitness Platform on the cloud user interface
  • If you have an existing on-premise UEBA host deployed in your environment, you must remove the host from the Admin server and stop the airflow-scheduler service on the UEBA host
  • The host on which the Cloud Link Service will be installed needs to be connected to Amazon Web Services (AWS). This might require changes to your existing firewall rules. Hosts will need to connect to the IP ranges for the chosen deployment region. For more information on the current list of AWS IPs by region, see AWS IP address ranges
  • Open TCP port 443 to allow outbound network traffic
  • Ensure you have configured the Azure Monitor plugin in your deployment. This enables Detect AI to run a query for Azure AD log events for monitoring purposes in the correct format. For more information on how to configure the Azure Monitor plugin, see the Azure Monitor Event Source Configuration Guide
  • If you have UEBA deployed on your on-premise NetWitness Platform, you can install Detect AI and run both simultaneously. For more information, see How to Install Detect AI with an existing on-premise UEBA
  • (Optional) Ensure that you configure the proxy settings from NetWitness Platform version 11.5.3 or later, before installing the Cloud Link Service. For more information, see How to configure the proxy for the Cloud Link Service
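
The firewall item above can be checked before installation. The following is an added example, not part of the NetWitness documentation: it compares an outbound TCP 443 allowlist against the prefixes AWS publishes for one region in its ip-ranges.json format. The region names, the allowlist entries and the sample prefixes are constructed assumptions; only IPv4 entries are handled.

```python
import ipaddress
import json

# Constructed excerpt in the layout of AWS's published ip-ranges.json.
# The prefixes are documentation ranges, not real AWS addresses.
SAMPLE_IP_RANGES = json.loads("""
{"prefixes": [
  {"ip_prefix": "198.51.100.0/25",   "region": "us-east-1", "service": "AMAZON"},
  {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "EC2"},
  {"ip_prefix": "203.0.113.0/24",    "region": "us-east-1", "service": "S3"},
  {"ip_prefix": "192.0.2.0/24",      "region": "eu-west-1", "service": "AMAZON"}
]}
""")


def region_prefixes(ip_ranges, region):
    """Return the sorted, de-duplicated IPv4 prefixes published for a region."""
    return sorted({
        ipaddress.ip_network(entry["ip_prefix"])
        for entry in ip_ranges["prefixes"]
        if entry["region"] == region
    })


def uncovered(required, allowed_cidrs):
    """Return the required prefixes that the egress allowlist does not fully contain.

    Adjacent allowlist entries are merged first, so two /25 rules count as
    covering the /24 they add up to. allowed_cidrs must be IPv4 CIDR strings.
    """
    allowed = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(cidr) for cidr in allowed_cidrs))
    return [net for net in required
            if not any(net.subnet_of(rule) for rule in allowed)]


if __name__ == "__main__":
    # Hypothetical current outbound TCP 443 allowlist on the perimeter firewall.
    egress_443_allowlist = ["198.51.100.0/24"]
    needed = region_prefixes(SAMPLE_IP_RANGES, "us-east-1")
    for gap in uncovered(needed, egress_443_allowlist):
        print(f"missing outbound TCP 443 rule for {gap}")
```

Because AWS updates its published ranges, rerun the comparison against a fresh copy of the file whenever the firewall rules are reviewed.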

To understand the deployment of the Cloud Link Service, see How the Cloud Link Service works

Note: Data is fetched only from the host (for example, Log Decoder) on which the Cloud Link Service is installed.

You can install Cloud Link Service on the following hosts:

Model Category
Cloud (AWS, Azure, GCP)
Log Hybrid
Log Decoder
Endpoint Log Hybrid
Log Hybrid Retention
Virtual Log Decoder
Virtual Log Hybrid

© 2020 RSA Security LLC or its affiliates. All Rights Reserved.