1 - Install Insight Sensor

Provides information about how to install Insight Sensor on Packet Decoder.

You must install the Insight sensor on every Packet Decoder host to capture the network metadata and transfer them to the NetWitness Cloud. If you have multiple hosts, you need to install and configure the Insight sensor on every Packet Decoder host.

Supported Hosts

  • Packet Decoder
  • Packet Hybrid

Prerequisities

  • Ensure that the NetWitness Platform and the host (Packet Decoder) are on version 12.3 or later.
  • Ensure to consider proxy and decryption requirements when setting up an Insight Sensor. For more information, see Planning Requirements.

Note

You need a separate Insight Sensor to be installed for each Packet Decoder host.

Step 1. Install the Insight Sensor on Packet Decoder
Step 2. Download the Activation Package
Step 3. Register the Insight Sensor

Step 1: Install the Insight Sensor on Packet Decoder

  1. Log in to the NetWitness Platform as an administrator and go to admin icon Admin > Hosts.

    The Hosts view is displayed.

  2. Select the Packet Hybrid and click install button.

    A dialog listing all the services already installed on this host is displayed and seeks your confirmation if you want to install a new service.

  3. Click Yes.

    The Install Services dialog is displayed.

  4. Select NetWitness Insight from the Category drop-down menu, and click Install.

    how to install Insight sensor on Packet Decoder

  5. Go to admin icon Admin > Services to verify successful Insight installation.

Step 2: Download the Activation Package

The activation package contains the credentials and configurations for the Insight sensor to register with NetWitness.

  1. Log in to the NetWitness Cloud Portal.

  2. Go to admin icon Admin > Sensors > Downloads.

  3. Click the Insight tab.

    how to download activation package for registering sensors

  4. Under Activation Package, click download icon to download the activation package.

Step 3: Register the Insight Sensor

Note

  • The same activation package can be used to register multiple sensors.
  • Ensure you use the most recently downloaded activation package.
  • If the activation package is not available, generate a new one.
  • The activation package contains sensitive information, you must handle it carefully and don’t share it with anyone.

  1. SSH to the Packet Decoder Host.
  2. Copy the device-activation-package.json file downloaded from the NetWitness Cloud Portal to the /etc/netwitness/ng directory on the Packet Decoder host.
  3. Navigate to the following directory by running the command:
    cd /etc/netwitness/ng
    
  4. Change the user and group of the device-activation-package.json file to netwitness by executing the following command:
    chown netwitness:netwitness device-activation-package.json
    
  5. To verify if the Insight Sensor is installed successfully, log in to the NetWitness Cloud Portal, and go to Sensor List and check if the sensor type appears as Insight with status Connected.

Important

There could be 10 minutes delay before the sensor status is updated correctly. For example, Registered to Connected or Connected to Disconnected.

  1. Log in to the NetWitness Platform.

  2. Navigate to admin icon Admin > Services view.

  3. In the Services list, select the decoder containing the NetWitness Insight service and then click Admin icon > View > System and check if the decoder is capturing the data:

    • If the decoder is not capturing data, you must start data capture if you want data collected by this decoder to be part of Insight.
  4. Navigate to the Explore view of the decoder containing the NetWitness Insight service. In the left panel, click cloud > config, set the parameter Aggregate Hours (aggregate.hours) from 0 to 24, and restart the NetWitness Insight service.

    This step ensures that only the latest network traffic from the past 24 hours is uploaded to NetWitness Cloud, avoiding unnecessary analytics processing delays.

    View network behavior panel for assets

Important

  • Asset information is collected throughout the day and uploaded every hour.
  • NetWitness recommends that you do not change the configuration for daily data upload intervals. Changing this setting can affect the performance of your system.

See also

2 - Install the Cloud Connector Sensor

Provides information about how to install the Cloud Connector Sensor.

Cloud Connector Sensor is a new on-premises service that is installed on the Admin Server and registers as a sensor that provides a gateway to fetch the data from the NetWitness Cloud and transfer the data to the on-premises NetWitness Platform for further analysis and investigation.

Prerequisites

Ensure that the NetWitness Platform and the host (Admin Server) are on version 12.3 or later.

Note

Every customer needs to install only one Cloud Connector Sensor in their environment.

Step 1. Install the Cloud Connector Sensor
Step 2. Download the Activation Package
Step 3. Register the Sensor

Step 1: Install the Cloud Connector Sensor

  1. Log in to the NetWitness Platform as an administrator and go to admin icon Admin > Hosts.

    The Hosts view is displayed.

  2. Select the host (Admin Server) and click install button.

    A dialog listing all the services already installed on this host is displayed and seeks your confirmation if you want to install a new service.

  3. Click Yes.

    The Install Services dialog is displayed.

  4. Select the Cloud Connector Service from the Category drop-down menu, and click Install.

    how to install the cloud connector sensor

  5. Go to admin icon Admin > Services to verify successful Cloud Connector Service installation.

Step 2: Download the Activation package

The activation package contains the credentials and configurations for the Cloud Connector sensor to register with NetWitness.

  1. Log in to the NetWitness Cloud Portal.

  2. Go to admin icon Admin > Sensors > Sensor Downloads.

  3. Click the Cloud Connector tab.

    how to download activation package for registering sensors

  4. Under Activation Package, click download icon to download the activation package.

Step 3: Register the Sensor

You need to copy the Activation Package to the Cloud Connector sensor directory to complete the registration of the sensor.

Note

  • The same activation package can be used to register multiple sensors.
  • Ensure you use the most recently downloaded activation package.
  • If the activation package is not available, generate a new one.
  • The activation package contains sensitive information, you must handle it carefully and don’t share it with anyone.

  1. SSH to the host on which the Cloud Connector Sensor is installed.

  2. Copy the device-activation-package.json file downloaded from the NetWitness Cloud Portal to the /var/lib/netwitness/cloud-connector-server directory on the Cloud Connector Service host.

  3. Navigate to the following directory, by running the command:

    cd /var/lib/netwitness/cloud-connector-server
    
  4. Change the user and group of the device-activation-package.json file to netwitness by executing the following command:

    chown netwitness:netwitness device-activation-package.json
    
  5. To verify if Cloud Connector Sensor is connected successfully, log in to the NetWitness Cloud Portal, and go to Sensor List and check if the sensor appears as Cloud Connector with connected status.

See also

Install Insight Sensor

3 - Uninstall Insight Sensor

Provides information about how to uninstall Insight Sensor.

If you have Insight Sensor installed and no longer want to use it, perform the following steps to uninstall it.

To uninstall the Insight Sensor, you must first remove the Insight Sensor from the NetWitness Cloud Portal and then uninstall the Insight Sensor on the NetWitness Platform.

Step 1: Remove the Insight Sensor from the NetWitness Cloud Portal

  1. Log in to the NetWitness Cloud Portal.

  2. Go to admin icon Admin > Sensors > Sensor List.

  3. Select the Insight Sensor that you want to delete using the Host Name and click Remove Sensor.

    A confirmation pop-up is displayed.

  4. Click Remove Sensor.

Note

In case if the Device ID is displayed instead of Host Name. You can find the device ID in the Explore view on the NetWitness Platform user interface. For more information, see Locate the Device ID for a Specific Insight sensor.

Step 2: Uninstall the Insight Sensor on the NetWitness Platform

  1. Log in to the NetWitness Platform.

  2. Navigate to admin icon Admin > Services.

  3. In the Services list, select the NetWitness Insight service and click Admin icon > View > Explore.

    The Explore view for the NetWitness Insight service is displayed.

  4. On the Explore view, in the left panel, click cloud > right-click Properties, select stop from the drop-down, and click Send.

    View network behavior panel for assets
  5. Navigate to the Services list view, select the NetWitness Insight service and click Admin icon > Delete.

    A confirmation pop-up is displayed.

  6. Click Yes.

  7. SSH to the Packet Decoder host on which the NetWitness Insight service is installed.

  8. Run the following command to stop the Insight service:

    systemctl stop nwcloud
    
  9. Run the following command to get the Insight RPM package name:

    rpm -qa | grep rsa-nw-cloud
    

    The rpm package name will be displayed. For example, rpm -e rsa-nw-cloud-12.3.0.0-12746.5.b9d72db10.el7.x86_64

  10. Run the following command to uninstall:

    rpm -e <rpm package name>
    

    Replace <rpm package name> with the actual rpm package name.

    For example, rpm -e rsa-nw-cloud-12.3.0.0-12746.5.b9d72db10.el7.x86_64

  11. Run the following command to remove the cloud config file:

    rm -f /etc/netwitness/ng/cloud-aws.json
    

See also

4 - Uninstall Cloud Connector Sensor

Provides information about how to uninstall Cloud Connector Sensor.

If you have a Cloud Connector Sensor installed and you no longer want to use it, perform the following steps to delete the Cloud Connector Sensor.

To delete the Cloud Connector Sensor, you must first remove the Cloud Connector Sensor from the NetWitness Cloud Portal and then uninstall the Cloud Connector Sensor on the NetWitness Platform.

Step 1: Remove the Cloud Connector Sensor from the NetWitness Cloud Portal

  1. Log in to the NetWitness Cloud Portal.

  2. Go to Admin icon Admin > Sensors > Sensor List.

  3. Select the Cloud Connector Sensor you want to delete and click Remove Sensor.

Step 2: Uninstall the Cloud Connector Sensor on the NetWitness Platform

  1. SSH to the Admin Server.

  2. Execute the following command:

    /var/lib/netwitness/cloud-connector-server/nwtools/uninstall-cloud-connector.sh
    
  3. Log in to the NetWitness Platform and go to admin icon Admin > Services to verify if the Cloud Connector Sensor is removed.

See also

Install the Cloud Connector Sensor

5 - Locate the Device ID for a Specific Insight Sensor

Provides information about how to locate the device ID for a specific Insight Sensor.

In case of multiple NetWitness Insight Sensor deployments, you will require the device ID if you want to delete or check the status of a specific Insight Sensor. You need to open the Insight Sensor host (Packet Decoder) on the Services page and find the device ID in Explore view on the NetWitness Cloud Portal user interface.

To locate the device ID for a specific Insight Sensor

  1. Log in to the NetWitness Platform.

  2. Go to admin icon Admin > Services.

  3. In the Services list, search NetWitness Insight in the Filter field.

    how to locate device ID for a specific insight sensor

  4. Select the NetWitness Insight service and click service action button > View > Explore.

    The Explore view for the NetWitness Insight service is displayed.

    how to locate device ID for a specific insight sensor
  5. On the left panel, click sys > stats. The UUID and other information are displayed on the right panel.

    The UUID value contains the complete 36-characters service ID of the Packet Decoder service.

    The last 12-characters of the UUID are the Device ID of that Insight sensor. For example, if the UUID of the Packet Decoder service is 399f9fa3-c100-4171-837f-d449c896d47b, the device ID of the sensor is d449c896d47b.

    how to find the UUID value for a specific insight sensor

See also

6 - Enable or Disable the Cloud Connector Sensor

Provides information on how to Enable and Disable the Cloud Connector Sensor.

The Cloud Connector Sensor is installed on the Admin Server, allowing it to obtain asset data from the NetWitness Cloud and transfer it to on-premises services like Springboard and Context Hub. If you need to perform maintenance on the Cloud Connector Sensor, you can temporarily disable it. Disabling the Cloud Connector sensor will prevent on-premises services from retrieving NetWitness Cloud analytics and receiving alerts generated by NetWitness Cloud.

Disabling the Cloud Connector Sensor

  • Users who have registered for NetWitness Cloud Portal will be notified by email whenever a sensor is disabled or enabled.
  • If the Cloud Connector sensor is disabled, the following on-premises services will be unable to retrieve data from the cloud:
    • Springboard
      • Assets Panel
    • Home Page
      • Top Discovered Assets Widget
    • Context Hub
      • Context Highlights – Network Exposure information will not be shown.
      • Network Behavior Panel
  • Insight cloud alerts will not be delivered until the Cloud Connector sensor is enabled again.

Procedure

  1. Log in to the NetWitness Cloud Portal.

  2. Go to admin icon Admin > Sensors List.

  3. Select the sensor and click Disable Sensor.

    A confirmation pop-up is displayed.

  4. Click Disable Sensor.

Enabling the Cloud Connector Sensor

Users who have registered for NetWitness Cloud Portal in an environment will be notified by email whenever a sensor is enabled.

Procedure

  1. Log in to the NetWitness Cloud Portal.

  2. Go to admin icon Admin > Sensors List.

  3. Select the sensor and click Enable Sensor.

    A confirmation pop-up is displayed.

  4. Click Enable Sensor.

See also

7 - Enable or Disable the Insight Sensor

Provides information on how to Enable and Disable the Insight Sensor.

The Insight Sensor is installed on the Packet Decoder, allowing it to capture and transfer the network metadata to the NetWitness Cloud. If you need to perform maintenance on the Insight Sensor, you can temporarily disable it. Disabling the Insight sensor will prevent it from metadata capture, and data transfer is paused.

Note

From NetWitness Platform version 12.4 or later, users who have registered for NetWitness Cloud Portal will be notified by email whenever a sensor is disabled or enabled.

Important

Before you begin, verify your Insight Sensor version. Navigate to the Sensor List tab and check the version listed within the Sensor Version column.

  • If your Insight sensor version is 12.3 or 12.3.1, you must perform steps 1-9 to disable or enable the sensor.
  • If your Insight sensor version is 12.4 or later, you can proceed directly to steps 5-9 to disable or enable the sensor.

To Disable the Insight Sensor

  1. Log in to the NetWitness Cloud Portal.

  2. Go to admin icon Admin > Sensors List.

  3. Select the sensor and click Disable Sensor.

    A confirmation pop-up is displayed.

  4. Click Disable Sensor.

  5. Log in to the NetWitness Platform.

  6. Navigate to admin icon Admin > Services.

  7. In the Services list, select the NetWitness Insight service and click Admin icon > View > Explore.

    The Explore view for the NetWitness Insight service is displayed.

  8. On the Explore view, in the left panel, click cloud > right-click Properties, select stop from the drop-down, and click Send.

    View network behavior panel for assets

  9. To stop the data auto aggregation, click cloud > config and set the parameter Aggregate Autostart (aggregate.autostart) to off.

    View network behavior panel for assets

To Enable the Insight sensor

  1. Log in to the NetWitness Cloud Portal.

  2. Go to admin icon Admin > Sensors List.

  3. Select the sensor and click Enable Sensor.

    A confirmation pop-up is displayed.

  4. Click Enable Sensor.

  5. Log in to the NetWitness Platform.

  6. Navigate to admin icon Admin > Services.

  7. In the Services list, select the NetWitness Insight service and click Admin icon > View > Explore.

    The Explore view for the NetWitness Insight service is displayed.

  8. On the Explore view, in the left panel, click cloud > right-click Properties, select start from the drop-down, and click Send.

    View network behavior panel for assets

  9. To start the data auto aggregation, click cloud > config and set the parameter Aggregate Autostart (aggregate.autostart) to on.

    View network behavior panel for assets

See also

8 - Configure Insight as a Data Source

Provides information about how to configure Insight data source

You can configure Insight as a data source for Context Hub and use the Context Hub server to fetch contextual information from NetWitness Insight. Use the following procedure in this topic to add Insight as a data source for Context Hub service and configure the settings for NetWitness Insight.

Prerequisities

Before you configure the Insight data source, ensure that:

  • NetWitness Platform is in version 12.3 or later.
  • Context Hub service is available in admin icon (Admin) > Services view of NetWitness Platform.
  • Insight Sensor is installed and configured.
  • Cloud Connector Sensor is installed and configured.

To add Insight as a data source for Context Hub

  1. Log in to the NetWitness Platform.

  2. Go to admin icon (Admin) > Services.

    The services view is displayed.

  3. Select the Context Hub service and click insight data source icon > View > Config.

    The Services Config View of Context Hub is displayed.

    add Insight data source

  4. In the Data Sources tab, click insight data source icon > Insight.
    The Add Data Source dialog is displayed.

    how to add Insight data source

    The required fields to configure the Insight data source are automatically updated.

  5. Provide the following information:

    • By default, the Enable checkbox is selected. If this option is unchecked, you cannot add the data source or view the contextual information.

    • (Optional) Name: The name that identifies the data source and is automatically taken as Cloud-Connector-server. You can change the name. NetWitness recommends keeping the default name which comes from the data source.

    • (Optional) Max. Concurrent Queries: You can configure the maximum number of concurrent queries to be run against the configured data sources. The default value is 10.

  6. Click Test Connection to test the connection between Context Hub and the NetWitness Insight.

  7. Click Save.

    Insight is added as a data source for Context Hub and is displayed in the Data Sources tab.

    how to add Insight data source

Next steps

After completing the configuration, you can view the contextual data in the Context Summary Panel for the Asset in the Respond or Investigate > Events view. For more information, see View Contextual Information for an Asset.

See also

9 - Enable Insight Incident Rules

Provides information on how to Enable the Insight Incident Rules.

By default, the NetWitness Insight Incident rules are disabled in your environment. You can enable them to generate the incident IDs for the alerts and customize the NetWitness Insight Incident Rules settings.

To Enable Insight Incident Rules

  1. Log in to the NetWitness Platform.

  2. Go to admin icon (Configure) > Incident Rules.

    how to enable Insight incident rules
  3. Select the NetWitness Insight rule and click Enable.

    A confirmation pop-up is displayed.

  4. Click OK.

See also

10 - Monitor the Health of the Insight Sensor

Provides information about how to monitor the health of the Insight Sensor

NetWitness Cloud Portal allows you to visualize the health of the sensors deployed in your environment using the new Health And Wellness dashboard. Health and Wellness helps monitor sensor health and visualize the historical analytics and performance trends for all Insight sensors. It also helps isolate the problematic sensors.

Keeping track of the following parameters from Insight Sensor allows you to monitor Sensor health:

  • Daily Decoder Throughput information of individual sensors and all sensors.

  • Data uploaded for individual sensors and all sensors.

    Health and Wellness Dashboard

To access the Insight Sensor Health And Wellness Dashboard:

Note

The displayed tenant name and region are based on the tenant deployment.

  1. Log in to the NetWitness Insight.

  2. Go to admin icon Admin > Health And Wellness.

    The Health and Wellness dashboard is displayed and consists of two widgets with different metrics.

  3. Select the Date Range from the drop-down list. The information displayed in each graph is updated accordingly. The last 7 days’ data is displayed by default. Using the Date Range drop-down list, you can view the metrics of the Last 7 Days, Last 2 Weeks, Last Month, Last 3 Months, or Last 6 months.

    Health and Wellness Dashboard

  4. You can also view the same data in a tabular format. Click admin icon (toggle) within each widget. When the tabular format is turned ON. You can perform the following operations on the widget:

    • You can navigate between pages using the page navigation options and view all the data seamlessly.
    • You can select the number of data entries per page using the drop-down list located at the bottom of each widget. By default, 10 rows are displayed per page. However, you can modify the number of rows displayed per page.
    • You can export the data in a .CSV format. To download the data, click Export.
      Health and Wellness Dashboard

Understand the Sensor Health and Wellness Dashboard Visualizations

Visualization Metrics Description
Decoder Throughput Daily amount of data captured and processed by the decoder where the sensor is installed within the date range. The Daily throughput trend line is shown. You can see the trends for all Insight Sensors simultaneously, select a particular Insight Sensor, and analyze the trend.
Data Uploaded Total file sizes uploaded to NetWitness Cloud in the selected date range. The Daily Data uploaded trend line is shown. You can see the trends for all Insight Sensors simultaneously, select a particular Insight Sensor, and analyze the trend.

See also

11 - Use Sensor Filters

Provides information on how to filter sensors in the Sensor List tab.

To better manage a large number of sensors, you can search and filter for specific sensors by any criteria in the list of sensors from the admin icon Admin > Sensor List page in the NetWitness Cloud Portal UI.

To filter the sensors

  1. Log in to NetWitness Cloud Portal.

  2. Go to admin icon Admin > Sensors > Sensor List.

  3. Click Filter.

    The Filter panel is displayed.

  4. In the above panel, utilize one or more of the following options to filter the sensors:

    • Host Name: Specify the sensor’s host name to filter the sensor list. You can start typing the name of the host. Type one character and a list of sensors that contain that character is displayed, as you continue to type the list is filtered to match.

    • Status: Select one or more statuses from the drop-down menu. The available options are Connected, Disconnected, and Disabled.

    • Sensor Type: Select the type of sensor from the drop-down menu. For example, Insight Sensor.

      Only one sensor can be selected at a time for filtering.

    • Sensor Version: Select one or more versions from the drop-down menu. For example, when you type the two characters (12 versions), and a list of sensors that contain those characters are displayed.

  5. Click Apply Filter.

    The sensors are displayed in the right panel according to the filter you selected. To clear filters, at the bottom of the left panel, click Clear.

See also