This is the multi-page printable view of this section.
Click here to print.
Return to the regular view of this page.
Install and Setup
Provides information on how to install and setup the Cloud Link Service, Monitor the health, uninstall and Troubleshoot any issues.
1 - Cloud Link Service Overview
Introduction to Cloud Link Service and planning considerations for installing Cloud Link Service.
NetWitness Cloud Link Service enables you to use the NetWitness UEBA solution and its features by providing a secure transportation mechanism between existing NetWitness Platform hosts (Decoders) and the NetWitness UEBA service. Example: to perform analytics on the NetWitness UEBA, you must install and register the Cloud Link Service on at least one Decoder host.
Cloud Link service is a sensor that you must install and register on your on-premise host to:
- Transfers metadata from the host (such as Decoders) in your on-premises deployment to the NetWitness UEBA for analysis and investigation.
- Transfer alerts generated in NetWitness UEBA to your on-premises NetWitness Platform Respond server for incident management.
You can install Cloud Link Service on the following host types:
- Log Decoder
- Log Hybrid
- Endpoint Log Hybrid
- Log Hybrid Retention
Note
- Cloud Link Service and the hosts must be on version 11.5.2.0 or later.
- You need a separate Cloud Link Service to be installed for each host.
- To support endpoint-related queries, Cloud Link Service must be on version 11.7.1.0 or later.
Cloud Link Service Architecture
This section provides information on how data is transferred using Cloud Link Service:
Single Deployment: Data Transfer
- Cloud Link Service fetches all the metadata from the host. For example: Log Decoder.
- The Cloud Link Service filters metadata from the following data sources:
- Active Directory
- Authentication
- File
- Process
- Registry
- Cloud Link Service collects only matching metadata, compresses the matching metadata, and transfers it to NetWitness UEBA through a secure channel.
NoteCloud Link Service ensures that no data is lost during temporary network issues or outages. If the outage lasts for more than 7 days, then the data older than 7 days will not be considered.
Multiple Deployment: Data Transfer
Data Transfer from NetWitness UEBA
NetWitness platform transfers the alerts generated to the on-premises NetWitness Platform Respond server which can be viewed on the user interface for incident management.
See also
2 - Plan your Considerations to Install Cloud Link Service
Provides information about system requirements and various prerequisites.
Before you install the Cloud Link Service, you must plan for the following:
- The NetWitness Platform (Decoder Host) is on version 11.5.2 or later.
- Ensure you have at least 8 GB of memory on your host.
- Ensure that the system clock is accurate. To fix the system clock, configure the NTP server on the Admin server. For more information on how to configure NTP server, see
Configure NTP Servers.
- Ensure that you have the administrator access to the NetWitness Cloud Portal user interface.
- If you have an existing UEBA (On-premises) host deployed in your environment and you plan to move to NetWitness UEBA (Cloud), you need to remove the host from the Admin server and stop the airflow-scheduler service on the UEBA (On-premises) host. If you plan to run UEBA (Cloud) and UEBA (On-premises) simultaneously, see Install NetWitness UEBA (Cloud) with an Existing UEBA (On-premises).
- The host on which the Cloud Link Service will be installed needs to be connected to Amazon Web Services(AWS). This might require changes to your existing firewall rules. Hosts will need to connect to the IP ranges for the chosen deployment region. For more information on the current list of AWS IPs by region, see
AWS IP address ranges.
- Open TCP port 443 to allow outbound network traffic.
- Ensure you have configured the Azure Monitor plugin in your deployment. This enables UEBA to run a query for Azure AD log events for monitoring purposes in the correct format. For more information on how to configure the Azure Monitor plugin, see the Azure Monitor Event Source Configuration Guide.
- (Optional) Ensure that you configure the proxy settings from NetWitness Platform version 11.5.3 or later, before installing the Cloud link Service. For more information, see Configure the Proxy for the Cloud Link Service.
Important
- From version 12.4 or later, NetWitness no longer supports CentOS 7 and only supports Alma OS. As a result, upgrading only the Cloud Link Sensor from a lower version (12.3.1 or older) to 12.4 is not possible. To resolve this issue, we recommend upgrading all NetWitness Platform services to version 12.4. This step ensures a successful upgrade for the sensors. For more information on upgrade, see NetWitness Upgrade Guide 12.4.
- For users onboarded on version 12.4, you must follow the installation procedure to deploy the sensors on the decoders. For more information, see Install Cloud Link Service.
To understand the deployment of the Cloud Link Service, see Cloud Link Service Architecture.
NoteData will be fetched from only the host (Example: Decoder) on which the Cloud Link Service is installed.
You can install Cloud Link Service on the following hosts:
Model |
Category |
S5/S6/S6E/Virtual Cloud (AWS, Azure, GCP) |
Log Hybrid Log Decoder Endpoint Log Hybrid Log Hybrid Retention Virtual Log Decoder Virtual Log Hybrid |
See also
3 - Install Cloud Link Service
Learn how to install and set up Cloud Link Service for UEBA.
The administrators can perform the following tasks to install the Cloud Link Service successfully:
Step 1. Install Cloud Link Service
Step 2. Download the Activation Package
Step 3. Register the Cloud Link Service
Step 4. Verify if the Cloud Link Service is working
Step 5. Transfer UEBA (Cloud) data to NetWitness Platform
Step 1: Install the Cloud Link Service
You can install the Cloud Link Service on the following host types:
- Log Decoder
- Log Hybrid
- Endpoint Log Hybrid
- Log Hybrid Retention
Prerequisites
Ensure that the NetWitness Platform and the host (Decoder) are on version 11.5.2.0 or later.
NoteData will be fetched from only the host (For Example: Log Decoder) on which the Cloud Link Service is installed.
To install the Cloud Link Service
-
Log in to the NetWitness Platform as an administrator and go to Admin > Hosts.
The Hosts view is displayed.
-
Select a host (Example: Log Decoder) and click .
A dialog listing all the services already installed on this host is displayed and seeks your confirmation if you want to install a new service.
-
Click Yes.
The Install Services dialog is displayed.
-
Select the Cloud Link Service from the Category drop-down menu, and click Install.
-
Go to Admin > Services to verify successful Cloud Link Service installation.
Step 2: Download the Activation Package
You need the activation package to register Cloud Link Service with the NetWitness UEBA. The activation package can be used on all hosts containing Cloud Link Service, which you want to register and you can download it from the NetWitness Cloud Portal.
To download the activation package
-
Log in to the NetWitness Cloud Portal.
-
Go to Admin > Sensors > Downloads.
-
Click the Cloud Link tab.
-
Under Activation Package, click to generate the activation package.
-
Click to download the activation package.
Step 3: Register the Cloud Link Service
Registration of Cloud Link Service requires copying the activation package to the Cloud Link Service directory, and setting up the required permissions. Once this is completed, the Cloud Link Service will be registered automatically.
Note
- The same activation package can be used for multiple registrations.
- Ensure you use the most recently downloaded activation package.
Prerequisites
Ensure that the system clock is accurate. To fix the system clock, configure the NTP server on Admin server. For more information on how to configure NTP Sever, see
Configure NTP Servers.
To register the Cloud Link Service
-
SSH to the host on which the Cloud Link Service is installed.
-
Copy the device-activation-package.json
file downloaded from the NetWitness Cloud Portal to the /root
or /temp
directory on the Cloud Link Service host.
-
Change the user and group of the device-activation-package.json
file to netwitness
by executing the following command:
chown netwitness:netwitness device-activation-package.json
ImportantAvoid using cp
command to add files under /var/lib/netwitness/cloud-link-server
directory. The cp
command changes the user and group to root
, which can result in the Cloud Link Service registration failure.
-
Move the device-activation-package.json
file to the Cloud Link Service directory by executing the following command:
mv device-activation-package.json /var/lib/netwitness/cloud-link-server/
-
To verify if Cloud Link Service is registered successfully, log in to the NetWitness Cloud Portal, and check the status of the Cloud Link Service. For more information, see Verify if the Cloud Link Service is working.
NoteIf you want to re-register a Cloud Link Service with a different activation package, first remove the Cloud Link Service from the NetWitness Cloud Portal, and then uninstall Cloud Link Service on the NetWitness Platform. For more information about uninstalling the Cloud Link Service, see Uninstall the Cloud Link Service.
Step 4: Verify if the Cloud Link Service is Working
You can check the status on NetWitness Cloud Portal Sensor List to verify the successful registration of Cloud Link Service. The status must reflect as Connected for the Cloud Link Service to start transferring data. You can use this status to monitor the Cloud Link Service and troubleshoot registration failures.
To verify the status of the Cloud Link Service
- Log in to the NetWitness Cloud Portal.
- Go to Admin > Sensors > Sensor List.
The following information is displayed for every Cloud Link Service registered in your deployment:
Detail |
Description |
|
Hostname |
The host on which the Cloud Link Service is installed. Example: Endpoint Log Hybrid. |
|
Status |
Status of the Cloud Link Service: - Registered: The Cloud Link Service is registered successfully. - Connected: The Cloud Link Service is connected and operating normally. - Disconnected: The Cloud Link Service is not connected. - Disabled: The Cloud Link Service is stopped temporarily and data transfer is paused. - Enabled: The Cloud Link Service reconnects and resumes data transfer. |
|
Sensor Version |
The installed version of the sensor. Example: 12.5.0.0. |
|
Sensor Type |
Type of sensor that is installed and registered. Example: Cloud Link. |
|
Uptime and Downtime |
Displays the sensor’s uptime and downtime. |
|
If you want to view the UEBA data on your NetWitness Platform user interface you must configure the data transfer from the cloud to the Admin server. Perform the following steps:
ImportantThis step should be performed only once after you register the Cloud Link Service for the first time.
-
SSH to the Admin server.
-
Execute the following command:
See also
4 - Monitor the Health of the Cloud Link Service
Provides information about how to access the service dashboard and monitor the health of the service.
NetWitness Platform enables you to visualize the health of the Cloud Link Service similar to other NetWitness Platform services deployed in your environment. It helps you troubleshoot the problematic spikes, identify high resource usage, and gives a deep visibility into the source of problems before the service goes down.
Monitoring the health of the Cloud Link Service at all times enables you to keep track of the following parameters:
- Status of all the Cloud Link Services in your deployment (offline and online).
- For each Cloud Link Service, the sessions aggregation rate, sessions behind, and sessions collected.
- Status of the uploads such as the count of sessions uploaded, the rate at which upload took place, and outstanding sessions to be uploaded.
- CPU and memory usage of each service.
Prerequisites
- You must install the New Health and Wellness. For more information, see
New Health and Wellness
- You must ensure to download the Cloud Link Service dashboard from RSA Live and monitor the data transfer. For more information, see
Advanced Configurations.
The Cloud Link Service Dashboard provides key metrics as described in Understand Cloud Link Overview Dashboard Visualizations.
To access the Cloud Link Overview Dashboard
-
Log in to the NetWitness Platform.
-
Go to Admin > Health & Wellness.
-
Click New Health & Wellness.
-
Click Pivot to Dashboard.
The Deployment Health Overview dashboard is displayed.
NoteTo view dashboards, your browser must be configured to allow popups and redirects.
-
Click and then click Dashboard.
The Dashboards dialog is displayed.
-
Select the Cloud Link Overview Dashboard.
You can look at the visualizations (charts, tables, and so on) to view current CPU and memory of Cloud Link Service, Sessions behind and Upload rate per Cloud Link Service, and so on.
-
You can adjust the time range on the top right corner and also use the host filter to view the visualizations on each host.
See also
5 - Understand Cloud Link Overview Dashboard Visualizations
Provides information about Cloud Link Service Dashboard.
This topic provides information on the Cloud Link Overview dashboard. The dashboard contains information on Cloud Link Service key metrics such as the hosts the Cloud Link Service is running on, outstanding sessions to be uploaded, CPU, memory usage, and so on.
NoteThe metrics listed below are the default values. You can customize the visualizations based on your requirement. For example, you can customize a visualization to view the CPU utilization for all the Cloud Link Service.
Cloud Link Overview Dashboard
Visualization |
Metrics |
Objective |
Description |
Sessions Aggregation Rate Per CLS |
Sessions aggregated rate by all Cloud Link Service. |
Provides the sessions aggregated rate for all Cloud Link Service to take necessary actions when the session aggregation rate goes down. |
Displays the sessions aggregation rate for all Cloud Link Service. |
Sessions Behind Per CLS |
Sessions behind by each Cloud Link Service. |
Provides the sessions behind trend on each Cloud Link Service to take necessary actions when the session behind goes higher. |
Displays the sessions behind trend for each Cloud Link Service. |
Sessions Collected |
Sessions collected by each Cloud Link Service. |
Provides the sessions collected trend for each Cloud Link Service to take necessary actions when the session collection rate goes down. |
Displays the sessions collected trend for each Cloud Link Service. |
Sessions Uploaded |
Sessions uploaded by each Cloud Link Service. |
Provides the sessions uploaded trend for each Cloud Link Service to take necessary actions when the session uploaded rate goes down. |
Displays the sessions uploaded trend for each Cloud Link Service. |
Difference - Sessions Collected and Uploaded |
Difference in Sessions collected and sessions uploaded count by each Cloud Link Service. |
Provides the difference between the sessions collected count and sessions uploaded count for each Cloud Link Service to take necessary actions when the session value goes higher. |
Displays the difference between the sessions collection count and sessions uploaded count for each Cloud Link Service. |
Upload Rate per CLS |
- Host name - Upload rate |
Provides the rate at which the Cloud Link Service uploads the sessions to the UEBA (Cloud). |
Displays the upload rate of sessions from each Cloud Link Service to UEBA (Cloud). |
Outstanding Sessions to be uploaded to Cloud per CLS |
- Host name - Count of Outstanding Records |
Provides the outstanding session trend to identify any high values and take necessary action. |
Displays the total number of sessions that have not been uploaded to UEBA (Cloud) per Cloud Link Service. |
Cloud Link Service by CPU Percentage |
- Host name - CPU usage |
Identifies the CPU usage by Cloud Link Service to detect high use and take necessary action. |
Displays the CPU usage by Cloud Link Service. |
Cloud Link Service by Resident Memory Usage |
- Host name - Resident memory usage |
Identifies the resident memory usage by Cloud Link Service to detect high use and take necessary action. |
Displays the resident memory usage by Cloud Link Service. |
Cloud Link Service Status |
- Service name - Service Status - Status time |
Provides the status of Cloud Link Service. |
Displays the status of Cloud Link Service. |
Offline vs Total Cloud Link Services |
- Service name - Service Status |
Identifies the number of offline services with the total number of Cloud Link services in your deployment. |
Displays the total number of Cloud Link services and the number of services that are offline. |
See also
6 - Configure Email or Syslog Notifications to Monitor the Service
Provides information about configuring email or syslog notifications to monitor the service.
Notifications such as email or syslog can be configured to monitor the Cloud Link Service. You will be notified when the following events occur:
- Cloud Link Service goes offline.
- Offline Cloud Link Service is back online.
- Cloud Link Service CPU, memory, or disk storage thresholds are exceeded.
Note
You must install the New Health and Wellness to add the required notification.
For more information, see
New Health and Wellness.
Notifications can be set up on the NetWitness Platform user interface by configuring the output, server settings, and notification. This is the notification type, namely email and syslog. When you set up a notification, you must specify the notification output for an alert.
-
Go to Admin > System.
-
In the options panel, select Global Notifications.
The Notifications configuration panel is displayed with the Output tab open.
-
On the Output tab, from the drop-down menu, select Email or Syslog.
The following is an example of email notification:
-
In the Define Email Notification dialog, provide the required information and click Save.
This is the source of the notifications and must be configured to specify the email server or syslog server settings.
-
Go to Admin > System.
-
In the options panel, select Global Notifications.
The Notifications configuration panel is displayed with the Output tab open.
-
Click the Servers tab.
-
From the drop-down menu, select Email or Syslog.
The following is an example for email server:
-
In the Define Email Notification Server dialog, provide the required information and click Save.
Add a email or syslog notification
-
Go to Admin > Health & Wellness.
-
Click New Health & Wellness.
-
Click View Notifications Settings.
-
Specify the following:
- Output Type: Select the Notification type as Email or Syslog.
- Recipient: Select the recipient based on the output type selected.
- Notification Server: Select the notification server that will send the notification.
- Template: Notification template as Email or Syslog.
-
If you want to add another notification, click Add Condition and repeat step 4.
NoteYou can specify a maximum of four conditions in the notification settings.
- Click Save.
See also
7 - Uninstall the Cloud Link Service
Provides information about uninstalling the Cloud Link Service.
If you have Cloud Link Service installed and no longer want to use it, perform the following steps to delete the Cloud Link Service.
NoteWhen you uninstall the Cloud Link service, any data which are yet to be uploaded to the UEBA (Cloud) will be discarded.
To uninstall the Cloud Link Service completely, first remove the Cloud Link Service from NetWitness Cloud Portal, and then uninstall the Cloud Link Service on the NetWitness Platform.
Step 1: Remove the Cloud Link Service from the NetWitness Cloud Portal
-
Log in to the NetWitness Cloud Portal.
-
Go to Admin > Sensors > Sensor List.
-
Select the Cloud Link Service that you want to delete, and click Remove Sensor.
Step 2: Uninstall the Cloud Link Service on the NetWitness Platform
-
SSH to the host on which the Cloud Link Service is installed.
-
Execute the following command:
/var/lib/netwitness/cloud-link-server/nwtools/uninstall-cloud-link.sh
-
Log in to the NetWitness Platform and go to Admin > Services to verify if the Cloud Link Service is removed.
See also
8 - Update the Cloud Link Service Automatically
Learn how to update the Cloud Link Service manually as well as automatically and how to schedule your update based on the day and time
You can now easily keep all your Cloud Link Service up-to-date with the latest version. You can set up automatic updates or scheduled updates to save time and avoid manual tracking of the Cloud Link Service.
You can set up update options on the Configuration tab:
- Automatic update: Select to allow auto-update of sensors as and when a new version is available.
- Custom update: Select to schedule auto-update of the sensor for a specific day and time.
Prerequisites
- The NetWitness Platform (host) is on version 11.6.1 or later.
- Ensure that the Cloud Link Service is in a connected state in the UI to start the update.
Note
- The Sensor Update button will be enabled only when there is a new version available.
- During the update process, the Cloud Link Service will get disconnected and data transfer to the cloud will be paused. If the update fails, the Cloud Link Service will revert to the last installed version.
- Cloud Link Service will begin updating automatically within 10 minutes if the automatic update option is enabled.
Important
- From version 12.4 or later, NetWitness no longer supports CentOS 7 and only supports Alma OS. As a result, upgrading only the Cloud Link Sensor from a lower version (12.3.1 or older) to 12.4 is not possible. To resolve this issue, we recommend upgrading all NetWitness Platform services to version 12.4. This step ensures a successful upgrade for the sensors. For more information on upgrade, see NetWitness Upgrade Guide 12.4.
- For users onboarded on version 12.4, you must follow the installation procedure to deploy the sensor to the decoder. For more information, see Install Cloud Link Service.
To update the Cloud Link Service automatically
-
Log in to the NetWitness Cloud Portal.
-
Go to Admin > Sensors > Configuration.
-
Do one of the following:
- To setup the Automatic update: select the option Automatic and click Save.
- To setup the Schedule update: Select the option Custom.
- Specify the day from the Day field.
- Specify the time in Time field. For example, 07:03.
- Click Save.
NoteTo change the sensor Update settings at any point, select the preferred update option and click Save.
Update the Cloud Link Service Manually
You can update the Cloud Link Service manually on selected hosts.
NoteYou can update the Cloud Link Service individually on each host. You cannot update multiple Cloud Link Services.
To update the Cloud Link Service manually
-
Log in to the NetWitness Cloud Portal.
-
Go to Admin > Sensors > Configuration.
-
Select the option Manual and click Save.
-
Click the Sensor List tab.
-
Select the Cloud Link Service that needs to be updated and click Update Sensor.
A pop-up message is displayed to confirm the update.
-
Click Update.
NoteIf the update fails, the error for update failure is displayed, and you can troubleshoot the Cloud Link Service and resolve the issue. For more information, see Troubleshoot the Cloud Link Service.
Limitations for sensor update
Limitations associated with this version of the sensor are included below:
-
When a new version of the sensor update is available, for example, 11.6.1, the Sensor Update button is enabled and ready to update the sensor. When you click Sensor Update, the sensor update starts. However, at the same time if a new rpm for the sensor update is uploaded, for example, 11.7, there are high chances the sensor update will not be overridden, causing the sensor to not be updated with the latest version.
-
When a new version of sensor update is available, and you have configured for manual updates, the sensor update will not be triggered automatically. In this scenario, you need to update to the new version manually. However, if a new version of the sensor update is released after changing the setting to automatic, all sensor updates will be performed automatically from that moment.
See also
9 - Enable or Disable the Cloud Link Service
Provides information on how to Enable and Disable the Cloud Link Service.
Sensors (Cloud Link Service) are installed on a host and are enabled by default to transfer data to the UEBA. However, you can temporarily disable a sensor, if the data exceeds the processing capacity or perform a maintenance activity on the sensor. If you disable a sensor,the sensor will not be able to collect the data.
To disable a sensor
-
Log in to the NetWitness Cloud Portal.
-
Go to Admin > Sensors List.
-
Select the sensor and click Disable Sensor.
A confirmation pop-up is displayed.
-
Click Disable Sensor.
To enable a sensor
-
Log in to the NetWitness Cloud Portal.
-
Go to Admin > Sensors List.
-
Select the sensor and click Enable Sensor.
A confirmation pop-up is displayed.
-
Click Enable Sensor.
See also
10 - Use Sensor Filters
Provides information on how to filter sensors in the Sensor List tab.
To better manage a large number of sensors, you can search and filter for specific sensors by any criteria in the list of sensors from the Admin > Sensor List page in the NetWitness Cloud Portal UI.
To filter the sensors
-
Log in to NetWitness Cloud Portal.
-
Go to Admin > Sensors > Sensor List.
-
Click Filter.
The Filter panel is displayed.
-
In the above panel, utilize one or more of the following options to filter the sensors:
-
Host Name: Specify the sensor’s host name to filter the sensor list. You can start typing the name of the host. Type one character and a list of sensors that contain that character is displayed, as you continue to type the list is filtered to match.
-
Status: Select one or more statuses from the drop-down menu. The available options are Connected, Disconnected, and Disabled.
-
Sensor Type: Select the type of sensor from the drop-down menu. For example, Cloud Link Sensor.
Only one sensor can be selected at a time for filtering.
-
Sensor Version: Select one or more versions from the drop-down menu. For example, when you type the two characters (12 versions), and a list of sensors that contain those characters are displayed.
-
Click Apply Filter.
The sensors are displayed in the right panel according to the filter you selected. To clear filters, at the bottom of the left panel, click Clear.
See also
11 - Install NetWitness UEBA (Cloud) with an Existing UEBA (On-premises)
Provides information about installing NetWitness UEBA (Cloud) and UEBA (On-premises) together in an environment.
If you have UEBA (On-premises) deployed on your NetWitness Platform, you can install NetWitness UEBA (Cloud) and can run them simultaneously. This is because they are independent of each other. However, the User Interface can be connected to only one source at a time.
When you have both UEBA (On-premises) and UEBA (Cloud) running simultaneously, it can impact the performance as both consume data from the NetWitness Platform. UEBA (Cloud) receives data from the Cloud Link Service installed on the Decoder hosts, and the UEBA (On-premises) receives the data from the Concentrator or Broker.
NoteThis feature is supported from the 11.6.0.0 version or later.
Install and Setup NetWitness UEBA (Cloud)
-
Install the Cloud Link Service. For more information, see Install Cloud Link Service.
-
Download the Activation Package. For more information, see Download the Activation package.
-
Register the Cloud Link Service. For more information, see Register the Cloud Link Service.
-
Verify the Cloud Link Service is working. For more information, see Verify if the Cloud Link Service is working.
-
Enable UEBA (Cloud) data transfer by running the following command:
This command connects the UEBA (Cloud) to the Admin Server, and the data in the Users page is fetched from the UEBA (Cloud). For more information, see Transfer UEBA (Cloud) data to NetWitness platform.
NoteIf you want to receive the data from UEBA (On-premises), run the following command: nw-manage --disable-cba
This command connects the UEBA (On-premises) to the Admin Server and the data in the Users page is fetched from the UEBA (On-premises).
- Enable the UEBA (Cloud) incident rules. For more information, see
Step 1. Configure Alert Sources to Display Alerts in the Respond View.
Uninstall NetWitness UEBA (Cloud)
-
Uninstall the Cloud Link Services from the Decoders. For more information, see Uninstall the Cloud Link Service.
-
Contact the NetWitness Customer Support to uninstall all the related tenants and entitlements.
If you want to reconnect to the UEBA (On-premises), run the following command:
This command connects the UEBA (On-premises) to the Admin Server and fetch the data in the Users page
from the UEBA (On-premises).
See also
12 - Change the Default Service for Investigation
Provides information about changing preferred Broker Service ID for investigation.
By default, if you have a Broker installed on an Admin Server, then the service ID of a Broker will be automatically updated in Cloud Link Service as default service for investigation on the NetWitness Platform user interface for UEBA (Cloud). However, if there are no Brokers installed on an Admin server, then any one of the service ID of a Broker installed on another node will be automatically updated in Cloud Link Service. If you want to set a specific service ID for a Broker, you can configure in the Explore view of the Cloud Link Service on the NetWitness Platform user interface.
To locate the service ID for a Broker
-
Log in to the NetWitness Platform.
-
Go to Admin > Services.
-
In the Services list, search Broker in the Filter field.
-
Select a Broker, and click > View > Explore.
The Explore view for the Broker is displayed.
-
On the left panel, click sys > stats.
The service ID is displayed on the right panel.
To set the service ID for a Broker
-
Log in to the NetWitness Platform.
-
Go to Admin > Services.
-
In the Services list, search Cloud Link Server in the Filter field.
-
Select the Cloud Link Server and click > View > Explore.
The Explore view for the service is displayed.
-
On the left panel, click cloudlink/sync.
-
Edit and enter the required service ID of a broker in the default-service-for-investigation parameter field.
See also
13 - Configure the Proxy for Cloud Link Service
Provides information about configuring proxy support for Cloud Link Service.
If you are using a proxy network, you can configure the proxy for the Cloud Link Service under the NetWitness Platform, System > HTTP Proxy Settings page. This allows the Cloud Link Service to connect using a proxy and transfers data to the NetWitness Platform.
To configure proxy for Cloud Link Service
-
Log in to the NetWitness Cloud Portal.
-
Go to Admin > System.
-
In the options panel, select HTTP Proxy Settings.
The HTTP Proxy Settings panel is displayed.
-
Click the Enable checkbox.
The fields where you configure the proxy settings are activated.
-
Type the hostname for the proxy server and the port used for communications on the proxy server.
-
(Optional) Type the username and password that serve as credentials to access the proxy server if authentication is required.
-
(Optional) Enable Use NTLM Authentication and type the NTLM domain name.
-
(Optional) Enable Use SSL if communications use Secure Socket Layer.
-
To save and apply the configuration, click Apply.
The proxy is immediately available for use for the Cloud Link Service.
See also
14 - Configure Domains required to be Whitelisted for NetWitness UEBA
Provides information about Domains required to be whitelisted for NetWitness UEBA.
In case your organization uses a firewall to restrict network access to only specific websites or software, you need to whitelist the following domains to ensure that Cloud Link Service can communicate with AWS-related services and transfer the required metadata to UEBA for analytics.
-
These Domains/URLs will be region-specific for the deployment. The region can be found in the device activation package from the region section.
- sts.us-(region).amazonaws.com
- s3.us-(region).amazonaws.com
- kinesis.(region).amazonaws.com
- monitoring.us-(region).amazonaws.com
- ssm.us-(region).amazonaws.com
-
Besides the common domains you need to whitelist specific domains based on your deployment and are provided in the device activation package. Following are the names of domains/URLs:
- deviceApi
- controlApi
- iotApi
- iotHost
- detectaiApiGatewayUrl
In the following example, with this device activation package, the given deployment is in us-east-1 region, and the highlighted domains are the ones that must be whitelisted for this deployment.
The following table shows the list of domains/URLs that are whitelisted for the deployment in the above example:
SlNo |
Domain URL |
1 |
sts.us-east-1.amazonaws.com |
2 |
s3.us-east-1.amazonaws.com |
3 |
kinesis.us-east-1.amazonaws.com |
4 |
monitoring.us-east-1.amazonaws.com |
5 |
ssm.us-east-1.amazonaws.com |
6 |
abc8hgbvbk4.execute-api.us-east-1.amazonaws.com |
7 |
ghbcfjkbc.execute-api.us-east-1.amazonaws.com |
8 |
h7vcvkvjbhbb78.credentials.iot.us-east-1.amazonaws.com |
9 |
fhgodewbcimb-ats.iot.us-east-1.amazonaws.com |
10 |
xhhvbbej52.execute-api.us-east-1.amazonaws.com |
See also
15 - Troubleshoot the Cloud Link Service
Describes the common issues that you might encounter while installing, registering, deleting, and updating the sensors. It also contains workarounds for these issues.
Problem |
Cause |
Solution |
Cloud Link Service fails to register when you use an older activation package. |
If you have generated a new activation package but used an older activation package to register the Cloud Link Service, the registration fails and no error message is logged. |
To resolve the issue, perform the following steps: 1. Generate and download the new activation package from NetWitness Platform on the cloud. For more information, see Download the Activation Package. 2. Register the Cloud Link Service using the new activation package. For more information, see Register the Cloud Link Service. |
Cloud Link Service fails to register when the date and time are not in sync with NTP Server. |
If the date and time on the host containing the Cloud Link Service are not in sync with the NTP server, then invalid certificate exceptions are logged. |
Update the date and time to be in sync with the NTP Server. Execute the following commands to resolve the issue: 1. To display the default date and time on your system, execute the following command: timedatectl status 2. Execute the following command to turn off the NTP Server: timedatectl set-ntp 0 3. Execute the following command to correct the date and time: timedatectl set-time ‘date time’ Replace the default date and time with current date and time. Example: timedatectl set-time '2020-02-02 16:14:50' 4. Execute the following command to turn on the NTP Server: timedatectl set-ntp 1 5. Register the Cloud Link Service by using the recently downloaded activation package. For more information, see Register the Cloud Link Service. |
Deletion of the Cloud Link Service sensor failed |
If you have removed the Cloud Link Service sensor when the Cloud Link Service is offline, the logs show the Cloud Link Service sensor is deleted, however the Cloud Link service is not deleted and is back online. |
Ensure that you uninstall the Cloud Link Service on the NetWitness Platform soon after you remove it from the NetWitness Cloud Portal UI to delete the Cloud Link Service completely. For more information, see Uninstall the Cloud Link Service. |
Unable to update the Cloud Link Service due to RPM file download failure. |
During network outage, the RPM file download fails because there is no access to the RPM file URL. |
Check your network connection and try again. If the problem persists, try after some time. |
Unable to update the Cloud Link Service. |
One of the services might be down or offline. |
Ensure that all the services are up and running. For more details, check the following services log: - Check the orchestration log on the Admin server: /var/log/netwitness/orchestration-server/orchestration-server.log - Check the chef-solo.log on the Cloud Link servers: /var/log/netwitness/config-management/chef-solo.log |
Unable to update the Cloud Link Service due to RPM checksum validation failure. |
The checksum validation of the RPM file fails because of the following reasons: - The RPM file downloaded is corrupted. - The RPM file downloaded is incomplete or incorrect. |
Check your network connection and try again. If the problem persists, try after some time. |
Unable to update the Cloud Link Sensor due to a Timeout. |
If the sensor fails to update within a predefined 60-minute timeframe, an email notification will be sent to the administrators regarding the sensor update timeout failure. The timeout could occur due to network connectivity issues. |
If encountering an update timeout failure, try the following steps: 1. Wait for 30 minutes and then retry the sensor update. 2. Check the following services log: - Orchestration log on the admin server: /var/log/netwitness/orchestration-server/orchestration-server.log - Chef-solo.log on the Cloud Link Servers: /var/log/netwitness/config-management/chef-solo.log - Cloud Link service logs on the Cloud Link Servers: /var/log/netwitness/cloud-link-server/cloud-link-server.log For more information, refer to the Orchestration section in the Troubleshooting Installation and Upgrade Issues topic of the NetWitness Upgrade Guide for 12.4.2 version. |
Unable to update the Cloud Link Sensor due to Canceled operation. |
If the sensor fails to communicate for more than 24 hours after the sensor update is initiated, the system will automatically cancel the sensor update process and an email notification will be sent to the administrator. |
To address the issue, check if the Cloud Link Server is offline. Then try restarting the Cloud Link Server service from the Services page using the following steps: 1. Log in to the NetWitness Platform. 2. Go to (Admin) > Services. 3. In the Services list, select the Cloud Link Server service. 4. Click > Start. 5. Additionally, ensure that the internet connection on the Cloud Link Sensor is functioning properly by checking the firewall and network settings. |
See also