Cloud Link Service Overview

NetWitness Cloud Link Service enables you to use the NetWitness UEBA solution and its features by providing a secure transportation mechanism between existing NetWitness Platform hosts (Decoders) and the NetWitness UEBA service. Example: to perform analytics on the NetWitness UEBA, you must install and register the Cloud Link Service on at least one Decoder host.

Cloud Link service is a sensor that you must install and register on your on-premise host to:

• Transfers metadata from the host (such as Decoders) in your on-premises deployment to the NetWitness UEBA for analysis and investigation.
• Transfer alerts generated in NetWitness UEBA to your on-premises NetWitness Platform Respond server for incident management.

You can install Cloud Link Service on the following host types:

• Log Decoder
• Log Hybrid
• Endpoint Log Hybrid
• Log Hybrid Retention

Cloud Link Service Architecture

This section provides information on how data is transferred using Cloud Link Service:

Single Deployment: Data Transfer

1. Cloud Link Service fetches all the metadata from the host. For example: Log Decoder.
2. The Cloud Link Service filters metadata from the following data sources:
   • Active Directory
   • Authentication
   • File
   • Process
   • Registry
3. Cloud Link Service collects only matching metadata, compresses the matching metadata, and transfers it to NetWitness UEBA through a secure channel.

Multiple Deployment: Data Transfer

Data Transfer from NetWitness UEBA

NetWitness platform transfers the alerts generated to the on-premises NetWitness Platform Respond server which can be viewed on the user interface for incident management.

See also

• Install Cloud Link Service
• Plan your Considerations to Install Cloud Link Service