Plan your Considerations to Install Cloud Link Service

Before you install the Cloud Link Service, you must plan for the following:

  • The NetWitness Platform (Decoder Host) is on version 11.5.2 or later.
  • Ensure you have at least 8 GB of memory on your host.
  • Ensure that the system clock is accurate. To fix the system clock, configure the NTP server on the Admin server. For more information on how to configure NTP server, see Configure NTP Servers.
  • Ensure that you have the administrator access to the NetWitness Cloud Portal user interface.
  • If you have an existing UEBA (On-premises) host deployed in your environment and you plan to move to NetWitness UEBA (Cloud), you need to remove the host from the Admin server and stop the airflow-scheduler service on the UEBA (On-premises) host. If you plan to run UEBA (Cloud) and UEBA (On-premises) simultaneously, see Install NetWitness UEBA (Cloud) with an Existing UEBA (On-premises).
  • The host on which the Cloud Link Service will be installed needs to be connected to Amazon Web Services(AWS). This might require changes to your existing firewall rules. Hosts will need to connect to the IP ranges for the chosen deployment region. For more information on the current list of AWS IPs by region, see AWS IP address ranges.
  • Open TCP port 443 to allow outbound network traffic.
  • Ensure you have configured the Azure Monitor plugin in your deployment. This enables UEBA to run a query for Azure AD log events for monitoring purposes in the correct format. For more information on how to configure the Azure Monitor plugin, see the Azure Monitor Event Source Configuration Guide.
  • (Optional) Ensure that you configure the proxy settings from NetWitness Platform version 11.5.3 or later, before installing the Cloud link Service. For more information, see Configure the Proxy for the Cloud Link Service.

Important

  • From version 12.4 or later, NetWitness no longer supports CentOS 7 and only supports Alma OS. As a result, upgrading only the Cloud Link Sensor from a lower version (12.3.1 or older) to 12.4 is not possible. To resolve this issue, we recommend upgrading all NetWitness Platform services to version 12.4. This step ensures a successful upgrade for the sensors. For more information on upgrade, see NetWitness Upgrade Guide 12.4.
  • For users onboarded on version 12.4, you must follow the installation procedure to deploy the sensors on the decoders. For more information, see Install Cloud Link Service.

To understand the deployment of the Cloud Link Service, see Cloud Link Service Architecture.

Note

Data will be fetched from only the host (Example: Decoder) on which the Cloud Link Service is installed.

You can install Cloud Link Service on the following hosts:

Model Category
S5/S6/S6E/Virtual
Cloud (AWS, Azure, GCP)
Log Hybrid
Log Decoder
Endpoint Log Hybrid
Log Hybrid Retention
Virtual Log Decoder
Virtual Log Hybrid

See also