Install NetWitness UEBA (Cloud) with an Existing UEBA (On-premises)

If UEBA (On-premises) is already deployed on your NetWitness Platform, you can install NetWitness UEBA (Cloud) and run both simultaneously, because they are independent of each other. However, the User Interface can be connected to only one source at a time.

Running UEBA (On-premises) and UEBA (Cloud) simultaneously can impact performance, because both consume data from the NetWitness Platform. UEBA (Cloud) receives data from the Cloud Link Service installed on the Decoder hosts, and UEBA (On-premises) receives data from the Concentrator or Broker.

Note

This feature is supported in version 11.6.0.0 and later.

Install and Set Up NetWitness UEBA (Cloud)

  1. Install the Cloud Link Service. For more information, see Install Cloud Link Service.

  2. Download the Activation Package. For more information, see Download the Activation package.

  3. Register the Cloud Link Service. For more information, see Register the Cloud Link Service.

  4. Verify that the Cloud Link Service is working. For more information, see Verify if the Cloud Link Service is working.

  5. Enable UEBA (Cloud) data transfer by running the following command:

    nw-manage --enable-cba
    

    This command connects the UEBA (Cloud) to the Admin Server, and the data in the Users page is fetched from the UEBA (Cloud). For more information, see Transfer UEBA (Cloud) data to NetWitness platform.

Note

If you want to receive the data from UEBA (On-premises), run the following command: nw-manage --disable-cba
This command connects the UEBA (On-premises) to the Admin Server and the data in the Users page is fetched from the UEBA (On-premises).

  6. Enable the UEBA (Cloud) incident rules. For more information, see Step 1. Configure Alert Sources to Display Alerts in the Respond View.

Uninstall NetWitness UEBA (Cloud)

  1. Uninstall the Cloud Link Services from the Decoders. For more information, see Uninstall the Cloud Link Service.

  2. Contact NetWitness Customer Support to uninstall all the related tenants and entitlements.

    If you want to reconnect to the UEBA (On-premises), run the following command:

    nw-manage --disable-cba
    

    This command connects the UEBA (On-premises) to the Admin Server, and the data in the Users page is fetched from the UEBA (On-premises).
