Administrators perform the following tasks to install the Cloud Link Service successfully:

  1. Install Cloud Link Service
  2. Download the Activation Package
  3. Register the Cloud Link Service
  4. Verify if the Cloud Link Service is working
  5. Transfer Detect AI data to NetWitness Platform XDR

You can install the Cloud Link Service on the following host types:

  • Log Decoder
  • Log Hybrid
  • Endpoint Log Hybrid
  • Log Hybrid Retention

Prerequisites

Ensure that the NetWitness Platform XDR and the host (Decoder) are on version 11.5.2.0 or later.

NOTE: Data is fetched only from the host (for example, Log Decoder) on which the Cloud Link Service is installed.

To install the Cloud Link Service

  1. Log in to the NetWitness Platform XDR as an administrator and go to Admin > Hosts.

    The Hosts view is displayed.

  2. Select a host (for example, Log Decoder) and click the install button.

    The Install Services dialog is displayed.

  3. Select the Cloud Link Service from the Category drop-down menu, and click Install.

  4. Log in to the NetWitness Platform XDR, and go to Admin > Services to verify that the Cloud Link Service was installed successfully.

Download the Activation Package

You need the activation package to register the Cloud Link Service with NetWitness Detect AI. You download the package from NetWitness Detect AI, and you can use it on every host with the Cloud Link Service that you want to register.

To download the activation package

  1. Log in to the NetWitness Detect AI.
  2. Go to Admin > Sensors > Sensor Configuration.
  3. Under Download Activation Package, click the generate icon to generate the activation package.
  4. Click the download icon to download the activation package.

Registration of Cloud Link Service requires copying the activation package to the Cloud Link Service directory, and setting up the required permissions. Once this is completed, the Cloud Link Service will be registered automatically.

NOTE:

  • The same activation package can be used for multiple registrations.
  • Ensure you use the most recently downloaded activation package.

Prerequisites

Ensure that the system clock is accurate. To fix the system clock, configure the NTP server on the Admin server. For more information on how to configure the NTP server, see Configure NTP Servers.

To register the Cloud Link Service

  1. SSH to the host on which the Cloud Link Service is installed.

  2. Copy the device-activation-package.json file downloaded from the NetWitness Platform on the cloud to the /root or /temp directory on the Cloud Link Service host.

  3. Change the user and group of the device-activation-package.json file to netwitness by executing the following command:

          chown netwitness:netwitness device-activation-package.json
       

IMPORTANT: Avoid using the cp command to add files under the /var/lib/netwitness/cloud-link-server directory. The cp command changes the user and group to root, which can cause the Cloud Link Service registration to fail.

  4. Move the device-activation-package.json file to the Cloud Link Service directory by executing the following command:

          mv device-activation-package.json /var/lib/netwitness/cloud-link-server/

  5. To verify if Cloud Link Service is registered successfully, log in to the NetWitness Platform on the cloud, and check the status of the Cloud Link Service. For more information, see Verify if the Cloud Link Service is working.

NOTE: If you want to re-register a Cloud Link Service with a different activation package, first remove the Cloud Link Service from the NetWitness Platform sensor list on the cloud, and then uninstall Cloud Link Service on the NetWitness Platform. For more information about deleting the Cloud Link Service, see Delete Cloud Link Service.
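
The chown and mv commands from the registration procedure above, wrapped in a script that re-checks ownership once the file is in the Cloud Link Service directory, since a root-owned package is the failure the IMPORTANT note warns about. This is an added example, not NetWitness tooling; the function names are hypothetical and GNU stat is assumed on the host.

```shell
#!/bin/sh
# Added example (not NetWitness tooling): stage the activation package and
# confirm its ownership survived the move. Function names are hypothetical.
CLS_DIR="/var/lib/netwitness/cloud-link-server"   # directory from the procedure
CLS_OWNER="netwitness:netwitness"                 # owner the procedure requires

# Print "user:group" for a file (GNU stat, assumed present on the host).
owner_of() {
    stat -c '%U:%G' "$1"
}

# Return 0 if FILE is owned by EXPECTED, 1 on mismatch, 2 if it cannot be read.
check_owner() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 2; }
    actual=$(owner_of "$1") || return 2
    if [ "$actual" != "$2" ]; then
        echo "wrong owner on $1: $actual (expected $2)" >&2
        return 1
    fi
    return 0
}

# chown first, then mv (never cp), then re-check the file where the service reads it.
stage_package() {
    src=$1; dest_dir=$2; owner=$3
    [ -f "$src" ] || { echo "missing file: $src" >&2; return 2; }
    [ -d "$dest_dir" ] || { echo "missing directory: $dest_dir" >&2; return 2; }
    chown "$owner" "$src" || return 1
    mv "$src" "$dest_dir/" || return 1
    check_owner "$dest_dir/$(basename "$src")" "$owner"
}

# Run only when given the path of the downloaded package, for example:
#   sh stage-package.sh /root/device-activation-package.json
if [ "$#" -ge 1 ]; then
    stage_package "$1" "$CLS_DIR" "$CLS_OWNER"
fi
```

A non-zero exit status means the package is missing or not owned by netwitness:netwitness in the destination directory.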

You can check the status of the NetWitness Platform Sensor List on the cloud to verify the successful registration of the Cloud Link Service. The status must show as Connected for the Cloud Link Service to start transferring data. You can use this status to monitor the Cloud Link Service and troubleshoot registration failures.

To verify the status of the Cloud Link Service

  1. Log in to the NetWitness Detect AI.
  2. Go to Admin > Sensors > Sensor List.
    The following information is displayed for every Cloud Link Service registered in your deployment:

    Detail          Description
    Hostname        The host on which the Cloud Link Service is installed. Example: Endpoint Log Hybrid.
    Status          Status of the Cloud Link Service:
                    - Registered: The Cloud Link Service is registered successfully.
                    - Connected: The Cloud Link Service is connected and operating normally.
                    - Disconnected: The Cloud Link Service is not connected.
                    - Connecting: The Cloud Link Service starts connecting.
    Sensor Version  The installed version of the sensor. Example: 11.7.0.
    Device Type     Type of sensor that is installed and registered. Example: CLOUD_LINK.
    Uptime          Displays the sensor’s uptime and downtime.

Transfer Detect AI data to NetWitness Platform XDR

If you want to view the Detect AI data on your NetWitness Platform user interface, you must configure the data transfer from the cloud to the Admin server. Perform the following steps:

IMPORTANT: This step should be performed only once after you register the Cloud Link Service for the first time.

  1. SSH to the Admin server.

  2. Execute the following command:

     
          nw-manage --enable-cba