Cloud Link Service Overview
NetWitness Cloud Link Service enables you to use the NetWitness Detect AI solution and its features by providing a secure transport mechanism between existing NetWitness Platform hosts (Decoders) and the NetWitness Detect AI service. For example, to perform analytics in NetWitness Detect AI, you must install and register the Cloud Link Service on at least one Log Decoder host.
Cloud Link Service is a sensor that you must install and register on your on-premises host to:
- Transfer metadata from the hosts (such as Decoders) in your on-premises deployment to NetWitness Detect AI for analysis and investigation.
- Transfer alerts generated in NetWitness Detect AI to your on-premises NetWitness Platform Respond server for incident management.
You can install Cloud Link Service on the following host types:
- Log Decoder
- Log Hybrid
- Endpoint Log Hybrid
- Log Hybrid Retention
- Cloud Link Service and the hosts must be on version 18.104.22.168 or later.
- You must install a separate Cloud Link Service for each host.
- To support endpoint-related queries, Cloud Link Service must be on version 22.214.171.124 or later.
Cloud Link Service Architecture
This section provides information on how data is transferred using Cloud Link Service:
Single Deployment: Data Transfer
- Cloud Link Service fetches all the metadata from the host (for example, a Log Decoder).
- The Cloud Link Service filters metadata from the following data sources:
- Active Directory
- Cloud Link Service collects only the matching metadata, compresses it, and transfers it to NetWitness Detect AI through a secure channel.
NOTE: Cloud Link Service ensures that no data is lost during temporary network issues or outages. If an outage lasts more than 7 days, data older than 7 days is not considered.
Multiple Deployment: Data Transfer
Data Transfer from NetWitness Detect AI
NetWitness Detect AI transfers the alerts it generates to the on-premises NetWitness Platform Respond server, where they can be viewed in the user interface for incident management.