Planning Considerations for Installing Cloud Link Service
Before you install the Cloud Link Service, you must plan for the following:
- The NetWitness Platform XDR (Log Decoder Host) is on version 11.5.2 or later.
- Ensure you have at least 8 GB of memory on your host.
- Ensure that the system clock is accurate. To fix the system clock, configure the NTP server on the Admin server. For more information on how to configure NTP server, see Configure NTP Servers.
- Ensure you have the administrator access to the NetWitness Detect AI user interface.
- If you have an existing on-premises UEBA host deployed in your environment and you plan to move to Detect AI, you need to remove the host from the Admin server and stop the airflow-scheduler service on the UEBA host. If you plan to run UEBA and Detect AI simultaneously, see Install Detect AI with an existing on-premises UEBA.
- The host on which the Cloud Link Service will be installed needs to be connected to Amazon Web Services(AWS). This might require changes to your existing firewall rules. Hosts will need to connect to the IP ranges for the chosen deployment region. For more information on the current list of AWS IPs by region, see AWS IP address ranges.
- Open TCP port 443 to allow outbound network traffic.
- Ensure you have configured the Azure Monitor plugin in your deployment. This enables Detect AI to run a query for Azure AD log events for monitoring purposes in the correct format. For more information on how to configure the Azure Monitor plugin, see the Azure Monitor Event Source Configuration Guide.
- (Optional) Ensure that you configure the proxy settings from NetWitness Platform version 11.5.3 or later, before installing the Cloud link Service. For more information, see Configure the proxy for the Cloud Link Service.
To understand the deployment of the Cloud Link Service, see Cloud Link Service Architecture.
NOTE: Data will be fetched from only the host (Example: Log Decoder) on which the Cloud Link Service is installed.
You can install Cloud Link Service on the following hosts:
Cloud (AWS, Azure, GCP)
Endpoint Log Hybrid
Log Hybrid Retention
Virtual Log Decoder
Virtual Log Hybrid