What are the planning considerations for the Cloud Link Service?
Before you install the Cloud Link Service, you must plan for the following:
- The NetWitness Platform (Log Decoder Host) is on version 11.5.2 or later
- Ensure you have at least 8 GB of memory on your host
- Ensure that the system clock is accurate. To fix the system clock, configure the NTP server on the Admin server. For more information on how to configure the NTP server, see Configure NTP Servers.
- Ensure you have administrator access to the NetWitness Platform on the cloud user interface
- If you have an existing on-premise UEBA host deployed in your environment, you must remove the host from the Admin server and stop the airflow-scheduler service on the UEBA host
- The host on which the Cloud Link Service will be installed needs to be connected to Amazon Web Services (AWS). This might require changes to your existing firewall rules. Hosts will need to connect to the IP ranges for the chosen deployment region. For more information on the current list of AWS IPs by region, see AWS IP address ranges.
- Open TCP port 443 to allow outbound network traffic
- Ensure you have configured the Azure Monitor plugin in your deployment. This enables Detect AI to run a query for Azure AD log events for monitoring purposes in the correct format. For more information on how to configure the Azure Monitor plugin, see the Azure Monitor Event Source Configuration Guide.
- (Optional) Ensure that you configure the proxy settings from NetWitness Platform version 11.5.3 or later, before installing the Cloud Link Service. For more information, see How to configure the proxy for the Cloud Link Service.
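The following added example (not part of the NetWitness documentation) shows one way to turn the AWS connectivity requirement above into a reviewable outbound allow-list: it filters a document in the published AWS ip-ranges.json layout to one region, collapses the prefixes, and checks a destination against the result on TCP 443. The function names, the sample region `us-east-1`, the choice of the `AMAZON` service entries, and the sample prefixes (documentation ranges, not real AWS addresses) are assumptions.

```python
import ipaddress
import json

# Constructed sample in the ip-ranges.json layout. The prefixes are
# RFC 5737 documentation ranges, not real AWS addresses.
SAMPLE = json.loads("""
{
  "syncToken": "0",
  "createDate": "2000-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "192.0.2.0/25", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "192.0.2.128/25", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "192.0.2.0/25", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "AMAZON"}
  ]
}
""")


def region_networks(doc, region, service="AMAZON"):
    """Return the collapsed IPv4 networks listed for one region.

    Assumption: the AMAZON service entries are used as the allow-list
    source; the page does not say which AWS services are contacted.
    """
    nets = set()
    for entry in doc.get("prefixes", []):
        if entry.get("region") == region and entry.get("service") == service:
            nets.add(ipaddress.ip_network(entry["ip_prefix"]))
    # Merge adjacent and duplicate prefixes so the rule set stays short.
    return list(ipaddress.collapse_addresses(nets))


def egress_allowed(dest_ip, port, networks, allowed_port=443):
    """True only if the destination is in the region list and on TCP 443."""
    addr = ipaddress.ip_address(dest_ip)
    return port == allowed_port and any(addr in net for net in networks)


if __name__ == "__main__":
    allowed = region_networks(SAMPLE, "us-east-1")
    for net in allowed:
        print(f"allow outbound tcp/443 to {net}")
    print(egress_allowed("192.0.2.200", 443, allowed))
```

Because AWS updates its published ranges over time, regenerate the list from the current file and diff it against the deployed firewall rules before each change.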
To understand the deployment of the Cloud Link Service, see How the Cloud Link Service works.
Note: Data will be fetched from only the host (Example: Log Decoder) on which the Cloud Link Service is installed.
You can install Cloud Link Service on the following hosts:
- Cloud (AWS, Azure, GCP)
- Endpoint Log Hybrid
- Log Hybrid Retention
- Virtual Log Decoder
- Virtual Log Hybrid