How to Install Detect AI with an existing on-premise UEBA

If you have UEBA deployed on your on-premise NetWitness Platform, you can install Detect AI and run both simultaneously, because they are independent of each other. However, the User Interface can be connected to only one source at a time.

Running on-premise UEBA and Detect AI simultaneously can impact performance, because both consume data from the NetWitness Platform. Detect AI receives data from the Cloud Link Service installed on Log Decoder hosts, and the on-premise UEBA receives data from the Concentrator or Broker.

Note: This feature is supported in version 11.6.0.0 and later.

Install and Setup Detect AI:

  1. Install the Cloud Link Service. For more information, see How to install Cloud Link Service.

  2. Download the Activation Package. For more information, see How to download the activation package.

  3. Register the Cloud Link Service. For more information, see How to register the Cloud Link Service.

  4. Verify the Cloud Link Service is working. For more information, see How to verify if the Cloud Link Service is working.

  5. Enable Detect AI data transfer by running the following command:

    nw-manage --enable-cba

    This command connects Detect AI to the on-premise Admin Server, and the data in the Users page is fetched from Detect AI. For more information, see How to transfer Detect AI data to RSA NetWitness platform.

    Note: If you want to receive the data from on-premise UEBA, run the following command:

    nw-manage --disable-cba

    This command connects the UEBA to the Admin Server, and the data in the Users page is fetched from the on-premise UEBA.

  6. Enable the Detect AI incident rules. For more information, see Step 1. Configure Alert Sources to Display Alerts in the Respond View.

Uninstall Detect AI:

  1. Uninstall the Cloud Link Services from the Log Decoders. For more information, see How to delete Cloud Link Service.

  2. Contact the NetWitness Support team to uninstall all the related tenants and entitlements.

    If you want to reconnect to the on-premise UEBA, run the following command:

    nw-manage --disable-cba

    This command connects the UEBA to the Admin Server and fetches the data in the Users page from the on-premise UEBA.


© 2020 RSA Security LLC or its affiliates. All Rights Reserved.