Version: 2.12.1

Before You Begin

Before installing the Threat Hunting module, ensure you have the necessary infrastructure, gather required configuration details, and review any version-specific requirements. This preparation will help ensure a smooth installation process.

Additional VM for Threat Hunting

The Threat Hunting module runs on its own VM (the ML Module server, described below), separate from the existing Eyeglass and ECA VMs. Provision this additional VM before starting the installation.

Prerequisites

  • ECA and Eyeglass system

    ECA Setup

    Working ECA and Eyeglass with configured nodes. See ECA VM Guide for setup help.

  • ML Module server

    Important

    The Threat Hunting module is currently distributed as an OVA package and is supported only on VMware-based virtualization platforms.

    Support for additional hypervisors is planned and will be introduced in future releases as part of our product roadmap.

    ML Server Specs

    Server with 8 CPU cores, 48GB RAM, 200GB storage. See the ML VM setup instructions section.

    For detailed system requirements and network latency considerations, refer to the Machine Learning VM section in the ECA VM Guide.

Important Note for Eyeglass Version 2.12

If you are installing the Threat Hunting module for Eyeglass version 2.12, you must comment out the following block in the Eyeglass SCA config files conf/sync.xml and data/sync.xml, then restart the SCA:

<THEventRetriever IsEnabled="true" IsConfigurable="true" Label="Threat Hunting Task" combine.self="OVERRIDABLE">1 23 * */12 *</THEventRetriever>

To restart the SCA service after making these changes:

  1. SSH to the Eyeglass appliance as the admin user
  2. Switch to root user: sudo -s (enter admin password when prompted)
  3. Restart the SCA service: systemctl restart sca
  4. Verify the service status: systemctl status sca.service
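The edit and restart described above, as an added shell example (this is not Superna's own tooling). It wraps the THEventRetriever element of a sync.xml in an XML comment, keeps a timestamped backup, preserves the file's permissions, and is safe to re-run. The SCA configuration directory is not stated on this page, so the directory passed to apply_on_appliance is an assumption; the sample sync.xml is constructed for the demonstration and the demonstration never calls systemctl.

```shell
#!/bin/sh
# Comment out the THEventRetriever scheduler entry in an SCA sync.xml and
# restart the SCA. Added example, not Superna's own tooling. The SCA
# directory is not stated on the page, so it is a parameter (assumption).

# comment_out_th_retriever FILE: wrap the single-line THEventRetriever
# element in an XML comment. Idempotent; keeps a timestamped backup.
comment_out_th_retriever() {
    f="$1"
    if grep -q '<!--[[:space:]]*<THEventRetriever' "$f"; then
        echo "already commented out: $f"
        return 0
    fi
    if ! grep -q '<THEventRetriever ' "$f"; then
        echo "no THEventRetriever element found in $f" >&2
        return 1
    fi
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
    # Keep the original indentation. The element contains no "--", the
    # only sequence an XML comment may not contain, so wrapping is safe.
    sed 's#^\([[:space:]]*\)\(<THEventRetriever .*</THEventRetriever>\)[[:space:]]*$#\1<!-- \2 -->#' \
        "$f" > "$f.tmp"
    # Write back through the existing inode so owner/mode are unchanged.
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# restart_sca: steps 1-4 above; run as root on the Eyeglass appliance.
restart_sca() {
    systemctl restart sca && systemctl status sca.service --no-pager
}

# apply_on_appliance SCA_DIR: edit both files named on the page, then
# restart. Not invoked by the demonstration below.
apply_on_appliance() {
    for rel in conf/sync.xml data/sync.xml; do
        comment_out_th_retriever "$1/$rel" || return 1
    done
    restart_sca
}

# make_sample_sync_xml FILE: a constructed stand-in for sync.xml holding
# the element quoted on the page plus one unrelated sibling element.
make_sample_sync_xml() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Config>
    <THEventRetriever IsEnabled="true" IsConfigurable="true" Label="Threat Hunting Task" combine.self="OVERRIDABLE">1 23 * */12 *</THEventRetriever>
    <OtherTask IsEnabled="true">0 * * * *</OtherTask>
</Config>
EOF
}

# Demonstration on a temporary copy (no systemctl involved).
demo_dir=$(mktemp -d)
make_sample_sync_xml "$demo_dir/sync.xml"
comment_out_th_retriever "$demo_dir/sync.xml"
comment_out_th_retriever "$demo_dir/sync.xml"   # second run is a no-op
grep -n 'THEventRetriever' "$demo_dir/sync.xml"
rm -rf "$demo_dir"
```

On the appliance, run the script as root and call apply_on_appliance with the SCA directory; check the backup files it leaves next to each sync.xml before confirming the restart with systemctl status sca.service.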

Required Configuration Details

Before starting the installation, gather these essential connection and authentication parameters:

Required information, what it is, and how to obtain it:

  • ML module IP address and port
    Description: Connection details for the ML server.
    How to obtain: Run ip addr show on the ML VM to get the IP address. The port is specified during installation.

  • ECA node IP addresses
    Description: The IP addresses of all ECA nodes.
    How to obtain: See the ECA management guide, or run ecactl cluster exec hostname -I to list the IPs of all nodes.

  • Eyeglass server IP
    Description: The address of the Eyeglass management server.
    How to obtain: Check your Eyeglass deployment documentation, or run hostname -I on the Eyeglass VM.

  • Kafka connection info
    Description: Details of the streaming data service.
    How to obtain: On the ECA master, run ecactl cluster exec docker exec kafka cat ./config/server.properties | grep listeners= to get the Kafka node hostnames.

  • Appliance ID
    Description: The platform identifier of the Eyeglass appliance.
    How to obtain: Run igls admin appid on the Eyeglass server.

System Requirements and ML VM Installation

warning

Ensure your system meets all requirements before beginning the automated installation. Insufficient resources may cause installation failure or performance issues.

Minimum Version: Version 1.1.1 or higher

Hardware Requirements:

  • CPU: 8 cores minimum
  • RAM: 48 GB minimum
  • Storage: 200 GB minimum

Software Prerequisites:

  • Operating System: OpenSUSE Linux
    • You need to deploy an OpenSUSE VM downloaded from the Superna software downloads page: https://support.superna.net/
    • Name: Superna Kubernetes OVF
    • Version: latest
  • Eyeglass: Version 2.12.1 or higher with ECA cluster configured
  • Administrative Access: Root/sudo privileges on the installation server
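A preflight script for the hardware and software prerequisites above, as an added example (not part of the Superna installer). It measures CPU cores, memory and the size of the filesystem the installer will write to, compares them with the minimums on this page, checks that the OS identifies itself as openSUSE and that the caller is root or has passwordless sudo. The comparison logic takes its values as arguments so it can be exercised without a 48 GB host; the page states a VM storage total, so checking one filesystem is an approximation of that figure.

```shell
#!/bin/sh
# Preflight check for the ML (Threat Hunting) VM against the minimums on
# this page: 8 CPU cores, 48 GB RAM, 200 GB storage, openSUSE, root/sudo.
# Added example; not part of the Superna installer. Assumes Linux /proc
# and coreutils.

MIN_CPU=8
MIN_RAM_GB=48
MIN_DISK_GB=200

# --- measurement helpers --------------------------------------------------
cpu_cores() { nproc 2>/dev/null || getconf _NPROCESSORS_ONLN; }

ram_gb() {
    # MemTotal is in KiB; integer-divide to GiB.
    awk '/^MemTotal:/ { printf "%d\n", $2 / 1048576 }' /proc/meminfo
}

disk_gb() {
    # Size in GiB of the filesystem holding PATH (default /). The page
    # gives a VM storage total; pass the path the installer will use.
    df -Pk "${1:-/}" | awk 'NR == 2 { printf "%d\n", $2 / 1048576 }'
}

os_id() { sed -n 's/^ID=//p' /etc/os-release 2>/dev/null | tr -d '"'; }

# --- comparison logic (pure; values passed as arguments) ------------------
# check_min ACTUAL MINIMUM LABEL -> returns 0 if ACTUAL >= MINIMUM
check_min() {
    if [ "$1" -ge "$2" ]; then
        printf 'OK    %-8s %6s (minimum %s)\n' "$3" "$1" "$2"
    else
        printf 'FAIL  %-8s %6s (minimum %s)\n' "$3" "$1" "$2"
        return 1
    fi
}

# evaluate_resources CPU RAM_GB DISK_GB -> 0 only if all three meet minimums
evaluate_resources() {
    rc=0
    check_min "$1" "$MIN_CPU"     cpu     || rc=1
    check_min "$2" "$MIN_RAM_GB"  ram_gb  || rc=1
    check_min "$3" "$MIN_DISK_GB" disk_gb || rc=1
    return $rc
}

# preflight [PATH]: measure this host and report; non-zero on any FAIL.
preflight() {
    evaluate_resources "$(cpu_cores)" "$(ram_gb)" "$(disk_gb "${1:-/}")"
    rc=$?
    osid=$(os_id)
    case "$osid" in
        opensuse*) printf 'OK    %-8s %s\n' os "$osid" ;;
        *) printf 'FAIL  %-8s %s (expected the openSUSE image from the Superna downloads page)\n' \
               os "${osid:-unknown}"; rc=1 ;;
    esac
    # sudo -n only proves passwordless sudo; a password prompt is not a
    # failure, so report it as a warning rather than a FAIL.
    if [ "$(id -u)" -eq 0 ] || sudo -n true 2>/dev/null; then
        printf 'OK    %-8s root or passwordless sudo\n' privs
    else
        printf 'WARN  %-8s not root; run the installer with sudo\n' privs
    fi
    return $rc
}

# Run the check only when invoked with --check, so the functions can be
# sourced and reused without side effects.
if [ "${1:-}" = "--check" ]; then
    preflight "${2:-/}"
fi
```

Run it on the ML VM as sh ml_preflight.sh --check /path/where/the/installer/writes; a non-zero exit means at least one FAIL line, which should be resolved before starting the automated installation.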

Download Requirements

You have to download the following components from the Superna software downloads page: https://support.superna.net/.

  • Threat Hunting installer: Required for module deployment and automation
  • Version: latest