Before You Begin
Before installing the Threat Hunting module, ensure you have the necessary infrastructure, gather required configuration details, and review any version-specific requirements. This preparation will help ensure a smooth installation process.
An additional VM is required to install our new Threat Hunting feature.
Prerequisites
- ECA and Eyeglass system
  ECA Setup: A working ECA and Eyeglass installation with configured nodes. See the ECA VM Guide for setup help.
- ML Module server
  Important: The Threat Hunting module is currently distributed as an OVA package and is supported only on VMware-based virtualization platforms.
  Support for additional hypervisors is planned and will be introduced in future releases as part of our product roadmap.
  ML Server Specs: A server with 8 CPU cores, 48GB RAM, and 200GB storage. See the ML VM setup instructions section.
For detailed system requirements and network latency considerations, refer to the Machine Learning VM section in the ECA VM Guide.
If you are installing the Threat Hunting module for Eyeglass version 2.12, you must comment out any lines that start with the <THEventRetriever> XML tag in the Eyeglass SCA configuration files conf/sync.xml and data/sync.xml, which are located under the parent path /opt/superna/sca.
Note that the cron expression values inside this tag may vary depending on your environment configuration.
After commenting out the appropriate line(s), restart the SCA service.
Example:
<THEventRetriever IsEnabled="true" IsConfigurable="true" Label="Threat Hunting Task" combine.self="OVERRIDABLE">1 23 * */12 *</THEventRetriever>
To restart the SCA service after making these changes:
- SSH to the Eyeglass appliance as the admin user
- Switch to the root user: sudo -s (enter the admin password when prompted)
- Restart the SCA service: systemctl restart sca
- Verify the service status: systemctl status sca.service
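The edit-and-restart procedure above can be scripted so that it is repeatable and leaves a backup. The following is an added example and is not part of the Superna documentation or tooling; it assumes that each THEventRetriever element occupies a single line (as in the example above), that the files are the two sync.xml paths named above, and that xmllint, if present, can be used for an optional well-formedness check.

```shell
#!/bin/sh
# Added example (not Superna's own tooling) for the Eyeglass 2.12 pre-install step.
# Assumptions: each <THEventRetriever ...>...</THEventRetriever> element sits on one
# line, and the target files are /opt/superna/sca/conf/sync.xml and
# /opt/superna/sca/data/sync.xml as named in the documentation.

# Wrap every line whose first non-blank characters are "<THEventRetriever" in an
# XML comment, keeping a timestamped backup first. Lines that are already commented
# start with "<!--", so they do not match the address and the function is safe to
# run more than once.
comment_out_th_retriever() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp="$file.tmp.$$"
    sed -e '/^[[:space:]]*<THEventRetriever/s/^\([[:space:]]*\)\(.*\)$/\1<!-- \2 -->/' "$file" > "$tmp" \
        && mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
    # Optional check that the file is still well-formed XML when libxml2's xmllint exists.
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$file" || return 1
    fi
}

# Number of still-active (uncommented) THEventRetriever lines; 0 means the edit is complete.
count_active_th_lines() {
    n=$(grep -c '^[[:space:]]*<THEventRetriever' "$1" || true)
    echo "$n"
}

# Restart and verify the SCA service, as the documentation describes (run as root).
restart_sca() {
    systemctl restart sca && systemctl status sca.service --no-pager
}

# Usage on the appliance after "sudo -s":
#   sh this_script.sh /opt/superna/sca/conf/sync.xml /opt/superna/sca/data/sync.xml
if [ $# -gt 0 ]; then
    for f in "$@"; do
        comment_out_th_retriever "$f" || exit 1
    done
    restart_sca
fi
```

The sed address only matches lines that begin with the tag, so running the script a second time does not double-wrap an already commented line; the backup copy is what to restore if the service fails its status check afterwards.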
Required Configuration Details
Before starting the installation, gather these essential connection and authentication parameters:
Commands to run on the Threat Hunting VM
| Required Information | Description | How to Obtain |
|---|---|---|
| ML module IP address and port | Connection details for ML server | Run ip addr show to get the IP address. The port is specified during installation. |
Commands to run on ECA node1
| Required Information | Description | How to Obtain |
|---|---|---|
| ECA node IP addresses | All ECA server IPs | See ECA management guide - run ecactl cluster exec hostname -I to list all node IPs |
| Kafka connection info | Streaming data service details | Run ecactl cluster exec docker exec kafka cat ./config/server.properties \| grep listeners= on the ECA master to get the Kafka node hostnames |