Before You Begin
Before installing the Threat Hunting module, ensure you have the necessary infrastructure, gather required configuration details, and review any version-specific requirements. This preparation will help ensure a smooth installation process.
An additional VM is required to install our new Threat Hunting feature.
Prerequisites
-
ECA and Eyeglass system
ECA SetupWorking ECA and Eyeglass with configured nodes. See ECA VM Guide for setup help.
-
ML Module server
ML Server SpecsServer with 4 CPU cores, 16GB RAM, 100GB storage. See ECA VM Guide for VM setup instructions.
For detailed system requirements and network latency considerations, refer to the Machine Learning VM section in the ECA VM Guide.
If you are installing the Threat Hunting module for Eyeglass version 2.12, you must comment out the following block in the Eyeglass SCA config files conf/sync.xml
and data/sync.xml
, then restart the SCA:
<THEventRetriever IsEnabled="true" IsConfigurable="true" Label="Threat Hunting Task" combine.self="OVERRIDABLE">1 23 * */12 *</THEventRetriever>
To restart the SCA service after making these changes:
- SSH to the Eyeglass appliance as the
admin
user - Switch to root user:
sudo -s
(enter admin password when prompted) - Restart the SCA service:
systemctl restart sca
- Verify the service status:
systemctl status sca.service
Required Configuration Details
Before starting the installation, gather these essential connection and authentication parameters:
Required Information | Description | How to Obtain |
---|---|---|
ML module IP address and port | Connection details for ML server | Run ip addr show to get the IP address. The port is specified during installation. |
ECA node IP addresses | All ECA server IPs | See ECA management guide - run ecactl cluster exec hostname -I to list all node IPs |
Eyeglass server IP | Eyeglass management server address | Check your Eyeglass deployment documentation or run hostname -I on the Eyeglass VM |
Kafka connection info | Streaming data service details | Run ecactl cluster exec hostname on ECA master to get Kafka node hostnames |
System Requirements for Automated Installation
These requirements are specific to the automated installation method available in version 1.1.0 and higher. For manual installation requirements, see the ML Module server specifications above.
Ensure your system meets all requirements before beginning the automated installation. Insufficient resources may cause installation failure or performance issues.
Minimum Version: Version 1.1.0 or higher
Hardware Requirements:
- CPU: 8 cores minimum
- RAM: 32 GB minimum
- Storage: 200 GB minimum
Software Prerequisites:
- Operating System: OpenSUSE Linux (recommended distribution)
- Eyeglass: Version 2.12.1 or higher with ECA cluster configured
- Network Access: Outbound internet connectivity for Docker image downloads and AWS ECR access
- Administrative Access: Root/sudo privileges on the installation server