Skip to main content
Version: 2.12.1

Before You Begin

Before installing the Threat Hunting module, ensure you have the necessary infrastructure, gather required configuration details, and review any version-specific requirements. This preparation will help ensure a smooth installation process.

Additional VM for Threat Hunting

An additional VM is required to install our new Threat Hunting feature.

Prerequisites

  • ECA and Eyeglass system

    ECA Setup

    Working ECA and Eyeglass with configured nodes. See ECA VM Guide for setup help.

  • ML Module server

    ML Server Specs

    Server with 4 CPU cores, 16GB RAM, 100GB storage. See ECA VM Guide for VM setup instructions.

    For detailed system requirements and network latency considerations, refer to the Machine Learning VM section in the ECA VM Guide.

Important Note for Eyeglass Version 2.12

If you are installing the Threat Hunting module for Eyeglass version 2.12, you must comment out the following block in the Eyeglass SCA config files conf/sync.xml and data/sync.xml, then restart the SCA:

<THEventRetriever IsEnabled="true" IsConfigurable="true" Label="Threat Hunting Task" combine.self="OVERRIDABLE">1 23 * */12 *</THEventRetriever>

To restart the SCA service after making these changes:

  1. SSH to the Eyeglass appliance as the admin user
  2. Switch to root user: sudo -s (enter admin password when prompted)
  3. Restart the SCA service: systemctl restart sca
  4. Verify the service status: systemctl status sca.service

Required Configuration Details

Before starting the installation, gather these essential connection and authentication parameters:

Required InformationDescriptionHow to Obtain
ML module IP address and portConnection details for ML serverRun ip addr show to get the IP address. The port is specified during installation.
ECA node IP addressesAll ECA server IPsSee ECA management guide - run ecactl cluster exec hostname -I to list all node IPs
Eyeglass server IPEyeglass management server addressCheck your Eyeglass deployment documentation or run hostname -I on the Eyeglass VM
Kafka connection infoStreaming data service detailsRun ecactl cluster exec hostname on ECA master to get Kafka node hostnames

System Requirements for Automated Installation

info

These requirements are specific to the automated installation method available in version 1.1.0 and higher. For manual installation requirements, see the ML Module server specifications above.

warning

Ensure your system meets all requirements before beginning the automated installation. Insufficient resources may cause installation failure or performance issues.

Minimum Version: Version 1.1.0 or higher

Hardware Requirements:

  • CPU: 8 cores minimum
  • RAM: 32 GB minimum
  • Storage: 200 GB minimum

Software Prerequisites:

  • Operating System: OpenSUSE Linux (recommended distribution)
  • Eyeglass: Version 2.12.1 or higher with ECA cluster configured
  • Network Access: Outbound internet connectivity for Docker image downloads and AWS ECR access
  • Administrative Access: Root/sudo privileges on the installation server