Before You Begin
Before installing the Threat Hunting module, ensure you have the necessary infrastructure, gather required configuration details, and review any version-specific requirements. This preparation will help ensure a smooth installation process.
An additional VM is required to install our new Threat Hunting feature.
Prerequisites
-
ECA and Eyeglass system
ECA SetupWorking ECA and Eyeglass with configured nodes. See ECA VM Guide for setup help.
-
ML Module server
ML Server SpecsServer with 4 CPU cores, 16GB RAM, 100GB storage. See ECA VM Guide for VM setup instructions.
For detailed system requirements and network latency considerations, refer to the Machine Learning VM section in the ECA VM Guide.
If you are installing the Threat Hunting module for Eyeglass version 2.12, you must comment out the following block in the Eyeglass SCA config files conf/sync.xml and data/sync.xml, then restart the SCA:
<THEventRetriever IsEnabled="true" IsConfigurable="true" Label="Threat Hunting Task" combine.self="OVERRIDABLE">1 23 * */12 *</THEventRetriever>
To restart the SCA service after making these changes:
- SSH to the Eyeglass appliance as the
adminuser - Switch to root user:
sudo -s(enter admin password when prompted) - Restart the SCA service:
systemctl restart sca - Verify the service status:
systemctl status sca.service
Required Configuration Details
Before starting the installation, gather these essential connection and authentication parameters:
| Required Information | Description | How to Obtain |
|---|---|---|
| ML module IP address and port | Connection details for ML server | Run kubectl -n haproxy-controller get services |
| ECA node IP addresses | All ECA server IPs | See ECA management guide - run ecactl cluster exec hostname -I to list all node IPs |
| Eyeglass server IP | Eyeglass management server address | Check your Eyeglass deployment documentation or run hostname -I on the Eyeglass VM |
| Eyeglass token | Authentication token for API access | Generate through Eyeglass Integrations section |
| Eyeglass public key | RSA public key for secure communication | Run cat /opt/superna/eca/data/common/.secure/rsa/isilon.pub on any ECA node |
| Kafka connection info | Streaming data service details | Run ecactl cluster exec hostname on ECA master to get Kafka node hostnames |