The initial setup is complex. It requires some knowledge in order to set it up. If one is the most difficult and ten is the easiest, I would rate it a three out of ten. It's quite complex. Initially, we need to prepare the hardware boxes, whether they are physical or virtual or offered as a service. This involves imaging them with the appropriate functions for the module. Then, for network packet capture, the mirror ports must be connected to the packet capture box. Regarding logs, the configuration process involves making NetWitness boxes communicate with each other through the appropriate protocols and ports. Following this, the next step involves configuring the log sources to send logs to the log box. This process requires the appropriate rules to be configured to initiate log transmission and generate metadata by appropriate parsers on NetWitness. After the setup, the focus shifts to building correlation rules, alerts, and other monitoring activities. These rules and alerts are crucial components for effective monitoring. The deployment process can vary based on the specific environment and requirements, but typically it takes about one to two weeks to complete. Maintaining the solution doesn't require a large number of resources. Typically, one or two capable resources are sufficient to maintain the solution effectively. It's important to continuously monitor and ensure the health and proper functioning of the solution. This involves regularly checking the log sources to ensure that the logs are being ingested correctly and there are no issues such as overutilization or spikes in network traffic.
