2021-03-21 09:04 AM - edited 2021-03-21 09:05 AM
Looks like RSA still does not have an easy way of grouping entities in the UEBA platform, and I had my fingers crossed this would happen in 11.5.3 when I saw some more adjustments to the UEBA in the post-upgrade path. Has anyone in the community come up with a way to both group these alerts and also grab the event data over the API? We see the alert data, but it is limited.
2021-03-23 05:25 PM - edited 2021-03-23 06:50 PM
While there is not currently a method to extract non-aggregated (i.e.: not in an incident) alert data via API, I can say that work on this need is underway and should be included in an upcoming release.
As for UEBA alert grouping, I have a few modifications I've made to the Respond normalization and aggregation schema files. Some docs and guides for this process here:
In my custom_normalize_ueba_alerts.js file, I have:
```javascript
// Utils is supplied by the Respond normalizer runtime; it is not defined in this file
exports.normalizeAlert = function(headers, rawAlert, normalizedAlert) {
    // normalizedAlert is the copy of ootb normalizer alert, make sure you use
    // normalizedAlert object to update/set the values in your scripts
    var normalized = Object.assign(normalizedAlert);
    // Add custom logic below
    // Build one custom event record per raw event, carrying the UEBA entity name
    // and schema so the alert-level normalizer can flatten them into group-by columns
    var event = {};
    normalized.custom_events = [];
    for (var i = 0; i < rawAlert.events.length; i++) {
        event = generateEventInfo(headers, rawAlert, normalizedAlert.events[i]);
        normalized.custom_events.push(event);
    }
    return normalized;
};

// Helper: the entity name and schema live on the alert, so every event gets the same pair
var generateEventInfo = function(headers, rawAlert, event) {
    var normalizedEvent = {
        entity_name: Utils.stringValue(rawAlert.entityName),
        ueba_schema: Utils.stringValue(rawAlert.schema)
    };
    return normalizedEvent;
};
```
In my custom_normalize_alerts.js file, I have:
```javascript
function normalizeAlert(headers, alert, normalizedAlert) {
    var transformer = null;
    // ...snip.... (source-specific transformer selection, omitted here)
    // Normalize
    var normalized = transformer.normalizeAlert(headers, alert, normalizedAlert);
    // Add custom logic below
    // Flatten the per-event fields set by the UEBA normalizer into single
    // alert-level columns that an aggregation rule can group on
    normalized.groupby_entity_name = Utils.generateFlattenedColumnValue(normalized.custom_events, "entity_name");
    normalized.groupby_ueba_schema = Utils.generateFlattenedColumnValue(normalized.custom_events, "ueba_schema");
    return normalized;
}
```
And in my aggregation_rule_schema.json file, I have:
...snip...
```json
{
    "value": "alert.groupby_entity_name",
    "name": "UEBA Entity Name",
    "type": "textfield",
    "operators": [0, 1, 8, 9, 10, 11, 12, 13],
    "groupBy": true,
    "groupByField": "alert.groupby_entity_name"
},
{
    "value": "alert.groupby_ueba_schema",
    "name": "UEBA Schema Type",
    "type": "textfield",
    "operators": [0, 1, 8, 9, 10, 11, 12, 13],
    "groupBy": true,
    "groupByField": "alert.groupby_ueba_schema"
}
```
...snip...
Once you make these changes, you'll need to restart the respond-server on your Node0 for them to take effect:
```
[root@nwadmin ~]# systemctl restart rsa-nw-respond-server
```
Lastly, in the UI at Configure/Incident Rules, I have different aggregation rules for each schema category (Network: TLS; Users: AUTHENTICATION & FILE & ACTIVE_DIRECTORY; Endpoint: PROCESS & REGISTRY):
[Screenshots: the USER, NETWORK and ENDPOINT incident rules]
All this gets me incidents like this:
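The following is an added, stand-alone example (not code from the post above or from the NetWitness product) that simulates the two custom normalizers end to end, so the flattened group-by columns and the resulting incident grouping can be inspected without a Respond server. The `Utils.stringValue` and `Utils.generateFlattenedColumnValue` helpers are local stand-ins: the real runtime provides them, and their exact behaviour (string coercion; distinct values joined by commas) is an assumption here. The sample alerts are constructed, and `groupAlerts` is a miniature of what a groupBy aggregation rule does, not the rule engine itself.

```javascript
// Stand-ins for the Respond runtime's Utils helpers (behaviour assumed, not known).
var Utils = {
  // Assumed: coerce any value to a string; empty string for null/undefined.
  stringValue: function (v) {
    return v === null || v === undefined ? "" : String(v);
  },
  // Assumed: collect one field from every element of an array into a
  // comma-separated string of distinct, non-empty values.
  generateFlattenedColumnValue: function (items, field) {
    var seen = {};
    var out = [];
    (items || []).forEach(function (it) {
      var val = Utils.stringValue(it[field]);
      if (val !== "" && !seen[val]) { seen[val] = true; out.push(val); }
    });
    return out.join(",");
  }
};

// Mirrors custom_normalize_ueba_alerts.js: one custom event per raw event,
// each carrying the alert's UEBA entity name and schema.
var uebaTransformer = {
  normalizeAlert: function (headers, rawAlert, normalizedAlert) {
    var normalized = Object.assign(normalizedAlert);
    normalized.custom_events = [];
    for (var i = 0; i < rawAlert.events.length; i++) {
      normalized.custom_events.push({
        entity_name: Utils.stringValue(rawAlert.entityName),
        ueba_schema: Utils.stringValue(rawAlert.schema)
      });
    }
    return normalized;
  }
};

// Mirrors the custom logic in custom_normalize_alerts.js: flatten the per-event
// fields into alert-level columns that aggregation rules can group on.
function normalizeAlert(headers, alert, normalizedAlert) {
  var transformer = uebaTransformer; // the real file selects this from the alert source
  var normalized = transformer.normalizeAlert(headers, alert, normalizedAlert);
  normalized.groupby_entity_name = Utils.generateFlattenedColumnValue(normalized.custom_events, "entity_name");
  normalized.groupby_ueba_schema = Utils.generateFlattenedColumnValue(normalized.custom_events, "ueba_schema");
  return normalized;
}

// Miniature of a groupBy aggregation rule: alerts sharing the flattened key
// land in one bucket, i.e. one incident.
function groupAlerts(normalizedAlerts, groupByField) {
  var buckets = {};
  normalizedAlerts.forEach(function (a) {
    var key = a[groupByField];
    if (!buckets[key]) buckets[key] = [];
    buckets[key].push(a);
  });
  return buckets;
}

// Constructed sample UEBA alerts (not real data); events are left empty because
// the normalizer only uses their count.
var SAMPLE_RAW_ALERTS = [
  { entityName: "jdoe",   schema: "AUTHENTICATION", events: [{}, {}] },
  { entityName: "jdoe",   schema: "FILE",           events: [{}] },
  { entityName: "host01", schema: "PROCESS",        events: [{}, {}, {}] }
];

function runSample() {
  var normalizedAlerts = SAMPLE_RAW_ALERTS.map(function (raw) {
    // In Respond, normalizedAlert arrives pre-populated by the OOTB normalizer;
    // here it starts as a copy of the raw events.
    return normalizeAlert({ source: "UEBA" }, raw, { events: raw.events.slice() });
  });
  return {
    alerts: normalizedAlerts,
    byEntity: groupAlerts(normalizedAlerts, "groupby_entity_name"),
    bySchema: groupAlerts(normalizedAlerts, "groupby_ueba_schema")
  };
}

var result = runSample();
Object.keys(result.byEntity).forEach(function (entity) {
  console.log("entity " + entity + ": " + result.byEntity[entity].length + " alert(s) -> one incident");
});
Object.keys(result.bySchema).forEach(function (schema) {
  console.log("schema " + schema + ": " + result.bySchema[schema].length + " alert(s)");
});
```

With the constructed input, the two `jdoe` alerts collapse into a single entity bucket while the schema grouping keeps AUTHENTICATION, FILE and PROCESS apart, which is the difference between grouping on `alert.groupby_entity_name` and on `alert.groupby_ueba_schema` in the rule schema above.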
2021-03-29 10:24 AM
Thanks Josh.
I will review your comments and implement them. I tried to put the new modeling in when I upgraded and it failed. I will look at that and update the blog feed with status later today or tomorrow.