2020-10-09 01:37 PM
Some point I need to know: we need to create rules on ESA, and based on those, alerts will be generated. But how will UEBA help ESA? I mean, do we need to look at UEBA for anomalous behaviour/deviations and then write rules on the SIEM again for fine-tuning the rules, or else will UEBA generate alerts separately that we also need to look for? Another thing is, how will UEBA, SOAR and Threat intel work together to triage alerts and remove false positives? Can you please explain? I am giving you a scenario as an example. Say some brute-force attempt, password cracking and DDoS attempt is done in our network. Whatever malicious activity is done, our SIEM receives the logs. Now how will ESA rules, UEBA, SOAR and Threat intel work together on those logs and give us the best result as an alert on the screen? Please explain it to me. I want to know the step-by-step process. Thanks in advance and sorry for the long question.
2020-10-15 07:48 AM
Dear Md. Mahim Bin Firoj,
Both UEBA and ESA are alert sources for NW's Incident Management. ESA uses a rule-driven approach, whereas UEBA uses unsupervised machine learning to detect threats. You can do any customization in how the various ML models detect threats. With ESA you can use rules to detect specific patterns. You can't put in your own machine learning models unless you involve RSA PS, as it's code-driven work. Using both in your infra helps you get the best of both worlds. Both can consume network, log and endpoint data for their own detection logic. Hope that makes sense now. To improve alert fidelity, organizations also use threat intelligence, and to automate response, they use SOAR. TC provides both capabilities in a single product. Once you have TC in your infra you can:
Hope this helps
Thanks
Prashant
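As an added illustration of the split Prashant describes (rule-driven ESA detection, baseline-driven UEBA detection, and threat intelligence raising alert fidelity), the script below runs three small detection layers over a handful of constructed authentication log lines. It is example code written for this thread, not NetWitness, ESA or UEBA code; the log format, user names, IP addresses (TEST-NET ranges), per-user history, thresholds and the TI list are all made up for the demonstration.

```python
"""Added example (not from the original thread or from RSA NetWitness): three detection
layers run over constructed auth log lines.
  - rule-driven (ESA-style): fixed pattern, N failures from one source inside a window
  - baseline deviation (UEBA-style): a user's failure count vs. that user's own history
  - threat-intel enrichment: tag alerts whose source IP is on a constructed TI list
All log lines, user names, IPs, history and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<ISO time> <result> user=<name> src=<ip>"
SAMPLE_LOGS = [
    "2020-10-09T13:30:00 FAIL user=alice src=203.0.113.7",
    "2020-10-09T13:30:05 FAIL user=alice src=203.0.113.7",
    "2020-10-09T13:30:09 FAIL user=alice src=203.0.113.7",
    "2020-10-09T13:30:14 FAIL user=alice src=203.0.113.7",
    "2020-10-09T13:30:20 FAIL user=alice src=203.0.113.7",
    "2020-10-09T13:30:31 FAIL user=alice src=203.0.113.7",
    "2020-10-09T13:45:00 OK user=bob src=198.51.100.4",
    "2020-10-09T14:10:00 FAIL user=bob src=198.51.100.4",
    "2020-10-09T14:10:02 FAIL user=bob src=198.51.100.4",
]

# Constructed per-user history: daily failed-login counts over the prior week (the baseline)
HISTORY = {"alice": [0, 1, 0, 0, 1, 0, 0], "bob": [2, 3, 1, 2, 3, 2, 2]}

# Constructed threat-intel list (a TEST-NET address, not a real indicator)
TI_BAD_IPS = {"203.0.113.7"}


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, result, user_kv, src_kv = line.split()
    return {"ts": datetime.fromisoformat(ts), "result": result,
            "user": user_kv.split("=", 1)[1], "src": src_kv.split("=", 1)[1]}


def esa_rule_brute_force(events, threshold=5, window_s=60):
    """Rule-driven layer: alert when one source produces `threshold` FAILs inside
    `window_s` seconds. A sliding window is kept per source IP; one alert fires at
    the moment the window reaches the threshold."""
    alerts, by_src = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "FAIL":
            continue
        win = by_src[ev["src"]]
        win.append(ev["ts"])
        while (win[-1] - win[0]).total_seconds() > window_s:  # expire old timestamps
            win.pop(0)
        if len(win) == threshold:
            alerts.append({"rule": "brute_force", "src": ev["src"], "user": ev["user"],
                           "count": len(win), "ts": ev["ts"], "priority": "medium"})
    return alerts


def ueba_baseline_anomaly(events, history, z_threshold=3.0):
    """Baseline-deviation layer: compare each user's failures today with that user's
    own history and flag a z-score above `z_threshold`. No fixed pattern is encoded;
    a burst that is normal for one user can still be anomalous for another."""
    today = defaultdict(int)
    for ev in events:
        if ev["result"] == "FAIL":
            today[ev["user"]] += 1
    anomalies = []
    for user, count in today.items():
        hist = history.get(user, [0])
        mu, sigma = mean(hist), pstdev(hist)
        sigma = sigma or 0.5  # constructed floor so a perfectly flat history cannot divide by zero
        score = (count - mu) / sigma
        if score > z_threshold:
            anomalies.append({"rule": "ueba_failed_login_spike", "user": user, "count": count,
                              "baseline_mean": round(mu, 2), "zscore": round(score, 2),
                              "priority": "medium"})
    return anomalies


def enrich_with_ti(alerts, ti_ips):
    """Threat-intel layer: a source IP on the TI list raises the alert's priority.
    This is the fidelity step that would feed a SOAR playbook; alerts without a
    source field (the user-centric UEBA ones here) are passed through unchanged."""
    out = []
    for a in alerts:
        hit = a.get("src") in ti_ips
        out.append({**a, "ti_match": hit, "priority": "high" if hit else a["priority"]})
    return out


def run_pipeline(lines=SAMPLE_LOGS, history=HISTORY, ti_ips=TI_BAD_IPS):
    """Parse, run both detection layers, then enrich everything with TI."""
    events = [parse_line(line) for line in lines]
    return enrich_with_ti(esa_rule_brute_force(events) + ueba_baseline_anomaly(events, history), ti_ips)


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

On the constructed input the rule layer fires once (alice's source reaches five failures within a minute), the baseline layer flags alice because six failures is far above her near-zero daily history, and bob's two failures trigger neither layer because they are both below the fixed threshold and within his normal range. Only the rule alert carries a source IP, so only it picks up the TI match and is raised to high priority; that difference is the practical reason the thread's later answer puts TI on the log collectors rather than in UEBA.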
2020-10-17 03:06 AM
Thank you dear Prashant Mishra for the reply. I am clear now. One more thing, where do we need to integrate threat intel? With UEBA or with Log collector?
2020-10-20 09:03 AM
You will push the intelligence into the log collectors. UEBA doesn't consume TI.
2020-10-29 07:05 AM
Thank you, dear, and sorry for the late response... OK, that means UEBA analyses the logs from the SIEM and compares them with threat intelligence. Correct me if I am wrong.