Monitor Health and Wellness of UEBA

You can view the status of the UEBA host in the Users > OVERVIEW tab.

The UEBA system should generate at least one alert weekly. If the system stops generating alerts for seven days or more, advanced monitoring is required to check statistics such as the total number of events versus successful events and the total number of alerts generated.

Advanced monitoring is enabled through two third-party tools prepackaged in NetWitness: Kibana and Airflow.

Access Kibana

To access Kibana, go to https://<UEBA_host>/kibana/app/kibana#/ and enter the user name and password. The Dashboard is displayed.

Access Airflow

To access Airflow, go to https://<UEBA_host>/admin/ and enter the user name and password. The DAGs view is displayed.

Note: The Kibana and Airflow web server user interface password is the same as the deploy_admin password. Make sure that you record this password and store it in a safe location.

Kibana

Kibana is an open source analytics and visualization platform. You can monitor the health of UEBA through various dashboards:

Overview Dashboard

The Overview dashboard provides statistics about users, entities, alerts, and indicators, such as:

  • The types of alerts generated, and the distribution of alerts by severity (Low, Medium, High, Critical).
  • The total number of active entities and how many alerts were generated for those entities.
  • The number of indicators and events processed.
  • Pie charts of entity score severity and of alert classification.
  • A daily alert histogram, showing the total number of alerts per severity triggered over time.

Configure Select Entity Type drop-down Filter

You can view the data for a specific entity after configuring and applying the Select Entity Type drop-down filter in Kibana Dashboard > Overview.

To configure the Select Entity Type drop-down filter:

  1. Remove the Invalid visualization type "dropdownpicker" panel:

    • Go to Kibana, click Dashboards > Overview.

    • Click Edit and then click the panel settings icon on the Invalid visualization type "dropdownpicker" panel.

    • Click More > Delete from dashboard > Save.

  2. Go to Kibana, click Dashboards > Alerts & Indicators Status.

    The Alerts & Indicators Status dashboard is displayed.

  3. Click Edit > All types > Controls > Options List > Add.

  4. Enter Select Entity Type in the Control Label field.

  5. Select the presidio-output-entity option in the Index Pattern field.

  6. Select entityType from the Field drop-down list.

  7. Click Update.

  8. Click Save and return.

  9. The newly configured Select Entity Type drop-down panel is displayed at the bottom of the Dashboard > Editing Alerts and Indicators Status view. Drag and drop the panel to the top of the page. You can also maximize the panel.

  10. Click Save.

  11. Click Switch to view mode.

To access the Overview dashboard:

  1. Go to Kibana, click Dashboards > Overview.
    The Overview dashboard is displayed with the aggregate results for all entities.

  2. To view the data for a specific entity, select a value from the Select Entity Type drop-down. For example, ja3, sslSubject, or userid.
  3. Adjust the time range on the top-right corner of the page based on your requirement to view the statistics.

System Host overview

The System Host overview dashboard monitors the performance and health of the UEBA host, including:

  • CPU usage.
  • Memory consumption and network usage.
  • Processes consuming CPU and memory, for example MongoDB.
  • Disk usage statistics.
  • Inbound data, the amount of data transferred by users viewing the UEBA UI.
  • Outbound data, the amount of data fetched by UEBA from the Broker or Concentrator.

To access the System Host overview dashboard:

  1. Go to Kibana, click Dashboards > System host overview.
    The System host overview dashboard is displayed.

  2. Adjust the time range on the top-right corner of the page based on your requirement to view the statistics.

Note: During the historical load, the system works with high parallelism, so I/O, CPU, and memory utilization are high. The pace would be 30 logical days four wall clock time. Once the UEBA server is online, resource utilization decreases.

Adapter Dashboard

The Adapter dashboard is used to monitor the following:

  • The distribution of failed events.
  • The total number of events versus successful events.
  • The saved events per schema.

To access the entities, alerts and indicators:

  1. Go to Kibana, click Dashboards > Entities,alerts,indicators.
    The Entities,alerts,indicators dashboard is displayed with aggregate data for all entities.

  2. To view the data for a specific entity, select a value from the Select Entity Type drop-down. For example, ja3, sslSubject, or userid.

To access the Adapter dashboard:

  1. Go to Kibana, click Dashboards > Adapter.
    The Adapter dashboard is displayed.

  2. Adjust the time range on the top-right corner of the page based on your requirement to view the statistics.

Support Dashboard Logical Time

The Support Dashboard Logical Time lets you view statistics by the logical time of the processed events, which is different from the system time, such as:

  • The amount of filtered events over time per schema.
  • The total number of alerts generated.
  • The alert types distribution.
  • The events that are related to an alert.

To access the Support Dashboard Logical Time:

  1. Go to Kibana, click Dashboards > Support Dashboard logical time.
    The Support Dashboard logical time is displayed.

  2. Adjust the time range on the top-right corner of the page based on your requirement to view the statistics.

Support Dashboard System Time

The Support Dashboard System Time lets you monitor, by the system time at which events are processed:

  • The amount of filtered events over time per schema.
  • The total number of alerts generated.
  • The alert types distribution.
  • The events that are related to an alert.

To access the Support Dashboard System Time:

  1. Go to Kibana, click Dashboards > Support Dashboard system Time.
    The Support Dashboard system Time is displayed.

  2. Adjust the time range on the top-right corner of the page to view the statistics.

Scoring and Model Cache

The Scoring and Model cache dashboard provides the capability to view events being scored.

To access the Scoring and Model Cache dashboard:

  1. Go to Kibana, click Dashboards > Scoring and model Cache.
    The Scoring and model cache dashboard is displayed.

  2. Adjust the time range on the top-right corner of the page to view the statistics.

Airflow

Airflow is a tool for describing, executing, and monitoring the UEBA tasks. In Airflow, a DAG is a collection of all the tasks you want to run, organized by schema in a way that reflects their relationships and dependencies. Examples of schemas are Active Directory, Authentication, File, Process, TLS, and Registry. Each schema is divided into two DAGs:

  • The Indicator DAG, which reads events from the Broker and scores them against the models.
  • The Model DAG, which builds the models.

You can monitor the scheduled tasks by seeing how many are successful, failed, or currently running.

There are several DAGs, and each DAG is a workflow.

To monitor UEBA service tasks, perform the following:

  1. Go to Airflow.
    The DAGs view is displayed.
  2. In the DAG Runs section, see the status of the tasks, for example how many tasks are successful, failed, or currently running.
  3. To view the different tasks associated with the DAG, click Tree view.
    The Tree view of the DAG is displayed.
  4. To view the DAG's dependencies and the current status of a specific task in the DAG, click Graph view.
    In the Graph view, hover over a task to see its status.
    For detailed information about a specific task, click the task and then click Task Instance Details.
    The Task Instance Details view is displayed.
    To view the logs of the specific task, click Log.

Note: After you begin to run a DAG, schemas cannot be removed from UEBA; otherwise the process will stop. For more information, see the 'Troubleshooting UEBA Configurations' topic in the UEBA Configuration Guide.
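The two checks this page describes by hand, the weekly-alert expectation at the top of the page and the success/failed/running DAG run status from the Airflow procedure above, as one added monitoring example (not NetWitness code). The Airflow record fields dag_id, state and execution_date are assumed, and the DAG names, alert times and run records are constructed sample data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

ALERT_SILENCE_DAYS = 7  # page threshold: no alert for 7 days means advanced monitoring is needed

# Constructed sample data, not taken from a real deployment.
NOW = datetime(2024, 3, 20, tzinfo=timezone.utc)
ALERT_TIMES = [datetime(2024, 3, 1, tzinfo=timezone.utc),
               datetime(2024, 3, 9, tzinfo=timezone.utc)]
# Assumed record shape (dag_id, state, execution_date); DAG names are placeholders.
DAG_RUNS = [
    {"dag_id": "authentication_indicator", "state": "success", "execution_date": "2024-03-18T00:00:00+00:00"},
    {"dag_id": "authentication_indicator", "state": "running", "execution_date": "2024-03-19T00:00:00+00:00"},
    {"dag_id": "authentication_model", "state": "success", "execution_date": "2024-03-17T00:00:00+00:00"},
    {"dag_id": "authentication_model", "state": "failed", "execution_date": "2024-03-18T00:00:00+00:00"},
    {"dag_id": "file_indicator", "state": "failed", "execution_date": "2024-03-18T00:00:00+00:00"},
    {"dag_id": "file_indicator", "state": "success", "execution_date": "2024-03-19T00:00:00+00:00"},
]

def alert_silence(alert_times, now=NOW, limit_days=ALERT_SILENCE_DAYS):
    """Days since the newest alert, and whether the weekly expectation is missed."""
    if not alert_times:
        return None, True
    gap = now - max(alert_times)
    return gap.days, gap >= timedelta(days=limit_days)

def dag_status(runs):
    """Per DAG: number of runs per state, and the state of the latest run by execution_date."""
    by_dag = defaultdict(list)
    for run in runs:
        by_dag[run["dag_id"]].append(run)
    report = {}
    for dag_id, dag_runs in by_dag.items():
        latest = max(dag_runs, key=lambda r: datetime.fromisoformat(r["execution_date"]))
        report[dag_id] = {"counts": dict(Counter(r["state"] for r in dag_runs)),
                          "latest": latest["state"]}
    return report

def dags_needing_attention(runs):
    """DAGs whose most recent run failed: open these in Graph view and read the task Log."""
    return sorted(d for d, s in dag_status(runs).items() if s["latest"] == "failed")

if __name__ == "__main__":
    days, silent = alert_silence(ALERT_TIMES)
    print(f"days since last alert: {days}; advanced monitoring needed: {silent}")
    for dag_id, status in dag_status(DAG_RUNS).items():
        print(dag_id, status)
    print("latest run failed:", dags_needing_attention(DAG_RUNS))
```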