What is NetWitness UEBA?
NetWitness UEBA (User and Entity Behavior Analytics) is an advanced analytics solution for discovering, investigating, and monitoring risky behaviors across all users and entities in your network environment. NetWitness UEBA is used for the following purposes:
- Detecting malicious and rogue users
- Pinpointing high-risk behaviors
- Discovering attacks
- Investigating emerging security threats
- Identifying potential attacker activity
About this Guide
This guide provides end-to-end instructions to configure NetWitness UEBA and to use UEBA features.
Getting Started
The following tasks can be performed in any sequence.
| Description | References |
|---|---|
| View information about product updates, improvements, and known issues. | |
| Understand NetWitness UEBA. | |
Setup and Installation
You can set up and install NetWitness UEBA by performing a Standalone Installation or a Fresh Installation.
Standalone Installation
The following tasks must be performed in the following sequence.
| Description | References |
|---|---|
| Review the supported hardware. | "System Requirement" topic in the UEBA Standalone Installation Guide |
| Review the UEBA deployment. | "NetWitness UEBA Standalone Installation" topic in the UEBA Standalone Installation Guide |
| Configure the ports on your firewall. | "NetWitness UEBA Standalone Installation" topic in the UEBA Standalone Installation Guide |
| Install the NetWitness Server host. | "Installation Tasks" topic in the UEBA Standalone Installation Guide |
| Install the 12.5 Log Hybrid host. | "Installation Tasks" topic in the UEBA Standalone Installation Guide |
| Install and configure NetWitness UEBA. | "Installation Tasks" topic in the UEBA Standalone Installation Guide |
| Assign the UEBA_Analysts and Analysts roles to the UEBA users. | "Role Permissions" in the System Security and User Management Guide |
Fresh Installation
The following tasks must be performed in the following sequence.
| Description | References |
|---|---|
| Review the supported hardware. | "Supported Hardware" in the Physical Host Installation Guide |
| Review the UEBA architecture. | "NetWitness Platform Network Architecture Diagram" topic in the Deployment Guide |
| Configure the ports on your firewall. | "Network Architecture and Ports" topic in the Deployment Guide |
| Install the NetWitness Server host and other components. | "Task 1 - Install 12.5 on the NetWitness Server (NW Server) Host" and "Task 2 - Install 12.5 on Other Component Hosts" in the Physical Host Installation Guide; "Install NetWitness Platform Virtual Host in Virtual Environment" in the Virtual Host Installation Guide |
| Install UEBA. | "NetWitness® UEBA" in the Physical Host Installation Guide |
| Assign the UEBA_Analysts and Analysts roles to the UEBA users. | "Role Permissions" in the System Security and User Management Guide |
Update
The following tasks must be performed in the following sequence.
| Description | References |
|---|---|
| Deploy the Endpoint Pack from Live, which contains the File Category Lua Parser for the UEBA integration with Endpoint. During deployment, you must specify the Endpoint Log Hybrid Log Decoder service. If there are multiple Endpoint servers, select all the Endpoint Log Hybrid Log Decoder services. | |
| Enable Endpoint data sources such as Process and Registry to generate alerts in UEBA. | "ueba-server-config script" in the UEBA Configuration Guide |
| Enable the UEBA indicator forwarder to transfer the UEBA indicators to the NetWitness Respond server and to the correlation server to create incidents. | "ueba-server-config script" in the UEBA Configuration Guide |
| After you update to NetWitness Platform 12.4, the Broker or Concentrator UUID changes. You must update the NetWitness Platform core services and update the Broker or Concentrator UUID. | "ueba-server-config script" in the UEBA Configuration Guide |
| Update the Airflow configuration. | "ueba-server-config script" in the UEBA Configuration Guide |
| Restart the Airflow scheduler service after the presidio_upgrade DAG completes successfully. | "reset-presidio script" in the UEBA Configuration Guide |
Investigation
The following tasks can be performed in any sequence.
| Description | References |
|---|---|
| Investigate high-risk users. | "Investigate High-Risk Users" topic in the NetWitness UEBA User Guide |
| Investigate top alerts. | "Investigate Top Alerts" topic in the NetWitness UEBA User Guide |
Monitoring
The following tasks can be performed in any sequence.
| Description | References |
|---|---|
| Review NetWitness UEBA metrics in Health and Wellness. | "View NetWitness UEBA Metrics in Health and Wellness" topic in the NetWitness UEBA User Guide |
| Monitor Health and Wellness of UEBA. | "Monitor Health and Wellness of UEBA" topic in the NetWitness UEBA User Guide |