UEBA Configuration
This topic provides the high-level tasks required to configure UEBA.
IMPORTANT: Changing the UEBA start date or the UEBA processed schemas requires a re-run of the UEBA system as well as a cleanup of the UEBA databases. To avoid deleting the information shown in the UI, use the reset_presidio.py script as described in reset-presidio script; it keeps the UI data (Alerts, Indicators, Entities, Scores, and so on).
Note: To configure a single UEBA server, see "Task 3. Install and Configure NetWitness UEBA" under Installation Tasks topic in the UEBA Standalone Installation Guide.
Configure Multiple UEBA Servers
NetWitness Platform XDR now supports installing multiple UEBA servers in your environment.
Before using this feature, ensure that you meet the following requirement:
- The multiple UEBA deployments are independent, with one supporting Logs & Endpoint models and the other dedicated exclusively to Network (TLS) models. Customers with a different use case need to contact the NetWitness Customer Support team.
Multi-UEBA can be used in the following scenario:
- Multi-UEBA can only be used if there is no need for correlation between the data consumed by the two UEBA servers, for example one server for Logs and Endpoint and one server for Network.
IMPORTANT: NetWitness recommends that you configure the Authentication, File, Active Directory, Process, and Registry schemas on one UEBA server and the TLS schema on another UEBA server for better data processing.
Prerequisites
Ensure that the NetWitness Platform XDR and Hosts (UEBA) are in version 12.3 or later.
Procedure
1. Follow the installation instructions to install multiple UEBA servers, for example UEBA-Server-1 and UEBA-Server-2. For more information, see "Task 3. Install and Configure NetWitness UEBA" under the Installation Tasks topic in the UEBA Standalone Installation Guide.
Note: You can configure multiple UEBA servers in your environment. NetWitness has installed and verified up to three UEBA servers.
2. Run the ueba-server-config script to set up the data schemas on the installed UEBA server 1 and UEBA server 2. For more information, see ueba-server-config script.
Best Practices to Add and Remove Schemas for Multiple UEBA Servers
If you are planning to install multiple UEBA servers in your environment, consider the case where all six schemas are configured on a 12.2 or earlier UEBA server.
NetWitness recommends that the TLS schema (Network data) is configured on the new UEBA server first, and that the existing UEBA server containing all schemas is then reset and re-configured with the five schemas Authentication, File, Active Directory, Process, and Registry (Logs and Endpoint data). For more information on configuration, see ueba-server-config script. You also need to reset the start date; set it one month back from the current date. For more information, see reset-presidio script.
ueba-server-config script
The ueba-server-config script is normally used to configure and run the UEBA component after deployment. It can also be used to update the UEBA configuration at run time.
IMPORTANT: If you change the start time or the processing schemas, you must re-run UEBA. All script arguments (except the boolean arguments) are mandatory and must be filled in.
For more information on the script parameters, see the UEBA Standalone Installation Guide for NetWitness Platform XDR 12.2.
To display the script usage, run the following command: /opt/rsa/saTools/bin/ueba-server-config --help
Argument | Variable | Description
---|---|---
-u | <user> | User name of the credentials for the Broker or Concentrator instance that you are using as a data source.
-p | <password> | Password of the credentials for the Broker or Concentrator instance that you are using as a data source. The following special characters are supported in a password: !"#$%&()*+,-:;<=>?@[\]^_`\{\|} If the password includes one or more special characters, you must delimit the password with apostrophes (single quotes).
-h | <host> | IP address of the Broker or Concentrator used as the data source. Currently, only one data source is supported.
-o | <type> | Data source host type (broker or concentrator).
-t | <startTime> | Historical start time from which UEBA collects data from the data source, in YYYY-MM-DDTHH:MM:SSZ format (for example, 2018-08-15T00:00:00Z). Note: The script interprets the time you enter as UTC (Coordinated Universal Time) and does not adjust it to your local time zone.
-s | <schemas> | Array of data schemas. To specify multiple schemas, separate them with a space (for example, AUTHENTICATION FILE ACTIVE_DIRECTORY PROCESS REGISTRY TLS).
-v | | Verbose mode (boolean).
-e | | Boolean argument that enables forwarding of UEBA indicators to Respond. Note: If your NetWitness deployment includes an active Respond server, you can transfer NetWitness UEBA indicators to the Respond server and create incidents from this data by enabling the indicator forwarder. For more information on how to enable NetWitness UEBA incident aggregation, see Enable User Entity Behavior Analytics Incident Rule.
Note: The TLS (packet) schema requires adding the hunting pack and enabling the JA3 features. For more information, see Add Features for UEBA Packet Schema.
reset-presidio script
IMPORTANT: The reset_presidio.py script deletes the UEBA back-end databases and can also delete the front-end database that backs the UI.
The reset_presidio.py script is used to re-run the UEBA system and to update the UEBA start date and the processing schemas without having to provide all the other parameters required by the ueba-server-config script. The script re-runs UEBA and deletes the back-end data (models, aggregations, etc.). To also delete the front-end data (UI entities, alerts, etc.), use the clean option. If you do not specify a date, the script sets the default start date, 28 days earlier than the current date. NetWitness recommends that the UEBA start date is set to 28 days earlier than the current date. For UEBA systems that will process TLS data, verify that the start date is set no later than 14 days earlier than the current date.
Note: UEBA must process 28 days of data before alerts can be created.
• If you choose a start date that is less than 28 days before the current date, for example 10 days earlier than the current date, you have to wait another 18 days from the current date to see alerts in your UEBA system (if any are created).
• If you choose a start date that is more than 27 days before the current date, it is recommended to delete the front-end database as well (use -c) to avoid duplicate alerts.
To run the script, load the Airflow virtual environment variables as follows:
source /etc/sysconfig/airflow
source $AIRFLOW_VENV/bin/activate
OWB_ALLOW_NON_FIPS=on python /var/netwitness/presidio/airflow/venv/lib/python2.7/site-packages/presidio_workflows-1.0-py2.7.egg/presidio/utils/airflow/reset_presidio.py --help
deactivate
Argument | Variable | Description
---|---|---
-h, --help | | Script help.
-c, --clean | <argument> | If true, cleans any existing data in the Elasticsearch DB (Alerts, Indicators, Entities, etc.); all data is deleted from the UEBA UI.
-s | <schemas> | Reconfigures the UEBA engine's array of schemas (for example, AUTHENTICATION FILE ACTIVE_DIRECTORY PROCESS REGISTRY TLS).
-d | <date> | Reconfigures the UEBA engine to start from midnight UTC of this date (for example, 2010-12-31). If not set, the start date is reset by default to 27 days before the current system day, at midnight UTC, to avoid duplicate alerts in the UEBA UI in case you did not clean the Elasticsearch data (-c).
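Both scripts above take a start time and a schema list, and the rules on the look-back window (28-day learning period, at least 14 days of history for TLS, -c when going back more than 27 days) are easy to get wrong by hand. The following shell helpers are an added example, not NetWitness code: they compute the UTC start time in the format each script expects, validate the schema names against the six documented ones, single-quote a password that contains supported special characters, apply the look-back rules, and print the resulting ueba-server-config and reset_presidio.py command lines for review instead of running them. Only the two script paths and the argument names come from this page; the credentials, the host 10.0.0.5 and the function names are made up, and the code assumes GNU date (as on the UEBA host) and that -e and -c are bare switches, as the page's description of them as boolean suggests.

```shell
#!/bin/sh
# Added example, not NetWitness code. Helpers for planning a
# ueba-server-config or reset_presidio.py run on a UEBA host.
# Assumptions: GNU date; -e and -c are bare switches (the page calls
# them boolean). Only the script paths and argument names are from the page.
set -eu

UEBA_CONFIG=/opt/rsa/saTools/bin/ueba-server-config
RESET_PRESIDIO=/var/netwitness/presidio/airflow/venv/lib/python2.7/site-packages/presidio_workflows-1.0-py2.7.egg/presidio/utils/airflow/reset_presidio.py
SUPPORTED_SCHEMAS="AUTHENTICATION FILE ACTIVE_DIRECTORY PROCESS REGISTRY TLS"

# UTC midnight N days before today, in the YYYY-MM-DDTHH:MM:SSZ form that
# ueba-server-config -t expects. The script treats the value as UTC.
ueba_start_time() {
    date -u -d "$1 days ago" +%Y-%m-%dT00:00:00Z
}

# The same day in the YYYY-MM-DD form that reset_presidio.py -d expects.
ueba_start_date() {
    date -u -d "$1 days ago" +%Y-%m-%d
}

# Fail on any schema name that is not one of the six documented ones.
validate_schemas() {
    for s in "$@"; do
        case " $SUPPORTED_SCHEMAS " in
            *" $s "*) ;;
            *) echo "unsupported schema: $s" >&2; return 1 ;;
        esac
    done
}

# Wrap a password in apostrophes (single quotes), escaping any embedded
# apostrophe, so the supported special characters reach the script intact.
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Apply the page's start-date rules to a look-back window of DAYS days for
# the given schemas. Prints advice; fails if TLS would get under 14 days.
check_lookback() {
    days=$1; shift
    if [ "$days" -lt 28 ]; then
        echo "alerts only after $((28 - days)) more days (28-day learning period)"
    fi
    if [ "$days" -gt 27 ]; then
        echo "recommend -c to clean the Elasticsearch front-end and avoid duplicate alerts"
    fi
    case " $* " in
        *" TLS "*)
            if [ "$days" -lt 14 ]; then
                echo "TLS schema needs a start date at least 14 days back" >&2
                return 1
            fi ;;
    esac
}

# Print (do not run) the ueba-server-config command line.
# Usage: build_config_cmd USER PASSWORD HOST broker|concentrator DAYS SCHEMA...
build_config_cmd() {
    user=$1 pass=$2 host=$3 type=$4 days=$5; shift 5
    validate_schemas "$@" || return 1
    printf '%s -u %s -p %s -h %s -o %s -t %s -s %s -e\n' \
        "$UEBA_CONFIG" "$user" "$(sq "$pass")" "$host" "$type" \
        "$(ueba_start_time "$days")" "$*"
}

# Print (do not run) the reset_presidio.py command line; CLEAN is yes|no.
# Run the printed line inside the Airflow virtualenv as shown on the page.
build_reset_cmd() {
    days=$1 clean=$2; shift 2
    validate_schemas "$@" || return 1
    check_lookback "$days" "$@" >&2 || return 1
    flag=""
    [ "$clean" = yes ] && flag=" -c"
    printf 'OWB_ALLOW_NON_FIPS=on python %s%s -s %s -d %s\n' \
        "$RESET_PRESIDIO" "$flag" "$*" "$(ueba_start_date "$days")"
}

# Sample run with constructed credentials and host (not real values).
build_config_cmd ueba_reader 'S3cr3t!pa$s' 10.0.0.5 broker 28 AUTHENTICATION FILE ACTIVE_DIRECTORY PROCESS REGISTRY
build_reset_cmd 28 yes TLS
```

Review the printed command lines, then run them as the page shows (reset_presidio.py only after sourcing the Airflow virtual environment). Keeping the password in single quotes is what lets the supported special characters, including `$` and `!`, reach the script without the shell expanding them.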
UEBA Indicator Forwarder
Note: The UEBA Indicator Forwarder is supported by UEBA from version 11.3 and later.
If your NetWitness environment includes an active Respond server, you can transfer the UEBA indicators to the Respond server and to the correlation server in order to create incidents. For more information, see Enable User Entity Behavior Analytics Incident Rule.
Run the following command on the UEBA server to activate the UEBA Indicator Forwarder:
curl -X PATCH http://localhost:8881/configuration -H 'content-type: application/json' -d '{"operations":[{"op":"replace","path":"/outputForwarding/enableForwarding","value":true}]}'
To deactivate the UEBA indicator forwarder, change "value":true in the request body to "value":false.
Update Data Source Details
In order to update the details of the data source you must use the ueba-server-config script. For more information, see ueba-server-config script.
Note: From 12.3 version or later, if you change the data source using the ueba-server-config script, UEBA will use the previously configured start date by default. To change the UEBA start date, use the reset-presidio script.
The data source details are:
- Data source type (Broker / Concentrator).
- Data source username.
- Data source password.
- Data source host.
Add Features for UEBA Packet Schema
Add the Hunting Pack:
In NetWitness Platform XDR, add the hunting pack or verify that it is already available:
1. Log in to NetWitness Platform XDR.
2. Navigate to (Admin) and select Admin Server.
3. Click the options icon and select Configure > Live Content.
4. In the left menu, select the following:
- Bundle under Resource Type.
- Packet under Medium.
5. Click Search. A list of matching resources is displayed.
6. Select Hunting Pack from the list and click Deploy.
The hunting pack is added.
Add JA3 and JA3s:
The JA3 and JA3s fields are supported by the Network Decoder in 11.3.1 and later. Verify that your Network Decoder is upgraded to one of these versions.
To add JA3 and JA3s:
1. Log in to NetWitness Platform XDR.
2. Go to (Admin) > Services and select the Decoder.
3. Navigate to /decoder/parsers/config/parsers.options.
4. Add HTTPS="ja3=true ja3s=true".
The JA3 and JA3s fields are configured.
Assign User Access to UEBA
To create a user with privileges to access the UEBA pages (Users tab) in the NetWitness UI:
1. Navigate to (Admin) > Security.
2. Create a new user and assign it the UEBA_Analysts and Analysts roles.
For more information, see the "Manage Users with Roles and Permissions" topic in the System Security and User Management Guide.
Create an Analysts Role
To fetch data from the data source (Broker / Concentrator), UEBA needs a user with the Analysts role on the data source service:
1. Go to (Admin) > Services, select the data source service, and open its Security tab.
2. Create an analyst user and assign it the Analysts role. If its password contains special characters, use only the characters listed as supported in ueba-server-config script, because these credentials are passed to that script.
Enable User Entity Behavior Analytics Incident Rule
To aggregate the UEBA indicators under an incident rule, follow the instructions below:
1. Enable the UEBA forwarding process as described in UEBA Indicator Forwarder.
2. Go to (Configure) > Incident Rules.
3. Select the User Entity Behavior Analytics rule.
4. Select the Enable check box and click Save.
Removal of Packetbeat Service
From version 12.3 onward, the Packetbeat service has been removed from UEBA to improve memory usage and performance. This allows the other services on the UEBA host to use the resources more efficiently, reducing the load on the system.
Learning Period Per Scale
Learning Period Per Scale for 12.3
Note: The displayed numbers assume that the following enhancement is enabled. Ensure that you enable the configuration in the application.properties file to improve the processing time. For more information, see the "The TLS model is taking too long to complete tasks" section in Troubleshooting UEBA Configurations.
Physical Machine (SERIES 6 ESA (DELL R640) SPECIFICATIONS)
Supported scale: 100,000 users with 30 million Log and Endpoint events + 60 million Network events per day.
Existing NetWitness customer (historical data available) | Scenario | Learning Period (alerts are generated when the learning period is complete)
---|---|---
Yes | Fresh installation of 12.3 |
Yes | Upgrade from 11.7.x, 12.1.x, 12.2.x to 12.3; UEBA reset is not required |
Yes | Upgrade from 11.7.x, 12.1.x, 12.2.x to 12.3 with schemas updated (addition or removal of schemas configured on UEBA); UEBA reset is required; historical data is available for N days |
Yes | Upgrade from 11.7.x, 12.1.x, 12.2.x to 12.3 with schemas updated; UEBA reset is required; historical data is not available | 28 days to complete the learning period before generating alerts
No | Fresh installation of 12.3 | 28 days to complete the learning period before generating alerts
Virtual Machine
CPU | Memory | Reserved Memory Allocation | Disk Requirements for /var/netwitness Partition | Read IOPS | Write IOPS
---|---|---|---|---|---
32 cores | 128GB | 64GB | 1.5 TB thick-provisioned (see the IMPORTANT note below) | 500MB | 500MB
IMPORTANT: The /var/netwitness partition must be mounted on a 1.5 TB thick-provisioned disk for storage usage.
Note: NetWitness recommends that you deploy UEBA on a virtual host only if your log collection volume is low. If you have a moderate to high log collection volume, NetWitness recommends that you deploy UEBA on a physical host as described in the "NetWitness UEBA Host Hardware Specifications" topic of the Physical Host Installation Guide. Contact NetWitness Customer Support (https://community.netwitness.com/t5/support-information/how-to-contact-netwitness-support/ta-p/563897) for advice on choosing which host, virtual or physical, to use for UEBA.
Supported scale: 100,000 users with 30 million Log and Endpoint events + 20 million Network events per day.
Existing NetWitness customer (historical data available) | Scenario | Learning Period (alerts are generated when the learning period is complete)
---|---|---
Yes | Fresh installation of 12.3 |
Yes | Upgrade from 11.7.x, 12.1.x, 12.2.x to 12.3; UEBA reset is not required |
Yes | Upgrade from 11.7.x, 12.1.x, 12.2.x to 12.3 with schemas updated (addition or removal of schemas configured on UEBA); UEBA reset is required; historical data is available for N days |
Yes | Upgrade from 11.7.x, 12.1.x, 12.2.x to 12.3 with schemas updated; UEBA reset is required; historical data is not available | 28 days to complete the learning period before generating alerts
No | Fresh installation of 12.3 | 28 days to complete the learning period before generating alerts
Note: Network events per day refers to the number of events consumed by UEBA per day.
Learning Period Per Scale for 12.3 Multiple UEBA Servers
Physical Machine (SERIES 6 ESA (DELL R640) SPECIFICATIONS)
Note: There are two UEBA servers, one configured with Log and Endpoint data and the other configured with Network (TLS) data.
Supported scale: UEBA Server 1: 100,000 users with 100 million Log and Endpoint events per day; UEBA Server 2: 100 million Network events per day.
Existing NetWitness customer (historical data available) | Scenario | Learning Period (alerts are generated when the learning period is complete)
---|---|---
Yes | Fresh installation of 12.3 |
Yes | Upgrade from 11.7.x, 12.1.x, 12.2.x to 12.3 with schemas updated (addition or removal of schemas configured on UEBA); UEBA reset is required; historical data is available for N days. Note: An additional UEBA server must be installed to configure the TLS schema on a separate UEBA server. |
Yes | Upgrade from 11.7.x, 12.1.x, 12.2.x to 12.3 with schemas updated; UEBA reset is required; historical data is not available | 28 days to complete the learning period before generating alerts
No | Fresh installation of 12.3 | 28 days to complete the learning period before generating alerts
Learning Period Per Scale (from 11.5.1 version to 12.2.0.1)
Note: For all supported scales, when historical data is not available, the learning period is 28 days.
Physical Machine (SERIES 5 (RSA R630) SPECIFICATIONS)
Supported scale for existing NetWitness customers (historical data is available): Logs and Endpoint data for 100,000 users + 20 million network events per day.
Scenario | Learning Period (alerts are generated when the learning period is complete)
---|---
11.5.1 installation |
11.5.1 upgrade from 11.4.x | No learning period
11.5.1 upgrade from 11.3.x or prior versions |
11.5.1 upgrade with schema removal | Up to 4 days with 28 days of historical data
Supported scale for existing NetWitness customers (historical data is available): Logs and Endpoint data for 100,000 users + 60 million network events per day.
Scenario | Learning Period (alerts are generated when the learning period is complete)
---|---
11.5.1 installation | Up to 14 days with 14 days of historical data
11.5.1 upgrade from 11.4.x |
11.5.1 upgrade from 11.3.x or prior versions | Note: This scenario is impacted by the ASOC-101686 known issue. For more information, see NetWitness Release Notes for 11.5.
11.5.1 upgrade with schema removal | Note: This scenario is impacted by the ASOC-101686 known issue. For more information, see NetWitness Release Notes for 11.5.
Virtual Machine
If there is no historical data, the learning period is 28 days.
CPU | Memory | Read IOPS | Write IOPS
---|---|---|---
16 cores | 64GB | 500MB | 500MB
Note: NetWitness recommends that you deploy UEBA on a virtual host only if your log collection volume is low. If you have a moderate to high log collection volume, NetWitness recommends that you deploy UEBA on a physical host as described in the "NetWitness UEBA Host Hardware Specifications" topic of the Physical Host Installation Guide. Contact Customer Support (https://community.netwitness.com/t5/support-information/how-to-contact-netwitness-support/ta-p/563897) for advice on choosing which host, virtual or physical, to use for UEBA.
Supported scale for existing NetWitness customers (historical data is available): Logs and Endpoint data for up to 100,000 users with 30 million events per day (no network data).
Scenario | Learning Period (alerts are generated when the learning period is complete)
---|---
11.5.1 installation | Up to 4 days with 28 days of historical data
11.5.1 upgrade from 11.4.x | No learning period
11.5.1 upgrade from 11.3.x or prior versions | Up to 4 days with 28 days of historical data
11.5.1 upgrade with schema removal |
Supported scale for existing NetWitness customers (historical data is available): Logs and Endpoint data for up to 100,000 users with 30 million events per day + 20 million network events per day.
Scenario | Learning Period (alerts are generated when the learning period is complete)
---|---
11.5.1 installation | Up to 14 days with 14 days of historical data
11.5.1 upgrade from 11.4.x | No learning period
11.5.1 upgrade from 11.3.x or prior versions | Note: This scenario is impacted by the ASOC-101686 known issue. For more information, see NetWitness Release Notes for 11.5.
11.5.1 upgrade with schema removal | Note: This scenario is impacted by the ASOC-101686 known issue. For more information, see NetWitness Release Notes for 11.5.
Note: Network events per day refers to the number of events consumed by UEBA per day. To determine the scale of network events for existing customers, see Troubleshooting UEBA Configurations.