UEBA Configuration

This topic provides the high-level tasks required to configure UEBA.

IMPORTANT: Changing the UEBA start date or the UEBA processed schemas requires a re-run of the UEBA system as well as a cleanup of the UEBA databases. To avoid deleting the information in the UI, use the reset_presidio.py script as described in reset-presidio script; it keeps the data in the UI (for example, Alerts, Indicators, Entities and Scores).

Note: To configure a single UEBA server, see "Task 3. Install and Configure NetWitness UEBA" under the Installation Tasks topic in the UEBA Standalone Installation Guide.

Configure Multiple UEBA Servers

NetWitness Platform now supports installing multiple servers of UEBA in your environment.

Before using this feature, ensure that you meet the following requirements:

The multiple UEBA deployments are independent, with one supporting Logs & Endpoint models and the other dedicated exclusively to Network (TLS) models. Customers with a different use case will need to contact the NetWitness Customer Support team.

Multi-UEBA can be used for the following scenario:

  • Multi-UEBA can only be used if there is no need for correlation between the data consumed by both UEBA servers, such as one server for Logs and Endpoint and one server for Network.

IMPORTANT: NetWitness recommends that you configure Authentication, File, Active Directory, Process, and Registry schemas on one UEBA server and TLS schema on another UEBA server for better data processing.

Prerequisites

Ensure that the NetWitness Platform and Hosts (UEBA) are in version 12.3 or later.

Procedure

  1. Follow the installation instructions to install multiple UEBA servers, for example UEBA-Server-1 and UEBA-Server-2. For more information, see "Task 3. Install and Configure NetWitness UEBA" under the Installation Tasks topic in the UEBA Standalone Installation Guide.

    Note: You can configure multiple UEBA servers in your environment. NetWitness has installed and verified up to three UEBA servers.

  2. Run the ueba-server-config script to set up the data schemas on UEBA-Server-1 and UEBA-Server-2. For more information, see ueba-server-config script.

Best Practices to Add and Remove Schemas for Multiple UEBA Servers

If you are planning to install multiple UEBA servers in your environment, consider the case where all six schemas are configured on a 12.2 or earlier UEBA server.

NetWitness recommends that the TLS schema (Network data) be configured on the new UEBA server first, and that the existing UEBA server containing all schemas then be reset and re-configured with the five schemas Authentication, File, Active Directory, Process, and Registry (Logs and Endpoint data). For more information on configuration, see ueba-server-config script. You also need to reset the start date; set it one month back from the current date. For more information, see reset-presidio script.

ueba-server-config script

The ueba-server-config script is usually used to configure and run the UEBA component after deployment. It can also be used to update the UEBA configuration at run time.

IMPORTANT: If you change the start time or the processing schemas, you must re-run UEBA. All script arguments (except the boolean arguments) are mandatory and must be filled in.

For more information on the script parameters, see the UEBA Standalone Installation Guide for NetWitness Platform 12.3.

To display the script usage, run the following command:

/opt/rsa/saTools/bin/ueba-server-config --help

Argument Variable Description
-u <user>

User name of the credentials for the Broker or Concentrator instance that you are using as a data source.

-p <password>

Password of the credentials for the Broker or Concentrator instance that you are using as a data source. The following special characters are supported in a password.

!"#$%&()*+,-:;<=>?@[\]^_`\{|}

If you want to include one or more special characters, you must delimit the password with apostrophes (single quotes), for example:
sh /opt/rsa/saTools/bin/ueba-server-config -u brokeruser -p '!"UHfz?@ExMn#$' -h 10.64.153.104 -t 2018-08-01T00:00:00Z -s 'AUTHENTICATION FILE ACTIVE_DIRECTORY TLS PROCESS REGISTRY' -o broker -v

-h <host>

IP address of the Broker or Concentrator used as the data source. Currently, only one data source is supported.

-o <type>

Data source host type (broker or concentrator).

-t <startTime>

Historical start time from which data collection from the data source begins, in YYYY-MM-DDTHH:MM:SSZ format (for example, 2018-08-15T00:00:00Z).

Note: The script interprets the time you enter as UTC (Coordinated Universal Time) and it does not adjust the time to your local time zone.

-s <schemas>

Array of data schemas. If you want to specify multiple schemas, use a space to separate each schema (for example, AUTHENTICATION FILE ACTIVE_DIRECTORY PROCESS REGISTRY TLS).

-v

Verbose mode.

-e <argument>

Boolean argument. Enables the UEBA indicator forwarder to Respond.

Note: If your NetWitness deployment includes an active Respond server, you can enable the indicator forwarder to transfer NetWitness UEBA indicators to the Respond server and create incidents from this data. For more information on how to enable NetWitness UEBA incident aggregation, see Enable User Entity Behavior Analytics Incident Rule.

Note: The TLS (packet) schema requires adding the Hunting Pack and enabling the JA3 features. For more information, see Add Features for UEBA Packet Schema.
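
The checks worth running before invoking the command above, as an added example (not code from the NetWitness documentation or product): it validates the -p, -t, -o and -s values against the rules in this table and builds a shell line with the password delimited in single quotes. The function names and the list of known schema names are this example's assumptions.

```python
"""Added example; not part of the NetWitness documentation or product code.
Validates ueba-server-config argument values and assembles a safely quoted
command line. Only the rules stated in the argument table are encoded."""
import re
import shlex
from datetime import datetime

SCRIPT = "/opt/rsa/saTools/bin/ueba-server-config"
# Special characters the documentation lists as supported in a password.
SUPPORTED_SPECIALS = set('!"#$%&()*+,-:;<=>?@[\\]^_`{|}')
# Schema names used in the documentation's examples (assumed complete here).
KNOWN_SCHEMAS = {"AUTHENTICATION", "FILE", "ACTIVE_DIRECTORY",
                 "PROCESS", "REGISTRY", "TLS"}
SOURCE_TYPES = ("broker", "concentrator")
START_TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z")
START_TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def check_password(password: str) -> bool:
    """True when the password is non-empty and every non-alphanumeric character
    is in the supported set. An apostrophe or a space is not in the list and
    would also break the single-quote delimiting, so it is rejected."""
    return bool(password) and all(
        c.isalnum() or c in SUPPORTED_SPECIALS for c in password)


def check_start_time(start_time: str) -> bool:
    """-t must be YYYY-MM-DDTHH:MM:SSZ with real calendar values; read as UTC."""
    if not START_TIME_RE.fullmatch(start_time):
        return False
    try:
        datetime.strptime(start_time, START_TIME_FORMAT)
    except ValueError:
        return False
    return True


def check_schemas(schemas) -> bool:
    """At least one schema, each one of the known names."""
    return bool(schemas) and all(s in KNOWN_SCHEMAS for s in schemas)


def build_argv(user, password, host, source_type, start_time, schemas,
               verbose=True):
    """Return the argv list for ueba-server-config, or raise ValueError."""
    if not check_password(password):
        raise ValueError("password contains an unsupported character")
    if source_type not in SOURCE_TYPES:
        raise ValueError("-o must be broker or concentrator")
    if not check_start_time(start_time):
        raise ValueError("-t must be in YYYY-MM-DDTHH:MM:SSZ format")
    if not check_schemas(schemas):
        raise ValueError("unknown schema name in -s")
    # Multiple schemas travel as one space-separated argument, as in the
    # documentation's example.
    argv = [SCRIPT, "-u", user, "-p", password, "-h", host, "-t", start_time,
            "-s", " ".join(schemas), "-o", source_type]
    if verbose:
        argv.append("-v")
    return argv


def shell_line(argv) -> str:
    """Quote each argument for sh. shlex.quote wraps anything containing
    special characters in single quotes, the delimiter the documentation uses."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Constructed values mirroring the documentation's example.
    print(shell_line(build_argv("brokeruser", '!"UHfz?@ExMn#$', "10.64.153.104",
                                "broker", "2018-08-01T00:00:00Z",
                                ["AUTHENTICATION", "FILE", "ACTIVE_DIRECTORY",
                                 "TLS", "PROCESS", "REGISTRY"])))
```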

reset-presidio script

IMPORTANT: The reset_presidio.py script deletes the UEBA back-end databases and can also delete the front-end database that is present in the UI.

The reset_presidio.py script is used to re-run the UEBA system and to update the UEBA start date and the processing schemas without having to provide all the other parameters required by the ueba-server-config script. The script re-runs UEBA and deletes the back-end data (models, aggregations, and so on). To delete the front-end data (UI entities, alerts, and so on) as well, use the clean option. If you do not specify a date, the script sets the default start date to 28 days earlier than the current date. NetWitness recommends that the UEBA start date be set to 28 days earlier than the current date. For UEBA systems that will process TLS data, verify that the start date is set to no later than 14 days earlier than the current date.

Note: UEBA must process 28 days of data before alerts can be created.
• If you choose a start date that is less than 28 days before the current date, for example 10 days earlier, you will have to wait another 18 days from the current date to see alerts in your UEBA system (if any are created).
• If you choose a start date that is more than 27 days before the current date, it is recommended to delete the front-end database as well (use -c) to avoid duplicate alerts.

To run the script, load the Airflow virtual environment variables as follows:

  1. source /etc/sysconfig/airflow
  2. source $AIRFLOW_VENV/bin/activate
  3. OWB_ALLOW_NON_FIPS=on python /var/netwitness/presidio/airflow/venv/lib/python2.7/site-packages/presidio_workflows-1.0-py2.7.egg/presidio/utils/airflow/reset_presidio.py --help
  4. deactivate

Argument Variable Description

-h, --help

Script help.

-c, --clean <argument>

Clean any existing data in the Elasticsearch DB (Alerts, Indicators, Entities, and so on); all data will be deleted from the UEBA UI.

-s <schema>

Reconfigure the UEBA engine array of schemas (e.g. [AUTHENTICATION FILE ACTIVE_DIRECTORY PROCESS REGISTRY TLS]).

-d <date>

Reconfigure the UEBA engine to start from midnight UTC of this date. If not set, the start date is reset by default to 27 days before the current system day, at midnight UTC, to avoid duplicate alerts in the UEBA UI in case you did not clean the Elasticsearch data (-c) (e.g. 2010-12-31).

Refer to the table above for the arguments to pass along with the reset command. For example:

OWB_ALLOW_NON_FIPS=on python /var/netwitness/presidio/airflow/venv/lib/python2.7/site-packages/presidio_workflows-1.0-py2.7.egg/presidio/utils/airflow/reset_presidio.py -c -d 2023-11-16 -s AUTHENTICATION ACTIVE_DIRECTORY FILE PROCESS REGISTRY TLS
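
An added example, not part of reset_presidio.py or the NetWitness documentation: it checks a proposed -d start date against the rules in this section (the 28-day learning period, -c when the start date is more than 27 days back, and the TLS note that the start date must be no later than 14 days before the current date) and reports when alerts can be expected. The function and field names are this example's own; the script default of 27 days back is taken from the -d description above.

```python
"""Added example; not part of reset_presidio.py or the NetWitness documentation.
Checks a proposed -d start date against the rules quoted in this section and
reports when alerts can be expected. Names and structure are this example's own."""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone

LEARNING_DAYS = 28         # UEBA must process 28 days of data before creating alerts
CLEAN_THRESHOLD_DAYS = 27  # a start date further back than this calls for -c
TLS_MIN_DAYS_BACK = 14     # TLS note: start date no later than 14 days before today
DEFAULT_DAYS_BACK = 27     # the script's default when -d is omitted (per the table)


@dataclass
class ResetPlan:
    start_date: date
    days_back: int          # days between the start date and today
    days_until_alerts: int  # 0 when the 28-day learning period is already covered
    warnings: list = field(default_factory=list)
    errors: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def parse_start_date(value: str):
    """-d takes YYYY-MM-DD and means midnight UTC of that day; None if invalid."""
    try:
        return datetime.strptime(value, "%Y-%m-%d").date()
    except ValueError:
        return None


def plan_reset(start_date=None, schemas=(), clean=False, today=None) -> ResetPlan:
    """Evaluate a reset_presidio.py invocation before running it.

    start_date: the -d value (YYYY-MM-DD), or None for the script default.
    schemas:    the -s schema names; only TLS affects the checks here.
    clean:      whether -c is passed.
    today:      injectable for testing; defaults to the current UTC date.
    """
    today = today or datetime.now(timezone.utc).date()
    if start_date is None:
        start = today - timedelta(days=DEFAULT_DAYS_BACK)
    else:
        start = parse_start_date(start_date)
    if start is None:
        plan = ResetPlan(today, 0, LEARNING_DAYS)
        plan.errors.append("-d must be a date in YYYY-MM-DD format")
        return plan
    days_back = (today - start).days
    plan = ResetPlan(start, days_back, max(0, LEARNING_DAYS - days_back))
    if days_back < 0:
        plan.errors.append("start date is in the future")
        return plan
    if days_back < LEARNING_DAYS:
        # The documentation's example: 10 days back means waiting another 18 days.
        plan.warnings.append(f"only {days_back} days of history: alerts can appear "
                             f"after another {plan.days_until_alerts} days")
    if days_back > CLEAN_THRESHOLD_DAYS and not clean:
        plan.warnings.append("start date is more than 27 days back: add -c to "
                             "avoid duplicate alerts in the UEBA UI")
    if "TLS" in schemas and days_back < TLS_MIN_DAYS_BACK:
        plan.errors.append(f"TLS schema: the start date must be no later than "
                           f"{TLS_MIN_DAYS_BACK} days before the current date")
    return plan


def build_args(start_date, schemas, clean):
    """Argument list for reset_presidio.py matching the plan that was checked."""
    args = ["-c"] if clean else []
    if start_date is not None:
        args += ["-d", start_date]
    return args + ["-s", *schemas]
```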

UEBA Indicator Forwarder

Note: The UEBA Indicator Forwarder is supported from UEBA version 11.3 and later.
If your NetWitness environment includes an active Respond server, you can transfer the UEBA indicators to the Respond server and to the correlation server in order to create incidents. For more information, see Enable User Entity Behavior Analytics Incident Rule.

Run the following command to activate the UEBA Indicator Forwarder:

curl -X PATCH http://localhost:8881/configuration -H 'content-type: application/json' -d '{"operations":[{"op":"replace","path":"/outputForwarding/enableForwarding","value":true}]}'

To deactivate the UEBA indicator forwarder, change "value":true in the request body to "value":false.

Update Data Source Details

In order to update the details of the data source you must use the ueba-server-config script. For more information, see ueba-server-config script.

Note: From 12.3 version or later, if you change the data source using the ueba-server-config script, UEBA will use the previously configured start date by default. To change the UEBA start date, use the reset-presidio script.

The data sources details are:

  • Data Source type (Broker / Concentrator).
  • Data Source username.
  • Data Source password.
  • Data Source host.

Add Features for UEBA Packet Schema

Add the Hunting Pack:

In NetWitness Platform, add the Hunting Pack or verify that it is available:

  1. Log in to the NetWitness Platform.
  2. Navigate to Admin and select Admin Server.
  3. Click the actions drop-down icon and select Configure > Live Content.
  4. On the left menu, select the following:
    1. Bundle under Resource Type.
    2. Packet under Medium.
  5. Click Search.
    A list of matching resources is displayed.
  6. Select Hunting Pack from the list and click Deploy.
    The Hunting Pack is added.

Add JA3 and JA3s:

The JA3 and JA3s fields are supported by the Network Decoder in 11.3.1 and later. Verify that your Network Decoder is upgraded to one of these versions.

To add JA3 and JA3s:

  1. Log in to NetWitness Platform.
  2. Go to Admin > Services and select the Decoder.
  3. Navigate to /decoder/parsers/config/parsers.options.
  4. Add HTTPS="ja3=true ja3s=true".

The JA3 and JA3s fields are configured.

Assign User Access to UEBA

To create a user with privileges to access the UEBA pages (Users tab) in the NetWitness UI, do the following:

  1. Navigate to Admin > Security.
  2. Create a new user with the UEBA_Analysts and Analysts user roles.

For more information, see the "Manage Users with Roles and Permissions" topic in the System Security and User Management Guide.

Create an Analysts Role

To fetch data from the data source (Broker / Concentrator), you need to create a user with the Analysts role in the data source service.

  1. Navigate to the Security tab on the data source service page.
  2. Go to Admin > Services > Security.
  3. Create an analyst user and assign it the Analysts role. The user's password may contain any of the supported special characters (see the -p argument of the ueba-server-config script).

Enable User Entity Behavior Analytics Incident Rule

To aggregate the UEBA indicators under an Incident rule, follow the instructions below:

  1. Enable the UEBA forwarding process as described in UEBA Indicator Forwarder.

    Note: By default, the NetWitness UEBA (On-premises) rules are disabled in your environment. You can enable them to generate incident IDs for the alerts and customize the NetWitness UEBA (On-premises) rule settings.

  2. Go to Configure > Incident Rules.
  3. Select the NetWitness UEBA (On-premises) rule and click Enable.
    A confirmation pop-up is displayed.
  4. Click OK.

Removal of Packetbeat Service

From version 12.3 or later, the Packetbeat service has been removed from UEBA to improve memory usage and performance. This allows other services in UEBA to use the resources more efficiently, reducing the load on the system.

Learning Period Per Scale

Learning Period Per Scale for 12.3.1

Physical Machine (SERIES 6 ESA (DELL R640) SPECIFICATIONS)

Supported Scale: 125,000 users with 40 million Log and Endpoint events + 60 million Network events with 100,000 JA3 entities per day

Existing NetWitness customer (historical data available): Yes

Learning Period (alerts will be generated when the learning period is complete):

  • Fresh Installation of 12.3.1: Up to 12 days with 28 days of historical data.

  • Upgrade from 11.7.x, 12.1.x, 12.2.x, 12.3 to 12.3.1: UEBA reset is not required.
    - If the learning period is already completed, data will be processed for alert generation immediately.
    - If the learning period is completed only for N days, then it will take 28-N days to complete the learning period before generating alerts.

  • Upgrade from 11.7.x, 12.1.x, 12.2.x, 12.3 to 12.3.1 with schemas updated (addition or removal of schemas configured on UEBA): UEBA reset is required.
    - Historical data is available for N days:
      N > 28 days: Up to 12 days with 28 days of historical data.
      N < 28 days: It will take 28-N days to complete the learning period before generating alerts.
    - Historical data is not available: 28 days to complete the learning period before generating alerts.

Existing NetWitness customer (historical data available): No

Learning Period (alerts will be generated when the learning period is complete):

  • Fresh installation of 12.3.1: 28 days to complete the learning period before generating alerts.

Virtual Machine

The recommended vCPU specification for UEBA is Intel Xeon CPU @2.59 GHz.

  • CPU: 32 cores
  • Memory: 256GB
  • Reserved Memory Allocation: 192GB
  • Disk Requirements for /var/netwitness Partition: Storage 1.5 TB, Thick provisioning
  • Read IOPS: 500
  • Write IOPS: 500

IMPORTANT:
- You must reserve all the resources allocated to UEBA on the VM server. For example, if a user has a 2.1GHz CPU, then 32CPUs * 2.1GHz = 67.2GHz or 67200MHz must be reserved.
- The /var/netwitness partition must be mounted on a 1.5 TB Thick-provisioned disk for storage usage.

To determine the scale limits for Virtual Machine deployments, refer to the Scaling Limitation Issue section in the Troubleshooting UEBA Configurations.

Note: NetWitness recommends that you deploy UEBA on a virtual host only if your log collection volume is low. If you have a moderate to high log collection volume, NetWitness recommends that you deploy UEBA on a physical host as described in the "NetWitness UEBA Host Hardware Specifications" topic of the Physical Host Installation Guide. Contact NetWitness Customer Support (https://community.netwitness.com/t5/support-information/how-to-contact-netwitness-support/ta-p/563897) for advice on choosing which host, virtual or physical, to use for UEBA.

Supported Scale: 125,000 users with 40 million Log and Endpoint events + 20 million Network events with 100,000 JA3 entities per day

Existing NetWitness customer (historical data available): Yes

Learning Period (alerts will be generated when the learning period is complete):

  • Fresh Installation of 12.3.1: Up to 10 days with 28 days of historical data.

  • Upgrade from 11.7.x, 12.1.x, 12.2.x, 12.3 to 12.3.1: UEBA reset is not required.
    - If the learning period is already completed, data will be processed for alert generation immediately.
    - If the learning period is completed only for N days, then it will take 28-N days to complete the learning period before generating alerts.

  • Upgrade from 11.7.x, 12.1.x, 12.2.x, 12.3 to 12.3.1 with schemas updated (addition or removal of schemas configured on UEBA): UEBA reset is required.
    - Historical data is available for N days:
      N > 28 days: Up to 10 days with 28 days of historical data.
      N < 28 days: It will take 28-N days to complete the learning period before generating alerts.
    - Historical data is not available: 28 days to complete the learning period before generating alerts.

Existing NetWitness customer (historical data available): No

Learning Period (alerts will be generated when the learning period is complete):

  • Fresh installation of 12.3.1: 28 days to complete the learning period before generating alerts.

Note: Network events per day refers to the number of events consumed by UEBA per day.

Learning Period Per Scale for 12.3.1 Multiple UEBA Servers

Physical Machine (SERIES 6 ESA (DELL R640) SPECIFICATIONS)

Note: There are two UEBA servers, one is configured with Log and Endpoint data, while the other is configured with Network (TLS) data.

Supported Scale:
  UEBA Server 1: 125,000 users with 120 million Log and Endpoint events per day
  UEBA Server 2: 100 million Network events with 100,000 JA3 entities per day

Existing NetWitness customer (historical data available): Yes

Learning Period (alerts will be generated when the learning period is complete):

  • Fresh Installation of 12.3.1: Up to 12 days with 28 days of historical data.

  • Upgrade from 11.7.x, 12.1.x, 12.2.x, 12.3 to 12.3.1: UEBA reset is not required.
    - If the learning period is already completed, data will be processed for alert generation immediately.
    - If the learning period is completed only for N days, then it will take 28-N days to complete the learning period before generating alerts.

  • Upgrade from 11.7.x, 12.1.x, 12.2.x, 12.3 to 12.3.1 with schemas updated (addition or removal of schemas configured on UEBA): UEBA reset is required.
    - Historical data is available for N days:
      N > 28 days: Up to 12 days with 28 days of historical data.
      N < 28 days: It will take 28-N days to complete the learning period before generating alerts.
    - Historical data is not available: 28 days to complete the learning period before generating alerts.

    Note: An additional UEBA server must be installed to configure the TLS schema on a separate UEBA server. For example, if you are planning to upgrade from 11.7.1:
    Before upgrade: UEBA Server 1 is configured with Log, Endpoint, and TLS data.
    After upgrade:
      • Add another UEBA Server 2 and configure it with the TLS schema.
      • Reconfigure UEBA Server 1 with only Log and Endpoint data, followed by a UEBA reset.
    For more information, see Best Practices to Add and Remove Schemas for Multiple UEBA Servers.

Existing NetWitness customer (historical data available): No

Learning Period (alerts will be generated when the learning period is complete):

  • Fresh installation of 12.3.1: 28 days to complete the learning period before generating alerts.

Learning Period Per Scale for 12.3

Note: The displayed numbers are with the following enhancement enabled. Ensure that you enable the configuration in the application.properties file to improve the processing time. For more information, see "The TLS model is taking too long to complete tasks" section in the Troubleshooting UEBA Configurations.

Physical Machine (SERIES 6 ESA (DELL R640) SPECIFICATIONS)

Supported Scale: 100,000 users with 30 million Log and Endpoint events + 60 million Network events per day

Existing NetWitness customer (historical data available): Yes

Learning Period (alerts will be generated when the learning period is complete):

  • Fresh Installation of 12.3: Up to 10 days with 28 days of historical data.

  • Upgrade from 11.7.x, 12.1.x, 12.2.x to 12.3: UEBA reset is not required.
    - If the learning period is already completed, data will be processed for alert generation immediately.
    - If the learning period is completed only for N days, then it will take 28-N days to complete the learning period before generating alerts.

  • Upgrade from 11.7.x, 12.1.x, 12.2.x to 12.3 with schemas updated (addition or removal of schemas configured on UEBA): UEBA reset is required.
    - Historical data is available for N days:
      N > 28 days: Up to 10 days with 28 days of historical data.
      N < 28 days: It will take 28-N days to complete the learning period before generating alerts.
    - Historical data is not available: 28 days to complete the learning period before generating alerts.

Existing NetWitness customer (historical data available): No

Learning Period (alerts will be generated when the learning period is complete):

  • Fresh installation of 12.3: 28 days to complete the learning period before generating alerts.

Virtual Machine

The recommended vCPU specification for UEBA is Intel Xeon CPU @2.59 GHz.

  • CPU: 32 cores
  • Memory: 128GB
  • Reserved Memory Allocation: 64GB
  • Disk Requirements for /var/netwitness Partition: Storage 1.5 TB, Thick provisioning
  • Read IOPS: 500
  • Write IOPS: 500

IMPORTANT: The /var/netwitness partition must be mounted on a 1.5 TB Thick-provisioned disk for storage usage.

To determine the scale limits for Virtual Machine deployments, refer to the Scaling Limitation Issue section in the Troubleshooting UEBA Configurations.

Note: NetWitness recommends that you deploy UEBA on a virtual host only if your log collection volume is low. If you have a moderate to high log collection volume, NetWitness recommends that you deploy UEBA on a physical host as described in the "NetWitness UEBA Host Hardware Specifications" topic of the Physical Host Installation Guide. Contact NetWitness Customer Support (https://community.netwitness.com/t5/support-information/how-to-contact-netwitness-support/ta-p/563897) for advice on choosing which host, virtual or physical, to use for UEBA.

Supported Scale: 100,000 users with 30 million Log and Endpoint events + 20 million Network events per day

Existing NetWitness customer (historical data available): Yes

Learning Period (alerts will be generated when the learning period is complete):

  • Fresh Installation of 12.3: Up to 8 days with 28 days of historical data.

  • Upgrade from 11.7.x, 12.1.x, 12.2.x to 12.3: UEBA reset is not required.
    - If the learning period is already completed, data will be processed for alert generation immediately.
    - If the learning period is completed only for N days, then it will take 28-N days to complete the learning period before generating alerts.

  • Upgrade from 11.7.x, 12.1.x, 12.2.x to 12.3 with schemas updated (addition or removal of schemas configured on UEBA): UEBA reset is required.
    - Historical data is available for N days:
      N > 28 days: Up to 8 days with 28 days of historical data.
      N < 28 days: It will take 28-N days to complete the learning period before generating alerts.
    - Historical data is not available: 28 days to complete the learning period before generating alerts.

Existing NetWitness customer (historical data available): No

Learning Period (alerts will be generated when the learning period is complete):

  • Fresh installation of 12.3: 28 days to complete the learning period before generating alerts.

Note: Network events per day refers to the number of events consumed by UEBA per day.

Learning Period Per Scale for 12.3 Multiple UEBA Servers

Physical Machine (SERIES 6 ESA (DELL R640) SPECIFICATIONS)

Note: There are two UEBA servers, one is configured with Log and Endpoint data, while the other is configured with Network (TLS) data.

Supported Scale:
  UEBA Server 1: 100,000 users with 100 million Log and Endpoint events per day
  UEBA Server 2: 100 million Network events per day

Existing NetWitness customer (historical data available): Yes

Learning Period (alerts will be generated when the learning period is complete):

  • Fresh Installation of 12.3: Up to 10 days with 28 days of historical data.

  • Upgrade from 11.7.x, 12.1.x, 12.2.x to 12.3: UEBA reset is not required.
    - If the learning period is already completed, data will be processed for alert generation immediately.
    - If the learning period is completed only for N days, then it will take 28-N days to complete the learning period before generating alerts.

  • Upgrade from 11.7.x, 12.1.x, 12.2.x to 12.3 or 12.3.1 with schemas updated (addition or removal of schemas configured on UEBA): UEBA reset is required.
    - Historical data is available for N days:
      N > 28 days: Up to 10 days with 28 days of historical data.
      N < 28 days: It will take 28-N days to complete the learning period before generating alerts.
    - Historical data is not available: 28 days to complete the learning period before generating alerts.

    Note: An additional UEBA server must be installed to configure the TLS schema on a separate UEBA server. For example, if you are planning to upgrade from 11.7.1:
    Before upgrade: UEBA Server 1 is configured with Log, Endpoint, and TLS data.
    After upgrade:
      • Add another UEBA Server 2 and configure it with the TLS schema.
      • Reconfigure UEBA Server 1 with only Log and Endpoint data, followed by a UEBA reset.
    For more information, see Best Practices to Add and Remove Schemas for Multiple UEBA Servers.

Existing NetWitness customer (historical data available): No

Learning Period (alerts will be generated when the learning period is complete):

  • Fresh installation of 12.3: 28 days to complete the learning period before generating alerts.

Learning Period Per Scale (from 11.5.1 version to 12.2.0.1)

Note: For all supported scales, when historical data is not available, the learning period is 28 days.

Physical Machine

SERIES 5 (RSA R630) SPECIFICATIONS

Supported Scale for existing NetWitness customers (historical data is available): Logs and Endpoint data for 100,000 users + 20 million network events per day.

Learning Period (alerts will be generated when the learning period is complete):

  • 11.5.1 Installation: Up to 4 days with 28 days of historical data.

  • 11.5.1 Upgrade from 11.4.x: No learning period.
    - UEBA rerun is not required.

  • 11.5.1 Upgrade from 11.3.x or prior versions: Up to 4 days with 28 days of historical data.
    - UEBA rerun is required.

  • 11.5.1 Upgrade with schema removal: Up to 4 days with 28 days of historical data.
    - UEBA rerun is required.

Supported Scale for existing NetWitness customers (historical data is available): Logs and Endpoint data for 100,000 users + 60 million network events per day.

Learning Period (alerts will be generated when the learning period is complete):

  • 11.5.1 Installation: Up to 14 days with 14 days of historical data.

  • 11.5.1 Upgrade from 11.4.x: No learning period.
    - UEBA rerun is not required.

  • 11.5.1 Upgrade from 11.3.x or prior versions: Up to 14 days with 14 days of historical data.
    - UEBA rerun is required.
    Note: This scenario is impacted by the ASOC-101686 known issue. For more information, see NetWitness Release Notes for 11.5.

  • 11.5.1 Upgrade with schema removal: Up to 14 days with 14 days of historical data.
    - UEBA rerun is required.
    Note: This scenario is impacted by the ASOC-101686 known issue. For more information, see NetWitness Release Notes for 11.5.

Virtual Machine

If there is no historical data, the learning period is 28 days.

  • CPU: 16 cores
  • Memory: 64GB
  • Read IOPS: 500
  • Write IOPS: 500

Note: NetWitness recommends that you deploy UEBA on a virtual host only if your log collection volume is low. If you have a moderate to high log collection volume, NetWitness recommends that you deploy UEBA on a physical host as described in the "NetWitness UEBA Host Hardware Specifications" topic of the Physical Host Installation Guide. Contact Customer Support (https://community.netwitness.com/t5/support-information/how-to-contact-netwitness-support/ta-p/563897) for advice on choosing which host, virtual or physical, to use for UEBA.

Supported Scale for existing NetWitness customers (historical data is available): Logs and Endpoint data for up to 100,000 users with 30 million events per day (no network data).

Learning Period (alerts will be generated when the learning period is complete):

  • 11.5.1 Installation: Up to 4 days with 28 days of historical data.

  • 11.5.1 Upgrade from 11.4.x: No learning period.
    - UEBA rerun is not required.

  • 11.5.1 Upgrade from 11.3.x or prior versions: Up to 4 days with 28 days of historical data.
    - UEBA rerun is required.

  • 11.5.1 Upgrade with schema removal: Up to 4 days with 28 days of historical data.
    - UEBA rerun is required.

Supported Scale for existing NetWitness customers (historical data is available): Logs and Endpoint data for up to 100,000 users with 30 million events per day + 20 million network events per day.

Learning Period (alerts will be generated when the learning period is complete):

  • 11.5.1 Installation: Up to 14 days with 14 days of historical data.

  • 11.5.1 Upgrade from 11.4.x: No learning period.
    - UEBA rerun is not required.

  • 11.5.1 Upgrade from 11.3.x or prior versions: Up to 14 days with 14 days of historical data.
    - UEBA rerun is required.
    Note: This scenario is impacted by the ASOC-101686 known issue. For more information, see NetWitness Release Notes for 11.5.

  • 11.5.1 Upgrade with schema removal: Up to 14 days with 14 days of historical data.
    - UEBA rerun is required.
    Note: This scenario is impacted by the ASOC-101686 known issue. For more information, see NetWitness Release Notes for 11.5.

Note: Network events per day refers to the number of events consumed by UEBA per day. To determine the scale of network events for existing customers, see Troubleshooting UEBA Configurations.