This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Platform Online Documentation
Browse the official NetWitness Platform Online documentation for helpful tutorials, step-by-step instructions, and other valuable resources.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Versions
Collections
All Downloads

Table of Contents

Product Resources

 

 

UEBA Configuration

This topic provides the high-level tasks required to configure UEBA.

Changing the UEBA start-date or the UEBA processed schemas requires a re-run of the UEBA system as well as cleanup of the UEBA databases. In order to avoid deleting the information in the UI, you can use the reset_presidio.py script as described in reset-presidio script, it will keep the data in the UI (e.g. Alerts, Indicators, Entities and Scores).

To configure a single UEBA server, see "Task 3. Install and Configure NetWitness UEBA" under Installation Tasks topic in the UEBA Standalone Installation Guide.

Configure Multiple UEBA Servers

NetWitness Platform now supports installing multiple servers of UEBA in your environment.

Before using this feature, ensure that you meet the following requirements:

The multiple UEBA deployments are independent, with one supporting Logs & Endpoint models and the other dedicated exclusively to Network (TLS) models. Customers with a different use case will need to contact the NetWitness Customer Support team.

Multi-UEBA can use used for the following scenario:

  • Multi-UEBA can only be used if there is no need for correlation between the data consumed by both UEBA servers, such as one server for Logs and Endpoint and one server for Network.

NetWitness recommends that you configure Authentication, File, Active Directory, Process, and Registry schemas on one UEBA server and TLS schema on another UEBA server for better data processing.

Prerequisites

Ensure that the NetWitness Platform and Hosts (UEBA) are in version 12.3 or later.

Procedure

  1. Follow the install instructions for installing multiple UEBA servers. For example, UEBA-Server-1 and UEBA-Server-2. For more information, see "Task 3. Install and Configure NetWitness UEBA" under Installation Tasks topic in the UEBA Standalone Installation Guide.

    You can configure multiple UEBA servers in your environment. NetWitness has installed and verified up to three UEBA servers.

  2. Follow the ueba-server-config script to set up data schemas on the installed UEBA server 1 and UEBA server 2. For more information, see ueba-server-config script.

Best Practices to Add and Remove Schemas for Multiple UEBA Servers

If you are planning to install multiple UEBA servers in your environment. Consider that you have all six schemas configured in the 12.2 or an earlier version of the UEBA server.

NetWitness recommends that the TLS schema (Network data) must be configured on the new UEBA Server first, and then the existing UEBA server containing all schemas must be reset and re-configured with the five schemas Authentication, File, Active Directory, Process, and Registry (Logs and Endpoint data). For more information on configuration, see ueba-server-config script. You need to reset the start date as well and ensure you set the start date one month back from the current date. For more information, see reset-presidio script.

ueba-server-config script

The ueba-server-config script is usually used to configure and run the UEBA component after the deployment. Also, it can be used to update the UEBA configuration during run time.

If you change the start-time or the processing schemas, you must re-run UEBA. All script arguments (except the boolean arguments) are mandatory and must be filled.

For more information on the script parameters, see the NetWitness Standalone Installation Guide for Version 12.4.

To run the script use the following command /opt/rsa/saTools/bin/ueba-server-config --help

Argument Variable Description
-u <user>

User name of the credentials for the Broker or Concentrator instance that you are using as a data source.
-p <password>

Password of the credentials for the Broker or Concentrator instance that you are using as a data source. The following special characters are supported in a password.

!"#$%&()*+,-:;<=>?@[\]^_`\{|}

If you want to include a special character or special characters, you must delimit the password with an apostrophe sign, for example:

sh /opt/rsa/saTools/bin/ueba-server-config -u brokeruser -p '!"UHfz?@ExMn#$' -h 10.64.153.104 -t 2018-08-01T00:00:00Z -s 'AUTHENTICATION FILE ACTIVE_DIRECTORY TLS PROCESS REGISTRY' -o broker -v
-h <host>

IP address of the Broker or Concentrator used as the data source. Currently, only one data source is supported.
-o <type>

Data source host type (broker or concentrator).
-t <startTime>

Historical start time as of which you start collecting data from the data source in YYYY-MM-DDTHH-MM-SSZ format (for example, 2018-08-15T00:00:00Z).

The script interprets the time you enter as UTC (Coordinated Universal Time) and it does not adjust the time to your local time zone.
-s <schemas>

Array of data schemas. If you want to specify multiple schemas, use a space to separate each schema (for example, AUTHENTICATION FILE ACTIVE_DIRECTORY PROCESS REGISTRY TLS).
-v  

verbose mode.
-e <argument>

Boolean Argument. This enables the UEBA indicator forwarder to Respond.

If your NetWitness deployment includes an active Respond server, you can transfer NetWitness UEBA indicators to the Respond server and create incidents by enabling the indicator forwarder, from this data. For more information on how to enable the NetWitness UEBA incidents aggregation, see Enable User Entity Behavior Analytics Incident Rule.

The TLS packet requires adding the hunting package. For more information, see Add Features for UEBA Packet Schema.

reset-presidio script

The reset_presidio.py script deletes the UEBA back-end databases and can also delete the front-end database that is present in the UI.

The reset_presidio.py script is used to re-run the UEBA system as well as to update the UEBA start-date and the processing schemas easily without having to provide all the other parameters required by the ueba-server-config script. This script re-runs the UEBA while it deletes the backed data (models, aggregations, etc.). To delete the front-end data (UI entities and alerts, etc.) use the clean option. If you don’t specify a date, the script will set the default start date, a 28 days earlier than the current date. recommends that the UEBA start date is set to 28 days earlier than the current date. For UEBA systems that intend to process TLS data, you must verify that the start date is set to no later than 14 days earlier than the current date.

UEBA requires to process 28 days of data before the alerts can be created.
• If you choose a start date that is less than 28 days before the current date, for example 10 days earlier from the current date, you will have to wait for another 18 days from the current date to see alerts in your UEBA system (if created).
• If you choose a start date that is greater than 27 days, it's recommended to delete the front-end database as well (use the -c) to avoid duplicate alerts.

To run the script, load the Airflow virtual environment variables as follows:

  1. source /etc/sysconfig/airflow

  2. source $AIRFLOW_VENV/bin/activate

  3. python /var/netwitness/presidio/airflow/venv39/lib/python3.9/site-packages/presidio_workflows-1.0-py3.9.egg/presidio/utils/airflow/reset_presidio.py --help

  4. deactivate

Argument

Variable

Description
-h, --help   Script Help
-c, --clean <argument> Clean any existing data in Elasticsearch DB (as Alerts, Indicators, Entities, etc), all data will be deleted form the UEBA UI
-s <schema> Reconfigure the UEBA engine array of schemas (e.g. [AUTHENTICATION FILE ACTIVE_DIRECTORY PROCESS REGISTRY TLS])
-d <date> Reconfigure the UEBA engine to start from midnight UTC of this date. If not set, by default reset the start date to 27 days before the current system day, at midnight UTC, to avoid duplicate alerts in the UEBA UI, in case you didn't cleaned the elasticsearch data (-c) (e.g. 2010-12-31)

Please refer to the above table for the required arguments to pass along with the reset command. For more information, refer to the example command below.

 

 

python /var/netwitness/presidio/airflow/venv39/lib/python3.9/site-packages/presidio_workflows-1.0-py3.9.egg/presidio/utils/airflow/reset_presidio.py -c -d 2023-11-16 -s AUTHENTICATION ACTIVE_DIRECTORY FILE PROCESS REGISTRY TLS

 

 

Add a Schema without Rerunning the UEBA

Adding a schema without rerunning the UEBA system is supported on NetWitness Platform.

To add a new UEBA schema without rerunning the UEBA system, run the following command on the UEBA host.

curl -X PATCH http://localhost:8881/configuration -H 'content-type: application/json' -d '{"operations":[{"op":"add","path":"/dataPipeline/schemas/-","value":"<SCHEMA>"}]}'

Where <SCHEMA> string can be replaced with any one of the following schemas:

  • AUTHENTICATION
  • FILE
  • ACTIVE_DIRECTORY
  • PROCESS
  • REGISTRY
  • TLS

UEBA Indicator Forwarder

The UEBA Indicator Forwarder is supported by the NetWitness UEBA.
If your NetWitness environment includes an active respond server, you can transfer the UEBA indicators to the respond server and to the correlation server in order to create Incidents. For more information, see Enable User Entity Behavior Analytics Incident Rule.

Run the following command to activate the UEBA Indicator Forwarder:

curl -X PATCH http://localhost:8881/configuration -H 'content-type: application/json' -d '{"operations":[{"op":"replace","path":"/outputForwarding/enableForwarding","value":true}]}'

To deactivate the UEBA indicator forwarder, change the “value":true at the request body to be “value":false.

Update Data Source Details

In order to update the details of the data source you must use the ueba-server-config script. For more information, see ueba-server-config script.

From 12.3 version or later, if you change the data source using the ueba-server-config script, UEBA will use the previously configured start date by default. To change the UEBA start date, use the reset-presidio script.

The data sources details are:

  • Data Source type (Broker / Concentrator).
  • Data Source username.
  • Data Source password.
  • Data Source host.

Add Features for UEBA Packet Schema

Add the Hunting Pack:

In NetWitness Platform, add the hunting pack or verify it it’s available:

  1. Log in to the NetWitness Platform.
  2. Navigate to AdminIcon.png  (Admin) and select Admin Server.
  3. Click actions_button.png and select Configure > Live Content.

    huntpack2_1971x879.png

  4. On the left menu, select the following:
    1. Bundle under Resources Type.
    2. Packet under Medium
  5. Click Search.
    A list of matching resources is displayed.
  6. Select Hunting Pack from the list and click Deploy.
    The hunting pack is added.

Add JA4

The JA4 fields are supported by the Packet Decoder in 12.5 and later. Verify that your Packet Decoder is upgraded to one of these versions.

To add JA4

1. Log in to the NetWitness Platform.

2. Go to AdminIcon.png (Admin) > Services and select Decoder.

3. Navigate to /decoder/parsers/config/parsers.options.

4. Add HTTPS="ja4=true.

    

Assign User Access to UEBA

To create a user with privileges to access the UEBA pages (Users tab) on the Netwitness UI do the following:

  1. Navigate to AdminIcon.png (Admin) > Security.
  2. Create a new UEBA_Analysts and Analysts user roles.
    125_Assign_User_Access_0624_1657x725.png

For more information, see the "Manage Users with Roles and Permissions" topic in the System Security and User Management Guide.

Create an Analysts Role

In order to fetch data from the data source (Broker / Concentrator), you need to create a user using the Analysts role in the data source service.

  1. Navigate to the security tab at the data source service page.
  2. Go to the AdminIcon.png (Admin) > Services > Security.
  3. Create an analyst user and assign it to the any of supported special characters.125_Assign_User_Access1_0624_2113x929.png

Enable User Entity Behavior Analytics Incident Rule

In order to aggregate the UEBA indicators under Incident rule, follow the instructions below:

Enable the UEBA Forwarding process as described in Enable UEBA Indicator Forwarder.

By default, the NetWitness UEBA (On-premises) rules are disabled in your environment. You can enable them to generate the incident IDs for the alerts and customize the NetWitness UEBA (On-premises) rules settings.

  1. Go to > Incident Rules.

    125_Enable_UEBA_Incident_Rules_0624_2001x844.png

  2. Select the NetWitness UEBA (On-premises) rule and click Enable.

    A confirmation pop-up is displayed.

  3. Click OK.

Enable or Disable Modeled Behaviors for Users

The UEBA Modeled Behaviors functionality is enabled by default.

To disable perform the following:

  1. SSH to the UEBA server.

    Edit and add the parameter entity.profile.enabled=false in the file/etc/netwitness/presidio/configserver/configurations/presidio-uiconf.properties .

  2. Run the command to restart the presidio-ui.

    systemctl restart presidio-ui

    To enable, remove the parameter entity.profile.enabled=false from the file and restart the presidio-ui using the step 2.

    Once you have enabled or disabled the Modeled Behaviors, you can verify from NetWitness Platform UI.

    To verify, perform the following:

    1. Log in to the NetWitness Platform and click Users.
    2. In the Overview tab, under Top Risky Users panel, click on a username.
    3. Click the Modeled Behaviors tab.

      For more information, see "View Modeled Behaviors" topic in the UEBA User Guide for NetWitness Platform 12.3.

Update UEBA Queries using nw-shell Utility

This topic describes the steps required to update the queries for UEBA schemas using nw-shell Utility.

Prior to version 12.5, queries for schemas were stored and accessed from the schemas.json file. Starting with version 12.5, these queries have been migrated to the UEBA server database instead of the schemas.json file. If the queries for schemas were modified in the schemas.json file before version 12.5, they will be transferred to the UEBA server database as part of the post-upgrade process.

Users can update queries for schema in UEBA server database using nw-shell utility.

Note:
- If users have added new meta fields using custom parsers, those meta fields will not be included in the default queries defined for the schema. Users must update the query using the nw-shell utility.
- Only administrators can update schema queries using specific commands within the nw-shell utility.

To Update UEBA Queries using nw-shell Utility

  1. SSH into the Admin server.

  2. Enter the following command: nw-shell

    The console window is displayed.

  3. Connect to ueba-server using the following command:

    connect --service ueba-server

  4. Enter the login command: login

  5. Enter the admin username and password.

  6. Navigate to ueba/mapping using the following command: cd ueba/mapping

  7. Run the following command to list available options/commands: ls

    125_UEBA_nwshell.png

  8. Navigate to the following available commands and invoke them. cd <command>

    Refer to the following table for the command and its usage.

Command

Description

Example
get-mapping Get details/mappings of all schemas cd get-mapping invoke

125_UEBA_get_mapping.png
Command      

Description

 Example

update-mapping 

 

 Updating details/queries/mapping of schema

cd update-mapping invoke --file <json-input-file-path>

Example of the Json file:

{

"id":"662a21d8dfcc3b23d78b25d7",

"selectClause":"select ueba.schema,sessionid,event.source.id,agent.id,event.time,device.type,user.src,action,alias.host,owner,directory.src,filename.src,ec.subject,registry.key,cert.common,dir.path.src,nwe.callback_id,file.cat.src ",

"query":"where category='Registry Event' AND device.type='nwendpoint'",

"metaMapping":{

"time":"event.time"

},

"multiValue":"action,alias.host,dir.path.src,file.cat.src"

}

Note: You can modify only the values of the following fields: selectClause, query, metaMapping, and multiValue.

125_UEBA_update_mapping.png

125_UEBA_update_mapping1.png

Removal of Packetbeat Service

From the 12.3 version or later, the Packbeat service has been removed from UEBA to improve memory usage and performance. This allows other services in UEBA to utilize the resources more efficiently, reducing the load on the system.

Learning Period Per Scale

Learning Period Per Scale for 12.5

Note: The Learning Period Per Scale numbers for the Physical Machine, Virtual Machine, and Multi-UEBA deployments remain the same in versions 12.5 and 12.5.1.

Physical Machine (SERIES 6 ESA (DELL R640) SPECIFICATIONS)

Supported Scale

Existing NetWitness customer (historical data available)

 

 Learning Period
Alerts will be generated when the learning period is complete

150,000 users with 50 million Log and Endpoint events + 70 million Network events with 150,000 JA4 entities per day

 

 

 Yes

Fresh Installation of 12.5

Up to 8 days with 28 days of historical data

150,000 users with 50 million Log and Endpoint events + 70 million Network events with 150,000 JA4 entities per day

 Yes

Upgrade from 12.2.x, 12.3, 12.3.1, 12.4, 12.4.1, and 12.4.2 to 12.5

UEBA reset is not required.

  • If learning period is already completed, data will be processed for alert generation immediately.

  • If learning period is completed only for N days, then it will take 28-N days to complete the learning period before generating alerts.

150,000 users with 50 million Log and Endpoint events + 70 million Network events with 150,000 JA4 entities per day

 Yes

Upgrade from 12.2.x, 12.3, 12.3.1, 12.4, 12.4.1, and 12.4.2 to 12.5 with schemas updated (Addition or removal of schemas configured on UEBA)

UEBA reset is required.

UEBA reset is required.

Historical data is available for N days:

  • N > 28 days : Up to 8 days with 28 days of historical data.

  • N < 28 days: It will take 28-N days to complete the learning period before generating alerts.

Historical data is not available

28 days to complete the learning period before generating alerts.

 

150,000 users with 50 million Log and Endpoint events + 70 million Network events with 150,000 JA4 entities per day

 No

Fresh installation of 12.5

28 days to complete the learning period before generating alerts.

 

Virtual Machine

The recommended vCPU specification for UEBA is Intel Xeon CPU @2.59 Ghz.

CPU Memory Reserved Memory Allocation Disk Requirements for /var/netwitness Partition Read IOPS Write IOPS
32 cores 256GB

192GB

  • Storage: 1.5 TB

  • Provisioning: Thick

 500

500

To determine the scale limits for Virtual Machine deployments, refer to the Scaling Limitation Issue section in the Troubleshooting UEBA Configurations.

IMPORTANT:
- You must reserve all the resources allocated to UEBA on the VM server. For example, if a user has a 2.1GHz CPU, then 32CPUs * 2.1GHz = 67.2GHz or 67200MHz must be reserved.
- The /var/netwitness partition must be mounted on a 1.5 TB Thick-provisioned disk for storage usage.

Note: NetWitness recommends you to deploy UEBA on a virtual host, only if your log collection volume is low. If you have a moderate to high log collection volume, NetWitness recommends you to deploy UEBA on the physical host as described in the "NetWitness UEBA Host Hardware Specifications" topic of the Physical Host Installation Guide. Contact NetWitness Customer Support (https://community.netwitness.com/t5/support-information/how-to-contact-netwitness-support/ta-p/563897) for advice on choosing which host, virtual or physical, to use for UEBA.

Supported Scale Existing NetWitness customer
(historical data available)		 Learning Period
Alerts will be generated when the learning period is complete

150,000 users with 50 million Log and Endpoint events + 25 million Network events with 150,000 JA4 entities per day

 Yes

Fresh Installation of 12.5

Up to 8 days with 28 days of historical data

150,000 users with 50 million Log and Endpoint events + 25 million Network events with 150,000 JA4 entities per day

 Yes Upgrade from 12.2.x, 12.3, 12.3.1, 12.4, 12.4.1, and 12.4.2 to 12.5

UEBA reset is not required.

  • If learning period is already completed, data will be processed for alert generation immediately.

  • If learning period is completed only for N days, then it will take 28-N days to complete the learning period before generating alerts.

150,000 users with 50 million Log and Endpoint events + 25 million Network events with 150,000 JA4 entities per day

 Yes

Upgrade from 12.2.x, 12.3, 12.3.1, 12.4, 12.4.1, and 12.4.2 to 12.5 with schemas updated (Addition or removal of schemas configured on UEBA)

UEBA reset is required.

Historical data is available for N days:

  • N > 28 days: Up to 8 days with 28 days of historical data.

  • N < 28 days: It will take 28-N days to complete the learning period before generating alerts.

Historical data is not available

28 days to complete the learning period before generating alerts.
150,000 users with 50 million Log and Endpoint events + 25 million Network events with 150,000 JA4 entities per day

 

 No

Fresh installation of 12.5

28 days to complete the learning period before generating alerts.

Note: Network events per day refers to number of events consumed by UEBA per day.

Learning Period Per Scale for 12.5 Multiple UEBA Servers

Physical Machine (SERIES 6 ESA (DELL R640) SPECIFICATIONS)

Note: There are two UEBA servers, one is configured with Log and Endpoint data, while the other is configured with Network (TLS) data.

Supported Scale Existing NetWitness customer (historical data available) Learning Period
Alerts will be generated when the learning period is complete

UEBA Server 1: 200,000 users with 150 million Log and Endpoint events per day

UEBA Server 2: 110 million Network events with 150,000 JA4 entities per day

 Yes

Fresh Installation of 12.5

Up to 12 days with 28 days of historical data

UEBA Server 1: 200,000 users with 150 million Log and Endpoint events per day

UEBA Server 2: 110 million Network events with 150,000 JA4 entities per day

 Yes Upgrade from 12.2.x, 12.3, 12.3.1, 12.4, 12.4.1, and 12.4.2 to 12.5

UEBA reset is not required.

  • If learning period is already completed, data will be processed for alert generation immediately.

  • If learning period is completed only for N days, then it will take 28-N days to complete the learning period before generating alerts.

UEBA Server 1: 200,000 users with 150 million Log and Endpoint events per day

UEBA Server 2: 110 million Network events with 150,000 JA4 entities per day

 Yes

Note: An additional UEBA server must be installed to configure TLS schema on a separate UEBA server.
For example, if you are planning to upgrade from 12.4:
Before upgrade: UEBA Server 1 is configured with Log, Endpoint, and TLS data.
After upgrade:
• Add another UEBA Server 2 and configure it with TLS schema.
• Reconfigure UEBA Server 1 with only Log and Endpoint data followed by UEBA reset.
For more information, see Best Practices to Add and Remove Schemas for Multiple UEBA Servers.

Upgrade from 12.2.x, 12.3, 12.3.1, 12.4, 12.4.1, and 12.4.2 to 12.5 with schemas updated (Addition or removal of schemas configured on UEBA)

UEBA reset is required.
Historical data is available for N days:

  • N > 28 days: Up to 12 days with 28 days of historical data.

  • N < 28 days: It will take 28-N days to complete the learning period before generating alerts.

Historical data is not available

28 days to complete the learning period before generating alerts.

UEBA Server 1: 200,000 users with 150 million Log and Endpoint events per day

UEBA Server 2: 110 million Network events with 150,000 JA4 entities per day

 

 No

Fresh installation of 12.5

28 days to complete the learning period before generating alerts.

Learning Period Per Scale for 12.4

Physical Machine (SERIES 6 ESA (DELL R640) SPECIFICATIONS)

Supported Scale

Existing NetWitness customer (historical data available)

 

 Learning Period
Alerts will be generated when the learning period is complete

  • Scale 1: 125,000 users with 40 million Log and Endpoint events + 60 million Network events with 100,000 JA3 entities per day

  • Scale 2: 150,000 users with 50 million Log and Endpoint events + 70 million Network events with 150,000 JA3 entities per day

     

 

 Yes

Fresh Installation of 12.4

  • Scale 1: Up to 6.5 days with 28 days of historical data

  • Scale 2: Up to 9 days with 28 days of historical data

  • Scale 1: 125,000 users with 40 million Log and Endpoint events + 60 million Network events with 100,000 JA3 entities per day

  • Scale 2: 150,000 users with 50 million Log and Endpoint events + 70 million Network events with 150,000 JA3 entities per day

 Yes

Upgrade from 12.2.x, 12.3, 12.3.1 to 12.4

UEBA reset is not required.

  • If learning period is already completed, data will be processed for alert generation immediately.

  • If learning period is completed only for N days, then it will take 28-N days to complete the learning period before generating alerts.

  • Scale 1: 125,000 users with 40 million Log and Endpoint events + 60 million Network events with 100,000 JA3 entities per day

  • Scale 2: 150,000 users with 50 million Log and Endpoint events + 70 million Network events with 150,000 JA3 entities per day

 

 Yes

Upgrade from 12.2.x, 12.3, 12.3.1 to 12.4 with schemas updated (Addition or removal of schemas configured on UEBA)

UEBA reset is required.

Historical data is available for N days:

  • Scale 1 with N > 28 days : Up to 6.5 days with 28 days of historical data.

  • Scale 2 with N > 28 days: Up to 9 days with 28 days of historical data

  • Scale 1 and Scale 2 with N < 28 days: It will take 28-N days to complete the learning period before generating alerts.

Historical data is not available

28 days to complete the learning period before generating alerts.

 

  • Scale 1: 125,000 users with 40 million Log and Endpoint events + 60 million Network events with 100,000 JA3 entities per day

  • Scale 2: 150,000 users with 50 million Log and Endpoint events + 70 million Network events with 150,000 JA3 entities per day

 

 No

Fresh installation of 12.4

28 days to complete the learning period before generating alerts.

 

Virtual Machine

The recommended vCPU specification for UEBA is Intel Xeon CPU @2.59 Ghz.

CPU Memory Reserved Memory Allocation Disk Requirements for /var/netwitness Partition Read IOPS Write IOPS
32 cores 256GB

192GB

  • Storage: 1.5 TB

  • Provisioning: Thick

 500

500

To determine the scale limits for Virtual Machine deployments, refer to the Scaling Limitation Issue section in the Troubleshooting UEBA Configurations.


- You must reserve all the resources allocated to UEBA on the VM server. For example, if a user has a 2.1GHz CPU, then 32CPUs * 2.1GHz = 67.2GHz or 67200MHz must be reserved.
- The /var/netwitness partition must be mounted on a 1.5 TB Thick-provisioned disk for storage usage.

NetWitness recommends you to deploy UEBA on a virtual host, only if your log collection volume is low. If you have a moderate to high log collection volume, NetWitness recommends you to deploy UEBA on the physical host as described in the "NetWitness UEBA Host Hardware Specifications" topic of the Physical Host Installation Guide. Contact NetWitness Customer Support (https://community.netwitness.com/t5/support-information/how-to-contact-netwitness-support/ta-p/563897) for advice on choosing which host, virtual or physical, to use for UEBA.

Supported Scale Existing NetWitness customer
(historical data available)		 Learning Period
Alerts will be generated when the learning period is complete

  • Scale 1: 125,000 users with 40 million Log and Endpoint events + 20 million Network events with 100,000 JA3 entities per day

  • Scale 2: 150,000 users with 50 million Log and Endpoint events + 25 million Network events with 150,000 JA3 entities per day

 Yes

Fresh Installation of 12.4

  • Scale 1: Up to 6.5 days with 28 days of historical data

  • Scale 2: Up to 7.5 days with 28 days of historical data

  • Scale 1: 125,000 users with 40 million Log and Endpoint events + 20 million Network events with 100,000 JA3 entities per day

  • Scale 2: 150,000 users with 50 million Log and Endpoint events + 25 million Network events with 150,000 JA3 entities per day

 Yes Upgrade from 12.2.x, 12.3, 12.3.1 to 12.4

UEBA reset is not required.

  • If learning period is already completed, data will be processed for alert generation immediately.

  • If learning period is completed only for N days, then it will take 28-N days to complete the learning period before generating alerts .

  • Scale 1: 125,000 users with 40 million Log and Endpoint events + 20 million Network events with 100,000 JA3 entities per day

  • Scale 2: 150,000 users with 50 million Log and Endpoint events + 25 million Network events with 150,000 JA3 entities per day

 

 Yes

Upgrade from 12.2.x, 12.3, 12.3.1 to 12.4 with schemas updated (Addition or removal of schemas configured on UEBA)

UEBA reset is required.

Historical data is available for N days:

  • Scale 1 with N > 28 days: Up to 6.5 days with 28 days of historical data.

  • Scale 2 with N > 28 days: Up to 7.5 days with 28 days of historical data.

  • Scale 1 and Scale 2 with N < 28 days: It will take 28-N days to complete the learning period before generating alerts.

Historical data is not available

28 days to complete the learning period before generating alerts.

  • Scale 1: 125,000 users with 40 million Log and Endpoint events + 20 million Network events with 100,000 JA3 entities per day

  • Scale 2: 150,000 users with 50 million Log and Endpoint events + 25 million Network events with 150,000 JA3 entities per day

 

 No

Fresh installation of 12.4

28 days to complete the learning period before generating alerts.

Network events per day refers to number of events consumed by UEBA per day.

Learning Period Per Scale for 12.4 Multiple UEBA Servers

Physical Machine (SERIES 6 ESA (DELL R640) SPECIFICATIONS)

There are two UEBA servers, one is configured with Log and Endpoint data, while the other is configured with Network (TLS) data.

Supported Scale Existing NetWitness customer (historical data available) Learning Period
Alerts will be generated when the learning period is complete

Scale 1 for Multi-UEBA:

  • UEBA Server 1: 125,000 users with 120 million Log and Endpoint events per day

  • UEBA Server 2: 100 million Network events with 100,000 JA3 entities per day

Scale 2 for Multi-UEBA:

  • UEBA Server 1: 200,000 users with 150 million Log and Endpoint events per day

  • UEBA Server 2: 110 million Network events with 150,000 JA3 entities per day

 Yes

Fresh Installation of 12.4

  • Scale 1: Up to 8.5 days with 28 days of historical data

  • Scale 2: Up to 12 days with 28 days of historical data
Scale 1 for Multi-UEBA:

  • UEBA Server 1: 125,000 users with 120 million Log and Endpoint events per day

  • UEBA Server 2: 100 million Network events with 100,000 JA3 entities per day

Scale 2 for Multi-UEBA:

  • UEBA Server 1: 200,000 users with 150 million Log and Endpoint events per day

  • UEBA Server 2: 110 million Network events with 150,000 JA3 entities per day

 Yes Upgrade from 12.2.x, 12.3, 12.3.1 to 12.4

UEBA reset is not required.

  • If learning period is already completed, data will be processed for alert generation immediately.

  • If learning period is completed only for N days, then it will take 28-N days to complete the learning period before generating alerts.
Scale 1 for Multi-UEBA:

  • UEBA Server 1: 125,000 users with 120 million Log and Endpoint events per day

  • UEBA Server 2: 100 million Network events with 100,000 JA3 entities per day

Scale 2 for Multi-UEBA:

  • UEBA Server 1: 200,000 users with 150 million Log and Endpoint events per day

  • UEBA Server 2: 110 million Network events with 150,000 JA3 entities per day

 Yes

An additional UEBA server must be installed to configure TLS schema on a separate UEBA server.
For example, if you are planning to upgrade from 12.2:
Before upgrade: UEBA Server 1 is configured with Log, Endpoint, and TLS data.
After upgrade:
• Add another UEBA Server 2 and configure it with TLS schema.
• Reconfigure UEBA Server 1 with only Log and Endpoint data followed by UEBA reset.
For more information, see Best Practices to Add and Remove Schemas for Multiple UEBA Servers.

Upgrade from 12.2.x, 12.3, 12.3.1 to 12.4 with schemas updated (Addition or removal of schemas configured on UEBA)

UEBA reset is required.
Historical data is available for N days:

  • Scale 1 with N > 28 days: Up to 8.5 days with 28 days of historical data.

  • Scale 2 with N > 28 days: Up to 12 days with 28 days of historical data.

  • Scale 1 and Scale 2 with N < 28 days: It will take 28-N days to complete the learning period before generating alerts.

Historical data is not available

28 days to complete the learning period before generating alerts.
Scale 1 for Multi-UEBA:

  • UEBA Server 1: 125,000 users with 120 million Log and Endpoint events per day

  • UEBA Server 2: 100 million Network events with 100,000 JA3 entities per day

Scale 2 for Multi-UEBA:

  • UEBA Server 1: 200,000 users with 150 million Log and Endpoint events per day

  • UEBA Server 2: 110 million Network events with 150,000 JA3 entities per day

 No

Fresh installation of 12.4

28 days to complete the learning period before generating alerts.

Learning Period Per Scale for 12.3.1

Physical Machine (SERIES 6 ESA (DELL R640) SPECIFICATIONS)

Supported Scale

Existing NetWitness customer (historical data available)

 

 Learning Period
Alerts will be generated when the learning period is complete

125,000 users with 40 million Log and Endpoint events + 60 million Network events with 100,000 JA3 entities per day

 

 Yes

Fresh Installation of 12.3.1
Up to 12 days with 28 days of historical data
125,000 users with 40 million Log and Endpoint events + 60 million Network events with 100,000 JA3 entities per day Yes

Upgrade from 11.7.x, 12.1.x, 12.2.x, 12.3 to 12.3.1

UEBA reset is not required.

  • If learning period is already completed, data will be processed for alert generation immediately.

  • If learning period is completed only for N days, then it will take 28-N days to complete the learning period before generating alerts.
Supported Scale Existing NetWitness customer (historical data available) Learning Period
Alerts will be generated when the learning period is complete

125,000 users with 40 million Log and Endpoint events + 60 million Network events with 100,000 JA3 entities per day

Yes

Upgrade from 11.7.x, 12.1.x, 12.2.x, 12.3 to 12.3.1 with schemas updated (Addition or removal of schemas configured on UEBA)

UEBA reset is required.

Historical data is available for N days:

  • N > 28 days: Up to 12 days with 28 days of historical data.

  • N < 28 days: It will take 28-N days to complete the learning period before generating alerts.

Historical data is not available

28 days to complete the learning period before generating alerts.

125,000 users with 40 million Log and Endpoint events + 60 million Network events with 100,000 JA3 entities per day

No

Fresh installation of 12.3.1

28 days to complete the learning period before generating alerts.

Virtual Machine

The recommended vCPU specification for UEBA is Intel Xeon CPU @2.59 Ghz.

CPU Memory Reserved Memory Allocation Disk Requirements for /var/netwitness Partition Read IOPS Write IOPS
32 cores 256GB

192GB

  • Storage: 1.5 TB

  • Provisioning: Thick

 500

500

To determine the scale limits for Virtual Machine deployments, refer to the Scaling Limitation Issue section in the Troubleshooting UEBA Configurations.


- You must reserve all the resources allocated to UEBA on the VM server. For example, if a user has a 2.1GHz CPU, then 32CPUs * 2.1GHz = 67.2GHz or 67200MHz must be reserved.
- The /var/netwitness partition must be mounted on a 1.5 TB Thick-provisoned disk for storage usage.

NetWitness recommends you to deploy UEBA on a virtual host, only if your log collection volume is low. If you have a moderate to high log collection volume, NetWitness recommends you to deploy UEBA on the physical host as described in the "NetWitness UEBA Host Hardware Specifications" topic of the Physical Host Installation Guide. Contact NetWitness Customer Support (https://community.netwitness.com/t5/support-information/how-to-contact-netwitness-support/ta-p/563897) for advice on choosing which host, virtual or physical, to use for UEBA.

Supported Scale Existing NetWitness customer
(historical data available)		 Learning Period
Alerts will be generated when the learning period is complete

125,000 users with 40 million Log and Endpoint events + 20 million Network events with 100,000 JA3 entities per day

 Yes

Fresh Installation of 12.3.1
Up to 10 days with 28 days of historical data
125,000 users with 40 million Log and Endpoint events + 20 million Network events with 100,000 JA3 entities per day Yes Upgrade from 11.7.x, 12.1.x, 12.2.x, 12.3 to 12.3.1

UEBA reset is not required.

  • If learning period is already completed, data will be processed for alert generation immediately.

  • If learning period is completed only for N days, then it will take 28-N days to complete the learning period before generating alerts .
Supported Scale Existing NetWitness customer
(historical data available)		 Learning Period
Alerts will be generated when the learning period is complete
125,000 users with 40 million Log and Endpoint events + 20 million Network events with 100,000 JA3 entities per day Yes

Upgrade from 11.7.x, 12.1.x, 12.2.x, 12.3 to 12.3.1 with schemas updated (Addition or removal of schemas configured on UEBA)

UEBA reset is required.

Historical data is available for N days:

  • N > 28 days: Up to 10 days with 28 days of historical data.

  • N < 28 days: It will take 28-N days to complete the learning period before generating alerts.

Historical data is not available

28 days to complete the learning period before generating alerts.

125,000 users with 40 million Log and Endpoint events + 20 million Network events with 100,000 JA3 entities per day

No

Fresh installation of 12.3.1

28 days to complete the learning period before generating alerts.

Network events per day refers to number of events consumed by UEBA per day.

Learning Period Per Scale for 12.3.1 Multiple UEBA Servers

Physical Machine (SERIES 6 ESA (DELL R640) SPECIFICATIONS)

There are two UEBA servers, one is configured with Log and Endpoint data, while the other is configured with Network (TLS) data.

Supported Scale Existing NetWitness customer (historical data available) Learning Period
Alerts will be generated when the learning period is complete

UEBA Server 1: 125,000 users with 120 million Log and Endpoint events per day

UEBA Server 2: 100 million Network events with 100,000 JA3 entities per day

 Yes

Fresh Installation of 12.3.1
Up to 12 days with 28 days of historical data
UEBA Server 1: 125,000 users with 120 million Log and Endpoint events per day

UEBA Server 2: 100 million Network events with 100,000 JA3 entities per day

 Yes Upgrade from 11.7.x, 12.1.x, 12.2.x, 12.3 to 12.3.1

UEBA reset is not required.

  • If learning period is already completed, data will be processed for alert generation immediately.

  • If learning period is completed only for N days, then it will take 28-N days to complete the learning period before generating alerts.
UEBA Server 1: 125,000 users with 120 million Log and Endpoint events per day

UEBA Server 2: 100 million Network events with 100,000 JA3 entities per day

 Yes

An additional UEBA server must be installed to configure TLS schema on a separate UEBA server.
For example, if you are planning to upgrade from 11.7.1:
Before upgrade: UEBA Server 1 is configured with Log, Endpoint, and TLS data.
After upgrade:
• Add another UEBA Server 2 and configure it with TLS schema.
• Reconfigure UEBA Server 1 with only Log and Endpoint data followed by UEBA reset.
For more information, see Best Practices to Add and Remove Schemas for Multiple UEBA Servers.

Upgrade from 11.7.x, 12.1.x, 12.2.x, 12.3 to 12.3.1 with schemas updated (Addition or removal of schemas configured on UEBA)

UEBA reset is required.
Historical data is available for N days:

  • N > 28 days: Up to 12 days with 28 days of historical data.

  • N < 28 days: It will take 28-N days to complete the learning period before generating alerts.

Historical data is not available

28 days to complete the learning period before generating alerts.
Supported Scale Existing NetWitness customer (historical data available) Learning Period
Alerts will be generated when the learning period is complete

UEBA Server 1: 125,000 users with 120 million Log and Endpoint events per day

UEBA Server 2: 100 million Network events with 100,000 JA3 entities per day

No

Fresh installation of 12.3.1

28 days to complete the learning period before generating alerts.

Learning Period Per Scale for 12.3

The displayed numbers are with the following enhancement enabled. Ensure that you enable the configuration in the application.properties file to improve the processing time. For more information, see The TLS model is taking too long to complete tasks section in the Troubleshooting UEBA Configurations.

 

Physical Machine (SERIES 6 ESA (DELL R640) SPECIFICATIONS)

Supported Scale

Existing NetWitness customer (historical data available)

 

 Learning Period
Alerts will be generated when the learning period is complete

100,000 users with 30 million Log and Endpoint events + 60 million Network events per day

 

 

 Yes

Fresh Installation of 12.3
Up to 10 days with 28 days of historical data
100,000 users with 30 million Log and Endpoint events + 60 million Network events per day Yes

Upgrade from 11.7.x, 12.1.x, 12.2.x to 12.3

UEBA reset is not required.

  • If learning period is already completed, data will be processed for alert generation immediately.

  • If learning period is completed only for N days, then it will take 28-N days to complete the learning period before generating alerts.
Supported Scale Existing NetWitness customer (historical data available) Learning Period
Alerts will be generated when the learning period is complete

100,000 users with 30 million Log and Endpoint events + 60 million Network events per day

Yes

Upgrade from 11.7.x, 12.1.x, 12.2.x to 12.3 with schemas updated (Addition or removal of schemas configured on UEBA)

UEBA reset is required.

Historical data is available for N days:

  • N > 28 days: Up to 10 days with 28 days of historical data.

  • N < 28 days: It will take 28-N days to complete the learning period before generating alerts.

Historical data is not available

28 days to complete the learning period before generating alerts.

100,000 users with 30 million Log and Endpoint events + 60 million Network events per day

No

Fresh installation of 12.3

28 days to complete the learning period before generating alerts.

Virtual Machine

The recommended vCPU specification for UEBA is Intel Xeon CPU @2.59 Ghz.

CPU Memory Reserved Memory Allocation Disk Requirements for /var/netwitness Partition Read IOPS Write IOPS
32 cores 128GB

64GB

  • Storage: 1.5 TB

  • Provisioning: Thick

 500

500

 

The /var/netwitness partition must be mounted on a 1.5 TB Thick-provisoned disk for storage usage.

To determine the scale limits for Virtual Machine deployments, refer to the Scaling Limitation Issue section in the Troubleshooting UEBA Configurations.

NetWitness recommends you to deploy UEBA on a virtual host, only if your log collection volume is low. If you have a moderate to high log collection volume, NetWitness recommends you to deploy UEBA on the physical host as described in the "NetWitness UEBA Host Hardware Specifications" topic of the Physical Host Installation Guide. Contact NetWitness Customer Support (https://community.netwitness.com/t5/support-information/how-to-contact-netwitness-support/ta-p/563897) for advice on choosing which host, virtual or physical, to use for UEBA.

Supported Scale Existing NetWitness customer
(historical data available)		 Learning Period
Alerts will be generated when the learning period is complete

100,000 users with 30 million Log and Endpoint events + 20 million Network events per day

 Yes

Fresh Installation of 12.3
Up to 8 days with 28 days of historical data
100,000 users with 30 million Log and Endpoint events + 20 million Network events per day Yes Upgrade from 11.7.x, 12.1.x, 12.2.x to 12.3

UEBA reset is not required.

  • If learning period is already completed, data will be processed for alert generation immediately.

  • If learning period is completed only for N days, then it will take 28-N days to complete the learning period before generating alerts.
100,000 users with 30 million Log and Endpoint events + 20 million Network events per day Yes

Upgrade from 11.7.x, 12.1.x, 12.2.x to 12.3 with schemas updated (Addition or removal of schemas configured on UEBA)

UEBA reset is required.

Historical data is available for N days:

  • N > 28 days: Up to 8 days with 28 days of historical data.

  • N < 28 days: It will take 28-N days to complete the learning period before generating alerts.

Historical data is not available

28 days to complete the learning period before generating alerts.

100,000 users with 30 million Log and Endpoint events + 20 million Network events per day

No

Fresh installation of 12.3

28 days to complete the learning period before generating alerts.

Network events per day refers to number of events consumed by UEBA per day.

Learning Period Per Scale for 12.3 Multiple UEBA Servers

Physical Machine (SERIES 6 ESA (DELL R640) SPECIFICATIONS)

There are two UEBA servers, one is configured with Log and Endpoint data, while the other is configured with Network (TLS) data.

Supported Scale Existing NetWitness customer (historical data available) Learning Period
Alerts will be generated when the learning period is complete

UEBA Server 1: 100,000 users with 100 million Log and Endpoint events per day

UEBA Server 2: 100 million Network events per day

 Yes

Fresh Installation of 12.3
Up to 10 days with 28 days of historical data

UEBA Server 1: 100,000 users with 100 million Log and Endpoint events per day

UEBA Server 2: 100 million Network events per day

Yes

Upgrade from 11.7.x, 12.1.x, 12.2.x to 12.3

UEBA reset is not required.

  • If learning period is already completed, data will be processed for alert generation immediately.

  • If learning period is completed only for N days, then it will take 28-N days to complete the learning period before generating alerts.

UEBA Server 1: 100,000 users with 100 million Log and Endpoint events per day

UEBA Server 2: 100 million Network events per day

Yes

An additional UEBA server must be installed to configure TLS schema on a separate UEBA server.
For example, if you are planning to upgrade from 11.7.1:
Before upgrade: UEBA Server 1 is configured with Log, Endpoint, and TLS data.
After upgrade:
• Add another UEBA Server 2 and configure it with TLS schema.
• Reconfigure UEBA Server 1 with only Log and Endpoint data followed by UEBA reset.
For more information, see Best Practices to Add and Remove Schemas for Multiple UEBA Servers.

Upgrade from 11.7.x, 12.1.x, 12.2.x to 12.3 with schemas updated (Addition or removal of schemas configured on UEBA)

UEBA reset is required.
Supported Scale Existing NetWitness customer (historical data available) Learning Period
Alerts will be generated when the learning period is complete

UEBA Server 1: 100,000 users with 100 million Log and Endpoint events per day

UEBA Server 2: 100 million Network events per day

Yes

Historical data is available for N days:

  • N > 28 days: Up to 10 days with 28 days of historical data.

  • N < 28 days: It will take 28-N days to complete the learning period before generating alerts.

Historical data is not available

28 days to complete the learning period before generating alerts.

UEBA Server 1: 100,000 users with 100 million Log and Endpoint events per day

UEBA Server 2: 50 million Network events per day

No

Fresh installation of 12.3

28 days to complete the learning period before generating alerts.
0 Likes
Was this article helpful? Yes No
No ratings

On this page

© 2022 RSA Security LLC or its affiliates. All rights reserved.