NetWitness UEBA Use Cases
NetWitness UEBA focuses on providing advanced detection capabilities to guard enterprises from insider threats. These may be compromised trusted users or network entities inside the network, or an external attacker making malicious use of credentials acquired through advanced account takeover techniques.
Identity theft typically begins with the theft of credentials, which are then used to obtain unauthorized access to resources and to gain control over the network. Attackers may also exploit compromised non-admin users to obtain access to resources for which they have administrative rights, and then escalate those privileges.
NetWitness UEBA helps you separate possibly malicious activity from the otherwise abnormal, but not risky, user or network entity actions.
Use Case for Users
An attacker who uses stolen credentials may trigger suspicious network events while accessing resources. Detecting illicit credential use is possible, but requires that you separate attacker activity from the high volume of legitimate events. The following use cases define certain risk types and the corresponding system capabilities used for their detection. You can review the use cases, represented by their alert type and description, to gain an initial understanding of the risky behavior related to each use case. Using NetWitness UEBA, you can then drill down into the indicators that reflect the possibly risky user activities to learn more. For more information about NetWitness UEBA-supported indicators, see Indicators for Users. When anomalies are detected, they are compared to the baseline and compiled into hourly alerts. For more information on types of alerts for Users, see Alert Types for a User.
Use Case for Network Entities
UEBA can detect malicious traffic masked within a legitimate HTTPS session. Based on this alert analysis, the analyst can drill down to the indicators and determine whether the activity was normal or not. For more information about NetWitness UEBA-supported entity indicators, see Indicators for Network Entities. For example, the analyst can detect whether an abnormal number of bytes was sent to a port or a domain. If an event of this type, or a combination of such events, is detected, an alert is triggered. For more information on types of alerts for network entities, see Alert Types for Network Entities.
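The baseline comparison and hourly alert compilation described in the two use cases above, as an added illustration in Python (not NetWitness code): every entity name, threshold and event record below is constructed, and the sigma-based scoring is an assumed stand-in for the product's own analytics.

```python
"""Toy UEBA-style baseline detector (added illustration, not NetWitness code).

Constructed hourly events are compared with a per-entity baseline; deviations
become indicators, and all indicators for one entity in one hour are compiled
into a single alert whose alert types come from the tables on this page.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Indicator name -> alert type, as listed in the indicator tables on this page.
ALERT_TYPE = {
    "Multiple Successful Authentications": "Multiple Logons by User",
    "Abnormal Traffic Volume Sent to Domain": "Data Exfiltration",
    "High Number of IPs Contact a New Domain": "C&C",
}


def is_abnormal(history, value, sigmas=3.0, floor=1.0):
    """True when value exceeds the baseline mean by more than `sigmas`
    standard deviations. The floor stops a near-constant history from
    flagging every tiny deviation; both thresholds are assumed values."""
    if len(history) < 2:
        return False  # too little history to form a baseline
    return value > mean(history) + sigmas * max(pstdev(history), floor)


def user_indicators(auth_counts, baseline):
    """auth_counts: {(user, hour): successful logons in that hour}.
    baseline: {user: [successful logons per hour from the training window]}."""
    found = []
    for (user, hour), count in auth_counts.items():
        if is_abnormal(baseline.get(user, []), count):
            found.append((user, hour, "Multiple Successful Authentications"))
    return found


def network_indicators(flows, domain_baseline, known_domains, new_domain_ips=5):
    """flows: (hour, source_ip, domain, bytes_sent) records.
    Known domains are checked for abnormal volume; a domain absent from the
    baseline is flagged when many distinct internal IPs contact it in one hour."""
    bytes_to_domain = defaultdict(int)
    ips_per_domain = defaultdict(set)
    for hour, ip, domain, nbytes in flows:
        bytes_to_domain[(domain, hour)] += nbytes
        ips_per_domain[(domain, hour)].add(ip)
    found = []
    for (domain, hour), total in bytes_to_domain.items():
        if domain in known_domains:
            if is_abnormal(domain_baseline.get(domain, []), total):
                found.append((domain, hour, "Abnormal Traffic Volume Sent to Domain"))
        elif len(ips_per_domain[(domain, hour)]) >= new_domain_ips:
            found.append((domain, hour, "High Number of IPs Contact a New Domain"))
    return found


def compile_alerts(indicators):
    """Group indicators by (entity, hour) so each entity gets one alert per hour."""
    grouped = defaultdict(list)
    for entity, hour, name in indicators:
        grouped[(entity, hour)].append(name)
    return {
        key: {"indicators": names,
              "alert_types": sorted({ALERT_TYPE[n] for n in names})}
        for key, names in grouped.items()
    }


# Constructed sample data: a short training window plus one observed day.
USER_BASELINE = {"alice": [3, 4, 2, 5, 3, 4, 3, 2], "bob": [1, 0, 1, 2, 1, 1, 0, 1]}
AUTH_COUNTS = {("alice", "2024-01-08T09"): 5, ("bob", "2024-01-08T09"): 40}
DOMAIN_BASELINE = {
    "files.example.com": [1_200_000, 900_000, 1_500_000, 1_100_000, 1_300_000, 1_000_000],
}
FLOWS = [
    ("2024-01-08T09", "10.0.0.5", "files.example.com", 1_100_000),   # within baseline
    ("2024-01-08T10", "10.0.0.5", "files.example.com", 40_000_000),  # 40 MB in one hour
] + [("2024-01-08T10", f"10.0.0.{i}", "new-host.example.net", 2_000)
     for i in range(1, 9)]                                           # 8 hosts, new domain


def run_example():
    """Score the constructed data and return the compiled hourly alerts."""
    found = user_indicators(AUTH_COUNTS, USER_BASELINE)
    found += network_indicators(FLOWS, DOMAIN_BASELINE, set(DOMAIN_BASELINE))
    return compile_alerts(found)


if __name__ == "__main__":
    for (entity, hour), alert in sorted(run_example().items()):
        print(f"{hour} {entity}: {alert['alert_types']} <- {alert['indicators']}")
```

Alice's five logons stay under her baseline, while Bob's forty, the 40 MB burst to a known domain and eight hosts contacting a never-seen domain each produce one alert for that entity and hour.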
Alert Types
Alert Types for a User
Alert Type | Description |
---|---|
Mass Changes to Groups | An abnormal number of changes are made to groups. Investigate which elements are changed, and decide if the changes were legitimate or possibly the result of risky or malicious behavior. This activity is associated with the Multiple Group Membership Changes indicator. |
Multiple Failed Logons | In traditional password cracking attempts, the attacker tries to obtain a password through guesswork or by employing other low-tech methods to gain initial access. The attacker risks getting caught or being locked out by explicitly attempting to authenticate; but with some prior knowledge of the victim’s password history, may be able to successfully authenticate. Look for additional abnormal indications that the account owner is not the one attempting to access this account. This activity is usually associated with the Multiple Failed Authentications indicator. |
User Login to Abnormal Host | Attackers often need to reacquire credentials and perform other sensitive activities, like using remote access. Tracing the access chain backwards may lead to the discovery of other computers involved in possibly risky activity. Whether an attacker's presence is limited to a single compromised host or extends to many compromised hosts, that activity can be associated with the Abnormal Host indicator. |
Snooping User | Snooping is unauthorized access to another person's or company's data. Snooping can be as simple as the casual observance of an e-mail on another person's computer, or watching what someone else is typing. More sophisticated snooping uses software programs to remotely monitor activity on a computer or network device. This activity can be associated with the Multiple File Access Events, Multiple Failed File Access Events, Multiple File Open Events, and Multiple Folder Open Events indicators. |
Multiple Logons by User | All authentication activity, malicious or not, appears as normal logons. Therefore, administrators should monitor unexpected authorized activity. The key is that attackers use these stolen credentials for unauthorized access, which may provide an opportunity for detection. When an account is used for unusual activities, for example, authenticating an unusual amount of times, the account may have been compromised. This activity can be associated with the Multiple Successful Authentications indicator. |
User Logged into Multiple Hosts | Attackers typically need to reacquire credentials periodically. This is because their key chain of stolen credentials naturally degrades over time, due to password changes and resets. Therefore, attackers frequently maintain a foothold in the compromised organization by installing backdoors and maintaining credentials from many computers in the environment. This activity can be associated with the Logged onto Multiple Hosts indicator. |
Mass Permission Changes | Some credential theft techniques, for example, Pass-the-Hash, use an iterative, two-stage process. First, an attacker obtains elevated read-write permission to privileged areas of volatile memory and file systems, which are typically accessible only to system-level processes on at least one computer. Second, the attacker attempts to increase access to other computers on the network. Investigate if abnormal permission changes have taken place on the file systems to ensure that they were not compromised by an attacker. This activity can be associated with the Multiple File Access Permission Changes, Multiple Failed File Access Permission Changes, and Abnormal File Access Permission Change indicators. |
Abnormal Active Directory (AD) Changes | If an attacker gains highly-privileged access to an Active Directory domain or domain controller, that access can be leveraged to access, control, or even destroy the entire forest. If a single domain controller is compromised and an attacker modifies the AD database, those modifications replicate to every other domain controller in the domain, and depending on the partition in which the modifications are made, the forest as well. Investigate abnormal changes conducted by admins and non-admins in AD to determine if they represent a possible true compromise to the domain. This activity can be associated with the Abnormal Active Directory Change, Multiple Account Management Changes, Multiple User Account Management Changes, and Multiple Failed Account Management Changes indicators. |
Sensitive User Status Changes | A domain or enterprise administrator account has the default ability to exercise control over all resources in a domain, regardless of whether it operates with malicious or benign intent. This control includes the ability to create and change accounts; read, write, or delete data; install or alter applications; and erase operating systems. Some of these activities trigger organically as part of the account’s natural life cycle. Investigate these security-sensitive user account changes, and determine whether the account is compromised. This activity can be associated with the User Account Enabled, User Account Disabled, User Account Unlocked, User Account Type Changed, User Account Locked, User Password Never Expires Option Changed, User Password Changed by Non-Owner, and User Password Change indicators. |
Abnormal File Access | Monitor for abnormal file access to prevent improper access to confidential files and theft of sensitive data. By selectively monitoring file views, modifications and deletions, you can detect possibly unauthorized changes to sensitive files, whether caused by an attack or a change management error. This activity can be associated with the Abnormal File Access Event and Multiple File Delete Events indicators. |
Non-Standard Access | All authentication activity, malicious or not, appears as normal logons. Therefore, administrators should monitor unexpected, authorized activities. The key is that attackers use these stolen credentials for unauthorized access, which may provide an opportunity for detection. Use the indication of an abnormal activity time and/or day to determine if the account is taken over by an external actor. This activity can be associated with the following indicators: Abnormal File Access, Abnormal Active Directory Change Activity, Abnormal Logon Activity, Abnormal VPN Logon Activity, and Abnormal Azure AD Logon Activity. |
Credential Dumping | Credential dumping is the process of obtaining account login and password information, in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform lateral movement and access restricted information. This activity can be associated with the Abnormal Process Created a Remote Thread in LSASS indicator. |
Discovery & Reconnaissance | Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When attackers gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase. This activity can be associated with the Abnormal Reconnaissance Tool Executed, Multiple Distinct Reconnaissance Tools Executed, Multiple Reconnaissance Tool Activities Executed, and User Executed a Reconnaissance Tool Multiple Times indicators. |
PowerShell & Scripting | PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Attackers can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. This activity can be associated with the User Ran an Abnormal Process to Execute a Scripting Tool, Abnormal Process Executed a Scripting Tool, Scripting Tool Triggered an Abnormal Application, User Ran a Scripting Tool that Triggered an Abnormal Application, User Ran a Scripting Tool to Open an Abnormal Process, and Scripting Tool Opened an Abnormal Process indicators. |
Registry Run Keys & Start Folder | Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. The program will be executed under the context of the user and will have the account's associated permissions level. Attackers can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Attackers may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs. This activity can be associated with the Abnormal Process Modified a Registry Key Group indicator. |
Multiple Failed Authentications - External Access | As organizations increase their reliance on external authentication infrastructures, attackers may attempt to leverage these infrastructures to their advantage. Brute force techniques as well as more traditional password cracking methods like guesswork can be utilized to gain initial access. These activities can be associated with the Multiple Failed Azure AD Authentications and Multiple Failed VPN Authentications indicators. |
Abnormal Country | As organizations increase their reliance on external authentication infrastructures, attackers may attempt to leverage these infrastructures to their advantage. When devices or accounts are compromised, as well as when credentials are wrongly shared, attackers may utilize them to gain initial access from an abnormal location. These activities can be associated with the Abnormal Azure AD Logon Country and Abnormal VPN Logon Country indicators. |
Snooping User - Cloud Service Account | Snooping is unauthorized access to company data or data belonging to another person. Snooping can be as simple as the casual observance of an email on another person's computer. More sophisticated snooping uses software programs to remotely monitor activity on a computer or a cloud service account. This activity can be associated with the Azure AD - Logon Attempts to Multiple Applications indicator. |
Abnormal Remote Application | Attackers may leverage compromised account details or devices to access remote applications that genuine end users do not frequently access, to collect and even exfiltrate sensitive information. This activity can be associated with the Azure AD - Abnormal Application indicator. |
Process Injection | Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. This activity can be associated with the Abnormal Process Created a Remote Thread in a Windows Process indicator. |
Alert Types for Network Entities
Alert Type | Description |
---|---|
Phishing | Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. This activity can be associated with the Abnormal Country for SSL Subject and Abnormal SSL Subject for JA4 indicators. |
Data Exfiltration | Data exfiltration is the unauthorized copying, transfer, or retrieval of data from a computer or server. Data exfiltration is a malicious activity performed through various techniques, typically by cyber criminals over the Internet or another network. This activity can be associated with the Abnormal Traffic Volume Sent to Domain and Abnormal Traffic Volume Sent from JA4 indicators. |
Command & Control (C&C) | Command and control infrastructure can be leveraged by attackers as a communication channel between a compromised asset within the impacted network and an attacker-controlled server. Attackers may attempt to mask this malicious communication within regular network traffic; consequently, this activity can be associated with numerous network indicators such as Abnormal Destination Port for JA4 and High Number of IPs Contact a New SSL Subject. |
Non-Standard Activity | This alert is triggered when network activity has deviated from the normal or expected behavior for a network entity. Use the indication of an abnormal activity time and/or day to determine whether a client is connecting to a malicious or suspicious external destination. This activity can be associated with the Abnormal Activity for SSL Subject and Abnormal Activity for JA4 indicators. |
NetWitness UEBA Indicators
Indicators for Users
The following tables list indicators that display when a potentially malicious activity is detected for users.
Windows File Servers
Indicator | Alert Type | Description |
---|---|---|
Abnormal File Access | Non-Standard Access | A user has accessed a file at an abnormal time and/or day. |
Abnormal File Access Permission Change | Mass Permission Changes | A user changed multiple share permissions. |
Abnormal File Access Event | Abnormal File Access | A user has accessed a file abnormally. |
Multiple File Access Permission Changes | Mass Permission Changes | A user changed multiple file share permissions. |
Multiple File Access Events | Snooping User | A user generated multiple file access events. |
Multiple Failed File Access Events | Snooping User | A user failed multiple times to access a file. |
Multiple File Open Events | Snooping User | A user opened multiple files. |
Multiple Folder Open Events | Snooping User | A user opened multiple folders. |
Multiple File Delete Events | Abnormal File Access | A user deleted multiple files. |
Multiple Failed File Access Permission Changes | Mass Permission Changes | A user failed multiple attempts to change file access permissions. |
Active Directory
Indicator | Alert Type | Description |
---|---|---|
Abnormal Active Directory Change Activity | Non-Standard Hours | A user executed Active Directory activity at an abnormal time and/or day. |
Abnormal Active Directory Object Change | Abnormal AD Changes | A user made Active Directory attribute changes abnormally. |
Multiple Group Membership Changes | Mass Changes to Groups | A user made multiple changes to groups successfully. |
Multiple Active Directory Object Changes | Abnormal AD Changes | A user made multiple Active Directory changes successfully. |
Multiple User Account Changes | Abnormal AD Changes | A user made multiple sensitive Active Directory changes successfully. |
Multiple Failed Account Changes | Abnormal AD Changes | A user failed to make multiple Active Directory changes. |
Admin Password Changed | Admin Password Change | The password of an admin was changed. |
User Account Enabled | Sensitive User Status Changes | An account of a user was enabled. |
User Account Disabled | Sensitive User Status Changes | An account of a user was disabled. |
User Account Unlocked | Sensitive User Status Changes | An account of a user was unlocked. |
User Account Type Changed | Sensitive User Status Changes | The type of user was changed. |
User Account Locked | Sensitive User Status Changes | An account of a user was locked. |
User Password Reset | Sensitive User Status Changes | The password of a user was reset. |
User Password Never Expires Option Changed | Sensitive User Status Changes | The password policy of a user was changed. |
Logon Activity
Indicator | Alert Type | Description |
---|---|---|
Abnormal Remote Computer | Abnormal Computer Access | A user accessed a remote computer abnormally. |
Abnormal Logon Activity | Non-Standard Access | A user logged on at an abnormal time and/or day. |
Abnormal Computer | User Login to Abnormal Host | A user attempted to access a computer abnormally. |
Multiple Successful Authentications | Multiple Logons by User | A user logged on multiple times. |
Multiple Failed Authentications | Multiple Failed Logons | A user failed multiple authentication attempts. |
Logon Attempts to Multiple Source Computers | User Logged into Multiple Hosts | A user attempted to log on from multiple computers. |
Abnormal VPN Logon Activity | Non-Standard Access | A user logged on to VPN at an abnormal time and/or day. |
Abnormal Azure AD Logon Activity | Non-Standard Access | A user logged on to Azure AD at an abnormal time and/or day. |
Abnormal Kerberos Logon Activity | Non-Standard Access | A Kerberos service ticket was requested for a user at an abnormal time and/or day. |
Abnormal Explicit Logon Activity | Non-Standard Access | A user's explicit credentials were used to log on at an abnormal time and/or day. |
Multiple Successful Kerberos Authentications | Multiple Logons by User | Multiple Kerberos service tickets were requested successfully for a user account. |
Multiple Successful Explicit Authentications | Multiple Logons by User | Multiple logins were attempted successfully for a user account using explicit credentials. |
Multiple Failed Azure AD Authentications | Multiple Failed Authentications | A user failed multiple times to authenticate into Azure AD. |
Multiple Failed VPN Authentications | Multiple Failed Authentications | A user failed multiple times to authenticate for VPN access. |
Multiple Failed Kerberos Authentications | Multiple Failed Logons | A Kerberos service ticket request for a user account failed multiple times. |
Multiple Failed Explicit Authentications | Multiple Failed Logons | Multiple attempts to log in failed for a user account using explicit credentials. |
Abnormal Azure AD Logon Country | Abnormal Logon Country | A user attempted to access Azure AD from an abnormal country. |
Abnormal VPN Logon Country* | Abnormal Logon Country | A user attempted to establish VPN access from an abnormal country. |
Azure AD - Abnormal Application | Abnormal Remote Application | A user attempted to log on to an abnormal number of applications through Azure AD. |
Azure AD - Logon Attempts to Multiple Applications | Snooping User | A user attempted to log on to multiple applications through Azure AD. |
Process
Indicator | Alert Type | Description |
---|---|---|
Abnormal Process Created a Remote Thread in LSASS | Credential Dumping | An abnormal process created a remote thread in the LSASS process. |
Abnormal Reconnaissance Tool Executed | Discovery and Reconnaissance | An abnormal process was executed. |
Abnormal Process Executed a Scripting Tool | PowerShell and Scripting | An abnormal process executed a scripting tool. |
Abnormal Process Executed a Scripting Tool | PowerShell and Scripting | An abnormal process was triggered by a scripting tool. |
Scripting Tool Triggered an Abnormal Application | PowerShell and Scripting | An abnormal process was opened by a scripting tool. |
Abnormal Process Created a Remote Thread in a Windows Process | PowerShell and Scripting | An abnormal process was injected into a known Windows process. |
Multiple Distinct Reconnaissance Tools Executed | Discovery and Reconnaissance | Multiple reconnaissance tools were executed in an hour. |
Multiple Reconnaissance Tool Activities Executed | Discovery and Reconnaissance | Multiple reconnaissance tool activities were executed in an hour. |
User Ran an Abnormal Process to Execute a Scripting Tool | PowerShell / Scripting | An abnormal process executed a scripting tool. |
User Ran a Scripting Tool that Triggered an Abnormal Application | PowerShell / Scripting | A scripting tool was executed that triggered an abnormal application. |
User Ran a Scripting Tool to Open an Abnormal Process | PowerShell / Scripting | A scripting tool was executed to open an abnormal process. |
Registry
Indicator | Alert Type | Description |
---|---|---|
Abnormal Process Modified a Registry Key Group | Registry Run Keys | An abnormal process modified a service registry key. |
Indicators for Network Entities
The following tables list indicators that display when a potentially malicious activity is detected for SSL Subject entities.
Indicator | Entity Type | Alert Type | Description |
---|---|---|---|
Abnormal Traffic Volume Sent from IP to SSL Subject | SSL Subject | Data Exfiltration | An IP address in the organization sent an unexpectedly high amount of data to an SSL Subject. |
Abnormal Traffic Volume Sent from IP to Domain | SSL Subject | Data Exfiltration | An IP address in the organization sent an unexpectedly high amount of data to a domain and SSL Subject. |
Abnormal Traffic Volume Sent from IP to Port | SSL Subject | Data Exfiltration | An IP address in the organization sent an unexpectedly high amount of data to a port and SSL Subject. |
Abnormal Traffic Volume Sent to SSL Subject | SSL Subject | Data Exfiltration | An unexpectedly high amount of data was sent to an SSL Subject. |
Abnormal Traffic Volume Sent to Domain | SSL Subject | Data Exfiltration | An unexpectedly high amount of data was sent to a domain and SSL Subject. |
Abnormal Traffic Volume Sent to Port | SSL Subject | Data Exfiltration | An unexpectedly high amount of data was sent to a port and SSL Subject. |
Abnormal Traffic Volume Sent to Organization | SSL Subject | Data Exfiltration | An unexpectedly high amount of data was sent to an organization and SSL Subject. |
High Number of IPs Contact a New SSL Subject | SSL Subject | C&C | A high number of IPs contacted a new SSL Subject. |
High Number of IPs Contact a New Domain | SSL Subject | C&C | A high number of IPs contacted a new domain. |
High Number of IPs Contact a New Organization | SSL Subject | C&C | A high number of IPs contacted a new organization. |
High Number of IPs Contact a New Port | SSL Subject | C&C | A high number of IPs contacted a new port. |
Abnormal Traffic Volume Sent from an IP to a New SSL Subject | SSL Subject | Data Exfiltration | An abnormal number of bytes was sent from an IP to an SSL Subject. |
Abnormal Traffic Volume Sent from an IP to a New Domain | SSL Subject | Data Exfiltration | An abnormal number of bytes was sent from an IP to a domain. |
Abnormal Traffic Volume Sent from an IP to a New Port | SSL Subject | Data Exfiltration | An abnormal number of bytes was sent from an IP to a port. |
Abnormal Traffic Volume Sent from an IP to a New Organization | SSL Subject | Data Exfiltration | An abnormal number of bytes was sent from an IP to an organization. |
Abnormal Traffic Volume Sent to a New SSL Subject | SSL Subject | Data Exfiltration | An abnormal number of bytes was sent to an SSL Subject. |
Abnormal Traffic Volume Sent to a New Domain | SSL Subject | Data Exfiltration | An abnormal number of bytes was sent to a new domain. |
Abnormal Traffic Volume Sent to a New Port | SSL Subject | Data Exfiltration | An abnormal number of bytes was sent to a new port. |
Abnormal Traffic Volume Sent to a New Organization | SSL Subject | Data Exfiltration | An abnormal number of bytes was sent to an organization for an SSL Subject. |
Abnormal Traffic Volume Sent from a New JA4 | JA4 | Data Exfiltration | An abnormal number of bytes was sent from a new JA4. |
High Number of IPs Use JA4 | JA4 | C&C | An abnormally high number of IPs use JA4. |
Abnormal Destination Port for Domain | SSL Subject and JA4 | C&C | A domain was accessed through an abnormal destination port. |
Abnormal Destination Port for JA4 | SSL Subject and JA4 | C&C | JA4 contacted an abnormal destination port. |
Abnormal SSL Subject for JA4 | SSL Subject and JA4 | Phishing | JA4 contacted an abnormal SSL Subject. |
Abnormal Domain for JA4 | SSL Subject and JA4 | Phishing | JA4 contacted an abnormal domain. |
Abnormal Activity for SSL Subject | SSL Subject and JA4 | Non-Standard Activity | An SSL Subject was contacted at an abnormal time and/or day. |
Abnormal Activity for JA4 | SSL Subject and JA4 | Non-Standard Activity | JA4 was used at an abnormal time and/or day. |
Access NetWitness UEBA
Note: To access the NetWitness UEBA service and Users tab, you must be assigned either the UEBA_Analyst role or the Administrators role. For information about how to assign these roles, see the "How Role-Based Access Control Works" topic in the System Security and User Maintenance Guide.
To access NetWitness UEBA, log in to NetWitness and do one of the following:
- Go to Users > Overview to view the NetWitness UEBA feature displayed.
- Click in the Top Risky Users panel displayed on the Springboard to view the Users tab.
- Click the All link option in the Top Suspicious Users widget displayed on the Analyst View of the Home page to view the users listed in the Users > Entities tab.
You can choose a dark or a light theme for the view. For more information, see the "Choose the Appearance of NetWitness" topic in the NetWitness Getting Started Guide.
View Data from Multiple UEBA Servers
From NetWitness Platform 12.3 or later, administrators can configure multiple UEBA servers in their environment. Using this enhancement, analysts can select data based on the multi-UEBA configuration option available and view only the related users, network entities, and alerts for the particular UEBA servers in the UI for further analysis and investigation.
To view the UEBA servers in the UI:
- Log in to the NetWitness Platform.
- Click Users > Overview.
- Select the UEBA Server from the drop-down list before the Search Entity option.
Based on the UEBA Server selection, the data is loaded.
For example, the first UEBA server (UEBA-1- UEBA Server) is configured with Logs and Endpoint data and the second UEBA server (UEBA-2- UEBA Server) is configured with Network data; based on your selection in the drop-down menu, the corresponding data is retrieved and shown in the UI.
Note: You can configure multiple UEBA servers in your environment. NetWitness has installed and verified up to three UEBA servers.
UEBA Server-1 with Logs and Endpoint Data
UEBA Server-2 with Network Data
UEBA Licensing
You must also ensure that you have NetWitness UEBA licensing configured. For information about NetWitness UEBA licensing, see the "User and Entity Behavior Analytics License" topic in the Licensing Management Guide.