Introduction
NetWitness® UEBA is configured so that analysts can run UEBA analytics on the log and network data collected by NetWitness.
Note: Mixed mode is not supported for UEBA in NetWitness Platform. The NetWitness Server and UEBA must both be installed and configured on the same NetWitness Platform version.
UEBA Supported Sources by Schema
Note: Please deploy the latest parsers from NetWitness Live to enable support for all the models and VPN devices.
Authentication Schema
- Windows Logon and Authentication Activity - Supported Event IDs: 4624, 4625, 4769, 4648 (device.type=winevent_snare|winevent_nic)
- RSASecurID Token - device.type = 'rsaacesrv' ec.activity = 'Logon'
- RedHat Linux - device.type = 'rhlinux'
- Windows Remote Management - Supported Event IDs: 4624,4625,4769,4648 (device.type=windows)
- VPN Logs - event.type = 'vpn' ec.activity = 'logon'
Note: NetWitness has tested and verified the functionality of Juniper, Citrix NetScaler, Palo Alto Networks, Cisco Adaptive Security Appliance (ASA) and Fortinet VPNs under the Authentication schema of UEBA. For any VPN to be considered under the Authentication module, the following metadata must be present in the respective VPN vendor’s logs:
(event.type = 'vpn' && country.src exists && user.dst exists && ec.activity = 'logon')
Note: Make sure you have configured the Azure Monitor plugin in your deployment. This enables UEBA to run a query for Azure AD log events for monitoring purposes in the correct format. For more information on how to configure the Azure Monitor plugin, see the Azure Monitor Event Source Configuration Guide.
File Schema
- Windows File Servers - Supported Event IDs: 4663,4660,4670,5145 (device.type=winevent_snare|winevent_nic)
- device.type=windows
Active Directory Schema
- Windows Active Directory - Supported Event IDs: 4741,4742,4733,4734,4740,4794,5376,5377,5136,4764,4743,4739,4727,4728,4754,4756,4757,4758,4720,4722,4723,4724,4725,4726,4738,4767,4717,4729,4730,4731,4732 (device.type=winevent_snare|winevent_nic)
- device.type=windows
Endpoint Process Schema
- Endpoint Process - Category = 'Process Event'
Endpoint Registry Schema
- Endpoint Registry - Category = 'Registry Event'
Packet Schema
- TLS - Service 443 (direction='outbound')
Note: The TLS Packet requires adding the hunting package and enabling the JA3 features as described in Add required features for UEBA Packets Schema.
Configure Custom Feeds and Application Rules for VPN Vendors
Note: The approaches described below can be used temporarily until official support for this VPN vendor is added to NetWitness UEBA. To request official support for the required VPN vendor, please contact your NetWitness Customer Support team.
There are two methods to add support for VPN vendors: custom feeds and application rules. Both are described in the following sections.
Configure Custom Feeds for Supporting VPN Vendors
To include VPN vendors that UEBA does not support out-of-the-box, you can create custom feeds and include those VPN vendors as part of UEBA processing. Before writing the custom feed, the user must first distinguish between success and failure events related to their VPN vendor. The following is a list of meta keys that UEBA considers when analyzing a VPN event. To receive support for any VPN vendor on UEBA, it is mandatory for these meta keys to be present:
- event.time
- user.dst
- device.type
- country.src
- city.src
- event.type = vpn
- ec.outcome = success or failure
- ec.activity = logon
The following is an example of deploying a custom feed for Palo Alto Networks logs.
- Go to (Configure) > Custom Feeds, select Custom Feed, upload a .csv file containing the logs, and click Next.
For example, Palo Alto Networks logs carry the meta result = success for success events and event.desc = globalprotect; these can be used as callback keys to append the additional meta keys event.type, ec.outcome, and ec.activity to the logs.
- Select the Decoders and Log Decoders and click Next.
- Select result and event.desc as the callback keys from the drop-down, add the additional meta keys event.type, ec.outcome, and ec.activity, and click Next.
- Review the details and click Finish.
Similarly, you need to deploy one more custom feed for failure events. For the detailed procedure on creating a custom feed, see the topic Creating a Custom Feed in the Live Services Management Guide.
Note: Two custom feeds must be created and deployed, one for successful and another for failed events.
IMPORTANT: To ensure that UEBA always considers logon events for analytics, all of these events must contain the 8 meta keys listed above.
The following example shows this for Palo Alto Networks events. Before the custom feeds are deployed, these are the meta keys available on the Investigate > Events page.
The following is the list of meta keys seen on the Investigate > Events page after deploying a custom feed.
Note: It is recommended that users parse the raw logs of VPN vendors in NetWitness.
IMPORTANT: The custom feed must be deployed on all Decoders that contain VPN data.
Note: When deploying feeds, NetWitness recommends using multiple meta keys as callback keys, choosing the callback meta keys that are actually available in the success and failure events.
Configure Application Rules for Supporting VPN Vendors
Before deploying the application rules, the user must first distinguish between success and failure events related to their VPN vendor. The following is a list of meta keys that UEBA considers when analyzing a VPN event. To receive support for any VPN vendor on UEBA, it is mandatory for these meta keys to be present:
- event.time
- user.dst
- device.type
- country.src
- city.src
- event.type = vpn
- ec.outcome = success or failure
- ec.activity = logon
This example describes how to use application rules to support VPN vendors.
In this case, Palo Alto Networks logs are considered, where the event.type, ec.outcome, and ec.activity meta keys are missing. Create application rules so that these meta keys are generated for those logs. To create an application rule, see the topic Configure Application Rules in the Decoder Configuration Guide.
Note: Four application rules must be created and deployed: for successful events, failed events, logon events, and VPN.
IMPORTANT: To ensure that UEBA always considers logon events for analytics, all of these events must contain the 8 meta keys listed above.
Ensure that you add the following VPN logs to the application rules:
- Add success events of VPN logs to ec.outcome = success
- Add failure events of VPN logs to ec.outcome = failure
- Add all the authentication logon logs to ec.activity = logon
- Add all the logon activity logs as event.type = vpn
The following figure shows four deployed application rules.
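The following is an added example, not NetWitness product code, that emulates what the custom feeds or the four application rules above add to Palo Alto Networks GlobalProtect logs and then checks each event for the 8 meta keys UEBA requires, plus the Authentication-schema predicate quoted earlier. Sample meta values are constructed; the device.type value is a placeholder, and the assumption that failed GlobalProtect logons carry result = failure is not stated on this page.

```python
REQUIRED_META = ("event.time", "user.dst", "device.type", "country.src",
                 "city.src", "event.type", "ec.outcome", "ec.activity")
EXPECTED = {"event.type": ("vpn",), "ec.activity": ("logon",),
            "ec.outcome": ("success", "failure")}

def enrich_vpn_event(event):
    """Emulate the feed callbacks / application rules for GlobalProtect logons.

    result=success or result=failure (assumed value) plus event.desc=globalprotect
    adds event.type=vpn, ec.activity=logon and ec.outcome; other events are untouched.
    """
    enriched = dict(event)
    if (enriched.get("event.desc") == "globalprotect"
            and enriched.get("result") in ("success", "failure")):
        enriched["event.type"] = "vpn"
        enriched["ec.activity"] = "logon"
        enriched["ec.outcome"] = enriched["result"]
    return enriched

def ueba_meta_problems(event):
    """List the required meta keys that are missing or carry a rejected value."""
    problems = []
    for key in REQUIRED_META:
        if key not in event:
            problems.append(f"missing {key}")
        elif key in EXPECTED and event[key] not in EXPECTED[key]:
            problems.append(f"bad {key}={event[key]!r}")
    return problems

def matches_authentication_schema(event):
    """The Authentication-schema predicate from this page, evaluated on one event."""
    return (event.get("event.type") == "vpn" and "country.src" in event
            and "user.dst" in event and event.get("ec.activity") == "logon")

# Constructed sample meta (values are made up); device.type is a placeholder.
BASE = {"event.time": "2024-05-01T08:00:00Z", "device.type": "paloalto_placeholder",
        "country.src": "DE", "city.src": "Berlin"}
SAMPLE_EVENTS = [
    {**BASE, "user.dst": "alice", "event.desc": "globalprotect", "result": "success"},
    {**BASE, "user.dst": "bob", "event.desc": "globalprotect", "result": "failure"},
    # city.src missing: the callbacks fire, but UEBA still lacks a required key.
    {k: v for k, v in {**BASE, "user.dst": "carol", "event.desc": "globalprotect",
                       "result": "success"}.items() if k != "city.src"},
    # Not a GlobalProtect logon: no meta is appended, so UEBA ignores it.
    {**BASE, "user.dst": "dave", "event.desc": "traffic", "result": "success"},
]

def audit(events=SAMPLE_EVENTS):
    """Enrich every event and return its problem list (empty means UEBA-ready)."""
    return [ueba_meta_problems(enrich_vpn_event(e)) for e in events]
```

Running audit() on the samples shows the first two events as UEBA-ready, the third rejected for the missing city.src, and the fourth rejected because none of the three appended keys were produced.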
After completing the configuration, verify that UEBA is consuming the custom VPN types. For more information, see How to verify if UEBA is consuming the Custom VPN types.
How to verify if UEBA is consuming the Custom VPN types
There are two ways to verify if UEBA is consuming custom VPN types.
Using NetWitness UI
UEBA alerts can be used to confirm that events of a custom device type are being consumed.
Note: This method is dependent on having relevant alerts that will be triggered by NetWitness UEBA.
- Log in to the NetWitness Platform.
- Go to Users > Entities.
- In the Filters panel, under Indicators, search for a VPN indicator. For example, Multiple Failed VPN Authentications.
- Click an entity name.
Indicators are displayed under the alert.
- Select an indicator of interest.
Values that can be used to pivot are highlighted in light blue at the bottom of the panel.
- In the Events table, click the link highlighted in blue and pivot to the alert in the Events view.
The Investigate > Events view is displayed.
Using the Mongo DB server
- SSH to the UEBA server.
- Connect to Mongo DB by running the following command:
mongo admin -u <user_name> -p <password>
Replace <user_name> and <password> with your Mongo DB username and password.
- Switch to the presidio database:
use presidio
- Run the following command to get the list of devices:
db.output_authentication_enriched_events.distinct("datasource")
The returned list shows the data sources whose events UEBA is currently processing, for example:
[
"/usr/bin/login",
"/usr/sbin/sshd",
"4624",
"4625",
"4648",
"azure",
"azuremonitor",
"juniper_juniper_vpn"
]
Note: The list includes a Juniper VPN. The list of VPNs will vary based on the environment's configuration.