UEBA: Troubleshooting

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by Scott Marcus on May 15, 2019. Version 5.

This section provides information about possible issues when using NetWitness UEBA.


UEBA policy Issue


Issue: After you create a rule under a UEBA policy, duplicate values are displayed in the Statistics drop-down.

To remove the duplicate values, perform the following:

  1. Log in to MongoDB using the following command:
    mongo admin -u deploy_admin -p {Enter the password}
  2. Run the following commands in the MongoDB shell. The find() call lists the affected statistic definitions so you can review them before the deleteMany() call removes them:
    use sms;
    db.getCollection('sms_statdefinition').find({componentId: "presidioairflow"})
    db.getCollection('sms_statdefinition').deleteMany({componentId: "presidioairflow"})


Troubleshoot using Kibana



After you deploy NetWitness UEBA, the connection between the NetWitness Platform and NetWitness UEBA is successful but there are very few or no events in the Investigate > Users tab.

  1. Log in to Kibana.
  2. Go to Table of Content > Dashboards > Adapter Dashboard.
  3. Adjust the Time Range on the top right corner of the page and review the following:
    • If the new events are flowing.
    • In the Saved Events Per Schema graph, see the number of successful events per schema per hour.
    • In the Total Events vs. Success Events graph, see the total number of events and the number of successful events. The number of successful events should keep increasing every hour.

    For example, in an environment with 1000 users or more, there should be thousands of authentication and file access events and more than 10 Active Directory events. If there are very few events, there is likely an issue with Windows auditing.
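As an added illustration of the rule of thumb above (this is not part of the original RSA document), the following Python check takes per-hour, per-schema success counts read off the Saved Events Per Schema graph and flags the hours and schemas that fall below the expected volume. The schema names, thresholds and sample counts are assumptions constructed for the example.

```python
from typing import Dict, List

# Assumed minimum successful events per hour for a deployment of ~1000 users,
# derived from the rule of thumb in the text: thousands of authentication and
# file access events, more than 10 Active Directory events.
MIN_EVENTS_PER_HOUR: Dict[str, int] = {
    "authentication": 1000,
    "file": 1000,
    "active_directory": 10,
}

# Constructed sample of hourly counts as read from the Saved Events Per Schema
# graph (hour -> schema -> successful events). Not real data.
SAMPLE_HOURLY_COUNTS: Dict[str, Dict[str, int]] = {
    "2019-05-15T10:00": {"authentication": 4200, "file": 3100, "active_directory": 25},
    "2019-05-15T11:00": {"authentication": 3900, "file": 0, "active_directory": 30},
    "2019-05-15T12:00": {"authentication": 12, "file": 2800},
}


def find_low_schemas(hourly_counts: Dict[str, Dict[str, int]],
                     thresholds: Dict[str, int] = MIN_EVENTS_PER_HOUR) -> List[str]:
    """Return one finding per (hour, schema) whose successful-event count is
    missing or below the threshold. A schema absent from an hour counts as 0,
    which is the case to look for when a Windows audit category is not enabled."""
    findings: List[str] = []
    for hour in sorted(hourly_counts):
        counts = hourly_counts[hour]
        for schema, minimum in thresholds.items():
            seen = counts.get(schema, 0)
            if seen < minimum:
                findings.append(f"{hour} {schema}: {seen} < {minimum}")
    return findings


def schemas_to_reaudit(findings: List[str]) -> List[str]:
    """Collapse findings to the distinct schemas whose Windows audit settings
    need to be checked, in first-seen order."""
    seen: List[str] = []
    for finding in findings:
        schema = finding.split(" ")[1].rstrip(":")
        if schema not in seen:
            seen.append(schema)
    return seen


if __name__ == "__main__":
    findings = find_low_schemas(SAMPLE_HOURLY_COUNTS)
    for line in findings:
        print(line)
    print("re-check Windows auditing for:", ", ".join(schemas_to_reaudit(findings)))
```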


You must identify the missing events and reconfigure the Windows auditing.

  1. Log in to NetWitness Platform and go to INVESTIGATE > Navigate.
  2. Filter by device.type = "winevent_snare" or device.type = "winevent_nic".
  3. Review the events using the reference.id meta key to identify the missing events.
  4. Reconfigure the Windows auditing. For more information, see the NetWitness UEBA Windows Audit Policy topic.





The historical load is complete and the Adapter dashboard shows events arriving, but no alerts are displayed in the Investigate > Users tab.
  1. Go to Kibana > Table of content > Scoring and model cache.
  2. Adjust the Time Range on the top right corner of the page, and see if the events are being scored.





The historical load is complete but no alerts are displayed in the Investigate > Users tab.
  1. Go to Kibana > Dashboard > Overview.

  2. Adjust the Time Range on the top right corner of the page, to see how many users are analyzed and if any anomalies are found.


Troubleshoot using Airflow


Issue: After you deploy UEBA, no events are displayed in Kibana > Table of content > Adapter dashboard even though Airflow has already processed the hours. This is due to a communication issue between the components.

You must check the logs and resolve the issue.

  1. Log in to Airflow.
  2. Go to Admin > REST API Plugin.
  3. In the Failed Tasks Logs, click execute.
    A zip file is downloaded.
  4. Unzip the file and open the log file to view and resolve the error.
  5. In the DAGs > reset_presidio, click Trigger Dag.
    This deletes all the data and computes all the alerts from the beginning.

Note: During initial installation, if the hours are processed successfully but there are no events, you must click reset_presidio after fixing the data in the Broker. Do not reset if there are alerts.



