UEBA: NetWitness UEBA Metrics in Health and Wellness

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by RSA Information Design and Development on Feb 9, 2020.

You can view the status of the UEBA host in the Investigate > ENTITIES > Overview tab.

The UEBA system should generate at least 1 alert weekly. If the system generates no alerts for a period of 7 days or more, advanced monitoring is required to examine statistics such as the total number of events versus successful events and the total number of alerts generated.

Advanced monitoring is enabled through two third-party tools prepackaged in NetWitness Platform: Kibana and Airflow.

Access Kibana

To access Kibana, go to https://<UEBA_host>/kibana/app/kibana#/ and enter your user name and password. The Dashboard view is displayed.

Access Airflow

To access Airflow, go to https://<UEBA_host>/admin/ and enter your user name and password. The DAGs view is displayed.

Note: The password for the Kibana and Airflow web server user interfaces is the same as the deploy_admin password. Make sure that you record this password and store it in a safe location.

Kibana

Kibana is an open source analytics and visualization platform. You can monitor the health of UEBA through the following dashboards:

Overview Dashboard

The Overview dashboard provides statistics about users, entities, alerts and indicators, such as:

  • The types of alerts generated, and the distribution of alerts across the severity levels (Low, Medium, High, Critical)
  • The total number of active entities and how many alerts were generated for those entities
  • The number of indicators and events processed
  • A pie chart of entity score severity and the distribution of alert classifications
  • The alert daily histogram, which is the total number of alerts per severity triggered over time

To access the Overview dashboard:

  1. Log into Kibana, click Dashboards > Overview.
    The Overview dashboard is displayed with the aggregate results for all entities.
  2. To view the data for a specific entity, select a value from the Select Entity Type drop-down, for example ja3, sslSubject or userid.
  3. Adjust the time range on the top right corner of the page based on your requirement to view the statistics.


System Host overview

The System Host overview dashboard monitors the performance and health of the UEBA host, including:

  • CPU usage
  • Memory consumption and network usage
  • The processes consuming CPU and memory, for example MongoDB
  • Statistics on disk usage
  • Inbound data, which is the amount of data transferred by users viewing the UEBA UI
  • Outbound data, which is the amount of data fetched by UEBA from the Broker or Concentrator


To access the System Host overview dashboard:

  1. Go to Kibana, click Dashboards > System host overview.
    The System host overview dashboard is displayed.
  2. Adjust the time range on the top right corner of the page based on your requirement to view the statistics.


Note: During historical load the system works with high parallelism, so I/O, CPU and memory utilization are high. The pace is 30 logical days in 4 wall clock time. Once the UEBA server is online, resource utilization decreases.

Adapter Dashboard

The Adapter dashboard monitors the following:

  • The failed events distribution
  • Total number of events versus successful events
  • Saved events per schema

To access the Entities, alerts, indicators dashboard:

  1. Log into Kibana, click Dashboards > Entities, alerts, indicators.
    The Entities, alerts, indicators dashboard is displayed with aggregate data for all entities.
  2. To view the data for a specific entity, select a value from the Select Entity Type drop-down, for example ja3, sslSubject or userid.

To access the Adapter dashboard:

  1. Log into Kibana, click Dashboards > Adapter.
    The Adapter dashboard is displayed.
    (Screenshot: Adapter Dashboard)
  2. Adjust the time range on the top right corner of the page based on your requirement to view the statistics.
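The checks this page asks an operator to perform by eye, the 7-day alert-silence rule from the introduction, the severity and daily alert histograms of the Overview dashboard, and the total-versus-successful event comparison of the Adapter dashboard, can also be scripted. The following Python script is an added example for this guide; it is not RSA's code and not part of UEBA. The alert records, the schema counters, the schema names and the 5% failure-rate warning threshold are constructed assumptions for the example; in a real deployment the figures come from the dashboards described above.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data for the example (not taken from any UEBA deployment).
# Each alert record carries the time it was triggered and its severity, matching
# the four severity levels shown on the Overview dashboard.
ALERTS = [
    {"time": "2020-02-01T08:00:00", "severity": "Low"},
    {"time": "2020-02-03T11:30:00", "severity": "Medium"},
    {"time": "2020-02-03T12:00:00", "severity": "High"},
    {"time": "2020-02-05T09:15:00", "severity": "Critical"},
]

# Constructed per-schema counters of the kind the Adapter dashboard reports:
# total events received versus events saved successfully.
ADAPTER_EVENTS = [
    {"schema": "AUTHENTICATION", "total": 120000, "successful": 119800},
    {"schema": "FILE", "total": 45000, "successful": 44990},
    {"schema": "TLS", "total": 300000, "successful": 240000},
]

SEVERITIES = ("Low", "Medium", "High", "Critical")
SILENCE_THRESHOLD = timedelta(days=7)  # from the guidance: 7 days without alerts
FAILURE_WARN_RATIO = 0.05              # assumed warning threshold for this example


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def alert_silence(alerts, now, threshold=SILENCE_THRESHOLD):
    """Return (whole days since the last alert, True if advanced monitoring is needed).

    An empty alert list counts as silence: nothing shows the system is
    producing alerts at all.
    """
    if not alerts:
        return None, True
    last = max(_parse(a["time"]) for a in alerts)
    gap = now - last
    return gap.days, gap >= threshold


def severity_histogram(alerts):
    """Count alerts per severity, always reporting all four levels."""
    counts = Counter(a["severity"] for a in alerts)
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def daily_histogram(alerts):
    """Count alerts per calendar day (the alert daily histogram of the Overview dashboard)."""
    counts = Counter(_parse(a["time"]).date().isoformat() for a in alerts)
    return dict(sorted(counts.items()))


def adapter_failure_rates(rows, warn_ratio=FAILURE_WARN_RATIO):
    """Compare total versus successful events per schema and flag high failure rates."""
    report = {}
    for row in rows:
        failed = row["total"] - row["successful"]
        rate = failed / row["total"] if row["total"] else 0.0
        report[row["schema"]] = {
            "failed": failed,
            "failure_rate": round(rate, 4),
            "warn": rate > warn_ratio,
        }
    return report


def health_report(alerts, adapter_rows, now):
    """Combine the checks into one summary that a scheduled monitoring job could emit."""
    days, needs_monitoring = alert_silence(alerts, now)
    return {
        "days_since_last_alert": days,
        "advanced_monitoring_required": needs_monitoring,
        "alerts_by_severity": severity_histogram(alerts),
        "alerts_by_day": daily_histogram(alerts),
        "adapter": adapter_failure_rates(adapter_rows),
    }


if __name__ == "__main__":
    import json
    # With "now" set to Feb 13, the last alert (Feb 5) is more than 7 days old,
    # so the report flags that advanced monitoring is required.
    print(json.dumps(health_report(ALERTS, ADAPTER_EVENTS, datetime(2020, 2, 13)), indent=2))
```

The silence check uses the full timestamp gap rather than calendar days, so an alert 6 days and 23 hours old does not trip the rule, while a gap of exactly 7 days does. The TLS row in the constructed data saves only 80% of its events, which is the kind of gap between total and successful events the Adapter dashboard is meant to reveal.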

Support Dashboard Logical Time

The Support Dashboard Logical Time lets you view the logical time at which events were processed, which differs from the system time, including:

  • The amount of filtered events over time per schema
  • The total number of alerts generated
  • The alert types distribution
  • The events that are related to an alert

To access the Support Dashboard Logical Time:

  1. Log into Kibana, click Dashboards > Support Dashboard Logical Time.
    The Support Dashboard Logical Time is displayed.
    (Screenshot: Support Dashboard Logical Time)
  2. Adjust the time range on the top right corner of the page based on your requirement to view the statistics.

Support Dashboard System Time

The Support Dashboard System Time lets you monitor the system time at which events were processed, including:

  • The amount of filtered events over time per schema
  • The total number of alerts generated
  • The alert types distribution
  • The events that are related to an alert

To access the Support Dashboard System Time:

  1. Log into Kibana, click Dashboards > Support Dashboard System Time.
    The Support Dashboard System Time is displayed.
    (Screenshot: Support Dashboard System Time)
  2. Adjust the time range on the top right corner of the page to view the statistics.

Scoring and Model Cache

The Scoring and Model Cache dashboard lets you view the events being scored.

To access the Scoring and Model Cache dashboard:

  1. Log into Kibana, click Dashboards > Scoring and Model Cache.
    The Scoring and Model Cache dashboard is displayed.
  2. Adjust the time range on the top right corner of the page to view the statistics.

Airflow

Airflow is a tool for describing, executing, and monitoring the UEBA tasks. In Airflow, a DAG is a collection of all the tasks you want to run, organized by schema in a way that reflects their relationships and dependencies. Examples of schemas are Active Directory, Authentication, File, Process, TLS and Registry. Each schema is divided into two DAGs:

  • The Indicator DAG, which reads events from the Broker and scores them against the models.
  • The Model DAG, which builds the models.

You can monitor the scheduled tasks by viewing how many tasks are successful, failed, or currently running, and you can see detailed information about each task and its logs.

There are several DAGs, and each DAG is a workflow.

To monitor the UEBA service tasks, perform the following:

  1. Log into Airflow.
    The DAGs view is displayed.
    (Screenshot: DAGs view)
  2. In the DAG Runs section, check the status of the tasks, for example how many tasks are successful, failed or currently running.
  3. To view the tasks that belong to a DAG, click Tree view.
    The Tree view of the DAG is displayed.
    (Screenshot: Tree view of full flow DAG)
  4. To view the DAG's dependencies and the current status of a specific task, in the DAG, click Graph view.
    (Screenshot: Click graph view)
    In the Graph view, hover over a task to see its status.
    (Screenshot: Graph view)
    For detailed information about a specific task, click the task and then click Task Instance Details.
    (Screenshot: Click Task Instance Details)
    The Task Instance Details view is displayed.
    (Screenshot: Task Instance Details)
    To view the logs of the specific task, click Log.
    (Screenshot: Airflow view logs)

Note: After you begin to run a DAG, schemas cannot be removed from UEBA; otherwise the process stops. For more information, see Troubleshooting UEBA.
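When the DAG Runs section shows failures, the Graph view is used to work out which task failed on its own and which tasks merely could not run because something upstream failed. The following Python script is an added example for this guide, not RSA's code and not UEBA's own DAG definitions: it models one schema's Indicator DAG as a dependency map with the state of each task instance in the latest run, then separates root-cause failures (the tasks whose Log view to open first) from the tasks blocked downstream of them. The task names and their states are constructed for the example; the state names follow Airflow's own vocabulary (success, failed, running, upstream_failed).

```python
from collections import Counter, deque

# Constructed example: tasks of one schema's Indicator DAG, each mapped to the
# tasks it depends on. The task names are assumptions for this illustration.
INDICATOR_DAG = {
    "read_events_from_broker": [],
    "filter_events": ["read_events_from_broker"],
    "score_events": ["filter_events"],
    "build_indicators": ["score_events"],
    "create_alerts": ["build_indicators"],
}

# Constructed state of every task instance in the most recent run: one task
# failed and every task downstream of it was marked upstream_failed.
TASK_STATES = {
    "read_events_from_broker": "success",
    "filter_events": "failed",
    "score_events": "upstream_failed",
    "build_indicators": "upstream_failed",
    "create_alerts": "upstream_failed",
}


def run_summary(states):
    """Count task instances per state, as the DAG Runs section does."""
    return dict(Counter(states.values()))


def downstream_of(dag, task):
    """Return every task that transitively depends on `task` (breadth-first walk)."""
    children = {t: [c for c, parents in dag.items() if t in parents] for t in dag}
    seen, queue = set(), deque([task])
    while queue:
        current = queue.popleft()
        for child in children[current]:
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def blocked_tasks(dag, states):
    """Map each failed task to the downstream tasks that cannot run because of it."""
    return {t: sorted(downstream_of(dag, t)) for t, s in states.items() if s == "failed"}


def root_causes(dag, states):
    """Failed tasks whose upstream tasks all succeeded: the first Log views to read."""
    return sorted(
        t for t, s in states.items()
        if s == "failed" and all(states.get(p) == "success" for p in dag[t])
    )


if __name__ == "__main__":
    print("run summary:", run_summary(TASK_STATES))
    print("root causes:", root_causes(INDICATOR_DAG, TASK_STATES))
    print("blocked:", blocked_tasks(INDICATOR_DAG, TASK_STATES))
```

In the constructed run only filter_events failed on its own merits; the three tasks after it are upstream_failed and need no separate investigation until filter_events is fixed and the DAG run is repeated.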
