UEBA: NetWitness UEBA Metrics in Health and Wellness

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by RSA Information Design and Development on May 15, 2019.
Version 4

You can view the status of the UEBA host in the INVESTIGATE > Users > Overview tab.

The UEBA system should generate at least 1 alert weekly. If the system stops generating alerts for a period of 7 days or more, advanced monitoring is required: monitor statistics such as the total number of events versus successful events, the total number of alerts generated, and so on.

Advanced monitoring is enabled through two third-party tools prepackaged in NetWitness Platform: Kibana and Airflow.

Access Kibana

To access Kibana, go to https://<UEBA_host>/kibana/app/kibana#/ and enter the user name and password. The Dashboard view is displayed.

Access Airflow

To access Airflow, go to https://<UEBA_host>/admin/ and enter the user name and password. The DAGs view is displayed.

Note: The Kibana and Airflow web server user interface password is the same as the deploy_admin password. Make sure that you record this password and store it in a safe location.

Kibana

Kibana is an open source analytics and visualization platform. You can monitor the health of UEBA through various dashboards:

Overview Dashboard

The Overview dashboard provides statistics about users, alerts and indicators, such as:

  • The alert types that are generated, and the alert severity distribution across the severity levels (Low, Medium, High, Critical)
  • The total number of active users and how many alerts were generated for those users
  • The number of indicators and events processed
  • A pie chart of user score severity and the distribution of alert classifications
  • The alert daily histogram: the total number of alerts per severity triggered over time

To access the overview dashboard:

  1. Log into Kibana, click Dashboards > Overview.
     The Overview dashboard is displayed.
     [Figure: Overview Dashboard]
  2. Adjust the time range in the top right corner of the page as required to view the statistics.


System Host overview

The System Host overview dashboard monitors the performance and health of the UEBA host, including:

  • CPU usage
  • Memory consumption and network usage
  • Processes consuming CPU and memory, for example MongoDB
  • Disk usage statistics
  • Inbound data: the amount of data transferred by users viewing the UEBA UI
  • Outbound data: the amount of data fetched by UEBA from the Broker or Concentrator

To access the System Host overview dashboard:

  1. Go to Kibana, click Dashboards > System host overview.
     The System host overview dashboard is displayed.
  2. Adjust the time range in the top right corner of the page as required to view the statistics.

Note: During historical load the system works with high parallelism, so IO, CPU and memory utilization is high. The pace is 30 logical days in 4 wall clock time. Once the UEBA server is online, resource utilization decreases.

Adapter Dashboard

The Adapter dashboard is used to monitor the following:

  • The failed events distribution
  • Total number of events versus successful events
  • Saved events per schema

To access the Adapter dashboard:

  1. Log into Kibana, click Dashboards > Adapter.
     The Adapter Dashboard is displayed.
     [Figure: Adapter Dashboard]
  2. Adjust the time range in the top right corner of the page as required to view the statistics.
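As an added example (not part of the RSA documentation), the following Python evaluates the rule stated at the start of this page against constructed samples of the alert daily histogram and the Adapter dashboard counters: if no alert has been produced for 7 days or more, it escalates to the adapter metrics (total versus successful events, failed events per schema). The dictionary layouts are assumptions for the example, not a NetWitness API.

```python
# Added example, not NetWitness code. Data layouts below are assumed:
# a daily alert histogram {date: {severity: count}} and per-schema adapter
# counters {schema: {"total": n, "successful": n}}.
from datetime import date

SILENCE_DAYS = 7  # threshold stated in the documentation (7 days or more)

def days_since_last_alert(daily_alerts, today):
    """Return days since the last day with at least one alert, or None if there is none."""
    active = [d for d, by_sev in daily_alerts.items()
              if d <= today and sum(by_sev.values()) > 0]
    if not active:
        return None
    return (today - max(active)).days

def adapter_summary(adapter_stats):
    """Overall success ratio plus the failed-event count per schema."""
    total = sum(s["total"] for s in adapter_stats.values())
    success = sum(s["successful"] for s in adapter_stats.values())
    failed = {name: s["total"] - s["successful"] for name, s in adapter_stats.items()}
    return (success / total if total else 0.0), failed

def ueba_health(daily_alerts, adapter_stats, today):
    """OK while alerts keep flowing; otherwise report the adapter figures to investigate."""
    gap = days_since_last_alert(daily_alerts, today)
    if gap is not None and gap < SILENCE_DAYS:
        return {"status": "OK", "days_silent": gap}
    ratio, failed = adapter_summary(adapter_stats)
    worst = max(failed, key=failed.get) if failed else None
    return {"status": "INVESTIGATE", "days_silent": gap,
            "success_ratio": round(ratio, 3), "worst_schema": worst}

# Constructed sample data: three histogram days (last real alert on 1 May) and two schemas.
SAMPLE_HISTOGRAM = {
    date(2019, 4, 29): {"Low": 3, "Medium": 1, "High": 0, "Critical": 0},
    date(2019, 5, 1):  {"Low": 0, "Medium": 0, "High": 1, "Critical": 0},
    date(2019, 5, 4):  {"Low": 0, "Medium": 0, "High": 0, "Critical": 0},
}
SAMPLE_ADAPTER = {
    "authentication": {"total": 1000, "successful": 990},
    "file":           {"total": 500,  "successful": 200},
}

if __name__ == "__main__":
    print(ueba_health(SAMPLE_HISTOGRAM, SAMPLE_ADAPTER, date(2019, 5, 3)))   # OK, 2 days silent
    print(ueba_health(SAMPLE_HISTOGRAM, SAMPLE_ADAPTER, date(2019, 5, 10)))  # INVESTIGATE, 9 days
```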

Support Dashboard Logical Time

The Support Dashboard Logical Time shows event processing by the logical time of the events, which differs from the system time, including:

  • The amount of filtered events over time per schema
  • The total number of alerts generated
  • The alert types distribution
  • The events that are related to an alert

To access the Support Dashboard Logical Time:

  1. Log into Kibana, click Dashboards > Support Dashboard Logical Time.
     The Support Dashboard Logical Time is displayed.
     [Figure: Support Dashboard Logical Time]
  2. Adjust the time range in the top right corner of the page as required to view the statistics.

Support Dashboard System Time

The Support Dashboard System Time shows the same metrics by the system time at which the events are processed:

  • The amount of filtered events over time per schema
  • The total number of alerts generated
  • The alert types distribution
  • The events that are related to an alert

To access the Support Dashboard System Time:

  1. Log into Kibana, click Dashboards > Support Dashboard System Time.
     [Figure: Support Dashboard System Time]
  2. Adjust the time range in the top right corner of the page to view the statistics.

Scoring and Model Cache

The Scoring and Model Cache dashboard shows the events being scored.

To access the Scoring and Model Cache dashboard:

  1. Log into Kibana, click Dashboards > Scoring and Model Cache.
     The Scoring and Model Cache dashboard is displayed.
  2. Adjust the time range in the top right corner of the page to view the statistics.

Airflow

Airflow is a tool for describing, executing, and monitoring the UEBA tasks. In Airflow, a DAG is a collection of all the tasks you want to run, organized in a way that reflects their relationships and dependencies.

You can monitor the scheduled tasks by seeing how many are successful, failed, or currently running, and view detailed information about each task and its logs.

There are several DAGs, and each DAG is a workflow. The Full flow DAG is the main flow for the UEBA service.

To monitor the UEBA service tasks, perform the following:

  1. Log into Airflow.
     The DAGs view is displayed.
     [Figure: DAGs view]
  2. In the DAG Runs section, check the status of the tasks: how many are successful, failed or currently running.
  3. To view the individual tasks that make up the full flow, click Tree view in the full flow DAG.
     The Tree view of the full flow DAG is displayed.
     [Figure: Tree view of full flow DAG]
  4. To view the DAG's dependencies and the current status of a specific task, click Graph view in the full flow DAG.
     [Figure: Click graph view]
     In the Graph view, hover over a task to see its status.
     [Figure: Graph view]
     For detailed information about a specific task, click the task and then click Task Instance Details.
     [Figure: Click Task Instance Details]
     The Task Instance Details view is displayed.
     [Figure: Task Instance Details]
     To view the logs of the specific task, click View Log.
     [Figure: Airflow view logs]