UEBA Quick Start Guide for RSA NetWitness Platform 11.x

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by Susan Ewald on May 30, 2019.
Version 12

What is NetWitness UEBA?

RSA NetWitness UEBA (User and Entity Behavior Analytics) is an advanced analytics solution for discovering, investigating, and monitoring risky behaviors across all users and entities in your network environment. NetWitness UEBA is used for:

  • Detecting malicious and rogue users
  • Pinpointing high-risk behaviors
  • Discovering attacks
  • Investigating emerging security threats
  • Identifying potential attacker activity

About this Guide

This guide provides end-to-end instructions to configure NetWitness Platform UEBA and to use UEBA features.

RSA NetWitness Platform 11.3 Documentation in RSA Link

NetWitness Platform product documentation is organized along functional lines. If you are looking for a specific guide or version, go to the Version 11.x Master Table of Contents.

Use these links to view the RSA NetWitness Platform 11.3 documentation. Both links provide the same documentation, in these two formats:

Use these links to access documentation that is not related to a particular version of the software:

Getting Started

The following tasks can be performed in any sequence.

 

| Description | References |
|---|---|
| View information about product updates, improvements, and known issues. | Release Notes |
| Understand NetWitness UEBA. | RSA NetWitness UEBA User Guide |

Setup and Installation

Standalone Installation

The following tasks must be performed in the following sequence.

| Description | References |
|---|---|
| Review the supported hardware. | "System Requirement" topic in UEBA Standalone Installation Guide |
| Review the UEBA deployment. | "RSA NetWitness UEBA Standalone Installation" topic in UEBA Standalone Installation Guide |
| Configure the ports on your firewall. | "RSA NetWitness UEBA Standalone Installation" topic in UEBA Standalone Installation Guide |
| Install NetWitness Server host. | "Installation Tasks" topic in UEBA Standalone Installation Guide |
| Install 11.3 Log Hybrid Host. | "Installation Tasks" topic in UEBA Standalone Installation Guide |
| Install and Configure NetWitness UEBA. | "Installation Tasks" topic in UEBA Standalone Installation Guide |
| Assign the UEBA_Analysts and Analysts roles to the UEBA users. | "Role Permissions" in the System Security and User Management Guide |

Fresh Installation

The following tasks must be performed in the following sequence.

| Description | References |
|---|---|
| Review the supported hardware. | "Supported Hardware" in the Physical Host Installation Guide |
| Review the UEBA architecture. | "NetWitness Platform Network Architecture Diagram" topic in the Deployment Guide |
| Configure the ports on your firewall. | "Network Architecture and Ports" topic in the Deployment Guide |
| Install NetWitness Server host and other components. | "Task 1 - Install 11.3 on the NetWitness Server (NW Server) Host" and "Task 2 - Install 11.3 on Other Component Hosts" in Physical Host Installation Guide; "Install NetWitness Platform Virtual Host in Virtual Environment" in the Virtual Host Installation Guide |
| Install UEBA. | "RSA NetWitness® UEBA" in Physical Host Installation Guide |
| Assign the UEBA_Analysts and Analysts roles to the UEBA users. | "Role Permissions" in the System Security and User Management Guide |

Update

The following tasks must be performed in the following sequence.

| Description | References |
|---|---|
| Deploy the Endpoint Pack from RSA Live, which contains File Category Lua Parser for the UEBA integration with Endpoint. During deployment, you must specify the Endpoint Log Hybrid Log Decoder service. In case of multiple Endpoint servers, select all the Endpoint Log Hybrid Log Decoder services. | |
| Enable Endpoint data sources such as Process and Registry to generate alerts in UEBA. | "Enable Endpoint Data Sources" in the Update Instructions |
| Enable UEBA indicator forwarder to transfer the UEBA indicators to the NetWitness Respond server and to the correlation server to create incidents. | "Enable UEBA Indicator Forwarder" in the Update Instructions |
| After you update to NetWitness Platform 11.3, the Broker or Concentrator UUID changes. You must update the NetWitness Platform core services, and update the Broker or Concentrator UUID. | "Update Broker or Concentrator UUID" in the Update Instructions |
| Update Airflow Configuration. | "Update Airflow Configuration" in the Update Instructions |
| Restart the Airflow scheduler service after the presidio_upgrade DAG is successful. | "Restart Airflow scheduler service" in the Update Instructions |

Investigation

The following tasks can be performed in any sequence.

| Description | References |
|---|---|
| Investigate high risk users. | "Investigate High-Risk Users" topic in the RSA NetWitness UEBA User Guide |
| Investigate top alerts. | "Investigate Top Alerts" topic in the RSA NetWitness UEBA User Guide |

Monitoring

The following tasks can be performed in any sequence.

| Description | References |
|---|---|
| Review NetWitness UEBA metrics in Health and Wellness. | "View NetWitness UEBA Metrics in Health and Wellness" topic in the RSA NetWitness UEBA User Guide |
| Monitor Health and Wellness of UEBA. | "Monitor Health and Wellness of UEBA" topic in the RSA NetWitness UEBA User Guide |

 
