In NetWitness Platform 11.4, UEBA can detect malicious traffic masked within an authentic HTTPS session. To support this, UEBA added a TLS data source and introduced two new entities, JA3 and SSL Subject, which are used on inbound and outbound network traffic.
JA3 - You can investigate this entity when you have limited visibility into anomalous behaviors in the network. Its purpose is to enable JA3-signature-based analysis to detect abnormal network behavior.
SSL Subject - You can investigate this entity to validate false negatives and true positives for SSL.fingerprints from the UEBA alerts. Its purpose is to let you view anomalies on SSL certificate entities, which represent domain network activity in HTTPS communication.
For more information about NetWitness UEBA-supported entity indicators, see NetWitness UEBA Use Cases for Network (Packets).
The following tables list the indicators that are displayed when potentially malicious activity is detected for entities.
Access NetWitness UEBA
To access NetWitness UEBA, log in to NetWitness Platform and go to INVESTIGATE > ENTITIES. The Entities view, which contains all the NetWitness UEBA features, is displayed.
You can choose a dark or a light theme for the view. For information, please see the "Choose the Appearance of NetWitness Platform" topic in the RSA NetWitness Getting Started Guide.