
UEBA Configuration: Configuration

Document created by RSA Information Design and Development Employee on Oct 14, 2020. Last modified by RSA Information Design and Development Employee on Oct 15, 2020. Version 2.

This topic provides the high-level tasks required to configure UEBA.

IMPORTANT: Changing the UEBA start date or the set of processed schemas requires a re-run of the UEBA system and a cleanup of the UEBA databases. To avoid deleting the data shown in the UI (Alerts, Indicators, Entities and Scores), use the reset_presidio.py script as described in reset-presidio script; it keeps that data.

Note: Steps 1 to 4 must be executed as root on the UEBA machine.

ueba-server-config script

The ueba-server-config script is used to configure and run the UEBA component after deployment. It can also be used to update the UEBA configuration at run time.

IMPORTANT: If you change the start time or the processing schemas, you must re-run UEBA. All script arguments except the boolean arguments are mandatory and must be supplied.

For more information on the script parameters, see the NetWitness Installation Guide for Version 11.5.

To display the script usage, run:
/opt/rsa/saTools/bin/ueba-server-config --help

Argument    Variable    Description
-u <user>

User name of the credentials for the Broker or Concentrator instance that you are using as a data source.

-p <password>

Password of the credentials for the Broker or Concentrator instance that you are using as a data source. The following special characters are supported in a password:

!"#$%&()*+,-:;<=>?@[\]^_`\{|}

If the password includes one or more special characters, enclose it in single quotes (apostrophes) so that the shell does not interpret them, for example:
sh /opt/rsa/saTools/bin/ueba-server-config -u brokeruser -p '!"UHfz?@ExMn#$' -h 10.64.153.104 -t 2018-08-01T00:00:00Z -s 'AUTHENTICATION FILE ACTIVE_DIRECTORY TLS PROCESS REGISTRY' -o broker -v

Note that a single quote itself is not in the supported set. Also note that a password passed on the command line is visible in the process list while the script runs and may be recorded in the shell history.

-h <host>

IP address of the Broker or Concentrator used as the data source. Currently, only one data source is supported.

-o <type>

Data source host type (broker or concentrator).

-t <startTime>

Historical start time from which data is collected from the data source, in YYYY-MM-DDTHH:MM:SSZ format (for example, 2018-08-15T00:00:00Z).

Note: The script interprets the time you enter as UTC (Coordinated Universal Time) and it does not adjust the time to your local time zone.

-s <schemas>

Array of data schemas. If you want to specify multiple schemas, use a space to separate each schema (for example, AUTHENTICATION FILE ACTIVE_DIRECTORY PROCESS REGISTRY TLS).

-v

Verbose mode.

-e <argument>

Boolean argument. Enables the UEBA indicator forwarder to Respond.

Note: If your NetWitness deployment includes an active Respond server, you can enable the indicator forwarder to transfer NetWitness UEBA indicators to the Respond server and create incidents from them. For more information on how to enable NetWitness UEBA incident aggregation, see Enable User Entity Behavior Analytics Incident Rule.

Note: The TLS packet schema requires the Hunting Pack to be added and the JA3 features to be enabled. For more information, see Add Features for UEBA Packet Schema.

reset-presidio script

IMPORTANT: The reset_presidio.py script deletes the UEBA back-end databases and can also delete the front-end database that is present in the UI.

The reset_presidio.py script re-runs the UEBA system and lets you update the UEBA start date and the processing schemas without supplying all the other parameters that the ueba-server-config script requires. The re-run deletes the back-end data (models, aggregations, and so on). To also delete the front-end data (UI entities, alerts, and so on), use the clean option. If you do not specify a date, the script sets the default start date, 28 days before the current date. RSA recommends that the UEBA start date be set 28 days before the current date. For UEBA systems that will process TLS data, verify that the start date is set to no later than 14 days before the current date.

Note: UEBA must process 28 days of data before alerts can be created.
  • If you choose a start date less than 28 days before the current date, for example 10 days earlier, you must wait another 18 days from the current date before alerts (if any are created) appear in your UEBA system.
  • If you choose a start date more than 27 days before the current date, it is recommended to also delete the front-end database (use -c) to avoid duplicate alerts.

To run the script, load the Airflow virtual environment variables as follows:

source /etc/sysconfig/airflow

source $AIRFLOW_VENV/bin/activate

OWB_ALLOW_NON_FIPS=on python /var/netwitness/presidio/airflow/venv/lib/python2.7/site-packages/presidio_workflows-1.0-py2.7.egg/presidio/utils/airflow/reset_presidio.py --help

deactivate

Argument    Variable    Description

-h, --help

Script help.

-c, --clean <argument>

If true, clean any existing data in the Elasticsearch DB (Alerts, Indicators, Entities, and so on); all data is deleted from the UEBA UI.

-s <schema>

Reconfigure the UEBA engine array of schemas (for example, AUTHENTICATION FILE ACTIVE_DIRECTORY PROCESS REGISTRY TLS).

-d <date>

Reconfigure the UEBA engine to start from midnight UTC of this date (for example, 2010-12-31). If not set, the start date is reset by default to 27 days before the current system day, at midnight UTC, to avoid duplicate alerts in the UEBA UI in case you did not clean the Elasticsearch data (-c).
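The following POSIX shell helper is an added example; it is not part of the NetWitness product or of this documentation. It collects the checks a practitioner would run before invoking the two scripts above: computing a -t start time at midnight UTC a given number of days back (28 is the recommended default), validating the -t format and the -s schema list against the names documented on this page, rejecting passwords that use characters outside the documented supported set, and deciding whether reset_presidio.py should be run with -c (the page recommends -c when the start date is more than 27 days back). The script path and schema names are taken from this page; the function names, the use of GNU date (as found on the UEBA host), and the reading of the supported-character list as the complete set of allowed special characters are assumptions.

```shell
#!/bin/sh
# Added example (not RSA code): pre-flight checks for the UEBA configuration scripts.
# Assumes GNU date. The script path and schema names are the ones documented above.

UEBA_SERVER_CONFIG=/opt/rsa/saTools/bin/ueba-server-config
KNOWN_SCHEMAS="AUTHENTICATION FILE ACTIVE_DIRECTORY PROCESS REGISTRY TLS"

# Midnight UTC, DAYS days before REF (YYYY-MM-DD; default: today in UTC), in the
# YYYY-MM-DDTHH:MM:SSZ form that -t expects. ueba-server-config reads -t as UTC.
ueba_start_time() {
    days=$1
    ref=${2:-$(date -u +%Y-%m-%d)}
    date -u -d "$ref -$days days" +%Y-%m-%dT00:00:00Z
}

# A -t value must be YYYY-MM-DDTHH:MM:SSZ (colons in the time part, trailing Z).
validate_start_time() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$'
}

# Every name in a space-separated -s list must be a documented schema name.
validate_schemas() {
    for s in $1; do
        case " $KNOWN_SCHEMAS " in
            *" $s "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Letters, digits and the special characters listed for -p are accepted. A single
# quote is not in that list, so a password containing one cannot be passed in the
# single-quoted form shown on the page. (Assumption: the page's list is complete.)
password_chars_ok() {
    printf '%s\n' "$1" | fold -w1 | while IFS= read -r c; do
        case "$c" in
            ''|[A-Za-z0-9]|'!'|'"'|'#'|'$'|'%'|'&'|'('|')'|'*'|'+'|','|'-'|':'|';'|'<'|'='|'>'|'?'|'@'|'['|'\'|']'|'^'|'_'|'`'|'{'|'|'|'}') ;;
            *) exit 1 ;;
        esac
    done
}

# Whole days between START (YYYY-MM-DD, or a full -t value) and REF, both at midnight UTC.
days_before() {
    start=$(date -u -d "${1%%T*}" +%s)
    ref=$(date -u -d "${2:-$(date -u +%Y-%m-%d)}" +%s)
    echo $(( (ref - start) / 86400 ))
}

# The page recommends reset_presidio.py -c (drop the UI data as well) when the new
# start date is more than 27 days before the current date, to avoid duplicate alerts.
reset_presidio_needs_clean() {
    [ "$(days_before "$1" "$2")" -gt 27 ]
}

# Validate, then run ueba-server-config with the arguments passed through unchanged.
# usage: run_ueba_server_config USER PASSWORD HOST broker|concentrator START_TIME "SCHEMAS"
# The password still travels on the command line, so it is visible in the process
# list while the script runs; avoid leaving it in the shell history.
run_ueba_server_config() {
    user=$1 pass=$2 host=$3 type=$4 start=$5 schemas=$6
    case "$type" in broker|concentrator) ;; *) echo "bad -o: $type" >&2; return 2 ;; esac
    validate_start_time "$start" || { echo "bad -t: $start (want YYYY-MM-DDTHH:MM:SSZ)" >&2; return 2; }
    validate_schemas "$schemas"  || { echo "unknown schema in: $schemas" >&2; return 2; }
    password_chars_ok "$pass"    || { echo "password uses an unsupported character" >&2; return 2; }
    "$UEBA_SERVER_CONFIG" -u "$user" -p "$pass" -h "$host" -t "$start" -s "$schemas" -o "$type" -v
}
```

Because the arguments are passed from variables with double quotes, no extra single-quoting of the password is needed inside the script; the quoting rule on this page applies when the command is typed interactively.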

UEBA Indicator Forwarder

Note: The UEBA Indicator Forwarder is supported by UEBA from version 11.3 onward.
If your NetWitness environment includes an active Respond server, you can transfer the UEBA indicators to the Respond server and to the correlation server in order to create incidents. For more information, see Enable User Entity Behavior Analytics Incident Rule.

Run the following command to activate the UEBA Indicator Forwarder:

curl -X PATCH http://localhost:8881/configuration -H 'content-type: application/json' -d '{"operations":[{"op":"replace","path":"/outputForwarding/enableForwarding","value":true}]}'

To deactivate the UEBA indicator forwarder, change "value":true in the request body to "value":false.

Update Data Source Details

In order to update the details of the data source you must use the ueba-server-config script. For more information, see ueba-server-config script.

The data sources details are:

  • Data Source type (Broker / Concentrator).
  • Data Source username.
  • Data Source password.
  • Data Source host.

Add Features for UEBA Packet Schema

Add the Hunting Pack:

In NetWitness Platform, add the Hunting Pack or verify that it is available:

  1. Log in to NetWitness Platform.
  2. Navigate to (Admin) and select Admin Server.
  3. Click and select Configure > Live Content.
  4. On the left menu, select the following:
    1. Bundle under Resource Type.
    2. Packet under Medium.
  5. Click Search.
    A list of matching resources is displayed.
  6. Select Hunting Pack from the list and click Deploy.
    The Hunting Pack is added.

Add JA3 and JA3s:

The JA3 and JA3s fields are supported by the Network Decoder in 11.3.1 and later. Verify that your Network Decoder is upgraded to one of these versions.

To add JA3 and JA3s:

1. Log in to NetWitness Platform.

2. Go to (Admin) and select Decoder.

3. Navigate to /decoder/parsers/config/parsers.options.

4. Add HTTPS="ja3=true ja3s=true".

The JA3 and JA3s fields are configured.

Assign User Access to UEBA

To create a user with privileges to access the UEBA pages (Users tab) in the NetWitness UI, do the following:

  1. Navigate to (Admin) > Security.
  2. Create a new user and assign it the UEBA_Analysts and Analysts roles.

For more information, see the "Manage Users with Roles and Permissions" topic in the System Security and User Management Guide.

Create an Analysts Role

To fetch data from the data source (Broker / Concentrator), UEBA needs a user with the Analysts role on the data source service.

  1. Navigate to (Admin) > Services, select the data source service, and open its Security tab.
  2. Create an analyst user, assign it the Analysts role, and give it a password that uses only the special characters supported by the ueba-server-config script (see the -p argument).

Enable User Entity Behavior Analytics Incident Rule

To aggregate the UEBA indicators under an incident rule, follow the instructions below:

  1. Enable the UEBA forwarding process as described in UEBA Indicator Forwarder.
  2. Go to (Configure) > Incident Rules.
  3. Select the User Entity Behavior Analytics rule.
  4. Select the Enable check box and click Save.

Learning Period Per Scale for 11.5

Physical Machine

SERIES 5 (DELL R630) SPECIFICATIONS

For each supported scale and deployment scenario, the list below gives whether the scenario applies to an existing NetWitness customer (historical data available) and the learning period. Alerts are generated when the learning period is complete.

Supported scale: Logs and Endpoint data for 100,000 users + 20 million network events per day. Existing NetWitness customer (historical data available): Yes.
  • 11.5 Installation: up to 4 days with 28 days of historical data.
  • 11.5 Upgrade from 11.4.x with no schema changes: no learning period. UEBA rerun is not required.
  • 11.5 Upgrade from 11.3.x or prior versions with no schema changes: up to 4 days with 28 days of historical data. UEBA rerun is required.
  • 11.5 Upgrade with schema changes: up to 4 days with 28 days of historical data. UEBA rerun is required.

Supported scale: Logs and Endpoint data for 100,000 users + 60 million network events per day. Existing NetWitness customer (historical data available): Yes.
  • 11.5 Installation: up to 14 days with 14 days of historical data.
  • 11.5 Upgrade from 11.4.x with no schema changes: no learning period. UEBA rerun is not required.
  • 11.5 Upgrade from 11.3.x or prior versions with no schema changes: up to 14 days with 14 days of historical data. UEBA rerun is required. This scenario is impacted by known issue ASOC-101686; see the NetWitness Release Notes for 11.5.
  • 11.5 Upgrade with schema changes: up to 14 days with 14 days of historical data. UEBA rerun is required. This scenario is impacted by known issue ASOC-101686; see the NetWitness Release Notes for 11.5.

Supported scale: Logs and Endpoint data for up to 100,000 users + 60 million network events per day. Existing NetWitness customer (historical data available): No.
  • 11.5 Installation: 28 days.

Virtual Machine

CPU: 16 cores
Memory: 64GB
Read IOPS: 500MB
Write IOPS: 500MB

Note: RSA recommends that you deploy UEBA on a virtual host only if your log collection volume is low. If you have a moderate to high log collection volume, RSA recommends that you deploy UEBA on a physical host as described in the "RSA NetWitness UEBA Host Hardware Specifications" topic of the Physical Host Installation Guide. Contact Customer Support (https://community.rsa.com/docs/DOC-1294) for advice on whether to use a virtual or a physical host for UEBA.

For each supported scale and deployment scenario, the list below gives whether the scenario applies to an existing NetWitness customer (historical data available) and the learning period. Alerts are generated when the learning period is complete.

Supported scale: Logs and Endpoint data for up to 100,000 users with 30 million events per day (no network data). Existing NetWitness customer (historical data available): Yes.
  • 11.5 Installation: up to 4 days with 28 days of historical data.
  • 11.5 Upgrade from 11.4.x with no schema changes: no learning period. UEBA rerun is not required.
  • 11.5 Upgrade from 11.3.x or prior versions with no schema changes: up to 4 days with 28 days of historical data. UEBA rerun is required.
  • 11.5 Upgrade with schema changes: up to 4 days with 28 days of historical data. UEBA rerun is required.

Supported scale: Logs and Endpoint data for up to 100,000 users with 30 million events per day + 20 million network events per day. Existing NetWitness customer (historical data available): Yes.
  • 11.5 Installation: up to 14 days with 14 days of historical data.
  • 11.5 Upgrade from 11.4.x with no schema changes: no learning period. UEBA rerun is not required.
  • 11.5 Upgrade from 11.3.x or prior versions with no schema changes: up to 14 days with 14 days of historical data. UEBA rerun is required. This scenario is impacted by known issue ASOC-101686; see the NetWitness Release Notes for 11.5.
  • 11.5 Upgrade with schema removal: up to 14 days with 14 days of historical data. UEBA rerun is required. This scenario is impacted by known issue ASOC-101686; see the NetWitness Release Notes for 11.5.

Note: Network events per day refers to the number of events consumed by UEBA per day. To determine the network event scale for existing customers, see Troubleshooting UEBA Configurations.
