
UEBA Configuration: Configuration

Document created by RSA Information Design and Development on Nov 11, 2020. Last modified by RSA Information Design and Development on Jan 6, 2021.

This topic provides the high-level tasks required to configure UEBA.

IMPORTANT: Changing the UEBA start date or removing any of the processed schemas requires a rerun of the UEBA system together with a cleanup of the UEBA databases (instructions for adding schemas are given below). When rerunning UEBA, use the reset-presidio script so that the UI data (Alerts, Indicators, Entities and Scores) is not deleted.
Adding UEBA schemas:
- Version 11.5.0.0 or lower: a rerun of the UEBA system is required along with a cleanup of the UEBA databases. Use the reset-presidio script to avoid deleting the UI data.
- Version 11.5.1.0 or higher: no rerun is required; UEBA continues to operate uninterrupted (see Add a Schema without Rerunning the UEBA).

Note: The scripts and curl commands in the following sections (ueba-server-config, reset-presidio, adding a schema, and the indicator forwarder) must be executed as root on the UEBA host.

ueba-server-config script

The ueba-server-config script is used to configure and start the UEBA component after deployment. It can also be used to update the UEBA configuration at run time.

IMPORTANT: All script arguments (except the boolean arguments) are mandatory and must be filled.

For more information on the script parameters, see the NetWitness Installation Guide for Version 11.5.

To run the script, use the following command (--help prints the usage and the full list of parameters): /opt/rsa/saTools/bin/ueba-server-config --help

                                                     
Arguments and their descriptions:
-u <user>

User name of the credentials for the Broker or Concentrator instance that you are using as a data source.

-p <password>

Password of the credentials for the Broker or Concentrator instance that you are using as a data source. The following special characters are supported in a password.

!"#$%&()*+,-:;<=>?@[\]^_`\{|}

If the password contains one or more special characters, enclose it in single quotes (apostrophes) on the command line, for example:
sh /opt/rsa/saTools/bin/ueba-server-config -u brokeruser -p '!"UHfz?@ExMn#$' -h 10.64.153.104 -t 2018-08-01T00:00:00Z -s 'AUTHENTICATION FILE ACTIVE_DIRECTORY TLS PROCESS REGISTRY' -o broker -v

-h <host>

IP address of the Broker or Concentrator used as the data source. Currently, only one data source is supported.

-o <type>

Data source host type (broker or concentrator).

-t <startTime>

Historical start time from which data collection from the data source begins, in YYYY-MM-DDTHH:MM:SSZ format (for example, 2018-08-15T00:00:00Z).

Note: The script interprets the time you enter as UTC (Coordinated Universal Time) and it does not adjust the time to your local time zone.

-s <schemas>

Array of data schemas. If you want to specify multiple schemas, use a space to separate each schema (for example, AUTHENTICATION FILE ACTIVE_DIRECTORY PROCESS REGISTRY TLS).

-v

Verbose mode (takes no argument).

-e <argument>

Boolean argument. Enables the UEBA indicator forwarder to Respond.

Note: If your NetWitness deployment includes an active Respond server, you can forward NetWitness UEBA indicators to the Respond server and create incidents from them by enabling the indicator forwarder. For details on enabling aggregation of NetWitness UEBA incidents, see Enable User Entity Behavior Analytics Incident Rule.

Note: The TLS (packet) schema requires the Hunting Pack to be deployed and the JA3 features to be enabled on the Network Decoder. For more information, see Add Features for UEBA Packet Schema.

reset-presidio script

IMPORTANT: The reset_presidio.py script deletes the UEBA back-end databases and, with the clean option, also deletes the front-end database that backs the UI.

The reset_presidio.py script reruns the UEBA system and lets you update the UEBA start date and the processed schemas without supplying all the other parameters that the ueba-server-config script requires. It reruns UEBA while deleting the back-end data (models, aggregations, and so on). To also delete the front-end data (UI entities, alerts, and so on), use the clean option. If you do not specify a date, the script sets a default start date 28 days earlier than the current date. RSA recommends setting the UEBA start date 28 days earlier than the current date. For UEBA systems that will process TLS data, verify that the start date is set no later than 14 days earlier than the current date.

Note: UEBA must process 28 days of data before alerts can be created.
• If you choose a start date less than 28 days before the current date, for example 10 days earlier, you have to wait another 18 days from the current date before alerts (if any are created) appear in your UEBA system.
• If you choose a start date more than 27 days before the current date, it is recommended to delete the front-end database as well (use -c) to avoid duplicate alerts.

To run the script, load the Airflow virtual environment variables as follows:

source /etc/sysconfig/airflow

source $AIRFLOW_VENV/bin/activate

OWB_ALLOW_NON_FIPS=on python /var/netwitness/presidio/airflow/venv/lib/python2.7/site-packages/presidio_workflows-1.0-py2.7.egg/presidio/utils/airflow/reset_presidio.py --help

deactivate

                                 

Arguments and their descriptions:

-h, --help

Script help.

-c, --clean <argument>

If true, clean any existing data in the Elasticsearch DB (Alerts, Indicators, Entities, and so on); all of this data is deleted from the UEBA UI.

-s <schema>

Reconfigure the UEBA engine array of schemas (for example, AUTHENTICATION FILE ACTIVE_DIRECTORY PROCESS REGISTRY TLS).

-d <date>

Reconfigure the UEBA engine to start from midnight UTC of this date (for example, 2010-12-31). If not set, the start date is reset by default to 27 days before the current system day, at midnight UTC, to avoid duplicate alerts in the UEBA UI in case the Elasticsearch data was not cleaned (-c).
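The start-date arithmetic and quoting rules above are easy to get wrong by hand. The following pre-flight helper is an added example for this page (it is not part of RSA NetWitness) that encodes those rules before you type the real command: the -t value must be UTC with a trailing Z (the script never converts local time), schema names must come from the supported set, 28 days of data are needed before alerts appear, a start date more than 27 days back calls for the clean option, and a password with special characters must be single-quoted. The TLS window constant reflects this editor's reading of the TLS note as "keep at most 14 days of history", which is an assumption; the sample host, user, password and the fixed "now" are constructed inputs. It runs under Python 3 anywhere, not inside the Python 2.7 Airflow venv.

```python
"""Pre-flight checks for ueba-server-config / reset_presidio.py arguments.

Added example, not RSA code. See the lead-in for the rules it encodes and
for which values are assumptions.
"""
import datetime as dt
import shlex

SUPPORTED_SCHEMAS = ("AUTHENTICATION", "FILE", "ACTIVE_DIRECTORY",
                     "PROCESS", "REGISTRY", "TLS")
LEARNING_DAYS = 28       # days of data UEBA processes before creating alerts
CLEAN_THRESHOLD = 27     # further back than this: use -c to avoid duplicate alerts
TLS_HISTORY_DAYS = 14    # ASSUMPTION: reading of the TLS note as "at most 14 days back"
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_start_time(value):
    """Parse the -t value as UTC. Values without the Z suffix are rejected
    because the script does not adjust for the local time zone."""
    if not value.endswith("Z"):
        raise ValueError("start time must be UTC with a Z suffix: %r" % value)
    return dt.datetime.strptime(value, TIME_FORMAT).replace(tzinfo=dt.timezone.utc)


def validate_schemas(schemas):
    """Return the schemas in the given order without duplicates, or raise."""
    unknown = sorted(set(schemas) - set(SUPPORTED_SCHEMAS))
    if unknown:
        raise ValueError("unsupported schema(s): %s" % ", ".join(unknown))
    seen, ordered = set(), []
    for s in schemas:
        if s not in seen:
            seen.add(s)
            ordered.append(s)
    return ordered


def learning_status(start, now, schemas):
    """Summarise what the chosen start date means for alerting."""
    history_days = (now - start).days
    return {
        "history_days": history_days,
        "days_until_alerts": max(0, LEARNING_DAYS - history_days),
        "recommend_clean": history_days > CLEAN_THRESHOLD,
        "tls_window_exceeded": "TLS" in schemas and history_days > TLS_HISTORY_DAYS,
    }


def build_command(user, password, host, host_type, start, schemas, verbose=True):
    """argv for ueba-server-config using the arguments the page documents."""
    if host_type not in ("broker", "concentrator"):
        raise ValueError("host type must be broker or concentrator")
    argv = ["/opt/rsa/saTools/bin/ueba-server-config",
            "-u", user, "-p", password, "-h", host,
            "-t", start.strftime(TIME_FORMAT),
            "-s", " ".join(validate_schemas(schemas)), "-o", host_type]
    if verbose:
        argv.append("-v")
    return argv


def shell_line(argv):
    """Shell-safe rendering: shlex.quote single-quotes the password and the
    space-separated schema list, matching the quoting the page requires."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Constructed sample input: the page's example user/password/host and a
    # fixed "now" so that the day arithmetic is reproducible.
    now = dt.datetime(2021, 1, 6, tzinfo=dt.timezone.utc)
    start = parse_start_time("2020-12-27T00:00:00Z")  # 10 days of history
    schemas = ["AUTHENTICATION", "FILE", "ACTIVE_DIRECTORY", "TLS", "PROCESS", "REGISTRY"]
    print(shell_line(build_command("brokeruser", '!"UHfz?@ExMn#$', "10.64.153.104",
                                   "broker", start, schemas)))
    print(learning_status(start, now, schemas))
```

With the constructed inputs the status reports 10 days of history and 18 more days until alerts, which is the case the note above describes; a start date 36 days back reports zero days to wait but flags the clean option and the TLS window.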

Add a Schema without Rerunning the UEBA

Note: Adding a schema without rerunning the UEBA system is supported on RSA NetWitness Platform 11.5.1 and later.

To add a new UEBA schema without rerunning the UEBA system, run the following command on the UEBA host:

curl -X PATCH http://localhost:8881/configuration -H 'content-type: application/json' -d '{"operations":[{"op":"add","path":"/dataPipeline/schemas/-","value":"<SCHEMA>"}]}'

where <SCHEMA> is one of the following schemas:

  • AUTHENTICATION
  • FILE
  • ACTIVE_DIRECTORY
  • PROCESS
  • REGISTRY
  • TLS

UEBA Indicator Forwarder

Note: The UEBA Indicator Forwarder is supported by UEBA from version 11.3 and later.
If your NetWitness environment includes an active Respond server, you can forward the UEBA indicators to the Respond server in order to create incidents. For more information, see Enable User Entity Behavior Analytics Incident Rule.

Run the following command to activate the UEBA Indicator Forwarder:

curl -X PATCH http://localhost:8881/configuration -H 'content-type: application/json' -d '{"operations":[{"op":"replace","path":"/outputForwarding/enableForwarding","value":true}]}'

To deactivate the UEBA Indicator Forwarder, change "value":true in the request body to "value":false.
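Both curl commands on this page (adding a schema and switching the indicator forwarder) send RFC 6902 JSON Patch operations: "add" with a path ending in "/-" appends to the schemas array, and "replace" overwrites an existing value. Because the page only documents adding a schema, not removing one, a second "add" of the same schema would leave a duplicate in the array. The helper below is an added example for this page, not RSA code: it applies the same operations to a local copy of the configuration first so that an operator can inspect the result and refuse a schema that is already present, and only then sends the request in the body format the page uses. Assumptions: the {"operations": [...]} body is accepted exactly as shown on the page; only the two pointer paths the page uses are known, so the sample configuration is constructed; and the endpoint is plain HTTP on loopback with no credentials in the request, which is one more reason to run this only as root on the UEBA host as the page requires.

```python
"""Dry-run and send JSON Patch operations to the UEBA configuration endpoint.

Added example, not RSA code. Only the "add" and "replace" operations that
this page uses are implemented.
"""
import copy
import json
import urllib.request

ENDPOINT = "http://localhost:8881/configuration"  # as on the page, loopback HTTP
SUPPORTED_SCHEMAS = ("AUTHENTICATION", "FILE", "ACTIVE_DIRECTORY",
                     "PROCESS", "REGISTRY", "TLS")


def _resolve(doc, path):
    """Walk an RFC 6901 JSON Pointer; return (parent container, last token)."""
    tokens = [t.replace("~1", "/").replace("~0", "~") for t in path.split("/")[1:]]
    parent = doc
    for t in tokens[:-1]:
        parent = parent[int(t)] if isinstance(parent, list) else parent[t]
    return parent, tokens[-1]


def apply_operations(doc, operations):
    """Apply add/replace operations to a deep copy of doc and return it."""
    doc = copy.deepcopy(doc)
    for op in operations:
        parent, key = _resolve(doc, op["path"])
        if op["op"] == "add":
            if isinstance(parent, list):
                # "-" appends; a numeric token inserts at that index
                parent.insert(len(parent) if key == "-" else int(key), op["value"])
            else:
                parent[key] = op["value"]
        elif op["op"] == "replace":
            if isinstance(parent, list):
                parent[int(key)] = op["value"]
            elif key in parent:
                parent[key] = op["value"]
            else:
                raise KeyError("replace target does not exist: %s" % op["path"])
        else:
            raise ValueError("unsupported op: %s" % op["op"])
    return doc


def add_schema_operations(current, schema):
    """Operations to add one schema; rejects unknown or already-configured ones."""
    if schema not in SUPPORTED_SCHEMAS:
        raise ValueError("unsupported schema: %s" % schema)
    if schema in current["dataPipeline"]["schemas"]:
        raise ValueError("schema already configured: %s" % schema)
    return [{"op": "add", "path": "/dataPipeline/schemas/-", "value": schema}]


def forwarding_operations(enabled):
    """Operations to switch the indicator forwarder to Respond on or off."""
    return [{"op": "replace", "path": "/outputForwarding/enableForwarding",
             "value": bool(enabled)}]


def send_patch(operations, url=ENDPOINT, timeout=10):
    """Send the operations in the body format the page's curl commands use."""
    body = json.dumps({"operations": operations}).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="PATCH",
                                 headers={"content-type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


# Constructed sample of the relevant part of the configuration; the shape is
# ASSUMED from the two pointer paths the page uses.
SAMPLE_CONFIG = {
    "dataPipeline": {"schemas": ["AUTHENTICATION", "FILE", "ACTIVE_DIRECTORY"]},
    "outputForwarding": {"enableForwarding": False},
}

if __name__ == "__main__":
    ops = add_schema_operations(SAMPLE_CONFIG, "TLS") + forwarding_operations(True)
    print(json.dumps(apply_operations(SAMPLE_CONFIG, ops), indent=2))  # dry run
    # send_patch(ops)  # uncomment on the UEBA host to apply for real
```

The dry run leaves SAMPLE_CONFIG untouched and returns the patched copy, so the operator sees exactly what the service would be asked to store before send_patch() is called.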

Update Data Source Details

In order to update the details of the data source you must use the ueba-server-config script. For more information, see ueba-server-config script.

The data source details are:

  • Data Source type (Broker / Concentrator).
  • Data Source username.
  • Data Source password.
  • Data Source host.

Add Features for UEBA Packet Schema

Add the Hunting Pack:

In NetWitness Platform, add the Hunting Pack or verify that it is already available:

  1. Log in to NetWitness Platform.
  2. Navigate to (Admin) and select Admin Server.
  3. Click and select Configure > Live Content.
  4. On the left menu, select the following:
    1. Bundle under Resource Type.
    2. Packet under Medium.
  5. Click Search.
    A list of matching resources is displayed.
  6. Select Hunting Pack from the list and click Deploy.
    The Hunting Pack is added.

Add JA3 and JA3s:

The JA3 and JA3s fields are supported by the Network Decoder in 11.3.1 and later. Verify that your Network Decoder is upgraded to 11.3.1 or later.

To add JA3 and JA3s:

1. Log in to NetWitness Platform.

2. Go to (Admin) > Services and select the Decoder service.

3. Navigate to /decoder/parsers/config/parsers.options.

4. Add HTTPS="ja3=true ja3s=true".

After the parsers are reloaded, the JA3 and JA3s fields are configured.

Assign User Access to UEBA

To create a user with privileges to access the UEBA pages (the Users tab) in the NetWitness UI:

  1. Navigate to (Admin) > Security.
  2. Create a new user and assign it the UEBA_Analysts and Analysts roles.

For more information, see the "Manage Users with Roles and Permissions" topic in the System Security and User Management Guide.

Create an Analysts Role

To fetch data from the data source (Broker / Concentrator), you need to create a user in the data source service and assign it the "Docktor-UEBA: Validation Too" role.

  1. Navigate to the Security tab of the data source service page: (Admin) > Services > Broker > Security.
  2. Create an analyst user and assign it that role. Use this user's credentials for the -u and -p arguments of the ueba-server-config script.

Enable User Entity Behavior Analytics Incident Rule

To aggregate UEBA indicators into incidents with the incident rule:

  1. Enable the UEBA forwarding process as described in UEBA Indicator Forwarder.
  2. Go to (Configure) > Incident Rules.
  3. Select the User Entity Behavior Analytics rule.
  4. Select the Enable check box and click Save.

Enable or Disable Modeled Behaviors for Users

The UEBA Modeled Behaviors functionality is enabled by default from version 11.5.1.

To disable the Modeled Behaviors:

  1. SSH to the UEBA server.

  2. Edit the /etc/netwitness/presidio/configserver/configurations/presidio-uiconf.properties file and add the following line:

    entity.profile.enabled=false

  3. Restart the service.

    systemctl restart presidio-ui

To enable the Modeled Behaviors:

  1. SSH to the UEBA server.
  2. Remove the line entity.profile.enabled=false from the /etc/netwitness/presidio/configserver/configurations/presidio-uiconf.properties file.

  3. Restart the service.

    systemctl restart presidio-ui

  • To view the Modeled Behaviors created for a user, do the following in the NetWitness Platform UI:

    1. Log in to NetWitness Platform and click Users.
    2. In the Overview tab, under the Top Risky Users panel, click a username.
    3. Click the Modeled Behaviors tab.
  • For more information, see the "View Modeled Behaviors" topic in the UEBA User Guide for NetWitness Platform 11.x.

Note: Users and Modeled Behaviors are created after one day of processing data from the AUTHENTICATION, FILE and ACTIVE_DIRECTORY schemas. When these appear in the UI, the system is working properly.
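The enable/disable procedure above edits a properties file by hand and restarts the service. A file that is toggled back and forth over time easily ends up with duplicate or stale entity.profile.enabled lines, so the helper below, an added example for this page and not RSA code, makes the edit idempotent: the key ends up present exactly once when disabling, and every live setting of it is removed when re-enabling, while comment lines are left alone. It assumes the Java-style key=value format the page shows (with '#' comments). The service restart (systemctl restart presidio-ui) remains a separate step, and the sample file contents used for checking are constructed.

```python
"""Idempotent edit of entity.profile.enabled in presidio-uiconf.properties.

Added example, not RSA code. Assumes Java-style key=value lines; lines that
start with '#' are comments and are never touched.
"""
import re

PROPERTIES = ("/etc/netwitness/presidio/configserver/configurations/"
              "presidio-uiconf.properties")
KEY = "entity.profile.enabled"


def _key_pattern(key):
    # matches "key=value" or "key: value" with optional leading whitespace;
    # a leading '#' (comment marker) does not match
    return re.compile(r"^\s*%s\s*[=:]" % re.escape(key))


def set_property(text, key, value):
    """Return text with exactly one key=value line: the first existing
    setting is replaced in place, later duplicates are dropped, and the
    line is appended if the key was absent."""
    pattern = _key_pattern(key)
    out, done = [], False
    for line in text.splitlines():
        if pattern.match(line):
            if not done:
                out.append("%s=%s" % (key, value))
                done = True
            continue
        out.append(line)
    if not done:
        out.append("%s=%s" % (key, value))
    return "\n".join(out) + "\n"


def remove_property(text, key):
    """Return text with every live setting of key removed (comments kept)."""
    pattern = _key_pattern(key)
    kept = [line for line in text.splitlines() if not pattern.match(line)]
    return "\n".join(kept) + "\n" if kept else ""


def disable_modeled_behaviors(path=PROPERTIES):
    """The page's 'disable' step: add entity.profile.enabled=false."""
    with open(path, "r") as f:
        text = f.read()
    with open(path, "w") as f:
        f.write(set_property(text, KEY, "false"))


def enable_modeled_behaviors(path=PROPERTIES):
    """The page's 'enable' step: remove the entity.profile.enabled line."""
    with open(path, "r") as f:
        text = f.read()
    with open(path, "w") as f:
        f.write(remove_property(text, KEY))
```

Run disable_modeled_behaviors() or enable_modeled_behaviors() as root on the UEBA server, then restart presidio-ui as described above; running either function twice yields the same file as running it once.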

Verify the UEBA Configuration

After you have installed, deployed and configured UEBA on NetWitness Platform, verify that the UEBA server is working as expected and is healthy using the following procedures.

Check UEBA progress status using Airflow

To check the UEBA progress status using Airflow:

1. Navigate to https://<UEBA-host-name>/admin.
2. Enter the admin username and password.
  A red circle on the main page indicates that a task has failed.
3. (Optional) Click the red circle for details about the cause of the failure.
4. To see the currently running tasks, click Browse and select Task Instances.
5. Add the filter State = running, Pool = spring_boot_jar_pool.

  The Execution Date column shows the current time window of each running task.

Check whether data is received on UEBA using Kibana

To check whether data is received on UEBA using Kibana:

1. Navigate to https://<UEBA-host-name>/kibana.
2. Enter the admin username and password.
3. To check whether data is flowing to UEBA, open the Adapter Dashboard:
  1. Click the Dashboard tab in the left menu.
  2. Click Adapter Dashboard in the right menu.
  3. Select the relevant time range in the top bar.
    The charts on this dashboard display the data that UEBA has already fetched.

Learning Period Per Scale for 11.5

Physical Machine

SERIES 5 (DELL R630) SPECIFICATIONS

Learning period by supported scale. "Existing NetWitness customer" means that historical data is available. Alerts are generated when the learning period is complete.

Supported scale: Logs and Endpoint data for 100,000 users + 20 million network events per day (existing NetWitness customer: Yes)
  • 11.5 Installation: Up to 4 days with 28 days of historical data.
  • 11.5 Upgrade from 11.4.x with no schema changes: No learning period. UEBA rerun is not required.
  • 11.5 Upgrade from 11.3.x or prior versions with no schema changes: Up to 4 days with 28 days of historical data. UEBA rerun is required.
  • 11.5 Upgrade with schema changes: Up to 4 days with 28 days of historical data. UEBA rerun is required.

Supported scale: Logs and Endpoint data for 100,000 users + 60 million network events per day (existing NetWitness customer: Yes)
  • 11.5 Installation: Up to 14 days with 14 days of historical data.
  • 11.5 Upgrade from 11.4.x with no schema changes: No learning period. UEBA rerun is not required.
  • 11.5 Upgrade from 11.3.x or prior versions with no schema changes: Up to 14 days with 14 days of historical data. UEBA rerun is required. Note: This scenario is impacted by known issue ASOC-101686; see the NetWitness Release Notes for 11.5.
  • 11.5 Upgrade with schema changes: Up to 14 days with 14 days of historical data. UEBA rerun is required. Note: This scenario is impacted by known issue ASOC-101686; see the NetWitness Release Notes for 11.5.

Supported scale: Logs and Endpoint data for up to 100,000 users + 60 million network events per day (existing NetWitness customer: No)
  • 11.5 Installation: 28 days.

Virtual Machine

Virtual host specifications:
  • CPU: 16 cores
  • Memory: 64GB
  • Read IOPS: 500MB
  • Write IOPS: 500MB

Note: RSA recommends deploying UEBA on a virtual host only if your log collection volume is low. If you have a moderate to high log collection volume, RSA recommends deploying UEBA on a physical host as described in the "RSA NetWitness UEBA Host Hardware Specifications" topic of the Physical Host Installation Guide. Contact Customer Support (https://community.rsa.com/docs/DOC-1294) for advice on choosing which host, virtual or physical, to use for UEBA.

                                                   
Learning period by supported scale on a virtual host. "Existing NetWitness customer" means that historical data is available. Alerts are generated when the learning period is complete.

Supported scale: Logs and Endpoint data for up to 100,000 users with 30 million events per day (no network data) (existing NetWitness customer: Yes)
  • 11.5 Installation: Up to 4 days with 28 days of historical data.
  • 11.5 Upgrade from 11.4.x with no schema changes: No learning period. UEBA rerun is not required.
  • 11.5 Upgrade from 11.3.x or prior versions with no schema changes: Up to 4 days with 28 days of historical data. UEBA rerun is required.
  • 11.5 Upgrade with schema changes: Up to 4 days with 28 days of historical data. UEBA rerun is required.

Supported scale: Logs and Endpoint data for up to 100,000 users with 30 million events per day + 20 million network events per day (existing NetWitness customer: Yes)
  • 11.5 Installation: Up to 14 days with 14 days of historical data.
  • 11.5 Upgrade from 11.4.x with no schema changes: No learning period. UEBA rerun is not required.
  • 11.5 Upgrade from 11.3.x or prior versions with no schema changes: Up to 14 days with 14 days of historical data. UEBA rerun is required. Note: This scenario is impacted by known issue ASOC-101686; see the NetWitness Release Notes for 11.5.
  • 11.5 Upgrade with schema removal: Up to 14 days with 14 days of historical data. UEBA rerun is required. Note: This scenario is impacted by known issue ASOC-101686; see the NetWitness Release Notes for 11.5.

Note: Network events per day refers to the number of events consumed by UEBA per day. To determine the scale of network events for existing customers, see Troubleshooting UEBA Configurations.

Learning Period Per Scale for 11.5.1

Note: For all supported scales, when historical data is not available, the learning period is 28 days.

Physical Machine

SERIES 5 (DELL R630) SPECIFICATIONS

Learning period by supported scale for existing NetWitness customers (historical data is available). Alerts are generated when the learning period is complete.

Supported scale: Logs and Endpoint data for 100,000 users + 20 million network events per day
  • 11.5.1 Installation: Up to 4 days with 28 days of historical data.
  • 11.5.1 Upgrade from 11.4.x: No learning period. UEBA rerun is not required.
  • 11.5.1 Upgrade from 11.3.x or prior versions: Up to 4 days with 28 days of historical data. UEBA rerun is required.
  • 11.5.1 Upgrade with schema removal: Up to 4 days with 28 days of historical data. UEBA rerun is required.

Supported scale: Logs and Endpoint data for 100,000 users + 60 million network events per day
  • 11.5.1 Installation: Up to 14 days with 14 days of historical data.
  • 11.5.1 Upgrade from 11.4.x: No learning period. UEBA rerun is not required.
  • 11.5.1 Upgrade from 11.3.x or prior versions: Up to 14 days with 14 days of historical data. UEBA rerun is required. Note: This scenario is impacted by known issue ASOC-101686; see the NetWitness Release Notes for 11.5.
  • 11.5.1 Upgrade with schema removal: Up to 14 days with 14 days of historical data. UEBA rerun is required. Note: This scenario is impacted by known issue ASOC-101686; see the NetWitness Release Notes for 11.5.

Virtual Machine

If there is no historical data, the learning period is 28 days.

Virtual host specifications:
  • CPU: 16 cores
  • Memory: 64GB
  • Read IOPS: 500MB
  • Write IOPS: 500MB

Note: RSA recommends deploying UEBA on a virtual host only if your log collection volume is low. If you have a moderate to high log collection volume, RSA recommends deploying UEBA on a physical host as described in the "RSA NetWitness UEBA Host Hardware Specifications" topic of the Physical Host Installation Guide. Contact Customer Support (https://community.rsa.com/docs/DOC-1294) for advice on choosing which host, virtual or physical, to use for UEBA.

Learning period by supported scale for existing NetWitness customers (historical data is available). Alerts are generated when the learning period is complete.

Supported scale: Logs and Endpoint data for up to 100,000 users with 30 million events per day (no network data)
  • 11.5.1 Installation: Up to 4 days with 28 days of historical data.
  • 11.5.1 Upgrade from 11.4.x: No learning period. UEBA rerun is not required.
  • 11.5.1 Upgrade from 11.3.x or prior versions: Up to 4 days with 28 days of historical data. UEBA rerun is required.
  • 11.5.1 Upgrade with schema removal: Up to 4 days with 28 days of historical data. UEBA rerun is required.

Supported scale: Logs and Endpoint data for up to 100,000 users with 30 million events per day + 20 million network events per day
  • 11.5.1 Installation: Up to 14 days with 14 days of historical data.
  • 11.5.1 Upgrade from 11.4.x: No learning period. UEBA rerun is not required.
  • 11.5.1 Upgrade from 11.3.x or prior versions: Up to 14 days with 14 days of historical data. UEBA rerun is required. Note: This scenario is impacted by known issue ASOC-101686; see the NetWitness Release Notes for 11.5.
  • 11.5.1 Upgrade with schema removal: Up to 14 days with 14 days of historical data. UEBA rerun is required. Note: This scenario is impacted by known issue ASOC-101686; see the NetWitness Release Notes for 11.5.

Note: Network events per day refers to the number of events consumed by UEBA per day. To determine the scale of network events for existing customers, see Troubleshooting UEBA Configurations.
