The purpose of UEBA Essentials and user-hunting is to detect or bring focus to suspicious user and entity behavior to find potential insider threats, lateral movement by external attackers, or general abuse/misuse of user accounts. Deploying this bundle will download all of the content and content dependencies of the UEBA Essentials Pack to the services appropriate for each content type.
For details on using this pack, see UEBA Essentials Hunting Guide.
Versions supported: RSA NetWitness 11.1 and higher
The UEBA Essentials pack contains the following content:
- RDP over Non-Standard Port
- Windows Credential Harvesting Services
- Windows NTLM Network Logon Successful
- Account Added to Administrators Group and Removed
- Direct Login By A Watchlist Account
- Failed logins Followed By Successful Login and a Password Change
- Failed logins outside business hours
- Insider Threat Mass Audit Clearing
- krbtgt Account Modified on Domain controller
- Lateral Movement Suspected Windows
- Logins Across Multiple Servers
- Malicious Account Creation Followed by Failed Authorization to Neighboring Devices
- Malware Dropper
- Multiple Account Lockouts from Same or Different Users
- Multiple Failed Logins Followed by Successful Login
- Multiple Failed Logins from Multiple Diff Sources to Same Dest
- Multiple Failed Logins from Multiple Users to Same Destination
- Multiple Failed Logins from Same User Originating from Different Countries
- Multiple Failed Privilege Escalations by the Same User
- Multiple Login Failures by Administrators to Domain Controller
- Multiple Login Failures by Guest to Domain Controller
- Multiple Login Failures from Same Source IP with Unique Usernames
- Multiple Successful Logins from Multiple Diff Src to Diff Dest
- Multiple Successful Logins from Multiple Diff Src to Same Dest
- Privilege Escalation Detected
- Privilege User Account Password Change
- PunyCode Phishing Attempt
- RDP Inbound Traffic
- RDP Traffic from Same Source to Multiple Different Destinations
- RIG Exploit Kit
- Suspicious Account Removal
- Suspicious Privileged User Access Activity
- User Account Created and Deleted Within an Hour
- User Added to Admin Group Same User Login OR Same User su sudo
- User Added to administrative group then SIGHUP detected
- User Login Baseline
- Windows Suspicious Admin Activity: Audit log Cleared
- Windows Suspicious Admin Activity: Firewall Service Stopped
- Windows Suspicious Admin Activity: Network Share Created
- Windows Suspicious Admin Activity: Shared Object Accessed
- AWS Access Permissions Modified Report
- AWS Critical VM Modified Report
- Identity Management
- Lateral Movement Indicators - Windows
- RSA SecurID Authentication Summary
- NetWitness Administration Report
- User Watch
Additionally, the following items are related content for UEBA Essentials and are provided out of the box, so they are not downloaded as part of the UEBA Essentials bundle.
- RSA SecurID
- Incident Rule: User Behavior
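Two of the rules listed above, "Multiple Failed Logins Followed by Successful Login" and "User Account Created and Deleted Within an Hour", are time-windowed correlations over authentication and account-management events. The following Python script is an added illustration of that kind of correlation and is not the pack's own ESA rule logic; the event records, field names (`action`, `user`, `target`, `src`, `dst`), thresholds and windows are constructed assumptions chosen to show how such a rule keys state per user and destination and fires only when the sequence completes inside the window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real NetWitness meta). Each record mimics the
# normalized fields a log parser would yield: ISO timestamp, action, user, host.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:01", "action": "logon_failure", "user": "jsmith", "src": "10.0.0.5", "dst": "srv01"},
    {"time": "2024-01-10T09:00:05", "action": "logon_failure", "user": "jsmith", "src": "10.0.0.5", "dst": "srv01"},
    {"time": "2024-01-10T09:00:09", "action": "logon_failure", "user": "jsmith", "src": "10.0.0.5", "dst": "srv01"},
    {"time": "2024-01-10T09:00:20", "action": "logon_success", "user": "jsmith", "src": "10.0.0.5", "dst": "srv01"},
    # One stray failure followed much later by a success: below threshold and outside the window.
    {"time": "2024-01-10T09:05:00", "action": "logon_failure", "user": "bob", "src": "10.0.0.9", "dst": "srv02"},
    {"time": "2024-01-10T09:30:00", "action": "logon_success", "user": "bob", "src": "10.0.0.9", "dst": "srv02"},
    # Account created and removed 40 minutes later on the same host.
    {"time": "2024-01-10T10:00:00", "action": "account_created", "user": "admin", "target": "tmpsvc", "dst": "dc01"},
    {"time": "2024-01-10T10:40:00", "action": "account_deleted", "user": "admin", "target": "tmpsvc", "dst": "dc01"},
    # Account created and never deleted: no alert.
    {"time": "2024-01-10T11:00:00", "action": "account_created", "user": "admin", "target": "newhire", "dst": "dc01"},
]


def parse_time(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def failed_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a (user, dst) pair when at least `threshold` logon failures occur
    within `window` before a successful logon to the same destination."""
    alerts = []
    failures = defaultdict(list)  # (user, dst) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] not in ("logon_failure", "logon_success"):
            continue
        t = parse_time(ev["time"])
        key = (ev["user"], ev["dst"])
        if ev["action"] == "logon_failure":
            failures[key].append(t)
        else:
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "Multiple Failed Logins Followed by Successful Login",
                    "user": ev["user"], "dst": ev["dst"],
                    "failures": len(recent), "time": ev["time"],
                })
            # A success resets the failure run for this pair either way.
            failures[key].clear()
    return alerts


def created_then_deleted(events, window=timedelta(hours=1)):
    """Flag an account that is deleted within `window` of being created."""
    alerts = []
    created = {}  # (target account, dst) -> creation time
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] not in ("account_created", "account_deleted"):
            continue
        t = parse_time(ev["time"])
        key = (ev["target"], ev["dst"])
        if ev["action"] == "account_created":
            created[key] = t
        else:
            created_at = created.pop(key, None)
            if created_at is not None and t - created_at <= window:
                alerts.append({
                    "rule": "User Account Created and Deleted Within an Hour",
                    "account": ev["target"], "dst": ev["dst"],
                    "by": ev["user"], "lifetime_minutes": (t - created_at).total_seconds() / 60,
                })
    return alerts


def run_rules(events):
    """Run both correlations and return the combined alert list."""
    return failed_then_success(events) + created_then_deleted(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

Keying the failure run by user and destination, and clearing it on any success, is what keeps a single slow-moving user from accumulating failures across hours; the window and threshold are the knobs a SOC would tune to its own baseline of normal mistyped passwords.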
Mappings Between UEBA App Rules and Meta
The following table lists the mappings between application rules used in UEBA and corresponding meta keys and values.
To start your investigation, go to INVESTIGATE > Navigate > Load Values. Then, in the Meta drop-down menu, choose Use Meta Group > RSA User & Entity Behavior Analysis.
Here, you can see we've selected RSA Threat Analysis and then Use Meta Group > RSA User & Entity Behavior Analysis from the horizontal navigation menu.
If you right-click on one of the values, you can perform a Context Lookup. The following screen shows a context lookup of the administrator meta value.
You can also view interesting data in Respond. Go to RESPOND and choose one of the events.
If you select an incident name, the connections for the event are displayed:
To view session meta, select INDICATORS, then expand the events list:
Click Log for an event to display the raw log information as well as event meta for the selected event.