User and Entity Behavior Analytics (UEBA) Content Pack

Document created by RSA Information Design and Development on Mar 27, 2018. Last modified by RSA Information Design and Development on Apr 10, 2018. Version 6.

The purpose of UEBA and user-hunting is to detect or bring focus to suspicious user and entity behavior to find potential insider threats, lateral movement by external attackers, or general abuse/misuse of user accounts. Deploying this bundle will download all of the content and content dependencies of the UEBA Pack to the services appropriate for each content type.

For details on using this pack, see User and Entity Behavior Analytics (UEBA) Hunting Guide.


Versions supported: RSA NetWitness 11.1 and higher


The UEBA pack contains the following content:

  • Application Rules:

    • NWFL_access:privilege-escalation-failure
    • NWFL_access:privilege-escalation-success
    • NWFL_access:remote-failure
    • NWFL_access:remote-success
    • NWFL_access:user-access-revoked
    • NWFL_account:account-disabled
    • NWFL_account:auth-success
    • NWFL_account:created
    • NWFL_account:deleted
    • NWFL_account:group-management
    • NWFL_account:login-and-logout
    • NWFL_account:logon-failure
    • NWFL_account:logon-success
    • NWFL_account:logon-success-direct-access
    • NWFL_account:logout
    • NWFL_account:modified
    • NWFL_account:password-change
    • NWFL_account:user-accessing-file-servers
    • NWFL_host:windows:account-disabled
    • NWFL_host:windows:local-group-account-changes
    • NWFL_host:windows:user-group-account-changes
    • RDP over Non-Standard Port
    • Windows Credential Harvesting Services
    • Windows NTLM Network Logon Successful
  • ESA Rules:

    • Account Added to Administrators Group and Removed
    • Direct Login By A Watchlist Account
    • Failed logins Followed By Successful Login and a Password Change
    • Failed logins outside business hours
    • Insider Threat Mass Audit Clearing
    • krbtgt Account Modified on Domain controller
    • Lateral Movement Suspected Windows
    • Logins Across Multiple Servers
    • Malicious Account Creation Followed by Failed Authorization to Neighboring Devices
    • Malware Dropper
    • Multiple Account Lockouts from Same or Different Users
    • Multiple Failed Logins Followed by Successful Login
    • Multiple Failed Logins from Multiple Diff Sources to Same Dest
    • Multiple Failed Logins from Multiple Users to Same Destination
    • Multiple Failed Logins from Same User Originating from Different Countries
    • Multiple Failed Privilege Escalations by the Same User
    • Multiple Login Failures by Administrators to Domain Controller
    • Multiple Login Failures by Guest to Domain Controller
    • Multiple Login Failures from Same Source IP with Unique Usernames
    • Multiple Successful Logins from Multiple Diff Src to Diff Dest
    • Multiple Successful Logins from Multiple Diff Src to Same Dest
    • Privilege Escalation Detected
    • Privilege User Account Password Change
    • PunyCode Phishing Attempt
    • RDP Inbound Traffic
    • RDP Traffic from Same Source to Multiple Different Destinations
    • RIG Exploit Kit
    • Suspicious Account Removal
    • Suspicious Privileged User Access Activity
    • User Account Created and Deleted Within an Hour
    • User Added to Admin Group Same User Login OR Same User su sudo
    • User Added to administrative group then SIGHUP detected
    • User Login Baseline
    • Windows Suspicious Admin Activity: Audit log Cleared
    • Windows Suspicious Admin Activity: Firewall Service Stopped
    • Windows Suspicious Admin Activity: Network Share Created
    • Windows Suspicious Admin Activity: Shared Object Accessed
  • Lua parsers:

    • ein_detection_lua
    • Kerberos
    • LDAP
    • NetBIOS_lua
    • NTLMSSP_lua
    • radius
  • Reports:

    • AWS Access Permissions Modified Report
    • AWS Critical VM Modified Report
    • Identity Management
    • Lateral Movement Indicators - Windows
    • RSA SecurID Authentication Summary
    • Security Analytics Administration Report
    • User Watch

Additionally, the following items are related UEBA content that is provided out of the box, so they are not downloaded as part of the UEBA bundle.

  • Dashboards:

    • Identity
    • RSA SecurID
  • Incident Rule: User Behavior