NetWitness UEBA focuses on providing advanced detection capabilities to guard enterprises from insider threats. These can be compromised trusted users or network entities within a network, or malicious external attackers taking advantage of credentials acquired through advanced account takeover techniques.
Identity theft typically begins with the theft of credentials, which are then used to obtain unauthorized access to resources and to gain control over the network. Attackers may also exploit compromised non-admin users to gain access to resources on which those users have administrative rights, and then escalate those privileges.
NetWitness UEBA helps you separate possibly malicious activity from the otherwise abnormal, but not risky, user or network entity actions.
Use Case for Users
An attacker who uses stolen credentials may trigger suspicious network events while accessing resources. Detecting illicit credential use is possible, but requires that you separate attacker activity from the high volume of legitimate events. The following use cases define certain risk types and the corresponding system capabilities used for their detection. You can review the use cases, represented by their Alert Type and Description, to gain an initial understanding of the risky behavior related to each. Using NetWitness UEBA, you can then drill down into the indicators that reflect the possibly risky user activities to learn more. For more information about NetWitness UEBA-supported indicators, see Indicators for Users. When anomalies are detected, they are compared to the baseline and compiled into hourly alerts. For more information on types of alerts for Users, see Alert Types for User.
Use Case for Network Entities
UEBA can detect malicious traffic masked within a legitimate HTTPS session. Based on this alert analysis, the analyst can drill down to the indicators and determine whether the activity was normal. For more information about NetWitness UEBA-supported entity indicators, see Indicators for Network Entities. For example, the analyst can detect whether an abnormal number of bytes was sent to a port or a domain. If this type of event, or a combination of such events, is detected, an alert is triggered. For more information on types of alerts for Network Entity, see Alert Types for Network Entity.
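To make the two detection descriptions above concrete (anomalies compared to a per-entity baseline and compiled into hourly alerts, and an abnormal number of bytes sent to a port or domain), here is an added, self-contained Python example. It is not NetWitness UEBA code: the flow records are constructed sample data, the entity and destination names are placeholders, and the scoring rule (hourly total compared with the median and MAD of that entity's own history) is an illustrative assumption, not the product's algorithm.

```python
"""Toy baseline-vs-hourly anomaly check over constructed network-entity flow records.

Illustrative example only (not NetWitness UEBA code). The scoring rule,
median + k * MAD per (entity, destination) pair, is an assumption.
"""
from collections import defaultdict
from statistics import median

# Constructed sample flow records (not real telemetry):
# (hour bucket, network entity, destination as port/domain, bytes sent).
# Hours 00-07 form each pair's learning history; hour 08 is the hour under review.
FLOWS = [
    *[("2024-03-04T%02d" % h, "ja3:example-client-fp", "443/updates.example", b)
      for h, b in zip(range(8), [11_200, 12_800, 10_900, 13_100,
                                 11_700, 12_300, 10_600, 12_900])],
    *[("2024-03-04T%02d" % h, "ja3:example-client-fp", "443/crm.example", b)
      for h, b in zip(range(9), [51_000, 49_500, 52_300, 48_900, 50_700,
                                 51_900, 49_100, 50_200, 50_800])],
    # Hour 08: the updates channel suddenly carries roughly 75x its usual volume.
    ("2024-03-04T08", "ja3:example-client-fp", "443/updates.example", 950_000),
]


def hourly_bytes(flows):
    """Sum bytes per (entity, destination) pair for each hour bucket."""
    totals = defaultdict(lambda: defaultdict(int))
    for hour, entity, dest, nbytes in flows:
        totals[(entity, dest)][hour] += nbytes
    return totals


def baseline(history):
    """Robust baseline from past hourly totals: median and MAD.

    The spread is floored at 5% of the median (and at 1 byte) so that a
    perfectly flat history does not turn every small change into an alert.
    """
    med = median(history)
    mad = median(abs(v - med) for v in history)
    return med, max(mad, 0.05 * med, 1.0)


def detect_hourly_alerts(flows, hour, k=6.0, min_history=6):
    """Compare one hour's totals against each pair's own baseline.

    Pairs with fewer than min_history learned hours are skipped (no baseline yet).
    Returns one alert dict per (entity, destination) whose score exceeds k,
    highest score first; this models compiling anomalies into hourly alerts.
    """
    alerts = []
    for (entity, dest), per_hour in hourly_bytes(flows).items():
        # Hour keys are zero-padded ISO strings, so lexical order is time order.
        history = [b for h, b in per_hour.items() if h < hour]
        if len(history) < min_history or hour not in per_hour:
            continue
        med, spread = baseline(history)
        observed = per_hour[hour]
        score = (observed - med) / spread
        if score > k:
            alerts.append({
                "hour": hour,
                "entity": entity,
                "destination": dest,
                "observed_bytes": observed,
                "baseline_bytes": med,
                "score": round(score, 1),
            })
    return sorted(alerts, key=lambda a: -a["score"])


if __name__ == "__main__":
    for alert in detect_hourly_alerts(FLOWS, "2024-03-04T08"):
        print(alert)
```

Running the block flags only the updates.example destination for hour 08; the crm.example traffic, which stays within its own history, produces no alert, and hour 07 produces none at all. The per-pair baseline is the point: the same byte count that is normal for one destination is abnormal for another, which is why the comparison is against the entity's own history rather than a global threshold.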
NetWitness UEBA Indicators
The following tables list indicators that display when potentially malicious activity is detected for users.
Windows File Servers
The following tables list indicators that display when potentially malicious activity is detected for JA3 and SSL Subject entities.
Access NetWitness UEBA
To access NetWitness UEBA, log into NetWitness Platform and go to INVESTIGATE > ENTITIES. The Entities view, which contains all the NetWitness UEBA features, is displayed.
You can choose a dark or a light theme for the view. For information, please see the "Choose the Appearance of NetWitness Platform" topic in the RSA NetWitness Getting Started Guide.