The following tables list indicators that display when potentially malicious activity is detected.
Windows File Servers
NetWitness UEBA Use Cases for Windows Logs
NetWitness UEBA focuses on providing advanced detection capabilities to guard enterprises from insider threats. An insider threat may be a compromised trusted user of the network, or a malicious external attacker who uses credentials acquired through advanced account takeover techniques.
Identity theft typically begins with the theft of credentials, which are then used to obtain unauthorized access to resources and to gain control over the network. Attackers may also use a compromised non-admin account to reach resources on which that account holds administrative rights, and then escalate privileges from there.
An attacker who uses stolen credentials may trigger suspicious network events while accessing resources. Detecting illicit credential use is possible, but requires that you separate attacker activity from the high volume of legitimate events. NetWitness UEBA helps you separate possibly malicious activity from the otherwise abnormal, but not risky, user actions.
The following use cases define certain risk types, and the corresponding system capabilities used for their detection. You can review the use cases, represented by their Alert Type and Description, to gain an initial understanding of the related risky behavior of each. Using NetWitness UEBA, you can then drill down into the Indicators that reflect the possibly risky user activities to learn more. For more information about NetWitness UEBA-supported indicators, see NetWitness UEBA Indicators.