How UEBA, SOAR, Threat Connect and ESA work together!
Some point I need to know, we need to create rules on ESA, and based on that alert will be generated. But how UEBA will help ESA? I mean do we need to see UEBA for anomaly behavior/deviations then write rules on SIEM again for fine-tuning the rules or else UEBA will generate alert separately that we also need to look for..!!! Another thing is, how UEBA, SOAR, Threat intel will work together to triage alert, removing false positive, can you please explain? I am giving you the scenario for example. Say some brute force attempt, password cracking, and DDOS attempt is done in our network. Whatever the malicious activity is done, our SIEM receive the logs. Now how ESA rules, UEBA, SOAR and Threat intel will work together with those logs and give us the best result as alert on the screen !! please explain me. I want to know step by step process. Thanks in advance and sorry for the long question.
Dear Md. Mahim Bin Firoj,
Both UEBA and ESA are alert sources for NW's Incident management. ESA uses a rule driven approach where as UEBA uses unsupervised machine learning to detect threats. You can do any customization in how various ML models detect threat. With ESA you can use rules to detect specific patterns. You cant put your own machine learning models unless you involve RSA PS as its code driven work. Using both in your infra helps you get best of both worlds. Both can consume network, log and endpoint data for their own detection logics. Hope that makes sense now. To improve alert fidelity, organizations also uses threat intelligence and to automate response, they use SOAR. TC provides both capabilities in a single product. Once you have TC in your infra you can:
- Improve threat intelligence quality by aggregating multiple sources of TI in your organization and using TC as single source of truth.
- Investigate any indicator that was detected as part of alert to investigate further using TC's workbench that uses community analytics and other functions to help you decide if this particular indicator is really a threat or not.
- Use the case management on TC not Netwitness Respond to manage all your alerts
- Automate response using TC's playbooks
Hope this helps
thank you dear and sorry for the late response...ok that means, UEBA analysis the logs from the SIEM and compare it with threat intelligence. correct me if i am wrong.