UEBA Essentials Content Pack

The purpose of UEBA Essentials and user-hunting is to detect or bring focus to suspicious user and entity behavior to find potential insider threats, lateral movement by external attackers, or general abuse/misuse of user accounts. Deploying this bundle will download all of the content and content dependencies of the UEBA Essentials Pack to the services appropriate for each content type.

For details on using this pack, see UEBA Essentials Hunting Guide.

Versions supported: RSA NetWitness 11.1 and higher

The UEBA Essentials pack contains the following content:

  • Application Rules:

    • NWFL_access:privilege-escalation-failure
    • NWFL_access:privilege-escalation-success
    • NWFL_access:remote-failure
    • NWFL_access:remote-success
    • NWFL_access:user-access-revoked
    • NWFL_account:account-disabled
    • NWFL_account:auth-success
    • NWFL_account:created
    • NWFL_account:deleted
    • NWFL_account:group-management
    • NWFL_account:login-and-logout
    • NWFL_account:logon-failure
    • NWFL_account:logon-success
    • NWFL_account:logon-success-direct-access
    • NWFL_account:logout
    • NWFL_account:modified
    • NWFL_account:password-change
    • NWFL_account:user-accessing-file-servers
    • NWFL_host:windows:account-disabled
    • NWFL_host:windows:local-group-account-changes
    • NWFL_host:windows:user-group-account-changes
    • RDP over Non-Standard Port
    • Windows Credential Harvesting Services
    • Windows NTLM Network Logon Successful
  • ESA Rules:

    • Account Added to Administrators Group and Removed
    • Direct Login By A Watchlist Account
    • Failed logins Followed By Successful Login and a Password Change
    • Failed logins outside business hours
    • Insider Threat Mass Audit Clearing
    • krbtgt Account Modified on Domain controller
    • Lateral Movement Suspected Windows
    • Logins Across Multiple Servers
    • Malicious Account Creation Followed by Failed Authorization to Neighboring Devices
    • Malware Dropper
    • Multiple Account Lockouts from Same or Different Users
    • Multiple Failed Logins Followed by Successful Login
    • Multiple Failed Logins from Multiple Diff Sources to Same Dest
    • Multiple Failed Logins from Multiple Users to Same Destination
    • Multiple Failed Logins from Same User Originating from Different Countries
    • Multiple Failed Privilege Escalations by the Same User
    • Multiple Login Failures by Administrators to Domain Controller
    • Multiple Login Failures by Guest to Domain Controller
    • Multiple Login Failures from Same Source IP with Unique Usernames
    • Multiple Successful Logins from Multiple Diff Src to Diff Dest
    • Multiple Successful Logins from Multiple Diff Src to Same Dest
    • Privilege Escalation Detected
    • Privilege User Account Password Change
    • PunyCode Phishing Attempt
    • RDP Inbound Traffic
    • RDP Traffic from Same Source to Multiple Different Destinations
    • RIG Exploit Kit
    • Suspicious Account Removal
    • Suspicious Privileged User Access Activity
    • User Account Created and Deleted Within an Hour
    • User Added to Admin Group Same User Login OR Same User su sudo
    • User Added to administrative group then SIGHUP detected
    • User Login Baseline
    • Windows Suspicious Admin Activity: Audit log Cleared
    • Windows Suspicious Admin Activity: Firewall Service Stopped
    • Windows Suspicious Admin Activity: Network Share Created
    • Windows Suspicious Admin Activity: Shared Object Accessed
  • Lua parsers:

    • ein_detection_lua
    • Kerberos
    • LDAP
    • NetBIOS_lua
    • NTLMSSP_lua
    • radius
  • Reports:

    • AWS Access Permissions Modified Report
    • AWS Critical VM Modified Report
    • Identity Management
    • Lateral Movement Indicators - Windows
    • RSA SecurID Authentication Summary
    • NetWitness Administration Report
    • User Watch

The following items are related content for UEBA Essentials but ship out of the box with the product, so they are not downloaded as part of the UEBA Essentials bundle.

  • Dashboards:

    • Identity
    • RSA SecurID
  • Incident Rule: User Behavior

Mappings Between UEBA App Rules and Meta

The following table lists the mappings between the application rules used in UEBA and the meta key and value each rule writes. Every NWFL_* rule writes its value (the rule name without the NWFL_ prefix) to the alert.id key, so these are the values to query on alert.id when hunting; the one exception is RDP over Non-Standard Port, which writes to analysis.service.

Rule Name in Live                               Meta Value                                  Meta Key
NWFL_access:privilege-escalation-failure        access:privilege-escalation-failure         alert.id
NWFL_access:privilege-escalation-success        access:privilege-escalation-success         alert.id
NWFL_access:remote-failure                      access:remote-failure                       alert.id
NWFL_access:remote-success                      access:remote-success                       alert.id
NWFL_access:user-access-revoked                 access:user-access-revoked                  alert.id
NWFL_account:account-disabled                   account:account-disabled                    alert.id
NWFL_account:auth-success                       account:auth-success                        alert.id
NWFL_account:created                            account:created                             alert.id
NWFL_account:deleted                            account:deleted                             alert.id
NWFL_account:group-management                   account:group-management                    alert.id
NWFL_account:login-and-logout                   account:login-and-logout                    alert.id
NWFL_account:logon-failure                      account:logon-failure                       alert.id
NWFL_account:logon-success                      account:logon-success                       alert.id
NWFL_account:logon-success-direct-access        account:logon-success-direct-access         alert.id
NWFL_account:logout                             account:logout                              alert.id
NWFL_account:modified                           account:modified                            alert.id
NWFL_account:password-change                    account:password-change                     alert.id
NWFL_account:user-accessing-file-servers        account:user-accessing-file-servers         alert.id
NWFL_host:windows:account-disabled              host:windows:account-disabled               alert.id
NWFL_host:windows:local-group-account-changes   host:windows:local-group-account-changes    alert.id
NWFL_host:windows:user-group-account-changes    host:windows:user-group-account-changes     alert.id
RDP over Non-Standard Port                      rdp over non-standard port                  analysis.service
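The application rules above only tag sessions; the ESA rules in the content list correlate those tags over time. The following is an added example, not code from the UEBA Essentials pack or from RSA NetWitness, that models that two-stage flow for two of the listed ESA rules, "Multiple Failed Logins Followed by Successful Login" and "Failed logins Followed By Successful Login and a Password Change", using the alert.id values from the mapping table. The page does not show the rules' real conditions, thresholds or windows: the Windows event-ID mapping that stands in for the app-rule conditions, the 5-failure threshold, the 600-second window, the meta key names in the Session fields and the sample sessions are all assumptions constructed for this example.

```python
"""
Added example (not RSA NetWitness code): alert.id values written by the
NWFL_account:* application rules feeding an ESA-style correlation.

Assumptions: event-ID to alert.id mapping, min_failures=5, window=600 s,
the Session field names, and the constructed sample sessions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# alert.id meta values from the mapping table (the meta key is alert.id for all three)
LOGON_FAILURE = "account:logon-failure"
LOGON_SUCCESS = "account:logon-success"
PASSWORD_CHANGE = "account:password-change"

# Assumed stand-in for the app-rule conditions, which the page does not show:
# Windows Security event IDs mapped to the alert.id value the matching rule writes.
EVENT_ID_TO_ALERT = {
    4625: LOGON_FAILURE,    # An account failed to log on
    4624: LOGON_SUCCESS,    # An account was successfully logged on
    4723: PASSWORD_CHANGE,  # An attempt was made to change an account's password
    4724: PASSWORD_CHANGE,  # An attempt was made to reset an account's password
}

RULE_FAIL_THEN_SUCCESS = "Multiple Failed Logins Followed by Successful Login"
RULE_FAIL_SUCCESS_PWCHANGE = "Failed logins Followed By Successful Login and a Password Change"


@dataclass
class Session:
    time: int           # event time in epoch seconds (constructed)
    user: str           # target account, user.dst (assumed meta key)
    host: str           # destination host (assumed meta key)
    event_id: int       # Windows event ID, reference.id (assumed meta key)
    alert_id: str = ""  # filled in by apply_app_rules


def apply_app_rules(sessions: List[Session]) -> List[Session]:
    """Tag each session with alert.id, the way an application rule does on the decoder."""
    for s in sessions:
        s.alert_id = EVENT_ID_TO_ALERT.get(s.event_id, "")
    return sessions


def run_esa_rules(sessions: List[Session], min_failures: int = 5, window: int = 600) -> List[dict]:
    """Correlate tagged sessions per (user, host) in time order.

    A run of at least min_failures LOGON_FAILURE events inside a sliding window of
    `window` seconds that ends in a LOGON_SUCCESS raises RULE_FAIL_THEN_SUCCESS;
    a PASSWORD_CHANGE within `window` seconds of that success escalates to
    RULE_FAIL_SUCCESS_PWCHANGE. A password change with no preceding spray fires nothing.
    """
    by_key: Dict[Tuple[str, str], List[Session]] = defaultdict(list)
    for s in sorted(sessions, key=lambda s: s.time):
        by_key[(s.user, s.host)].append(s)

    alerts: List[dict] = []
    for (user, host), evs in by_key.items():
        failures: List[Session] = []
        success_time: Optional[int] = None
        for s in evs:
            # Drop failures that have aged out of the sliding window.
            failures = [f for f in failures if s.time - f.time <= window]
            if s.alert_id == LOGON_FAILURE:
                failures.append(s)
            elif s.alert_id == LOGON_SUCCESS:
                if len(failures) >= min_failures:
                    alerts.append({"rule": RULE_FAIL_THEN_SUCCESS, "user": user, "host": host,
                                   "failures": len(failures), "time": s.time})
                    success_time = s.time
                failures = []  # a success ends the failure run either way
            elif (s.alert_id == PASSWORD_CHANGE and success_time is not None
                  and s.time - success_time <= window):
                alerts.append({"rule": RULE_FAIL_SUCCESS_PWCHANGE, "user": user, "host": host,
                               "time": s.time})
                success_time = None
    return alerts


def sample_sessions() -> List[Session]:
    """Constructed sample: jdoe fails five times on fs01, gets in and changes the
    password; asmith mistypes twice then succeeds; svc-backup only succeeds."""
    return (
        [Session(t, "jdoe", "fs01", 4625) for t in range(0, 50, 10)]
        + [Session(60, "jdoe", "fs01", 4624), Session(90, "jdoe", "fs01", 4723)]
        + [Session(0, "asmith", "fs01", 4625), Session(10, "asmith", "fs01", 4625),
           Session(20, "asmith", "fs01", 4624)]
        + [Session(5, "svc-backup", "dc01", 4624)]
    )


def demo() -> List[dict]:
    """Run both stages over the sample; returns two alerts, both for jdoe on fs01."""
    return run_esa_rules(apply_app_rules(sample_sessions()))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The split mirrors where the work happens in NetWitness: the app rules are cheap per-session tags applied at decode time, and the ESA rules do the stateful, windowed correlation across sessions. Tuning the threshold and window is what separates a noisy rule from a useful one; the asmith case shows why a low threshold would page on ordinary typos.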

UEBA Investigation

To start your investigation, go to INVESTIGATE > Navigate > Load Values. Then, in the Meta drop-down menu, choose Use Meta Group > RSA User & Entity Behavior Analysis.

Here, RSA Threat Analysis is selected first and then Use Meta Group > RSA User & Entity Behavior Analysis from the horizontal navigation menu.

If you right-click one of the values, you can perform a Context Lookup. The following screen shows a context lookup of the administrator meta value.

You can also review the alerts and incidents this content raises in Respond. Go to RESPOND and choose one of the events.

If you select an incident name, the connections for the event are displayed:

To view session meta, select INDICATORS, then expand the events list:

Click Log for an event to display the raw log as well as the event meta for the selected event.