View UEBA Cloud Alerts from Respond View

Analysts can view all the NetWitness UEBA Cloud alerts from the Respond > Alerts View. In the Alerts List view, analysts can browse the UEBA Cloud alerts from the NetWitness UEBA (Cloud) source, filter them, and group them to create incidents. This procedure shows you how to access the UEBA Cloud alerts list. For more information on the complete list of UEBA Cloud Alert types, see Understand the UEBA Alert Types.

From NetWitness Platform 12.5 or later, analysts can view the details of the tactics and techniques used by advanced attackers or advanced persistent threats (APTs) for NetWitness UEBA Cloud alerts. You do not have to search the MITRE pages to understand techniques or tactics and learn about their implications. When clicking on any tactic or technique for the UEBA Cloud alert, the ATT&CK Explorer panel will display all the details.

Important

Both MITRE ATT&CK® and ATT&CK® are registered trademarks of the MITRE Corporation. © 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

For more information on the MITRE ATT&CK framework usage, see MITRE ATT&CK Framework topic in NetWitness Respond User Guide.

View UEBA Cloud Alert Details

In the Alerts List view, you can browse the UEBA Cloud alerts from the NetWitness UEBA (Cloud) source, filter them, and group them to create incidents. This procedure shows you how to access the Insight alerts list.

To View UEBA Cloud Alert Details

  1. Log in to the NetWitness Platform.

  2. Go to Respond > Alerts. The Alerts List view displays a list of all NetWitness alerts.

  3. In the Filters panel, under the Source options, select NetWitness UEBA (Cloud).

    Figure: View UEBA Alerts

Note

You can change the time range to filter the alerts that are displayed.

   All the alerts related to NetWitness UEBA (Cloud) are listed.

  4. Click the Alert Name to open the Overview page with the following details. The following figure represents a high number of successful object change operations alert.

    Figure: View Insight Alerts

The following table represents the Alert information available on the Overview panel.

Column Description
Incident ID Displays the Incident ID of the alert. If there is no incident ID, the alert does not belong to any incident, and you can create an incident to include this alert or add the alert to an existing incident.

Note

Insight alerts will have no Incident IDs by default and will be displayed as (None). You need to enable the Incident Rules to start generating the Incident IDs. For more information, see the topic Enable UEBA Cloud Incident Rules.

Created Displays the date and time when the alert was recorded in the source system.
Severity Displays the level of severity of the alert. The values are from 1 through 100. In this case, the severity is 40 for medium Insight alerts.
Source Displays the source of the alert. In this case, the source of the alert is NetWitness UEBA (Cloud).
Type Displays the type of events in the alert. In this case, the type of event is Network.
# Events Displays the number of events contained within an alert.
Host Summary Displays details of the IP, like the IP from where the alert was triggered.
Persisted status Displays the persistent status of the Incident. In this case, it is None (-).
MITRE ATT&CK TACTICS Displays the tactic associated with the alert. In this case, the tactics are Privilege Escalation and Defense Evasion.
MITRE ATT&CK TECHNIQUES Displays the techniques associated with the alert. In this case, the technique is Domain Policy Modification.
Raw Alert Displays the raw alert metadata.

View Event details of a UEBA Cloud Alert

After you review the general information about the UEBA Cloud alert in the Overview panel of the Alert Details view, you can check the events that occurred for the UEBA Cloud alert in the Event Details panel on the right. An alert contains one or more events. In the Alert Details view, you can drill down into an alert to get additional event details and investigate the alert further.

The Events panel on the right displays information about the events in the alert, such as event time, source IP, destination IP, detector IP, source user, destination user, and file information about the events. The amount of information listed depends on the event type.

There are two types of events:

  • A transaction between two machines (a Source and a Destination)
  • An anomaly detected on a single machine (a Detector)

To View Event details of a UEBA Cloud Alert

  1. To view event details for a UEBA Cloud alert, in the Alerts List view, click on the Alert Name.

    Figure: View Insight Alerts

The Events panel shows a list of events with information about each event.

Figure: View Insight Alerts

The following table shows some of the columns that can appear in the Events List (Events Table).

Column Description
Time Displays the time the event occurred.
Type Displays the type of alert, such as Log.
Source IP Displays the source IP address if there was a transaction between two machines.
Source Port Displays the source port of the transaction. The source and destination ports can be on the same IP address.
Source Mac Displays the MAC address of the source machine.
Source User Displays the user of the source machine.
Destination IP Displays the destination IP address if there was a transaction between two machines.
Destination Port Displays the destination port of the transaction. The source and destination ports can be on the same IP address.
Destination Host Displays the host name of the destination machine.
Destination Mac Displays the MAC address of the destination machine.
Destination User Displays the user of the destination machine.
Detector IP Displays the IP address of the machine where an anomaly was detected.
File Name Displays the file name if a file is involved with the event.
File Hash Displays a hash of the file contents.

If there is only one event on the list, you will see only the event details for that event instead of a list.

  2. Click an event in the Events list to view the Event details. This example shows the event details for the first event in the list.

    Figure: View Insight Alerts

  3. Use the page navigation to the right of the Back To Table button to view other events. This example shows the details of the last event on the list.

    Figure: View Insight Alerts

  4. Click any Tactic or Technique shown for the alert. The ATT&CK® Explorer panel automatically appears on the right and is populated with the relevant information.

    Figure: View Insight Alerts

For more information on managing alerts, see Reviewing Alerts topic in NetWitness Respond User Guide.
