1 - What's New
Provides information about new features and enhancements for NetWitness UEBA.
- September 25, 2024
- March 14, 2024
- November 2, 2023
- September 6, 2023
- February 2, 2022
- November 11, 2021
- August 12, 2021
- June 2, 2021
- March 16, 2021
- February 4, 2021
September 25, 2024
MITRE ATT&CK Mapping for UEBA Cloud
NetWitness now integrates MITRE ATT&CK framework mapping for UEBA alerts and incidents. This mapping helps analysts understand the attacker’s potential tactics, techniques, and sub-techniques behind detected activities by correlating them with known behaviors. When investigating UEBA alerts and incidents, analysts can see a list of mapped tactics and techniques from the Respond view, along with a dedicated ATT&CK Explorer panel that provides further context and related information, which eliminates the need to visit MITRE’s website for ATT&CK information. This enhancement provides valuable insights into threat severity and nature, enabling faster and more informed response decisions.
For example, a UEBA alert identifies suspicious remote access behavior from a user account. This behavior aligns with the MITRE ATT&CK tactic Lateral Movement and the technique Remote Services, prompting analysts to investigate a possible attempt to obtain data and take the necessary actions.
For more information on the MITRE ATT&CK framework, see the topics View UEBA Cloud Alerts from Respond View and View UEBA Cloud Incident Details.
March 14, 2024
Support for VPN Devices in UEBA Cloud
NetWitness UEBA Cloud has added support for the Citrix NetScaler, Palo Alto Networks, Cisco ASA, and Fortinet VPN devices. With this enhancement, UEBA Cloud can process logs from these VPN devices to help you gather and analyze user activity information.
Note
- Ensure that the NetWitness Platform and Cloud Link Sensor versions are 12.4 or later to use this feature.
- Deploy the latest parsers from NetWitness Live to enable support for all VPN devices. For a VPN to be considered under the Authentication module, the following metadata must be present in the respective VPN vendor's logs:
  (event.type = 'vpn' && country.src exists && user.dst exists && ec.activity = 'logon')
For more information, see Understand Sources Supported by Schema in UEBA Cloud.
Email Notification Settings for Sensor Status and Updates
NetWitness now includes Email Notification preferences for Sensor Status and Sensor Updates. With this feature, administrators can choose to turn on or turn off email notifications as needed, giving them more control and flexibility in managing notifications.
For more information, see Configure Email Notification Preferences for UEBA.
November 2, 2023
Email Notification Settings for License Usage
NetWitness introduces a new Email Notifications setting option on the NetWitness Cloud Portal. This feature enables administrators to manage email notification preferences for License Usage. With this feature, administrators can choose to turn on or turn off email notifications as needed, giving them more control and flexibility in managing notifications.
For more information, see Configure Email Notification Preferences for UEBA.
Check NetWitness Cloud Services Operational Health Status
Users can check the operational health status and service availability of NetWitness Cloud Services such as UEBA, Insight, and Live on the NetWitness Statuspage. The operational health status indicates whether all services and integrations are operational or experiencing disruptions. These disruptions may be caused by server maintenance activity, regional network outages, or cloud vendor outages. Any service disruptions are recorded as Incidents and displayed on the Statuspage.
In addition, users can subscribe to receive email or Slack notifications whenever an incident occurs. For more information, see Check System Status.
September 6, 2023
Introducing Contextual Information for Users
Analysts can now view contextual information about users on the NetWitness Users page. This enhancement enables analysts to make better decisions and take appropriate actions. A single place contains contextual information about users to help analysts identify and prioritize areas of investigation. The Context Highlights panel shows contextual information for the selected users, including the total number of Respond alerts and incidents associated with them. Analysts can also switch to the Investigate view for a deeper look at users for focused analysis and investigation.
Note
Ensure that the NetWitness Platform version is 12.3 or later and that the Context Hub service is configured.
For more information, see View Contextual Information for Users.
February 2, 2022
Updating On-premises Sensors
Administrators can now keep all their sensors (Cloud Link Service) up to date by setting up automatic or scheduled updates, which saves time and avoids manual sensor tracking. Administrators can set up the update options on the Sensor Configuration tab:
- Manual Update: This option allows you to update each sensor manually.
- Automatic Update: Cloud Link Service is updated automatically when an update is available. This option is selected by default.
- Scheduled Update: This option allows you to specify the day of the week and time when all sensors are updated, so that updates can be scheduled outside peak working hours.
Note
Update your sensors regularly to have all the latest capabilities, improvements, and security fixes.
November 11, 2021
UEBA support for Endpoint queries
The Cloud Link Service is enhanced to support endpoint-related queries. It transfers endpoint metadata (process and registry data) from your on-premise deployment to UEBA for analytics.
Note
To support endpoint-related queries, the Cloud Link Service must be on version 11.7.1 or later.
August 12, 2021
A new and enhanced dotted chart is introduced in UEBA. The dotted chart shows the analyst an entity's baseline values over time, to better understand the context of the modeled behavior and, in the case of an indicator, the anomaly. To view the dotted chart and display the UEBA data in an optimal way, the on-premise version should be upgraded to 11.6.
For more information, see Read an Indicator Chart.
June 2, 2021
Introducing Cloud Link Overview Dashboard
A new Cloud Link Overview Dashboard is introduced in the New Health & Wellness to monitor the health of the Cloud Link Service. Each visualization on this dashboard will be automatically refreshed with the most recent data, to efficiently manage the service.
The dashboard provides insights on the following:
- Status of all the Cloud Link Services in your deployment (offline and online)
- The sessions aggregation rate, count of sessions behind, and sessions collected for each Cloud Link Service
- Status of the uploads such as the count of sessions uploaded, the rate at which upload took place, and outstanding sessions to be uploaded
- CPU and memory usage of each Cloud Link service
For more information, see Monitor the Health of the Cloud Link Service.
March 16, 2021
Cloud Link Service Enhancements
Cloud Link Service is released as part of NetWitness Platform 11.5.3 with the following enhancements:
February 4, 2021
Introduction of NetWitness UEBA
NetWitness UEBA is an add-on to NetWitness® Platform and is offered as a SaaS service.
NetWitness UEBA is an advanced analytics and machine learning solution that empowers Security Operations Center (SOC) teams to detect, investigate, and respond to advanced internal attacks and behavior-based anomalies.
This helps organizations to:
- Leverage behavior baselining and modeling to uncover anomalous behavior and insider threats using unsupervised machine learning algorithms.
- Process data to monitor abnormal user behavior to identify risky users.
- Generate alert risk scores to raise severity and priority of high risk alerts, reducing alert fatigue and false positives.
- Leverage User Profile baselines to gain insights on daily user activities.
Users are analyzed for abnormal user activities using the logs data from the NetWitness® Platform.
UEBA leverages the capabilities of NetWitness® Platform User and Entity Behavior Analytics (UEBA) and is provided as a SaaS application.
As a cloud service, UEBA has many additional advantages:
- Security teams are better equipped to respond to threats as NetWitness manages this service for your organization and releases new content and enhancements.
- Organizations benefit from:
  - Reduced setup time
  - No additional hardware requirements
  - Minimal investment for ongoing maintenance
Cloud Link Service for Data Transfer to NetWitness UEBA
Cloud Link Service is a sensor that transfers data from your on-premise deployment to NetWitness UEBA for analytics. When you install and register this service, it:
- Transfers metadata from the hosts (such as Log Decoders) in your on-premise deployment to NetWitness UEBA.
- Transfers alerts generated in NetWitness UEBA to your on-premise NetWitness Platform Respond server.
Some key features of Cloud Link Service are:
- Easy Installation and Registration: Installation is easy and can be performed using the NetWitness Platform user interface. Once installed, the activation package can be downloaded to register it.
- Service Notifications: Email and Syslog notifications can be configured to track the status of the service. For example, when a service goes offline or when a service exceeds the resource utilization beyond the set threshold.
2 - Known Issues
Provides information on the known issues: the affected component, the issue title and problem description, the workaround, and the fixed date where one exists.
June 25, 2024
Component: Cloud Link Service
Title: Cloud Link Sensor upgrade from version 12.4 to 12.4.1 cannot be performed using the NetWitness Cloud Portal UI.
Issue: Users cannot upgrade the Cloud Link Sensor from version 12.4 to 12.4.1 using the UI, because NetWitness Platform 12.4 and later moved to AlmaOS.
Workaround: Do one of the following:
1. Download and manually install the Cloud Link Sensor RPM for version 12.4.1 from the NetWitness Community or NetWitness Live:
   a. Download the Cloud Link Sensor RPM for version 12.4.1 from the NetWitness Community or NetWitness Live.
   b. Install the RPM on the Cloud Link Sensor host manually using the rpm -Uvh command.
   c. To verify that the Cloud Link Sensor was upgraded successfully, navigate to Admin > Sensor List in the NetWitness Cloud Portal and confirm that the Sensor Version column shows 12.4.1.
2. Upgrade all NetWitness Platform services to version 12.4.1 so that the sensor upgrade succeeds.
Fixed Date: none
March 14, 2024
Component: Cloud Link Service
Title: No email notifications are received when sensor updates are completed or failed.
Issue: UEBA Cloud users do not receive email notifications for sensor update success or failure after a Cloud Link Sensor update.
Workaround: Verify the outcome of a sensor update in the NetWitness Cloud Portal as follows:
- Success: When the sensor update is completed (for example, 12.3 to 12.3.1), navigate to the Sensor List tab and confirm that the Sensor Version column shows the updated version number 12.3.1.
- Failure: If the sensor update fails, navigate to the Sensor List tab; a warning icon is displayed next to the sensor version number in the Sensor Version column.
Note
Hovering over the warning icon shows that the sensor update has failed and that the sensor version has been reverted to the previously installed version.
Fixed Date: none
Component: Cloud Link Service
Title: UEBA Cloud users with Cloud Link Sensor on 12.3.0.0 or lower may experience frequent sensor status updates, resulting in excessive sensor status notifications.
Issue: UEBA Cloud users with Cloud Link Sensor 12.3.0.0 or lower may experience frequent sensor status updates, resulting in a large number of notification emails about the connection and disconnection of the Cloud Link Sensor.
Workaround: Upgrade all NetWitness Platform services to 12.3.1.0 or later. For more information on the upgrade, see NetWitness Upgrade Guide 12.3.1.0.
Fixed Date: none
Component: UEBA Cloud
Title: No Juniper VPN events are generated in the NetWitness Platform UI for UEBA Cloud.
Issue: In version 12.3.1, the Cloud Link Sensor query expects the user.src metadata to be present, but the decoder does not parse that metadata, so Juniper VPN events are never received. In version 12.4, the query has been corrected to use the user.dst metadata.
Workaround: Upgrade the NetWitness Platform to version 12.4.
Fixed Date: none
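The Authentication-module condition quoted in the March 14, 2024 note (event.type = 'vpn' && country.src exists && user.dst exists && ec.activity = 'logon') and the Juniper known issue above both come down to the same check: does the metadata the decoder actually parsed satisfy every term of the sensor's query? The following added example (not NetWitness code) evaluates that kind of conjunction against constructed sample records and reports which terms a record fails. The query grammar it accepts (key = 'value', key exists, joined by &&) is an assumed minimal subset of the NetWitness query language, the 12.3.1 Juniper query is an assumed reconstruction that swaps user.dst for user.src as the known issue describes, and all sample records are constructed.

```python
"""Added example (not NetWitness code): check parsed log metadata against a
NetWitness-style conjunction of `=` and `exists` terms, as used for the UEBA
Authentication module's VPN condition.

Assumptions: the query grammar is a minimal subset (key = 'value', key exists,
joined by &&, optional outer parentheses); sample records are constructed.
"""
import re

# Condition quoted in the March 14, 2024 release note.
VPN_AUTH_QUERY = ("(event.type = 'vpn' && country.src exists && "
                  "user.dst exists && ec.activity = 'logon')")

# Assumed reconstruction of the 12.3.1 query from the Juniper known issue:
# identical, but keyed on user.src, which the decoder does not parse.
JUNIPER_QUERY_12_3_1 = ("(event.type = 'vpn' && country.src exists && "
                        "user.src exists && ec.activity = 'logon')")

# One term: a meta key followed by either = 'value' or the word exists.
_TERM = re.compile(r"^\s*([\w.]+)\s*(?:=\s*'([^']*)'|(exists))\s*$")


def parse_query(query):
    """Split a '&&'-conjunction into (key, op, value) tuples; op is '=' or 'exists'."""
    body = query.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    terms = []
    for raw in body.split("&&"):
        m = _TERM.match(raw)
        if not m:
            raise ValueError(f"unsupported term: {raw.strip()!r}")
        key, value, exists = m.groups()
        terms.append((key, "exists" if exists else "=", value))
    return terms


def missing_terms(record, query):
    """Return the query terms that the metadata record (a dict) fails.

    An empty list means the record satisfies the whole query; otherwise the
    list explains why the event would be dropped before reaching the module.
    """
    failed = []
    for key, op, value in parse_query(query):
        if op == "exists" and key not in record:
            failed.append(f"{key} exists")
        elif op == "=" and record.get(key) != value:
            failed.append(f"{key} = '{value}'")
    return failed


def matches(record, query):
    """True when every term of the query holds for the record."""
    return not missing_terms(record, query)


# Constructed sample metadata, one record per scenario (not real vendor logs).
SAMPLE_RECORDS = {
    "cisco_asa_logon": {"event.type": "vpn", "country.src": "US",
                        "user.dst": "jdoe", "ec.activity": "logon"},
    "logoff_event": {"event.type": "vpn", "country.src": "US",
                     "user.dst": "jdoe", "ec.activity": "logoff"},
    # GeoIP enrichment missing, so country.src was never populated.
    "no_geoip": {"event.type": "vpn", "user.dst": "jdoe",
                 "ec.activity": "logon"},
    # Juniper parser populates user.dst but not user.src (the known issue).
    "juniper_logon": {"event.type": "vpn", "country.src": "DE",
                      "user.dst": "asmith", "ec.activity": "logon"},
}


def triage(records=SAMPLE_RECORDS, query=VPN_AUTH_QUERY):
    """Map each record name to its failed terms (empty list = accepted)."""
    return {name: missing_terms(rec, query) for name, rec in records.items()}


if __name__ == "__main__":
    for label, query in (("12.4 query", VPN_AUTH_QUERY),
                         ("12.3.1 query (assumed)", JUNIPER_QUERY_12_3_1)):
        print(label)
        for name, failed in triage(query=query).items():
            state = "accepted" if not failed else "dropped: " + ", ".join(failed)
            print(f"  {name:16s} {state}")
```

Running the script shows the same Juniper record accepted by the 12.4 query and dropped by the assumed 12.3.1 query on user.src exists, which is the symptom the known issue describes; the failed-term list is the kind of check worth running against a decoder's parsed output before assuming a vendor's VPN logons are reaching the Authentication module.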
March 16, 2021
Component: Cloud Link Service
Title: Intermittent data loss was observed during data upload after changing proxy configurations.
Issue: If you change the proxy configuration after registering the Cloud Link Service, you may experience intermittent data loss.
Workaround: Apply the proxy settings before the Cloud Link Service is deployed. Data transfer resumes automatically once the new proxy configuration takes effect.
Fixed Date: June 2, 2021