What's New
September 25, 2024
MITRE ATT&CK Mapping for UEBA Cloud
NetWitness now integrates MITRE ATT&CK framework mapping for UEBA alerts and incidents. This mapping helps analysts understand the attacker’s potential tactics, techniques, and sub-techniques behind detected activities by correlating them with known behaviors. When investigating UEBA alerts and incidents, analysts can see a list of mapped tactics and techniques from the Respond view, along with a dedicated ATT&CK Explorer panel that provides further context and related information, which eliminates the need to visit MITRE’s website for ATT&CK information. This enhancement provides valuable insights into threat severity and nature, enabling faster and more informed response decisions.
For example, a UEBA alert identifies suspicious remote access behavior from a user account. This behavior maps to the MITRE ATT&CK tactic Lateral Movement and the technique Remote Services, prompting analysts to investigate a possible attempt to reach data on other systems and to take the necessary actions.
For more information on the MITRE ATT&CK mapping, see the topics View UEBA Cloud Alerts from Respond View and View UEBA Cloud Incident Details.
March 14, 2024
Support for VPN Devices in UEBA Cloud
NetWitness UEBA Cloud has added support for the Citrix NetScaler, Palo Alto Networks, Cisco ASA, and Fortinet VPN devices. With this enhancement, UEBA Cloud can process logs from these VPN devices to help you gather and analyze user activity information.
Note
- Ensure that the NetWitness Platform and Cloud Link Sensor versions are 12.4 or later to use this feature.
- Deploy the latest parsers from NetWitness Live to enable support for all VPN devices. For a VPN to be considered by the Authentication module, the following metadata must be present in the respective VPN vendor's logs:
(event.type = 'vpn' && country.src exists && user.dst exists && ec.activity = 'logon')
For more information, see Understand Sources Supported by Schema in UEBA Cloud.
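The condition above is easy to get wrong per vendor (for example, a parser that never sets event.type to 'vpn', or sessions with no country.src because GeoIP enrichment is not populated). The following added example, which is not NetWitness code, evaluates that exact condition over a handful of constructed sessions shaped like parsed meta, treating meta keys as possibly multi-valued, and reports which key is missing or has the wrong value for each sample. The device.type values and the sample sessions are illustrative assumptions, not real Log Decoder output.

```python
# Added example (not NetWitness code): check parsed VPN meta against the
# condition UEBA Cloud's Authentication module requires:
#   event.type = 'vpn' && country.src exists && user.dst exists && ec.activity = 'logon'
# The sample sessions and device.type values below are constructed for
# illustration, not real Log Decoder output; the meta key names are the ones
# quoted in the note above.

REQUIRED_EQUALS = {"event.type": "vpn", "ec.activity": "logon"}
REQUIRED_EXISTS = ("country.src", "user.dst")


def _values(session: dict, key: str) -> tuple:
    """Normalize a meta key to a tuple of values (NetWitness meta keys may carry
    several values per session); a missing or empty key yields ()."""
    value = session.get(key)
    if value is None or value == "":
        return ()
    if isinstance(value, (list, tuple, set)):
        return tuple(v for v in value if v not in (None, ""))
    return (value,)


def missing_meta(session: dict) -> list[str]:
    """Return the reasons a session fails the Authentication-module condition.
    An empty list means the session qualifies."""
    problems = []
    for key, expected in REQUIRED_EQUALS.items():
        values = _values(session, key)
        if not values:
            problems.append(f"{key} missing")
        elif expected not in values:
            problems.append(f"{key}={values!r}, expected {expected!r}")
    for key in REQUIRED_EXISTS:
        if not _values(session, key):
            problems.append(f"{key} missing")
    return problems


def qualifies(session: dict) -> bool:
    """True when the session would be counted by the Authentication module."""
    return not missing_meta(session)


def summarize(sessions: list[dict]) -> dict[str, list[str]]:
    """Map each sample's device.type to its list of problems, so a gap in one
    vendor's parser output is visible at a glance."""
    return {s.get("device.type", "unknown"): missing_meta(s) for s in sessions}


# Constructed samples, one per supported vendor family (device.type values assumed).
SAMPLE_SESSIONS = [
    {"device.type": "ciscoasa", "event.type": "vpn", "ec.activity": "logon",
     "country.src": "DE", "user.dst": "alice"},
    # GeoIP enrichment not populated: country.src absent, so not counted.
    {"device.type": "paloaltonetworks", "event.type": "vpn", "ec.activity": "logon",
     "user.dst": "bob"},
    # Logoff events fall outside the logon condition by design.
    {"device.type": "fortinet", "event.type": "vpn", "ec.activity": "logoff",
     "country.src": "US", "user.dst": "carol"},
    # Parser that never tags the session as vpn (multi-valued key here).
    {"device.type": "citrixns", "event.type": ["auth"], "ec.activity": "logon",
     "country.src": "FR", "user.dst": "dave"},
]


if __name__ == "__main__":
    for device, problems in summarize(SAMPLE_SESSIONS).items():
        print(f"{device:18} {'OK' if not problems else '; '.join(problems)}")
```

Run it against meta exported from your own Log Decoder for each VPN vendor after deploying the Live parsers; any session that reports a problem will not be visible to the Authentication module, regardless of how many VPN logons the device actually produced.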
Email Notification Settings for Sensor Status and Updates
NetWitness now includes Email Notification preferences for Sensor Status and Sensor Updates. With this feature, administrators can choose to turn on or turn off email notifications as needed, giving them more control and flexibility in managing notifications.
For more information, see Configure Email Notification Preferences for UEBA.
November 2, 2023
Email Notification Settings for License Usage
NetWitness introduces a new Email Notifications setting option on the NetWitness Cloud Portal. This feature enables administrators to manage email notification preferences for License Usage. With this feature, administrators can choose to turn on or turn off email notifications as needed, giving them more control and flexibility in managing notifications.
For more information, see Configure Email Notification Preferences for UEBA.
Check NetWitness Cloud Services Operational Health Status
Users can check the operational health status and service availability of NetWitness Cloud Services such as UEBA, Insight, and Live on NetWitness Statuspage. The operational health status indicates whether all the services and integrations are operational or experiencing disruptions. These disruptions may be caused by server maintenance activity, regional network outages, or cloud vendor outages. Any service disruptions are recorded as Incidents and displayed on the Statuspage.
In addition, users can subscribe to receive email or Slack notifications whenever an incident occurs. For more information, see Check System Status.
September 6, 2023
Introducing Contextual Information for Users
Analysts can now view contextual information about users on the NetWitness Users page. Having this information in one place helps analysts identify and prioritize areas of investigation, make better decisions, and take appropriate action. The Context Highlights panel shows contextual information for the selected users, including the total number of Respond alerts and incidents associated with them. Analysts can also switch to the Investigate view for a deeper, focused analysis of a user.
Note
Ensure that the NetWitness Platform version is 12.3 or later and that the Context Hub service is configured.
For more information, see View Contextual Information for Users.
February 2, 2022
Updating On-premises Sensors
Administrators can now keep all their sensors (Cloud Link Service) up to date by setting up automatic or scheduled updates, which saves time and avoids manual sensor tracking. Administrators select the update option on the Sensor Configuration tab:
- Manual Update: This option allows you to update each sensor manually.
- Automatic Update: Cloud Link Service is updated automatically when an update is available. This option is selected by default.
- Scheduled Update: This option allows you to specify the day of the week and time when all sensors must be updated, so that updates run outside peak working hours.
Note
Update your sensors regularly to get the latest capabilities, improvements, and security fixes.
November 11, 2021
UEBA support for Endpoint queries
The Cloud Link Service is enhanced to support endpoint-related queries. The Cloud Link Service transfers endpoint metadata (process and registry data) from your on-premises deployment to UEBA for analytics.
Note
To support endpoint-related queries, Cloud Link Service must be version 11.7.1 or later.
August 12, 2021
A new and enhanced dotted chart is introduced in UEBA. The dotted chart shows an entity's baseline values over time, so the analyst can better understand the context of the modeled behavior and, for an indicator, the anomaly. To view the dotted chart and display UEBA data optimally, upgrade the on-premises NetWitness Platform to 11.6.
For more information, see Read an Indicator Chart.
June 2, 2021
Introducing Cloud Link Overview Dashboard
A new Cloud Link Overview Dashboard is introduced in the New Health & Wellness to monitor the health of the Cloud Link Service. Each visualization on this dashboard is refreshed automatically with the most recent data so that you can manage the service efficiently.
The dashboard provides insights on the following:
- Status of all the Cloud Link Services in your deployment (offline and online)
- The sessions aggregation rate, count of sessions behind, and sessions collected for each Cloud Link Service
- Status of the uploads such as the count of sessions uploaded, the rate at which upload took place, and outstanding sessions to be uploaded
- CPU and memory usage of each Cloud Link service
For more information, see Monitor the Health of the Cloud Link Service.
March 16, 2021
Cloud Link Service Enhancements
Cloud Link Service is released as part of NetWitness Platform 11.5.3 with the following enhancements:
February 4, 2021
Introduction of NetWitness UEBA
NetWitness UEBA is an add-on to NetWitness® Platform and is offered as a SaaS service.
NetWitness UEBA is an advanced analytics and machine learning solution that empowers Security Operations Center (SOC) teams to detect, investigate, and respond to advanced internal attacks and behavior-based anomalies.
This helps organizations to:
- Leverage behavior baselining and modeling to uncover anomalous behavior and insider threats using unsupervised machine learning algorithms.
- Process data to monitor abnormal user behavior and identify risky users.
- Generate alert risk scores that raise the severity and priority of high-risk alerts, reducing alert fatigue and false positives.
- Leverage User Profile baselines to gain insights into daily user activities.
Users are analyzed for abnormal activities using the log data from the NetWitness® Platform.
UEBA leverages the capabilities of NetWitness® Platform User and Entity Behavior Analytics (UEBA) and is provided as a SaaS application.
As a cloud service, UEBA has many additional advantages:
- Security teams are better equipped to respond to threats because NetWitness manages this service for your organization and releases new content and enhancements.
- Organizations benefit from:
  - Reduced setup time
  - No additional hardware requirements
  - Minimal investment for ongoing maintenance
Cloud Link Service for Data Transfer to NetWitness UEBA
The Cloud Link service is a sensor that transfers data from your on-premises deployment to NetWitness UEBA for analytics. When you install and register this service, it:
- Transfers metadata from hosts (such as Log Decoders) in your on-premises deployment to NetWitness UEBA.
- Transfers alerts generated in NetWitness UEBA to your on-premises NetWitness Platform Respond server.
Some key features of Cloud Link Service are:
- Easy Installation and Registration: Installation is performed from the NetWitness Platform user interface. Once the service is installed, download the activation package to register it.
- Service Notifications: Email and Syslog notifications can be configured to track the status of the service, for example when a service goes offline or when its resource utilization exceeds the configured threshold.