What's New

March 14, 2024

Support for VPN Devices in UEBA Cloud

NetWitness UEBA Cloud has added support for the Citrix NetScaler, Palo Alto Networks, Cisco ASA, and Fortinet VPN devices. With this enhancement, UEBA Cloud can process logs from these VPN devices to help you gather and analyze user activity information.

Note

  • Ensure that the NetWitness Platform and Cloud Link Sensor versions are 12.4 or later to use this feature.
  • Deploy the latest parsers from NetWitness Live to enable support for all VPN devices. For a VPN to be considered by the Authentication module, the following metadata must be present in the respective VPN vendor's logs: (event.type = 'vpn' && country.src exists && user.dst exists && ec.activity = 'logon').

For more information, see Understand Sources Supported by Schema in UEBA Cloud.
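The following is an added example, not NetWitness code: a small check that runs over parsed VPN meta records and reports which of the required metas listed above are missing or have the wrong value, which is useful when VPN logons are not appearing in the Authentication module. The record layout and the device.type values are constructed for illustration, not taken from real parser output.

```python
# Added example (not NetWitness code): verify that parsed VPN records carry the
# metadata the UEBA Cloud Authentication module requires, and say what is missing.
from typing import Dict, List

# Required condition from the release note:
# event.type = 'vpn' && country.src exists && user.dst exists && ec.activity = 'logon'
REQUIRED_VALUES = {"event.type": "vpn", "ec.activity": "logon"}
REQUIRED_PRESENT = ("country.src", "user.dst")


def missing_metas(record: Dict[str, str]) -> List[str]:
    """Return the unmet requirements for one parsed record (empty if it qualifies)."""
    problems: List[str] = []
    for key, expected in REQUIRED_VALUES.items():
        if record.get(key) != expected:
            problems.append(f"{key} must equal '{expected}' (got {record.get(key)!r})")
    for key in REQUIRED_PRESENT:
        if not record.get(key):
            problems.append(f"{key} must exist")
    return problems


def qualifies(record: Dict[str, str]) -> bool:
    """True when the record would be considered by the Authentication module."""
    return not missing_metas(record)


def audit(records: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map record index to its problems; records that qualify are not listed."""
    return {i: p for i, r in enumerate(records) if (p := missing_metas(r))}


# Constructed sample records standing in for parser output from three VPN devices.
SAMPLE_RECORDS = [
    {"device.type": "citrixns", "event.type": "vpn", "ec.activity": "logon",
     "country.src": "DE", "user.dst": "jdoe"},          # complete: qualifies
    {"device.type": "ciscoasa", "event.type": "vpn", "ec.activity": "logon",
     "user.dst": "asmith"},                             # no GeoIP: country.src missing
    {"device.type": "fortinet", "event.type": "vpn", "ec.activity": "logoff",
     "country.src": "US", "user.dst": "bwong"},         # a logoff, not a logon
]

if __name__ == "__main__":
    for idx, problems in audit(SAMPLE_RECORDS).items():
        print(f"record {idx}: " + "; ".join(problems))
```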

Email Notification Settings for Sensor Status and Updates

NetWitness now includes Email Notification preferences for Sensor Status and Sensor Updates. With this feature, administrators can choose to turn on or turn off email notifications as needed, giving them more control and flexibility in managing notifications.

For more information, see Configure Email Notification Preferences for UEBA.

November 2, 2023

Email Notification Settings for License Usage

NetWitness introduces a new Email Notifications setting option on the NetWitness Cloud Portal. This feature enables administrators to manage email notification preferences for License Usage. With this feature, administrators can choose to turn on or turn off email notifications as needed, giving them more control and flexibility in managing notifications.

For more information, see Configure Email Notification Preferences for UEBA.

Check NetWitness Cloud Services Operational Health Status

Users can check the operational health status and service availability of NetWitness Cloud Services such as UEBA, Insight, and Live on NetWitness Statuspage. The operational health status indicates if all the services and integrations are operational or experiencing any disruptions. These disruptions may be caused by server maintenance activity, regional network outages, or cloud vendor outages. If there are any service disruptions, they are recorded as Incidents and displayed on the Statuspage.

In addition, users can subscribe to receive email or Slack notifications whenever an incident occurs. For more information, see Check System Status.

September 6, 2023

Introducing Contextual Information for Users

Analysts can now view contextual information about users on the NetWitness Users page. This enhancement enables analysts to make better decisions and take appropriate actions. Contextual information about users is consolidated in a single place to help analysts identify and prioritize areas of investigation. The Context Highlights panel enables analysts to view contextual information for selected users, including the total Respond alerts and incidents associated with them. Analysts can also switch to the Investigate view for a deeper look at users for focused analysis and investigation.

Note

Ensure that the NetWitness Platform version is 12.3 or later and that the Context Hub service is configured.

For more information, see View Contextual Information for Users.

February 2, 2022

Updating On-premises Sensors

Administrators can now keep all their sensors (Cloud Link Service) up to date by setting up automatic or scheduled updates, saving time and avoiding manual sensor tracking. Administrators set the update options on the Sensor Configuration tab:

  • Manual Update: This option allows you to update each sensor manually.
  • Automatic Update: Cloud Link Service is updated automatically when an update is available. This option is selected by default.
  • Scheduled Update: This option allows you to specify the day of the week and time at which all sensors must be updated, so that updates can be scheduled outside peak working hours.

Note

Make sure to update your sensor regularly to have all the latest capabilities, improvements, and security fixes.

November 11, 2021

UEBA support for Endpoint queries

The Cloud Link Service is enhanced to support endpoint-related queries. The Cloud Link Service transfers endpoint metadata (process and registry data) from your on-premise deployment for analytics on UEBA.

Note

To support endpoint-related queries, Cloud Link Service must be on version 11.7.1 or later.

August 12, 2021

Introduced a New Chart Format

A new and enhanced dotted chart is introduced in UEBA. The dotted chart shows the analyst an entity's baseline values over time, to better understand the context of the modeled behavior and, in the case of an indicator, the anomaly. To view the dotted chart and display UEBA data optimally, the on-premise version should be upgraded to 11.6.

For more information, see Read an Indicator Chart.

June 2, 2021

A new Cloud Link Overview dashboard is introduced in New Health & Wellness to monitor the health of the Cloud Link Service. Each visualization on this dashboard is refreshed automatically with the most recent data, so the service can be managed efficiently.

The dashboard provides insights on the following:

  • Status of all the Cloud Link Services in your deployment (offline and online)
  • The sessions aggregation rate, count of sessions behind, and sessions collected for each Cloud Link Service
  • Status of the uploads such as the count of sessions uploaded, the rate at which upload took place, and outstanding sessions to be uploaded
  • CPU and memory usage of each Cloud Link service

For more information, see Monitor the Health of the Cloud Link Service.

March 16, 2021

Cloud Link Service is released as part of NetWitness Platform 11.5.3 with the following enhancements:

February 4, 2021

Introduction of NetWitness UEBA

NetWitness UEBA is an add-on to NetWitness® Platform and is offered as a SaaS service. NetWitness UEBA is an advanced analytics and machine learning solution that empowers Security Operations Center (SOC) teams to detect, investigate, and respond to advanced internal attacks and behavior-based anomalies. This helps organizations to:

  • Leverage behavior baselining and modeling to uncover anomalous behavior and insider threats using unsupervised machine learning algorithms.
  • Process data to monitor abnormal user behavior to identify risky users.
  • Generate alert risk scores to raise the severity and priority of high-risk alerts, reducing alert fatigue and false positives.
  • Leverage User Profile baselines to gain insights on daily user activities.

Users are analyzed for abnormal activities using the log data from the NetWitness® Platform. UEBA leverages the capabilities of NetWitness® Platform User and Entity Behavior Analytics (UEBA) and is provided as a SaaS application. As a cloud service, UEBA has many additional advantages:

  • Security teams are better equipped to respond to threats as NetWitness manages this service for your organization and releases new content and enhancements.
  • Organizations benefit from:
    • Reduced setup time
    • No additional hardware requirements
    • Minimal investment for ongoing maintenance

Cloud Link service is a sensor that transfers data from your on-premise deployment for analytics on NetWitness UEBA. When you install and register this service it:

  • Transfers metadata from the host (such as Log Decoders) in your on-premise deployment to the NetWitness UEBA.
  • Transfers alerts generated in NetWitness UEBA to your on-premise NetWitness Platform Respond server.

Some key features of Cloud Link Service are:

  • Easy Installation and Registration: Installation is easy and can be performed using the NetWitness Platform user interface. Once installed, the activation package can be downloaded to register it.
  • Service Notifications: Email and Syslog notifications can be configured to track the status of the service, for example when a service goes offline or when a service's resource utilization exceeds the set threshold.