This the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

NetWitness Detect AI

1 - Detect AI

Provides information about Detect AI and its usage.

1.1 - Getting Started

Provides information on getting started with Detect AI.

1.1.1 - Getting Started with Detect AI

This topic provides information to get started with NetWitness Detect AI.

Getting Started with Detect AI

To onboard NetWitness Detect AI, existing customers with NetWitness Platform version 11.5.2 or later can share their tenant administrative user details with the NetWitness Sales team. The NetWitness Sales team then onboards the first administrative user from your organization to kick-start the set up process. The administrative user then receives a welcome email that contains the NetWitness Detect AI access URL, a user name, and a temporary password. Ensure that you reset the password at the first login.

The following checklist includes the steps to set-up and use NetWitness Detect AI:

Before you Begin

  1. Ensure that you configure the actual time on the Cloud Link Service (Log Decoder Host). Sync the device Network Time Protocol (NTP) with the NTP service on the admin server. For more information on how to configure NTP Sever, see Configure NTP Servers.

  2. The host on which the Cloud Link Service will be installed needs to be connected to Amazon Web Services(AWS). This might require changes to your existing firewall rules. Hosts will need to connect to the IP ranges for the chosen deployment region. For more information on the current list of AWS IPs by region, see AWS IP address ranges.

  3. (Optional) Ensure that you configure the proxy settings from NetWitness Platform version 11.5.3 or later, before installing the Cloud link Service. For more information, see Configure the proxy for the Cloud Link Service.

Check Task Navigate To
checkbox 1. Understanding NetWitness Detect AI • NetWitness Detect AI Overview
• What use cases does NetWitness Detect AI address
• Detect AI Works
• Types of NetWitness Detect AI licenses
checkbox 2. Log in to your account and perform the initial set up tasks • Log in to your account
• Set up and manage administrators
• Enable multi-factor authentication for your account
checkbox 3. Understanding Cloud Link Service Cloud Link Service Overview
checkbox 4. Plan your Cloud Link Service installation Planning considerations for Cloud Link Service
checkbox 5. Install Cloud Link Service on Log Decoder (11.5.2 or later) Install Cloud Link Service
checkbox 6. Download the activation package Download the activation package
checkbox 7. Register the Cloud Link Service Register the Cloud Link Service
checkbox 8. Verify if the Cloud Link Service is working Verify if the Cloud Link Service is working
checkbox 9. Enable data transfer from Detect AI to NetWitness Platform Transfer Detect AI data to NetWitness platform
checkbox 10. Monitor Cloud Link Service Monitor the health of the Cloud Link Service
checkbox 11. (Optional) Enabling email and syslog notifications for Cloud Link Service Configure email or syslog notifications to monitor the service
checkbox 12. Updating the Cloud Link Service automatically Update the Cloud Link Service automatically
checkbox 13. (Optional) Delete Cloud Link Service if no longer required Delete Cloud Link Service
checkbox 14. Install Detect AI with an existing on-premise UEBA Install Detect AI with an existing on-premise UEBA
checkbox 15. (Optional) Configure proxy setting for the Cloud Link Service Configure the proxy for Cloud Link Service

After completing the set-up, you can perform several tasks to respond to threats reported by NetWitness Detect AI. For more information, see Investigate.

Video - Setting up Detect AI

1.1.2 - Welcome to NetWitness Detect AI

This topic provides information about NetWitness Detect AI.

Welcome to NetWitness Detect AI

NetWitness Detect AI is an add-on to NetWitness® Platform XDR. The product is a SaaS service that analyzes NetWitness Platform data and triggers alerts on potential threats and malicious activity. NetWitness Detect AI takes all the traditional functions of NetWitness User and Entity Behavior Analytics (UEBA) and provides them as a native SaaS application. As a cloud service, Detect AI has many additional benefits including operations from the Operations team who manage the service for your organization which enables NetWitness to release new content and enhancements faster so security teams are better equipped to respond to threats.

NetWitness Detect AI is an advanced analytics and machine learning solution that leverages unsupervised machine learning and empowers Security Operations Center (SOC) teams to discover, investigate, and monitor risky behaviors in their environment. All users in an organization can be analyzed for abnormal user activities using log, and endpoint data already collected by your NetWitness Platform.

For existing NetWitness Platform XDR customers, NetWitness Detect AI enables analysts to:

  • Detect malicious and rogue users
  • Pinpoint high-risk behaviors
  • Discover attacks
  • Investigate emerging security threats
  • Identify potential attacker’s activity

NetWitness Detect AI resides on an Amazon Virtual Private Cloud (VPC) and each organization has its own VPC. If you have an on-premises NetWitness Platform deployment in your network, metadata will be uploaded to the cloud for analysis.

NetWitness Detect AI performs advanced analytics on the data to enable analysts to discover potentials threats. Analysts will begin to see alerts and behavior profiles of users directly in their existing NetWitness Platform UI, and will be able to perform basic administration of the SaaS components from a dedicated SaaS UI.

Detect AI Workflow

1.1.3 - Detect AI Use Cases

This topic provides information about what use cases does NetWitness Detect AI address.

Detect AI Use Cases

NetWitness Detect AI focuses on providing advanced detection capabilities to alert organizations about suspicious and anomalous user behavior. These behaviors could represent a malicious insider abusing credentials and access or could represent an external threat actor exploiting compromised credentials and systems.

Identity theft typically begins with the theft of credentials, which are then used to obtain unauthorized access to resources and to gain control over the network. Attackers may also exploit compromised non-admin users to obtain access to resources for which they have administrative rights, and then escalate those privileges.

An attacker who uses stolen credentials might trigger suspicious network events while accessing resources. Detecting illicit credential use is possible, but requires the separation of attacker activity from the high volume of legitimate events. NetWitness Detect AI helps you differentiate possible malicious activity from the otherwise abnormal, but not risky, user actions.

The use cases shown in the Alert Types for Detect AI list define certain risk types and the corresponding system capabilities used for their detection. It is important that you review the use cases, represented by their alert type and description, to gain an initial understanding of the related risky behavior of each use case.

Using NetWitness Detect AI, you can then drill down into the indicators that reflect potential risky user activities to learn more. For more information about supported indicators, see Alert Types for Detect AI.

1.1.4 - Detect AI Works

This topic provides information about how Detect AI works.

Detect AI Works

The analytics engine in NetWitness® Detect AI automatically monitors user behavior and utilizes advanced analytics to detect anomalies and risky behaviors. The analytics engine provides detailed analysis of user behavior, which enables analysts to review, investigate, monitor, and act on the identified risky behaviors.

The following table shows the steps that the alerting engine performs to derive the user behavioral results.

Step Description
1. Retrieve NetWitness Platform Data The analytics engine retrieves the raw event data and metadata keys from the Concentrators and Brokers in NetWitness® Platform. The analytics engine processes and analyzes this data to create analytic results.
2. Create Baselines Baselines are derived from a detailed analysis of normal user behavior and are used as a basis for comparison to user behavior over time. An example of the baseline for a user can include information about the time a user typically logs in to the network.
3. Detect Anomalies An anomaly is a deviation from a user’s normal baseline behavior. The analytics engine performs statistical analysis to compare each new activity to the baseline. User activities that deviate from the expected baseline values are scored accordingly to reflect the severity of the deviation. Anomalous activities are user behavior or abnormal user activities such as suspicious user logons, brute-force password attacks, unusual user changes, and abnormal file access.
4. Generate Alerts The anomalies detected in the previous step are grouped into hourly batches by the username. Each batch is scored based on the uniqueness of its Indicators, which define validated anomalous activities. If the indicator composition is unique compared to a user’s historic hourly batch compositions, it is likely that this batch will be transformed into an alert and its anomalies into indicators. A high-scored batch of anomalies becomes an alert that contains validated indicators of compromise.
5. Prioritize Users with Risky Behaviors The analytics engine prioritizes the potential risk from a user by using a simplified additive scoring formula. Each alert is assigned a severity that increases a user’s risk score by a predefined number of points. Users with high scores either have multiple alerts associated with them or they have alerts with high severity levels associated with them.

1.1.5 - Access Detect AI

How to access detect AI

Access Detect AI

In order to view a list of all users monitored by Detect AI, you need to have access to the NetWitness Platform User Interface.

To access NetWitness Detect AI

  1. Log in to NetWitness Platform XDR.

  2. Go to Users > Overview.

    The user activity details are displayed.

    Users view

1.1.6 - log in to your Account

This topic provides information about how to access your NetWitness Detect AI account.

log in to your Account

To log in to NetWitness Detect AI:

  1. Click on the URL provided in the NetWitness Detect AI welcome email. The NetWitness Detect AI home page is displayed.
  2. Enter your registered email ID and the temporary password in the respective fields. As this is your first login, the page prompts you to reset your password.
  3. Enter the new password, and confirm the same. Review the password format rules and ensure that your new password conforms to the indicated format rules.
  4. Click Sign In.

1.1.7 - About Detect AI licenses

This topic provides information about NetWitness Detect AI licenses.

Types of Detect AI licenses

NetWitness Detect AI licenses are subscription based licenses. The license entitlement is based on the number of users with a default data storage of 500 GB data storage capacity.

License Type Limitations
NetWitness Detect AI Subscription. This is based on the number of active user accounts monitored in your environment. Capacity limited to 500 GB per day of data storage.
NetWitness Detect AI additional Daily Capacity Subscription. 50 GB per day increments.

1.1.8 - Setup and Manage Administrators

Learn how to set up and manage administrators for NetWitness Detect AI.

Setup and Manage Administrators

Once the tenant administrative user of an organization is onboarded into NetWitness Detect AI, the administrative user can perform the following tasks:

  • Manage other administrative users - add, delete, enable and disable administrators, and update the profiles.
  • Install, configure, and manage sensors.
  • Configure and manage multi-factor authentication (MFA) for administrators.
  • Temporarily enable or disable access to other administrators, instead of deleting them permanently.

Use the following table as a guide to the user management tasks that you can perform.

User Management Tasks in NetWitness Platform on the Cloud

Task Description
Add an administrator See Add Additional Administrators
Edit account settings See Edit User Account Settings
Delete an administrator See Remove an Administrator
Multi-factor user authentication See Enable Multi-Factor Authentication

Add Additional Administrators

To add an administrative user

  1. Go to admin icon Admin > Users Management > Users.

    The Users and Roles page is displayed.

  2. Click Add User.

    The Add User window is displayed.

  3. Enter your first name, last name, email ID, and mobile number in the respective fields.

  4. Click Add.

Edit User Account Settings

As an administrator, you can update the user account settings for the administrators who are configured in the system. You must ensure that the contact information of administrative users is specified so that the user receives notifications on this contact number.

NOTE: The mobile number you specify here must be valid as it will be used for multi-factor authentication for the user. For more information on multi-factor authentication, see Enable Multi-Factor Authentication.

To edit the administrator account settings

  1. Go to admin icon Admin > Users Management > Users.

    The Users and Roles page is displayed.

  2. Select the user, and click Edit Details.

    The Edit Details page is displayed.

  3. Edit the first name, last name, and mobile number of the user in the respective fields.

  4. Click Save.

If you are logged in and you want to edit your contact information, update your user profile by going to User Account > Profile.

Remove an Administrator

As an administrator, you can remove the account details and access privileges for other administrators.

To delete an administrator

  1. Go to admin icon Admin > Users Management > Users.

    The Users page is displayed.

  2. Click Delete User.

Enable or Disable Access for Users

You can enable or disable access for users. When you disable access for a specific user, the user cannot access the NetWitness Platform on the Cloud account.

If a user is logged in to NetWitness Platform on the Cloud and the user access is disabled, the user can continue to access NetWitness Platform on the Cloud until the session times out.

To enable access for a user

  1. Log in to NetWitness Platform on the Cloud.
  2. Go to admin icon Admin > Users Management > Users.
  3. Under the Users tab, select a user and click Enable User.
  4. To confirm, click Enable.

To disable access for a user

  1. Log in to NetWitness Platform on the Cloud.
  2. Go to admin icon Admin > Users Management > Users.
  3. Under the Users tab, select a user and click Disable User.
  4. To confirm, click Disable.

1.1.9 - Enable Multi-factor Authentication for your Account

Multi-factor authentication provides you with additional security by adding a second-level authentication when you access your account.

Enable Multi-factor Authentication for your Account

NetWitness Detect AI offers Multi-factor authentication (MFA), using which you can configure an additional layer of credentials to secure your identity and manage access. If you enable MFA, then the administrative user will be prompted to additional identifications at the time of log in, such as verification code sent to the mobile number or mobile authentication application.

To Configure MFA

  1. Go to admin icon Admin > Account Settings > Multi-Factor Authentication. The Multi-Factor Authentication page is displayed.
  2. Select ON, OFF or OPTIONAL as per your requirement.

The following table provides information on the different MFA settings that NetWitness Platform on the cloud offers:

Multi-Factor Authentication Settings

MFA Setting Description
ON Select ON to activate MFA. A secret code will be sent to the registered email account of the new administrators. Administrators can log in to their account, and choose between the secret code or an authentication mobile application as their preferred authentication method.
OFF Select OFF to deactivate MFA. Administrators can log in to their account with their registered email ID and password.
OPTIONAL Select OPTIONAL if you want to let the administrators decide if they want to activate or deactivate MFA for their accounts.

1.2 - Install and setup

Provides information on how to install and setup the Cloud Link Service, Monitor the health, uninstall and Troubleshoot any issues.

1.2.1 - Cloud Link Service overview

Introduction to Cloud Link Service and planning considerations for installing Cloud Link Service.

NetWitness Cloud Link Service enables you to use the NetWitness Detect AI solution and its features by providing a secure transportation mechanism between existing NetWitness Platform hosts (Decoders) and the NetWitness Detect AI service. Example: to perform analytics on the NetWitness Detect AI, you must install and register the Cloud Link Service on at least one Log Decoder host.

Cloud Link service is a sensor that you must install and register on your on-premise host to:

  • Transfers metadata from the host (such as Decoders) in your on-premises deployment to the NetWitness Detect AI for analysis and investigation.
  • Transfer alerts generated in NetWitness Detect AI to your on-premises NetWitness Platform Respond server for incident management.

You can install Cloud Link Service on the following host types:

  • Log Decoder
  • Log Hybrid
  • Endpoint Log Hybrid
  • Log Hybrid Retention

NOTE:

  • Cloud Link Service and the hosts must be on version 11.5.2.0 or later.
  • You need a separate Cloud Link Service to be installed for each host.
  • To support endpoint-related queries, Cloud Link Service must be on version 11.7.1.0 or later.

This section provides information on how data is transferred using Cloud Link Service:

Single Deployment: Data Transfer

flow 1

  1. Cloud Link Service fetches all the metadata from the host. For example: Log Decoder.
  2. The Cloud Link Service filters metadata from the following data sources:
    • Active Directory
    • Authentication
    • File
    • Process
    • Registry
  3. Cloud Link Service collects only matching metadata, compresses the matching metadata, and transfers it to NetWitness Detect AI through a secure channel.

NOTE: Cloud Link Service ensures that no data is lost during temporary network issues or outages. If the outage lasts for more than 7 days, then the data older than 7 days will not be considered.

Multiple Deployment: Data Transfer

flow 2

Data Transfer from NetWitness Detect AI

NetWitness Detect AI transfers the alerts generated to the on-premises NetWitness Platform Respond server which can be viewed on the user interface for incident management.

flow 3

1.2.2 - Planning Considerations for Installing Cloud Link Service

This topic provides information about system requirements and various prerequisites.

Before you install the Cloud Link Service, you must plan for the following:

  • The NetWitness Platform XDR (Log Decoder Host) is on version 11.5.2 or later.
  • Ensure you have at least 8 GB of memory on your host.
  • Ensure that the system clock is accurate. To fix the system clock, configure the NTP server on the Admin server. For more information on how to configure NTP server, see Configure NTP Servers.
  • Ensure you have the administrator access to the NetWitness Detect AI user interface.
  • If you have an existing on-premises UEBA host deployed in your environment and you plan to move to Detect AI, you need to remove the host from the Admin server and stop the airflow-scheduler service on the UEBA host. If you plan to run UEBA and Detect AI simultaneously, see Install Detect AI with an existing on-premises UEBA.
  • The host on which the Cloud Link Service will be installed needs to be connected to Amazon Web Services(AWS). This might require changes to your existing firewall rules. Hosts will need to connect to the IP ranges for the chosen deployment region. For more information on the current list of AWS IPs by region, see AWS IP address ranges.
  • Open TCP port 443 to allow outbound network traffic.
  • Ensure you have configured the Azure Monitor plugin in your deployment. This enables Detect AI to run a query for Azure AD log events for monitoring purposes in the correct format. For more information on how to configure the Azure Monitor plugin, see the Azure Monitor Event Source Configuration Guide.
  • (Optional) Ensure that you configure the proxy settings from NetWitness Platform version 11.5.3 or later, before installing the Cloud link Service. For more information, see Configure the proxy for the Cloud Link Service.

To understand the deployment of the Cloud Link Service, see Cloud Link Service Architecture.

NOTE: Data will be fetched from only the host (Example: Log Decoder) on which the Cloud Link Service is installed.

You can install Cloud Link Service on the following hosts:

Model Category
S5/S6/S6E/Virtual
Cloud (AWS, Azure, GCP)		 Log Hybrid
Log Decoder
Endpoint Log Hybrid
Log Hybrid Retention
Virtual Log Decoder
Virtual Log Hybrid

1.2.3 - Cloud Link Service Installation

Learn how to install and set up Cloud Link Service for Detect AI.

The administrators can perform the following tasks to install the Cloud Link Service successfully:

  1. Install Cloud Link Service
  2. Download the Activation Package
  3. Register the Cloud Link Service
  4. Verify if the Cloud Link Service is working
  5. Transfer Detect AI data to NetWitness Platform XDR

You can install the Cloud Link Service on the following host types:

  • Log Decoder
  • Log Hybrid
  • Endpoint Log Hybrid
  • Log Hybrid Retention

Prerequisites

Ensure that the NetWitness Platform XDR and the host (Decoder) are on version 11.5.2.0 or later.

NOTE: Data will be fetched from only the host (For Example: Log Decoder) on which the Cloud Link Service is installed.

To install the Cloud Link Service

  1. Log in to the NetWitness Platform XDR as an administrator and go to admin icon Admin > Hosts.

    The Hosts view is displayed.

  2. Select a host (Example: Log Decoder) and click install button.

    The Install Services dialog is displayed.

  3. Select the Cloud Link Service from the Category drop-down menu, and click Install.

    Cloud Link Service Installation

  4. Log in to the NetWitness Platform XDR, and go to download icon Admin > Services to verify successful Cloud Link Service installation.

Download the Activation Package

You need the activation package to register Cloud Link Service with the NetWitness Detect AI. The activation package can be used on all hosts containing Cloud Link Service, which you want to register and you can download it from the NetWitness Detect AI.

To download the activation package

  1. Log in to the NetWitness Detect AI.
  2. Go to admin icon Admin > Sensors > Sensor Configuration.
  3. Under Download Activation Package, click generate icon to generate the activation package.
  4. Click download icon to download the activation package.

Registration of Cloud Link Service requires copying the activation package to the Cloud Link Service directory, and setting up the required permissions. Once this is completed, the Cloud Link Service will be registered automatically.

NOTE:

  • The same activation package can be used for multiple registrations.
  • Ensure you use the most recently downloaded activation package.

Prerequisites

Ensure that the system clock is accurate. To fix the system clock, configure the NTP server on Admin server. For more information on how to configure NTP Sever, see Configure NTP Servers.

To register the Cloud Link Service

  1. SSH to the host on which the Cloud Link Service is installed.

  2. Copy the device-activation-package.json file downloaded from the NetWitness Platform on the cloud to the /root or /temp directory on the Cloud Link Service host.

  3. Change the user and group of the device-activation-package.json file to netwitness by executing the following command:

          chown netwitness:netwitness device-activation-package.json

IMPORTANT: Avoid using cp command to add files under /var/lib/netwitness/cloud-link-server directory. The cp command changes the user and group to root , which can result in the Cloud Link Service registration failure.

  1. Move the device-activation-package.json file to the Cloud Link Service directory by executing the following command:

          mv device-activation-package.json /var/lib/netwitness/cloud-link-server/

  2. To verify if Cloud Link Service is registered successfully, log in to the NetWitness Platform on the cloud, and check the status of the Cloud Link Service. For more information, see Verify if the Cloud Link Service is working.

NOTE: If you want to re-register a Cloud Link Service with a different activation package, first remove the Cloud Link Service from the NetWitness Platform sensor list on the cloud, and then uninstall Cloud Link Service on the NetWitness Platform. For more information about deleting the Cloud Link Service, see Delete Cloud Link Service.

You can check the status of NetWitness Platform Sensor List on the cloud to verify the successful registration of Cloud Link Service. The status must reflect as Connected for the Cloud Link Service to start transferring data. You can use this status to monitor the Cloud Link Service and troubleshoot registration failures.

To verify the status of the Cloud Link Service

  1. Log in to the NetWitness Detect AI.
  2. Go to admin icon Admin > Sensors > Sensor List.
    The following information is displayed for every Cloud Link Service registered in your deployment:
Detail Description
Hostname The host on which the Cloud Link Service is installed. Example: Endpoint Log Hybrid.
Status Status of the Cloud Link Service:
- Registered: The Cloud Link Service is registered successfully.
- Connected: The Cloud Link Service is connected and operating normally.
- Disconnected: The Cloud Link Service is not connected.
- Connecting: The Cloud Link Service starts connecting.
Sensor Version The installed version of the sensor. Example: 11.7.0.
Device Type Type of sensor that is installed and registered. Example: CLOUD_LINK.
Uptime Displays the sensor’s uptime and downtime.

Transfer Detect AI data to NetWitness Platform XDR

If you want to view the Detect AI data on your NetWitness Platform user interface you must configure the data transfer from the cloud to the Admin server. Perform the following steps:

IMPORTANT: This step should be performed only once after you register the Cloud Link Service for the first time.

  1. SSH to the Admin server.

  2. Execute the following command:

     
nw-manage --enable-cba

1.2.4 - Monitor the Health of the Cloud Link Service

This topic provides information about how to access the service dashboard and monitor the health of the service.

NetWitness Platform XDR enables you to visualize the health of the Cloud Link Service similar to other NetWitness Platform XDR services deployed in your environment. It helps you troubleshoot the problematic spikes, identify high resource usage, and gives a deep visibility into the source of problems before the service goes down.

Monitoring the health of the Cloud Link Service at all times enables you to keep track of the following parameters:

  • Status of all the Cloud Link Services in your deployment (offline and online).
  • For each Cloud Link Service, the sessions aggregation rate, sessions behind, and sessions collected.
  • Status of the uploads such as the count of sessions uploaded, the rate at which upload took place, and outstanding sessions to be uploaded.
  • CPU and memory usage of each service.

Prerequisites

  • You must install the New Health and Wellness. For more information, see New Health and Wellness
  • You must ensure to download the Cloud Link Service dashboard from RSA Live and monitor the data transfer. For more information, see Advanced Configurations

The Cloud Link Service Dashboard provides key metrics as described in Cloud Link Overview dashboard visualizations.

To access the Cloud Link Overview Dashboard

  1. Log in to the NetWitness Platform XDR.

  2. Go to Admin > Health & Wellness.

  3. Click New Health & Wellness.

  4. Click Pivot to Dashboard.

    The Deployment Health Overview dashboard is displayed.

NOTE: To view dashboards, your browser must be configured to allow popups and redirects.

  1. Click Dash icon and then click Dashboard.

    The Dashboards dialog is displayed.

  2. Select the Cloud Link Overview Dashboard.

    You can look at the visualizations (charts, tables, and so on) to view current CPU and memory of Cloud Link Service, Sessions behind and Upload rate per Cloud Link Service, and so on.

  3. You can adjust the time range on the top right corner and also use the host filter to view the visualizations on each host.

    aggregate

    difference rate

    memory usage

    status

1.2.5 - Cloud Link Overview Dashboard Visualizations

This topic provides information about Cloud Link Service Dashboard.

This topic provides information on the Cloud Link Overview dashboard. The dashboard contains information on Cloud Link Service key metrics such as the hosts the Cloud Link Service is running on, outstanding sessions to be uploaded, CPU, memory usage, and so on.

NOTE: The metrics listed below are the default values. You can customize the visualizations based on your requirement. For example, you can customize a visualization to view the CPU utilization for all the Cloud Link Service.

Cloud Link Overview Dashboard

Visualization Metrics Objective Description
Sessions Aggregation Rate Per CLS Sessions aggregated rate by all Cloud Link Service. Provides the sessions aggregated rate for all Cloud Link Service to take necessary actions when the session aggregation rate goes down. Displays the sessions aggregation rate for all Cloud Link Service.
Sessions Behind Per CLS Sessions behind by each Cloud Link Service. Provides the sessions behind trend on each Cloud Link Service to take necessary actions when the session behind goes higher. Displays the sessions behind trend for each Cloud Link Service.
Sessions Collected Sessions collected by each Cloud Link Service. Provides the sessions collected trend for each Cloud Link Service to take necessary actions when the session collection rate goes down. Displays the sessions collected trend for each Cloud Link Service.
Sessions Uploaded Sessions uploaded by each Cloud Link Service. Provides the sessions uploaded trend for each Cloud Link Service to take necessary actions when the session uploaded rate goes down. Displays the sessions uploaded trend for each Cloud Link Service.
Difference - Sessions Collected and Uploaded Difference in Sessions collected and sessions uploaded count by each Cloud Link Service. Provides the difference between the sessions collected count and sessions uploaded count for each Cloud Link Service to take necessary actions when the session value goes higher. Displays the difference between the sessions collection count and sessions uploaded count for each Cloud Link Service.
Upload Rate per CLS - Host name
- Upload rate		 Provides the rate at which the Cloud Link Service uploads the sessions to the Detect AI. Displays the upload rate of sessions from each Cloud Link Service to Detect AI.
Outstanding Sessions to be uploaded to Cloud per CLS - Host name
- Count of Outstanding Records		 Provides the outstanding session trend to identify any high values and take necessary action. Displays the total number of sessions that have not been uploaded to Detect AI per Cloud Link Service.
Cloud Link Service by CPU Percentage - Host name
- CPU usage		 Identifies the CPU usage by Cloud Link Service to detect high use and take necessary action. Displays the CPU usage by Cloud Link Service.
Cloud Link Service by Resident Memory Usage - Host name
- Resident memory usage		 Identifies the resident memory usage by Cloud Link Service to detect high use and take necessary action. Displays the resident memory usage by Cloud Link Service.
Cloud Link Service Status - Service name
- Service Status
- Status time		 Provides the status of Cloud Link Service. Displays the status of Cloud Link Service.
Offline vs Total Cloud Link Services - Service name
- Service Status		 Identifies the number of offline services with the total number of Cloud Link services in your deployment. Displays the total number of Cloud Link services and the number of services that are offline.

1.2.6 - Configure Email or Syslog Notifications to Monitor the Service

This topic provides information about configuring email or syslog notifications to monitor the service.

Configure Email or Syslog Notifications to Monitor the Service

Notifications such as email or syslog can be configured to monitor the Cloud Link Service. You will be notified when the following events occur:

  • Cloud Link Service goes offline.
  • Offline Cloud Link Service is back online.
  • Cloud Link Service CPU, memory, or disk storage thresholds are exceeded.

NOTE: You must install the New Health and Wellness to add the required notification. For more information, see New Health and Wellness.

Notifications can be set up on the NetWitness Platform user interface by configuring the output, server settings, and notification. This is the notification type, namely email and syslog. When you set up a notification, you must specify the notification output for an alert.

Configure email or syslog as a notification

  1. Go to admin icon Admin > System.

  2. In the options panel, select Global Notifications.

    The Notifications configuration panel is displayed with the Output tab open.

    email notification

  3. On the Output tab, from the drop-down menu, select Email or Syslog.

    The following is an example of email notification:

    Define Email Notification

  4. In the Define Email Notification dialog, provide the required information and click Save.

Configure email or syslog settings as a notification server

This is the source of the notifications and must be configured to specify the email server or syslog server settings.

  1. Go to Admin > System.

  2. In the options panel, select Global Notifications.

    The Notifications configuration panel is displayed with the Output tab open.

  3. Click the Servers tab.

    Server settings

  4. From the drop-down menu, select Email or Syslog.

    The following is an example for email server:

    Server

  5. In the Define Email Notification Server dialog, provide the required information and click Save.

Add a email or syslog notification

  1. Go to admin icon Admin > Health & Wellness.

  2. Click New Health & Wellness.

  3. Click View Notifications Settings.

  4. Specify the following:

    • Output Type: Select the Notification type as Email or Syslog.
    • Recipient: Select the recipient based on the output type selected.
    • Notification Server: Select the notification server that will send the notification.
    • Template: Notification template as Email or Syslog.

  5. If you want to add another notification, click Add Condition and repeat step 4.

NOTE: You can specify a maximum of four conditions in the notification settings.

  1. Click Save.

1.2.7 - Delete Cloud Link Service

This topic provides information about uninstalling the Cloud Link Service.

If you have Cloud Link Service installed and no longer want to use it, perform the following steps to delete the Cloud Link Service.

NOTE: When you delete the Cloud Link service, any data which are yet to be uploaded to the Detect AI will be discarded.

To delete the Cloud Link Service, first remove the Cloud Link Service from NetWitness Platform on the Cloud, and then uninstall the Cloud Link Service on the NetWitness Platform XDR.

Step 1: Remove the Cloud Link Service from the NetWitness Platform on the Cloud

  1. Log in to the NetWitness Detect AI.

  2. Go to Admin icon Admin > Sensors > Sensor List.

  3. Select the Cloud Link Service that you want to delete, and click Remove Sensor.

Step 2: Uninstall the Cloud Link Service on the NetWitness Platform XDR

  1. SSH to the host on which the Cloud Link Service is installed.

  2. Execute the following command:

        /var/lib/netwitness/cloud-link-server/nwtools/uninstall-cloud-link.sh

  3. Log in to the NetWitness Platform XDR and go to Admin icon Admin > Services to verify if the Cloud Link Service is removed.

1.2.8 - Update the Cloud Link Service Automatically

Learn how to update the Cloud Link Service manually as well as automatically and how to schedule your update based on the day and time

You can now easily keep all your Cloud Link Service up-to-date with the latest version. You can set up automatic updates or scheduled updates to save time and avoid manual tracking of the Cloud Link Service.

You can set up update options on the Configuration tab:

  • Automatic update: Select to allow auto-update of sensors as and when a new version is available.
  • Custom update: Select to schedule auto-update of the sensor for a specific day and time.

Prerequisites

  • The NetWitness Platform XDR (host) is on version 11.6.1 or later.
  • Ensure that the Cloud Link Service is in a connected state in the UI to start the update.

NOTE:

  • The Sensor Update button will be enabled only when there is a new version available.
  • During the update process, the Cloud Link Service will get disconnected and data transfer to the cloud will be paused. If the update fails, the Cloud Link Service will revert to the last installed version.
  • Cloud Link Service will begin updating automatically within 10 minutes if the automatic update option is enabled.

To update the Cloud Link Service automatically

  1. Log in to the NetWitness Detect AI.

  2. Go to admin icon Admin > Sensors > Configuration.

  3. Do one of the following:

    • To setup the Automatic update: select the option Automatic.
    • To setup the Schedule update: Select the option Custom.
      • Specify the day from the Day field.
      • Specify the time in Time field. For example, 07:03.

NOTE: To change the sensor Update settings at any point, select the preferred update option and click Save.

You can update the Cloud Link Service manually on selected hosts.

NOTE: You can update the Cloud Link Service individually on each host. You cannot update multiple Cloud Link Services.

To update the Cloud Link Service manually

  1. Log in to the NetWitness Detect AI.

  2. Go to admin icon Admin > Sensors > Sensor Configuration.

  3. Select the option Manual and click Save.

  4. Click the Sensor List tab.

  5. Select the Cloud Link Service that needs to be updated and click Update Sensor.

    A pop-up message is displayed to confirm the update.

  6. Click Update.

NOTE: If the update fails, the error for update failure is displayed, and you can troubleshoot the Cloud Link Service and resolve the issue. For more information, see Troubleshoot the Cloud Link Service.

Limitations for sensor update

Limitations associated with this version of the sensor are included below:

  1. When a new version of the sensor update is available, for example, 11.6.1, the Sensor Update button is enabled and ready to update the sensor. When you click Sensor Update, the sensor update starts. However, at the same time if a new rpm for the sensor update is uploaded, for example, 11.7, there are high chances the sensor update will not be overridden, causing the sensor to not be updated with the latest version.

  2. When a new version of sensor update is available, and you have configured for manual updates, the sensor update will not be triggered automatically. In this scenario, you need to update to the new version manually. However, if a new version of the sensor update is released after changing the setting to automatic, all sensor updates will be performed automatically from that moment.

1.2.9 - Install Detect AI with an Existing On-premises UEBA

This topic provides information about installing Detect AI and UEBA together in an enviornment.

Install Detect AI with an Existing On-premises UEBA

If you have UEBA deployed on your on-premises NetWitness Platform XDR, you can install Detect AI and can run them simultaneously. This is because they are independent of each other. However, the User Interface can be connected to only one source at a time.

When you have both UEBA on-premises and Detect AI running simultaneously, it can impact the performance as both consume data from the NetWitness Platform XDR. Detect AI receives data from the Cloud Link Service installed on Log Decoder hosts, and the on-premises UEBA receives the data from the Concentrator or Broker.

NOTE: This feature is supported from the 11.6.0.0 version or later.

Install and Setup Detect AI

  1. Install the Cloud Link Service. For more information, see Install Cloud Link Service.

  2. Download the Activation Package. For more information, see Download the activation package.

  3. Register the Cloud Link Service. For more information, see Register the Cloud Link Service.

  4. Verify the Cloud Link Service is working. For more information, see Verify if the Cloud Link Service is working.

  5. Enable Detect AI data transfer by running the following command:

           
    nw-manage --enable-cba

    This command connects the Detect AI to the on-premises Admin Server, and the data in the Users page is fetched from the Detect AI. For more information, see Transfer Detect AI data to NetWitness platform XDR.

NOTE: If you want to receive the data from on-premises UEBA, run the following command: nw-manage –disable-cba
This command connects the UEBA to the Admin Server and the data in the Users page is fetched from the on-premises UEBA.

  1. Enable the Detect AI incident rules. For more information, see Step 1. Configure Alert Sources to Display Alerts in the Respond View.

Uninstall Detect AI

  1. Uninstall the Cloud Link Services from the Decoders. For more information, see Delete Cloud Link Service.

  2. Contact the NetWitness Customer Support to uninstall all the related tenants and entitlements.

    If you want to reconnect to the on-premises UEBA, run the following command:

            
    nw-manage --disable-cba

    This command connects the UEBA to the Admin Server and fetch the data in the Users page from the on-premises UEBA.

1.2.10 - Change the Default Service for Investigation

This topic provides information about changing prefered Broker Service ID for investigation.

Change the Default Service for Investigation

By default, if you have a Broker installed on an Admin Server, then the service ID of a Broker will be automatically updated in Cloud Link Service as default service for investigation on the NetWitness Platform user interface for Detect AI. However, if there are no Brokers installed on an Admin server, then any one of the service ID of a Broker installed on another node will be automatically updated in Cloud Link Service. If you want to set a specific service ID for a Broker, you can configure in the Explore view of the Cloud Link Service on the NetWitness Platform user interface.

To locate the service ID for a Broker

  1. Log in to the NetWitness Platform XDR.

  2. Go to admin icon Admin > Services.

  3. In the Services list, search Broker in the Filter field.

  4. Select a Broker, and click action button > View > Explore.

    The Explore view for the Broker is displayed.

    services view

  5. On the left panel, click sys > stats.

    The service ID is displayed on the right panel.

    services view

To set the service ID for a Broker

  1. Log in to the NetWitness Platform XDR.

  2. Go to admin icon Admin > Services.

  3. In the Services list, search Cloud Link Server in the Filter field.

  4. Select the Cloud Link Server and click action button > View > Explore.

    The Explore view for the service is displayed.

    services view

  5. On the left panel, click cloudlink/sync.

  6. Edit and enter the required service ID of a broker in the default-service-for-investigation parameter field.

    services view

1.2.11 - Configure the Proxy for Cloud Link Service

This topic provides information about configuring proxy support for Cloud Link Service.

If you are using a proxy network, you can configure the proxy for the Cloud Link Service under the NetWitness Platform, System > HTTP Proxy Settings page. This allows the Cloud Link Service to connect using a proxy and transfers data to the Detect AI.

To configure proxy for Cloud Link Service

  1. Log in to the NetWitness Platform XDR.

  2. Go to admin icon Admin > System.

  3. In the options panel, select HTTP Proxy Settings.

    The HTTP Proxy Settings panel is displayed.

    Proxy settings

  4. Click the Enable checkbox.

    The fields where you configure the proxy settings are activated.

  5. Type the hostname for the proxy server and the port used for communications on the proxy server.

  6. (Optional) Type the username and password that serve as credentials to access the proxy server if authentication is required.

  7. (Optional) Enable Use NTLM Authentication and type the NTLM domain name.

  8. (Optional) Enable Use SSL if communications use Secure Socket Layer.

  9. To save and apply the configuration, click Apply.

    The proxy is immediately available for use for the Cloud Link Service.

1.2.12 - List of Domains required to be Whitelisted for Detect AI

This topic provides information about Domains required to be whitelisted for Detect AI.

List of Domains required to be Whitelisted for Detect AI

In case your organization uses a firewall to restrict network access to only specific websites or software, you need to whitelist the following domains to ensure that Cloud Link Service can communicate with AWS-related services and transfer the required metadata to Detect AI for analytics.

  • These Domains/URLs will be region-specific for the deployment. The region can be found in the device activation package from the region section.

    • sts.us-(region).amazonaws.com
    • s3.us-(region).amazonaws.com
    • kinesis.(region).amazonaws.com
    • monitoring.us-(region).amazonaws.com
    • ssm.us-(region).amazonaws.com

  • Besides the common domains you need to whitelist specific domains based on your deployment and are provided in the device activation package. Following are the names of domains/URLs:

    • controlApi
    • deviceApi
    • iotApi
    • iotHost
    • uebaApiGatewayUrl

In the following example, with this device activation package, the given deployment is in us-east-1 region, and the highlighted domains are the ones that must be whitelisted for this deployment.

Whistelisting domains

The following table shows the list of domains/URLs that are whitelisted for the deployment in the above example:
SlNo Domain URL
1 sts.us-east-1.amazonaws.com
2 s3.us-east-1.amazonaws.com
3 kinesis.us-east-1.amazonaws.com
4 monitoring.us-east-1.amazonaws.com
5 ssm.us-east-1.amazonaws.com
6 ghbcfjkbc.execute-api.us-east-1.amazonaws.com
7 abc8hgbvbk4.execute-api.us-east-1.amazonaws.com
8 h7vcvkvjbhbb78.credentials.iot.us-east-1.amazonaws.com
9 fhgodewbcimb-ats.iot.us-east-1.amazonaws.com
10 xhhvbbej52.execute-api.us-east-1.amazonaws.com

1.2.13 - Troubleshoot the Cloud Link Service

This topic describes the common issues that you might encounter while installing, registering, deleting, and upgrading the sensors. It also contains workarounds for these issues.
Problem Cause Solution
Cloud Link Service fails to register when you use an older activation package. If you have generated a new activation package but used an older activation package to register the Cloud Link Service, the registration fails and no error message is logged. To resolve the issue, perform the following steps:
1. Generate and download the new activation package from NetWitness Platform on the cloud. For more information, see Download the Activation Package.
2. Register the Cloud Link Service using the new activation package. For more information, see Register the Cloud Link Service.
Cloud Link Service fails to register when the date and time are not in sync with NTP Server. If the date and time on the host containing the Cloud Link Service are not in sync with the NTP server, then invalid certificate exceptions are logged. Update the date and time to be in sync with the NTP Server.
Execute the following commands to resolve the issue:
1. To display the default date and time on your system, execute the following command: timedatectl status
2. Execute the following command to turn off the NTP Server: timedatectl set-ntp 0
3. Execute the following command to correct the date and time: timedatectl set-time ‘date time’ Replace the default date and time with current date and time. Example: timedatectl set-time '2020-02-02 16:14:50'
4. Execute the following command to turn on the NTP Server: timedatectl set-ntp 1
5. Register the Cloud Link Service by using the recently downloaded activation package. For more information, see Register the Cloud Link Service.
Deletion of the Cloud Link Service sensor failed If you have removed the Cloud Link Service sensor when the Cloud Link Service is offline, the logs show the Cloud Link Service sensor is deleted, however the Cloud Link service is not deleted and is back online. Ensure that you uninstall the Cloud Link Service on the NetWitness Platform soon after you remove it from the NetWitness Platform on the cloud UI to delete the Cloud Link Service completely. For more information, see Delete Cloud Link Service.
Unable to update the Cloud Link Service due to RPM file download failure. During network outage, the RPM file download fails because there is no access to the RPM file URL. Check your network connection and try again. If the problem persists, try after some time.
Unable to update the Cloud Link Service. One of the services might be down or offline. Ensure that all the services are up and running. For more details, check the following services log:
- Check the orchestration log on the Admin server: /var/log/netwitness/orchestration-server/orchestration-server.log
- Check the chef-solo.log on the Cloud Link servers: /var/log/netwitness/config-management/chef-solo.log
Unable to update the Cloud Link Service due to RPM checksum validation failure. The checksum validation of the RPM file fails because of the following reasons:
- The RPM file downloaded is corrupted.
- The RPM file downloaded is incomplete or incorrect.		 Check your network connection and try again. If the problem persists, try after some time.

1.3 - Investigate

Provides information about how Analysts uses Detect AI to identify and respond to threats.

1.3.1 - Alert types for Detect AI

This topic provides information about the different alert types for users.

Alert types for Detect AI

An Alert is an analyst notification created from a high-scoring batch of anomalies, which contains validated indicators of compromise. It is important that you review the following use cases, represented by their alert type and description, to gain an initial understanding of the related risky behavior of each use case.

Alert Type Table

Alert Type Description
Mass Changes to Groups An abnormal number of changes have been made to groups. Investigate which elements have been changed and decide if the changes were legitimate or possibly the result of risky or malicious behavior. This activity is usually associated with the Multiple Group Membership Changes indicator.
Multiple Failed Logons In traditional password cracking attempts, the attacker tries to obtain a password through guesswork or by employing other low-tech methods to gain initial access. The attacker risks getting caught or being locked out by explicitly attempting to authenticate; but with some prior knowledge of the victim’s password history, may be able to successfully authenticate. Look for additional abnormal indications that the account owner is not the one attempting to access this account. This activity is usually associated with the Multiple Failed Authentications indicator.
User Logon to Abnormal Host Attackers often need to reacquire credentials and perform other sensitive activities, like using remote access. Tracing the access chain backwards may lead to the discovery of other computers involved in possibly risky activity. If an attacker’s presence is limited to a single compromised host or too many compromised hosts, that activity can be associated with the Abnormal Computer indicator.
Snooping User Snooping is unauthorized access to another person’s or company’s data. Snooping can be as simple as the casual observance of an e-mail on another’s computer or watching what someone else is typing. More sophisticated snooping uses software programs to remotely monitor activity on a computer or network device. This activity can be associated with the Multiple File Access Events, Multiple Failed File Access Events, Multiple File Open Events, and Multiple Folder Open Events indicators.
Multiple Logons by User All authentication activity, malicious or not, appears as normal logons. Therefore, administrators should monitor unexpected authorized activity. The key is that attackers use these stolen credentials for unauthorized access, which may provide an opportunity for detection. When an account is being used for unusual activities, for example; authenticating an unusual amount of times the account may have been compromised. This activity can be associated with the Multiple Successful Authentications indicator.
User Logon to Multiple Hosts Attackers typically need to reacquire credentials periodically. This is because their keychain of stolen credentials naturally degrades over time, due to password changes and resets. Therefore, attackers frequently maintain a foothold in the compromised organization by installing backdoors and maintaining credentials from many computers in the environment. This activity can be associated with the Logged onto Multiple Computers indicator.
Mass Permission Changes Some credential theft techniques, for example, Pass-the-Hash, use an iterative, two-stage process. First, an attacker obtains elevated read-write permission to privileged areas of volatile memory and file systems, which are typically accessible only to system-level processes on at least one computer. Second, the attacker attempts to increase access to other computers on the network. Investigate if abnormal permission changes have taken place on the file systems to ensure that they were not compromised by an attacker. This activity can be associated with the Multiple File Access Permission Changes, Multiple Failed File Access Permission Changes, and Abnormal File Access Permission Change indicators.
Abnormal Active Directory (AD) Changes If an attacker gains highly-privileged access to an Active Directory domain or domain controller, that access can be leveraged to access, control, or even destroy the entire forest. If a single domain controller is compromised and an attacker modifies the AD database, those modifications replicate to every other domain controller in the domain; and depending on the partition in which the modifications are made, the forest as well. Investigate abnormal changes conducted by admins and non-admins in AD to determine if they represent a possible true compromise to the domain. This activity can be associated with the Abnormal Active Directory Change, Multiple Account Management Changes, Multiple User Account Management Changes, and Multiple Failed Account Management Changes indicators.
Sensitive User Status Changes A domain or enterprise administrator account has the default ability to exercise control over all resources in a domain, regardless of whether it operates with malicious or benign intent. This control includes the ability to create and change accounts; read, write, or delete data; install or alter applications; and erase operating systems. Some of these activities are triggered organically as part of the account’s natural life cycle. Investigate these security sensitive user account changes, and determine if it has been compromised. This activity can be associated with the User Account Enabled, User Account Disabled, User Account Unlocked, User Account Type Changed, User Account Locked, User Password Never Expires Option Changed, User Password Changed by Non-Owner, and User Password Change indicators.
Abnormal File Access Monitor for abnormal file access to prevent improper access to confidential files and theft of sensitive data. By selectively monitoring file views, modifications and deletions, you can detect possibly unauthorized changes to sensitive files, whether caused by an attack or a change management error. This activity can be associated with the Abnormal File Access Event and Multiple File Delete Events indicators.
Non-Standard Hours All authentication activity, malicious or not, appears as normal logons. Therefore, administrators should monitor unexpected authorized activity. The key is that attackers use these stolen credentials for unauthorized access, which may provide an opportunity for detection. For example, unusual activity such as multiple authentication events in an account may indicate that the account has been compromised. You can check if the account has been taken by an external actor be determining the abnormal activity time. This activity can be associated with the Abnormal File Access Time, Abnormal Active Directory Change Time, and Abnormal Logon Time indicators.
Multiple Failed Authentications - External Access As organizations increase their reliance on external authentication infrastructures, attackers may attempt to leverage these infrastructures to their advantage. Brute force techniques as well as more traditional password cracking methods like guesswork can be utilized to gain initial access. These activities can be associated with the Multiple Failed Azure AD Authentications and Multiple Failed VPN Authentications indicators.
Abnormal Country As organizations increase their reliance on external authentication infrastructures, attackers may attempt to leverage these infrastructures to their advantage. When devices or accounts are compromised or when credentials are wrongly shared, attackers may utilize them to gain initial access from an abnormal location. These activities can be associated with the Abnormal Azure AD Logon Country and Abnormal VPN Logon Country indicators.
Snooping User - Cloud Service Account Snooping is unauthorized access to company data or data belonging to another person. Snooping can be as simple as the casual observance of an email on another person’s computer. More sophisticated snooping uses software programs to remotely monitor activity on a computer or a cloud service account. This activity can be associated with the Azure AD - Logon Attempts to Multiple Applications indicator.
Abnormal Remote Application Attackers may leverage compromised account details or devices to access remote applications that genuine end users do not frequently access to collect and even exfiltrate sensitive information. This activity can be associated with the Azure AD - Abnormal Application indicator.
Admin Password Change Shared long-term secrets, for example, privileged account passwords, are frequently used to access anything from print servers to domain controllers. To contain attackers that seek to leverage these accounts, pay close attention to password changes by admins, and ensure they have been made by trusted parties and have no additional abnormal behavior associated with them. This activity can be associated with the Admin Password Change indicator.
User Logins to Multiple AD Sites Domain controllers store credential password hashes for all accounts on the domain, so they are high-value targets for attackers. Domain controllers that are not stringently updated and secured are susceptible to attack and compromise, which could leave the domain vulnerable. User privileges on multiple domains could indicate that a parent domain has been compromised. Determine if user access to and from multiple sites is legitimate or is an indication of a potential compromise. This activity is usually associated with the Logged into Multiple Domains indicator.
Elevated Privileges Granted Elevated account privileges have been delegated to a user. Attackers often use regular user accounts, granting them elevated privileges, to exploit the network. Investigate the user that received the elevated privileges, and decide if these changes were legitimate or possibly the result of risky or malicious behavior. This activity is usually associated with the Nested Member Added to Critical Enterprise Group and Member Added to Critical Enterprise Group indicators.
Data Exfiltration Data exfiltration is the unauthorized copying, transfer, or retrieval of data from a computer or server. Data exfiltration is a malicious activity performed through various techniques, typically by cyber criminals over the Internet or other network. This activity can be associated with the Excessive Number of File Rename Events, Excessive Number of Files Moved from File System, and Excessive Number of Files Moved to File System indicators.
Credential Dumping Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Discovery & Reconnaissance Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When Attackers gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.
PowerShell & Scripting PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Attackers can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer.
Registry Run Keys & Start Folder Adding an entry to the “run keys” in the Registry or startup folder will cause the program referenced to be executed when a user logs in. The program will be executed under the context of the user and will have the account’s associated permissions level. Attackers can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Attackers may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.
Process Injection Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. This activity can be associated with the Abnormal Process Created a Remote Thread in a Windows Process indicator.

1.3.2 - Indicators for Detect AI

This topic provides information about the different indicators that are generated for Detect AI.

Indicators for Detect AI

An Indicator is a validated anomaly, which is different from the typical or baseline behavior of the user. The following tables list indicators that display in the user interface when a potentially malicious activity is detected for users.

Windows File Servers

Indicator Alert Type Description
Abnormal File Access Time Non-Standard Hours A user has accessed a file at an abnormal time.
Abnormal File Access Permission Change Mass Permission Changes A user changed multiple share permissions.
Abnormal File Access Event Abnormal File Access A user has accessed a file abnormally.
Multiple File Access Permission Changes Mass Permission Changes A user changed multiple file share permissions.
Multiple File Access Events Snooping User A user accessed multiple files.
Multiple Failed File Access Events Snooping User A user failed multiple times to access a file.
Multiple File Open Events Snooping User A user opened multiple files.
Multiple Folder Open Events Snooping User A user opened multiple folders.
Multiple File Delete Events Abnormal File Access A user deleted multiple files.
Multiple Failed File Access Permission Changes Mass Permission Changes A user failed multiple attempts to change file access permissions.

Active Directory

Indicator Alert Type Description
Abnormal Active Directory Change Time Non-Standard Hours A user made Active Directory changes at an abnormal time.
Abnormal Active Directory Object Change Abnormal AD Changes A user made Active Directory attribute changes abnormally.
Multiple Group Membership Changes Mass Changes to Groups A user made multiple changes to groups successfully.
Multiple Active Directory Object Changes Abnormal AD Changes A user made multiple Active Directory changes successfully.
Multiple User Account Changes Abnormal AD Changes A user made multiple sensitive Active Directory changes successfully.
Multiple Failed Account Changes Abnormal AD Changes A user failed to make multiple Active Directory changes.
Admin Password Changed Admin Password Change The password of an admin was changed.
User Account Enabled Sensitive User Status Changes An account of a user was enabled.
User Account Disabled Sensitive User Status Changes An account of a user was disabled.
User Account Unlocked Sensitive User Status Changes An account of a user was unlocked.
User Account Type Changed Sensitive User Status Changes The type of user was changed.
User Account Locked Sensitive User Status Changes An account of a user was locked.
User Password Reset Sensitive User Status Changes The password of a user was reset.
User Password Never Expires Option Changed Sensitive User Status Changes The password policy of a user was changed.

Logon Activity

Indicator Alert Type Description
Abnormal Remote Host Logon to Abnormal Remote Host A user attempted to access a remote computer abnormally.
Abnormal Logon Time Non-Standard Hours A user logged on at an abnormal time.
Abnormal Host User Logon to Abnormal Host A user attempted to access a host abnormally.
Multiple Successful Authentications Multiple Logons by User A user logged on multiple times.
Multiple Failed Authentications Multiple Failed Logons A user failed multiple authentication attempts.
Logon Attempts to Multiple Source Hosts User Logged into Multiple Hosts A user attempted to log on from multiple computers.
Abnormal VPN Logon Time Non-Standard Hours A user has logged on at an abnormal time.
Abnormal VPN Logon Country* Abnormal Logon Country A user attempted to establish VPN access from an abnormal country.
Multiple Failed VPN Authentications Multiple Failed VPN Logons A user failed multiple times to authenticate for VPN access.
Abnormal Azure AD Logon Time Non-Standard Hours A user has logged on at an abnormal time.
Abnormal Azure AD Logon Country* Abnormal Logon Country A user attempted to access Azure AD from an abnormal country.
Multiple Failed Azure AD Authentications Multiple Failed Logons A user failed multiple times to authenticate into Azure AD.
Azure AD - Abnormal Application Abnormal Remote Application A user attempted to log on to abnormal number of applications through Azure AD.
Azure AD - Logon Attempts to Multiple Applications Snooping User - Cloud Service Account A user attempted to log on to multiple applications through Azure AD.

NOTE: *For Abnormal Azure AD Logon Country, it is recommended to dynamically update the GeoIP repository to obtain optimal results.

Process

Indicator Alert Type Description
Abnormal Process Created a Remote Thread in LSASS Credential Dumping An abnormal process was created into the LSASS process.
Abnormal Reconnaissance Tool Executed Discovery and Reconnaissance An abnormal process was executed.
Abnormal Process Executed a Scripting Tool PowerShell and Scripting An abnormal process executed a scripting tool.
Abnormal Process Executed a Scripting Tool PowerShell and Scripting An abnormal process was triggered by a scripting tool.
Scripting Tool Triggered an Abnormal Application PowerShell and Scripting An abnormal process was opened by a scripting tool.
Abnormal Process Created a Remote Thread in a Windows PowerShell and Scripting An abnormal process was injected into a known windows process.
Multiple Distinct Reconnaissance Tools Executed Discovery and Reconnaissance Multiple reconnaissance tools were executed in an hour.
Multiple Reconnaissance Tool Activities Executed Discovery and Reconnaissance Multiple reconnaissance tool activities were executed in an hour.
User Ran an Abnormal Process to Execute a Scripting Tool PowerShell / Scripting An abnormal process executed a scripting tool.
User Ran a Scripting Tool that Triggered an Abnormal Application PowerShell / Scripting A scripting tool was executed that triggered an abnormal application.
User Ran a Scripting Tool to Open an Abnormal Process PowerShell / Scripting A scripting tool was executed to open an abnormal process.

Registry

Indicator Alert Type Description
Abnormal Process Modified a Registry Key Group Registry Run Keys An abnormal process modified a service key registry.

1.3.3 - What is Happening now in your Organization

This topic provides information about What is happening now in your organization.

What is Happening now in your Organization

Workflow Overview

The Users Overview view shows what is happening in your environment at a glance. NetWitness Detect AI enables you to quickly determine potential malicious activity, investigate it further, detect anomalies, and take action.

Workflow Overview

Top Risky Users

In this view you can look at the top ten users listed, which are the top ten users with the highest user risk scores. The circled user indicates high score and severity. Compare and see if any user scores have increased since the previous day. Also, investigate users with critical alerts.

Top Risky Users

Use Case Scenario

In the above example, Levi Thomas has a user score of 132, which is over 100, and 3 critical alerts. Charlie Martin has a user score of 80, which is not over 100, but Charlie has 4 critical alerts. (All of the top ten users listed show +0 next to their score, so the scores did not increase since yesterday.) In the Top Alerts panel, look at the top alerts for Users in the last 24 hours or a later time period if you do not see any alerts.

  1. Check the alerts by severity level, starting with the critical alerts. What type of alerts are they? Which users are associated with the alerts?
  2. Check for alerts with a high number of indicators (anomalies).
  3. To view the specific indicators associated with an alert, hover over the number of indicators listed.

Alerts View

In this example, the Top Alerts panel shows four Snooping User critical alerts shown for user Charlie Martin in the last 3 months. Hovering over “3 indicators” for one of the alerts shows the names of the indicators of compromise in the alert: Multiple File Access Events, Multiple File Delete Events, and Abnormal File Access Event.

In the above example, user Charlie Martin has one critical Snooping User alert containing 3 indicators in the last 3 months.

Alerts View

Severity View

In the Alerts Severity panel, look at when the critical alerts happened in the last three months. In this example, the majority of the alerts in the last three months occurred on the same day.

Severity View

All Alerts View

If you click on this day, it opens the Alerts view, where you can drill down into the alerts from the selected day.

All Alerts View

Snooping Alerts

If you go back to the Top Risky Users panel (Users > Overview), you can drill further into the alerts listed for each of the top risky users. For example, Charlie’s user profile shows Snooping User alerts and provides details of multiple files accessed and deleted.

User Profile 2

Data Retention

NetWitness retains any inactive users with no incoming data for six months. NetWitness removes the user’s data and any associated alerts from the system after six months.

1.3.4 - Read an Indicator Chart

This topic provides information about how to read an Indicator Chart.

Read an Indicator Chart

NOTE: To view the dotted chart and display the data in an optimal way the on-premise version must be upgraded to 11.6 version or later.

An indicator chart is a pictorial illustration of the anomaly and baseline values of an entity that you want to further investigate. The chart gives the Analyst a better insight of the indicator which in turn will help determine the next steps. The chart provides the analyst with the user’s baseline values over time to better understand the context of the anomaly.

To view an indicator chart

  1. Log in to NetWitness Platform XDR.

  2. Go to Users > Entities.

  3. Select the user you want to investigate. The following figure displays an alert for a user logged on multiple times.

    Chart 1

  4. In the Alert Flow section, select the Multiple Logon by User.

  5. Click the + icon to expand and view the details.

    Chart 2

Type of Charts

There are three main types of charts currently available.

Continuous Bar Chart

In this type of an indicator chart, the bar color differentiates the behavior by displaying a blue bar and a red bar. For example, the following figure displays in a span of 30-days the number of files a Snooping User has attempted to access in an hour which are displayed by blue bars and indicates the baseline behavior. The red bar indicates that the user has accessed a high number of files in a specific hour.

Chart 3

Another variation in the visualization of the chart is where you see an additional series of grey bars that represents the baseline values of the model. In this case, if the blue bars series is displayed, it depicts the specific entity trend that the anomaly is also a part of.

Dotted Chart

In the dotted indicator chart, the anomaly is displayed on top of the graph indicated by yellow color text and red color circle. The chart provides the analyst with the user’s baseline values over time to better understand the context of the anomaly. The additional values (apart from the anomaly value) depicted in the Y-axis, represent the baseline values and the total number of days they were observed for this specific entity.

Chart 4

Time Chart

The time indicator chart displays the time the user has accessed a particular information. For example, in the following figure, the user has accessed the Active Directory at an abnormal time over the past 30 days. It displays the aggregate time spent on each day between 8.00 to 16.00. The baseline values are displayed with the regular working hours of the user and the anomaly value (the hour marked in red) to indicate that this is an abnormal time for this user to make changes in AD.

Chart 3

1.3.5 - Identify all Risky Users

This topic provides information about how to identify all risky users.

Identify Risky Users

  1. Go to Users > Entities.

    The users list in the Entities view shows all the users monitored by SIEM Analytics. Risky Users are users with a risk score (risk score greater than 0). Risky users display abnormal behavior and can potentially compromise your organization.

  2. For each user of interest, click the user in the list to open the user’s profile. To investigate a user and drill further into the user behavior detail, see Identify the Top Risky Users.

1.3.6 - Reduce User Risk Score

This topic provides information about how to reduce the risk score.

Reduce User Risk Score

If an alert is not a risk, you can mark it so that the user score is automatically reduced.

  1. Log in to NetWitness Platform XDR and click Users.

  2. In the Overview tab, under Top Risky Users panel, click on a username.

    The User Profile view is displayed.

  3. Select the alert, click Not a Risk.

    Reduce the User Risk Score

1.3.7 - Identify Top Risky Users

This topic provides information about how to identify top risky users.

Identify Top Risky Users

All users in your organization can be analyzed for abnormal user activities and assigned a user risk score. Users with high scores either have multiple alerts associated with them or they have high-level severity alerts associated with them. These scores and alerts enable you to quickly identify high-risk users so that you can investigate their abnormal activities in your environment.

The top risky users are users with the highest risk scores. A lot of alerts and high-severity alerts contribute to the score.

  1. Go to Users > Overview and in the Users tab, look at the Top Risky Users panel on the left.

    Alerts Risky Users

  2. Look at the Top Risky Users, which are the top ten users with the highest risk scores.

    a. Look for high user scores marked with critical or high severity.

    b. Check if any user scores increased since yesterday. If you see +0, there was no increase since yesterday.

    c. Look for users with critical (red band) alerts.

    Alerts Risky

    In this example, Levi has a high user score of 112, and 2 critical alerts. Levi also has 2 high, 3 medium, and 12 low severity alerts. Charlie has a user score of 80 lower than Levi, but there are also 4 critical alerts. Looking at this information, it would be a good idea to further investigate the activities of both of these risky users.

  3. Hover over the number of alerts associated with the risky users to quickly see the severity levels of the alerts associated with the users. In this example, you can see that Levi has 2 critical, 2 high, 3 medium, and 12 low severity alerts.

    Critical Users

  4. You can click a risky user of interest in the list to open the user’s profile.

    Critical Users

    The user profile enables you to access detailed information on the anomalous behavior of the user, including the alerts associated with them and the indicators that generated those alerts.

    topRiskyUserProfile

  5. See Investigate a Risky User to investigate the user and drill further into the user behavior details.

    Top risky users

1.3.8 - Investigate Events

This topic provides information about how to investigate events.

Investigate Events

You can view all alerts and indicators associated with a user in the User Profile view. In the events table, you can find the events that contributed to a specific indicator for a specific user. You can further investigate on events by clicking on a username that pivots to Investigate > Events. In the Events view, you can see the list of events that occurred on that day for the specific user. By default, the time range is set to one hour. You can change the time range.

To Investigate Events

  1. Go to Users > Alerts.

  2. Under Filters, select the Entity Type as Users. The Alerts are displayed, along with the anomaly value, data source, and start time.

    Alert Flow

  3. Click an alert name, and under Alert Flow, click the + icon.

    A graph is displayed that shows details about a specific indicator, including the timeline in which the anomaly occurred and the user associated with the indicator. The following figure shows an example of a graph. The type of graph can vary, depending on the type of analysis performed by NetWitness.

    Alert Graph

1.3.9 - Save a Behavioral Profile

How to monitor user behavior and utilize advanced analytics to detect anomalies and risky behaviors?

Save a Behavioral Profile

The combination of the alert types and indicators you select during the forensics investigation is a behavioral profile. You can save the behavioral profile, so you can monitor this use case in future. For example, if in your organization a user attempted to login and failed multiple times, you can select filters using the multiple failed authentications alert type. This can be saved as favorite. You can proactively monitor for future brute force attempts. To do so, you can click the favorite to see if new users were subjected to this type of attack.

To save a behavioral profile

  1. Log in to the NetWitness Platform XDR and click Users.

    The Overview tab is displayed.

  2. Click Entities tab.

  3. In the Filters panel, select the alert in the Alerts drop-down and Indicators in the Indicators drop-down.

    BehavioralProfile

1.3.10 - Watch a Profile

This topic provides information about how to watch a profile.

Watch a Profile

The watch user profile is a list of users that you want to monitor for potential threats. The watch user profile marks a user so that the users can be quickly referenced on the dashboard. This is essentially a bookmark to monitor suspicious users.

To watch a user profile

  1. Log in to the NetWitness Platform XDR and click Users.

  2. In the Overview tab, under Top Risky Users panel, click username.

  3. Click Watch Profile.

    The user is added to the watchlist.

    Watch profile

1.3.11 - Export a List of High-risk Users

This topic provides information about how to export a list of high-risk users.

Export a List of High-risk Users

You can export a list of all users and their scores in a .csv file format. You can use this information to compare with other data analysis tools like tableau, powerbi, and zeppelin.

  1. Log in to NetWitness Platform XDR and click Users.

    The Overview tab is displayed.

  2. Click Entities tab.

  3. Click Export.

    Export

1.3.12 - View the Usual Behavior of a User

This topic provides information about how to view the usual behavior of a user.

View the Usual Behavior of a User

NetWitness Detect AI Modeled Behavior provides analysts with visibility into the usual activities of users monitored by Detect AI. These modeled behaviors are based on the log data leveraged by Detect AI and are available a day after the Detect AI service is configured. Detect AI monitors abnormal user behaviors to identify risky users and this requires data to be processed for a certain period of time. However, Modeled Behaviors reflect the activities of the user within a day of the service configuration. For example, if a user fails multiple times by logging in with incorrect credentials within an hour, analysts can view these behaviors as Failed Authentications for the user.

To view the Modeled Behaviors

  1. Log in to NetWitness Platform XDR and click Users.

  2. In the Overview tab, under Top Risky Users panel, click a username.

  3. Click Modeled Behaviors, to view the Modeled Behaviors highlighted with a blue line in the left panel. The results can be sorted by the date or in alphabetical order.

    Pie Chart depiction of Modeled Behavior

1.3.13 - Check the Activity of a Specific User

This topic provides information about checking the activity of a specific user.

Check the Activity of a Specific User

You can view all alerts and indicators associated with a user in the User Profile view. In the events table, you can find the events that contributed to a specific indicator for a specific user. You can further investigate on events by clicking on a username that pivots to Investigate > Events. In the Events view, you can see the list of events that occurred on that day for the specific user. By default, the time range is set to one hour. You can change the time range.

To check the activities of a specific user

  1. Log in to NetWitness Platform XDR. Go to Users > Alerts.

  2. Under Filters, click Users.

  3. Select a specific user.

    Check the activity of a specific user

1.3.14 - Filter Users for Investigation

This topic provides information about how to filter users for investigation.

Filter Users for Investigation

In the Entities tab, you can use Alert Types and Indicators which are behavioral filters to view high-risk users. The behavioral profile is saved and displayed in the Favorites panel. You can click on the profile in the Favorites to monitor the users.

To view users for investigation

  1. Log in to NetWitness Platfor XDR.

  2. Go to Users > Entities.

    The Overview tab is displayed.

  3. Click Entities tab.

  4. To create a behavioral filter using alert types, select one or more alerts in the Alerts drop-down list 4.

  5. To create a behavioral filter using indicators, select one or more indicators in the Indicators drop-down list 5.

    Filter Users for Investigation

1.3.15 - Identify Critical Alerts

This topic provides information about identifying the critical alerts.

Identify Critical Alerts

Anomalies that are found as incoming events are compared to the baseline and compiled into hourly alerts. Relatively strong deviations from the baseline, together with a unique composition of anomalies, are more likely to get a higher alert score. You can quickly view the most critical alerts in your environment, and start investigating them from either the Overview tab or the Alerts tab. The following figure is an example of top alerts in the Overview tab. The alerts are listed in order of severity and the number of indicators who generate the alerts.

Alerts Tab

Here you can quickly view all the critical alerts, filter them based on date range and criticality in your environment, and start investigation.

To identify such alerts

  1. Log in to NetWitness Platform XDR.

  2. Go to Users > Alerts.

    The Alerts tab is displays all the critical alerts.

  3. In the filters panel, do the following:

    • In the Severity drop-down, select Critical.
    • In the Date Range drop-down, select the date range. The options are Last 24 Hours, Last 7 Days, Last 1 Month, and Last 3 Months. By default, last 3 Months alerts are displayed.
    • If you want to set a unique date range, select the Custom Date under Date Range and specify the Start Date and End Date that you want the investigate. The alerts are displayed in the right panel according to the filter you selected.

1.3.16 - Investigate Alerts

This topic provides information about how to investigate alerts.

Investigate Alerts

  1. Log in to NetWitness Platform XDR and go to Users.

    The overview tab is displayed.

  2. In the Overview tab, look at Alert Severity panel. Is there an even distribution of alerts or are there a few days when there was a noticeable spike? A spike could indicate something suspicious like malware. Make a note of those days so you can inspect the alerts (the bar from the chart links directly to the alerts for that specific day).

  3. Click Critical Alerts date range.

    Alerts Tab

    The Alerts tab is displayed.

    Alerts Tab

  4. In the Alerts tab, you can view the indicator count to identify users with the highest number of alerts, more indicators help illustrate more insights and
    provide a more rigid timeline that you can follow:

    • Expand the top alerts in the list.
    • Look for alerts that have varied data sources. These show a broader pattern of behavior.
    • Look for a variety of different indicators.
    • Look for indicators with high numeric values, specifically for high values that are not indicative of a manual activity (for example, a user accessed 8,000 files).
    • Look for unique Windows event types that users do not typically change as these can indicate suspicious administrative activity.

  5. Search by indicators. The list shows the number of alerts raised that contain each indicator.

    • Look for the top volume indicators; filter by an indicator and review by user to find users who experienced the highest number of these indicators.
    • In general, as they are common time-based alerts (for example, Abnormal Logon Time), they can provide good context when combined with higher interest indicators.

  6. Drill into more detail:

    Alerts Tab
    • Leverage alert names to begin establishing a threat narrative. Use the strongest contributing indicator that usually determines the alert’s name to begin explaining why this user is flagged.
    • Use the timeline to layout the activities found and try to understand the observed behaviors.
    • Follow up by reviewing each indicator and demonstrating the supporting information, in the form of graphs and events, that can help you verify an incident. Suggest possible next stages of investigation using external resources (for example, SIEM, network forensics, and directly reaching out to the user, or a managing director).

1.3.17 - Save a Filter

This topic provides information about saving a filter.

Save a Filter

You can save a behavioral filter for future investigations and avoid entering the details every time. The behavioral profile is saved and displayed in the Favorites panel. You can click on the profile in the Favorites to monitor the users.

To save a filter

  1. Log in to NetWitness Platform XDR.

  2. Go to Users > Entities.

    The Overview tab is displayed.

  3. Click Entities tab.

  4. Enter the required details in the Filter panel on the left-side panel.

  5. Click Save as.

  6. Enter a Filter Name in the Save as Favorites pop-up window.

  7. Click Save.

1.3.18 - Filter an Alert

This topic provides information about how to filter an alert.

Filter an Alert

You can filter alerts to retrieve alert details using specific parameters to help further investigation. They are displayed in the Alerts tab by severity, feedback, indicators, and date range.

  1. Go to Users > Alerts. The Alerts tab is displayed.

    Alerts Tab

  2. To filter by severity, click the down arrow under Severity in the Alerts Filters panel, and select any one option. The options are Critical, High, Medium, and Low.

  3. To filter by feedback marked as Not a Risk, click the down arrow under Feedback, and select the Rejected option.

  4. To filter by entity, click the down arrow under Entity Type, and select Users option.

  5. To filter by date range, click the down arrow under Date Range and select an option. The Options are Last 24 Hours, Last 7 Days, Last 1 Month, and Last 3 Months. The alerts are displayed in the right panel according to the selected filter. To reset filters, click Reset, in the bottom of left panel.

1.3.19 - Take Action on Users

This topic provides information about how to take action on users.

Take Action on Users

After investigation, you can take action on the risky users to reduce or prevent further damage caused by malicious attackers in your organization. You can take any of the following actions:

  • Specify if the alert is not risky.
  • Save the behavioral profile for the use case found in your environment.
  • Add user profiles to the watchlist, if you want to keep a track of the user activity.

1.3.20 - Export User Data

This topic provides information about how to export user data.

Export User Data

You can export a list of all users and their scores in a .csv file format. You can use this information to compare with other data analysis tools like tableau, powerbi, and zeppelin.

To export alert data

  1. Log in to NetWitness Platform XDR.

  2. Go to Users > Alerts.

    The Alerts tab is displayed with the alert data.

  3. Click Export.

    Export User Data

1.4 - Release Information

Provides information about new features and enhancements for Detect AI.

1.4.1 - Whats New

Information on release cycles and new features.

What’s New

February 2, 2022

Updating On-premises Sensors

Administrators can now easily keep all their sensors (Cloud Link Service) up to date with ease by setting up automatic updates or scheduled updates to save time and avoid manual sensor tracking. Administrators can set up update options on the Sensor Configuration tab:

  • Manual Update: This option allows you to update each sensor manually.
  • Automatic Update: Cloud Link Service is automatically updated when an update is available, and it is selected by default.
  • Scheduled Update: This option allows you to specify (day of the week and time) when all sensors must be updated. This helps you to schedule updates outside the peak working hours.

NOTE: Make sure to update your sensor regularly to have all the latest capabilities, improvements, and security fixes.

November 11, 2021

Detect AI support for Endpoint queries

The Cloud Link Service is enhanced to support endpoint-related queries. The Cloud Link Service transfers endpoint metadata (process and registry data) from your on-premise deployment for analytics on Detect AI.

NOTE: To support endpoint-related queries, Cloud Link Service must be on version 11.7.1 or later.

August 12, 2021

Introduced a New Chart Format

A new and enhanced dotted chart is introduced in Detect AI. The dotted chart provides the analyst with the entities baseline values over time to better understand the context of the modeled behavior and the anomaly in case of an indicator. In order to view the dotted chart and display the Detect AI data in an optimal way, the on-premise version should be upgraded to 11.6.

For more information, see Read an Indicator Chart.

June 2, 2021

A new Cloud Link Overview Dashboard is introduced in the New Health & Wellness to monitor the health of the Cloud Link Service. Each visualization on this dashboard will be automatically refreshed with the most recent data, to efficiently manage the service.

The dashboard provides insights on the following:

  • Status of all the Cloud Link Services in your deployment (offline and online)
  • The sessions aggregation rate, count of sessions behind, and sessions collected for each Cloud Link Service
  • Status of the uploads such as the count of sessions uploaded, the rate at which upload took place, and outstanding sessions to be uploaded
  • CPU and memory usage of each Cloud Link service

For more information, see Monitor the health of the Cloud Link Service.

March 16, 2021

Cloud Link Service is released as part of NetWitness Platform 11.5.3 with the following enhancements:

February 4, 2021

Introduction of NetWitness Detect AI

NetWitness Detect AI is an add-on to NetWitness® Platform and is offered as a SaaS service. NetWitness Detect AI is an advanced analytics and machine learning solution that empowers Security Operations Center (SOC) teams to detect, investigate, and respond to advanced internal attacks and behavior-based anomalies. This helps organizations to:

  • Leverage behavior baselining and modeling to uncover anomalous behavior, and insider threats using unsupervised machine learning algorithms.
  • Process data to monitor abnormal user behavior to identify risky users.
  • Generate alert risk scores to raise severity and priority of high risk alerts, reducing alert fatigue and false positives.
  • Leverage User Profile baselines to gain insights on daily user activities.

Users are analyzed for abnormal user activities using the logs data from the NetWitness® Platform. Detect AI leverages the capabilities of NetWitness® Platform User and Entity Behavior Analytics (UEBA) and is provided as a SaaS application. As a cloud service, Detect AI has many additional advantages:

  • Security teams are better equipped to respond to threats as NetWitness manages this service for your organization and releases new content and enhancements.
  • Organizations can be benefitted by:
    • Reduced setup time
    • No additional hardware requirements
    • Minimal investment for ongoing maintenance

Cloud Link service is a sensor that transfers data from your on-premise deployment for analytics on NetWitness Detect AI. When you install and register this service it:

  • Transfers metadata from the host (such as Log Decoders) in your on-premise deployment to the NetWitness Detect AI.
  • Transfer alerts generated in NetWitness Detect AI to your on-premise NetWitness Platform Respond server.

Some key features of Cloud Link Service are:

  • Easy Installation and Registration: Installation is easy and can be performed using the NetWitness Platform user interface. Once installed, the activation package can be downloaded to register it.
  • Service Notifications: Email and Syslog notifications can be configured to track the status of the service. For example, when a service goes offline or when a service exceeds the resource utilization beyond the set threshold.

1.4.2 - Known Issues

This topic provides information on the known issues, component title, issue, and their workaround.

Detect AI Known Issues

June 2, 2021

Components Title, Problem and Workaround Fixed Date
Detect AI Title: The pie chart displays inappropriate Detect AI data.
Issue: This happens because the NetWitness Platform on-premise is on a version prior to 11.6. In the on-premise version of 11.6. The pie chart has been replaced with the dotted chart.
Workaround: Upgrade the on-premise version to 11.6 to view the data in an optimal way.		 June 2, 2021

March 16, 2021

Components Title, Problem and Workaround Fixed Date
Cloud Link Service Title: Intermittent data loss was observed during data upload, after changing proxy configurations.
Issue: If you change the proxy configurations after registering the Cloud Link Service, you may experience intermittent data loss.
Workaround: Ensure that the proxy settings are applied before the Cloud Link Service is deployed. Data transfer resumes automatically once the new proxy configuration takes effect.		 June 2, 2021

1.4.3 - Copyrights

Copyrights

Contact Information

RSA Link contains a knowledge base that answers common questions and provides solutions to known problems, product documentation, community discussions, and case management.

Trademarks

RSA Conference Logo, RSA, and other trademarks, are trademarks of RSA Security LLC or its affiliates (“RSA”). For a list of RSA trademarks, go to https://www.rsa.com/en-us/company/rsa-trademarks. Other trademarks are trademarks of their respective owners.

License Agreement

This software and the associated documentation are proprietary and confidential to RSA Security LLC or its affiliates are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.

This software is subject to change without notice and should not be construed as a commitment by RSA.

Third-Party Licenses

This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed on the product documentation page on RSA Link. By using this product, a user of this product agrees to be fully bound by terms of the license agreements.

Note on Encryption Technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution

Use, copying, and distribution of any RSA Security LLC or its affiliates (“RSA”) software described in this publication requires an applicable software license.

RSA believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” RSA MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

December, 2020.

2 -