Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

HP ArcSight
User Behavior Analytics
Tim Wenzlau, HP UBA Product Manager
#HPProtect

Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Insider Threat

Sensitive Data Access

Application Misuse

HP ArcSight
User Behavior Analytics

The challenge: How to detect and react quickly

Attack vector

Rogue users

Compromised
accounts

Security challenge

Expanding data
& scope

Many credentials
for each user

HP User Behavior Analytics overview

Workflow for UBA

Identity

Contextual Visual
Investigation
Learn
normal

Access

Identify
Weird

UBA
Events &
Applications

Abnormal Behavior
Detection
Risk scoring &
Prioritization
Active Monitoring of
Events

UBA Key solution areas

Application Security
Intelligence

Privileged Account
Intelligence
Privileged Account Threat
Monitoring
Service Account Threat
Monitoring
Key stroke monitoring

Data Security Intelligence

Data theft detection &
prevention
VIP snooping detection &
prevention

Identity Intelligence
User Centric Monitoring
Peer Group Context
Statistical Base lining
Centralized view of user context
and risk score
Insider Threat & Account
Compromise

Data theft detection

Data snooping detection
VIP snooping detection
Fraud detection
High-risk access detection
Privileged account threat
monitoring

Access Intelligence
Rogue Access Identification
Enable risk-based access
reviews
Enable risk-based access
requests

A potential threat, identified with User Behavior Analytics

John, a software engineer was targeted by foreign hackers for his access to the source code repository and exploit
trade secrets. Attackers steal Johns credentials, login to source code repository, and steal the IP.

Account Compromise
Target >>

John Doe: Senior Software Engineer

IAM

HR AD LDAP

What >>

What Was Seen

Phishing email
Account sending email to bad
destination email address

Appropriate Access to source

code repository

Has Privileged Access

Entitlements

Authorized access to code

repository

How >>

Behavior Anomaly

Peer Anomaly

What Was Missed

Suspicious Activity

Inappropriate application activity

compared to peers
Anomalous VPN log, unfamiliar IP per user
Privileged account access from unknown
source
Abnormal access times and frequency
Account accessing applications/
performing transaction never conducted
before
Abnormal file access compared to peers
Download high volume of sensitive data
Discrepancy between physical access and
IT access

What value does UBA bring to our customers?

Find the malicious

user

Faster event
resolution

Prioritization of high
risk users

Investigation
efficiency &
visualization

5-1 ROI
Impact

How HP UBA does It:

Tracking behavior

Step 1:
Calling out the abnormal behavior based on identity & behavior context

Identity context

Detecting the
abnormal

Behavior context

Peer Outlier

Event Rarity

Amount Spike

Frequency Spike

Risk scoring &

prioritization

Visualization

Step 2: Define normal for that user and those like him
Profile each users normal behavior in each application
and log source
Learn what
normal looks
like

Watch for
Deviations

I. Transaction Rates and Frequency

II. Transaction Types and Processes
III. Transaction Amounts and Time (totals
hourly/daily/weekly/monthly)
IV. Sources of transactions (normal hosts)
V. Learn and Correlate All User Identities Back to One Account

Make sure normal isnt already a compromised state

I.

Compare against Peers: Title, Manager, Department, Job Code,

System Type, OS, Location
II. If no one else is doing X or has privilege Y its an outlier and
potential problem

Step 3a: Detecting not normal for that user

+1

+1
Frequency
Spike

Behavioral Analysis
Behavior Profiles
Peer Group Profiles

Peer Analysis

Event Rarity

+1
Amount Spike

+1
Peer Group
Comparison

Suspicious Activities & Transactions

Suspicious Account Usage
Suspicious System Usage

Step 3b: Detecting not normal by comparing to peers

Outlier Classification
60%

Cohesiveness

JobKey
30003509

75%

80%

Division
SECURITIES
OPS

Dept.
INVESTMENT
MGMT

Jane Doe

Manager
J.Smith

SECOND VP

97%

92%

Peer Group Analysis

Logically group users based on roles
and responsibilities
Detect anomalous behavior of a user
compared to peers
Low Risk

Title

Statistical calculation of Peer

cohesiveness
Risk associated with outliers increases
with peer cohesiveness
13

High Risk

Step 4: Identify highest risk users through risk scoring & prioritization

Static Risk (Criticality)

Dynamic Risk (Derived)

Based on risk assessments

Critical assets, applications such as
mainframes and resources
High risk access permissions and
user groups

Based on the degree of outlierness

such as:
Policy Violation
Suspicious behavior
Peer comparison

Identity Risk (Risk Boosters)

Employee type such as contractor
and 3rd party vendor
Flight Risk and exit users
Bad performance reviews,
demotion HR data

Highest risk users

Step 5: Investigate highest risk users via Link Analysis

Graphical interface to perform link analysis
Ability to drill-down and investigate events and people of interest & cross entity association

15

How HP UBA does It:

Rule-based logic

Full Time
Employee Contractor

Step 1: Understand the user

Identity correlation
and attribution
Users
Apps

E
v
e
n
t

Over 150 Identity

Properties

JobKey
30003509

Employee Term Date

Data
Contract End

Host
Cloud

Perimeter

Manager
J.Smith

Division

Hire Date

Jane Doe

D
a
t
a

Title
SECOND VP

IP metadata

Lookup
Data
Active
Directory

SailPoint

THEN

Aveksa

User Watchlist
Asset Criticality

Oracle

Sentiment
Courion

IF

Part Time

Shared
Department
Properties Manager

Dept.
INVESTMENT
MGMT

Division
SECURITIES
OPS

Type

ELSE

Human

HR
Data

Resources

AND

WHERE

Phone/Address
Last Review

Microsoft Windows rule-based policies

18

Step 2: Identify highest risk users through risk scoring & prioritization

Static Risk (Criticality)

Based on risk assessments

Critical assets, applications such as mainframes
and resources
High risk access permissions and user groups

Identity Risk (Risk Boosters)

Employee type such as contractor and 3rd party

vendor
Flight Risk and exit users
Bad performance reviews, demotion HR data

Highest risk users

Step 3: Investigate highest risk users through UBA dashboards

20

Integration with SIEM

Investigate users from ESM to UBA via right-click

For information about the Source

User Name:
Risk Scorecard
Organization
Peer Groups
Monitor Access
Monitor Activities
Contact Details
Workflow Details
Employment History
Change History
22

Investigate users from ESM dashboards

Dashboards can be added
based on UBA attributes,
including:
Source hostname
Source IP address
Source user name
Policy name
Violation risk score
Violation time
Violation count
Destination host name
Destination IP address
Destination Zone

23

UBA Support of privacy & encryption

HP UBA has the industrys most advanced capabilities around Data Masking and Privacy Controls. HP UBA has been
approved by the German Workers Council.
Capabilities

Description

Data Masking at DB Level

HP UBA has the ability to mask user data and unmask only the exceptions .
HP UBA uses an AES encryption to mask the data.
Typically Privacy officers hold the password to decrypt

Audit Logs

HP UBA logs all use of the system and is auditable

Logs contain IP address, user SSO, detail description of the transaction
Complete audit trail and history maintained to review who is doing what within HP UBA

Role Based Access Control

Exception Monitoring

To avoid data snooping, Security analyst cannot view user activity unless there is an exception.
Only exceptions can be viewed with SSO, first name, last name masked
Privacy Officer with access can decrypt only users who have violation using decryption key provided.
Reports for DLP intelligence can only be generated by DLP team.

Email Notification

In an event an account has been identified with unusual activity, system has capability to notify the individuals and
their managers where there is a likely adverse affect on privacy.

Security Hardening

HP UBA integrates with AD to disable terminated users and allows SSO/ LDAP authentication enabled
HP UBA database is security hardened and even data base admins cannot login
Security assessment kit to remove unnecessary services, applications, open ports and network protocols

HP UBA obeys Role Based Access Control

Only Users with particular roles will be allowed access.
Roles are fine grained permissions that controls Menus, dashboard, reports..
HP UBA will use Site minder for authentication
Complete audit trail and history maintained to review who is doing what within HP UBA

Questions?

Please give me your feedback

Session B3926

Speakers Tim Wenzlau

Please fill out a survey.

Hand it to the door monitor on your way out.
Thank you for providing your feedback, which
helps us enhance content for future events.

Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Thank you

Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Appendix:
Architecture

UBA Support of Privacy & Encryption

HP UBA has the industrys most advanced capabilities around Data Masking and Privacy Controls. HP UBA has been
approved by the German Workers Council.
Capabilities

Description

Data Masking at DB Level

HP UBA has the ability to mask user data and unmask only the exceptions .
HP UBA uses an AES encryption to mask the data.
Typically Privacy officers hold the password to decrypt

Audit Logs

HP UBA logs all use of the system and is auditable

Logs contain IP address, user SSO, detail description of the transaction
Complete audit trail and history maintained to review who is doing what within HP UBA

Role Based Access Control

Exception Monitoring

To avoid data snooping, Security analyst cannot view user activity unless there is an exception.
Only exceptions can be viewed with SSO, first name, last name masked
Privacy Officer with access can decrypt only users who have violation using decryption key provided.
Reports for DLP intelligence can only be generated by DLP team.

Email Notification

In an event an account has been identified with unusual activity, system has capability to notify the individuals and
their managers where there is a likely adverse affect on privacy.

Security Hardening

HP UBA integrates with AD to disable terminated users and allows SSO/ LDAP authentication enabled
HP UBA database is security hardened and even data base admins cannot login
Security assessment kit to remove unnecessary services, applications, open ports and network protocols

HP UBA obeys Role Based Access Control

Only Users with particular roles will be allowed access.
Roles are fine grained permissions that controls Menus, dashboard, reports..
HP UBA will use Site minder for authentication
Complete audit trail and history maintained to review who is doing what within HP UBA

Integration Architecture Overview

Integration
Command

5
ESM

CEF
Connector

3
HP UBA
CEF
Connector

2
Logger

1
Connectors

Identity &
Access

HP UBA hardware

31

Master / child scalable architecture

32

Process flow diagram

Security
Events
Context
Enrichment

Activity

Access
Privileges

Identity
Aggregation

Peer Group
Analysis

Behavioral
Profiles

Outlier
Detection

Risk
Aggregation

HP
ArcSight

Threat
Intelligence

Investigation
& Response

Event
Rarity
Model
Refinement

33

Anomaly
Amplification

2014 HP UBA

Threat
Modeler

A couple examples of behavior & peer based detection

Unusual Activity

Suspicious Database Access

Inappropriate Activity

Anomalous peer based HPA activity

Unusual Transaction
Never before seen IP address

1) Build Context
Poor HR Review, Upcoming Termination
Database username to identity correlation

Multiple user names to identity correlation

High privileged account to identity correlation

User name to identity correlation

IP address to user mapping
User IP to threat intelligence feeds

User profile of normal privileged account

activities
Peer profile of normal privileged account
activities

User profile of normal IP addresses accessed

User profile of normal VNP geo-locations and
times

Peer: Anomalous high privileged account

entitlement & commands

Behavior: Never before seen IP address, VPN

geo-location

Prioritize privileged account violations, Three

Strike rules, Multiple Indicators
Visualize user association with privileged
accounts

Investigate compromised account, IP associate

with other users
Identify activities associated with account after
compromise

2) Classify Normal
User profile of frequency and time of DB access
User/peer profile of common database
commands
User/peer profile of normal volume of
database files accessed and removed

3) Detect the Anomaly

Behavior: Monthly increase in DB access
Peer: Anomalous DB command-clear logs, wire
transfer, select *, Anomalous DB access activity

4) Clasify, Score & Visualize, Investigate

Toxic combination, amplify risk score
Trace user activity on separate systems and
accounts

34

Use case examples

UBA - Privileged Account Monitoring

Data Source : Host (Windows/Unix/Mainframes)

Terminated user analysis Anomalous activity from an account belonging to a terminated user

Dormant account usage Sudden spike in activity from an account that has been dormant for 90 days or more

Service account misuse Service account logs in from a new IP address (e.g., VPN) and performs activity never seen before; interactive
logon by service account

Rogue/Orphan account misuse Anomalous activity by accounts that could not be correlated to a user or identified as service/shared
accounts.

Suspicious account changes - Sudden increase in the number of account creations/deletions; large number of password resets or changes
in a short time period

Unusual login pattern - multiple failed login attempts from an IP address never used before

Account Misuse Privileged account executes commands not seen before e.g., zero day malware, backdoor

Suspicious sequence of activities - Creation, use and deletion of local admin account

Tampering of audit logs - Change or deletion of audit logs anomalous to peer behavior

Jump box violation - account logs in directly by-passing monitoring tools

UBA - Database Monitoring

Data Source : Databases (MS SQL, Oracle, Sybase)

Anomalous activity - spike in data read/write events (e.g., SELECT, COPY, UPDATE) on database tables with sensitive data (e.g., customer
PCI records)

Critical database activity (e.g., DROP, DELETE TABLE) that has never been performed before by the user or peers with similar roles/title

DBA account or service account logs in from an IP address or domain never seen before (e.g., login from Nation State IP location)

Suspicious login pattern during non-business hours (e.g., failed logins at odd times)

Critical admin activities performed at odd hours (e.g., admin in US location makes backups of sensitive dB tables at 2 am)

Anomalous usage of a service account (e.g., SELECT * on customer data; clearing of audit logs)

DBA access dB directly bypassing the jump box (e.g., non-citrix user)

DBA user has access privileges on database that are anomalous to peer group (e.g., edit refunds)

UBA Premium - Access Intelligence Use Cases

Data Source : Access Entitlements from Hosts/Applications/DB

Access outlier detection - Use advanced peer group analysis techniques to identify true outliers in access privileges assigned to a
user. Peer groups can be defined based on user HR attributes such as Manager, Dept., Division or other inputs as such project data,
timesheets, AD group membership, etc. Peer analysis can yield organizations a reduction of more than 90% in the access
privileges sent for review and an average of 60-80% revocation rates.

HPA account detection Automated identification of privileged service, shared, and human accounts through advanced
correlation

Segregation of duty (SOD) checks Detect segregation of duty violations based on access privileges assigned to users

Terminated account analysis Detect active access accounts belonging to terminated users

Rogue/Orphan accounts Identify human accounts which could not be associated with the active users in HR data source

Dormant user analysis Identify accounts that have not logged in for the past 90 days or more

Risk based access reviews Easy integration with access review tool using restful APIs to automate continuous risk based access
reviews

Glossary Provision to include English language definitions for access entitlements

HP UBA Premium - Data Exfiltration Use Cases

Sample Use Cases

Spike in download/copy of protected documents

Access to critical files/tables never accessed by peers

Unusual connections to confidential data store (e.g., login from new IP, use of PSExec never used before)

Spike in DLP violation count anomalous to normal behavior

Emails with protected information sent to non-corporate/white listed recipient domains

Large number of emails to personal email address

Suspicious emails send to competitor (e.g., user sending email attachment to competitor when peers are not)

Unusual volume of document uploaded to non-corporate domains (e.g., dropbox)

Repeat offenders across different types of DLP violations

Large number of protected document printed

Suspicious copy of sensitive information to USB

FTP of sensitive documents to suspicious IP/domain

Flight risk analysis (risk booster only) User continuously accessing job, contractors with termination date within 30 days

Application Insight Packages- High Privileged Account Use Cases

Data Source : CyberArk/Lieberman

Suspicious SSH activity to critical servers (circumventing monitoring controls) Users authenticates outside PIM (Cyberarc/Liberman)
solution.

Suspicious FTP data transfer Use of insecure file transfer method for large volume of data transfer

XTERM, XWindows - User exports display terminal to another IP, where session is not able to be monitored

Insecure Connection - User connects without server identity being confirmed

Password Storage - User retrieved password from a file that was not secured

Telnet - Presence and attempted use of the telnet utility, which is a highly insecure remote access method

CP Use of cp command to send files to different server, insecurely

Clear-text Password - Password that is either visible to the user, making it searchable in command history, or the credentials are being
sent insecurely

Suspicious password retrieval/copy, forced password change

No Authentication - Authentication was not required for user action, where it should have been

HTTP Use of insecure file transfer method from critical servers

Password snooping (viewing password properties file, /etc/passwd files, etc.)

Logon with Unencrypted credentials

Risk Insight Packages

SAP: Ability to import detailed logs including Transaction Usage, FireFighter, Background Jobs, SAP_All activity and
associated Entitlement information from SAP ECC for the identification of high risk user behavior and rogue access using
out-of-the-box behavior and threat models specific to SAP.
CyberArk: Ability to connect to CyberArk and download detailed Password Vault data and session data. UBA uses the
detailed session data to conduct behavior analytics on individual user commands for use in identifying the misuse or
compromise of privileged credentials and the replacement of manual auditing requirements.

Lieberman: Ability to connect to Lieberman and download detailed Password Vault data and session data. UBA uses the
detailed session data to conduct behavior analytics on individual user commands for use in identifying the misuse or
compromise of privileged credentials and the replacement of manual auditing requirements
EPIC: Ability to import detailed logs from EPIC for the identification of high risk user behavior using out-of-the-box
behavior and threat models specific to EPIC and Healthcare environments such as data/VIP snooping and break-the-glass
privileged user sessions
Cerner: Ability to import detailed logs from Cerner using a Listener architecture for the identification of high risk user
behavior using out-of-box behavior models for Cerner and Healthcare environments such as data/VIP snooping
AWS: Ability to import Amazon Webservices events related to the services accessed on AWS - logon, logout, instances
started, edited stopped, IAM users added, edited etc. Detect privilege abuse for users managing the AWS instances
Box: Ability to import file sharing and administrative events from Box.com and analyze for data snooping/theft and
account abuse

41

Insider Threat Detection Use Cases

Tier 4

Tier 3

Tier 2

Tier 1

Kill Chain

42

RECON

Early Indicators

Data Gathering
Privilege
Escalation

Lateral
Movement
Maintain
Presence

Data
Compromise
Exfiltration

Attack Vectors

Negative Sentiment
Job Site Searches
Emailing Resumes
Negative Review

Increased Activity
Unusual File Access
Off Hours Activity
Unusual Transactions
Unusual Volume
Unusual File/Data
Access

Connect to shared
resources
Execute commands
on systems remotely
Connect to C&C server
Beaconing
connections
Upload data to C&C
via ftp, email, http
Multiple Exfiltration
Vector Detection
Unusual Transactions

Data Sources
-

User Sentiment
Human Resource
Mail Gateways
Proxy Server
IAM

- File Share Logs

- Badge Access
- Database
Monitor
- Application Logs
- Cloud Apps
- EPIC, CERNER,
- SAP, Oracle
Financials
- HIDS/HIPS
- Net flow
- FW

- DLP
- Third Party
Intelligence

UBA Basic/UBA/UBA Premium

IP attribution to User Identity

Privilege Outlier Detection
Intelligent Provisioning
Risk Based Decisions and Prioritization

Change in privileged account behavior

Access to never before used files outside of their department
Suspicious Activity (audit log manipulation)
Unusual After hours/weekend access
Login from never before used source IP
Unusual Transaction / Transaction Amount Analysis
Data/Account Snooping

Spike in lateral connections from infected host

Anomalous connections e.g., telnet, ftp
Connection to unknown/recently registered domain
Repeat activity to external IP/domain (e.g., malware beaconing)
Inappropriate File / Data Access

Spike in DLP violations

Emails to suspicious recipients or competitive Domains
Multiple attempted exfil methods
Large uploads to non-corporate hosts or domains
Anomalous traffic to newly registered IP/domains

2015 HP UBA

UBA - Privileged Account Intelligence

Threat Indicators

Anomalous
Login Pattern

Account
Compromise

Privilege
Misuse

Data Sources

HP UBA

IP attribution
Sudden spike in failed logins on VPN, DC, etc.
Login from a new IP address or location never seen before
Interactive logon by a service account
Jump box violations
Remote login when physically badged in

- CyberArk, Lieberman
- Active Directory
- Database/ Application
authentication

Suspicious account creation (useradd, groupadd, etc.)

Password snooping (viewing password properties file, /etc/passwd files, etc.)
Suspicious permission changes
Suspicious password retrieval/copy, forced password change
Suspicious connections by user never seen before (RDP, Telnet)
Tampering of monitoring tools, audit logs.

Service account misuse access dB files anomalous to normal behavior

Suspicious access on confidential data (anomalous to peer behavior) e.g. system admin
accessing profit-loss statements, client list
Large number of confidential document downloaded anomalous to historic behavior
Execute commands not seen before e.g., zero day malware, backdoor

Active Directory
CyberArk, Lieberman
VPN devices
FW/Application/DB
Badge

Database/ Application logs

FileShare, Printer, USB logs
Active Directory
SVN/Perforce

2015 HP UBA

UBA Premium - Data Security Intelligence

Data Sources

Threat Indicators

Data Compromise

FileShares
Applications
SharePoint/Documentum
Databases

HP UBA Premium

Spike in download/copy of protected documents

Access to critical files/tables never accessed by peers
Unusual connections to confidential data store (e.g., login from new IP, use of PSExec
never used before)
Anomaly in accessing VIP or other sensitive records records

DLP System (Rest and in-motion)

E-Mail Gateway
Proxy
HR data

Spike in DLP violation count anomalous to normal behavior

High volume of email attachments with sensitive data
Emails with protected information sent to non-corporate/white listed recipient domains
Large number of emails to own personal email address
Suspicious emails to competitors

Data Exfiltration
(Others)

Proxy
Printer
End-Point Security
FW/VPN

Large number of files uploaded to non-corporate domains (e.g., dropbox)

Large number of protected document printed
Anomalous pattern in copy of sensitive information to USB
FTP of sensitive documents to suspicious IP/domain

Situational
Awareness (Risk
Booster)

HR system
Proxy
Active directory

Contractor with upcoming termination date

Flight risk user visiting job sites (continuous pattern)
Users with bad performance reviews

HR data
Legal requirements

Data masking and encryption (256 bit AES)

Support for granular access control
Detailed audit trail of all activities performed by the use
Approved by German Works Council

Data Exfiltration
(Email)

Privacy

2015 HP UBA

HP UBA privacy and encryption

HP UBA privacy design

Czech Republic Act on Personal Data Protection

The Netherlands Personal Data Protection Act

Hungary Data Protection Act

United Kingdom Data Protection Act

France Data Protection Act

Poland Law on the Protection on Personal Data Protection

Norway Personal Data Act

Sweden Personal Data Act 1998

Italy Decree on Minimum Security Measures for Data Protection

Slovenia Personal Data Protection Laws

Israel Protection of Privacy Law

Estonia Personal Data Protection Act

Sweden Personal Data Act 1998

German Federal Data Protection Act

Portugal data protection law

Luxembourg Protection of Persons with Data Law

Slovakia Protection of Personal Data Act

Ireland Data Protection Acts

2013 HP UBA

HP UBA support of privacy

HP UBA has the industrys most advanced capabilities around Data Masking and Privacy Controls.

HP UBA uses 256 bit AES encryption to encrypt and store data in its database

Encryption can be limited to specific fields, group of users and/or systems

HP UBA supports granular role based access control to restrict access to authorized users

HP UBA supports detailed audit trail of all activities performed by the user

HP UBA support of privacy

Capabilities

Description

Data Masking at DB
Level

HP UBA has the ability to mask user data and unmask only the exceptions .
HP UBA uses an 256 bit AES encryption to mask the data.
Typically only the designated Privacy Officer holds the password to decrypt

Audit Logs

HP UBA logs all use of the system and it is auditable

Logs contain IP address, user SSO, detail description of the transaction
Complete audit trail and history maintained to review who is doing what within HP UBA

Role Based Access

Control

HP UBA supports Role Based Access Control.

Roles are used to provide fine grained access that controls menus, dashboard, reports.
HP UBA supports use of Single Sign-On solution such as SiteMinder for authentication

Exception Monitoring

To avoid data snooping, security analyst cannot view user data unless there is an exception.
Only exceptions can be viewed even then SSO, first name, last name can be masked/
Only designated Privacy Officer can decrypt users using decryption key provided.

Email Notification

In an event an account has been identified with unusual activity, system has capability to
notify the individuals and their managers where there is a likely adverse affect on privacy.

Security Hardening

HP UBA integrates with Active Directory to disable terminated users and allows SSO/ LDAP
authentication enabled.
HP UBA database is security hardened and even data base admins cannot login.

Masked user view on dashboard

Encrypt user attributes

Configurable encryption conditions

Data masking and exception monitoring

Access based decryption capabilities

Audit trail

RBAC in application
Define roles and give access to role

Defined roles

Role assignment

Investigation Workbench to track exceptions only

55