UEBA
User and Entity Behavior Analytics, or UEBA, uses machine learning models to determine the baseline behavior of users and entities across certain log sources. New activity is then compared against this baseline and rated with a risk score. Entities that are considered risky can then be identified, investigated further, or used to create an incident in Logpoint SIEM.
UEBA requires at least 30 days of logs to set a proper baseline. To prepare these logs through configuring normalization and enrichment, use the UEBA PreConfiguration Plugin Guide.
UEBA uses behavior analysis rather than predefined rules to detect anomalies. Because only deviations from an entity's established baseline are flagged, the system reduces false positives.
For example, if user Bob needs an average of more than 300 GB of data for his job, a predefined rule that alerts on large data access would fire on his normal activity. This would be a false positive. With a baseline of Bob's normal behavior established, an alert is triggered only when his behavior deviates from that baseline.
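The baseline-versus-rule contrast above, as an added example that is not Logpoint code and does not reproduce Logpoint's actual models: each user's daily transfer volume is summarized into a per-user baseline (mean and standard deviation), and new events are rated with a simple z-score style risk score. The users, the log lines, the 100 GB static threshold and the scoring formula are all constructed for illustration. A ten-day window is used for brevity where the page calls for 30 days.

```python
# Added example (not Logpoint code): a per-entity baseline with a simple
# z-score risk score, contrasted with a static "large data access" rule.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (day, user, gigabytes transferred). The page says UEBA
# needs 30 days for a proper baseline; ten days are used here for brevity.
SAMPLE_LOGS = [
    ("2024-01-01", "bob", 310), ("2024-01-02", "bob", 295),
    ("2024-01-03", "bob", 320), ("2024-01-04", "bob", 300),
    ("2024-01-05", "bob", 290), ("2024-01-06", "bob", 305),
    ("2024-01-07", "bob", 315), ("2024-01-08", "bob", 298),
    ("2024-01-09", "bob", 302), ("2024-01-10", "bob", 300),
    ("2024-01-01", "alice", 4), ("2024-01-02", "alice", 5),
    ("2024-01-03", "alice", 3), ("2024-01-04", "alice", 6),
    ("2024-01-05", "alice", 4), ("2024-01-06", "alice", 5),
    ("2024-01-07", "alice", 4), ("2024-01-08", "alice", 3),
    ("2024-01-09", "alice", 5), ("2024-01-10", "alice", 4),
]

# Events for the day after the baseline window, also constructed.
NEW_EVENTS = [
    ("2024-01-11", "bob", 305),   # normal for Bob
    ("2024-01-11", "bob", 900),   # roughly triple Bob's usual volume
    ("2024-01-11", "alice", 8),   # about double Alice's usual volume
    ("2024-01-11", "alice", 5),   # normal for Alice
]

STATIC_THRESHOLD_GB = 100  # a predefined rule: alert on more than 100 GB in a day
MIN_STDDEV_GB = 1.0        # floor so a very flat baseline is not over-sensitive


def build_baselines(logs):
    """Return {user: (mean_gb, stddev_gb)} learned from the baseline window."""
    per_user = defaultdict(list)
    for _day, user, gb in logs:
        per_user[user].append(gb)
    return {user: (mean(v), pstdev(v)) for user, v in per_user.items()}


def risk_score(baseline, value):
    """Map how far a value sits above the baseline onto a 0-100 risk score.

    Activity at or below the entity's mean scores 0; each standard deviation
    above it adds 20 points, capped at 100. (Hypothetical scoring, chosen for
    illustration only.)
    """
    mean_gb, stddev_gb = baseline
    z = (value - mean_gb) / max(stddev_gb, MIN_STDDEV_GB)
    return max(0.0, min(100.0, z * 20))


def static_rule_alerts(events, threshold_gb=STATIC_THRESHOLD_GB):
    """The predefined-rule approach: flag any event over a fixed threshold."""
    return [(day, user, gb) for day, user, gb in events if gb > threshold_gb]


def baseline_alerts(baselines, events, min_score=50.0):
    """The baseline approach: flag events whose risk score reaches min_score.

    Users with no baseline are skipped here; a production system would
    hold them in a learning period instead.
    """
    alerts = []
    for day, user, gb in events:
        if user not in baselines:
            continue
        score = risk_score(baselines[user], gb)
        if score >= min_score:
            alerts.append((day, user, gb, round(score, 1)))
    return alerts


if __name__ == "__main__":
    baselines = build_baselines(SAMPLE_LOGS)
    for user, (m, s) in baselines.items():
        print(f"baseline {user}: mean={m:.1f} GB, stddev={s:.1f} GB")
    print("static rule alerts:", static_rule_alerts(NEW_EVENTS))
    print("baseline alerts:   ", baseline_alerts(baselines, NEW_EVENTS))
```

Run as a script, the static rule flags Bob's ordinary 305 GB day (a false positive) and misses Alice's 8 GB day (a false negative), while the baseline approach flags only Bob's 900 GB day and Alice's doubling, which is the behaviour the text describes. The standard-deviation floor matters in practice: an entity with a nearly constant history would otherwise score almost any change at 100.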
UEBA Architecture
UEBA is deployed in the cloud. Logpoint sends the data to UEBA for threat analysis by different methods depending on the configured mode of operation. The modes of operation are:
- Standalone mode
- Distributed Logpoint mode
Standalone Mode
In Standalone mode, Logpoint collects the logs from the configured sources, normalizes and enriches them. It then encrypts all the data from the selected repos and sends them to the cloud.
In the cloud, UEBA matches the incoming logs against the previously established baselines. It then returns the detected anomalies and the risk scores for each configured entity. Logpoint decrypts the output and displays the results in the UEBA dashboard.
Distributed Logpoint Mode
In Distributed Logpoint mode, all the Distributed Logpoints collect the logs from the configured sources, then normalize and enrich them. The Search Head then collects the logs from the selected repos of the Distributed Logpoints as well as the Search Head. Finally, it encrypts the data and sends them to the cloud.
In the cloud, UEBA matches the incoming logs against the previously established baselines. It then returns the detected anomalies and the risk scores for each configured entity. The Search Head decrypts the output and displays the results in the UEBA dashboard.
Important Considerations
- Enabling UEBA in Distributed Logpoint (DLP): Normally, UEBA is enabled only in the Logpoint Search Head. However, if no repositories of the DLP are selected in the Search Head, you can also enable UEBA in the DLP itself. Once UEBA is enabled in the DLP, its repositories can no longer be selected in the Search Head.
- Search Head downtime: If the Logpoint Search Head is offline or experiencing issues, you cannot enable UEBA in the DLP machine, even if no DLP repositories are selected in the Search Head.
- Disabling Open Door: If you have selected repositories from the DLP machine in the Search Head, you cannot disable the Open Door feature in the DLP machine. To disable Open Door, and with it UEBA in the DLP, you must first remove all selected DLP repositories from the UEBA Board in the Search Head. Disabling Open Door effectively disables UEBA on that machine. To enable UEBA in the DLP machine again, re-enable Open Door and select the DLP repositories in the Search Head.
- UEBA dashboard: The UEBA dashboard is not present in the DLP.
- Data Separation: Logpoint stores the data from each customer in separate logical containers in the cloud. The separation ensures that there is no association between your data and the data of other customers.