UEBA Configuration

You can enable UEBA, add the UEBA license, and select the repos and entities for UEBA analysis from the UEBA page. You can also view the health status of the system.

Installing UEBA License

You need a valid UEBA license to configure Fabric-enabled LogPoint. The license contains the UEBA validity period, the number of entities you can monitor, and the Client Configuration file necessary for UEBA configuration. Contact the vendor for more details on the configuration file.

Figure: License Page

Adding a License

Before adding a license, contact the vendor to provide your Hardware Key. The vendor then sends you the license file based on the number of entities you want to monitor using UEBA. Once you receive a valid license file, follow the steps below to add the license:

  1. Go to Configure >> Settings and click UEBA.

  2. Select a machine and click Next.

  3. Select License.

Figure: Adding a License

  4. Click to upload or drag and drop the license.

  5. Browse and upload the license key.

  6. Click Next.

  7. Review your changes. You can go Back to update the configuration if necessary.

  8. Click Finish.

Figure: UEBA License Information

  9. Click Ok to install the UEBA license.

Figure: Confirming UEBA License Upload

Enabling UEBA

You can enable or disable UEBA in the selected Fabric-enabled LogPoint and see the health status of the system from the Overview page. However, you must upload the License before enabling UEBA.

  1. Go to Configure >> Settings and click UEBA.

  2. Select Overview.

  3. Check Enable UEBA.

Figure: Enabling UEBA

  4. Click Next.

  5. Review your changes. You can go Back to update the configuration if necessary.

  6. Click Finish.

Figure: Enable UEBA Information

  7. Click Ok to enable UEBA.

Figure: Confirming Enable UEBA

Note

You can Download Report to save the task summary in .pdf.

Health Status

The Health Status section includes:

  1. The number of days UEBA has been enabled in Director.

  2. The number of Active Directory logs sent for UEBA analysis in the last 24 hours.

  3. The number of web proxy logs sent for UEBA analysis in the last 24 hours.

  4. The number of email logs sent for UEBA analysis in the last 24 hours.

  5. The number of VPN logs sent for UEBA analysis in the last 24 hours.

  6. The number of authentication logs sent for UEBA analysis in the last 24 hours.

  7. The number of resource access logs sent for UEBA analysis in the last 24 hours.

  8. The number of SAP authentication logs sent for UEBA analysis in the last 24 hours.

Figure: Health Status

Validation Summary

The Validation Summary section contains:

  1. The total number of historical and real-time logs analyzed for data validation in the last two days.

  2. The total number of invalid logs detected in the last two days while running the validation.

  3. The total number of invalid logs found according to the different data sources.

Figure: UEBA Validation Summary

Managing UEBA Entities

Important

You can access the Entity Selection page only after uploading the license and enabling UEBA.

You can add, edit, and delete the entities for UEBA to monitor on the Entity Selection page. It shows:

  • The total number of licensed entities.

  • The total number of entities set for threat analysis.

  • The specifics of the configured entities.

  • The total number of users and machines chosen.

Adding UEBA Entities

  1. Go to Configure >> Settings and click UEBA.

  2. Select Entity Selection.

Figure: Selecting Entity

  3. In Add Entity:

       1. Enter the Group Name.

       2. Select a Group Type, either User or Machine. If you select Machine, choose whether the source contains the CIDR, the Hostname, or the IP address of the machine.

  4. In Enrichment Source, enter the source name to search for the enrichment source.

  5. In the Enrichment Source section, select a specific enrichment source from the list. It can be LDAP, CSV, or ODBC.

  6. In Select Unique Identifier For Entities, select the identifier from the drop-down. The available identifiers are populated according to the selected Enrichment Source.

  7. In Entities Filtering:

       1. Select a Field from the drop-down.

       2. Enter a Query. It is the parameter used to filter the enrichment source.

  8. Enable Update The Licensed Entity When The Content In The Source Is Changed.

Figure: Adding UEBA Entities

  9. Click ADD ENTITY.

  10. Click Next.

  11. Review your changes. You can go Back to update the configuration if necessary.

Figure: Confirming Entity Selection Information

  12. Click Finish.

Note

You can Download Report to save the task summary in .pdf.

Editing UEBA Entities

  1. Go to Configure >> Settings and click UEBA.

  2. Select Entity Selection.

  3. Click the entity you want to edit.

Figure: Editing UEBA Entities

  4. Make the necessary changes in all three panels.

  5. Click EDIT ENTITY.

  6. Click Next.

Deleting UEBA Entities

  1. Go to Configure >> Settings and click UEBA.

  2. Select Entity Selection.

  3. Click the Cross icon on the right end of the entity.

Figure: Deleting UEBA Entities

Prioritizing UEBA Entities

UEBA processes entities in their priority order, based on the Number of Entities Licensed.

  1. Go to Configure >> Settings and click UEBA.

  2. Select Entity Selection.

  3. Drag and drop the entities to re-order them.

Figure: Prioritizing UEBA Entities

Configuring UEBA Settings

From the Settings page, you can choose the repositories of the LogPoint Search Head and the Distributed LogPoint instances that Fabric-enabled LogPoint sends for UEBA analysis. Similarly, you can enable or disable the history service.

Selecting Repos

You can select multiple repositories from the drop-down in the Repos section. The repos in the Repo Selector are grouped by Distributed LogPoint instances (DLP) or Repo.

  1. In Select Repos:

       1. Check Select Repos to choose all the repos of all machines.

       2. Check All Repos to choose all the repos of a machine.

       3. Click the All Repos drop-down to select specific repos for a machine.

  2. Click Next.

Figure: Settings Information

  3. Review your changes. You can go Back to update the configuration if necessary.

  4. Click Finish.

  5. Click Ok.

Figure: Confirming Settings

Note

You can Download Report to save the task summary in .pdf.

Enabling the History Service

Enable the history service for a better baseline and better results. It sends 30 days of historical data to UEBA. You can enable the history service only once for a machine.

  1. Go to Configure >> Settings and click UEBA.

  2. Select Settings.

  3. Select the Enable History Service checkbox.

Figure: Enabling History Service

Defining the Risk Score

  1. Go to Configure >> Settings and click UEBA.

  2. Select Settings.

  3. In Risk Score, set the value of the risk score by dragging the slider.

Figure: Setting Risk Score

