Trigger Condition: UEBA module detects internal recon activites.
Query:
norm_id=UEBA threat="Possible Internal Recon" event_category=anomaly
Trigger Condition: UEBA module detects infected host.
Query:
norm_id=UEBA threat="Possible Infected Host" event_category=anomaly
Trigger Condition: UEBA module detects data exfiltration pattern.
Query:
norm_id=UEBA (threat="Possible Data Exfiltration" OR threat ="Possible Data Theft") event_category=Anomaly
Trigger Condition: UEBA module detects compromised account.
ATT&CK Category: Resource Development
ATT&CK Tag: Compromise Accounts
ATT&CK ID: T1586
Query:
norm_id=UEBA threat="Possible Compromised Account" event_category=anomaly
Trigger Condition: UEBA module detects account misuse patterns.
Query:
norm_id=UEBA threat="Possible Account Misuse" event_cateogry=anomaly
Trigger Condition: UEBA module detects exfiltration with a high-risk score.
Query:
norm_id=UEBA (threat="Possible Exfiltration" OR threat ="Potential Data Theft") event_category=anomaly
Trigger Condition: UEBA module detects collection with a high-risk score.
Query:
norm_id=UEBA threat="Possible Collection" event_category=anomaly
Trigger Condition: UEBA module detects credential access with a high-risk score.
Query:
norm_id=UEBA threat="Possible Credential Access" event_category=anomaly
Trigger Condition: UEBA module detects defense evasion with a high-risk score.
Query:
norm_id=UEBA threat="Possible Defense Evasion" event_category=anomaly
Trigger Condition: UEBA module detects discovery with a high-risk score.
Query:
norm_id=UEBA threat="Possible Discovery" event_category=anomaly
Trigger Condition: UEBA module detects execution with a high-risk score.
Query:
norm_id=UEBA threat="Possible Execution" event_category=anomaly
Trigger Condition: UEBA module detects impact activity with a high-risk score.
Query:
norm_id=UEBA threat="Possible Impact" event_category=anomaly
Trigger Condition: UEBA module detects initial access with a high-risk score.
Query:
norm_id=UEBA threat="Possible Initial Access" event_category=anomaly
Go to Reports >> Report Templates >> VENDOR REPORT TEMPLATES.
Click Use Vender Report from Actions of LP_Ueba Overview.
Adding LP_Ueba Overview¶
Click Run This Report from Actions.
Running LP_Ueba Overview¶
Select Repos, Time Zone, Time Range, Export Type, and enter the Email address.
Click Submit.
Running Report¶
To view the generating reports, click Report Jobs. Go to Inbox and click PDF or HTML from Download to download the generated reports.
Widgets in reports enable you to analyze data in various ways, like text, lists, graphs and time trends. Time-bound reports summarize incidents during a specific period, such as the last five minutes or 24 hours. While creating a report, you can customize the calendar period to suit your needs.
The LP_Ueba Overview report provides:
An overview of the risk distribution (Extreme, High, Medium and Low) detected.
An overview of the risk distribution (Extreme, High, Medium and Low) by Possible Defense Evasion, Possible Exfiltration, Possible Collection, Possible Execution, Possible Initial Access, Possible Credential Access, Possible Impact, Possible Discovery, Possible Internal Recon, Possible Infected Host, Possible Data Exfiltration, Possible Compromised Account and Possible Account Misuse.
In the case of risk distribution:
Risk Level |
Risk Count |
|---|---|
Extreme |
Above 74. |
High |
Below 74 and above 49. |
Medium |
Below 50 and greater than 24. |
Low |
Below 25. |