UEBA

User and Entity Behavior Analytics, or UEBA, uses machine learning models to determine the baseline behavior of users and entities across selected log sources. New activity is then compared against this baseline and rated with a risk score. Entities whose score marks them as risky can then be investigated further or used to create an incident in Logpoint SIEM.

UEBA requires at least 30 days of logs to establish a proper baseline. After that, the baseline is updated daily. To prepare these logs by configuring normalization and enrichment, see the UEBA PreConfiguration Plugin Guide.

UEBA uses behavior analysis instead of predefined rules to decide what is abnormal. Because each user or entity is compared against its own learned behavior, the system flags only deviations from that behavior, which reduces false positives.

For example, if user Bob routinely needs an average of more than 300 GB of data for his job, a predefined rule that alerts on large data access would trigger on his normal activity. This would be a false positive. With a baseline established for Bob's normal behavior, an alert is triggered only when his behavior deviates from that baseline.
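The contrast between a fixed rule and a per-entity baseline, as an added example that is not part of this guide and not Logpoint's UEBA implementation: each user gets a rolling 30-day baseline (mean and standard deviation) of daily data-access volume, new observations are scored 0-100 against that user's own baseline, and the result is compared with a hypothetical static "large data access" rule. The user names, the 200 GB threshold, the 75-point flag score, the scoring formula and the daily volumes are all constructed for illustration.

```python
"""Per-entity behavioral baseline versus a static threshold rule.

Added example, not Logpoint's UEBA implementation. It models the idea from the
text: learn each user's normal daily data-access volume from a 30-day window,
score new activity against that user's own baseline, and contrast the result
with a fixed "large data access" rule. All names, thresholds and data are
constructed for illustration.
"""
from collections import deque
from statistics import mean, pstdev

BASELINE_DAYS = 30            # minimum history the text says UEBA needs
STATIC_THRESHOLD_GB = 200.0   # hypothetical fixed rule: alert above this
MIN_STDEV_GB = 1.0            # floor so a flat baseline does not divide by zero
FLAG_SCORE = 75               # hypothetical risk score at which an entity is "risky"

# Constructed 30-day history of daily data-access volume in GB per user.
# Bob legitimately moves about 300 GB/day; Alice about 20 GB/day.
HISTORY = {
    "bob":   [290 + (day * 7) % 25 for day in range(BASELINE_DAYS)],
    "alice": [15 + (day * 3) % 11 for day in range(BASELINE_DAYS)],
}


class EntityBaseline:
    """Rolling 30-day baseline (mean/stdev) of one metric for one entity."""

    def __init__(self, samples):
        if len(samples) < BASELINE_DAYS:
            raise ValueError("need at least %d days of logs" % BASELINE_DAYS)
        self.window = deque(samples[-BASELINE_DAYS:], maxlen=BASELINE_DAYS)

    @property
    def mu(self):
        return mean(self.window)

    @property
    def sigma(self):
        return max(pstdev(self.window), MIN_STDEV_GB)

    def risk_score(self, value):
        """0-100 score: how far above this entity's own normal the value is."""
        z = (value - self.mu) / self.sigma
        return int(min(100, max(0, round(25 * z))))

    def update(self, value):
        """Daily refresh: the oldest day drops out as the new one is added."""
        self.window.append(value)


def build_baselines(history):
    """One baseline per user from the 30-day history."""
    return {user: EntityBaseline(days) for user, days in history.items()}


def static_rule_alerts(daily_volumes):
    """Count the days on which the fixed threshold rule would have fired."""
    return sum(1 for gb in daily_volumes if gb > STATIC_THRESHOLD_GB)


def score_activity(baselines, user, gb):
    """Return (risk_score, flagged) for one new observation of a user."""
    score = baselines[user].risk_score(gb)
    return score, score >= FLAG_SCORE


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    # Static rule: fires on every one of Bob's normal days (false positives)
    # and never on Alice, even when she moves 150 GB (about 7x her normal).
    print("static rule, bob's 30 normal days:", static_rule_alerts(HISTORY["bob"]))
    print("static rule, alice at 150 GB:", static_rule_alerts([150]))
    # Baseline: Bob at 310 GB is ordinary; Alice at 150 GB is a strong outlier.
    for user, gb in (("bob", 310), ("alice", 150), ("bob", 900)):
        score, flagged = score_activity(baselines, user, gb)
        print(f"{user} {gb} GB -> risk {score}, flagged={flagged}")
```

Running the block shows the two failure modes of the fixed rule side by side: it fires on all 30 of Bob's ordinary days yet stays silent when Alice moves 150 GB, while the per-user baseline leaves Bob's 310 GB unflagged and scores Alice's 150 GB at 100. The `update` method is the daily refresh the text describes; the `MIN_STDEV_GB` floor is the practical guard for entities whose history is nearly constant, where an unguarded z-score would blow up on the first small change.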
