Overview

You can use Overview to enable UEBA, check the health status of the system, and see which Distributed Logpoints are connected to the Search Head for UEBA analysis. Logpoint communicates with the IP through the Search Head, even when you have two or more public IPs.

Important

Disabling UEBA or license expiration won’t delete selected entities and repositories. They’ll remain unchanged if you enable UEBA again or renew the license.

Enabling UEBA

To use UEBA, you need to enable it.

If you have enabled it but have not purchased a license, click the UEBA icon to view information about it. You can also use Book a Demo if you want to watch and understand how UEBA works.

  1. Go to Settings >> Configuration from the navigation bar and click UEBA Board.

    [Figure: UEBA Board]

  2. Click Overview.

  3. Click Enable UEBA.

    [Figure: Enabling UEBA]

  4. Click Yes.

After enabling UEBA, make sure the Logpoint system settings are configured to use the log timestamp. See System Settings for details.

Disabling UEBA

  1. Go to Settings >> Configuration from the navigation bar and click UEBA Board.

  2. Click Overview.

  3. Click Disable UEBA.

    [Figure: Disabling UEBA]

  4. Click Yes.

Health Status

Health Status contains the number of:

  • Days UEBA is used or active.

  • Active Directory logs sent in the last 24 hours.

  • Web proxy logs sent in the last 24 hours.

  • Email logs sent in the last 24 hours.

  • VPN logs sent in the last 24 hours.

  • Authentication logs sent in the last 24 hours.

  • Resource access logs sent in the last 24 hours.

  • SAP security audit logs sent in the last 24 hours.

  • Azure AD logs sent in the last 24 hours.

[Figure: Health Status]

Validation Summary

Validation Summary displays the total number of:

  • Historical and real-time logs analyzed for data validation in the past two days.

  • Invalid logs detected in the past two days while running the validation.

  • Invalid logs found according to the different data sources.

[Figure: UEBA Validation Summary]

You can also view a Validation Summary Report for more details. Click Report to view:

  1. Timestamp: Shows the date and time of the violation.

  2. Source Type: Shows the data source of the violation: Active Directory, web proxy, email, VPN, authentication, resource access, SAP security audit, or Azure AD.

  3. Type: Shows the violation type, that is, whether a mandatory field is missing or a field value is invalid.

  4. Validation Message: Provides details of the violation.

  5. Actions: Lets you search for the respective violation at that timestamp by clicking the Search Log icon.

[Figure: UEBA Validation Report]

Connected Nodes

Connected Nodes is a list of all Distributed Logpoints that UEBA analyzes. A node is listed when a repo from within a Distributed Logpoint is selected.

[Figure: Connected Nodes]
