UEBA matches the previously established baselines with the incoming event logs for each entity and provides the outputs in two different forms:

- Anomalies
- Risk Scores
UEBA uses baselines to establish what is normal behavior for a user or entity. It then evaluates whether a new behavior of an entity is consistent with the baselines. When the behavior of a user or an entity deviates from the established baseline, UEBA triggers an anomaly. The degree of the deviation determines the significance of the anomaly. These anomalies are then listed as Anomalies in the UEBA UI.
You can identify which users and entities require immediate attention by their risk score. UEBA calculates a risk score between 0 and 100 for each entity, based on the number of significant anomalies it triggers. A high risk score indicates that the entity is showing one or more extremely anomalous behaviors.

There are four risk score classifications.
| S.N. | Risk Classification | Risk Score Range | Color |
|---|---|---|---|
| 1 | Low Risk | 00 - 25 | Gray |
| 2 | Medium Risk | 26 - 50 | Yellow |
| 3 | High Risk | 51 - 75 | Orange |
| 4 | Critical Risk | 76 - 100 | Red |
There are two risk scores:
- Entity Risk Score: The score of an individual entity. Example: the risk score of a specific user or a specific website.
- Anomaly Risk Score: The score of each anomaly. Example: the risk score for an attempted login.
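To make the baseline-to-anomaly-to-risk-score flow concrete, here is an added Python example (not UEBA's own code). It assumes a hypothetical baseline model (mean and standard deviation of an entity's past values, with a z-score threshold), an assumed anomaly scoring rule, and an assumed aggregation of significant anomalies into the entity score; only the four classification bands are taken from the table above.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Risk classification bands, taken from the table above: (low, high, label, color).
RISK_BANDS = [
    (0, 25, "Low Risk", "Gray"),
    (26, 50, "Medium Risk", "Yellow"),
    (51, 75, "High Risk", "Orange"),
    (76, 100, "Critical Risk", "Red"),
]


def classify_risk(score: int) -> tuple:
    """Map an integer 0-100 risk score to its (classification, color) from the table."""
    if not 0 <= score <= 100:
        raise ValueError(f"risk score out of range: {score}")
    for low, high, label, color in RISK_BANDS:
        if low <= score <= high:
            return label, color


@dataclass
class Anomaly:
    entity: str
    feature: str        # e.g. failed logins per day (constructed example feature)
    observed: float
    baseline_mean: float
    score: int          # anomaly risk score, 0-100


def detect_anomaly(entity, feature, history, observed, z_threshold=3.0):
    """Compare one new observation with the entity's baseline.

    Assumption: the baseline is the mean/stddev of past values, and an anomaly
    is raised when the new value is at least z_threshold deviations above it.
    """
    mu = mean(history)
    sigma = pstdev(history) or 1.0      # flat baseline: treat one unit as one sigma
    z = (observed - mu) / sigma
    if z < z_threshold:
        return None                     # consistent with the baseline, no anomaly
    # Assumption: the anomaly score grows with the deviation and is capped at 100.
    return Anomaly(entity, feature, observed, mu, min(100, int(round(z * 10))))


def entity_risk_score(anomalies, significant=26):
    """Assumption: the entity score sums its significant anomalies (Medium or above), capped at 100."""
    return min(100, sum(a.score for a in anomalies if a.score >= significant))
```

With a constructed history of 2, 2, 4, 4 failed logins per day, an observation of 5 stays within the baseline, 8 raises a Medium anomaly, and 30 raises one scored 100, pushing the entity into the Critical band.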