Overview

The Overview page lets you enable or disable UEBA, displays the health status of the system, and shows a list of all the Distributed LogPoints connected to the Search Head for UEBA analysis.

In the Distributed LogPoint mode, you can enable UEBA only in the LogPoint Search Head. However, if you have not selected any repos of the Distributed LogPoints in the Search Head, you can enable UEBA in the Distributed LogPoints as well.

Note

Before enabling UEBA, you need appropriately normalized and enriched input logs of at least 30 days for proper baselines. LogPoint provides the UEBA PreConfiguration Plugin for easy configuration of the enrichment sources and the enrichment policy. Refer to the UEBA PreConfiguration Plugin Guide for details on preparing your input logs.

Enabling UEBA

  1. Go to Settings >> Configuration from the navigation bar and click UEBA Board.

    Figure: UEBA Board

  2. Select the Overview tab.

  3. Click Enable UEBA.

    Figure: Enabling UEBA

  4. Click Yes.

Disabling UEBA

  1. Go to Settings >> Configuration from the navigation bar and click UEBA Board.

  2. Select the Overview tab.

  3. Click Disable UEBA.

    Figure: Disabling UEBA

  4. Click Yes.

Health Status

The Health Status section contains the following information:

  1. The number of days UEBA has been enabled in the LogPoint.

  2. The number of Active Directory logs sent for UEBA analysis in the last 24 hours.

  3. The number of web proxy logs sent for UEBA analysis in the last 24 hours.

  4. The number of email logs sent for UEBA analysis in the last 24 hours.

  5. The number of VPN logs sent for UEBA analysis in the last 24 hours.

  6. The number of authentication logs sent for UEBA analysis in the last 24 hours.

  7. The number of resource access logs sent for UEBA analysis in the last 24 hours.

  8. The number of SAP security audit logs sent for UEBA analysis in the last 24 hours.

Figure: Health Status

Validation Summary

The Validation Summary section contains the following information:

  1. The total number of logs, both historical and real-time, analyzed in the last two days for data validation.

  2. The total number of invalid logs detected in the last two days while running the validation.

  3. The number of invalid logs found, broken down by data source.

Figure: UEBA Validation Summary

LogPoint provides the following information regarding the invalid logs:

S.N  Field               Description
---  ------------------  -----------------------------------------------------------------------------------------------------------------------------------------------
1    Timestamp           Shows the date and time of the violation.
2    Source Type         Shows the data source of the violation: Active Directory, web proxy, email, VPN, authentication, resource access, or SAP security audit.
3    Type                Shows the violation type: whether mandatory fields are missing or a field value is invalid.
4    Validation Message  Provides details of the violation.
5    Actions             Lets you search for the violation at that timestamp by clicking the Search Log icon.

Figure: UEBA Validation Report

Connected Nodes

The Connected Nodes section lists all the Distributed LogPoints connected to the LogPoint for UEBA analysis.

Figure: Connected Nodes

You have to select at least one repo from a Distributed LogPoint for it to be listed as a node on the Overview page.
