UEBA Board Settings¶

Selecting Repos and Enabling the History Service¶

You can select multiple repos from the drop-down list in the Select Repos section. The repos in the Repo Selector are grouped either by Distributed LogPoints (DLP) or by Repo.

1. Go to Settings >> Configuration >> UEBA Board.

2. Select the Settings tab.

3. In the Select Repos section, click Change from the drop-down list to open the Repo Selector panel. From the panel, choose to change how to group the repos.

Selecting Repos¶

4. Click Fetch Remote to fetch the repos of all the connected DLPs.

Fetching Repos¶

5. Click Reload to make the repos visible in the panel.

6. Check All repos from all LogPoints to select all the repos from all the connected LogPoints.

Selecting All Repos from all LogPoints¶

7. Search for the desired repos from the search field next to the Select all current checkbox.

Searching for Repos¶

8. Click Done.

9. Check the Enable history service option if you have 30 days of enriched and normalized input data present in your system.

   

   Enabling the History Service¶

   Note

   Enable the history service for better baseline and result. You can enable the history service only once. If you do not enable the history service, LogPoint forwards input data from the date you configure the repos.

10. Click Update Repos.

Updating Repos¶

Defining the Risk Score to Prepare Anomalies for Alerts¶

LogPoint prepares the anomalies generated by UEBA with a risk score of more than or equal to 75 to use in the alert rules. However, you can change the value of the risk score by following the steps below:

1. Go to Settings >> Configuration >> UEBA Board.

2. Select the Settings tab.

3. In the Alert Logs Configuration section, click Edit and drag the slider to change the value of the risk score.

Changing the Risk Score¶

4. Click Save.