In the Distributed LogPoint (DLP) mode, you can enable UEBA only in the LogPoint Search Head. However, if you have not selected any repos of the DLP machine in the Search Head, you can enable UEBA in the DLP as well. Once you enable UEBA in the DLP, you cannot select the repos of the DLP in the Search Head.
If the Search Head is down for some reason, you cannot enable UEBA in the DLP machine even if no repos of the DLP are selected in the Search Head.
You cannot disable the Open Door in the DLP machine if you have selected the repos of the DLP machine in the Search Head. To disable the Open Door, remove all the selected repos of the DLP from the UEBA Board of the Search Head. Disabling the Open Door disables UEBA in the machine. If you want to enable UEBA in the machine again, re-enable the Open Door and select the repos of the DLP machine in the Search Head.
The selected entities and repos remain unchanged even if you disable UEBA or the UEBA license expires. This means that once you re-enable UEBA or upgrade your license, the state of previously selected entities and repos remains unchanged.
You cannot delete the enrichment sources used for entity selection in UEBA even if you disable UEBA. To delete the enrichment sources, you need to delete the entity group using the enrichment source from the Entity Selection page of the UEBA Board.
If you have enabled UEBA, you must select Log Timestamp (log_ts) in the Apply Time Range On section of the Settings >> System >> System Settings >> General tab.
You must enable the following outgoing ports and domains in the network before enabling LogPoint UEBA:
| S.N. | Port | URL | IP |
|------|------|-----|----|
| 1 | 9095 | c3b1.euw1.prd.ueba.logpoint.cloud | 99.81.155.180 |
| 2 | 9095 | c3b2.euw1.prd.ueba.logpoint.cloud | 52.215.237.47 |
| 3 | 9095 | c3b3.euw1.prd.ueba.logpoint.cloud | 63.32.77.177 |
Note: All data processing will be handled in Ireland by default.
Make sure you add the DNS record to your local DNS server if you do not use a publicly available DNS server.
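A pre-flight check for the outgoing ports and domains listed above, given here as an added example that is not part of the LogPoint documentation or product. It separates a missing or wrong DNS record from a blocked port 9095; the function names and status labels are assumptions made for this example.

```python
import socket

# Endpoints copied from the table above: (hostname, documented IP, port).
UEBA_ENDPOINTS = [
    ("c3b1.euw1.prd.ueba.logpoint.cloud", "99.81.155.180", 9095),
    ("c3b2.euw1.prd.ueba.logpoint.cloud", "52.215.237.47", 9095),
    ("c3b3.euw1.prd.ueba.logpoint.cloud", "63.32.77.177", 9095),
]


def resolve_ipv4(host):
    """Return the set of IPv4 addresses the configured DNS server gives for host."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def tcp_reachable(ip, port, timeout=5.0):
    """True if an outbound TCP connection to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_endpoint(host, expected_ip, port, resolve=resolve_ipv4, connect=tcp_reachable):
    """Classify one endpoint as OK, DNS_FAIL, DNS_MISMATCH or BLOCKED."""
    try:
        resolved = resolve(host)
    except OSError:            # socket.gaierror is a subclass of OSError
        return "DNS_FAIL"      # e.g. record missing on the local DNS server
    if expected_ip not in resolved:
        return "DNS_MISMATCH"  # record exists but differs from the IP in the table
    # Connect to the documented IP so the test matches the firewall rule.
    return "OK" if connect(expected_ip, port) else "BLOCKED"


def preflight(endpoints=UEBA_ENDPOINTS, **kw):
    """Map each hostname to its status."""
    return {host: check_endpoint(host, ip, port, **kw) for host, ip, port in endpoints}


if __name__ == "__main__":
    for host, status in preflight().items():
        print(f"{status:<13}{host}")
```

Run it from the machine on which UEBA will be enabled. A successful TCP connection only shows that the port is open outbound; it does not validate the service behind it.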
We recommend that you use a standard screen resolution for a better user interface experience and report generation in UEBA.
LogPoint maintains a cache of the Matrix of Anomalies and the Top Risky Entities of the UEBA dashboard enabling the dashboard to load faster each time you open it. However, LogPoint maintains a cache only when the dashboard completely loads the data.