UEBA compares the incoming event logs for each entity against that entity's previously established baselines. It then reports its findings in two forms:
Anomalies
Risk Scores
UEBA classifies the behavior of a user or an entity as an anomaly if it deviates from the established baselines. The degree of the deviation determines the significance of the anomaly.
UEBA takes the established baselines for an entity as the normal behavior for the entity. It then evaluates whether a new behavior of the entity is consistent with the baselines. An anomaly is triggered if UEBA finds the entity’s activity inconsistent.
For example, if a user typically accesses a file three times a day, UEBA establishes three accesses a day as the baseline for that user's access behavior for the file. If, on a particular day, the user accesses the file far more often than that (say, dozens of times), UEBA finds the behavior highly inconsistent with the established normal behavior and labels it as an anomaly. The larger the deviation from the baseline, the more significant the anomaly.
Note
Refer to the Anomalies Panel section for more details.
UEBA highlights the users and entities that require immediate attention by assigning them different risk scores. A risk score is a number between 0 and 100. UEBA calculates the risk score for each entity based on the number of significant anomalies it triggers. A high risk score indicates that the entity is showing one or more extremely anomalous behaviors.
LogPoint classifies the risk scores into four different types.

| S.N. | Risk Classification | Risk Score Range | Color |
|---|---|---|---|
| 1 | Low Risk | 00 - 25 | Gray |
| 2 | Medium Risk | 26 - 50 | Yellow |
| 3 | High Risk | 51 - 75 | Orange |
| 4 | Critical Risk | 76 - 100 | Red |
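The following is an added worked example, not LogPoint code, that puts the baseline, anomaly and risk-score steps described above together on a constructed sample log. The page does not document LogPoint's actual baseline model or scoring formula, so the example assumes a simple one: a per-(user, file) baseline of mean and standard deviation of daily access counts over a learning window, an anomaly wherever the day's count is at least `Z_THRESHOLD` standard deviations above the mean (the z-score being the anomaly's significance), and a per-user risk score that sums 10 times each significance, capped at 100, and is then mapped onto the four bands in the table above. The user names, file names, event counts and thresholds are all constructed for the example.

```python
"""
Illustrative UEBA-style anomaly detection and risk scoring.

Added example, not LogPoint code. The model is an assumption:
  - baseline per (user, file) = mean and population stddev of daily access
    counts over the learning window (days with no access count as zero);
  - an observation is an anomaly when its z-score against that baseline is
    at least Z_THRESHOLD; the z-score is the anomaly's significance;
  - a user's risk score is the sum of 10 * significance over the user's
    anomalies, capped at 100, mapped onto the four bands of the table above.
"""
from collections import defaultdict
from statistics import mean, pstdev

Z_THRESHOLD = 2.0   # minimum z-score that counts as an anomaly (assumption)
MIN_STDDEV = 1.0    # floor so a perfectly regular baseline cannot divide by zero

# Risk bands copied from the table above: (lower, upper, label, colour).
RISK_BANDS = [
    (0, 25, "Low Risk", "Gray"),
    (26, 50, "Medium Risk", "Yellow"),
    (51, 75, "High Risk", "Orange"),
    (76, 100, "Critical Risk", "Red"),
]

# Constructed sample log: one tuple per file-access event (day, user, file).
# Days 1-5 form the learning window; day 6 is the day being evaluated.
SAMPLE_EVENTS = (
    [(d, "alice", "payroll.xlsx")
     for d, n in zip(range(1, 6), (3, 2, 3, 4, 3)) for _ in range(n)]
    + [(6, "alice", "payroll.xlsx")] * 30   # burst far above her baseline of ~3/day
    + [(d, "bob", "report.docx") for d in range(1, 6) for _ in range(10)]
    + [(6, "bob", "report.docx")] * 13      # mild rise over his baseline of 10/day
    + [(d, "carol", "notes.txt") for d in range(1, 6) for _ in range(5)]
    + [(6, "carol", "notes.txt")] * 6       # within normal variation of 5/day
)


def daily_counts(events):
    """Return {(user, file): {day: access count}} from raw events."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, path in events:
        counts[(user, path)][day] += 1
    return counts


def build_baselines(events, learning_days):
    """Baseline per (user, file): (mean, stddev) of daily counts over the learning window."""
    baselines = {}
    for key, per_day in daily_counts(events).items():
        series = [per_day.get(d, 0) for d in learning_days]
        baselines[key] = (mean(series), max(pstdev(series), MIN_STDDEV))
    return baselines


def detect_anomalies(events, baselines, day):
    """Compare one day's counts with the baselines.
    Returns {(user, file): significance} for counts at or above Z_THRESHOLD."""
    anomalies = {}
    for key, per_day in daily_counts(events).items():
        if key not in baselines:
            continue  # no baseline yet, so nothing to compare against
        mu, sigma = baselines[key]
        z = (per_day.get(day, 0) - mu) / sigma
        if z >= Z_THRESHOLD:
            anomalies[key] = round(z, 2)
    return anomalies


def risk_scores(anomalies):
    """Aggregate anomaly significance per user into a 0-100 risk score."""
    scores = defaultdict(int)
    for (user, _path), significance in anomalies.items():
        scores[user] = min(100, scores[user] + round(10 * significance))
    return dict(scores)


def classify(score):
    """Map a 0-100 risk score onto the table's classification and colour."""
    for lower, upper, label, colour in RISK_BANDS:
        if lower <= score <= upper:
            return label, colour
    raise ValueError(f"risk score out of range: {score}")


def evaluate(events=SAMPLE_EVENTS, learning_days=range(1, 6), day=6):
    """Run baseline -> anomaly -> risk score; return {user: (score, label, colour)}."""
    baselines = build_baselines(events, learning_days)
    scores = risk_scores(detect_anomalies(events, baselines, day))
    users = sorted({user for _d, user, _p in events})
    return {u: (scores.get(u, 0), *classify(scores.get(u, 0))) for u in users}


if __name__ == "__main__":
    for user, (score, label, colour) in evaluate().items():
        print(f"{user:6} risk={score:3}  {label} ({colour})")
```

Running it ranks alice (30 accesses against a baseline of about 3 a day) as Critical Risk, bob's rise from 10 to 13 as Medium Risk, and carol's 6 against 5 as Low Risk with no anomaly at all. Two details matter in practice: the standard-deviation floor, without which a perfectly regular baseline makes any change look infinitely anomalous, and the choice of learning window, since activity that is already present while the baseline is being learned becomes "normal" and will not be flagged afterwards.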