LogPoint UEBA Architecture

UEBA runs in the cloud. LogPoint sends data to UEBA for threat analysis in one of two ways, depending on the configured mode of operation. The modes of operation are:

  1. Standalone mode

  2. Distributed LogPoint mode

Standalone Mode

../_images/ueba_architecture_standalone.png

Architecture in the Standalone Mode

In Standalone mode, a single LogPoint collects logs from the configured sources, then normalizes and enriches them. It then encrypts the data from the selected repos and sends it to the cloud; only the repos selected for UEBA leave the LogPoint.

In the cloud, UEBA matches the incoming logs against the baselines it has previously established for each entity. It returns the detected anomalies and a risk score for each configured entity. LogPoint decrypts the output and displays the results in the UEBA dashboard.

Distributed LogPoint Mode

../_images/ueba_architecture_dlp.png

Architecture in the Distributed LogPoint Mode

In Distributed LogPoint mode, each Distributed LogPoint collects logs from its configured sources, then normalizes and enriches them. The Search Head collects the logs from the selected repos of the Distributed LogPoints and from its own selected repos, encrypts the data, and sends it to the cloud.

In the cloud, UEBA matches the incoming logs against the baselines it has previously established for each entity. It returns the detected anomalies and a risk score for each configured entity. The Search Head decrypts the output and displays the results in the UEBA dashboard.

Note

  • The UEBA dashboard is available only on the Search Head; it is not present on the Distributed LogPoints.

  • LogPoint stores each customer's data in a separate logical container in the cloud. This separation ensures that there is no association between your data and the data of other customers.
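The following is an added example, not LogPoint's own code, that models the data flow described for both modes above: one or more nodes hold repos of normalized events, a search head gathers only the selected repos (its own plus those of the distributed nodes; a standalone deployment is the same flow with a single node), encrypts the batch, and a cloud-side analyzer matches each event against per-entity baselines and returns anomalies and risk scores, which the search head decrypts. The event fields, repo names, scoring weights, the pre-shared key and the HMAC-based encrypt-then-MAC transport are all assumptions made for this illustration; the real product's cipher, baseline model and scoring are not documented on this page.

```python
"""Toy model of the UEBA data flow: an added example, not LogPoint code.
Nodes hold repos of normalized events; the search head gathers the selected
repos, encrypts the batch, and a "cloud" analyzer matches each event against
per-entity baselines and returns anomalies plus risk scores. Field names,
repo names, weights, the shared key and the cipher are assumptions only."""
import hashlib
import hmac
import json
import os
import statistics
from collections import defaultdict

# ---- transport: illustrative encrypt-then-MAC built from HMAC-SHA256 ----
def _subkey(key, label):
    # separate keys for the keystream and the tag, derived from one shared key
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: blob was altered in transit")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

# ---- cloud side: baselines and anomaly scoring (weights are arbitrary) ----
def build_baselines(history):
    """Per entity: the set of source hosts seen and the mean/stdev logon hour."""
    by_user = defaultdict(list)
    for ev in history:
        by_user[ev["user"]].append(ev)
    baselines = {}
    for user, evs in by_user.items():
        hours = [ev["hour"] for ev in evs]
        baselines[user] = {
            "hosts": {ev["src_host"] for ev in evs},
            "hour_mean": statistics.mean(hours),
            "hour_stdev": statistics.pstdev(hours) or 1.0,  # avoid division by zero
        }
    return baselines

def analyze(batch, baselines):
    """Match each event against its entity's baseline; accumulate a risk score."""
    risk, anomalies = defaultdict(int), []
    for ev in batch:
        user, base = ev["user"], baselines.get(ev["user"])
        if base is None:
            anomalies.append([user, "no baseline for entity"])
            risk[user] += 10
            continue
        if ev["src_host"] not in base["hosts"]:
            anomalies.append([user, f"new source host {ev['src_host']}"])
            risk[user] += 30
        z = abs(ev["hour"] - base["hour_mean"]) / base["hour_stdev"]
        if z > 3:
            anomalies.append([user, f"unusual hour {ev['hour']} (z={z:.1f})"])
            risk[user] += 20
    return {"anomalies": anomalies, "risk": dict(risk)}

# ---- search head side ----
def gather(nodes, selected_repos):
    """Collect events from the selected repos of every node (search head included)."""
    return [ev for node in nodes for repo, evs in node.items()
            if repo in selected_repos for ev in evs]

def run_ueba(nodes, selected_repos, baselines, key):
    """Encrypt the batch, let the cloud analyze it, decrypt and return the result."""
    blob = encrypt(key, json.dumps(gather(nodes, selected_repos)).encode())
    # cloud: decrypt, analyze, encrypt the verdict for the return trip
    reply = encrypt(key, json.dumps(analyze(json.loads(decrypt(key, blob)), baselines)).encode())
    return json.loads(decrypt(key, reply))

# Constructed sample data: historical logons used for baselines, then one day's batch.
HISTORY = ([{"user": "alice", "src_host": "ws-01", "hour": h} for h in (8, 9, 9, 10, 8, 9)]
           + [{"user": "bob", "src_host": "ws-07", "hour": h} for h in (13, 14, 14, 15)])
SEARCH_HEAD = {"windows": [{"user": "alice", "src_host": "vpn-gw", "hour": 3}]}
DLP_1 = {"windows": [{"user": "bob", "src_host": "ws-07", "hour": 14}],
         "netflow": [{"user": "alice", "src_host": "ws-01", "hour": 9}]}  # not selected below
DLP_2 = {"windows": [{"user": "carol", "src_host": "ws-99", "hour": 12}]}
NODES = [SEARCH_HEAD, DLP_1, DLP_2]
KEY = b"shared-secret-for-illustration-only"

if __name__ == "__main__":
    print(json.dumps(run_ueba(NODES, ["windows"], build_baselines(HISTORY), KEY), indent=2))
```

With only the `windows` repo selected, alice's VPN logon at 03:00 is flagged twice (new host, unusual hour) for a risk of 50, carol is flagged because no baseline exists for her yet, bob's logon matches his baseline and produces no score, and the `netflow` event never leaves the distributed node because its repo was not selected. The tampering check in `decrypt` is the point of the authenticated transport: an altered batch or verdict is rejected rather than analyzed or displayed.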

