UEBA PreConfiguration adds the UEBA_ENRICHMENT_POLICY to Logpoint. You can view the added enrichment policy from Settings >> Configuration >> Enrichment Policies.
Installed Enrichment Policy
The UEBA_ENRICHMENT_POLICY enriches logs to make sure they are valid for UEBA analysis. The policy defines multiple enrichment specifications with their enrichment criteria as follows:
Two enrichment criteria to check if:
norm_id contains WinServer
event_id matches a valid event ID.
If both criteria are met, the policy applies the UEBA_ActiveDirectoryUsers enrichment source to the log. It then matches the value of user in the log to sAMAccountName in the source to enrich the log.
First Specification of the Enrichment Policy
Note: The following table shows the Active Directory logs accepted by UEBA.
| Event ID | Description |
|---|---|
| 4624 | An account was successfully logged on. |
| 4625 | An account failed to logon. |
| 4648 | A logon was attempted using explicit credentials. |
| 4768 | A Kerberos authentication ticket (TGT) was requested. |
| 4769 | A Kerberos service ticket was requested. |
| 4770 | A Kerberos service ticket was renewed. |
| 4771 | Kerberos pre-authentication failed. |
| 4772 | A Kerberos authentication ticket request failed. |
| 4773 | A Kerberos service ticket request failed. |
| 4776 | The computer attempted to validate the credentials for an account. |
| 4777 | The domain controller failed to validate the credentials for an account. |
| 4656 | A handle to an object was requested. |
| 4663 | An attempt was made to access an object. |
| 4664 | An attempt was made to create a hard link. |
| 5145 | A network share object was checked to see whether client can be granted desired access. |
Two enrichment criteria to check if:
norm_id contains WinServer
event_id matches a valid event ID.
If both criteria are met, the policy applies the UEBA_SourceAddrToHostname enrichment source to enrich the log.
Second Specification of the Enrichment Policy
One enrichment criterion to match the value of device_category with ProxyServer. If the value matches, the policy applies the UEBA_ActiveDirectoryUsers enrichment source to the log. It then matches the value of user in the log to sAMAccountName in the source to enrich the log.
Third Specification of the Enrichment Policy
One enrichment criterion to match the value of device_category in a log with ProxyServer. If the value matches, the policy applies the UEBA_SourceAddrToHostname enrichment source to enrich the log.
Fourth Specification of the Enrichment Policy
One enrichment criterion to match the value of device_category in a log with email servers. If the value matches, the policy applies the UEBA_ActiveDirectoryUsers enrichment source to the log. It then matches the value of sender in the log to mail in the source to enrich the log.
Fifth Specification of the Enrichment Policy
Two enrichment criteria to check if:
label contains VPN
The log contains source_address.
If both the criteria are met, the policy applies the UEBA_ActiveDirectoryUsers enrichment source to the log. It then matches the value of user in the log to sAMAccountName in the source and enriches the log.
Sixth Specification of the Enrichment Policy
Two enrichment criteria to check if:
sub_category contains GlobalProtect or globalprotect
The log contains source_address.
If both the criteria are met, the policy applies the UEBA_ActiveDirectoryUsers enrichment source to the log. It then matches the value of user in the log to sAMAccountName in the source to enrich the log.
Seventh Specification of the Enrichment Policy
Two enrichment criteria to check if:
label contains VPN
The log contains source_address.
If both the criteria are met, the policy applies the GeoIp enrichment source to the log. It then matches the value of source_address in the log to ip_address in the source to enrich the log.
Eighth Specification of the Enrichment Policy
Two enrichment criteria to check if:
sub_category contains GlobalProtect or globalprotect
The log contains source_address.
If both the criteria are met, the policy applies the GeoIp enrichment source to the log. It then matches the value of source_address in the log to ip_address in the source to enrich the log.
Ninth Specification of the Enrichment Policy
Three enrichment criteria to check if a log contains user, object_name, and status. If all the criteria are met, the policy applies the UEBA_ActiveDirectoryUsers enrichment source to the log. It then matches the value of user in the log to sAMAccountName in the source to enrich the log.
Tenth Specification of the Enrichment Policy
Three enrichment criteria to check if a log contains user, object_name, and status. If all the criteria are met, the policy applies the UEBA_SourceAddrToHostname enrichment source to enrich the log.
Eleventh Specification of the Enrichment Policy
Two enrichment criteria to check if:
label contains Authentication or Login
The log contains user.
If both the criteria are met, the policy applies the UEBA_ActiveDirectoryUsers enrichment source to the log. It then matches the value of user in the log to sAMAccountName in the source to enrich the log.
Twelfth Specification of the Enrichment Policy
One enrichment criterion to check if the value of label contains Authentication or Login. If the value matches, the policy applies the UEBA_SourceAddrToHostname enrichment source to enrich the log.
Thirteenth Specification of the Enrichment Policy
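To check which of the thirteen specifications above would fire on a given log, and with which lookup key, the matching rules can be modelled in a few lines. This is an added example, not Logpoint's enrichment engine or any code from UEBA PreConfiguration; the enrichment sources are constructed toy tables, the field names the enrichment adds (`ad_user`, `source_hostname`, `geo`), the `EmailServer` device category and the `source_address` key of UEBA_SourceAddrToHostname are assumptions, and `event_id` is assumed to be an integer field.

```python
# Constructed model of the UEBA_ENRICHMENT_POLICY matching rules (not Logpoint code).

# Event IDs accepted by UEBA, taken from the table on this page.
VALID_EVENT_IDS = {4624, 4625, 4648, 4768, 4769, 4770, 4771, 4772, 4773,
                   4776, 4777, 4656, 4663, 4664, 5145}
EMAIL_CATEGORY = "EmailServer"   # assumption: the page only says "email servers"

# Constructed sample enrichment sources (toy data, not real accounts or hosts).
AD_USERS = {"jdoe": {"sAMAccountName": "jdoe", "mail": "jdoe@example.com",
                     "department": "Finance"}}
AD_BY_MAIL = {u["mail"]: u for u in AD_USERS.values()}
ADDR_TO_HOST = {"10.0.0.5": "WS-FIN-01"}           # assumed key: source_address
GEOIP = {"203.0.113.9": {"ip_address": "203.0.113.9", "country": "NL"}}


def _contains(log, field, *needles):
    """True if any needle is a substring of log[field] (the 'contains' criterion)."""
    return any(n in str(log.get(field, "")) for n in needles)


def enrich(log):
    """Return a copy of `log` plus the fields each matching specification adds."""
    out, ad, host, geo = dict(log), False, False, False
    # Specs 1-2: Windows Server logs carrying an accepted event_id (integer assumed).
    if _contains(log, "norm_id", "WinServer") and log.get("event_id") in VALID_EVENT_IDS:
        ad = host = True
    # Specs 3-4: proxy logs.
    if log.get("device_category") == "ProxyServer":
        ad = host = True
    # Spec 5: e-mail logs are keyed on sender -> mail, not user -> sAMAccountName.
    if log.get("device_category") == EMAIL_CATEGORY and log.get("sender") in AD_BY_MAIL:
        out["ad_user"] = AD_BY_MAIL[log["sender"]]
    # Specs 6-9: VPN or GlobalProtect logs that carry a source_address.
    vpn = (_contains(log, "label", "VPN")
           or _contains(log, "sub_category", "GlobalProtect", "globalprotect"))
    if vpn and "source_address" in log:
        ad = geo = True
    # Specs 10-11: object-access logs with user, object_name and status.
    if all(f in log for f in ("user", "object_name", "status")):
        ad = host = True
    # Specs 12-13: authentication logs; the AD lookup additionally needs user.
    if _contains(log, "label", "Authentication", "Login"):
        host = True
        if "user" in log:
            ad = True
    # Apply the selected sources; a lookup that finds no record adds nothing.
    if ad and log.get("user") in AD_USERS:
        out["ad_user"] = AD_USERS[log["user"]]           # user -> sAMAccountName
    if host and log.get("source_address") in ADDR_TO_HOST:
        out["source_hostname"] = ADDR_TO_HOST[log["source_address"]]
    if geo and log.get("source_address") in GEOIP:
        out["geo"] = GEOIP[log["source_address"]]        # source_address -> ip_address
    return out
```

Feeding a log with an event ID outside the table (for example 4634) returns it unchanged, which is the behaviour the note below describes: only logs with the listed events are enriched.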
Note: Since enrichment is a resource-consuming process, UEBA PreConfiguration ships predefined enrichment specifications so that enrichment is applied only to logs with specific events. This improves performance by ensuring that only the necessary logs are enriched. Therefore, we recommend that you do not edit the specifications. However, you can add or remove enrichment criteria as needed.
If you edit any default enrichment specification, UEBA PreConfiguration adds the updated specification as a new one, and the default enrichment specification remains unchanged. However, changing only the enrichment source of the default specification does not add a new specification.