Enrichment Policy

The UEBA PreConfiguration Plugin adds the UEBA_ENRICHMENT_POLICY to LogPoint. You can view the added enrichment policy from Settings >> Configuration >> Enrichment Policies.

Installed Enrichment Policy

UEBA_ENRICHMENT_POLICY

The UEBA_ENRICHMENT_POLICY is an enrichment policy created to enrich incoming logs so that they are valid for UEBA analysis. The policy defines the following enrichment specifications:

  1. The first specification contains two enrichment criteria to check if the value of the norm_id field in a log contains WinServer and if the value of the event_id field matches a valid Event ID. If both the criteria are met, the policy applies the UEBA_ActiveDirectoryUsers enrichment source to the log. It then matches the value of the user field in the log to the sAMAccountName attribute in the source and enriches the log.

First Specification of the Enrichment Policy

Note

The following table shows the Active Directory logs accepted by UEBA.

Event ID  Description
4624      An account was successfully logged on.
4625      An account failed to log on.
4648      A logon was attempted using explicit credentials.
4768      A Kerberos authentication ticket (TGT) was requested.
4769      A Kerberos service ticket was requested.
4770      A Kerberos service ticket was renewed.
4771      Kerberos pre-authentication failed.
4772      A Kerberos authentication ticket request failed.
4773      A Kerberos service ticket request failed.
4776      The computer attempted to validate the credentials for an account.
4777      The domain controller failed to validate the credentials for an account.
4656      A handle to an object was requested.
4663      An attempt was made to access an object.
4664      An attempt was made to create a hard link.
5145      A network share object was checked to see whether client can be granted desired access.

  2. The second specification contains two enrichment criteria to check if the value of the norm_id field in a log contains WinServer and if the value of the event_id field matches a valid Event ID. If both the criteria are met, the policy applies the UEBA_SourceAddrToHostname enrichment source and enriches the log.

Second Specification of the Enrichment Policy

  3. The third specification contains an enrichment criterion to match the value of the device_category field in a log with ProxyServer. If the value matches, the policy applies the UEBA_ActiveDirectoryUsers enrichment source to the log. It then matches the value of the user field in the log to the sAMAccountName attribute in the source and enriches the log.

Third Specification of the Enrichment Policy

  4. The fourth specification contains an enrichment criterion to match the value of the device_category field in a log with ProxyServer. If the value matches, the policy applies the UEBA_SourceAddrToHostname enrichment source and enriches the log.

Fourth Specification of the Enrichment Policy

  5. The fifth specification contains an enrichment criterion to match the value of the device_category field in a log with email servers. If the value matches, the policy applies the UEBA_ActiveDirectoryUsers enrichment source to the log. It then matches the value of the sender field in the log to the mail attribute in the source and enriches the log.

Fifth Specification of the Enrichment Policy

  6. The sixth specification contains two enrichment criteria to check if the value of the label field contains VPN and if a log contains the source_address field. If both the criteria are met, the policy applies the UEBA_ActiveDirectoryUsers enrichment source to the log. It then matches the value of the user field in the log to the sAMAccountName attribute in the source and enriches the log.

Sixth Specification of the Enrichment Policy

  7. The seventh specification contains two enrichment criteria to check if the value of the sub_category field contains GlobalProtect or globalprotect and if a log contains the source_address field. If both the criteria are met, the policy applies the UEBA_ActiveDirectoryUsers enrichment source to the log. It then matches the value of the user field in the log to the sAMAccountName attribute in the source and enriches the log.

Seventh Specification of the Enrichment Policy

  8. The eighth specification contains two enrichment criteria to check if the value of the label field contains VPN and if a log contains the source_address field. If both the criteria are met, the policy applies the GeoIp enrichment source to the log. It then matches the value of the source_address field in the log to the ip_address field in the source and enriches the log.

Eighth Specification of the Enrichment Policy

  9. The ninth specification contains two enrichment criteria to check if the value of the sub_category field contains GlobalProtect or globalprotect and if a log contains the source_address field. If both the criteria are met, the policy applies the GeoIp enrichment source to the log. It then matches the value of the source_address field in the log to the ip_address field in the source and enriches the log.

Ninth Specification of the Enrichment Policy

  10. The tenth specification contains an enrichment criterion to check if the value of the device_category field in a log contains Firewall. If the value matches, the policy applies the UEBA_ProtocolTable enrichment source to the log. It then matches the value of the protocol field in the log to the protocol field in the source and enriches the log.

Tenth Specification of the Enrichment Policy

  11. The eleventh specification contains an enrichment criterion to check if the value of the device_category field in a log contains Firewall. If the value matches, the policy applies the UEBA_SourceAddrToHostname enrichment source and enriches the log.

Eleventh Specification of the Enrichment Policy

  12. The twelfth specification contains an enrichment criterion to check if the value of the device_category field in a log contains Firewall. If the value matches, the policy applies the UEBA_SourceAddrToDestHostname enrichment source and enriches the log.

Twelfth Specification of the Enrichment Policy

  13. The thirteenth specification contains three enrichment criteria to check if a log contains the user, object_name, and status fields. If all the criteria are met, the policy applies the UEBA_ActiveDirectoryUsers enrichment source to the log. It then matches the value of the user field in the log to the sAMAccountName attribute in the source and enriches the log.

Thirteenth Specification of the Enrichment Policy

  14. The fourteenth specification contains three enrichment criteria to check if a log contains the user, object_name, and status fields. If all the criteria are met, the policy applies the UEBA_SourceAddrToHostname enrichment source and enriches the log.

Fourteenth Specification of the Enrichment Policy

  15. The fifteenth specification contains two enrichment criteria to check if the value of the label field contains Authentication or Login and if a log contains the user field. If both the criteria are met, the policy applies the UEBA_ActiveDirectoryUsers enrichment source to the log. It then matches the value of the user field in the log to the sAMAccountName attribute in the source and enriches the log.

Fifteenth Specification of the Enrichment Policy

  16. The sixteenth specification contains an enrichment criterion to check if the value of the label field in a log contains Authentication or Login. If the value matches, the policy applies the UEBA_SourceAddrToHostname enrichment source and enriches the log.

Sixteenth Specification of the Enrichment Policy
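As an added example (not LogPoint's code), the following Python models how the specifications above gate and key enrichment: each specification is a set of criteria, an enrichment source, and the log field / source attribute pair used for the join. It covers the first, seventh, eighth and tenth specifications; the criteria, source names and key mappings follow the page, while the lookup tables and sample values are constructed.

```python
# Added illustration of the UEBA_ENRICHMENT_POLICY structure; the lookup
# tables below are constructed and are not the plugin's real sources.

# Event IDs the first and second specifications accept (table above).
VALID_EVENT_IDS = {4624, 4625, 4648, 4768, 4769, 4770, 4771, 4772, 4773,
                   4776, 4777, 4656, 4663, 4664, 5145}

def has(field):              # criterion: the log contains the field
    return lambda log: field in log

def contains(field, *vals):  # criterion: field value contains one of vals
    return lambda log: any(v in str(log.get(field, "")) for v in vals)

def valid_event_id(log):     # criterion: event_id is one UEBA accepts
    try:
        return int(log.get("event_id", -1)) in VALID_EVENT_IDS
    except ValueError:
        return False

# (criteria, enrichment source, log field, source attribute to join on)
SPECS = [
    ([contains("norm_id", "WinServer"), valid_event_id],
     "UEBA_ActiveDirectoryUsers", "user", "sAMAccountName"),
    ([contains("sub_category", "GlobalProtect", "globalprotect"), has("source_address")],
     "UEBA_ActiveDirectoryUsers", "user", "sAMAccountName"),
    ([contains("label", "VPN"), has("source_address")],
     "GeoIp", "source_address", "ip_address"),
    ([contains("device_category", "Firewall")],
     "UEBA_ProtocolTable", "protocol", "protocol"),
]

# Constructed enrichment sources, keyed by the attribute each spec joins on.
SOURCES = {
    "UEBA_ActiveDirectoryUsers": {"sAMAccountName": {"jdoe": {"department": "Finance"}}},
    "GeoIp": {"ip_address": {"203.0.113.7": {"country": "Example"}}},
    "UEBA_ProtocolTable": {"protocol": {"6": {"protocol_name": "tcp"}}},
}

def enrich(log):
    """Return the log plus the fields added by every matching specification."""
    out = dict(log)
    for criteria, source, log_field, attr in SPECS:
        if not all(check(log) for check in criteria):
            continue  # a single failed criterion skips this specification
        row = SOURCES[source][attr].get(str(log.get(log_field, "")))
        if row:
            out.update(row)
    return out
```

A Windows logon with an event_id outside the table (for example a process-creation event) is left unenriched, which is the performance gate the note below describes.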

Note

Since enrichment is a resource-consuming process, the UEBA PreConfiguration Plugin has predefined enrichment specifications so that enrichment is applied only to logs with specific events. Doing so results in better performance by ensuring that you enrich only the necessary logs. Therefore, we recommend that you do not edit the specifications. However, you can add or remove enrichment criteria as needed.

If you edit any default enrichment specification, the plugin adds the updated specification as a new one, and the default enrichment specification remains unchanged. However, changing only the enrichment source of the default specification does not add a new specification.
