UEBA Suspicious Activity Detected
The UEBA Suspicious Activity Detected playbook detects and investigates unusual behavior and measures the likelihood that the suspicious activity is a threat. It leverages the UEBA Triage sub-playbook to aggregate and assess data including the incident ID, alert, threat type and category. UEBA Suspicious Activity Detected then creates response tasks and compiles the results into a report sent to your security team.
1. Trigger - retrieves the start and end time, the query that produced the incident, rows_count, name and incident ID from the SIEM incident.
2. Query - runs the query in Logpoint SIEM. The $(orig_query) parameter takes the incident's query defined in the Trigger action block as its value, and the whole query is run again with the count() command, which returns the counts for the user, category, threat, alert, detectorId, families, risk and templates_info fields in JSON format.
3. For Each - loops over the query results from the Query action block, taking each element of the user, category, threat, alert, detectorId, families, risk and templates_info fields, and feeds them into the sub-playbook.
4. Playbook - the UEBA Triage sub-playbook receives user, category, threat, alert, detectorId, families, risk, templates_info and share from the For Each action block and the incident ID from the Trigger action block, checks the permanent and temporary whitelisted users, and emails the findings to the security analyst.
5. End - retrieves the parameters user, category, threat, alert, detectorId, families, risk, templates_info and share from the sub-playbook; their values can be seen under Results in Monitoring. The values are further analyzed by the security team.
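The five steps above as a runnable model, added here as an example and not Logpoint's playbook code: the aggregated query rows, the whitelist contents, the expiry handling for temporary entries and the meaning of the share field are assumptions.

```python
"""Model of the triage logic in the UEBA Suspicious Activity Detected flow.
Constructed example, not Logpoint's playbook code; field names follow the page,
the whitelist contents and the meaning of 'share' are assumptions."""
from datetime import datetime, timezone

# Constructed sample rows, shaped like the Query step's count() aggregation output.
QUERY_ROWS = [
    {"user": "alice", "category": "account", "threat": "impossible_travel", "alert": "UEBA-101",
     "detectorId": "det-1", "families": "login", "risk": 72, "templates_info": "tpl-a", "count()": 3},
    {"user": "svc_backup", "category": "host", "threat": "rare_process", "alert": "UEBA-102",
     "detectorId": "det-2", "families": "process", "risk": 40, "templates_info": "tpl-b", "count()": 1},
    {"user": "bob", "category": "account", "threat": "brute_force", "alert": "UEBA-103",
     "detectorId": "det-3", "families": "login", "risk": 55, "templates_info": "tpl-c", "count()": 8},
]

# Assumed whitelists: permanent entries never expire, temporary entries carry an expiry (UTC).
PERMANENT_WHITELIST = {"svc_backup"}
TEMPORARY_WHITELIST = {"bob": datetime(2024, 6, 30, tzinfo=timezone.utc)}
EXAMPLE_NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)  # assumed evaluation time, before bob's expiry
FIELDS = ("user", "category", "threat", "alert", "detectorId", "families", "risk", "templates_info")

def is_whitelisted(user: str, now: datetime) -> bool:
    """Permanent whitelist always applies; a temporary entry applies only until its expiry."""
    if user in PERMANENT_WHITELIST:
        return True
    expiry = TEMPORARY_WHITELIST.get(user)
    return expiry is not None and now < expiry

def triage(rows: list[dict], incident_id: str, now: datetime) -> list[dict]:
    """For Each + sub-playbook: one result per row, with 'share' marking what reaches the analyst."""
    results = []
    for row in rows:
        result = {field: row[field] for field in FIELDS}
        result["incident_id"] = incident_id
        # Assumed meaning of 'share': 'whitelisted' rows are only logged, 'escalate' rows are emailed.
        result["share"] = "whitelisted" if is_whitelisted(row["user"], now) else "escalate"
        results.append(result)
    return results

def build_report(results: list[dict]) -> dict:
    """End step: compile the escalated rows into the summary mailed to the security team."""
    escalated = [r for r in results if r["share"] == "escalate"]
    return {
        "incident_id": results[0]["incident_id"] if results else None,
        "escalated_users": sorted(r["user"] for r in escalated),
        "max_risk": max((r["risk"] for r in escalated), default=0),
        "whitelisted_count": len(results) - len(escalated),
    }
```

Evaluating the same rows at a later time lets the temporary entry lapse, so bob moves from whitelisted to escalated while the permanent entry for svc_backup still holds.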