UEBA
User and Entity Behavior Analytics for anomaly detection and insider threat identification.
The User and Entity Behavior Analytics (UEBA) module provides an advanced approach to securing an organization’s infrastructure and personnel by leveraging machine learning algorithms. Powered by the UEBA Engine, it aggregates and processes events from devices used by employees to establish baseline behavior profiles and identify anomalies. The results of these analyses are visualized through intuitive UEBA Dashboards, enabling comprehensive monitoring and investigation of user and entity activities.
Events
The Events tab in the UEBA Dashboard presents data received from the UEBA Engine, visualized in a clear and structured manner. Data can be filtered by User, Computer name, Event, and Source to enhance analytical accuracy.

Data is visualized using the following graphs:
Count of Logon/off - Total count of Logon, Logoff, and Failed to Logon events within a specified time range.
Login and authentication actions - Count of login and authentication events as a function of time.
Access and privilege management - Count of access and privilege management events as a function of time.
Configuration and system registry management - Count of configuration and system registry management events as a function of time.
Service and process management - Count of service and process management events as a function of time.
Management of facilities and access to resources - Count of facility management and access-to-resource events as a function of time.
Account and group management - Count of account and group management events as a function of time.
Top 10 reported events - Ranking of the most frequently occurring events.
Top users by document count graph - Ranking of users generating the most documents.
Top 5 users by document count - Table showing the top 5 users generating the most documents.
Event actions - Number of actions for each event based on the user.
Matrix User - Computer Name - A matrix showing which users are using which devices.
Empowered AI
The Empowered AI tab provides visualizations of AI-driven analysis results, offering insights into detected anomalies and potential threats.

Each case is presented with the following graphs:
All anomalies - Displays all anomalies on a timeline.
(D)DoS risk - Shows the results of analyses checking whether a (D)DoS attack has occurred.
(D)DoS risk table - Displays the results of the analysis for each user in the Anomaly_score field and allows for the review of values for each field analyzed.
APT risk - Displays the results of analyses checking for potential APT attacks.
APT risk table - Displays the results of the analysis for each user in the Anomaly_score field and allows for the review of values for each field analyzed.
Ransomware risk - Displays the results of analyses checking for potential ransomware attacks.
Ransomware risk table - Displays the results of the analysis for each user in the Anomaly_score field and allows for the review of values for each field analyzed.
All events anomaly - Displays the results of analyses for all fields provided by the UEBA Engine to identify abnormal user behavior.
All events anomaly table - Displays the results of the analysis for each user in the Anomaly_score field and allows for the review of values for each field analyzed.
Service installation anomalies - Displays the results of analyses related to service installation anomalies.
Logon anomalies - Displays the results of analyses related to Logon, Logoff, and Failed to Logon events.
Affected users table - Displays the highest and average Anomaly_score for each user and the type of analysis in which that score occurred.
Affected users - Shows a pie chart highlighting the users most affected by anomalies.
Raw Logs
The Raw Logs tab displays the basic information provided by the UEBA Engine in an organized table, enabling verification of specific events, including the time, user, and device involved.

See also AI and Analytics for additional machine learning capabilities including anomaly detection rules and forecasting.