Advanced UEBA Quick Start
Once Advanced UEBA is enabled in your account, the recommended next step is to disable the Standard UEBA policies.
The machine learning detections in Advanced UEBA automatically learn a baseline for each user and raise individual alerts when that user's behavior deviates from it. Running the static Standard UEBA policies alongside them only duplicates those detections with lower-fidelity, fixed-threshold versions, so best practice is to disable the Standard UEBA policies rather than run both sets in parallel.
The table below provides examples of the Advanced UEBA policies that will supersede the corresponding Standard UEBA policies.
| Standard UEBA Policy | Advanced UEBA Equivalent Example | Improvements |
|---|---|---|
| Bulk Failed Login | A user-based spike in failed login attempts | Advanced UEBA builds a per-user baseline and alerts on a deviation from it, instead of on a statically configured threshold. |
| Bulk Delete | A user-based spike in files deleted, detected from real-time protection | Advanced UEBA builds a per-user baseline and alerts on a deviation from it, instead of on a statically configured threshold. |
| Bulk Upload | A user-based spike in sensitive data uploaded to personal apps | Advanced UEBA builds a per-user baseline and alerts on a deviation from it, instead of on a statically configured threshold. In addition, Advanced UEBA takes into account the nature of the data being moved by looking at the associated DLP policy violation alerts. |
| Bulk Download | A user-based spike in sensitive files downloaded | Advanced UEBA builds a per-user baseline and alerts on a deviation from it, instead of on a statically configured threshold. In addition, Advanced UEBA takes into account the nature of the data being moved by looking at the associated DLP policy violation alerts. |
| Proximity | First access from an IP block for the organization | Advanced UEBA identifies a compromised credential in use when an authentication or admin activity originates from a network the organization has never used before. This is higher fidelity than 'impossible travel' because it hones in on the specific malicious activity rather than on geography alone. |
| Risky Countries | First access from an IP block for the organization | Advanced UEBA identifies compromised credentials with a more precise, baseline-based policy that keys on IP blocks instead of a static country list. |
| Suspicious Data Movement | Potential sensitive data movement | Advanced UEBA builds a baseline and monitors a wider range of applications and app instances with no pre-configuration. In addition, Advanced UEBA policies do not require the customer to label instances. |
| Rare Event | The 16+ policies beginning with "First access" | Advanced UEBA uses a more precise set of policies to identify compromised credentials and insiders, significantly reducing the false positives from rare events that are not indicative of an insider threat or a compromise. |
| Shared Credentials | No direct Advanced UEBA rule | Numerous other policies in the 'Compromised Credentials' and 'Insider Threats' categories cover this scenario. |
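The table's recurring improvement is "a per-user baseline instead of a static threshold". The following added example, written for this page and not Netskope's own code or scoring model, shows why that matters on constructed failed-login counts: a fixed org-wide threshold misses a quiet user whose failures jump from 2 a day to 25, while flagging a noisy service account every day. The history values, the threshold of 30, and the median/MAD rule with its cold-start and minimum-delta guards are all assumptions made for the illustration.

```python
# Added illustration of "baseline instead of static threshold" (not Netskope's code).
# All history values, thresholds and the median/MAD rule are constructed for this example.
from statistics import median

# Constructed 14-day history of daily failed-login counts per user.
SAMPLE_HISTORY = {
    # an interactive user who mistypes a password a couple of times a day
    "alice@company.com": [2, 3, 1, 2, 4, 2, 3, 1, 2, 3, 2, 2, 3, 2],
    # a service account with a stale credential somewhere, failing ~40 times a day
    "svc-backup@company.com": [40, 42, 38, 45, 41, 39, 44, 40, 43, 41, 42, 40, 39, 41],
}
# Constructed counts for "today".
SAMPLE_TODAY = {"alice@company.com": 25, "svc-backup@company.com": 44}

STATIC_THRESHOLD = 30  # assumed org-wide, Standard-UEBA-style fixed threshold


def static_alert(count, threshold=STATIC_THRESHOLD):
    """Standard-style rule: the same fixed number for every user."""
    return count > threshold


def baseline(history):
    """Robust per-user baseline: median and median absolute deviation (MAD).
    Medians are used so one past burst does not inflate the baseline."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med, mad


def baseline_alert(history, today, k=3.0, min_delta=5, min_days=7):
    """Advanced-style rule: alert when today deviates from this user's own past.

    k         : how many MADs above the median counts as a spike
    min_delta : absolute floor so a tiny user (2 -> 4 failures) never alerts
    min_days  : cold-start guard; too little history means no baseline yet
    """
    if len(history) < min_days:
        return {"alert": False, "reason": "no baseline yet"}
    med, mad = baseline(history)
    scale = max(mad, 1.0)  # a perfectly flat history would otherwise give k*mad == 0
    limit = max(med + k * scale, med + min_delta)
    return {"alert": today > limit, "limit": limit, "median": med}


def compare(history=SAMPLE_HISTORY, today=SAMPLE_TODAY):
    """Run both rules over every user and return the decisions side by side."""
    return {
        user: {
            "today": today[user],
            "static_alert": static_alert(today[user]),
            "baseline_alert": baseline_alert(counts, today[user])["alert"],
        }
        for user, counts in history.items()
    }


if __name__ == "__main__":
    for user, result in compare().items():
        print(user, result)
```

On this input the static rule misses alice (25 is under 30) and alerts on svc-backup every day, while the per-user rule alerts on alice (limit 7 against her median of 2) and stays quiet on the service account (limit 46 against a median of 41). The `min_days` and `min_delta` guards are the two checks a practitioner wants before trusting a learned baseline: no alerts during the learning period, and no alerts on statistically "large" but operationally meaningless jumps from near zero.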
Set Up a Low UCI Threshold Alert
Admins should ensure that an alert is generated every time a user's UCI score drops below a threshold. A low UCI alert signals a user whose activity warrants analyst review. Configure it on the Incidents > Behavior Analytics page by clicking the pencil icon in the top right.
Best practice is to set the threshold to 651 so that an alert is generated whenever a user's UCI score drops out of the "good" range and into the "moderate" range.
Set Up a Process to Regularly Review Low UCI Users
A low UCI alert should trigger an analyst investigation. The alert contains the user and the Key Detection Scenario that describes the likely cause of the low confidence score. In the example low UCI alert below, daniel@company.com had a low UCI due to Compromised device – Malware.
The investigation begins by clicking the user's name on the Incidents > Behavior Analytics page. This page lists all users and their UCI scores in ascending order, so the lowest-confidence users appear first.
For the selected user, the page displays a timeline of their UCI score. Click the day on which the score dropped to see the individual anomalies that contributed to it. In this example, the list of anomalies indicates that daniel@company.com is likely infected with ransomware. Click an individual anomaly to see additional context and an event timeline.
If an anomaly or set of anomalies is not an indicator that the user has a compromised device or a compromised account, or is acting as an insider threat, use the 'Mark as Allowed' feature to remove its impact on the UCI, as shown below. Marking an anomaly as allowed suppresses that anomaly for the same user and the same feature for 45 days, after which it can be scored again if it recurs.
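The two operational details in this procedure that are easy to get wrong in a SOC runbook are when a low UCI alert fires and how long a 'Mark as Allowed' decision holds. The following added example, written for this page and not Netskope's own code, models both on a constructed timeline: it raises one alert per crossing below 651 rather than one per day the user stays low, and it treats the 45-day allow window as half-open, so an anomaly on day 45 is scored again. The feature names, the user timeline and the once-per-crossing semantics are assumptions made for the illustration.

```python
# Added illustration of the low-UCI alert and the 45-day "Mark as Allowed" window
# (not Netskope's code). The timeline, feature names and once-per-crossing alert
# semantics are assumptions constructed for this example.
from datetime import date, timedelta

LOW_UCI_THRESHOLD = 651            # recommended threshold from the guide
ALLOW_WINDOW = timedelta(days=45)  # suppression window from the guide

# Constructed daily UCI timeline for one user (no real data).
SAMPLE_TIMELINE = [
    (date(2024, 3, 1), 820),
    (date(2024, 3, 2), 790),
    (date(2024, 3, 3), 610),  # drops out of "good" -> alert
    (date(2024, 3, 4), 590),  # still low: same incident, no second alert
    (date(2024, 3, 5), 700),  # recovered
    (date(2024, 3, 6), 640),  # drops again -> new alert
]


def low_uci_alerts(timeline, threshold=LOW_UCI_THRESHOLD):
    """Return the days on which the score crosses below the threshold.

    Assumption: one alert per crossing, so an analyst is not paged every day
    a user stays in the "moderate" range while the investigation is open.
    """
    alerts, was_low = [], False
    for day, score in timeline:
        is_low = score < threshold
        if is_low and not was_low:
            alerts.append(day)
        was_low = is_low
    return alerts


# Constructed "Mark as Allowed" records: (user, feature, day it was marked).
SAMPLE_ALLOWED = [
    ("daniel@company.com", "spike_files_deleted_realtime", date(2024, 3, 1)),
]


def is_suppressed(user, feature, seen_on, allowed=SAMPLE_ALLOWED, window=ALLOW_WINDOW):
    """True if an anomaly for this (user, feature) falls inside an active allow window.
    The window is half-open: day 0 through day 44 are suppressed, day 45 is scored again."""
    return any(
        u == user and f == feature and marked <= seen_on < marked + window
        for u, f, marked in allowed
    )


def scored_anomalies(anomalies, allowed=SAMPLE_ALLOWED):
    """Drop the anomalies an analyst has allowed; the rest still affect the UCI."""
    return [a for a in anomalies if not is_suppressed(a[0], a[1], a[2], allowed)]


# Constructed anomalies: (user, feature, day observed).
SAMPLE_ANOMALIES = [
    ("daniel@company.com", "spike_files_deleted_realtime", date(2024, 3, 20)),  # inside window
    ("daniel@company.com", "spike_files_deleted_realtime", date(2024, 4, 15)),  # day 45: scored
    ("daniel@company.com", "spike_files_downloaded", date(2024, 3, 20)),        # other feature
    ("erin@company.com", "spike_files_deleted_realtime", date(2024, 3, 20)),    # other user
]

if __name__ == "__main__":
    print("low UCI alerts on:", [d.isoformat() for d in low_uci_alerts(SAMPLE_TIMELINE)])
    for a in scored_anomalies(SAMPLE_ANOMALIES):
        print("still scored:", a)
```

The allow list is keyed on user and feature together, matching the guide: allowing daniel's delete spike does not silence his download spike, nor the same feature for another user. The half-open window is the caveat to remember when you schedule the review cadence; on day 45 the behavior is scored again and can pull the UCI back down.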