This guide assumes the following:
- The UEBA Module has been imported and the necessary AI Engine rules have been enabled following the steps in the User and Entity Behavior Analytics Module Deployment Guide.
- Appropriate log sources, such as LogRhythm Sysmon, Windows Security Events, Firewalls, Intrusion Detection Systems, Anti-Virus and others have been configured to work with LogRhythm.
- The network entity structure has been configured so that internal and external sources can be identified for directional traffic.
- The LogRhythm Lists referenced by rules in this Module have been populated for the organization's environment.
- The LogRhythm TrueIdentity feature is fully configured.
Enabling the UEBA Module without configuring TrueIdentity may result in many false positive alarms, because user activity cannot be resolved to a single identity.
How to Use This Guide
This guide is meant to be used as a day-to-day reference for the User and Entity Behavior Analytics Module content. All the content included in this module is listed here along with a detailed explanation, suggested response, and configuration and tuning notes.
- Suppression Multiple. The Suppression Multiple, in conjunction with the Suppression Period, defines how much time must pass before the same AI Engine rule can be triggered again for the same set of criteria.
- Environmental Dependence Factor. The EDF is a high-level estimate of how much configuration and tuning effort an AI Engine rule needs before it performs as expected. It is informational only and has no effect on rule processing.
- False Positive Probability. The False Positive Probability feeds the Risk-Based Priority (RBP) calculation for AI Engine rules. It estimates how likely the rule is to generate a false positive: a low value indicates that the pattern the rule matches is almost always a true positive, while a high value indicates that the pattern is very likely to be a false positive. Values range from 0 to 9:
- 0: the pattern the rule matched is almost always a true positive
- 9: the pattern the rule matched is very likely to be a false positive
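The Suppression Multiple and Suppression Period described above decide whether a repeat match is raised as a new alarm or silently dropped, and the choice of which fields make up the "same set of criteria" is the tuning decision that matters: too few fields and a genuinely different actor is suppressed behind an earlier alarm. The following is an added illustration, not LogRhythm's own implementation. It assumes the suppression window is the Suppression Period multiplied by the Suppression Multiple, that the window is measured from the last match that actually fired, and it runs over a small set of constructed events.

```python
"""Illustrative AI Engine-style suppression (assumption: window = period * multiple)."""

from typing import Dict, List, Sequence, Tuple

# Constructed sample events for a hypothetical rule keyed on (user, host).
# "ts" is seconds since an arbitrary epoch.
SAMPLE_EVENTS: List[Dict] = [
    {"id": "e1", "ts": 0,    "user": "alice", "host": "ws1"},
    {"id": "e2", "ts": 300,  "user": "alice", "host": "ws1"},  # repeat inside window
    {"id": "e3", "ts": 400,  "user": "bob",   "host": "ws1"},  # different user, fires
    {"id": "e4", "ts": 1900, "user": "alice", "host": "ws1"},  # window expired, fires
    {"id": "e5", "ts": 2000, "user": "alice", "host": "ws2"},  # different host, fires
    {"id": "e6", "ts": 2100, "user": "alice", "host": "ws1"},  # inside new window
]


def suppression_window(period_seconds: int, multiple: int) -> int:
    """Assumed combination of the two settings: Suppression Period * Suppression Multiple."""
    if period_seconds < 0 or multiple < 1:
        raise ValueError("period must be >= 0 and multiple must be >= 1")
    return period_seconds * multiple


def evaluate(
    events: Sequence[Dict],
    period_seconds: int,
    multiple: int,
    criteria_fields: Sequence[str],
) -> Tuple[List[str], List[str]]:
    """Replay events in time order and split them into fired and suppressed ids.

    A match is suppressed if an earlier match with the same criteria key fired
    less than `window` seconds ago; suppressed matches do not extend the window.
    """
    window = suppression_window(period_seconds, multiple)
    last_fired: Dict[Tuple, int] = {}  # criteria key -> timestamp of last fired match
    fired: List[str] = []
    suppressed: List[str] = []

    for ev in sorted(events, key=lambda e: e["ts"]):
        key = tuple(ev[f] for f in criteria_fields)
        prev = last_fired.get(key)
        if prev is not None and ev["ts"] - prev < window:
            suppressed.append(ev["id"])
            continue
        last_fired[key] = ev["ts"]
        fired.append(ev["id"])

    return fired, suppressed


if __name__ == "__main__":
    # Period 600 s, multiple 3 -> 1800 s window, keyed on user and host.
    print(evaluate(SAMPLE_EVENTS, 600, 3, ("user", "host")))
    # Keying on user only collapses e5 (different host) into alice's window.
    print(evaluate(SAMPLE_EVENTS, 600, 3, ("user",)))
```

Running the two calls shows the tuning trade-off directly: with the key on (user, host), e5 fires as a separate event on a second host; with the key on user alone, e5 is suppressed behind e4 and a lateral movement across hosts would never produce its own alarm.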