To avoid a data breach, your organization must detect and respond quickly to anomalous activity. User and entity behavior analytics (UEBA) can help you monitor for known threats and behavioral changes in user data, providing critical visibility to uncover user-based threats that might otherwise go undetected.

LogRhythm UEBA and CloudAI can:

  • Collect and prepare data from diverse sources to provide clean sets for effective analytics.
  • Obtain a true view of the identity of users and hosts — not just disparate identifiers.
  • Detect known and unknown threats by applying full-spectrum analytics.
  • Accelerate threat qualification and investigation with powerful data visualizations and direct access to underlying data.
  • Streamline response using integrated playbooks, guided workflows, and approval-driven task automation.
  • Use artificial intelligence (AI) and machine learning (ML) technologies to improve time to detect and respond to threats.

The User and Entity Behavior Analytics Module (UEBAM) is a collection of AI Engine rules designed to detect unusual or malicious user activity occurring within your organization.

The UEBA Module contains licensed content that is available only to customers with a valid subscription.

Module Revisions

The following table summarizes the changes that have been made since the last release (v2) of the User and Entity Behavior Module.

AIE Rule ID   AIE Rule Name

New
1490          Exfiltration: CloudAI and File (NGFW) Detection
1491          Exfiltration: CloudAI and Sensitive Data (NGFW) Detection

Modified
1245          Attainment: Abnormal File Access
1246          Attainment: Corroborated Account Anomalies
1247          C2: Abnormal Origin Location
1248          Compromise: Abnormal Process Activity
1249          C2: Blacklist Location Auth
1250          Compromise: Concurrent Authentication Success from Multiple Locations
1251          Recon: Linux sudo Privilege Escalation
1252          Compromise: Windows RunAs Privilege Escalation
1253          Compromise: Auth After Numerous Failed Auths
1254          Compromise: Auth After Security Event
1255          Compromise: Distributed Brute Force
1256          Compromise: External Brute Force Auths
1257          Compromise: Lateral Movement With Account Sweep
1258          Corruption: Audit Disabled by Admin
1259          Disruption: Files Deleted by Admin
1260          Lateral: Abnormal Auth Behavior
1261          Compromise: Account Added to Admin Group
1262          Lateral: Admin Password Modified
1263          Lateral: Auth After Dispersed Failed Auths
1264          Lateral: Brute Force Internal Auth Failure
1265          Lateral: External Attack then Account Creation
1266          Lateral: Failed Auths then Success
1267          Lateral: Internal Attack then Account Creation
1268          Lateral: Internal Recon then Account Creation
1269          Lateral: Multiple Account Passwords Modified by Admin
1270          Lateral: Numerous and Dispersed Internal Failed Auths
1271          Lateral: Numerous Internal Failed Auths
1272          Lateral: Password Modified by Admin
1273          Lateral: Privilege Escalation after Attack
1278          Compromise: CloudAI Multiple User Threat Events
1279          Recon: Disabled Account Auth Failures
1281          Recon: Failed External Auth to Multiple Hosts
1282          Recon: Failed External Auth from Multiple Hosts
1283          Recon: Multiple Lockouts
1284          Progression: to Initial Compromise
1285          Progression: to Command and Control
1286          Progression: to Lateral Movement
1287          Progression: to Target Attainment
1288          Progression: to Exfil, Corruption, Disruption
1289          Progression: to Initial Compromise
1290          Progression: to Command and Control
1291          Progression: to Lateral Movement
1292          Progression: to Target Attainment
1293          Progression: to Exfil, Corruption, Disruption
1294          Progression: to Initial Compromise
1295          Progression: to Command and Control
1296          Progression: to Lateral Movement
1297          Progression: to Target Attainment
1298          Progression: to Exfil, Corruption, Disruption
1299          Compromise: Log Cleared
1300          Compromise: Security Event then Process Starting
1301          Compromise: System Time Change
1302          Compromise: Unusual Auth then Unusual Process
1303          Compromise: Security Event then Scheduled Task
1304          Lateral: Locally Created and Used
1305          Compromise: Change to Host File
1306          Disruption: Critical Windows Binaries Modified/Deleted
1307          Compromise: CloudAI and Recent User Location
1308          Compromise: CloudAI and Location Watch List
1309          Compromise: CloudAI and User Recently Added to a Privileged Group
1310          Compromise: CloudAI and User related Security Classification Event
1336          Compromise: CloudAI Threat Event and Identity Lists

Unchanged
1312          Compromise: CloudAI Threat Event

Removed
N/A