
UEBA Deployment Guide - Upgrade Considerations


By default, updating the Knowledge Base does not update the user-customizable settings in AIE rules such as Rule Block Time Limit settings, Unique Value Rule Block occurrences, and Threshold Rule Block values. The default behaviour is intended to preserve user customizations made to the AIE rules.

You may want the latest rule settings to overwrite the existing settings as part of the Knowledge Base sync. To do so, select the Enable Advanced Synchronization Settings checkbox in the Knowledge Base Manager Synchronization Settings. Note that this option applies to all enabled Knowledge Base modules, not just the UEBA Module, so customizations to AIE rules in other modules will be overwritten as well.

For more details on how the Knowledge Base synchronization settings can affect AIE rules, see Configure Knowledge Base Synchronization Settings.

Configure Microsoft Windows Audit Logging Levels

It is highly recommended that you follow Microsoft’s guidance on “Audit Policy Recommendations.” Perform a search on Microsoft’s website for the latest recommendations.

Configure Linux Audit Logging

By default, most recent Linux distributions log a "user NOT in sudoers" event when a user attempts to run sudo without permission. The only requirement is that LogRhythm collects the authentication log (typically /var/log/auth.log on Debian-based systems and /var/log/secure on Red Hat-based systems) through a Syslog, flat file, or syslog file log source. The most common collection method is configuring syslog to forward all facilities and severities to a LogRhythm System Monitor (SysMon) Agent.
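As an added example (not LogRhythm's code and not part of this guide), the Python below parses the sudo denial line from constructed auth log samples so you can confirm the event is actually present in what the collector receives before relying on the UEBA rule. Hostnames, users, timestamps and commands are hypothetical; the "command not allowed" variant (a user who is in sudoers but not permitted that command) is included as an extension beyond the single event named above.

```python
"""Detect sudo denials in collected Linux auth logs.

Added example, not LogRhythm's code: it parses the "user NOT in sudoers"
line that sudo writes to the auth log so you can confirm the event is being
generated and collected before relying on the UEBA rule. All log lines,
hosts and users below are constructed for the example.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in the traditional syslog format found in
# /var/log/auth.log (Debian/Ubuntu) and /var/log/secure (RHEL/CentOS).
SAMPLE_AUTH_LOG = """\
Mar  3 10:14:02 web01 sudo:    alice : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:14:05 web01 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Mar  3 10:15:40 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:16:11 db01 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Mar  3 10:17:30 db01 sudo:    alice : command not allowed ; TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vim /etc/sudoers
"""

# sudo right-pads the invoking user name, hence the \s+ after "sudo:".
# Only the two denial reasons are matched; a successful sudo (bob above)
# has no reason field and is deliberately ignored.
SUDO_DENIAL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sudo(?:\[\d+\])?:\s+(?P<user>\S+) : "
    r"(?P<reason>user NOT in sudoers|command not allowed) ; "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; "
    r"COMMAND=(?P<command>.*)$"
)


@dataclass(frozen=True)
class SudoDenial:
    timestamp: str
    host: str
    user: str        # account that invoked sudo
    reason: str      # "user NOT in sudoers" or "command not allowed"
    target: str      # account sudo was asked to run as (USER=)
    command: str


def parse_sudo_denial(line: str) -> Optional[SudoDenial]:
    """Return a SudoDenial for a sudo denial line, or None for any other line."""
    m = SUDO_DENIAL_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return SudoDenial(
        timestamp=m.group("ts"),
        host=m.group("host"),
        user=m.group("user"),
        reason=m.group("reason"),
        target=m.group("target"),
        command=m.group("command"),
    )


def find_sudo_denials(log_text: str) -> List[SudoDenial]:
    """Scan a block of syslog text and return every sudo denial in order."""
    found = []
    for line in log_text.splitlines():
        event = parse_sudo_denial(line)
        if event is not None:
            found.append(event)
    return found


def denials_per_user(denials: List[SudoDenial]) -> Dict[str, int]:
    """Count denials by invoking user, the aggregation a threshold rule keys on."""
    return dict(Counter(d.user for d in denials))


if __name__ == "__main__":
    events = find_sudo_denials(SAMPLE_AUTH_LOG)
    for e in events:
        print(f"{e.timestamp} {e.host}: {e.user} denied ({e.reason}) -> {e.command}")
    print("per-user counts:", denials_per_user(events))
```

Run it against a real auth log (for example `python3 sudo_denials.py < /var/log/auth.log` after replacing the sample with stdin) to confirm the event is written at all: a host that ships only systemd-journald, with no rsyslog or syslog-ng installed, keeps sudo messages in the journal and never produces the flat file the collector reads. For forwarding, an rsyslog rule of the form `*.* @@collector.example.com:514` (all facilities and severities over TCP; the hostname is an assumption) is the "send everything" configuration the text describes.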

Data Collection Requirements

For a list of the log source types that should be collected to make effective use of each AIE rule in the UEBA Module, see the AI Engine Rule matrix.

Gather the Following Information Before Deploying the Module

The following information should be gathered prior to implementing the User and Entity Behavior Analytics Module. This information is needed when populating lists and configuring individual AI Engine Rules.

  • Critical Hosts
  • Critical Process Names/IDs
  • Organization Domain Names
  • Vulnerability Scanners