By default, updating the Knowledge Base does not update the user-customizable settings in AIE rules such as Rule Block Time Limit settings, Unique Value Rule Block occurrences, and Threshold Rule Block values. The default behavior is intended to preserve any user customizations made to the AIE rules.
If you want the latest rule settings to overwrite the existing settings as part of the Knowledge Base sync, select the Enable Advanced Synchronization Settings checkbox in the Knowledge Base Manager Synchronization Settings. Note that enabling this option applies to all enabled Knowledge Base modules, not just the UEBA Module.
For more details on how the Knowledge Base synchronization settings can affect AIE rules, see Configure Knowledge Base Synchronization Settings.
Configure Microsoft Windows Audit Logging Levels
It is highly recommended that you follow Microsoft’s guidance on “Audit Policy Recommendations.” Perform a search on Microsoft’s website for the latest recommendations.
Configure Linux Audit Logging
By default, most recent Linux distributions log the event "user NOT in sudoers" when a user who is not in the sudoers file attempts to run sudo. The only requirement here is that LogRhythm collects the auth.log through a syslog, flat file, or syslog file log source. The most common collection method is to configure rsyslog to forward all facilities and severities to a LogRhythm System Monitor Agent.
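As an added illustration (not LogRhythm's own code or parser), the following Python script parses constructed auth.log lines for the "user NOT in sudoers" event described above and counts denials per host and user, the kind of count a Threshold Rule Block in an AIE rule would evaluate. The sample lines, host names, and the threshold of 2 are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not captured from a real system).
# With rsyslog forwarding, a line such as  *.* @@<agent-ip>:514  in
# /etc/rsyslog.conf sends these to the System Monitor Agent (placeholder IP).
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:41 web01 sudo:    alice : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 09:12:55 web01 sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 09:13:02 web01 sudo:    alice : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 09:14:10 db02 sudo:   mallory : user NOT in sudoers ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/id
"""

# Matches the syslog-formatted sudo denial message and captures its fields.
SUDO_DENIED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : user NOT in sudoers ; TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)


def parse_sudo_denials(text):
    """Return one dict per 'user NOT in sudoers' line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = SUDO_DENIED_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def denials_per_user(events):
    """Count denials keyed by (host, user), the fields a rule would group on."""
    return Counter((e["host"], e["user"]) for e in events)


def users_over_threshold(events, threshold=2):
    """Return (host, user) pairs whose denial count reaches the threshold."""
    counts = denials_per_user(events)
    return sorted(key for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = parse_sudo_denials(SAMPLE_AUTH_LOG)
    for e in found:
        print(f"{e['host']} {e['user']} -> {e['target']}: {e['command']}")
    print("over threshold:", users_over_threshold(found, 2))
```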
Data Collection Requirements
For a list of the log source types that should be collected to make effective use of each AIE rule in the UEBA Module, see the AI Engine Rule matrix.
Gather the Following Information Before Deploying the Module
The following information should be gathered prior to implementing the User and Entity Behavior Analytics Module. This information is needed when populating lists and configuring individual AI Engine Rules.
- Critical Hosts
- Critical Process Names/IDs
- Organization Domain Names
- Vulnerability Scanners