
UEBA Deployment Guide – Configure the Module

Configure Lists

There are user-configurable lists included with the module. Use these lists to narrow the scope of AI Engine Rules and to filter events. Refer to the Description section of the List Properties to verify what should be added to the list.

  1. Open the LogRhythm Console and click List Manager on the main toolbar.
  2. Use the Name or List ID column filter to find the list you want.
  3. To open the List Properties window, double-click the list.
  4. Click on the List Items tab, and then click Add Item.
  5. Use the Add Item dialog to add items to the list individually, or click Import to import a text file or clipboard contents.
  6. Click Apply and then click OK.

To identify which lists need to be configured in the environment, see the Lists Guide.

Configure Individual AI Engine Rules

This module contains a collection of AI Engine Rules. Some rules require additional configuration to ensure that they will work properly. For configuration steps, see the AI Engine Rules Guide.

Enable AI Engine Rules

  1. Open the LogRhythm Console and click Deployment Manager on the main toolbar.
  2. Click the AI Engine tab.
  3. Filter in the Rule Group column for Core Threat Detection to find AI Engine rules tied to this module.
  4. Select the Action check box of each rule you want to configure.
  5. Right-click the AI Engine Rule Manager, click Actions, click Batch Enable Alarms, and then click Enable Alarms.
  6. If the Restart column displays “Needed” for a rule, you must restart the AI Engine service to load the new rules. Click Restart AI Engine Servers at the top of the window. (This action only restarts the necessary services, not the appliance itself.)

    You must select the AI Engine instance in the View field to see the Restart column.

To view tuning and configuration notes for a rule, right-click the rule, click Properties, and then click the Information tab.

Your LogRhythm Professional Services Engineer can also provide assistance with tuning AI Engine Rules for your environment.

Enable AI Engine Rule Alarming

Several AI Engine rules have alarms enabled by default. LogRhythm believes that these rules provide immediate insight into threats in your environment. Depending on your environment, there might be a higher than normal number of false positive alarms. You can disable alarms on rules that alarm excessively, or tune the rule to reduce false positives. Reach out to users on the LogRhythm Community to discuss your experience with rules that alarm by default, as well as with any AI Engine rule from LogRhythm.

The following table lists the rules that are set to Alarm by default.

AIE Rule Name                                   AIERuleID
Progression: to Command and Control             1285, 1290, 1295
Progression: to Exfil, Corruption, Disruption   1288, 1293, 1298
Progression: to Initial Compromise              1284, 1289, 1294
Progression: to Lateral Movement                1286, 1291, 1296
Progression: to Target Attainment               1287, 1292, 1297

Even when alarms are disabled, events are still generated whenever the rule is enabled and its criteria are satisfied. These events are displayed in the Web Console Dashboard and can be seen by running an Investigation or Tail against the Platform Manager.

Before enabling Alarming, review these events and tune rules as necessary to meet an acceptable level of false positives. Refer to the User and Entity Behavior Analytics Module User Guide for information about tuning individual AI Engine Rules. When finished tuning, enable alarming on the rules to bring events to the alarm layer, providing visibility to the monitoring team and allowing for notification and SmartResponse.

  1. Open the LogRhythm Console and click Deployment Manager.
  2. Click the AI Engine tab.
  3. Filter in the Rule Group column for Network Threat Detection to find AI Engine rules tied to this module.
    The value in the Alarm Status column indicates whether alarm is enabled for a rule.
  4. Select the Action check box of each rule you want to configure.
  5. Right-click the grid, click Actions, click Batch Enable Alarms, and then click Enable Alarms.

    Alarm settings are located on the Settings tab of the Alarm Properties dialog box.

Disable Local Windows Account Using a SmartResponse Plugin

Using SmartResponse, LogRhythm can automatically disable a local Windows account after malicious activity has been identified.

  1. Go to the LogRhythm Community.
  2. On the top menu bar, click Sharables.
  3. Click the SmartResponses tab, and then click the Disable Local Windows Account plugin and user guide. You may need to click View more articles.
  4. Follow the instructions in the guide to import the plugin and make it available to the AI Engine rules.
  5. In the LogRhythm Console, open Deployment Manager.
  6. Click Tools, click Administration, and then click Advanced Intelligence (AI) Rule Manager.
  7. Filter the Rule Group column to only contain User and Entity Behavior Analytics rules.
  8. Open the first rule and click on the Actions tab. In the Action drop-down list, select the Disable Local Windows Account plugin.
  9. As described in the Disable Local Windows Account Plugin User Guide, fill in the appropriate fields: Target Host, Target Account, Administrator Account, and Administrator Password.

Import the Web Console Dashboard Layout

Layouts currently cannot be imported as part of the KB. Instead, you must manually download and apply them.

  1. Go to the LogRhythm Community.
  2. On the top menu bar, click Sharables.
  3. Click the Dashboards tab, and then click UEBA Dashboards. You may need to click View more articles.
  4. Download the UEBA dashboards.
  5. Start a supported Web browser and log in to the LogRhythm Web Console.
  6. On the upper-right side of the page, click the Dashboard Layout icon.
  7. At the bottom of the dashboard layouts list, do one of the following depending on your user permission level:
    • Global Administrators. Click either Add Public or Add Private depending on the type of view that you want to create from the import.
    • All other users. Click Add Private.
  8. In the edit area, click Import.
    The Open dialog box appears.
  9. Navigate to and select the dashboard layout file (.wdlt) that you want to import, and then click the Open button.
    The selected dashboard layout is imported into your dashboard layout menu.

Collect SysMon Data

Most of the content in this module can be used with a variety of network security and monitoring devices from a range of vendors. A portion of the content is written specifically to take advantage of data collected by LogRhythm Sysmon, and without modification it will not function unless LogRhythm Sysmon data is being collected by the SIEM. The table below lists the objects that require LogRhythm Sysmon. You can use this content as a starting point for writing a custom rule that works with data from other devices.

AIE Rule ID   AIE Rule Name
1305          Compromise: Change to Host File
1306          Disruption: Critical Windows Binaries Modified/Deleted
1302          Compromise: Unusual Auth then Unusual Process
1248          Compromise: Abnormal Process Activity
1258          Corruption: Audit Disabled by Admin
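Because the rules above will not fire unless Sysmon data reaches the SIEM, it is worth confirming on a collection host that Sysmon is running and writing events before enabling them. The following PowerShell pre-deployment check is an added example, not part of the LogRhythm guide; it assumes the standard Sysinternals service names (Sysmon or Sysmon64) and the standard Microsoft-Windows-Sysmon/Operational log channel.

```powershell
# Added pre-deployment check (not from the LogRhythm guide): confirm that Sysmon
# is running and writing events on this host before enabling Sysmon-dependent
# AI Engine rules. Service names and log channel are the Sysinternals defaults
# and are assumed here; adjust them if your LogRhythm Sysmon install differs.
$serviceNames = @('Sysmon', 'Sysmon64')
$channel      = 'Microsoft-Windows-Sysmon/Operational'
$lookback     = (Get-Date).AddHours(-1)

# 1. Is the Sysmon service present and running?
$svc = Get-Service -Name $serviceNames -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $svc) {
    Write-Warning "No Sysmon service found on $env:COMPUTERNAME; Sysmon-dependent rules will not fire."
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "Sysmon service '$($svc.Name)' is $($svc.Status), not Running."
} else {
    Write-Output "Sysmon service '$($svc.Name)' is running."
}

# 2. Are events actually landing in the Sysmon channel? Count them per event ID
#    for the last hour; an empty result means nothing can reach the SIEM either.
$events = Get-WinEvent -FilterHashtable @{ LogName = $channel; StartTime = $lookback } `
    -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No events in '$channel' since $lookback."
} else {
    Write-Output "Sysmon events in '$channel' since ${lookback}:"
    $events | Group-Object -Property Id | Sort-Object -Property { [int]$_.Name } |
        Select-Object @{ n = 'EventId'; e = { [int]$_.Name } }, Count |
        Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session, since reading the Sysmon channel requires administrative rights by default.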