UEBA Deployment Guide – Upgrade Considerations

By default, a Knowledge Base update does not overwrite the user-customizable settings in AIE rules, such as Rule Block Time Limit settings, Unique Value Rule Block occurrences, and Threshold Rule Block values. This default behavior preserves any customizations you have made to the AIE rules.

If you want the latest rule settings to overwrite your existing settings as part of the Knowledge Base sync, enable Advanced Synchronization Settings under Synchronization Settings in the Knowledge Base Manager. Be aware that this option applies to all enabled Knowledge Base modules, not just the UEBA Module, so customizations made to rules in other modules are overwritten as well.

Configure Microsoft Windows Audit Logging Levels

It is highly recommended that you follow Microsoft’s guidance in its “Audit Policy Recommendations” document. Search Microsoft’s website for the latest version of these recommendations, as they change between Windows releases.

Configure Linux Audit Logging

By default, most recent Linux distributions log a “user NOT in sudoers” event when a user who has not been granted sudo rights attempts to run sudo. The only requirement is that LogRhythm collects the authentication log (/var/log/auth.log on Debian-based distributions, /var/log/secure on RHEL-based ones) through a syslog, flat file, or syslog file log source. The most common collection method is to configure rsyslog to forward all facilities and severities to a LogRhythm System Monitor (SysMon) Agent.
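One way to set up this collection and confirm that the denied-sudo events actually appear in the log before an AIE rule depends on them, as an added example that is not part of the LogRhythm guide: a POSIX shell script that generates the rsyslog forwarding rule and parses sample auth.log lines for the “user NOT in sudoers” message. The collector hostname lr-agent.example.com, TCP port 514, and the file name 50-logrhythm.conf are assumptions (check which port your System Monitor Agent’s syslog listener actually uses). The sample log lines follow sudo’s standard message layout but are constructed for the example, not taken from a real system.

```shell
#!/bin/sh
# Added example (not LogRhythm's own code). Two pieces:
#  1. an rsyslog forwarding rule that ships every facility and severity to
#     the collector over TCP, with a disk-assisted queue so events survive a
#     collector outage (assumed hostname lr-agent.example.com, assumed port 514);
#  2. a parser that extracts the "user NOT in sudoers" events from auth.log
#     lines so you can verify the denied-sudo events are being logged.

# Print an rsyslog (RainerScript) rule forwarding *.* to $1:$2 over TCP.
rsyslog_forward_conf() {
  target="$1"; port="${2:-514}"
  cat <<EOF
# Forward all facilities and severities to the LogRhythm System Monitor Agent.
*.* action(type="omfwd" target="$target" port="$port" protocol="tcp"
           queue.type="LinkedList" queue.filename="lr_fwd"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
EOF
}

# Read auth.log lines on stdin; print one tab-separated
# "host<TAB>user<TAB>command" line per denied sudo attempt.
failed_sudo_events() {
  awk '/sudo(\[[0-9]+\])?: .* : user NOT in sudoers ;/ {
    host = $4                      # syslog header: Mon DD HH:MM:SS host
    line = $0
    # drop everything up to and including "sudo:" / "sudo[pid]:" and spaces;
    # the invoking user is the text before the first " : " separator
    sub(/^.*sudo(\[[0-9]+\])?: +/, "", line)
    split(line, f, " : ")
    user = f[1]
    cmd = line
    sub(/^.*COMMAND=/, "", cmd)    # command the user tried to run
    print host "\t" user "\t" cmd
  }'
}

# Number of denied sudo attempts in the auth.log lines on stdin.
count_failed_sudo() {
  failed_sudo_events | wc -l | tr -d ' '
}

# Constructed sample auth.log lines (not real logs): one permitted sudo,
# one wrong-password failure, and two denied ("NOT in sudoers") attempts.
SAMPLE_AUTH_LOG='Mar  3 10:15:22 web01 sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:16:03 web01 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Mar  3 10:17:41 web01 sudo:    alice : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 10:18:05 db02 sudo[4412]:    mallory : user NOT in sudoers ; TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c id'

# Stand-alone demo: write the forwarding rule to a temp directory (install it
# as /etc/rsyslog.d/50-logrhythm.conf and restart rsyslog on a real host),
# then list the denied sudo events found in the sample log.
conf_dir=$(mktemp -d)
rsyslog_forward_conf "lr-agent.example.com" 514 > "$conf_dir/50-logrhythm.conf"
echo "wrote $conf_dir/50-logrhythm.conf"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_sudo_events
```

The `*.*` selector matches the guide’s recommendation to forward all facilities and severities; sudo itself writes the denial message to the authpriv facility, so a host that forwards only `authpriv.*` still delivers this particular event, but other UEBA rules expect the remaining facilities too. The parser deliberately ignores the “incorrect password attempts” line: that is a failed authentication by a user who is in sudoers, a different signal from the privilege-escalation attempt the guide is describing.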

Data Collection Requirements

For a list of the log source types that must be collected to make effective use of each AIE rule in the UEBA Module (UEBAM), see the AI Engine Rule matrix.

Gather the Following Information Before Deploying the Module

Gather the following information before implementing the User and Entity Behavior Analytics Module. It is needed when populating lists and configuring individual AI Engine Rules.

  • Critical Hosts
  • Critical Process Names/IDs
  • Organization Domain Names
  • Vulnerability Scanners