User and Entity Behavior Analytics Module
To avoid a data breach, your organization must detect and respond quickly to anomalous activity. User and entity behavior analytics (UEBA) can help you monitor for known threats and behavioral changes in user data, providing critical visibility to uncover user-based threats that might otherwise go undetected.
LogRhythm UEBA module and CloudAI:
- Use metadata processed by the SIEM from diverse sources to provide clean sets for effective analytics.
- Offer a true view of the identity of users and hosts — not just disparate identifiers.
- Detect potential threats by applying full-spectrum analytics.
- Seamlessly integrate with the other LogRhythm tools so you can streamline the response using integrated playbooks, guided workflows, and approval-driven task automation.
The User and Entity Behavior Analytics Module (UEBAM) is a collection of AI Engine rules (deterministic rules) designed to detect potentially malicious user activity occurring within your organization. CloudAI is an advanced UEBA solution that leverages machine learning (ML) to perform anomaly detection, surfacing potential threats that could otherwise go undetected because of their complexity.
The UEBA Module contains licensed content that is available only to customers with a valid subscription.
Module Revisions
The following table summarizes the changes that have been made since the last release (v2) of the User and Entity Behavior Module.
| AIE Rule ID | AIE Rule Name |
|---|---|
| New | |
| 1490 | Exfiltration: CloudAI and File (NGFW) Detection |
| 1491 | Exfiltration: CloudAI and Sensitive Data (NGFW) Detection |
| Modified | |
| 1245 | Attainment: Abnormal File Access |
| 1246 | Attainment: Corroborated Account Anomalies |
| 1247 | C2: Abnormal Origin Location |
| 1248 | Compromise: Abnormal Process Activity |
| 1249 | C2: Blacklist Location Auth |
| 1250 | Compromise: Concurrent Authentication Success from Multiple Locations |
| 1251 | Recon: Linux sudo Privilege Escalation |
| 1252 | Compromise: Windows RunAs Privilege Escalation |
| 1253 | Compromise: Auth After Numerous Failed Auths |
| 1254 | Compromise: Auth After Security Event |
| 1255 | Compromise: Distributed Brute Force |
| 1256 | Compromise: External Brute Force Auths |
| 1257 | Compromise: Lateral Movement With Account Sweep |
| 1258 | Corruption: Audit Disabled by Admin |
| 1259 | Disruption: Files Deleted by Admin |
| 1260 | Lateral: Abnormal Auth Behavior |
| 1261 | Compromise: Account Added to Admin Group |
| 1262 | Lateral: Admin Password Modified |
| 1263 | Lateral: Auth After Dispersed Failed Auths |
| 1264 | Lateral: Brute Force Internal Auth Failure |
| 1265 | Lateral: External Attack then Account Creation |
| 1266 | Lateral: Failed Auths then Success |
| 1267 | Lateral: Internal Attack then Account Creation |
| 1268 | Lateral: Internal Recon then Account Creation |
| 1269 | Lateral: Multiple Account Passwords Modified by Admin |
| 1270 | Lateral: Numerous and Dispersed Internal Failed Auths |
| 1271 | Lateral: Numerous Internal Failed Auths |
| 1272 | Lateral: Password Modified by Admin |
| 1273 | Lateral: Privilege Escalation after Attack |
| 1278 | Compromise: CloudAI Multiple User Threat Events |
| 1279 | Recon: Disabled Account Auth Failures |
| 1281 | Recon: Failed External Auth to Multiple Hosts |
| 1282 | Recon: Failed External Auth from Multiple Hosts |
| 1283 | Recon: Multiple Lockouts |
| 1284 | Progression: to Initial Compromise |
| 1285 | Progression: to Command and Control |
| 1286 | Progression: to Lateral Movement |
| 1287 | Progression: to Target Attainment |
| 1288 | Progression: to Exfil, Corruption, Disruption |
| 1289 | Progression: to Initial Compromise |
| 1290 | Progression: to Command and Control |
| 1291 | Progression: to Lateral Movement |
| 1292 | Progression: to Target Attainment |
| 1293 | Progression: to Exfil, Corruption, Disruption |
| 1294 | Progression: to Initial Compromise |
| 1295 | Progression: to Command and Control |
| 1296 | Progression: to Lateral Movement |
| 1297 | Progression: to Target Attainment |
| 1298 | Progression: to Exfil, Corruption, Disruption |
| 1299 | Compromise: Log Cleared |
| 1300 | Compromise: Security Event then Process Starting |
| 1301 | Compromise: System Time Change |
| 1302 | Compromise: Unusual Auth then Unusual Process |
| 1303 | Compromise: Security Event then Scheduled Task |
| 1304 | Lateral: Locally Created and Used |
| 1305 | Compromise: Change to Host File |
| 1306 | Disruption: Critical Windows Binaries Modified/Deleted |
| 1307 | Compromise: CloudAI and Recent User Location |
| 1308 | Compromise: CloudAI and Location Watch List |
| 1309 | Compromise: CloudAI and User Recently Added to a Privileged Group |
| 1310 | Compromise: CloudAI and User related Security Classification Event |
| 1336 | Compromise: CloudAI Threat Event and Identity Lists |
| Unchanged | |
| 1312 | Compromise: CloudAI Threat Event |
| Removed | |
| N/A | |