Thanks
Looking for visibility into Advanced UEBA with machine learning detections that automatically learn the baselines for different users and raise alerts when there are anomalous behaviors? Our latest Advanced UEBA Dashboard is here to help!
This dashboard provides detailed visibility into the alerts generated by Advanced UEBA policies, which helps you perform user investigation & alert validation on this topic. With the dashboard, you can better understand why these alerts are being triggered and if your policies are working effectively.
By default, the dashboard starts with a summary of Advanced UEBA alerts triggered in the last 30 days, including # alerts triggered, # apps with these alerts, and # users triggering these alerts. The # UCI Threshold Alerts triggered are highlighted, which is a starting point for your user investigation.
Advanced UEBA automatically computes the User Confidence Index (UCI) score for every user on the platform. Users with the lowest UCI scores represent the highest risk to your organization. Manually monitoring all users is not scalable, and this is why we have implemented UCI Threshold Alerts. A UCI Threshold Alert is generated any time a user’s UCI score drops below a particular threshold, which is an indicator of security concerns in your environment.
To learn more about who are the top users triggering these alerts, use the “top user” table below. Select any single user from the table to view all the data based on this user only. If you have implemented controls/coaching on risky user behaviors, use the trend line to understand if your effort is working as expected.
Another trend line below provides visibility into how the Advanced UEBA policies are generating alerts over time. Use this widget to understand if your policies are working effectively.
The second half of the dashboard provides visibility into Key Detection Scenarios, which is a starting point for your alert validation. The Key Detection Scenario shows the predominant reason for each user’s moderate or poor UCI score, which helps you recognize “why” the user’s UCI score is dropping.
With this part of the dashboard, you can better understand what Advanced UEBA policies are being triggered in your environment, which users are triggering these policies, and “why” they’re triggering these policies (Key Detection Scenarios).
E.g. We see the Key Detection Scenario is “Insider threat - Data movement” above. This means the user is moving data from a corporate managed app to an unmanaged app/instance. The user may be exfiltrating sensitive data to a personal cloud storage app, which is an incident that should be further investigated.
Note: Key Detection Scenarios are manually mapped to Advanced UEBA policies through custom fields in this dashboard. If there are new Key Detection Scenarios and/or policies added, an updated version of this dashboard will be provided.
The dashboard template is attached below. Feel free to import and view it in your own environment. Let us know if you have any questions & feedback!