
In case you missed the latest webinar in our Inside Netskope series—where Netskope experts show you how we protect our users, applications, and data using our own cloud-based architecture—a recording and recap of our recent session on Operationalizing UEBA UCI Alerts can be found below. Feel free to comment and continue the discussion!

📽️ Watch on-demand 🍿


Q: How can UEBA be used to detect when someone may be looking to leave the company? Can they automatically be added to a "watch list"?

A: This is one of those cool ones. I've always thought UEBA has the potential to predict when someone's leaving the company before they've fully made up their mind.

The two custom alerts that Uday talked about are some of the key features. For example, if those types of things start happening where a user is uploading to personal spaces instead of going to the corporate environment, which is not normal for them, this would definitely be a trigger. The automations that Uday talked about when the UCI score drops, you can automatically move people to different groups, and those groups can have different real time or API policies associated with them where you can start locking things down a little more. So you definitely can!


Q: Are there Netskope Dashboards for UCI SCORE or is that something we build on our own?

A: Yes, we try to always have Advanced Analytics dashboards for any of the topics we cover in the Inside Netskope series. Please see this post for the Advanced UEBA Dashboard.


Q: How do you manage the resigning users group? Can it be automated?

A: Absolutely! We actually covered this topic in a past Inside Netskope webinar; please see this recap post for more information.


Q: Are UEBA logs able to be streamed to a SIEM?

A: Yes! You can stream UEBA alerts, not logs, to your SIEM of choice.


Q: Can UEBA differentiate between living off the land and normal user BAU? Or, is it safe to assume the severity rating is the differential (Low UCI is more likely user & High is more likely a threat actor)?

A: Not a threat actor, but it's based on risk. They're not threat actors, I would assume. UEBA natively cannot differentiate between living off the land and normal users. It can create leads based on the activities observed and it is up to the analyst to investigate further and arrive at a conclusion.


Q: Can we leverage this UEBA UCI capability through Netskope integration with a SIEM/SOAR tool?

A: Absolutely! The big takeaway for me is because there are so many alerts built into the UEBA platform, you can't action all of those types of alerts. The UCI alert is the key—when it drops below a threshold.

We've taken it down a few different notches as we go. For example, "Let's only action everything below 300." I think there are a couple of default settings in the system, but when we get that alert that says they're below 300 into the SIEM, that's where our ticket kicks off and we start the activities after that.
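The workflow described in the answers above (action only the UCI alert rather than every individual indicator, treat a drop below 300 as the ticket trigger, move the user into a group that carries tighter policy, and restrict attention to a watch list of your own domain) can be modelled as a small triage step in front of the ticketing system. The following is an added example and not code from the webinar or from Netskope; the JSON field names (`alert_type`, `user`, `uci_score`, `indicator`), the group names and the sample alert lines are all constructed for illustration, and only the "below 300" threshold and the idea of scoring the UCI comes from the page.

```python
"""Triage of UEBA UCI alerts as they land in a SIEM (constructed example)."""
import json

UCI_TICKET_THRESHOLD = 300          # from the page: "only action everything below 300"
WATCHED_DOMAINS = {"example.com"}   # hypothetical watch list: only our own domain
GROUP_BY_SCORE = [                  # hypothetical groups with progressively tighter policy
    (100, "uci-critical-restricted"),
    (300, "uci-high-review"),
]

# Constructed sample alert lines; not real Netskope output.
SAMPLE_ALERTS = """\
{"alert_type": "uci", "user": "alice@example.com", "uci_score": 280, "indicator": "upload to personal instance"}
{"alert_type": "uci", "user": "bob@example.com", "uci_score": 650, "indicator": "bulk download"}
{"alert_type": "uci", "user": "customer@ticket-sender.example.net", "uci_score": 120, "indicator": "anomalous login"}
{"alert_type": "indicator", "user": "carol@example.com", "indicator": "bulk download"}
{"alert_type": "uci", "user": "alice@example.com", "uci_score": 90, "indicator": "tor node traffic"}
"""


def parse_alerts(text):
    """Parse newline-delimited JSON alerts, skipping blank lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            alerts.append(json.loads(line))
    return alerts


def in_watch_list(user):
    """True only for users whose mail domain is on the watch list."""
    _, sep, domain = user.rpartition("@")
    return bool(sep) and domain.lower() in WATCHED_DOMAINS


def target_group(score):
    """Pick the policy group for a UCI score; None means no group change."""
    for ceiling, group in GROUP_BY_SCORE:
        if score < ceiling:
            return group
    return None


def triage(alerts):
    """Build one case per watched user whose UCI score fell below the threshold.

    Individual indicator alerts are ignored on purpose: the page's advice is to
    action the UCI alert, not every indicator. Repeated UCI alerts for the same
    user update the existing case instead of opening a second ticket.
    """
    cases = {}
    for alert in alerts:
        if alert.get("alert_type") != "uci":
            continue
        user = alert["user"]
        if not in_watch_list(user):
            continue
        score = int(alert["uci_score"])
        if score >= UCI_TICKET_THRESHOLD:
            continue
        case = cases.setdefault(user, {"lowest_score": score, "indicators": [], "group": None})
        case["lowest_score"] = min(case["lowest_score"], score)
        case["indicators"].append(alert.get("indicator", "unknown"))
        case["group"] = target_group(case["lowest_score"])
    return cases


if __name__ == "__main__":
    for user, case in triage(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"ticket for {user}: lowest UCI {case['lowest_score']}, "
              f"move to {case['group']}, indicators {case['indicators']}")
```

Run as-is, the only ticket opened is for alice: bob never drops below the threshold, the external ticket-sender address is filtered out by the watch list, and carol's indicator-only alert is left for the UCI score to absorb. In a real deployment the `cases` dictionary would be what the SOAR playbook turns into a ticket and a group move.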


Q: How can we show only domain users in UEBA Incidents? Our Zendesk CASB API populates UEBA with customer emails from tickets.

A: You can create a watch list within your UEBA platform and you can set who you want to be held within your UEBA. So if you only want to watch your domain, you can set your watch list to that.

If you want to watch everything that happens within your tenant, then that's when you can sometimes get customer and vendor emails as well.


Q: What are some of the top ways you see customers leveraging UEBA from an "action/actionable" standpoint?

A: We are the customer in this case, but working the UCI alerts is our key way. The webinar covers this in detail if you're looking for additional information!


Q: Volume can be overwhelming, and teams can be discouraged when flooded with high volume. How do you suggest companies deploy UEBA to control the volume in a more manageable manner?

A: That's the action on the UCI alerts. This was the key for us because we did the same thing.

We turned it on and we're like "Oh my gosh, what do we do with this?" So leveraging the UCI alerts vs the individual indicators keeps the system from overwhelming us.


Q: I am trying to get my internal Blue team interested in what UEBA can offer. How can I "sell" it to them?

A: I definitely think that the UEBA can help a blue team not only with user investigations or actioning on the UCI score, but it can help in other departments based on the policies that you may have set up or that we can share, such as threat hunting. The UEBA can be super helpful for specific user events—such as bulk downloads/uploads, exfiltration to a personal instance from an unmanaged instance, or a personal instance from a managed instance. We can also see C2 communication traffic and Tor node traffic, and then we can take action on that as well.

So, the UEBA is that tool to help fill those gaps that an EDR or a SIEM won't be able to see or cover all the time and it can give you a little bit more assurance, especially leveraging behavioral analysis and machine learning. With the adaptation of machine learning, it just continuously adapts and learns based on a user's normal day. We can then go from there to see a potential incident or data exfiltration before another normalized security application may get to it. It's just a really good tool that helps provide full visibility for you during an investigation.


Q: Do you need to have a full CASB license to leverage UEBA? We currently are SWG licensed only, but do see UEBA—I just am not sure how much of it can be leveraged?

A: Great question! Base SWG licensing comes with Standard UEBA, NG SWG Enterprise has Advanced UEBA.


Q: Is UCI score predefined or can we customize it?

A: Well, the way it works is predefined. However, you can customize how much each event impacts the UCI score.

So if something, like a bulk download, is more of a normalized thing, you can reduce the impact to that score or you can increase it just depending on what you need. So there's definitely some customization that can go into that!
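Two points from the answers above are worth seeing side by side: the score is driven by how far a user's activity departs from their own learned baseline (the "normal day" mentioned earlier in the recap), and the impact of each event type on the score is tunable, so a bulk download that is routine in your environment can be made to cost less. The code below is an added illustration, not Netskope's scoring algorithm; the 1000-point starting score, the per-event impact values, the event names and the five-day history are all invented for the example, and the only things taken from the page are the ideas of a learned baseline and of customizable per-event impact.

```python
"""Toy baseline-aware UCI scoring with tunable per-event impact (constructed)."""
from statistics import mean

STARTING_SCORE = 1000  # hypothetical ceiling; the page does not state the scale

# Hypothetical default impact per event above the user's baseline.
DEFAULT_IMPACT = {
    "bulk_download": 40,
    "personal_instance_upload": 150,
    "tor_node_traffic": 300,
}

# Constructed five-day history of daily event counts per user.
HISTORY = {
    # alice bulk-downloads every day as part of her job
    "alice": [{"bulk_download": 20}, {"bulk_download": 18}, {"bulk_download": 19},
              {"bulk_download": 20}, {"bulk_download": 18}],
    # dave has never done either of these things before
    "dave": [{}, {}, {}, {}, {}],
}

# Constructed activity for the day being scored.
TODAY = {
    "alice": {"bulk_download": 22},
    "dave": {"bulk_download": 22, "personal_instance_upload": 1},
}


def baseline(history, event):
    """Mean daily count of an event over the user's history (0 if never seen)."""
    return mean(day.get(event, 0) for day in history)


def score_user(history, today, impact):
    """Score one user: only activity above the learned baseline costs points."""
    score = STARTING_SCORE
    for event, count in today.items():
        excess = max(0, count - round(baseline(history, event)))
        score -= excess * impact.get(event, 0)
    return max(score, 0)


def score_all(impact):
    """Score every user in TODAY against their own HISTORY with the given impacts."""
    return {user: score_user(HISTORY[user], events, impact) for user, events in TODAY.items()}


def tuned_impact(**overrides):
    """Return a copy of the default impacts with some event weights customized."""
    impact = dict(DEFAULT_IMPACT)
    impact.update(overrides)
    return impact


if __name__ == "__main__":
    print("default impacts:", score_all(DEFAULT_IMPACT))
    print("bulk_download tuned down:", score_all(tuned_impact(bulk_download=10)))
```

With the default impacts, alice's 22 downloads barely move her score because her baseline is 19, while the same 22 downloads from dave, who has no such baseline, plus one upload to a personal instance drive his score to the floor. Lowering the `bulk_download` impact, as the answer describes, lifts both users without hiding dave's personal-instance upload, which still costs him the full 150 points.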




Some responses above contain roadmap items. These are intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Netskope’s products remains at the sole discretion of Netskope.

