
UEBA Module

UEBA is a security technology that examines user and entity behavior across a network in order to spot possible security threats. When anomalous activity is found, UEBA can generate alerts, enabling security teams to rapidly investigate and take action.

You can access the UEBA module by pressing its button, which you will find in the left-side section of the Web Interface.

UEBA Module (User and Entity Behavior Analytics) - in this module you can analyze user activity in your enterprise.

1 - The number of users, computers and events that have a risk score greater than zero.

2 - You can select the period for which you want to see the riskiest events (Today, Yesterday and Last Week).

3 - Top 10 riskiest alerts.

If you want to view the risk score details of a recent alert, you can press the button, and the page will open:

4 - Top 10 riskiest events:

  • events shown in green don't represent a major risk.
  • events shown in yellow represent a medium risk.
  • events shown in red represent a major risk.

If you want to view the event, you can press the button, and the page will open:

5 - The Events / Risks / Alerts graphic shows the number of events and the maximum and average risk detected in the selected time interval, in samples:

You also have the option to choose how often to Refresh the graphic (1min/5min) or disable it (OFF):

6 - In the Quick Stats graphic, you will see the Maximum, Minimum and Average Risk (in percent). You have the option to choose how often to Refresh the graphic (1min/5min) or disable it (OFF).

7 - This graphic shows the Number of Events Grouped by Risk. You have the option to choose how often to Refresh the graphic (1min/5min) or disable it (OFF).

8 - The Top 10 Riskiest Events. You have the option to choose how often to Refresh the graphic (1min/5min) or disable it (OFF).

9 - You can see all the Most Frequent Alerts. You have the option to choose how often to Refresh the graphic (1min/5min) or disable it (OFF).

From the Recent Alerts and Most Recent Riskiest Events, you can analyze the activity of a user or computer in more detail by clicking on it.

By pressing the button, you will be redirected to another page, where you will be able to see the Activity Stream of the User or Computer, depending on which one you have selected.

Entity View

User Entity Summary

On the first page, in Entity Summary, you can see an overview of the user activity:

1 - The number of events, alerts, assets and locations associated with the user in the selected period.

2 - You can select the period for which you want to see the risk events (Today, Yesterday and Last Week).

3 - This graphic shows the Number of alerts on User, in the selected time interval:

You also have the option to choose how often to Refresh the graphic (1min/5min) or disable it (OFF):

4 - In the Quick Stats on User graphic, you will see the Maximum, Minimum and Average Risk (in percent). You have the option to choose how often to Refresh the graphic (1min/5min) or disable it (OFF).

5 - This graphic shows the number of alerts that are generated by User, in the selected time interval (1m/10m/1h/6h/8h/24h).

You also have the option to choose how often to Refresh the graphic (1min/5min) or disable it (OFF).

6 - The Top 10 Riskiest Events on User. You have the option to choose how often to Refresh the graphic (1min/5min) or not to refresh (OFF).

7 - The graphic shows the Number of Events that are grouped by Risk on User. You have the option to choose how often to Refresh the graphic (1min/5min) or disable it (OFF).

8 - You can see all the most frequent alerts on User. You have the option to choose how often to Refresh the graphic (1min/5min) or disable it (OFF).

User Entity Timeline

In Entity Timeline you will see the Activity Stream for the user.

1 - The number of events, alerts, assets and locations associated with the user in the selected period.

2 - You can select the period for which you want to see the risk events (Today, Yesterday and Last Week).

3 - Represents the total events that have a risk factor, sorted chronologically. If you want to view the event, click the button.

4 - Using predefined patterns, each event is assigned a risk factor based on a logical method. These risk factors have an assigned score.

If you want to view the risk score details, you can press the button, and the page will open:

In Rule Name you will see the patterns that are created in UEBA Manager.
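
The sketch below is an added example, not the product's own code: it shows how pattern-based scoring of this kind can produce a chronological entity timeline and the Maximum / Minimum / Average figures. The rule names, scores, event fields, colour thresholds and the capped-sum combination are all assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Callable

KNOWN_LOCATIONS = {"HQ"}  # constructed baseline of usual locations

@dataclass(frozen=True)
class Rule:
    name: str                        # hypothetical rule name
    score: int                       # hypothetical score, in percent points
    matches: Callable[[dict], bool]  # predicate over one event

RULES = [
    Rule("logon_outside_hours", 30, lambda e: not 8 <= e["hour"] < 18),
    Rule("new_location", 40, lambda e: e["location"] not in KNOWN_LOCATIONS),
    Rule("many_failed_logons", 50, lambda e: e["failed_logons"] >= 5),
]

def score_event(event):  # returns (risk, matched rule names); capped sum is an assumption
    hits = [r for r in RULES if r.matches(event)]
    return min(100, sum(r.score for r in hits)), [r.name for r in hits]

def band(risk):  # assumed colour thresholds, not the product's
    return "red" if risk >= 70 else "yellow" if risk >= 30 else "green"

def entity_timeline(events, user):
    """Chronological list of one user's events that carry a risk above zero."""
    rows = []
    for e in sorted(events, key=lambda e: e["ts"]):
        risk, rules = score_event(e)
        if e["user"] == user and risk > 0:
            rows.append({"ts": e["ts"], "risk": risk, "band": band(risk), "rules": rules})
    return rows

def quick_stats(rows):
    risks = [r["risk"] for r in rows]
    return {"max": max(risks), "min": min(risks), "avg": mean(risks)} if risks else {}

# Constructed sample events (not real product data).
EVENTS = [
    {"ts": "2024-01-10T09:05", "user": "alice", "hour": 9, "location": "HQ", "failed_logons": 0},
    {"ts": "2024-01-10T23:40", "user": "alice", "hour": 23, "location": "HQ", "failed_logons": 0},
    {"ts": "2024-01-10T03:12", "user": "alice", "hour": 3, "location": "remote-site", "failed_logons": 6},
    {"ts": "2024-01-10T10:00", "user": "bob", "hour": 10, "location": "remote-site", "failed_logons": 0},
]

if __name__ == "__main__":
    timeline = entity_timeline(EVENTS, "alice")
    print(timeline, quick_stats(timeline))
```

Keeping the matched rule names beside each score is what lets an analyst see why an event landed in a given band, rather than only the number.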

Computer Entity Summary

On the first page, in Entity Summary, you can see an overview of the computer activity:

1 - The number of events, alerts, users and locations associated with the computer in the selected period.

2 - You can select the period for which you want to see the risk events (Today, Yesterday and Last Week).

3 - This graphic shows the Number of alerts on Computer, in the selected time interval:

You also have the option to choose how often to Refresh the graphic (1min/5min) or disable it (OFF):

4 - In the Quick Stats on Computer graphic, you will see the Maximum, Minimum and Average Risk (in percent). You have the option to choose how often to Refresh the graphic (1min/5min) or disable it (OFF).

5 - This graphic shows the number of alerts that are generated by Computer, in the selected time interval (1m/10m/1h/6h/8h/24h).

You also have the option to choose how often to Refresh the graphic (1min/5min) or disable it (OFF).

6 - The Top 10 Riskiest Events on Computer. You have the option to choose how often to Refresh the graphic (1min/5min) or not to refresh (OFF).

7 - The graphic shows the Number of Events that are Grouped by Risk on Computer. You have the option to choose how often to Refresh the graphic (1min/5min) or disable it (OFF).

8 - You can see all the Most Frequent Alerts on Computer. You have the option to choose how often to Refresh the graphic (1min/5min) or disable it (OFF).

Computer Entity Timeline

In Entity Timeline you will see the Activity Stream for the computer.

1 - The number of events, alerts, users and locations associated with the computer in the selected period.

2 - You can select the period for which you want to see the risk events (Today, Yesterday and Last Week).

3 - Represents the total events that have a risk factor, sorted chronologically. If you want to view the event, click the button.

4 - Using predefined patterns, each event is assigned a risk factor based on a logical method. These risk factors have an assigned score.

If you want to view the risk score details, you can press the button, and the page will open: