analytics – SGBox Next Generation SIEM & SOAR https://www.sgbox.eu Next Generation SIEM & SOAR Tue, 05 Nov 2024 11:03:07 +0000 en-US hourly 1 https://wordpress.org/?v=6.7.1 https://www.sgbox.eu/wp-content/uploads/2020/09/cropped-Logo-SGBox-Trasparente-NO-SCRITTA-150x150.webp analytics – SGBox Next Generation SIEM & SOAR https://www.sgbox.eu 32 32 User Behavior Analytics https://www.sgbox.eu/en/knowledge-base/user-behavior-analytics/ Wed, 28 Aug 2019 10:16:35 +0000 https://10.253.1.90/sgbox/EN/?post_type=epkb_post_type_1&p=2339 User Behavior Analytics (UBA)

The behavior analysis is an extension of the Risk Analysis and takes into consideration all the events related to the user and performs a series of evaluations to define whether the behavior of a certain user is considered “normal” or not.
Statistical algorithms analyze the historical data related to the user, the actions performed and the hosts on which these actions took place.

Requirements:

  • SGBox Version 4.2.1.
  • The User Behavior Analytics must be unlocked. Contact us for more information.

Examples of anomalies:

  • the user Mario always connects in VPN every morning at 9 AM. One day starts the VPN at 3AM.
  • the user Giovanni has never accessed to the core switch. One day he access.
  • the user Luigi has never seen before. One day he login to a Windows system.

Evaluations performed:

  • is the user known?
  • has the user already performed this particular action?
  • has the user already performed this particular action in this time interval?
  • has the user already performed this particular action on this host?
  • how do other users behave about this particular action?

The purpose of this analysis, as said, is to define if a behavior can be considered ’normal’. All the different algorithms applied to the historical data, will define the score (risk level) that will be assigned to the user.

UBA Configurations

Only few parameters can be modified to fine tune the user behavior analysis algorithms. In the “advanced options” section, you can:

User Behavior Analytics

  • enable or disable the learning mode. If unchecked the learning mode is disabled, and the analysis will be performed. If you enable this flag you should also define an expiration date of the learning mode, when the learning mode will be automatically disabled. If you enable this flag with few events it is possible that you start receiving a lot of warning messages, since there’s no history.
  • define an email address that will receive all the messages coming from the behavior analysis
  • by default everything that happens during the last (by default) 15 days represent the analysis base. Meaningful values varies from 15 to 30 days
  • You can define a retention time for the users baseline. This is generally two times the analysis base and the acceptable range is between the analysis base value and 60.
  • last option represents the minimum percentage beyond which the event is considered to be at risk.

You can also specify with events are involved in UBA by enable them in LM > User Behavior Analytics.
Here is also required to select the User Parameter.
User Behavior Analytics

Dashboards
Results should be accessed by dashboards. The application will deploy four new dashboards called “User Behavior Analytics – *”. Please take a look at the dashboards and don’t forget that while the application is in learning mode, nothing will be displayed.
The application also enables a new widget called “User Behavior analytics”. You can create your own dashboards by mixing different views enabled by this widget.
User Behavior Analytics

Lists
The application will modify also the Lists view (SCM > Actions > Lists) by adding a new column called “UBA”. When a list file is selected, this will be used in the user behavior analysis application to match the current user with other users. List file should contain a set of users that should belong to the same group (or role) of the current user. You can use a group to include and/or exclude a user from a group. If both include and exclude flag are selected, the list is used first as an include list and if there is no match, it will be used as an exclude list (compare user behavior against users not present in that list).

]]>