UEBA Configuration

Set up User and Entity Behavioural Analytics (UEBA) to automatically detect anomalous connections, such as connections from unusual source addresses, and connections at unusual times.

For more information about UEBA, see also:

Training Anomaly Recognition

After you have set up your UEBA server, UEBA must be trained to distinguish normal/anomalous connections. Training is done using previous connection data from PrivX.

To train UEBA:

  1. At Administration→Deployment→User Behavior Analytics, click Add Model.

  2. Specify the interval from which to analyze connection data. The interval should be selected so that:

    • The interval should contain as many normal connections as possible, while containing as few anomalous connections as possible.
    • To ensure successful training, the interval must include data from at least 5000 connections.
    • Including more data in the model generally allows more accurate anomaly detection.

    Click Save to create the model.

  3. New models must be trained before they can be used. To train the model, click next to the model, then click Train.

    Wait for the training to complete. Models with lots of connection data may take considerable amounts of time to complete training .

    You may verify the training status back on the User Behavior Analytics page. The status should be Ready after the model is successfully trained.

  4. Activate your Ready model to start distinguishing anomalous connections. To do this, click next to your model, then click Activate.

    📘

    Note

    If you already have an active model, you must Deactivate it before you can Activate another one. Model deactivation may take a few minutes. Active datasets cannot be deleted or updated.

    If you change a model's time interval, you will need to retrain it before it can be activated again.

    PrivX will now log any connections that are considered potentially anomalous. You may find such logs on Monitoring→Events by searching for Connection-unusual-behavior-by-ueba or Connection-blocked-by-ueba. Each such event comes with a UEBA confidence level, where higher confidence means greater likelihood that the connection is anomalous.

PrivX Behavior on Anomalous Connections

To configure PrivX UEBA behavior, go to Administration→Deployment→User Behavior Analytics and click Edit. The following UEBA configurations are available:

  • Action: Whether anomalous connections are only audited, or also blocked.

  • Policy: Set the strictness of the policy. Stricter policy means connections are more likely to be considered anomalous.

    For example, when set to (very) strict, even slightly-suspicious connections (UEBA confidence low) are considered anomalous. When set to (very) loose, only very suspicious connections (UEBA confidence high) are considered anomalous.

📘

Note

You will need to determine the best policy level for your network: We recommend starting with Normal, then increasing strictness if anomalous connections are not correctly audited/blocked, or reduce strictness if normal connections are being audited/blocked.

For best results after significant changes in the corporate network, we recommended retraining your model(s) for better accuracy. You may set the policy to Very loose. After that, allow 1 to 2 weeks of data gathering, then retrain the model with the new connection data included.