
Troubleshooting UEBA Event Collection

Discussion created by Dave Glover Employee on Jun 22, 2020

After setting up UEBA, you need to make sure you are collecting the following Event IDs from hosts as well as network events.

Active Directory Model -> device.class = 'windows hosts' && reference.id = '4741','4742','4733','4734','4740','4794','5376','5377','5136','4764','4743','4739','4727','4728','4754','4756','4757','4758','4720','4722','4723','4724','4725','4726','4738','4767','4717','4729','4730','4731','4732'

Authentication Model -> Windows, RHLinux and RSA AceSrv -> reference.id = ('4624','4625','4769','4648') || (device.type = 'rsaacesrv' && ec.activity = 'Logon') || ((action = '/usr/sbin/sshd' || action = '/usr/bin/login') && device.type = 'rhlinux')

File Model -> Event ID 4663, 4660, 4670, 5145

Packet SSL Data Model -> service=443 && direction='outbound' && analysis.service!='quic' && ip.src exists && ip.dst exists && tcp.srcport!=443

Endpoint Models ->

               REGISTRY
                  category='Registry Event' && device.type='nwendpoint'

               PROCESS
                  category='Process Event' && device.type='nwendpoint'

The included App rules tag the incoming events and populate the "alert" meta key with the model name.

This makes troubleshooting easier, since you can identify which log messages are coming in and which models they belong to.
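As an added example (not code from the post, nor part of RSA NetWitness or its App rules), the Python script below mirrors each model filter listed above as a predicate over a meta record, writes the matching model name into the record's "alert" key the way the App rules do, and counts hits per model over a constructed set of sample meta records, so a model that is receiving no events stands out during troubleshooting. The model names, the dictionary representation of meta, and all sample values are assumptions made for the example.

```python
"""Tag constructed NetWitness meta records with the UEBA model they feed.

Added example (not part of the original post): each predicate mirrors one
of the model filters quoted above, tag_event() does what the App rules do
by writing the model name into the 'alert' meta key, and coverage()
reports how many events hit each model so a missing feed stands out.
The meta keys and sample values below are constructed for illustration.
"""
from collections import Counter

# Event IDs copied from the post's filters.
AD_EVENT_IDS = {
    '4741', '4742', '4733', '4734', '4740', '4794', '5376', '5377', '5136',
    '4764', '4743', '4739', '4727', '4728', '4754', '4756', '4757', '4758',
    '4720', '4722', '4723', '4724', '4725', '4726', '4738', '4767', '4717',
    '4729', '4730', '4731', '4732',
}
AUTH_WINDOWS_IDS = {'4624', '4625', '4769', '4648'}
FILE_EVENT_IDS = {'4663', '4660', '4670', '5145'}


def active_directory(m):
    return m.get('device.class') == 'windows hosts' and m.get('reference.id') in AD_EVENT_IDS


def authentication(m):
    return (m.get('reference.id') in AUTH_WINDOWS_IDS
            or (m.get('device.type') == 'rsaacesrv' and m.get('ec.activity') == 'Logon')
            or (m.get('action') in ('/usr/sbin/sshd', '/usr/bin/login')
                and m.get('device.type') == 'rhlinux'))


def file_access(m):
    return m.get('reference.id') in FILE_EVENT_IDS


def packet_ssl(m):
    # 'ip.src exists' / 'ip.dst exists' become key-presence checks.
    return (m.get('service') == 443 and m.get('direction') == 'outbound'
            and m.get('analysis.service') != 'quic'
            and 'ip.src' in m and 'ip.dst' in m
            and m.get('tcp.srcport') != 443)


def endpoint_registry(m):
    return m.get('category') == 'Registry Event' and m.get('device.type') == 'nwendpoint'


def endpoint_process(m):
    return m.get('category') == 'Process Event' and m.get('device.type') == 'nwendpoint'


# Model names are assumptions; the post does not name the alert values.
MODELS = [
    ('active_directory', active_directory),
    ('authentication', authentication),
    ('file', file_access),
    ('packet_ssl', packet_ssl),
    ('endpoint_registry', endpoint_registry),
    ('endpoint_process', endpoint_process),
]


def tag_event(meta):
    """Return a copy of the record with 'alert' set to every model whose filter matched."""
    tagged = dict(meta)
    tagged['alert'] = [name for name, matches in MODELS if matches(meta)]
    return tagged


def coverage(events):
    """Count tagged events per model; a zero means that feed is not arriving."""
    counts = Counter()
    for event in events:
        counts.update(tag_event(event)['alert'])
    return {name: counts[name] for name, _ in MODELS}


def missing_models(events):
    """Names of models that received no events at all."""
    return [name for name, count in coverage(events).items() if count == 0]


# Constructed sample meta: one record per feed plus a QUIC flow that the
# Packet SSL filter must reject. No Registry Event is included on purpose.
SAMPLE_EVENTS = [
    {'device.class': 'windows hosts', 'reference.id': '4720'},
    {'device.class': 'windows hosts', 'reference.id': '4624'},
    {'device.type': 'rsaacesrv', 'ec.activity': 'Logon'},
    {'device.type': 'rhlinux', 'action': '/usr/sbin/sshd'},
    {'device.class': 'windows hosts', 'reference.id': '4663'},
    {'service': 443, 'direction': 'outbound', 'analysis.service': 'tls',
     'ip.src': '10.0.0.5', 'ip.dst': '203.0.113.10', 'tcp.srcport': 51234},
    {'service': 443, 'direction': 'outbound', 'analysis.service': 'quic',
     'ip.src': '10.0.0.5', 'ip.dst': '203.0.113.11', 'tcp.srcport': 51235},
    {'category': 'Process Event', 'device.type': 'nwendpoint'},
]

if __name__ == '__main__':
    for name, count in coverage(SAMPLE_EVENTS).items():
        print(f'{name:18} {count}')
    print('models with no events:', missing_models(SAMPLE_EVENTS))
```

Running the script over the constructed sample shows one hit for every model except endpoint_registry, which is reported as missing; against real data you would feed it exported meta for the collection window and treat any zero as a feed to chase, in the same way the "alert" key populated by the App rules lets you see which models each incoming log belongs to.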
