User Entity Behavior Analytics (UEBA)
UEBA is an acronym for User Entity Behavior Analytics. UEBA is a category of cybersecurity in which we look for abnormal behavior by entities. By "entity" we refer not only to users (for example, john.smith@corp.com) but also to devices (for example, corp-server-1) and domains (for example, g00gle.com). UEBA typically leverages sophisticated analytics, such as statistical analyses and machine learning, in order to detect abnormal behavior.
...
From a first glance at the Overview dashboard above, one may surmise that Devo Behavior Analytics tracks entities and assigns them risk scores. The concepts in this document help describe how this process works.
Behavior Models & Signals
One of the core concepts in Devo UEBA is the behavior model. The behavior model is essentially a piece of software which looks for some sort of abnormal behavior in your Devo data tables. You may ask, what specific behavior does it look for? That depends on the model. Each model is designed to look for one specific type of behavior. If the model detects that behavior, then it generates a behavior signal. The behavior signal is a record of the what, when, and who: what behavior was detected, when did the detection occur, and who were the entities involved (for example, the user, device and/or domain). Each behavior signal also has a risk score from zero to 100.
...
Internally, behavior signals are stored in the Devo table entity.behavior.signals.filtered.
Risk Calculator
The behavior signals produced by the behavior models are read by the risk calculator. The risk calculator's job is to output a list of entities with a risk score computed for each entity. The list of entities and scores is updated hourly.
...
Past results from the risk calculator are not overwritten by newer results; instead, the records are preserved for historical analysis.
Risk Groups
Risk groups are an optional feature that can be leveraged by the risk calculator. A risk group is a configurable list of entity names (i.e., the group members) and a single risk score multiplier. If an entity is a member of a risk group, then that risk group’s multiplier will be applied to the entity’s risk score as a final step in the risk calculator.
...
Internally, the list of risk group names & score multipliers is stored in the Devo table entity.behavior.list.groups. The list of members for each of the groups is stored in the Devo table entity.behavior.list.members.
Alerts with Entity Info
Alerts are not required for the risk calculator to function properly. However, triggered alerts that carry entity info can optionally be used by the risk calculator as an additional input alongside behavior signals.
...
There are certain types of alerts which are ignored by the risk calculator, namely Behavior Alerts and Risk Based Alerts. Although these alerts may contain entity info, they are still excluded from the risk calculator by design. For more details, see the sections on Behavior Alerts and Risk Based Alerts in this document.
Entity Risk Scoring
Every hour, the risk calculator generates a list of entities with risk scores. This is a multi-step process, known as entity risk scoring, which begins with the risk calculator reading the latest behavior signals, alerts, and risk group configurations.
...
Since the risk score calculation uses a 7-day sliding window, risk scores can decay over time; that is, an entity's risk score can decrease as its alerts & signals drop out of the 7-day window, as illustrated in the example below.
...
Entity Relative Risk
In addition to computing risk scores, the risk calculator also computes a relative risk for each entity. An entity’s relative risk is the entity’s risk score normalized against all the entities within the organization.
...
To help distinguish the relative risk from the risk score, relative risk values are typically shown in the Behavior Analytics UI as fractions with a denominator of 100 (for example, 55/100).
...
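The scoring steps described in the last three sections (the 7-day sliding window, summed signal and alert risk, the risk group multiplier applied as the final step, and relative risk shown as N/100), as an added example that is not Devo's own code. The page describes the inputs and the window but not the formula, so the aggregation rule (a plain sum capped at 100) and the normalization (against the organization's highest score) are assumptions of this model; the signal, alert and group records are constructed sample data, and jane.doe@corp.com and the privileged-users group are invented names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)  # the 7-day sliding window described on this page

# Constructed sample records (not real Devo data): (entity, timestamp, risk 0-100).
# Alerts are assumed to arrive here with their risk already resolved by the
# alert risk scoring step described later on this page.
SIGNALS = [
    ("john.smith@corp.com", datetime(2024, 3, 1, 9, 0), 40),
    ("john.smith@corp.com", datetime(2024, 3, 6, 14, 0), 30),
    ("corp-server-1", datetime(2024, 3, 5, 3, 0), 20),
]
ALERTS = [
    ("john.smith@corp.com", datetime(2024, 3, 6, 15, 0), 25),
    ("jane.doe@corp.com", datetime(2024, 3, 6, 16, 0), 10),
]
# Risk groups: name -> multiplier and name -> members, mirroring the
# entity.behavior.list.groups / entity.behavior.list.members tables.
GROUPS = {"privileged-users": 1.5}
MEMBERS = {"privileged-users": {"jane.doe@corp.com"}}


def entity_risk_scores(signals, alerts, groups, members, now):
    """One hourly run: sum the risk of every signal and alert inside the
    7-day window ending at `now`, then apply the risk-group multiplier as the
    final step. Summing and the cap at 100 are assumptions of this model."""
    totals = defaultdict(float)
    for entity, ts, risk in list(signals) + list(alerts):
        if now - WINDOW < ts <= now:  # older records have dropped out of the window
            totals[entity] += risk
    multiplier = {m: mult for g, mult in groups.items() for m in members.get(g, ())}
    return {e: min(100.0, t * multiplier.get(e, 1.0)) for e, t in totals.items()}


def relative_risk(scores):
    """Normalise each entity's score against the organisation's highest score
    and express it as N out of 100 (assumed normalisation; the page shows the
    N/100 format but not the formula)."""
    top = max(scores.values(), default=0.0)
    return {e: (round(100 * s / top) if top else 0) for e, s in scores.items()}


def demo():
    """Score the sample data at two hourly runs two days apart: john's 1 March
    signal is inside the window on 7 March and outside it on 9 March, so his
    score decays from 95 to 55 while the other entities are unchanged."""
    first = entity_risk_scores(SIGNALS, ALERTS, GROUPS, MEMBERS, datetime(2024, 3, 7))
    later = entity_risk_scores(SIGNALS, ALERTS, GROUPS, MEMBERS, datetime(2024, 3, 9))
    return first, relative_risk(first), later


if __name__ == "__main__":
    labels = ("7 March scores", "7 March relative risk", "9 March scores")
    for label, result in zip(labels, demo()):
        print(label, result)
```

Running the block prints the two hourly runs side by side: on 7 March john.smith@corp.com scores 95 and is the organization's top entity (100/100), and on 9 March the 1 March signal has left the window and his score has decayed to 55, while jane.doe@corp.com's 10 points are scaled to 15 by the privileged-users multiplier in both runs.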
Behavior Signal Risk Scoring
When the risk calculator discovers behavior signals, it must sum up the risk scores for those signals. Each signal record has a risk score value from zero to 100. The value is assigned by the behavior model that generated the signal. You may configure the signal risk score for each behavior model in the Behavior Analytics UI under the Content Manager > Behavior Models page.
Alert Risk Scoring
When the risk calculator discovers triggered alerts with entity info, it must determine a risk score for each alert. By default, the risk calculator will follow an internal multi-step process to derive a meaningful risk score value. However, the process is configurable through several methods as described below.
Using a Custom Alert Risk Score
You may set a custom risk score for a given alert definition. This custom risk score will override the default logic of the risk calculator for any alerts triggered by that alert definition. To set a custom risk score, you may use a select X as risk statement in the alert definition's LINQ query, where X is the custom risk score number from zero to 100. For example:
...
For convenience, you can also set a custom risk score in the Behavior Analytics UI under the Content Manager > Alert Risk Scores page. In that page you can browse a list of alert definitions. Simply open the dropdown menu next to the alert you wish to customize and click "Edit Risk Score". You will be prompted to enter a value from 0 to 100. This will add the select X as risk statement to the alert LINQ for you.
Using the Alert Technique Risk Score
The Alert Technique Risk Score (TRS) is the out-of-the-box alert risk score framework that dictates the risk contribution of a specific alert. TRS values are determined by the Devo SciSec threat research team based on research into common attack patterns for MITRE ATT&CK techniques. For each technique, that research evaluates its awareness, whether it is a cut vertex to other techniques, its closeness to other techniques, and its actionability, and derives the technique's risk score from those factors. The TRS is the default model of alert risk within Devo today and is available out of the box for all SecOps alerts. The TRS is additionally modulated by the priority set on an alert, so that alerts an organization marks as higher priority for its environment contribute more risk.
...
select "4" as alertPriority
Excluding an Alert from Risk Scoring
If you wish to exclude an alert from the risk calculation, add the following select statement to the alert definition's LINQ query and it will be ignored by the risk calculator.
select "Risk" as alertType
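An added helper (not Devo's code) that audits the LINQ text of alert definitions for the three statements described in the Alert Risk Scoring sections and reports how the risk calculator will treat alerts from each definition: excluded, custom risk, or default TRS (together with the alert priority if one is set). Regex matching of the statements in the exact form this page shows them is a simplification of LINQ parsing; the table name my.app.auth.events and the queries are constructed sample input; and the rule that an exclusion statement wins over a custom risk in the same query is an assumption, not something the page states.

```python
import re

# Constructed alert definitions (not real Devo content); the table name
# my.app.auth.events is hypothetical.
ALERT_DEFINITIONS = {
    "brute-force-login": (
        'from my.app.auth.events\n'
        '  where outcome = "failure"\n'
        '  select 80 as risk'
    ),
    "priority-only": (
        'from my.app.auth.events\n'
        '  select "4" as alertPriority'
    ),
    "housekeeping": (
        'from my.app.auth.events\n'
        '  select "Risk" as alertType'
    ),
    "out-of-range": 'from my.app.auth.events\n  select 250 as risk',
    "plain": 'from my.app.auth.events\n  where outcome = "failure"',
}

# The statements are matched in the form this page shows them:
# select X as risk, select "4" as alertPriority, select "Risk" as alertType.
RISK_RE = re.compile(r'\bselect\s+"?(\d+)"?\s+as\s+risk\b')
PRIORITY_RE = re.compile(r'\bselect\s+"?(\d+)"?\s+as\s+alertPriority\b')
EXCLUDE_RE = re.compile(r'\bselect\s+"Risk"\s+as\s+alertType\b')


def classify(linq):
    """Return how the risk calculator will treat alerts from this definition:
    ("excluded", None), ("custom", score) or ("default", priority_or_None).
    Assumption: an exclusion statement wins over a custom risk in the same query."""
    if EXCLUDE_RE.search(linq):
        return ("excluded", None)
    m = RISK_RE.search(linq)
    if m:
        score = int(m.group(1))
        if not 0 <= score <= 100:  # the page allows only 0..100 for a custom risk
            raise ValueError(f"custom risk {score} is outside 0-100")
        return ("custom", score)
    p = PRIORITY_RE.search(linq)
    return ("default", p.group(1) if p else None)


def audit(definitions):
    """Classify every definition; a definition with an invalid custom risk is
    reported as ("invalid", message) instead of aborting the whole audit."""
    report = {}
    for name, linq in definitions.items():
        try:
            report[name] = classify(linq)
        except ValueError as exc:
            report[name] = ("invalid", str(exc))
    return report


if __name__ == "__main__":
    for name, verdict in audit(ALERT_DEFINITIONS).items():
        print(f"{name:20s} {verdict}")
```

A definition with no risk, priority or alertType statement falls through to ("default", None), meaning its alerts will be scored by the TRS with whatever priority the alert carries; the out-of-range case is reported rather than silently clamped so that a mistyped value is caught before the next hourly run.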
Behavior Alerts
When a behavior model detects abnormal behavior, it generates a behavior signal. In addition, you have the option of generating an alert for each signal as well. These alerts are called behavior alerts because they are generated by the behavior models.
...
If behavior alerts are excluded from risk calculation, then why are they supported? They are available for the convenience of the security analyst. Some analysts prefer to work with alerts rather than signals. For example, an analyst may use Activeboards, Case Management, custom reporting or other legacy tools which are designed to work with alerts. Additionally, alerts support properties which signals do not, such as priority, MITRE tactic & technique.
Risk Based Alerts
A risk based alert is an alert which can be triggered by changes in an entity’s risk score. For example, a risk based alert could be configured to trigger whenever a user’s risk score exceeds some given value.
...