Help Document

Logon Settings

With the right logon settings, you can ensure that Log360 UEBA remains secure at all times.

General

CAPTCHA Settings

A login CAPTCHA serves as a security measure against bot-based brute force attacks. Enabling this setting will display a CAPTCHA image on the login page. End-users must enter the characters shown in the CAPTCHA image to log into the Log360 UEBA web portal.

You can configure whether you want the user to always input a CAPTCHA, or you want them to input a CAPTCHA only after a certain number of invalid login attempts. Apart from the CAPTCHA image, you can also enable Audio CAPTCHA to assist visually impaired users.

Steps to enable CAPTCHA

  • Log into Log360 UEBA as an administrator.
  • Go to the Settings tab.
  • Navigate to Settings → Logon Settings, and click the General tab.
  • Select the option Enable CAPTCHA on the login page.
  • Select Always show CAPTCHA if you want users to go through CAPTCHA verification every time they log in.
  • Select Show CAPTCHA after invalid login attempts if you want only those users who failed at login to go through the CAPTCHA verification process.
    • Enter the number of invalid login attempts after which the CAPTCHA verification should appear.
    • Enter the threshold (in minutes) to reset the invalid login attempts. After the specified time period, the invalid login attempts will be reset.
    • Example: Consider the following limits:
      • Invalid login attempts limit is set to ‘3’ times
      • Reset limit after is set to ‘30’ minutes
      • In this example, if a user fails to log in 3 consecutive times in a 30-minute time interval, then a CAPTCHA image will be displayed. The user now has to enter the correct credentials, plus the characters shown in the CAPTCHA image, to successfully log into Log360.
  • Select Enable Audio CAPTCHA to assist visually impaired users.
  • Note: When audio CAPTCHA is enabled, only digits will be shown in the CAPTCHA image. If a browser doesn’t support audio CAPTCHA, then the default CAPTCHA image (with letters and digits) will be shown.
  • Click Save Settings.

Block Users Settings

Using this option you can block users from accessing Log360 UEBA after a certain number of invalid login attempts for a defined time interval. A blocked user cannot log into Log360 UEBA.

Steps to block users:

  • Log into Log360 UEBA as an administrator.
  • Navigate to Settings → Logon Settings, and click the General tab.
  • Select the option Block users after invalid login attempts.
    • Enter the number of invalid login attempts after which users should be blocked.
    • Enter the threshold (in minutes) to reset the invalid login attempts. After the specified time period, the invalid login attempts will be reset.
    • Enter the number of minutes users should be blocked.
    • Example: Consider the following limits:
      • Invalid login attempts limit ‘3’ (times) within ‘5’ minutes.
      • Reset the invalid attempts limit after ‘30’ minutes
      • In this scenario, if a user fails to log in 3 times in a 5-minute time interval, then the user will be blocked from logging into Log360 UEBA for 30 minutes.
  • Click Save Settings.
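
The CAPTCHA threshold and the block threshold described above interact as modeled below. This is an added example, not Log360 UEBA code: the LogonGuard class, its parameter names, and the rule that attempts made during a block are refused without being counted are assumptions. The default numbers come from the two examples on this page, and the sample attempts are constructed.

```python
from collections import defaultdict


class LogonGuard:
    """Failed-logon tracking; all times are minutes on one clock (constructed model)."""

    def __init__(self, captcha_after=3, captcha_window=30,
                 block_after=3, block_window=5, block_for=30):
        self.captcha_after, self.captcha_window = captcha_after, captcha_window
        self.block_after, self.block_window = block_after, block_window
        self.block_for = block_for
        self.failures = defaultdict(list)  # user -> times of consecutive failed logons
        self.blocked_until = {}            # user -> time at which the block lifts

    def _recent(self, user, now, window):
        # Failures older than the reset threshold no longer count.
        return [t for t in self.failures[user] if 0 <= now - t < window]

    def status(self, user, now):
        """What the login page demands at time `now`: blocked, captcha or password."""
        if now < self.blocked_until.get(user, float("-inf")):
            return "blocked"
        if len(self._recent(user, now, self.captcha_window)) >= self.captcha_after:
            return "captcha"
        return "password"

    def record(self, user, now, success):
        """Feed one logon attempt and return the resulting status."""
        if self.status(user, now) == "blocked":
            return "blocked"             # refused outright, not counted
        if success:
            self.failures[user].clear()  # a good logon ends the run of failures
            return "password"
        self.failures[user].append(now)
        if len(self._recent(user, now, self.block_window)) >= self.block_after:
            self.blocked_until[user] = now + self.block_for
        return self.status(user, now)


def replay(events, guard=None):
    """events: (minute, user, success) tuples; returns the status after each one."""
    guard = guard or LogonGuard()
    return [guard.record(user, minute, ok) for minute, user, ok in events]


# Constructed attempts: alice fails slowly, bob fails three times within 5 minutes.
SAMPLE = [(0, "alice", False), (0, "bob", False), (1, "bob", False),
          (2, "bob", False), (8, "alice", False), (10, "bob", True),
          (16, "alice", False), (33, "bob", True)]

if __name__ == "__main__":
    for event, result in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", result)
```

In the sample, bob's correct password at minute 10 is still refused because the block runs until minute 32, while alice only reaches the CAPTCHA threshold because her failures are spread over more than 5 minutes.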

Two-Factor Authentication

To strengthen user logon security, Log360 UEBA supports two-factor authentication. Once enabled, Log360 UEBA will require users to authenticate using one of the authentication mechanisms below, in addition to the Active Directory credentials whenever they log in:

Setting up 2-factor authentication

  • Log in to Log360 UEBA as an administrator.
  • Navigate to Settings → Settings → Logon Settings.
  • Click the Two-factor Authentication tab.
  • Toggle the Two-factor Authentication switch to the ON position.
  • Select the authentication methods of your choice from the list provided.

    Note:
    1. If multiple authentication options are enabled, then the user will be asked to choose one at the time of logging in.
    2. Make sure you configure the authentication option you’ve chosen by entering all the required details.
  • Click Save Settings.

Email Verification

When this option is selected, Log360 UEBA sends a verification code via email to the user’s email address. The user has to enter the verification code to log in successfully.

Configuration steps

  • Configure mail server settings if not done already.
  • Enter a Subject for the email.
  • Enter the Message in the box provided.
  • Set the priority as per your requirement.
  • Click the Macros link at the bottom to insert macros in the email message.
  • Once you are done, click Save Settings.

Once enabled, users will be asked to enroll for two-factor authentication by entering their email address during login.

SMS Verification

When this option is selected, Log360 UEBA sends a verification code via SMS to the user’s phone number. The user has to enter the verification code to log in successfully.

Configuration steps:

  • Configure SMS server settings if not done already.
  • Enter the Message in the box provided.
  • Click the Macros link at the bottom to insert macros in the SMS message.
  • Once you are done, click Save Settings.

Google Authenticator

Google Authenticator adds an extra layer of protection to the reset password/unlock account process. Once enabled, users will be required to enter a six-digit security code generated by the Google Authenticator app for identity verification.

Configuration Steps:

  • Click Enable Google Authenticator.
  • Click Save Settings.

Once enabled, users can enroll themselves for two-factor authentication using the Google Authenticator app.

RSA SecurID

RSA SecurID is a mechanism developed for performing two-factor authentication for a user to a network resource. Users can use the security codes generated by the RSA SecurID mobile app, hardware tokens, or tokens received via mail or SMS to log in to Log360 UEBA.

Configuration Steps:

  • Log in to your RSA admin console (e.g., https://log360-rsa.testdomain.com/sc).
  • Go to Applications. Under Authentication Agents, click Add New.
  • Add Log360 UEBA Server as an authentication agent and click Save.
  • Go to Access. Under Authentication Agents, click Generate Configuration File.
  • Download AM_Config.zip (Authentication Manager config).
  • Extract sdconf.rec from the ZIP file.
  • In Log360 UEBA, under RSA SecurID configuration, click Browse and select the sdconf.rec file.
  • Click Save Settings.

Duo Security

If your organization uses Duo Security for two-factor authentication, it can be integrated with Log360 UEBA to secure logins. Users can approve or deny the Log360 UEBA login requests using a push notification or by entering the six-digit security code generated by the Duo mobile app. Authentication via Duo Security can be configured in two ways in Log360 UEBA: Web v2 SDK and Web v4 SDK.

Web v2 SDK uses a traditional Duo prompt which will be displayed in an iframe in Log360 UEBA, whereas Web v4 SDK uses Duo's OIDC-based universal prompt with a redesigned UI that redirects users to Duo for authentication.

Note: Duo Security has phased out Web v2 SDK, so it is recommended to switch to Web v4 SDK, which features the new Universal Prompt.

Prerequisites

  • Add the API hostname and admin console (e.g., https://admin-325d33c0.duosecurity.com) as a trusted site or intranet site in the users' machine if they are using older versions of Internet Explorer.
  • Please follow these steps in the Duo Admin Panel to migrate from Web v2 SDK, which uses the traditional prompt, to Web v4 SDK, which employs the new Universal Prompt.

Web v4 SDK configuration steps

Note: It is required to have a secure connection to set up the Web v4 SDK authentication. Please make sure that you have enabled HTTPS connection.

  1. Log in to your Duo Security account (e.g., https://admin-325d33c0.duosecurity.com) or sign up for a new account and log in.
  2. Go to Applications and click Protect an Application.
  3. Search for Web SDK and click Protect.
  4. Copy the Client ID, Client secret, and API hostname values.
  5. In Log360 UEBA, navigate to Settings > Logon Settings > Two-Factor Authentication > Duo Security.
  6. Check the Enable Duo Security box and select Web v4 SDK for Integration Type.
  7. Paste the Client ID, Client secret, and API hostname obtained from the Duo Admin Panel in the respective fields.
  8. Enter the same username pattern used in Duo Security in the Username Pattern field.
  9. Click Save.

Steps to migrate to the new Universal Prompt

  1. In the Duo Admin Panel, select the Web SDK application, which was previously configured for Log360 UEBA, and copy the Integration key, Secret key and API hostname values.
  2. Scroll down to the Universal Prompt section. The App Update Ready message will be displayed, indicating that Universal Prompt can now be activated for Log360 UEBA.
  3. In Log360 UEBA, navigate to Settings > Logon Settings > Two-Factor Authentication > Duo Security.
  4. Click Web v4 SDK and paste the Integration key, Secret key, and API hostname values in the Client ID, Client Secret, and API Host name fields respectively.
  5. Once the Web v4 SDK is configured in Log360 UEBA and a user authenticates through the frameless Duo v4 SDK, the App Update Ready message in Duo Admin Panel will be updated and the New Prompt Ready message will be displayed.
  6. Select Show new Universal Prompt to activate the universal prompt for Log360 UEBA.

RADIUS Authentication

Remote Authentication Dial-In User Service (RADIUS) is an industry standard client/server authentication protocol that enhances security by protecting networks from unauthorized access.

RADIUS based two-factor authentication for Log360 UEBA can be configured in just two simple steps.

Configuration Steps:

Step 1: Integrate RADIUS with Log360 UEBA

  • Log in to RADIUS server.
  • Navigate to the clients.conf file (/etc/raddb/clients.conf).
  • Add the following snippet to the clients.conf file:

    client Log360ServerName {
        ipaddr = xxx.xx.x.xxx      # IP address of the Log360 UEBA server
        secret = <secretCode>      # shared secret; entered again in Step 2
        nastype = other
    }
  • Restart RADIUS server.

Step 2: Configure Log360 UEBA for RADIUS

  • Select RADIUS Authentication option.
  • Enter the IP address or the name of the RADIUS server.
  • Enter the port number for RADIUS authentication.
  • Select the protocol used for RADIUS authentication from the drop-down list.
  • Provide the security key that was added to the clients.conf file in RADIUS server.
  • Set the RADIUS user name pattern.
  • Set the authentication request time-out duration.
  • Click Save Settings.

Note: Username Pattern is case sensitive. Please make sure you select the exact pattern (uppercase or lowercase) you use in your RADIUS server.

Backup Verification Codes

Backup verification codes allow users to log in when they don’t have access to their phone or face issues with one of the second-factor authentication methods. When enabled, a total of five codes will be generated. A code once used will become obsolete and cannot be used again. Users also have the option to generate new codes.
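
One way a server can enforce the single-use and regeneration rules described above, as an added example that is not Log360 UEBA's implementation. The BackupCodeStore class, the eight-digit code format, and the keyed-digest storage are assumptions; only the count of five comes from this page.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 5                        # from the page: five codes per user
SERVER_KEY = secrets.token_bytes(32)  # assumption: server-side key kept outside the code table


def _digest(user, code):
    # Keyed digest, so the stored table alone does not reveal usable codes.
    return hmac.new(SERVER_KEY, f"{user}:{code}".encode(), hashlib.sha256).hexdigest()


class BackupCodeStore:
    def __init__(self):
        self._unused = {}  # user -> digests of codes that have not been used yet

    def generate(self, user):
        """Issue a fresh set of codes; codes issued earlier stop working."""
        codes = set()
        while len(codes) < CODE_COUNT:
            codes.add(f"{secrets.randbelow(10**8):08d}")  # assumed 8-digit format
        self._unused[user] = {_digest(user, c) for c in codes}
        return sorted(codes)  # shown to the user; only digests are kept

    def verify(self, user, code):
        """Return True once per valid code; a used code is rejected afterwards."""
        candidate = _digest(user, code.strip())
        for stored in self._unused.get(user, set()):
            if hmac.compare_digest(stored, candidate):  # constant-time comparison
                self._unused[user].discard(stored)
                return True
        return False

    def remaining(self, user):
        return len(self._unused.get(user, ()))
```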

Enabling backup verification code

  • To enable backup verification codes, select the Backup Verification Code check box.

Registering for backup verification code

  • Once enabled, users will be notified to configure their codes when they log in to Log360 UEBA. On clicking Configure Now, they will be taken to the two-factor authentication settings page.
  • Users need to click the Manage Backup Verification Codes link to view the codes.
  • Users can also download the codes as a text file, print them, have them delivered to their personal email address, or generate new codes.

Using the backup verification code to login

  • To use backup verification codes during login, users need to click the Use backup verification codes link in the second-factor authentication page.
  • In the backup verification code page, they need to enter one of their backup verification codes and click Verify Code to log in.

Managing users for two-factor authentication

As an admin, you can view which authentication method users have enrolled for and remove users’ enrollment for two-factor authentication using the Manage Users option.

To do so, follow the steps below:

  • Under the Two-factor Authentication tab, click Enrolled Users.
  • In the TFA Enrolled Users pop up, you can view the list of users enrolled for two-factor authentication and the authentication method they have chosen.
  • To remove a user, select the user and click the Delete icon.

To personalize two-factor authentication method for domain users

Domain users enrolled for two-factor authentication can modify their preferred authentication method and manage trusted browsers by following the steps below:

  • Go to the My Account profile icon at the top left corner.
  • Select the Two Factor Authentication option.
  • To modify authentication mode, click Modify Authentication mode.
  • To manage trusted browsers, click Manage Trusted Browsers.

Allow/Restrict IPs

The security layer of Log360 UEBA can be reinforced by restricting inbound connection requests to the product. This feature of Log360 UEBA can be configured to only allow connections from trusted IPs and IP ranges, and block other unnecessary and malicious traffic. This restriction can apply to APIs used to access the product and certain URLs of the product that are critical in nature, for which access should be restricted.

Steps to allow or restrict IPs

  • Log in to Log360 UEBA.
  • In the Settings tab, select Logon Settings.
  • Select the Allow/Restrict IPs tab.
  • Under the Actions column, click the [disable-icon] icon to enable IP restriction.
  • In the pop up, select Allowed IPs or Restricted IPs as per requirements.
    • To specify an IP range, enter the start and end IP addresses of the range in the Allow IP Range field. To add another range, click the [+] icon.
    • To specify individual IP addresses, click the Add Individual IPs option and enter the desired IP address. Add multiple individual IP addresses by separating the values using a comma.

    (Refer to Appendix for more information.)

  • Click Save to save the settings.

Controlling access to APIs and product URLs

  • Log in to Log360 UEBA.
  • In the Settings tab, select Logon Settings.
  • Select the Allow/Restrict IPs tab.
  • Under the Actions column, click the [disable-icon] icon to enable IP restriction.
  • In the pop up, check the Enable API/URL Access for Selected IPs box.
  • Enter the API/Product URLs in the box provided.
  • Sample URL paths: /Admin.do, /Configuration.do, /Dashboard.do

    Sample API paths: /RestAPI/WC/Integration, /RestAPI/WC/LogonSettings

    Note:
    • Use * as a wildcard character to restrict access to a broader range of APIs or URLs. For example, use /RestAPI/WC/* to restrict all API calls that start with /RestAPI/WC/.
    • The API/URL path should start with /. For example, /Admin.do and /RestAPI/WC/.
    • Enter only the path of the API or URL. For example, if the entire product URL is https://testserver:8082/Admin.do, then enter only /Admin.do.
    • Only alphanumeric (A-Z,a-z, 0-9) and special characters—period (.), slash (/) and asterisk (*)—are allowed.
  • To specify an IP range, enter the start and end IP addresses of the range in the Allow IP Range field. To add another range, click the [+] icon.
  • Click Save to save the settings.
  • If you have changed the proxy settings for which you are enabling IP-based restriction, then:
    • Add the following line to the server.xml file (default location: <InstallationDirectory>/conf/server.xml):

      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             internalProxies="192\.168\.0\.10|192\.168\.0\.11"
             trustedProxies="172\.168\.0\.10|176\.168\.0\.11" />

      • Edit the values of internalProxies and trustedProxies as per your environment.
      • Specify IP addresses as the values of internalProxies and trustedProxies, and use the vertical bar (|) character to separate multiple values.
    • Restart UEBA for the changes to take effect.
    • Repeat steps a and b for the integrated components as well.
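
To check which address the IP restriction will evaluate once the Valve above is in place, the example below models the right-to-left X-Forwarded-For walk that Tomcat's RemoteIpValve performs. It is an added example in Python, not Tomcat or Log360 UEBA code; effective_client_ip is a hypothetical helper, the patterns are the page's sample values, and the request addresses are constructed.

```python
import re

# Patterns copied from the page's sample Valve. Both attributes are
# java.util.regex patterns, which is why the dots are escaped.
INTERNAL_PROXIES = r"192\.168\.0\.10|192\.168\.0\.11"
TRUSTED_PROXIES = r"172\.168\.0\.10|176\.168\.0\.11"


def effective_client_ip(peer_addr, x_forwarded_for,
                        internal=INTERNAL_PROXIES, trusted=TRUSTED_PROXIES):
    """Return the address that an IP allow/restrict rule would evaluate."""
    internal_re, trusted_re = re.compile(internal), re.compile(trusted)

    def is_listed_proxy(addr):
        # fullmatch mirrors Java's Matcher.matches(): the whole address must match.
        return bool(internal_re.fullmatch(addr) or trusted_re.fullmatch(addr))

    # The header is honoured only when the direct TCP peer is a listed proxy.
    if not x_forwarded_for or not is_listed_proxy(peer_addr):
        return peer_addr
    client = peer_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):       # the right-most entry was added last
        client = hop
        if not is_listed_proxy(hop):
            break                    # first hop that is not one of our proxies
    return client


# Constructed requests: (direct peer, X-Forwarded-For header value)
SAMPLE_REQUESTS = [
    ("192.168.0.10", "203.0.113.7"),                # via a listed proxy
    ("198.51.100.9", "10.1.1.5"),                   # direct peer is not a listed proxy
    ("192.168.0.10", "10.1.1.5, 203.0.113.7"),      # left entry was written by the client
    ("192.168.0.11", "203.0.113.7, 172.168.0.10"),  # two proxies in the chain
]

if __name__ == "__main__":
    for peer, header in SAMPLE_REQUESTS:
        print(peer, "|", header, "->", effective_client_ip(peer, header))
```

A pattern that matches every address turns the left-most, client-written entry into the evaluated address, so keep both attributes limited to the exact addresses of your own proxies.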

Managing IP restrictions

  • Disable/enable IP-based restriction: Use the icon under the Actions column to enable or disable IP-based restriction. [enable-icon] icon means IP-based restriction is enabled for a component and [] icon means IP-based restriction is disabled.
  • Edit IP-based restriction settings: Click [disable-icon] icon to add, delete, or edit the IP ranges and individual IP addresses.
  • Summary details: Click the [edit-icon] link under the Allow/Restrict IPs column to view the IPs that are allowed or restricted from accessing a component.

Appendix

  • Use * as wildcard character: Individual IP addresses can include wildcard characters, so that all addresses within a certain class of address will be restricted. For example, denying access to address 192.168.2.* denies access to all addresses for that subnet.
  • You can also enter hostnames instead of IP addresses.
  • You can allow or restrict only IPv4 addresses. IPv6 is not supported.
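
The matching rules from the Allow/Restrict IPs sections and this Appendix (start/end ranges, * in individual IPv4 addresses, and API/URL path patterns) are written out below as an added example; it is not the product's code. The function names and the rule that paths outside the listed API/URL patterns are not IP-checked are assumptions, hostnames are not handled, and all addresses used with it are constructed.

```python
import ipaddress
import re

PATH_PATTERN_RE = re.compile(r"/[A-Za-z0-9./*]*")  # starts with '/', allowed characters only


def valid_path_pattern(pattern):
    return PATH_PATTERN_RE.fullmatch(pattern) is not None


def path_matches(pattern, path):
    # '*' matches any run of characters; every other character is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None


def ip_listed(ip, ranges=(), individual_ips=""):
    """ranges: (start, end) pairs; individual_ips: comma-separated, '*' allowed per octet."""
    try:
        addr = ipaddress.IPv4Address(ip)  # IPv6 or malformed input is never listed
    except ValueError:
        return False
    if any(ipaddress.IPv4Address(lo) <= addr <= ipaddress.IPv4Address(hi) for lo, hi in ranges):
        return True
    octets = str(addr).split(".")
    for entry in individual_ips.split(","):
        parts = entry.strip().split(".")
        if len(parts) == 4 and all(p in ("*", o) for p, o in zip(parts, octets)):
            return True
    return False


def request_permitted(ip, path, mode, ranges=(), individual_ips="", protected_paths=()):
    """mode is 'allow' (Allowed IPs) or 'restrict' (Restricted IPs)."""
    bad = [p for p in protected_paths if not valid_path_pattern(p)]
    if bad:
        raise ValueError(f"invalid API/URL path pattern: {bad}")
    if protected_paths and not any(path_matches(p, path) for p in protected_paths):
        return True  # assumption: only the listed APIs/URLs are IP-checked
    listed = ip_listed(ip, ranges, individual_ips)
    return listed if mode == "allow" else not listed
```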