Help Document

Risk Scoring

There are five categories of threats for which risk scoring is done in Log360 UEBA. These are:

  • Insider threats: Activities such as data deletion, logon success anomalies, abnormal file permission changes, and Windows application whitelisting anomalies are classified as insider threats.
  • Data exfiltration: Activities such as malicious software installations, logon failure anomalies, logon success anomalies, data hoarding, data upload anomalies, and abnormal file creations are classified as data exfiltration.
  • Compromised accounts: Logon failure anomalies, malicious software installations, system file changes, clearing of event logs, etc. are classified as compromised accounts.
  • Logon anomalies: Both logon failure and logon success anomalies are detected.
  • Overall anomalies: Various other abnormal activities that occur on cloud infrastructures, databases, file servers, etc. are detected to come up with overall anomalies. The other anomaly types (insider threats, data exfiltration, compromised accounts and logon anomalies) also contribute to the risk score for overall anomalies.

Whenever a user's or entity's observed activity deviates from its baseline of expected activity, the risk score of that user or entity is increased for one or more of the above threat categories.

Dynamic peer grouping analysis: Users and entities are automatically placed into peer groups based on behavioral traits. The security administrator has the option to enable Dynamic Peer Grouping Analysis when calculating the risk score. A user's or entity's peer group is then also considered when calculating the risk score: activity that is unusual for the individual but normal for the peer group raises less suspicion. This provides better security context and decreases false positives.
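The following is an added illustration of the scoring model described above, not Log360 UEBA's own code or algorithm. It maps each anomaly type to the threat categories listed on this page, raises a category score when an observed daily count deviates from the user's baseline, and, when a peer-group baseline is supplied, suppresses the increase unless the count is also unusual for the peer group. The deviation test (mean plus three standard deviations of the baseline window), the flat weight of 10 points per anomaly, and the sample users and counts are all assumptions made for the example.

```python
"""Illustrative UEBA-style risk scorer with optional peer-group baselines.

Added example: not Log360 UEBA code. The category mapping follows the list on
this page; the deviation test, weights and sample data are assumptions.
"""
from statistics import mean, pstdev

CATEGORIES = [
    "insider_threats", "data_exfiltration", "compromised_accounts",
    "logon_anomalies", "overall_anomalies",
]

# Anomaly type -> categories it contributes to, per the list on this page.
# "overall_anomalies" is handled separately: every anomaly feeds it.
CATEGORY_MAP = {
    "data_deletion": {"insider_threats"},
    "abnormal_file_permission_change": {"insider_threats"},
    "app_whitelisting_anomaly": {"insider_threats"},
    "logon_success_anomaly": {"insider_threats", "data_exfiltration", "logon_anomalies"},
    "logon_failure_anomaly": {"data_exfiltration", "compromised_accounts", "logon_anomalies"},
    "malicious_software_install": {"data_exfiltration", "compromised_accounts"},
    "data_hoarding": {"data_exfiltration"},
    "data_upload_anomaly": {"data_exfiltration"},
    "abnormal_file_creation": {"data_exfiltration"},
    "system_file_change": {"compromised_accounts"},
    "event_log_cleared": {"compromised_accounts"},
}


def deviates_from_baseline(observed, history, k=3.0):
    """True if `observed` exceeds the baseline window by more than k std devs (assumption).

    A baseline that never varies (e.g. all zeros) makes any increase a deviation,
    so a first-ever 'event log cleared' still counts.
    """
    if not history:
        return observed > 0  # no baseline at all: any activity is new behaviour
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return observed > mu
    return observed > mu + k * sigma


def pool_histories(member_histories):
    """Pool several members' baseline windows into one peer-group baseline."""
    pooled = {}
    for hist in member_histories:
        for atype, counts in hist.items():
            pooled.setdefault(atype, []).extend(counts)
    return pooled


def score_user(daily_counts, user_history, peer_history=None, weight=10):
    """Return per-category risk points for one user-day.

    daily_counts : {anomaly_type: count observed today}
    user_history : {anomaly_type: [daily counts over the baseline window]}
    peer_history : same shape for the user's peer group; when given, a count must
                   deviate from BOTH baselines to raise the score (peer grouping).
    """
    scores = {c: 0 for c in CATEGORIES}
    for atype, count in daily_counts.items():
        flagged = deviates_from_baseline(count, user_history.get(atype, []))
        if flagged and peer_history is not None:
            flagged = deviates_from_baseline(count, peer_history.get(atype, []))
        if not flagged:
            continue
        for cat in CATEGORY_MAP.get(atype, set()):
            scores[cat] += weight
        scores["overall_anomalies"] += weight  # every anomaly also feeds "overall"
    return scores


# Constructed sample data (assumption): alice normally has ~1 failed logon/day;
# her peers (bob, carol) run scripted jobs that fail logons ~9 times/day.
ALICE_HISTORY = {"logon_failure_anomaly": [0, 1, 0, 2, 1, 0, 1],
                 "event_log_cleared": [0, 0, 0, 0, 0, 0, 0]}
BOB_HISTORY = {"logon_failure_anomaly": [8, 10, 9], "event_log_cleared": [0, 0, 0]}
CAROL_HISTORY = {"logon_failure_anomaly": [12, 7, 11, 9], "event_log_cleared": [0, 0, 0, 0]}
PEER_HISTORY = pool_histories([BOB_HISTORY, CAROL_HISTORY])
TODAY = {"logon_failure_anomaly": 9, "event_log_cleared": 1}

if __name__ == "__main__":
    print("user baseline only:", score_user(TODAY, ALICE_HISTORY))
    print("with peer grouping:", score_user(TODAY, ALICE_HISTORY, PEER_HISTORY))
```

Against her own baseline alone, alice's nine failed logons raise data exfiltration, compromised accounts and logon anomalies; with her peer group's baseline applied, that count is ordinary for the group and only the cleared event log (unusual for everyone) still scores, which is the false-positive reduction the peer-grouping option is meant to provide.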