Help Document

Risk Scoring

Log360 UEBA computes risk scores for five threat categories:

  • Insider threats: Activities such as data deletion, logon success anomalies, abnormal file permission changes, and Windows application whitelisting anomalies are classified as insider threats.
  • Data exfiltration: Activities such as malicious software installations, logon failure anomalies, logon success anomalies, data hoarding, data upload anomalies, and abnormal file creations are classified as data exfiltration.
  • Compromised accounts: Logon failure anomalies, malicious software installations, system file changes, clearing of event logs, etc. are classified as compromised accounts.
  • Logon anomalies: Both logon failure and logon success anomalies are detected.
  • Overall anomalies: Various other abnormal activities on cloud infrastructure, databases, file servers, etc. are detected and combined into the overall anomaly score. The other four categories (insider threats, data exfiltration, compromised accounts and logon anomalies) also contribute to the risk score for overall anomalies. Note that a single activity can belong to more than one category; a logon success anomaly, for example, counts towards insider threats, data exfiltration and logon anomalies at the same time.

Whenever a user's or entity's observed activity deviates from its baseline of expected behavior, the risk score of that user or entity increases in one or more of the threat categories above.

Risk score customization

You can assign a weight and a time decay factor to each activity that affects a threat category's risk score, so that severe activities count for more and older activities gradually stop contributing. In addition, you can:

  • Choose the anomalous activities that need to be considered under each threat category
  • Add new activities that you wish to consider under each threat category

Dynamic peer grouping analysis

Users and entities are automatically placed into peer groups based on behavioral traits. The security administrator can enable Dynamic Peer Grouping Analysis when calculating the risk score. A user's or entity's peer group will then be considered when calculating its risk score, so that activity which is normal for the whole group is not treated as anomalous for one member. This provides better security context and reduces false positives.

Contextual risk scoring

You can enable contextual risk scoring to get a better sense of the risk a user poses at the current time. Once enabled, the dashboard shows the user's contextual risk score alongside their peak and average risk scores. Whereas peak and average are computed only from the time range you selected, the contextual risk score also takes into account anomalies that occurred after the end of that range, giving a more dynamic measure of the risk the user poses right now.
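As an added illustration of how the pieces above fit together (this is example code written for this page, not Log360 UEBA's own implementation, whose exact formula is not documented here), the following Python models per-activity weights and time decay, anomalies feeding several categories and all of them rolling up into an overall score, peak and average scores over a selected range, a contextual score evaluated at the current time that still counts later anomalies, and a peer-group comparison. The exponential half-life decay, the peer-median comparison, the category names, the weights, the half-lives and the sample timeline are all constructed assumptions; only the category membership of each activity follows the help text.

```python
"""Illustrative UEBA risk-scoring model (added example, not Log360 UEBA code).
Each anomaly contributes a configurable weight to the threat categories it
belongs to, that contribution decays over time, and a user's overall score
is summarised as peak, average and contextual ("right now") values."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

CATEGORIES = ("insider_threat", "data_exfiltration", "compromised_account",
              "logon_anomaly")

# activity -> (categories it feeds, weight, half-life in hours).
# Category membership follows the help text; weights and half-lives are
# constructed values standing in for the administrator's customisation.
ACTIVITY_CONFIG = {
    "logon_failure_anomaly": (("data_exfiltration", "compromised_account", "logon_anomaly"), 2.0, 24.0),
    "logon_success_anomaly": (("insider_threat", "data_exfiltration", "logon_anomaly"), 3.0, 24.0),
    "data_deletion":         (("insider_threat",), 8.0, 72.0),
    "event_log_cleared":     (("compromised_account",), 9.0, 168.0),
}


@dataclass(frozen=True)
class Anomaly:
    user: str
    activity: str
    time: datetime


def decayed_weight(weight: float, half_life_hours: float, age_hours: float) -> float:
    """Assumed decay model: full weight when fresh, halved every half-life."""
    if age_hours < 0:
        return 0.0  # an anomaly cannot contribute before it happened
    return weight * 0.5 ** (age_hours / half_life_hours)


def risk_scores(anomalies, user: str, at: datetime) -> dict:
    """Per-category and overall risk score for `user` as seen at time `at`.
    Every category's contributions also roll up into 'overall'."""
    scores = dict.fromkeys(CATEGORIES + ("overall",), 0.0)
    for a in anomalies:
        if a.user != user or a.time > at:
            continue
        cats, weight, half_life = ACTIVITY_CONFIG[a.activity]
        age_hours = (at - a.time).total_seconds() / 3600
        contribution = decayed_weight(weight, half_life, age_hours)
        for c in cats:
            scores[c] += contribution
        scores["overall"] += contribution
    return scores


def peak_and_average(anomalies, user: str, start: datetime, end: datetime):
    """Dashboard-style summary over a selected range: the overall score is
    sampled each time the user triggers an anomaly inside the range."""
    samples = [risk_scores(anomalies, user, a.time)["overall"]
               for a in anomalies if a.user == user and start <= a.time <= end]
    if not samples:
        return 0.0, 0.0
    return max(samples), sum(samples) / len(samples)


def contextual_score(anomalies, user: str, now: datetime) -> float:
    """Contextual score: evaluated at `now`, so anomalies that occurred after
    the selected range still count, reduced only by their age."""
    return risk_scores(anomalies, user, now)["overall"]


def peer_group_ratio(score: float, peer_scores, threshold: float = 2.0):
    """Assumed peer-group check: compare a user's score with the median of the
    peer group; only a score well above the group's norm is flagged."""
    base = median(peer_scores) if peer_scores else 0.0
    if base <= 0:
        return (float("inf") if score > 0 else 0.0), score > 0
    ratio = score / base
    return ratio, ratio > threshold


# Constructed timeline for one user (not real log data).
T0 = datetime(2024, 1, 1)
RANGE_START, RANGE_END = T0, T0 + timedelta(hours=50)   # range picked on the dashboard
NOW = T0 + timedelta(hours=96)                           # time of the contextual evaluation
SAMPLE_ANOMALIES = [
    Anomaly("alice", "logon_failure_anomaly", T0),
    Anomaly("alice", "logon_success_anomaly", T0 + timedelta(hours=24)),
    Anomaly("alice", "data_deletion",         T0 + timedelta(hours=48)),
    Anomaly("alice", "event_log_cleared",     T0 + timedelta(hours=72)),  # after RANGE_END
    Anomaly("bob",   "logon_failure_anomaly", T0 + timedelta(hours=10)),
]

if __name__ == "__main__":
    peak, avg = peak_and_average(SAMPLE_ANOMALIES, "alice", RANGE_START, RANGE_END)
    ctx = contextual_score(SAMPLE_ANOMALIES, "alice", NOW)
    print(f"alice: peak={peak:.2f} average={avg:.2f} contextual={ctx:.2f}")
    for cat, s in risk_scores(SAMPLE_ANOMALIES, "alice", NOW).items():
        print(f"  {cat}: {s:.2f}")
```

With this timeline the peak and average over the selected range are 10.0 and about 5.33, while the contextual score at NOW is about 13.7: the event log clearing after the range end outweighs the decay of the earlier anomalies, which is exactly the signal a range-bound peak or average would miss.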