User Behaviour Analytics

The UBA engine builds a dynamic baseline from each user's activity and monitors for deviations from it. The baseline is recomputed every day from the user's accumulated activity. Currently, three kinds of anomalies are monitored:

  • Unusual Count: If a user's activity count exceeds a dynamic threshold calculated from that user's previous activity, an alert is triggered.
  • Unusual Time: From the user's past activity times the engine derives a normal activity window (in effect a dynamic set of working hours, computed per user and per activity type); any activity that occurs outside the calculated normal hours is alerted.
  • New resource access: The first time a resource is accessed (a user logging on to a computer they have not used before, a first remote connection to a server from a client, a process running on a server for the first time), an alert is raised.

UBA Configurations

  • After a domain is added, its data is collected for 7 days and a normal behaviour profile is generated from that data. No anomaly checks run during this learning period.
  • From the 8th day after domain addition, the Analytics normal behaviour profile is regenerated every day at around 5 am, and the Analytics checking engine starts checking for unusual activities.
  • For a PPM-applied build, domains that were already present are handled differently: the last 1 month of unarchived data is crunched, the normal behaviour profile is generated from it at 5 am the next day, and the Analytics checking engine then starts checking for unusual activities.
  • To see the status of normal behaviour profile generation, go to 'Configuration' -> 'Analytics Configuration'.
  • To generate a normal activity time window for a user/host, the analytics engine requires a minimum of 15 distinct hours of activity data for that user/host. Until that much data exists, no Unusual Time alerts are raised for it.
  • To generate a normal activity count, a single data point is enough for that user/host.
  • More data gives higher prediction accuracy.
  • For Unusual Count and Unusual Time, the last 3 months of data are used for normal behaviour profile generation.
  • For Unusual Count, if the user's normal activity count is < 10, or the user has no normal behaviour profile at all, 10 is used as the default threshold count for that user.
  • Some users can have all 24 hours as normal activity hours (based on their past data). Such a user has no restricted normal activity window, so no Unusual Time anomaly will ever be raised for them; Unusual Count and New resource access checks still apply.
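The following Python is an added illustration of the three checks described above and of the configuration rules (default threshold of 10, the 15-distinct-hours requirement, the all-24-hours case). It is not ADAudit Plus code: the threshold formula (mean + 2 standard deviations of the daily counts), the pipe-separated event format, the user and host names and the sample events are all constructed for this example, and the history it uses stands in for the 3-month lookback.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

DEFAULT_COUNT_THRESHOLD = 10   # used when the baseline count is < 10 or no profile exists
MIN_UNIQUE_HOURS = 15          # distinct (date, hour) buckets needed for a time profile


def parse_events(lines):
    """Parse constructed 'YYYY-mm-dd HH:MM:SS|user|activity|resource' lines (assumed format)."""
    events = []
    for line in lines:
        ts, user, activity, resource = line.strip().split("|")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "user": user, "activity": activity, "resource": resource})
    return events


def build_profile(history):
    """Build a normal-behaviour profile per (user, activity) from past events."""
    daily = defaultdict(lambda: defaultdict(int))   # key -> date -> event count
    hour_buckets = defaultdict(set)                  # key -> {(date, hour)}
    resources = defaultdict(set)                     # key -> {resource}
    for ev in history:
        key = (ev["user"], ev["activity"])
        daily[key][ev["time"].date()] += 1
        hour_buckets[key].add((ev["time"].date(), ev["time"].hour))
        resources[key].add(ev["resource"])

    profile = {}
    for key, per_day in daily.items():
        counts = list(per_day.values())
        # Assumed formula: mean + 2 standard deviations of the daily counts.
        # One day of data is enough; the result is floored at the default of 10.
        threshold = max(mean(counts) + 2 * pstdev(counts), DEFAULT_COUNT_THRESHOLD)
        normal_hours = None
        if len(hour_buckets[key]) >= MIN_UNIQUE_HOURS:
            hours = {h for _, h in hour_buckets[key]}
            # If every hour of the day is normal there is no window to violate.
            normal_hours = hours if len(hours) < 24 else None
        profile[key] = {"count_threshold": threshold,
                        "normal_hours": normal_hours,
                        "resources": resources[key]}
    return profile


def check_day(profile, todays_events):
    """Run the three anomaly checks over one day's events and return the alerts."""
    alerts = []
    counts = defaultdict(int)
    for ev in todays_events:
        key = (ev["user"], ev["activity"])
        counts[key] += 1
        p = profile.get(key)
        if p is None:
            continue   # no baseline yet: only the default count check applies below
        if p["normal_hours"] is not None and ev["time"].hour not in p["normal_hours"]:
            alerts.append(("unusual_time", key, ev["time"].isoformat()))
        if ev["resource"] not in p["resources"]:
            alerts.append(("new_resource", key, ev["resource"]))
    for key, n in counts.items():
        p = profile.get(key)
        threshold = p["count_threshold"] if p else DEFAULT_COUNT_THRESHOLD
        if n > threshold:
            alerts.append(("unusual_count", key, n))
    return alerts


def sample_history():
    """Constructed 21 days of past logon events (not real audit data)."""
    lines = []
    for d in range(21):
        day = f"2019-03-{d + 1:02d}"
        # alice: 20/22/24 logons per day spread over 09:00-16:59 -> real time window
        for i in range(20 + 2 * (d % 3)):
            lines.append(f"{day} {9 + i % 8:02d}:{(i * 7) % 60:02d}:00|alice|logon|WS01")
        if d < 2:
            # bob: two sparse days -> fewer than 15 hour buckets, no time profile
            lines.append(f"{day} 10:05:00|bob|logon|WS07")
            lines.append(f"{day} 14:30:00|bob|logon|WS07")
            # svc-backup: active every hour -> all 24 hours normal, no time anomalies
            for h in range(24):
                lines.append(f"{day} {h:02d}:00:00|svc-backup|logon|SRV-BK01")
    return lines


TODAY = [
    "2019-03-22 02:15:00|alice|logon|SRV-FILE01",   # off-hours and never-seen host
    "2019-03-22 09:30:00|alice|logon|WS01",          # normal
    "2019-03-22 03:00:00|svc-backup|logon|SRV-BK01", # 24-hour user: not alerted
] + [f"2019-03-22 {8 + i:02d}:00:00|bob|logon|WS07" for i in range(12)]  # 12 > default 10


def run_example():
    profile = build_profile(parse_events(sample_history()))
    return profile, check_day(profile, parse_events(TODAY))


if __name__ == "__main__":
    for alert in run_example()[1]:
        print(alert)
```

Running it prints one Unusual Time and one New resource alert for alice and one Unusual Count alert for bob; svc-backup's 03:00 logon is silent because all 24 hours are normal for it, and bob's own late logons are silent because he has too little history for a time profile, exactly the two quiet cases the configuration notes describe.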

Anomaly Reports List

Logon Activity Reports:

  • Unusual Volume of Logon Failures
  • Unusual Logon Activity Time
  • First Time Host Accessed By User
  • Unusual Volume of Logon Failure on Host
  • First Time Remote Access on Host

User Management Activity Reports:

  • Unusual Volume of User Management Activity
  • Unusual User Activity Time
  • Unusual Volume of Lockout
  • Unusual Lockout Activity Time

Process Activity Reports:

  • New Process on Server

File Activity Reports:

  • Unusual Volume of File Failure Activity
  • Unusual Volume of File Activity
  • Unusual File Activity Time
  • Unusual Volume of File Modification
  • Unusual Volume of File Delete

Copyright © 2019, ZOHO Corp. All Rights Reserved.