Static and Dynamic Peer Grouping
Log360 UEBA now comes with anomaly detection based on static peer grouping, in addition to dynamic peer grouping. Admins can choose to enable the peer grouping configuration of their choice. Log360 categorizes anomalies based on time, count, pattern and seasonality. For time, count and pattern anomalies, Log360 UEBA also gives information about a user's peer behavior. If the user under consideration has a peer who exhibits similar behavior, the confidence level of the anomaly is adjusted downward, and the risk score is then adjusted downward as well. This helps reduce false positives and improves the security context.
In the Dynamic Peer Grouping configuration, users are grouped into peer groups based on behavior. A security admin can enable Dynamic Peer Grouping to calculate a user's risk score. This can provide better security context and reduce false positives. Admins have to train the UEBA module with users' events so that Log360 UEBA can generate clusters and identify anomalies.
In the Static Peer Grouping configuration, users are logically grouped based on shared LDAP attributes that pertain to roles, responsibilities and functions within the organization.
To configure Static Peer Grouping for your organization, go to the Settings tab in the Log360 UEBA module.
Please Note: Peer group configurations (both Dynamic and Static Peer Grouping) now have their own section called Peer Groups under the Settings tab in Log360 UEBA (earlier they were in the Risk Score Customization section).
- On the left pane, click the Configuration tab and select Peer Groups.
- If you've already configured a domain, you will be able to enable Static Peer Grouping.
- To configure a domain, follow the link that says "Click here". At least one domain must be configured before Static Peer Grouping can be enabled.
- After this, enable Static Peer Grouping. A popup will appear when you enable it, and you need to select at least one attribute to configure Static Peer Grouping.
- You'll see the list of selected attributes displayed on screen. The default attributes cannot be deleted.
- You can edit an attribute by clicking the pen icon next to it to modify its Display Name.
- You can also see the "No. of Peer Groups" and the "No. of Users" for each attribute. For example, for the "Title" attribute, you might have 2 peer groups (Manager and Executive) and 2 users (user 1 and user 2) who belong to each peer group respectively, based on their designation.
- You can also add your own attributes by clicking "Add Attribute" on the left and entering the "Display Name" and LDAP attribute in the popup box. Make sure that you add group attributes (whose values are shared by multiple users), not attributes that are unique to each user.
- You can configure Static Peer Grouping for configured domains. If you want to create a new domain, click the "Add a new domain" button. The drop-down list on the right displays all configured domains.
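The following is an added illustration, not Log360 UEBA's own code, of the two ideas on this page: building static peer groups from a shared LDAP attribute (and checking that the attribute is a group attribute rather than a unique one, as the last step above requires), and lowering an anomaly's confidence when a peer in the same group has shown the same behavior. The user records, attribute names, behavior labels and the 0.5 adjustment factor are constructed for the example; Log360's actual adjustment logic is not documented on this page.

```python
# Added example: a simplified model of static peer grouping over LDAP-style
# attributes and the downward confidence adjustment when a peer matches.
# Not Log360 UEBA's own code; all records, names and factors are constructed.
from collections import defaultdict

# Constructed sample directory records (hypothetical users and attributes).
USERS = [
    {"sAMAccountName": "user1", "title": "Manager",   "department": "Finance"},
    {"sAMAccountName": "user2", "title": "Executive", "department": "Finance"},
    {"sAMAccountName": "user3", "title": "Manager",   "department": "IT"},
    {"sAMAccountName": "user4", "title": "Executive", "department": "IT"},
]

# Constructed: fraction the confidence is scaled by when a peer shows the same behavior.
PEER_FACTOR = 0.5


def build_peer_groups(users, attribute):
    """Group account names by the value of one LDAP attribute.

    Users that lack the attribute are left out of every group.
    """
    groups = defaultdict(set)
    for user in users:
        value = user.get(attribute)
        if value is not None:
            groups[value].add(user["sAMAccountName"])
    return dict(groups)


def is_group_attribute(users, attribute):
    """True if the attribute places at least two users in the same group.

    An attribute whose every value is unique (e.g. sAMAccountName) yields
    one-member groups only and is useless for peer comparison.
    """
    groups = build_peer_groups(users, attribute)
    return any(len(members) > 1 for members in groups.values())


def peers_of(users, attribute, account):
    """Return the other members of the peer group `account` belongs to."""
    for members in build_peer_groups(users, attribute).values():
        if account in members:
            return members - {account}
    return set()


def adjust_confidence(confidence, account, behavior, observed, users, attribute):
    """Scale an anomaly's confidence down if any peer showed the same behavior.

    `observed` maps account -> set of behavior labels seen in the training
    window. Confidence is returned unchanged when no peer matches.
    """
    for peer in peers_of(users, attribute, account):
        if behavior in observed.get(peer, set()):
            return round(confidence * PEER_FACTOR, 3)
    return confidence


if __name__ == "__main__":
    # Constructed behavior history: user2 (a Finance peer of user1) also logged in after hours.
    history = {"user2": {"after_hours_login"}}
    print("title groups:", build_peer_groups(USERS, "title"))
    print("sAMAccountName usable?", is_group_attribute(USERS, "sAMAccountName"))
    print("by department:", adjust_confidence(0.9, "user1", "after_hours_login",
                                              history, USERS, "department"))
    print("by title:", adjust_confidence(0.9, "user1", "after_hours_login",
                                         history, USERS, "title"))
```

Grouping the same users by "department" lowers user1's confidence (user2 is a peer who showed the behavior), while grouping by "title" leaves it unchanged (user3, the only Manager peer, did not), which is why the choice of grouping attribute directly shapes how many alerts survive.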
After enabling Static or Dynamic Peer Grouping, you can view peer group details for the anomalies found in the Anomaly Reports.
- Navigate to the Anomaly Reports tab in Log360 UEBA, click More [ ], and select Peer Group Detail.
- This opens a popup where you can view peer group details for the Static or Dynamic configuration.
- For the Static configuration, select the desired sub-category to view the related peer groups.
- Similarly, click Dynamic to view cluster details: the different peer group clusters and the members of each cluster.