Defining and Managing Identities & Assets for UEBA

Introduction

UEBA solutions use various data sources, such as log files, network traffic data, and user activity logs, to analyze and detect unusual behavior that could indicate a security threat. By comparing current behavior against historical patterns and peer group behavior, UEBA can identify anomalies that may indicate a potential insider threat, compromised account, or other security risk.

UEBA can help organizations detect and respond to security incidents more quickly and effectively by automating the analysis of large volumes of data and providing security teams with prioritized alerts based on the level of risk.

To use the UEBA feature in Logsign Unified SecOps Platform, assets and identities must be defined first, and this in turn requires an LDAP connection to the directory.

This document explains how to establish the LDAP connection and how to define assets and identities.

LDAP Connection

LDAP is a protocol used to access and manage directory information services, such as user accounts, email addresses, and other network resources. An LDAP connection allows an LDAP client to communicate with an LDAP server to retrieve or modify information stored in the directory.

To establish an LDAP connection, an LDAP client sends an LDAP request to the LDAP server on a specific port (by default 389 for LDAP and 636 for LDAP over SSL, also called LDAPS). The server then responds either with the requested information or with a result code indicating that it is not available.

LDAP connections can be secured by using SSL/TLS encryption to protect the data being transmitted between the client and server. LDAP connections can also be authenticated using various mechanisms, such as simple authentication or bind authentication, to ensure that only authorized users can access the directory information.

To configure LDAP, navigate to Settings > Integration > Responses > LDAP and click the 'Configure' button.

To add the device (directory server) that the LDAP connection will be made to, click the '+ Device' button.

Device Name : In the 'Device Name' field, enter the name you want to give to the device.

BaseDN : The BaseDN (base distinguished name) defines the starting point for a search within the directory. It specifies the top-most point in the directory tree from which the LDAP search begins; objects outside this subtree are not returned.

Port : The default is 389 for LDAP and 636 for LDAP over SSL (LDAPS).
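As an added example (not Logsign's own code), the following Python script sanity-checks the three fields above before they are entered in the LDAP device form: it derives the default AD BaseDN from a DNS domain, validates the DN syntax, and flags a port/encryption combination that would send bind credentials in clear text. The domain, DN and device values are constructed for illustration.

```python
"""Pre-flight checks for an LDAP device definition (Device Name, BaseDN, Port).
Added example; the domain and DN values used in the checks are constructed."""
from __future__ import annotations
from dataclasses import dataclass
import re

LDAP_PORT, LDAPS_PORT = 389, 636
# One RDN in attribute=value form (RFC 4514 style); AD BaseDNs are usually DC=... components
_RDN = re.compile(r"^(?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<val>.+)$")


def base_dn_from_domain(domain: str) -> str:
    """'corp.example.com' -> 'DC=corp,DC=example,DC=com' (the AD domain root)."""
    labels = [lbl for lbl in domain.strip().lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty domain")
    return ",".join(f"DC={lbl}" for lbl in labels)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs; escaped commas (\\,) are not handled."""
    rdns = []
    for rdn in dn.split(","):
        m = _RDN.match(rdn.strip())
        if not m:
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((m.group("attr").upper(), m.group("val").strip()))
    return rdns


@dataclass
class LdapDevice:
    name: str
    base_dn: str
    port: int
    use_tls: bool  # LDAPS on 636, or StartTLS on 389


def check_device(dev: LdapDevice) -> list[str]:
    """Return a list of findings; an empty list means the definition looks sound."""
    findings = []
    if not dev.name.strip():
        findings.append("Device Name is empty")
    try:
        rdns = parse_dn(dev.base_dn)
        if not all(attr == "DC" for attr, _ in rdns):
            findings.append("BaseDN starts below the domain root: only objects under it will be synced")
    except ValueError as exc:
        findings.append(f"BaseDN invalid: {exc}")
    if dev.port not in (LDAP_PORT, LDAPS_PORT):
        findings.append(f"non-standard port {dev.port}: confirm the directory listens there")
    if not dev.use_tls:
        findings.append("no TLS: bind credentials and directory data cross the network unencrypted")
    return findings
```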


Defining and Managing Assets for UEBA

To perform this step, it is necessary to have already established an LDAP connection.

Navigate to Settings > Enrichment > Assets and click 'Sync LDAP'.

Once the synchronization completes, Logsign Unified SecOps Platform imports the assets found in the Active Directory (AD) that is connected via LDAP.

To manually add an asset, click the '+ Asset' button located to the right of the 'Sync LDAP' button.


Defining and Managing Identities for UEBA

To perform this step, it is necessary to have already established an LDAP connection.

Navigate to Settings > Enrichment > Identities and click 'Sync LDAP'.

Once the synchronization completes, Logsign Unified SecOps Platform imports the identities found in the Active Directory (AD) that is connected via LDAP.

To manually add an identity, click the '+ Identity' button located to the right of the 'Sync LDAP' button.
