UEBA
-
Adding Device to logpoint
Hi,
I had added a device into the logpoint and I have done all the steps of this documentation Devices — Data Integration latest documentation (logpoint.com) .
However, the logpoint didn’t collect any logs from this host. In addition, I checked on this host and I didn’t find lpagent. Could you please tell me why it does not work? And what should I do?
Regards,
Siawash
-
LogPoint UEBA Configuration
Hi!
I’m wondering how LogPoint’s UEBA handles nested AD groups? Nesting of AD groups for selection of specific users that I want to point to the UEBA cloud for AI intelligence.
Is this possible?
-
Unable to hunt down the user/process that fails to authenticate on DC
I monitor for failed authentications on DC’s.
labels: Authentication | Fail | Kerberos | User
My top failed authentications are on one client/one account that I can’t hunt down. I have looked at all processes and their “credentials” + installed sysmon on the client. But I can’t find the process or user. Any ideas how I could hunt this down?
-
Public release of GoogleCloudPlatform v.6.0.0.
Hi All,
We are excited to share the release of GoogleCloudPlatform v.6.0.0.
Google Cloud Platform (GCP) is a suite of cloud computing services that provides infrastructure as a service, platform as a service and serverless computing environments.
Alongside a set of management tools, it offers a series of modular cloud services including computing, data storage, data analytics and big data processing.
To read more on this release, please follow the link below:
https://servicedesk.logpoint.com/hc/en-us/articles/8956510332061
-
Hunting and remediating BlackCat ransomware
Known by many names, including ALPHV, AlphaV, ALPHVM, and Noberus, BlackCat ransomware made headlines for its successive attacks on high-profile targets. Like Black Basta and Lockbit, it also operates under the Ransomware-as-a-Service (RaaS) model and uses double and sometimes triple extortion techniques.
BlackCat uses its public leak site to intimidate victims, where anyone can search and access the leaked victim information easily. The highest ransom they have demanded so far is $14 million and it’s speculated that it has similarities with ransomware families like Darkside, Blackmatter, and REvil in regard to the tools, filenames, and techniques they use. To read more about means of protecting your organisation against Black Cat, read our blog on the link below.
https://www.logpoint.com/en/blog/hunting-and-remediating-blackcat-ransomware/#detecting-blackcat
-
Cisco Ironport eMail Security Appliance integration with UEBA. Why did it not work?
Hi,
I’m struggling with the integration of the Cisco Ironport eMail Security Appliance as a UEBA source.
The LogPoint documentation - Data Sources For UEBA — UEBA Guide latest documentation (logpoint.com) - indicates the ESA is supported.
The corresponding UEBA matching query is - device_category=Email* sAMAccountName=* receiver=* datasize=* | fields,log_ts,sender,receiver,userPrincipalName,sAMAccountName,datasize,subject,status,file,file_count
The ESA never sends a combination of receiver and datasize. The ESA only logs a combination of sender and datasize. The ESA’s sender & receiver logs are linked only via the MID “message_identifier”.
Has anyone seen or done this integration with Cisco’s ESA and UEBA? Is it running in the correct way?
Thanks.
BR
Johann
-
UEBA Risk Score
LogPoint UEBA: User Risk Score How are the User Risk Scores being calculated (“weighted totals”, “fuzzy logic”, ...)?
-
What models are there for the "Active Directory Authentication" in UEBA?
Does anyone have some examples of the models that are used for the “Active Directory Authentication” data source? For example, does this depend on certain Event IDs being present in the logs, and if so how do they map to the models?
-
What are currently supported data sources for UEBA ?
One of our customers was asking if it's possible to add VPN logs as a data source for UEBA.
-
UEBA initial baseline
Hi, how long does it take for UEBA to perform the initial baseline after enabling data collection?
-
UEBA configuration
Hi
My customer just purchased a UEBA license for 500 users and they would like to know the earliest it will be active in their LogPoint dashboard, and when they will start to see “value”. Any experiences?
Kind regards,
-
Lots of violated fields in UEBA Dashboard
I am currently onboarding a logpoint instance on UEBA, and I have completed the entity selection. However, I am seeing a lot of “violated logs” in the UEBA Dashboard. What should I do about this?
-
How should I decide UEBA Entity Selection, LDAP vs CSV?
Hi Team,
Going through our user manual, it states that the entities can be selected either using an LDAP OU group as an enrichment source or a CSV as an enrichment source. What are some tried and true considerations that can help my customer decide which enrichment source to choose?