UEBA Settings

The integration with FortiInsight brings User Entity Behavior Analysis (UEBA) to FortiSIEM. Previous versions provided the integration via an API, requiring two separate installations. This integration needs only a single installation with no overlapping functionality.

AI alerts can be monitored in the UEBA View in the INCIDENTS page. See UEBA View.

For more information on FortiInsight, see the FortiInsight Administration Guide.

Setting UEBA Higher Risk Entities

UEBA Higher Risk Entities allow you to prioritize AI alerts that are most relevant to you by increasing the weight of events to High. This weighting will influence the AI model, similar to UEBA Tags. You can identify high-risk or business-critical entities, including file types, file paths, users, and groups.

Follow these steps to specify important entities:

  1. Click ADMIN > Settings > Analytics > UEBA Higher Risk Entities.
  2. The UEBA Higher Risk Entities dialog box contains the following fields. All of the fields are optional. In each field, use the + and - buttons to add or remove entries.
    • File Types - Enter the type of file you want to monitor, for example, .exe.
    • File Paths - Enter the path to the folder you want to monitor.
    • User Accounts - Enter the name of the Windows Agent-side user account you want to monitor.
    • Group Names - Enter the name of the Windows Agent-side group you want to monitor.
  3. Click Save.

Setting Tags

FortiInsight attempts to categorize anomalous events using tags. AI inspects the events for specific characteristics, as defined in the AI tag definitions, and applies the appropriate tags to events that match. Setting tags in FortiSIEM allows you to identify the FortiInsight tags that you want FortiSIEM to monitor.

Follow these steps to set tags:

  1. Click ADMIN > Settings > Analytics > UEBA Tags.
  2. Provide values for the following fields:
    1. Enabled - Select this option to allow FortiSIEM to monitor the alert.
    2. ID (required) - A user-defined ID. Only these characters are allowed: a-z, A-Z, 0-9, and the underscore character (_).
    3. Name (required) - The user-defined name for the entity. Only these characters are allowed: a-z, A-Z, 0-9, and white space.
    4. Description - An optional description of the alert.
    5. Weight - Select a value from the drop-down list. The values follow the categories defined for FortiInsight. The values can range from Never Alert (-5) to Always Alert (+5).
    6. Rules
      1. Field - Choose a value from the drop-down list. Available values are Machine ID, User, Application, Activity, Resource, and Resource Filename.
      2. Relation - Choose a value from the drop-down list. Available values are =, !=, CONTAIN, NOT CONTAIN, MATCH, NOT MATCH, START WITH, NOT START WITH, END WITH, and NOT END WITH.
      3. Value - A comma-separated list of values. These values can be user-defined or you can use values found in the FortiInsight AI alerts.
      4. Click + or - to add or delete rows in the Rules list.
  3. Click Save.
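The following is an added example, not FortiSIEM or FortiInsight code, that models how a UEBA tag definition (ID, Name, Weight, and its Field / Relation / Value rules) could be evaluated against alert events. The page does not state how rules combine, so this model assumes that all rules of a tag must match (AND), that a comma-separated Value list matches when any entry matches (OR), that the NOT relations are the negation of their positive counterparts over the whole list, that MATCH uses regular expressions, and that comparisons are case-insensitive. The sample alerts and tags are constructed for illustration.

```python
"""Toy evaluator for UEBA tag rules. Added example; not FortiSIEM code.

Assumptions (not stated on the page):
- a tag applies to an alert only if ALL of its rules match;
- a rule's comma-separated Value list matches if ANY entry matches;
- NOT relations negate the positive relation over the whole list;
- MATCH / NOT MATCH use Python regular expressions;
- comparisons are case-insensitive.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Field names from the page's Field drop-down.
FIELDS = {"Machine ID", "User", "Application", "Activity",
          "Resource", "Resource Filename"}

# Positive relations from the page's Relation drop-down.
_POSITIVE = {
    "=": lambda a, e: a.lower() == e.lower(),
    "CONTAIN": lambda a, e: e.lower() in a.lower(),
    "MATCH": lambda a, e: re.search(e, a, re.IGNORECASE) is not None,
    "START WITH": lambda a, e: a.lower().startswith(e.lower()),
    "END WITH": lambda a, e: a.lower().endswith(e.lower()),
}
# Each negated relation maps to the positive relation it inverts.
_NEGATED = {"!=": "=", "NOT CONTAIN": "CONTAIN", "NOT MATCH": "MATCH",
            "NOT START WITH": "START WITH", "NOT END WITH": "END WITH"}

_ID_RE = re.compile(r"^[A-Za-z0-9_]+$")   # ID: a-z, A-Z, 0-9, underscore
_NAME_RE = re.compile(r"^[A-Za-z0-9 ]+$")  # Name: a-z, A-Z, 0-9, white space


@dataclass
class Rule:
    field: str
    relation: str
    value: str  # comma-separated list, as typed into the Value box

    def matches(self, alert: dict) -> bool:
        if self.field not in FIELDS:
            raise ValueError(f"unknown field {self.field!r}")
        if self.relation in _POSITIVE:
            positive, negate = self.relation, False
        elif self.relation in _NEGATED:
            positive, negate = _NEGATED[self.relation], True
        else:
            raise ValueError(f"unknown relation {self.relation!r}")
        actual = alert.get(self.field, "")
        expected = [v.strip() for v in self.value.split(",") if v.strip()]
        hit = any(_POSITIVE[positive](actual, e) for e in expected)
        return (not hit) if negate else hit


@dataclass
class Tag:
    id: str
    name: str
    weight: int          # Never Alert (-5) .. Always Alert (+5)
    enabled: bool = True
    rules: list[Rule] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Enforce the character sets and weight range the page specifies.
        if not _ID_RE.match(self.id):
            raise ValueError(f"invalid tag ID {self.id!r}")
        if not _NAME_RE.match(self.name):
            raise ValueError(f"invalid tag name {self.name!r}")
        if not -5 <= self.weight <= 5:
            raise ValueError(f"weight {self.weight} outside -5..+5")

    def applies_to(self, alert: dict) -> bool:
        return self.enabled and all(r.matches(alert) for r in self.rules)


def score_alert(alert: dict, tags: list[Tag]) -> tuple[int, list[str]]:
    """Return the summed weight of all tags that apply and their IDs."""
    hits = [t for t in tags if t.applies_to(alert)]
    return sum(t.weight for t in hits), [t.id for t in hits]


# Constructed sample alerts (hypothetical; fields mirror the Field drop-down).
SAMPLE_ALERTS = [
    {"Machine ID": "WS-0042", "User": "jdoe", "Application": "explorer.exe",
     "Activity": "File Copy", "Resource": "E:\\removable\\q3-forecast.xlsx",
     "Resource Filename": "q3-forecast.xlsx"},
    {"Machine ID": "SRV-BACKUP-01", "User": "svc_backup",
     "Application": "robocopy.exe", "Activity": "File Copy",
     "Resource": "D:\\backup\\db.bak", "Resource Filename": "db.bak"},
]

# Constructed sample tags: one raises the weight of copies of office files
# to removable drives, one suppresses a known backup job.
SAMPLE_TAGS = [
    Tag("removable_media_copy", "Removable media copy", 4, rules=[
        Rule("Activity", "=", "File Copy"),
        Rule("Resource", "START WITH", "E:\\,F:\\"),
        Rule("Resource Filename", "END WITH", ".xlsx,.docx,.pdf"),
    ]),
    Tag("known_backup_job", "Known backup job", -5, rules=[
        Rule("User", "=", "svc_backup"),
        Rule("Application", "CONTAIN", "robocopy"),
    ]),
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(alert["Machine ID"], score_alert(alert, SAMPLE_TAGS))
```

Running the script scores the first sample alert +4 (the removable-media tag applies) and the second -5 (the backup-job tag applies), which is the kind of weighting the Weight field feeds into the AI model; a disabled tag contributes nothing regardless of its rules.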