UEBA Settings
The AI module runs on Super and Worker nodes. All activity from a given Agent is routed to one node in a sticky manner. If a Worker is down, that Worker's Agent events are routed to another Worker. If a Worker is added, new Agents are routed to that Worker. Additionally, AI models are now persisted across AI module restarts.
AI alerts can be monitored in the UEBA View in the INCIDENTS page. See UEBA View.
Setting UEBA Higher Risk Entities
UEBA Higher Risk Entities allow you to prioritize AI alerts that are most relevant to you by increasing the weight of events to High. This weighting will influence the AI model, similar to UEBA Tags. You can identify high-risk or business-critical entities, including file types, file paths, users, and groups.
Follow these steps to specify important entities:
- Click ADMIN > Settings > Analytics > UEBA Higher Risk Entities.
- The UEBA Higher Risk Entities dialog box contains the following fields. All of the fields are optional. In each field, use the + and - buttons to add or remove entries.
- File Types - Enter the type of file you want to monitor, for example, .exe.
- File Paths - Enter the path to the folder you want to monitor.
- User Accounts - Enter the name of the Windows Agent-side user account you want to monitor.
- Group Names - Enter the name of the Windows Agent-side group you want to monitor.
- Click Save.
Setting UEBA Tags
AI inspects the events for specific characteristics, as defined in the AI tag definitions, and applies the appropriate tags to events that match.
Follow these steps to set tags:
- Click ADMIN > Settings > Analytics > UEBA Tags.
- Provide values for the following fields:
- Enabled - Select this option to allow FortiSIEM to monitor the alert.
- ID (required) - A user-defined ID. Only these characters are allowed: a-z, A-Z, 0-9, and the underscore character (_).
- Name (required) - The user-defined name for the entity. Only these characters are allowed: a-z, A-Z, 0-9, and white space.
- Description - An optional description of the alert.
- Weight - Select a value from the drop-down list. The values can range from Never Alert (-5) to Always Alert (+5).
- Rules
- Field - Choose a value from the drop-down list. Available values are Machine ID, User, Application, Activity, Resource, and Resource Filename.
- Relation - Choose a value from the drop-down list. Available values are =, !=, CONTAIN, NOT CONTAIN, MATCH, NOT MATCH, START WITH, NOT START WITH, END WITH, and NOT END WITH.
- Value - A comma-separated list of values. These values can be user-defined.
- Click + or - to add or delete rows in the Rules list.
- Click Save.
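As an added illustration (not FortiSIEM code and not documented product behaviour), the following Python models a UEBA tag definition as the dialog describes it: the ID and Name character rules, the Weight range, the Enabled switch, and Field/Relation/Value rules evaluated against a constructed event. Assumed, because the page does not state them: MATCH is a regular-expression match, a comma-separated Value list matches when any entry matches, and all rules of one tag must match for the tag to apply.

```python
import re
from dataclasses import dataclass
ID_RE, NAME_RE = re.compile(r"[A-Za-z0-9_]+"), re.compile(r"[A-Za-z0-9 ]+")  # dialog's allowed chars

@dataclass
class Rule:
    field: str     # Machine ID, User, Application, Activity, Resource or Resource Filename
    relation: str  # =, !=, CONTAIN, NOT CONTAIN, MATCH, NOT MATCH, START WITH, ..., NOT END WITH
    values: str    # comma-separated list, as typed into the Value box
    def matches(self, event: dict) -> bool:
        actual = str(event.get(self.field, ""))
        wanted = [v.strip() for v in self.values.split(",") if v.strip()]
        negate = self.relation == "!=" or self.relation.startswith("NOT ")
        base = "=" if self.relation == "!=" else self.relation.removeprefix("NOT ")
        checks = {
            "=": lambda v: actual == v,
            "CONTAIN": lambda v: v in actual,
            "MATCH": lambda v: re.search(v, actual) is not None,  # assumption: regex match
            "START WITH": lambda v: actual.startswith(v),
            "END WITH": lambda v: actual.endswith(v),
        }
        hit = any(checks[base](v) for v in wanted)  # assumption: ANY listed value matches
        return not hit if negate else hit

@dataclass
class Tag:
    id: str
    name: str
    weight: int   # Never Alert (-5) .. Always Alert (+5)
    rules: list
    enabled: bool = True
    def __post_init__(self):
        if not (ID_RE.fullmatch(self.id) and NAME_RE.fullmatch(self.name) and -5 <= self.weight <= 5):
            raise ValueError(f"tag {self.id!r}: ID, Name or Weight is not allowed by the dialog")
    def applies(self, event: dict) -> bool:
        # Assumption: all rules of a tag must match (AND) for the tag to be applied.
        return self.enabled and all(r.matches(event) for r in self.rules)

def tag_event(event: dict, tags: list) -> list:
    # (ID, Weight) of every enabled tag whose rules match; these weights feed the model.
    return [(t.id, t.weight) for t in tags if t.applies(event)]
# Constructed sample tag definitions and event (not from the page).
TAGS = [
    Tag("exe_from_temp", "Exe From Temp", 4, [Rule("Resource Filename", "END WITH", ".exe, .scr"),
                                              Rule("Resource", "CONTAIN", "\\Temp\\")]),
    Tag("svc_account", "Service Account", -5, [Rule("User", "START WITH", "svc_")]),
    Tag("disabled_tag", "Disabled Tag", 5, [Rule("Activity", "=", "File Create")], enabled=False),
]
EVENT = {"User": "jdoe", "Activity": "File Create", "Resource Filename": "update.exe",
         "Resource": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"}
```

Calling `tag_event(EVENT, TAGS)` returns only the enabled tag whose rules all match, together with its weight.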