How to Build Effective Event Analysis Policies

What is an Event Analysis Policy?

Event Analysis policies monitor UEBA activities.  As a "Build-Your-Own" policy, these policies can have multiple which also allows for more than one of its kind to cover various UEBA activities.  Below will take you though the different options available when creating one of these policies.

Criteria in Policy Configuration

Severity

The Severity of the policy is dependent on what is being monitored and its importance to the environment.  For example, a policy monitoring failed logins might classify the event as critical if they had sensitive data and need to know of any possible breaches.  The Severity of the policy is completely up to the discretion of the admin creating or modifying the policy.

Platform

The platforms in your environment are listed so you can choose to monitor all platforms or only certain platforms.  If for example, you were creating a policy to monitor Box users' download activity, you would want to specify Box as the platform. Multiple platforms can also be selected for monitoring.

Allow/Block Lists

Under Countries you have the option to list countries that might be considered risky or could cause incidents in a velocity policy (if someone logs into another country just minutes after being logged in across the globe).  This would be useful if a company had offices abroad with VPN access and did not want incidents triggered every time users logged in through their legitimate connections.  Block listing countries is for listing any countries you definitely want to trigger incidents if any activities at all take place there.

Events 

Events are listed by platform that Cisco Cloudlock pulls in as raw events from the respective APIS. You can choose to monitor all possible user behavior or specific types of events.  Equally so you can choose to exclude certain activities instead if you want most behavior monitored but not all of it.

Velocity

Velocity allows you to monitor user activity across the globe when two separate events take place in separate, distant locations within a short period of time.  Once enabled you can use the default or set your own velocity by modifying the speed, distance and time range of the events.

Users

You can choose to monitor all users within a domain (or monitoring scope) or specific users, groups and OUs. This would be useful in a policy where only a specific department belonging to an OU needed to be monitored instead of the entire domain. You can also choose to exclude users from monitoring by individual, groups or OUs.  Similarly to monitoring specific users, you would exclude users or groups if they were an exception to the case.  For example, a certain department may not need monitoring for the policy you are creating and can be left out.

Trusted IPs

Just like the trusted countries, you can also add a list of specific IP addresses that do not need to be monitored.  This could include international office VPNs or IPs or sometimes even platform servers.  Enabling the Trusted IP Library adds a list of IPs added by the user and Cisco Cloudlock's own library of trusted IPs.

Risky IPs

Similarly to the risky countries you can add to the library of risky IPs or specify certain IPs within that library that you want monitored.  You can auto-populate a list provided by the CyberLab team of Cisco Cloudlock and add any IPs you have verified or suspect to be malicious.