Reference Guide
Threat Analytics and Response Engine Configuration
The Threat Analytics and Response Engine comes pre-installed with default settings, including the anomaly weights used for score calculation. The various anomalies found in the data, such as user session times, access protocol, executed commands, connected users, and devices, contribute to the score calculation in distinct ways.

The engine employs machine learning algorithms to identify deviations from expected user and device behavior. Instead of relying on static, rule-based threat detection, it dynamically detects anomalies by statistically analyzing user and device interactions within your network environment.

Note that the calculated risk scores and the number of anomalies detected vary with system usage and network conditions. To keep detection effective, continuously monitor the system's performance and adjust the parameters below to your specific requirements.

The configuration parameters for the Threat Analytics and Response Engine, with their descriptions, are listed below.

User weight parameters (user-based anomaly detection)

These parameters are used to calculate the risk score for anomalies regarding users. Every weight takes a value in the range 0 to 1. As a value approaches 0, the significance of that attribute in determining the risk score diminishes; as it approaches 1, the impact of that attribute on the risk score calculation intensifies.

Parameter key: host
Value range: 0 to 1
Description: Weight of host-information anomalies (the hosts a user connects to) in the user's anomaly risk score.

Parameter key: access protocol
Value range: 0 to 1
Description: Weight of access-protocol anomalies in the user's anomaly risk score. It is used in particular to detect a connection to a device with the same IP address over a different protocol than usual.

Parameter key: client ip
Value range: 0 to 1
Description: Weight of anomalies in the client IP address information associated with the user's connection in the user's anomaly risk score.

Parameter key: date
Value range: 0 to 1
Description: Weight of session start date and time anomalies in the user's anomaly risk score.

Parameter key: command
Value range: 0 to 1
Description: Weight of anomalies in the commands run or operations performed within the session in the user's anomaly risk score.

Host weight parameters (device-based anomaly detection)

These parameters are used to calculate the risk scores of connected devices. As above, every weight takes a value in the range 0 to 1; a value near 0 makes the attribute insignificant for the device's risk score, a value near 1 makes it dominant.

Parameter key: user name
Value range: 0 to 1
Description: Weight of anomalies in the linked username information (the users connecting to the device) in the device's anomaly risk score.

Parameter key: access protocol
Value range: 0 to 1
Description: Weight of access-protocol anomalies in the device's anomaly risk score. It is used in particular to detect a connection to a device with the same IP address over a different protocol than usual.

Parameter key: client ip
Value range: 0 to 1
Description: Weight of anomalies in the client IP address information associated with the connection in the device's anomaly risk score.

Parameter key: date
Value range: 0 to 1
Description: Weight of session start date and time anomalies in the device's anomaly risk score.

Parameter key: command
Value range: 0 to 1
Description: Weight of anomalies in the commands run or operations performed within the session in the device's anomaly risk score.

General parameters

Parameter key: max fit size
Default value: 100000
Description: The amount of data used by the Threat Analytics and Response Engine for anomaly detection, i.e. how much historical data is retained for anomaly detection purposes. Increasing the default value can enhance accuracy by incorporating more data into anomaly detection, but it may lead to performance issues. It is recommended to keep the default value for optimal performance.

Parameter key: port
Default value: 5011
Description: Port of the Threat Analytics and Response Engine.

Parameter key: contamination
Default value: 0.01
Description: The proportion of the data window specified by "max fit size" that is expected to be anomalous (0.01 means one percent). Increasing this value raises the sensitivity of anomaly detection, resulting in the identification of more anomalies, and with them more false positives to triage. Decreasing it reduces sensitivity, leading to the detection of fewer anomalies.

Changing the weight of anomalies

1. Log in to the Threat Analytics and Response Engine CLI.
2. Navigate to the /u01/loganomaly/loganomaly/config folder.
3. Open the config.json file with a text editor and edit the weights to fine-tune anomaly detection. Set values between 0 and 1. The default file looks like this (key names as shown in this guide; use the exact key names present in your installed config.json):

    {
      "weightofkeys": {
        "user": {
          "host": 0.5,
          "access protocol": 0.05,
          "client ip": 0.05,
          "date": 1,
          "command": 1
        },
        "host": {
          "user name": 0.5,
          "access protocol": 0.05,
          "client ip": 0.05,
          "date": 1,
          "command": 1
        }
      },
      "max fit size": 100000,
      "port": 5011,
      "contamination": 0.01
    }

4. Save the config.json file. Before restarting, confirm the file is still valid JSON (for example with python3 -m json.tool config.json), because a syntax error will prevent the service from starting. Then restart the anomaly detection service:

    ]# systemctl restart uba log anomaly

The unit name is shown as it appears in this guide; confirm the exact service name on your system (for example with systemctl list-units --type=service | grep -i anomaly) before restarting. The new weights apply only after the restart.
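The following Python script is an added example and is not part of the product or of this reference guide. It validates a config.json against the value ranges in the tables above, changes one weight safely, and shows how the default weights make an unusual command move a session's score far more than an unusual protocol does. The score formula (a normalised weighted sum of the flagged attributes) and the upper bound of 0.5 on contamination are assumptions made for illustration; the engine's actual scoring algorithm is not documented here. The key names are taken as they appear in the guide, and the embedded config is a constructed copy of the defaults above.

```python
"""Validate a Threat Analytics and Response Engine config.json and show how
the anomaly weights shape a risk score.

Added example, not the engine's own code. Validation follows the value
ranges in the parameter tables; risk_score() is an ASSUMED formula used
only to illustrate relative weights, not the engine's real algorithm.
"""
import json
from typing import Dict, List

# Constructed sample mirroring the default config.json shown in the guide.
SAMPLE_CONFIG = """{
  "weightofkeys": {
    "user": {"host": 0.5, "access protocol": 0.05, "client ip": 0.05, "date": 1, "command": 1},
    "host": {"user name": 0.5, "access protocol": 0.05, "client ip": 0.05, "date": 1, "command": 1}
  },
  "max fit size": 100000,
  "port": 5011,
  "contamination": 0.01
}"""

# Weight keys each section must carry, as listed in the parameter tables.
EXPECTED_KEYS = {
    "user": {"host", "access protocol", "client ip", "date", "command"},
    "host": {"user name", "access protocol", "client ip", "date", "command"},
}


def load_config(text: str) -> dict:
    """Parse config.json text; raises json.JSONDecodeError on a syntax error."""
    return json.loads(text)


def _is_number(v) -> bool:
    # bool is a subclass of int in Python, so reject it explicitly.
    return isinstance(v, (int, float)) and not isinstance(v, bool)


def validate_config(cfg: dict) -> List[str]:
    """Return a list of problems; an empty list means the config is acceptable."""
    problems = []
    weights = cfg.get("weightofkeys", {})
    for section, keys in EXPECTED_KEYS.items():
        sec = weights.get(section)
        if not isinstance(sec, dict):
            problems.append(f"missing weight section '{section}'")
            continue
        for key in sorted(keys):
            val = sec.get(key)
            if not _is_number(val) or not 0 <= val <= 1:
                problems.append(f"{section}.{key}: weight {val!r} not in [0, 1]")
    fit = cfg.get("max fit size")
    if not _is_number(fit) or isinstance(fit, float) or fit <= 0:
        problems.append(f"max fit size {fit!r} must be a positive integer")
    port = cfg.get("port")
    if not _is_number(port) or isinstance(port, float) or not 1 <= port <= 65535:
        problems.append(f"port {port!r} not in 1..65535")
    cont = cfg.get("contamination")
    # Assumption: contamination is a proportion of the window flagged as anomalous,
    # so it must be positive and (as in common isolation-forest estimators) at most 0.5.
    if not _is_number(cont) or not 0 < cont <= 0.5:
        problems.append(f"contamination {cont!r} not in (0, 0.5]")
    return problems


def risk_score(weights: Dict[str, float], flagged: Dict[str, bool]) -> float:
    """ASSUMED illustrative score in [0, 1]: sum of the weights of flagged
    attributes divided by the sum of all weights in the section."""
    total = sum(weights.values())
    if total == 0:
        return 0.0
    hit = sum(w for k, w in weights.items() if flagged.get(k, False))
    return round(hit / total, 4)


def set_weight(cfg: dict, section: str, key: str, value: float) -> dict:
    """Return a deep copy of cfg with one weight changed; refuse values outside [0, 1]."""
    if not _is_number(value) or not 0 <= value <= 1:
        raise ValueError(f"weight must be between 0 and 1, got {value!r}")
    if key not in EXPECTED_KEYS.get(section, set()):
        raise KeyError(f"unknown weight {section}.{key}")
    new = json.loads(json.dumps(cfg))  # deep copy via JSON round-trip
    new["weightofkeys"][section][key] = value
    return new


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print("problems:", validate_config(cfg))
    user_w = cfg["weightofkeys"]["user"]
    # Same session, different anomalies: with the defaults a new protocol barely
    # moves the score (weight 0.05) while an unusual command dominates it (weight 1).
    print("protocol only:", risk_score(user_w, {"access protocol": True}))
    print("command only: ", risk_score(user_w, {"command": True}))
    print("command+date: ", risk_score(user_w, {"command": True, "date": True}))
    tuned = set_weight(cfg, "user", "access protocol", 0.5)
    print("protocol, weight raised to 0.5:",
          risk_score(tuned["weightofkeys"]["user"], {"access protocol": True}))
    print(json.dumps(tuned, indent=2))
```

Run it against your own file by replacing SAMPLE_CONFIG with the contents of config.json; an empty problems list before the restart is the check worth having, since an out-of-range weight or a malformed file is otherwise discovered only when the service fails to start.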