Internal Destination Ports by Peer Group

The Internal Destination Ports by Peer Group model determines if a user's access to internal destination ports is significantly different from that user's defined group. If the user's access is deemed suspicious, a Sense Event is generated to increase the user's risk score.

Enable the Internal Destination Ports by Peer Group to determine if a user's access to internal destination ports is significantly different from that user's defined group. If a user's access to internal destination ports is significantly different from the user's defined group, it is deemed suspicious and a Sense Event is generated to increase the user's risk score. Users are grouped and analyzed based on the Group by field.
Important: You must have a minimum of two defined groups that each contains 5 or more users. If you change the group selection, a new model needs to be constructed. A significant amount of time and computer resources are required to complete the model creation. It is not recommended to change this value frequently.

Event name

UBA : Abnormal usage of internal destination port for peer group

sensevalue

5

Required configuration

Select a group from the group by field, such as job title, department, or custom group in order to enable the model. Groups are defined in the user import tuning configuration originating from the user import data. For more information, see Tuning user import configurations.

Configure the Network Hierarchy to help with the accuracy of determining internal destination ports.

Log source types

All events that have a defined username and local destination port.