UEBA common challenges

This topic describes the common challenges UEBA users face and the best practices to address these challenges.

User Coalescing – Multiple LDAP fields are used for aliases

Complete the procedure to address this challenge:

  1. Identify one or two aliases/attributes for users that are unique across all AD instances.
  2. Start small and add more attributes only if needed.
  3. Recommended attributes:
    • sAMAccountName
    • uid
    • userPrincipalName
    • cn
    • mail
    Note: This procedure can also improve UEBA performance because fewer user records are created.
Figure: User coalescing

Display Fields – Multiple fields are configured for Display name and Full name

Inconsistent use of Display name and Full name can cause confusion. Complete the procedure to address this challenge:

  1. Identify the correct attribute for each field that is shown in the user profile.
  2. If both the distinguishedname and displayname attributes are configured for Display name, Display name uses the distinguishedname attribute when it is available.
  3. Display name uses the first available attribute in the configured order.
Figure: Display name and Full name
Figure: User details
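The two procedures above (coalescing on a small set of unique alias attributes, and resolving Display name by attribute order) can be checked offline before touching the UEBA configuration. The following is an added example and not IBM QRadar UEBA product code; the records are constructed, and the alias list, attribute names and the union-find merge are assumptions made for the illustration. It shows that merging on the recommended unique attributes keeps two different people apart, while adding a non-unique alias such as cn collapses them into one record.

```python
"""Added example (not QRadar UEBA product code): coalesce identity records from
several directories on a small set of unique alias attributes, then resolve the
Display name by the configured attribute order."""
from collections import defaultdict
from typing import Dict, List, Optional, Sequence

Record = Dict[str, Optional[str]]

# Constructed sample: Jane Doe exists in two domains (same mail, different
# logon names); a second, unrelated Jane Doe shares only her common name (cn).
SAMPLE_RECORDS: List[Record] = [
    {"source": "corp.example", "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@corp.example", "mail": "jane.doe@example.com",
     "cn": "Jane Doe", "displayname": "Jane Doe",
     "distinguishedname": "CN=Jane Doe,OU=Users,DC=corp,DC=example"},
    {"source": "emea.example", "sAMAccountName": "jane.doe",
     "userPrincipalName": "jane.doe@emea.example", "mail": "jane.doe@example.com",
     "cn": "Jane Doe", "displayname": None,
     "distinguishedname": "CN=Jane Doe,OU=Staff,DC=emea,DC=example"},
    {"source": "emea.example", "sAMAccountName": "jdoe2",
     "userPrincipalName": "jdoe2@emea.example", "mail": "jane.doe2@example.com",
     "cn": "Jane Doe", "displayname": "Jane Doe (Finance)",
     "distinguishedname": "CN=Jane Doe,OU=Finance,DC=emea,DC=example"},
]

# Assumed starting point: attributes that are unique across all directories.
RECOMMENDED_ALIASES: Sequence[str] = ("userPrincipalName", "mail", "sAMAccountName")


def coalesce(records: List[Record], alias_attrs: Sequence[str]) -> List[List[Record]]:
    """Merge records that share any alias value (union-find over record indexes).

    Alias values are compared case-insensitively, as LDAP does for these attributes.
    """
    parent = list(range(len(records)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    def union(a: int, b: int) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen: Dict[tuple, int] = {}
    for idx, rec in enumerate(records):
        for attr in alias_attrs:
            value = rec.get(attr)
            if not value:
                continue
            key = (attr, value.lower())
            if key in first_seen:
                union(first_seen[key], idx)
            else:
                first_seen[key] = idx

    groups: Dict[int, List[Record]] = defaultdict(list)
    for idx, rec in enumerate(records):
        groups[find(idx)].append(rec)
    return list(groups.values())


def resolve_display_name(group: List[Record], order: Sequence[str]) -> Optional[str]:
    """Return the first attribute in `order` that any record of the coalesced user carries."""
    for attr in order:
        for rec in group:
            value = rec.get(attr)
            if value:
                return value
    return None


if __name__ == "__main__":
    for aliases in (RECOMMENDED_ALIASES, tuple(RECOMMENDED_ALIASES) + ("cn",)):
        groups = coalesce(SAMPLE_RECORDS, aliases)
        print(f"aliases={aliases}: {len(groups)} user record(s)")
        for group in groups:
            print("  ", resolve_display_name(group, ("distinguishedname", "displayname")))
```

Run the script once with the recommended aliases and once with cn added: the first configuration yields two users, the second wrongly merges all three records into one, which is exactly the outcome the "start small" advice avoids. The display-name order ("distinguishedname", "displayname") reproduces the rule in step 2: the distinguishedname value wins whenever any record has one.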

User Discovery – Users discovered from events vs. users imported from Active Directory

Complete the procedure to address this challenge:

  • Enable the Monitor imported user only setting in QRadar Settings if your use case requires you to monitor only users imported from AD.
Note: This setting is also useful when you have only recently started using UEBA. After all the needed users are imported from AD, you can then discover users from events and monitor their risks.
Figure: Users discovered from events
Figure: Application Settings

LDAP Filters – Setting a wrong filter or no filter could lead to a large amount of identities getting imported to UEBA

Complete the procedure to address this challenge:

  1. Set LDAP filters in the LDAP server configuration. For example:
    • (objectClass=person) : All users and service accounts are coalesced.
    • (objectClass=user) : Only user accounts are coalesced.
  2. For more information about constructing LDAP filters, see https://ldap.com/ldap-filters/.
Note:
  • Default retrieval limit: UBA retrieves users in chunks, and the default retrieval limit is 500,000.
  • A slow LDAP connection can cause timeouts.
  • Set the chunk size to around 100,000 to retain system stability.
Figure: LDAP server configuration
Figure: Polling interval and Retrieval limit
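Because a wrong or missing filter can pull a very large identity set into UEBA, it is worth previewing what a filter selects before saving it. The following is an added example, not QRadar or UEBA product code: a small evaluator for the subset of RFC 4515 filter syntax shown on this page (equality, presence with *, simple wildcards, and the &, |, ! operators). The directory entries are constructed; their objectClass sets are chosen to mirror the page's distinction between (objectClass=person) and (objectClass=user), and a computer account is included because in Active Directory the computer class derives from user and is therefore selected by (objectClass=user) unless excluded explicitly. The filter strings other than the two on the page are assumptions added for illustration.

```python
"""Added example (not QRadar/UEBA product code): evaluate a simple LDAP filter
against constructed directory entries to preview which identities it selects."""
import re
from typing import Dict, List

Entry = Dict[str, List[str]]  # attribute name -> list of values (LDAP attributes are multi-valued)


def parse_filter(text: str):
    """Parse an RFC 4515 filter subset into a tuple tree; raise ValueError if malformed."""
    pos = 0

    def peek() -> str:
        return text[pos] if pos < len(text) else ""

    def expect(ch: str) -> None:
        nonlocal pos
        if peek() != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        op = peek()
        if op in ("&", "|"):
            pos += 1
            children = []
            while peek() == "(":
                children.append(node())
            if not children:
                raise ValueError(f"{op!r} needs at least one operand")
            result = (op, children)
        elif op == "!":
            pos += 1
            result = ("!", [node()])
        else:
            end = text.find(")", pos)
            if end < 0:
                raise ValueError("unterminated filter component")
            attr, sep, value = text[pos:end].partition("=")
            if not sep or not attr or not value:
                raise ValueError(f"bad component {text[pos:end]!r}")
            result = ("=", attr.strip().lower(), value)
            pos = end
        expect(")")
        return result

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing characters at offset {pos} in {text!r}")
    return tree


def is_valid_filter(text: str) -> bool:
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def _value_matches(pattern: str, value: str) -> bool:
    # LDAP string matching is case-insensitive; '*' is the only wildcard handled here.
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, value.lower()) is not None


def matches(tree, entry: Entry) -> bool:
    op = tree[0]
    if op == "&":
        return all(matches(child, entry) for child in tree[1])
    if op == "|":
        return any(matches(child, entry) for child in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, pattern = tree
    values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
    if pattern == "*":          # presence filter
        return bool(values)
    return any(_value_matches(pattern, v) for v in values)


def preview_import(filter_text: str, entries: List[Entry]) -> List[str]:
    """Return the sAMAccountName of every entry the filter would import."""
    tree = parse_filter(filter_text)
    return [e["sAMAccountName"][0] for e in entries if matches(tree, e)]


# Constructed sample directory: two users, two service accounts, one computer account.
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES: List[Entry] = [
    {"sAMAccountName": ["jdoe"], "objectClass": USER_CLASSES, "mail": ["jane.doe@example.com"]},
    {"sAMAccountName": ["jsmith"], "objectClass": USER_CLASSES},
    {"sAMAccountName": ["svc_backup"], "objectClass": ["top", "person"]},
    {"sAMAccountName": ["svc_monitor"], "objectClass": ["top", "person"]},
    {"sAMAccountName": ["WS01$"], "objectClass": USER_CLASSES + ["computer"]},
]

if __name__ == "__main__":
    for f in ("(objectClass=person)", "(objectClass=user)",
              "(&(objectClass=user)(!(objectClass=computer)))", "(&(objectClass=user)(mail=*))"):
        print(f"{f:50s} -> {preview_import(f, SAMPLE_ENTRIES)}")
```

Against the sample, (objectClass=person) selects all five entries, (objectClass=user) drops the two service accounts but still includes the computer account, and the AND/NOT form narrows the import to the two human users. The parser rejects an unbalanced filter such as (objectClass=person with a ValueError, which is the kind of typo that otherwise silently results in no filter being applied.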

Enabling Index – Having this disabled could lead to search performance issues and overall app slowness

Complete the procedure to address this challenge:

  • Enable Index in QRadar® to optimize system performance.
Figure: Enable Index