2.5 Configuring Behavioral Analytics

You can integrate Risk Service with Micro Focus Interset to leverage its User and Entity Behavioral Analytics (UEBA) capability. Using the organization's data, Interset establishes the normal behavior for the organizational entities. Interset then uses advanced analytics and machine learning to identify the anomalous behaviors that constitute potential risks, such as compromised accounts, insider threats, or other cyber threats.

How It Works

Risk Service periodically fetches risk scores for all entities from Interset and keeps the latest scores in its cache. While configuring Interset, you must configure it to receive data from the various applications used in your organization; Interset analyzes the behavior of entities and users from this data.

The following diagram illustrates how this integration works:

  1. A user tries to log in to a protected resource.

  2. Risk Service checks the behavioral risk score for this user in the risk score cache.

    Risk Service keeps retrieving the latest behavioral risk scores for all entities at a regular interval and updates the cache.

  3. Risk Service assesses the score and takes appropriate action.

For more information about Interset UEBA, see User and Entity Behavioral Analytics.

For step-by-step details for integrating Risk Service with Interset, see the following resources:

Prerequisites for Configuring Interset Details

Before you start configuration, ensure that you have the following information with you:

  • An ArcSight Intelligence (formerly Interset) account on AWS. For more information, see ArcSight Intelligence.

  • The AWS S3 Interset URL from which you want to get the data

  • The AWS region name

  • The AWS access key ID and secret access key required to access the AWS S3 Interset URL

Configuring Interset Details
  1. On the Risk Settings page, click the Configuration icon > Behavioral Analytics.

  2. Select Enable.

  3. Specify the following details:

    Field               Description
    Interset Data URL   The AWS S3 bucket URL from which you want to get the Interset data.
    AWS Region          The AWS region where Interset is deployed.
    Access Key ID       The AWS access key ID used to access the Interset URL.
    Secret Access Key   The AWS secret access key used to access the Interset URL.
    Update every        The interval for syncing the data from Interset. The recommended value is 360 minutes (sync four times a day).

    NOTE: To prevent disruption of service, ensure that the Access Key ID and Secret Access Key specified here are kept up to date when the keys are rotated as per AWS guidelines.

  4. Click Save.

    An external parameter rule is configured with the appropriate Interset-specific values. The rule is named BehavioralAnalyticsRule.

  5. Go to Risk Rules. Click BehavioralAnalyticsRule, verify, and edit it if required.

    By default, this rule considers any user with an Interset score less than 50 to be a low-risk user. You can modify this rule to change how the score from Interset is interpreted: you can change Negate Result and the value for the score (the default score condition is < 50). Do not modify any other field.

    Field             Details
    Negate Result     Select this option to reverse the result of the rule evaluation.
    Parameters Set 1  Modify the value for the score parameter, if required.

  6. Add BehavioralAnalyticsRule to a risk policy. Assign the risk score and the levels to configure appropriate weightage to the behavioral risk score.

    See Configuring a Risk Policy.
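As an added illustration (not code from Risk Service or Interset), the following Python model shows the semantics described above: a score cache refreshed at the Update every interval, and a rule that treats a score below the threshold as low risk, with Negate Result reversing the verdict. The class names, the sample scores, and the handling of a user with no cached score are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional

# Constructed sample scores standing in for the Interset S3 data (hypothetical values).
SAMPLE_SCORES: Dict[str, float] = {"alice": 12.0, "bob": 87.5}


@dataclass
class BehavioralRule:
    """BehavioralAnalyticsRule: only the threshold (score < 50 by default) and Negate Result are edited."""
    threshold: float = 50
    negate: bool = False

    def matches(self, score: Optional[float]) -> Optional[bool]:
        # Assumption of this example: a user with no cached score gets no verdict (None).
        if score is None:
            return None
        low_risk = score < self.threshold
        return (not low_risk) if self.negate else low_risk


@dataclass
class RiskScoreCache:
    """Latest Interset scores, refreshed every 'Update every' minutes."""
    update_every: timedelta = timedelta(minutes=360)
    scores: Dict[str, float] = field(default_factory=dict)
    last_sync: Optional[datetime] = None

    def is_stale(self, now: datetime) -> bool:
        return self.last_sync is None or now - self.last_sync >= self.update_every

    def refresh(self, fetched: Dict[str, float], now: datetime) -> None:
        self.scores, self.last_sync = dict(fetched), now


def evaluate(user: str, cache: RiskScoreCache, rule: BehavioralRule, now: datetime,
             fetch: Callable[[], Dict[str, float]] = lambda: dict(SAMPLE_SCORES)) -> Optional[bool]:
    # Step 2 of the login flow: refresh the cache if the sync interval has elapsed, then apply the rule.
    if cache.is_stale(now):
        cache.refresh(fetch(), now)
    return rule.matches(cache.scores.get(user))


def demo() -> Dict[str, Optional[bool]]:
    t0 = datetime(2024, 1, 1, 8, 0)
    cache, rule = RiskScoreCache(), BehavioralRule()
    return {
        "alice_low_risk": evaluate("alice", cache, rule, t0),  # 12.0 < 50
        "bob_low_risk": evaluate("bob", cache, rule, t0),      # 87.5 is not < 50
        "carol_unknown": evaluate("carol", cache, rule, t0),   # not in the cache
        "fresh_at_359_min": not cache.is_stale(t0 + timedelta(minutes=359)),
        "stale_at_360_min": cache.is_stale(t0 + timedelta(minutes=360)),
    }
```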