UEBA Tags
The AI module runs on Super and Worker nodes. All Agent activity is routed to one node in a sticky manner. If a Worker is down, Agent events are routed to another Worker. If a Worker is added, then new Agents are routed to that Worker. Additionally, AI models are now persisted across AI module restarts.
AI alerts can be monitored in the UEBA View in the Incidents page. See UEBA View.
AI inspects the events for specific characteristics, as defined in the AI tag definitions, and applies the appropriate tags to events that match.
Follow these steps to set tags:
- Click Admin > Settings > Analytics > UEBA Tags.
- Click + to create a new tag.
- Provide values for the following fields:
- Enabled - Select this option to allow FortiSIEM to monitor the alert.
- ID (required) - A user-defined ID. Only these characters are allowed: a-z, A-Z, 0-9, and the underbar character (_).
- Name (required) - The user-defined name for the entity. Only these characters are allowed: a-z, A-Z, 0-9, and white space.
- Description - An optional description of the alert.
- Weight - Select a value from the drop-down list. The values can range from Never Alert (-5) to Always Alert (+5).
- Rules
- Field - Choose a value from the drop-down list. Available values are Machine ID, User, Application, Activity, Resource, and Resource Filename.
- Relation - Choose a value from the drop-down list. Available values are =, !=, CONTAIN, NOT CONTAIN, MATCH, NOT MATCH, START WITH, NOT START WITH, END WITH, and NOT END WITH.
- Value - A comma-separated list of values. These values can be user-defined.
- Click + or - to add or delete rows in the Rules list.
- Click Save.
The following functions are also available for UEBA tags:
Note: System UEBA tags cannot be edited or deleted. If you wish to edit a System UEBA tag, you can clone it and then enable it.
- Edit (
) - Modify a user UEBA tag. - Delete (
) - Delete a user UEBA tag. - Clone (
) - Duplicate a UEBA tag.