USM Anywhere™

User Behavior Analytics

User behavior analytics (UBA) extends your USM Anywhere Sensor's awareness by enabling it to track actors as well as assets within your environment. With UBA, USM Anywhere can help you identify malicious or compromised usersIn UBA, users are the authenticated people (or service accounts) taking actions in your environment., and enable you to better prioritize alarmsAlarms provide notification of an event or sequence of events that require attention or investigation. with the addition of user data.

In addition to analyzing users, UBA also analyzes each of a user's separate accounts, and enables you to manually combine detected users to ensure that your user analytics are accurate. EventsAny traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall. and alarms can thus be enhanced with user data, including user entities and their individual accounts, as either the source user or the destination user.

To incorporate UBA into your USM Anywhere instance, you must provide information about all users acting in your environment. Each user must be identified by a unique username and account type.

Once users have been identified, there are several tasks that you must complete to ensure that complete and actionable data is being captured and acted upon. This chapter describes these necessary tasks, and covers topics such as user discovery and merging, user scans, user monitoringProcess of collecting all device status and event information and processing normalized events for evidence of vulnerabilities, possible attacks, and other malicious activity., and configuration.

This topic discusses these subtopics: