Forum Discussion

-jmn-
Copper Contributor
Aug 09, 2022

Feature Request: Entity Annotation

So I was investigating an incident where a user had signed in from a TOR exit node on an AAD Joined device. After investigating, I had found that they had a commercial VPN, and their endpoints also served as exit nodes. So they weren't actually using TOR, but their traffic was coming from an exit node. The device is part of a group with more lax controls, so this is absolutely allowed (I can't really explain more, I would love to go to town with this stuff and remove it, but that isn't my call).


So I was in a situation where I can't tune, because I need Defender device logs to see if it's the VPN (too high ingestion), and I can't just allow the IPs as they are TOR exit nodes.


Which gave me the idea of having annotations on the entities in UEBA. So in this case, I could say "known to use a VPN which also acts as TOR exit nodes, check source IP" or something similar. It saves having to create a separate knowledge base and keep it up to date with data from all security products.


Would also be useful for users too. I have a user who frequently mass deletes files at a certain time on a certain day, which triggers DLP rules. I could add the conditions of that behaviour as an annotation, rather than having to write a crazy analytics rule which has to check the day and time, user and SharePoint site, plus other exclusions.


Something like the comments thread on incidents will suffice.
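Until a native annotation feature exists, the workaround the post describes (a separately maintained knowledge base) can be kept in a Microsoft Sentinel watchlist and joined into the analytics rules. The two KQL queries below are an added illustration, not code from the poster or from Microsoft. They assume a watchlist with alias `EntityAnnotations` and constructed columns `Entity`, `EntityType`, `Annotation`, `ExpectedDay` (0 = Sunday) and `ExpectedHourUtc`; the threshold of 100 deletions per hour is also an assumed value.

```kql
// Added example: emulate per-entity annotations with a Sentinel watchlist.
// Assumed watchlist alias 'EntityAnnotations' with constructed columns
// Entity, EntityType, Annotation, ExpectedDay, ExpectedHourUtc.

// Query 1: sign-ins that Identity Protection flags as coming from an
// anonymizer (TOR exit node). Rather than allow-listing the exit-node IPs,
// the device's annotation is surfaced next to the sign-in so the analyst
// sees "uses a VPN whose endpoints are TOR exit nodes" without leaving the
// incident.
let Annotations = _GetWatchlist('EntityAnnotations')
    | project Entity = tolower(tostring(Entity)), EntityType, Annotation,
              ExpectedDay, ExpectedHourUtc;
SigninLogs
| where TimeGenerated > ago(1d)
| where RiskEventTypes has "anonymizedIPAddress"
| extend DeviceName = tolower(tostring(DeviceDetail.displayName))
| join kind=leftouter (Annotations | where EntityType == "Device")
    on $left.DeviceName == $right.Entity
| project TimeGenerated, UserPrincipalName, IPAddress, DeviceName,
          RiskLevelDuringSignIn, Annotation

// Query 2 (run separately): mass deletion in SharePoint, suppressed only
// when the user has an annotation and the event lands in the annotated
// day/hour window. Any deletion outside that window still alerts, and the
// annotation text travels with the result for context.
let Annotations = _GetWatchlist('EntityAnnotations')
    | project Entity = tolower(tostring(Entity)), EntityType, Annotation,
              ExpectedDay, ExpectedHourUtc;
let MassDeleteThreshold = 100;   // assumed threshold, tune per tenant
OfficeActivity
| where TimeGenerated > ago(1h)
| where OfficeWorkload == "SharePoint" and Operation == "FileDeleted"
| summarize Deleted = count(), Sites = make_set(Site_Url)
    by UserId = tolower(UserId), TimeGenerated = bin(TimeGenerated, 1h)
| where Deleted > MassDeleteThreshold
| join kind=leftouter (Annotations | where EntityType == "User")
    on $left.UserId == $right.Entity
// dayofweek() returns a timespan (Sunday = 0d); compare against the
// annotated day by multiplying the stored integer by 1d.
| extend InExpectedWindow = isnotempty(Annotation)
    and dayofweek(TimeGenerated) == toint(ExpectedDay) * 1d
    and hourofday(TimeGenerated) == toint(ExpectedHourUtc)
| where not(InExpectedWindow)
| project TimeGenerated, UserId, Deleted, Sites, Annotation
```

The join is `leftouter` in both queries on purpose: an entity with no annotation still produces a row, so a missing or stale watchlist entry fails safe (alerts fire) rather than silently suppressing detections. The first query never suppresses anything; it only enriches, which is the right default for an anonymizer signal on a device that is known to route through exit nodes.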

