"User and Entity Behavior Analytics (UEBA) offers profiling and anomaly detection based on a range of analytics approaches, usually using a combination of basic analytics methods (e.g., rules that leverage signatures, pattern matching and simple statistics) and advanced analytics (e.g., supervised and unsupervised machine learning). Vendors use packaged analytics to evaluate the activity of users and other entities (hosts, applications, network traffic and data repositories) to discover potential incidents […]." - Gartner definition for UEBA

To put it simply, UEBA involves building a baseline of the normal behavioral patterns of the various entities (including users) tracked by your security monitoring apparatus - and flagging deviations from that baseline with varying degrees of confidence.

Despite what some UEBA vendors would have one believe through their marketing, these solutions will not work with your environment automagically. In practice, significant effort is required to supplement existing data sources, or to procure and enable new specialized ones, so that structured, complete logging for all entities of interest is available for your UEBA solution to consume.

Take processes, for example. A process as a concept spans all operating system platforms and can be described with a similar set of attributes (process ID, path, parent, user, hashes, and so on) and behaviors (start, terminate, fork, interact with files and sockets). As part of a UEBA or any threat hunting program, one might want to model non-system processes by their names, paths, hashes, parents or even remote connections. The modelling could help flag deviations - like a known process being started from an unusual path/parent or having an unseen hash - or simply support process white-listing. Implementing this would require instrumentation for process monitoring.

For Windows endpoints, that could mean enabling native process auditing or deploying sysmon across your domain. Both of these should be supported (parseable and usable for correlation) by major SIEM/UEBA vendors by now. IBM QRadar provides a sysmon content pack with an extensive set of use-cases including those for process baselining.

For Mac and Linux devices, you will have to configure and maintain native auditing capabilities to generate logs with the necessary attributes. These logs are non-standard and usually require parsing and custom property extraction, as well as tweaks to the UEBA solution.

The Solution

Once again, osquery to the rescue. With distributed fleet management in place, one can instrument cross-platform process monitoring logs by simply configuring differential logging of the following query across all your endpoints. If you don't have to deal with Windows, you may prefer to use the process_events table instead.

This would generate simple structured JSON logs that could be shipped to your SIEM using any available protocol or log forwarding agent.

Given the format, it should be a cakewalk to have them parsed in your system.

All you need to do is match the extracted property names to those used by your existing sysmon-based process baselining use-cases in your SIEM/UEBA solution, and you should be good to go, with one-time use-case tuning covering all your platforms.
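As an added example (not code from the original post), the steps above carried through in Python: osquery differential result lines are normalised to Sysmon ProcessCreate property names, then checked against a per-process baseline of known paths and hashes, which is the "unusual path / unseen hash" deviation described earlier. The log lines are constructed and assume a scheduled query named `process_monitoring` over the `processes` table joined with the `hash` table; the query itself is not reproduced from the post.

```python
import json
import re

# Constructed osquery differential-result lines (sample data, not from the original post).
# They assume a scheduled query named "process_monitoring" over the processes table joined
# with the hash table; the query the post refers to is not reproduced here.
SAMPLE_LOG = """\
{"name":"process_monitoring","hostIdentifier":"lx-web-01","unixTime":1700000000,"action":"added","columns":{"pid":"4121","name":"sshd","path":"/usr/sbin/sshd","cmdline":"/usr/sbin/sshd -D","cwd":"/","uid":"0","parent":"1","sha256":"0a1b2c"}}
{"name":"process_monitoring","hostIdentifier":"lx-web-01","unixTime":1700000030,"action":"removed","columns":{"pid":"4121","name":"sshd","path":"/usr/sbin/sshd","cmdline":"/usr/sbin/sshd -D","cwd":"/","uid":"0","parent":"1","sha256":"0a1b2c"}}
{"name":"process_monitoring","hostIdentifier":"lx-web-01","unixTime":1700000060,"action":"added","columns":{"pid":"5002","name":"sshd","path":"/tmp/.x/sshd","cmdline":"/tmp/.x/sshd","cwd":"/tmp/.x","uid":"1001","parent":"4999","sha256":"ff00ee"}}
"""

# osquery columns -> Sysmon ProcessCreate property names, so one set of SIEM use-cases
# consumes both Windows (Sysmon) and Mac/Linux (osquery) process events.
FIELD_MAP = {"pid": "ProcessId", "path": "Image", "cmdline": "CommandLine",
             "cwd": "CurrentDirectory", "parent": "ParentProcessId",
             "uid": "User"}  # numeric uid; join the users table if use-cases key on usernames

def to_sysmon_event(line):
    """Normalise one osquery differential result line into Sysmon-style properties."""
    rec = json.loads(line)
    cols = rec["columns"]
    ev = {FIELD_MAP[k]: v for k, v in cols.items() if k in FIELD_MAP}
    ev["Computer"] = rec["hostIdentifier"]
    ev["UtcTime"] = rec["unixTime"]
    if "sha256" in cols:                      # Sysmon encodes hashes as "ALG=hex"
        ev["Hashes"] = "SHA256=" + cols["sha256"]
    # a differential "added" row is a process start (ID 1), "removed" a termination (ID 5)
    ev["EventID"] = 1 if rec["action"] == "added" else 5
    return ev

def check_baseline(ev, baseline, learn=False):
    """Compare a process-start event with the per-name baseline of known paths and hashes.
    Returns deviation reasons (empty = normal); with learn=True unseen values are learnt."""
    if ev["EventID"] != 1:
        return []
    name = re.split(r"[\\/]", ev["Image"])[-1]   # basename for both / and \ style paths
    known = baseline.setdefault(name, {"Image": set(), "Hashes": set()})
    reasons = []
    for prop in ("Image", "Hashes"):
        value = ev.get(prop)
        if value is None or value in known[prop]:
            continue
        if learn:
            known[prop].add(value)
        else:
            reasons.append(f"{name}: unseen {prop} {value}")
    return reasons
```

Learning from the first line and then checking the third flags the copy of sshd running from /tmp on both its path and its hash, while the "removed" line is ignored as a termination event.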

This approach leveraging osquery can similarly be used to implement cross-platform correlation or modelling for a host of endpoint-based entities and their behaviors.