How should I decide UEBA Entity Selection, LDAP vs CSV?

  • 4 May 2021
  • 1 reply


Hi Team,

Going through our user manual, it states that the entities can be selected using either an LDAP OU group or a CSV as the enrichment source. What are some tried and true considerations that I can use to help my customer decide which enrichment source to choose?


Best answer by Rupsan Shrestha 4 May 2021, 08:00


If you have a properly set up LDAP, I would recommend using LDAP OUs. To be precise, if you have your LDAP configured for all the users/machines in your organization that you want to monitor as entities. Doing this will also sync if any users or entities have changed or been removed.

Using a custom CSV would be a static approach, i.e., if there are changes, you have to edit them in the CSV and upload it again.

However, if you use LDAP and you have users configured in it that you do not want to be a part of the UEBA analysis, CSV is the way to go, as you’ll have the limitations in entity license. (If the entity count is more than the license count, the bottom entities will be rejected from participating in UEBA analysis.)