User Behavior Analysis
On This Page:
Objective
This document provides instructions on how to enable User Behavior Analysis (UBA) using the F5® Distributed Cloud Services Artificial Intelligence (AI) and Machine Learning (ML) features. The user behavior analysis covers the following:
-
Clear suspicious behavior - This is based on security events such as the following:
- WAF security events generated by a user
- Login failures
- L7 policy denies
-
Anomalous behavior - This is identified by analyzing behavioral aspects of user activity.
Note: The user in this context is mapped by the requesting IP address.
Using the instructions provided in this document, you can enable the user behavior for your application and monitor the related anomalies and events in the load balancer monitoring.
Prerequisites
Note: If you do not have an account, see Create an Account.
- One or more applications deployed on Distributed Cloud site and services configured.
Note: See App Management for more information. See Site Management for site creation instructions.
Configuration
Configuration Sequence
The following table presents the sequence of activities in enabling the UBA:
Activity | Description |
---|---|
Create App Type | Create app type and configure the user behavior analysis features. |
Create App Settings | Create the app settings object and associate with the app type. |
Monitor User Behavior | Monitor the load balancer to check for anomalies detected and reported for user behavior. |
Create App Type
To enable user behavior analysis for your application services, it is required to first enable it for those services using the app type object.
The app type object is created in the shared
namespace. The load balancers of that app type in different namespaces need to be assigned with the label of the app type object.
Perform the following to create app type and enable generating the user behavior model.
Step 1: Navigate to the App Types page.
- Select the
Shared Configuration
service. - Navigate to
Security
->AI & ML
->App Types
.
Step 2: Configure app type object settings.
Click Add app type
and enter the configuration in the app type object creation form using the following guidelines:
-
Enter a name for the app type. This is the value for the app type label to be assigned to the load balancers for which the API discovery needs to be enabled.
-
Click
Add item
in theFeatures
field of theApplication Type Features
section. SelectUser Behavior Analysis
for theAI/ML Feature Type
field. -
Optionally, select
Enable learning from redirect traffic
in theBusiness Logic Markup Setting
section. This enables the AI engine to learn the endpoints from redirected traffic. -
Click
Save and Exit
to complete creating the app type object.
Assign App Type Label to Load Balancers
After creating the app type, it is required to assign the app type label to the load balancers for which you want to enable UBA detection.
Note: Enabling UBA detection for all load balancers in a namespace requires you to apply the app type label to all load balancers in that namespace.
Perform the following to assign the app type label to your load balancers.
Step 1: Navigate to load balancer management.
- Select the
Load Balancers
service. - Select the desired namespace from the
Namespace
drop-down menu. - Navigate to
Manage
->Load Balancers
->HTTP Load Balancers
. - Click
...
->Manage Configuration
for the load balancer for which the app type label needs to be assigned. - Click
Edit Configuration
in the upper right corner.
Step 2: Assign the app type label.
- Click
Add label
in theLabels
field. - Select
ves.io/app_type
for theLabels
field.
- Type the name of the app type object created in the previous step and click
Assign a Custom Value
to add the app type label.
- Click
Save and Exit
to apply the label to the load balancer.
Note: The Distributed Cloud Services AI model learns from all namespaces where the load balancers or vK8s services are applied with the app type label. You can turn off learning from specific namespaces using the app settings object.
Create App Settings
After creating an app type with the UBA feature enabled, it is required to associate it with the metrics and sources for which the user behavior analysis is required. This is done by configuring the app settings object.
Perform the following to create the app settings object:
Step 1: Navigate to the App Settings page.
- Select the
Load Balancers
service. - Select the desired namespace from the
Namespace
drop-down menu. - Navigate to
Security
->AI & ML
->App Settings
. - Click
Add App setting
for the load balancer for which the app type label needs to be assigned.
Step 2: Enter basic configuration for the app setting object.
- Enter a name for the app setting.
- Go to the
Application Type Feature Configuration
section and clickAdd item
to configure an AppType.
- In the
AppType
field, select the created app type object from the drop-down list. - Click
Add Item
.
Note: Optionally, click
Configure
for theUser Behavior Analysis Setting
field and selectDisable learning from this namespace
option for the displayed fields. With this, the Distributed Cloud Services AI engine does not include data from this namespace for user behavior analysis.
Step 3: Complete creating app settings object.
Click Save and Exit
to complete creation of app settings object.
Monitor User Behavior
You can monitor the user behavior for anomalies and also inspect alerts using the HTTP load balancer monitoring.
Perform the following to monitor user behavior:
Step 1: Navigate to the load balancer monitoring.
- Select the
Load Balancers
service. - Select the desired namespace from the
Namespace
drop-down menu. - Click
Manage
->Virtual Hosts
->HTTP Load Balancers
. - Hover over your load balancer from the displayed list, and click
Security Monitoring
under the load balancer name. Or click your load balancer from the displayed list to load itsPerformance Monitoring
view, and then use the pulldown to change to theSecurity Monitoring
view.
Step 2: Load the app firewall view.
The Dashboard
is loaded by default. Click the Malicious Users
tab to inspect malicious user events. The graph shows a timeline over of malicious activity for the time period specified. Below the graph is a timeline of suspicious and malicious activity.
Click on one of the timeline links to see details for that time period, or click on the Security Events
tab to dive into any time period.