FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
flunaibarra
Staff
Article Id 377079
Description

This article describes the UEBA license requirements, how device, agent and UEBA licenses are counted, UEBA functionality, and the events/logs it analyzes.

For UEBA configuration steps, see the configuration guide: Microsoft Windows Server via Agent

Scope

FortiSIEM v6.1.x and higher.

Windows Agent v4.0.x and higher.

Solution
  1. To enable the UEBA feature in FortiSIEM, valid UEBA and Agent licenses are both required. Go to Admin -> License -> General and review the Device, Agent and UEBA license sections.

  2. Difference between the Agent license, the UEBA license, and how licenses are counted when the UEBA feature is enabled:
  • When the Windows agent is Registered and the host status is Approved in the CMDB, it consumes 1 device license.
  • When the applied template includes Windows events and UEBA is NOT enabled, it consumes 1 device + 1 agent license.
  • When the applied template includes Windows events and UEBA is enabled, it consumes 1 device + 1 agent + 1 UEBA license.
  • When the applied template has only the UEBA feature enabled, and the host status is changed to UEBA in the CMDB, it consumes only 1 UEBA license (no device or agent license).

  3. The UEBA AI needs to see two weeks of a user's behaviour to form an effective baseline and learn what 'normal' looks like for that user.
    The more data the AI gathers, the more detailed a picture it builds, and each user's behaviour profile becomes more detailed over time.
    The baseline training period starts from the first event received and lasts two weeks (14 days). UEBA then automatically switches to Anomaly Detection mode.

  4. From v6.5.0, the UEBA analytic function is extended to selected Windows Security events and Sysmon logs.
    See the link for the complete list: What's New in 6.5.0

  5. Know the difference between Windows (agent-based) UEBA and Log Based UEBA: Comparing UEBA Sources