2020-06-22 10:22 AM
After setting up UEBA, you need to make sure you are collecting the following Event IDs from hosts as well as network events:
Active Directory Model -> device.class = 'windows hosts' && reference.id = '4741','4742','4733','4734','4740','4794','5376','5377','5136','4764','4743','4739','4727','4728','4754','4756','4757','4758','4720','4722','4723','4724','4725','4726','4738','4767','4717','4729','4730','4731','4732'
Authentication Model -> Windows, RHlinux as well as RSA AceSrv-> reference.id = ('4624','4625','4769','4648') || (device.type = 'rsaacesrv' && ec.activity = 'Logon') || ((action = '/usr/sbin/sshd' || action='/usr/bin/login') && device.type = 'rhlinux')
File Model -> Event IDs 4663, 4660, 4670, 5145
Packet SSL Data Model -> service=443 && direction='outbound' && analysis.service!='quic' && ip.src exists && ip.dst exists && tcp.srcport!=443
Endpoint Models ->
    REGISTRY: category='Registry Event' && device.type='nwendpoint'
    PROCESS: category='Process Event' && device.type='nwendpoint'
The included App rules will tag the incoming events and populate the "alert" meta key with the model name.
This makes troubleshooting easier, since you can see which log messages are coming in and which models they belong to.
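As an added illustration (not part of the post or of the NetWitness product), the rules listed above expressed as plain Python over events represented as dicts of meta key to value, with a coverage count per model so a feed that is not arriving shows up as a zero. Matching the File model on reference.id alone is an assumption, since the post gives only the Event IDs for it; the sample events are constructed.

```python
# Added example, not from the post: tag events with UEBA model names using the rules above.
# Events are dicts of meta key -> value. Matching the file model on reference.id alone is
# an assumption, since the post lists only the Event IDs for that model.
from collections import Counter
AD_EVENT_IDS = {'4741', '4742', '4733', '4734', '4740', '4794', '5376', '5377', '5136', '4764',
                '4743', '4739', '4727', '4728', '4754', '4756', '4757', '4758', '4720', '4722',
                '4723', '4724', '4725', '4726', '4738', '4767', '4717', '4729', '4730', '4731',
                '4732'}
AUTH_EVENT_IDS = {'4624', '4625', '4769', '4648'}
FILE_EVENT_IDS = {'4663', '4660', '4670', '5145'}

def is_active_directory(e):
    return e.get('device.class') == 'windows hosts' and e.get('reference.id') in AD_EVENT_IDS

def is_authentication(e):  # Windows logon IDs, RSA ACE server logons, or Linux sshd/login records
    return (e.get('reference.id') in AUTH_EVENT_IDS
            or (e.get('device.type') == 'rsaacesrv' and e.get('ec.activity') == 'Logon')
            or (e.get('action') in ('/usr/sbin/sshd', '/usr/bin/login')
                and e.get('device.type') == 'rhlinux'))

def is_file(e):
    return e.get('reference.id') in FILE_EVENT_IDS
def is_packet_ssl(e):  # 'exists' becomes key presence; != is true when the key is absent
    return (e.get('service') == 443 and e.get('direction') == 'outbound'
            and e.get('analysis.service') != 'quic'
            and 'ip.src' in e and 'ip.dst' in e and e.get('tcp.srcport') != 443)
def is_endpoint(kind):  # one factory for the Registry Event / Process Event rules
    return lambda e: e.get('category') == kind and e.get('device.type') == 'nwendpoint'

MODEL_RULES = [('Active Directory', is_active_directory), ('Authentication', is_authentication),
               ('File', is_file), ('Packet SSL', is_packet_ssl),
               ('Endpoint Registry', is_endpoint('Registry Event')),
               ('Endpoint Process', is_endpoint('Process Event'))]

def tag_event(e):
    """Model names that the app rules would write into the 'alert' meta for this event."""
    return [name for name, rule in MODEL_RULES if rule(e)]

def coverage_report(events):
    """Tagged-event count per model; a zero means that feed is not arriving."""
    counts = Counter(name for e in events for name in tag_event(e))
    return {name: counts[name] for name, _ in MODEL_RULES}

SAMPLE_EVENTS = [  # constructed sample events, not captured data
    {'device.class': 'windows hosts', 'reference.id': '4720'},
    {'device.class': 'windows hosts', 'reference.id': '4624'},
    {'device.type': 'rhlinux', 'action': '/usr/sbin/sshd'},
    {'reference.id': '5145'},
    {'service': 443, 'direction': 'outbound', 'analysis.service': 'quic',
     'ip.src': '10.0.0.5', 'ip.dst': '203.0.113.9', 'tcp.srcport': 51234},
    {'category': 'Registry Event', 'device.type': 'nwendpoint'},
]
```

Running `coverage_report(SAMPLE_EVENTS)` on the constructed sample reports zero for Endpoint Process and Packet SSL (the only SSL sample is QUIC and is excluded), which is the kind of gap the alert meta makes visible.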