Help Document

Available reports

Log360 UEBA offers comprehensive reports that help identify anomalies in the activity of users, devices, databases, and more. Each anomaly is classified as time-based, count-based, pattern-based, or first-time-access-based. In addition, anomalies are analyzed separately for users and for entities (machines).


The options, their event sources, and the anomaly reports available for each:

Option: Devices
Event source: Windows devices
  • Startup and shutdown
  • Installation of services and software
  • USB activity
  • Registry activity
  • Application whitelisting
  • Logons
  • File changes
  • Network share activity
  • Firewall changes
Event source: Unix devices
  • USB activity
  • Cron jobs
  • Logons
  • VMware logons
  • File transfer
Event source: Routers
  • Configuration changes
  • Logons

Option: Applications
Event source: Active Directory auditing
  • Logons
  • Process activity
  • User management
Event source: Microsoft SQL Servers
  • DDL and DML activity
  • Logons
  • Startup and shutdown
  • Password changes
  • Account management
Event source: FTP servers
  • File transfer
  • Logons
  • File activities

Option: Firewall devices
Event source: firewall devices from supported vendors
  • Allowed and denied traffic
  • Logons
  • Policy activities
  • VPN Logons
  • VPN IP Assigned
  • VPN connection status
  • VPN users

Option: Cloud services
Event source: Azure
  • User Activity
  • Network Security Group changes
  • Public IP address
  • Virtual Machines/Compute
  • Database
  • Storage Accounts
  • Resource Locks
  • Virtual Network changes
  • Application Gateway changes
  • DNS changes
  • Traffic Manager
Event source: AWS
  • Logons
  • IAM activity
  • User Activity
  • Network Security Group changes
  • VPC Activity
  • WAF changes
  • Security Token Services
  • AWS Config Reports
  • Amazon Auto Scaling Reports
  • Amazon ELB Reports
  • RDS Reports
  • S3 Bucket Activity Reports
  • EC2 Reports
  • Route 53
Event source: Google
  • User Activity
  • IAM activity
  • Network Security Changes
  • VPC Activity
  • Network Services
  • Hybrid Connectivity
  • Virtual Machines/Compute
  • Cloud Functions
  • App Engine
  • Google Storage
  • GCP Resource Management

Anomaly Reports

Anomaly reports can be generated for the following:

  • Windows, Unix, and Cisco devices.
  • Applications such as Active Directory, SQL Server, PAM360, and FTP servers.
  • Firewall devices from various vendors.
  • Cloud services such as AWS, Azure, and Google.

In addition to the above, Log360 UEBA also detects anomalies in privileged access by integrating tightly with ManageEngine PAM360, a comprehensive privileged access management solution.

For every report, Log360 UEBA provides Dynamic Peer Group Details, which list the peer group clusters and the members of each cluster. Peer groups are built for both users and entities.

An example of peer grouping for logon anomalies based on users

Anomalies can be tracked for both users and entities (machines). Furthermore, anomalies can be:

  • Time-based: There is a deviation between the time at which an activity usually occurs and the time at which it actually occurred. E.g. User A usually logs on between 11:00 and 11:15 pm, but a logon is observed at 5:16 am.
    Sample time-based anomalies for Windows logons

  • Count-based: There is a deviation between the expected number of activities and the actual number of activities. E.g. A file server that usually has 73 file modifications in a day shows an unexpected 399 file modifications.
    Sample count-based anomalies for file modifications

  • Pattern-based: There is an unexpected sequence of events. Each event taken in isolation may not be anomalous, but considered together as a sequence they deviate from what is expected. E.g. Software is installed on Server A at 4:19 pm by the user ueba_user1; the same installation would have been an expected sequence of events had it been performed by the user ueba_user2.
    Sample pattern-based anomalies for software installation

  • First Time Access-based: A user is associated with a host for the very first time, which is a deviation from the user's expected behavior. For example, the administrator has accessed the remote host log360-w10 for the first time, which is a deviation from the administrator's normal behavior.
    Sample first time access-based anomalies

Anomaly Visualization

Anomaly visualization enables administrators to view a graphical representation of every analyzed anomaly. It shows how far the observed values are from the expected values.

To visualize anomalies:

  • Navigate to the anomaly report of your choice.
  • Click View Details in the View Details column.
  • A widget will open up to show the graphical representation of the anomalies.

Here is a sample anomaly visualization chart for a time anomaly. In this example, a particular user has an expected logon time between 11 and 11:15 pm, but shows an actual logon time between 5:15 and 5:30 am.

Anomaly visualization for a logon time anomaly

Here is a sample anomaly visualization chart for a count anomaly. In this example, 1383 file deletes have been observed on the host Log360QA-W12-2, while the threshold is only 1033 such activities.

Anomaly visualization for a count anomaly

Log360 UEBA also provides anomaly visualization charts for pattern anomalies. In the example below, the user DWM-3 is logging onto the host itsl360-2k12-1 with an interactive logon (logon Type 2). This is identified as a rare pattern and is marked as an anomaly.

Anomaly visualization for a pattern anomaly

Peer group details: For time, count, and pattern anomalies, Log360 UEBA also reports how the user's or entity's peers behave. If a peer in the same group exhibits similar behavior, the confidence level of the anomaly is lowered and its risk score is adjusted downward accordingly. This reduces false positives and adds security context to the anomaly.

Peer Behavior information under Anomaly Details
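As an added example of the adjustment described above (not Log360 UEBA code; the page states only that similar peer behavior lowers confidence and risk), the following builds peer groups from each user's usual logon hour and then scores a time anomaly, reducing its confidence and risk score in proportion to the share of peers who have logged on at the observed hour. The clustering rule, the one-hour tolerance, the base score of 80, the discount formula, and the users and their logon hours are all assumptions.

```python
"""Peer-group adjustment of a time anomaly's confidence and risk score.

Added example, not Log360 UEBA code. Clustering rule, tolerance, base score
and discount formula are assumptions; only the direction of the adjustment
(similar peer behavior lowers confidence and risk) comes from the page.
"""
from collections import Counter

# Constructed baseline (not real data): hour of day (0-23) of each user's past logons.
LOGON_HOURS = {
    "alice": [23, 23, 23, 22],
    "bob":   [23, 22, 23, 5],   # bob, a late-shift peer of alice, has logged on at 05:00 before
    "carol": [9, 10, 9, 9],
    "dave":  [9, 8, 10, 9],
}


def _gap(a, b):
    """Distance between two hours of the day, wrapping around midnight."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def typical_hour(hours):
    """Most common logon hour in a user's history."""
    return Counter(hours).most_common(1)[0][0]


def peer_groups(profiles, max_hour_gap=2):
    """Greedy single-pass clustering: a user joins the first group whose
    representative hour is within max_hour_gap, otherwise starts a new group.
    Returns {user: group_id}."""
    groups, reps = {}, []
    for user, hours in profiles.items():
        h = typical_hour(hours)
        for gid, rep_hour in reps:
            if _gap(h, rep_hour) <= max_hour_gap:
                groups[user] = gid
                break
        else:
            groups[user] = len(reps)
            reps.append((len(reps), h))
    return groups


def score_time_anomaly(user, hour, profiles, groups, tolerance=1, base_score=80):
    """Score one logon at `hour`. Not an anomaly if the user has logged on within
    `tolerance` hours of it before. Otherwise confidence starts at 1.0 and is
    reduced by half the fraction of the user's peers who have logged on at that
    hour; the risk score scales with the confidence."""
    if any(_gap(hour, h) <= tolerance for h in profiles[user]):
        return {"anomaly": False, "confidence": 0.0, "risk_score": 0,
                "peers_with_similar_behavior": []}
    peers = [u for u, g in groups.items() if g == groups[user] and u != user]
    similar = [p for p in peers if any(_gap(hour, h) <= tolerance for h in profiles[p])]
    confidence = 1.0 - 0.5 * (len(similar) / len(peers)) if peers else 1.0
    return {
        "anomaly": True,
        "confidence": confidence,
        "risk_score": round(base_score * confidence),
        "peers_with_similar_behavior": similar,
    }


if __name__ == "__main__":
    g = peer_groups(LOGON_HOURS)
    print("groups:", g)
    print("alice at 05:00:", score_time_anomaly("alice", 5, LOGON_HOURS, g))
    print("carol at 05:00:", score_time_anomaly("carol", 5, LOGON_HOURS, g))
```

With these inputs alice's 05:00 logon is still reported as an anomaly, but because her peer bob has logged on at that hour the confidence drops to 0.5 and the risk score from 80 to 40; carol's 05:00 logon, with no peer showing that behavior, keeps the full score.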