Available reports

Log360 UEBA offers comprehensive reports that can help identify anomalies in activity of devices, databases, and more. Each anomaly can be classified as time-based, count-based and pattern-based. In addition to this, anomalies can be analyzed for users and systems separately.

ueba-anomalies-reports

Option	Event Sources	Anomaly Reports
Devices	Windows devices	Startup and shutdown Installation of services and software USB activity Registry activity Application whitelisting Logons File changes Network share activity Firewall changes
	Unix devices	USB activity Cron jobs Logons VMware logons File transfer
	Routers	Configuration changes Logons
Applications	Active Directory auditing	Logons Process activity User management
	Microsoft SQL Servers	DDL and DML activity Logons Startup and shutdown Password changes Account management
	FTP servers	File transfer Logons File activities
Firewall Devices	-	Allowed and denied traffic Logons Policy activities VPN Logons VPN IP Assigned VPN connection status VPN users
Cloud Services	Azure	User Activity Network Security Group changes Public IP address Virtual Machines/Compute Database Storage Accounts Resource Locks Virtual Network changes Application Gateway changes DNS changes Traffic Manager
	AWS	Logons IAM activity User Activity Network Security Group changes VPC Activity WAF changes Security Token Services AWS Config Reports Amazon Auto Scaling Reports Amazon ELB Reports RDS Reports S3 Bucket Activity Reports EC2 Reports Route 53
	Google	User Activity IAM activity Network Security Changes VPC Activity Network Services Hybrid Connectivity Virtual Machines/Compute Cloud Functions App Engine Google Storage GCP Resource Management

Anomaly Reports

Anomaly reports can be generated for the following:

Windows, Unix, and Cisco devices.
Applications such as Active Directory, SQL server, PAM360 and FTP server.
Firewall devices from various vendors.
Cloud services such as AWS, Azure, and Google.

In addition to the above, Log360 UEBA also detects anomalies in privileged access by integrating tightly with ManageEngine PAM360, a comprehensive privileged access management solution.

For every report, Log360 UEBA gives Dynamic Peer Group Details. This will give information about the different peer group clusters and the members who are part of those clusters. Peer groups are built for both users and entities.

An example of peer grouping for logon anomalies based on users

Anomalies can be tracked for both users or entities (machines). Furthermore, anomalies can be:

Time-based: There is a deviation between the expected time an activity would usually occur, and the time it actually occurred. E.g. User A usually logs on between 11:00 and 11:15 pm, but strangely exhibits a logon at 5:16 am.

Sample time-based anomalies for Windows logons

Count-based: There is a deviation between the expected number of activities, and the actual number of activities. E.g. A file server which usually has 73 file modifications in a day, shows an unexpected 399 file modifications.

Sample time-based anomalies for Windows logons Sample count-based anomalies for file modifications

Pattern-based: There is an unexpected sequence of events that take place. Each event, taken in isolation may not be anomalous, but when they are all considered together as a sequence, it is a deviation from what is expected. E.g. A software is installed at 4:19 pm on Server A by the user ueba_user1; this would have been an expected sequence of events in case it was the user ueba_user2 who had done this activity.

Sample time-based anomalies for Windows logons Sample pattern-based anomalies for software installation

First Time Access-based: There is an association between a user and a host for the very first time, depicting a deviation from the expected behavior of the user. For example, the administrator has tried to access the remote host log360-w10 for the first time, which is a deviation from the normal behavior of the administrator.

Sample time-based anomalies for Windows logons Sample first time access-based anomalies

Anomaly Visualization

Anomaly visualization enables administrators to view a graphical representation of every analyzed anomaly. It shows how far the observed values are from the expected values.

To visualize anomalies:

Navigate to the anomaly report of your choice.
Click on View Details under the Column View Details.
A widget will open up to show the graphical representation of the anomalies.

Here is a sample anomaly visualization chart for a time anomaly. In this example, a particular user has an expected logon time between 11 and 11:15 pm, but shows an actual logon time between 5:15 and 5:30 am.

Sample time-based anomalies for Windows logons Anomaly visualization for a logon time anomaly

Here is a sample anomaly visualization chart for a count anomalies. In this example, 1383 file deletes have been observed on the host Log360QA-W12-2, while the threshold is only 1033 such activities.

Anomaly visualization for a count anomaly

Log360 UEBA also provides anomaly visualization charts for pattern anomalies. In the example below, the user DWM-3 is logging onto the host itsl360-2k12-1 with an interactive logon (logon Type 2). This is identified as a rare pattern and is marked as an anomaly.

Anomaly visualization for a pattern anomaly

Peer group details: For time, count and pattern anomalies, Log360 UEBA will also give information about a user's or entity's peer behavior. In case the user or entity under consideration has a peer who exhibits similar behavior, there will be a downward impact on the confidence level of the anomaly. This risk score will also then be adjusted downward. This helps to decrease the occurrence of false positives and improves the security context.

Peer Behavior information under Anomaly Details