Help Document

Available reports

Log360 UEBA offers comprehensive reports that can help identify anomalies in activity of devices, databases, and more. Each anomaly can be classified as time-based, count-based and pattern-based. In addition to this, anomalies can be analyzed for users and systems separately.


Option / Event source / Anomaly reports

Devices

  Windows devices
    • Startup and shutdown
    • Installation of services and software
    • USB activity
    • Registry activity
    • Application whitelisting
    • Logons
    • File changes
    • Network share activity
    • Firewall changes
  Unix devices
    • USB activity
    • Cron jobs
    • Logons
    • VMware logons
    • File transfer
  Routers
    • Configuration changes
    • Logons

Applications

  Active Directory auditing
    • Logons
    • Process activity
    • User management
  Microsoft SQL Servers
    • DDL and DML activity
    • Logons
    • Startup and shutdown
    • Password changes
    • Account management
  FTP servers
    • File transfer
    • Logons
    • File activities

Firewall Devices

    • Allowed and denied traffic
    • Logons
    • Policy activities
    • VPN Logons
    • VPN IP Assigned
    • VPN connection status
    • VPN users

Cloud Services

  Azure
    • User Activity
    • Network Security Group changes
    • Public IP address
    • Virtual Machines/Compute
    • Database
    • Storage Accounts
    • Resource Locks
    • Virtual Network changes
    • Application Gateway changes
    • DNS changes
    • Traffic Manager
  AWS
    • Logons
    • IAM activity
    • User Activity
    • Network Security Group changes
    • VPC Activity
    • WAF changes
    • Security Token Services
    • AWS Config Reports
    • Amazon Auto Scaling Reports
    • Amazon ELB Reports
    • RDS Reports
    • S3 Bucket Activity Reports
    • EC2 Reports
    • Route 53
  Google
    • User Activity
    • IAM activity
    • Network Security Changes
    • VPC Activity
    • Network Services
    • Hybrid Connectivity
    • Virtual Machines/Compute
    • Cloud Functions
    • App Engine
    • Google Storage
    • GCP Resource Management

Anomaly Reports

Anomaly reports can be generated for the following:

  • Windows, Unix, and Cisco devices.
  • Applications such as Active Directory, SQL server, PAM360 and FTP server.
  • Firewall devices from various vendors.
  • Cloud services such as AWS, Azure, and Google.

In addition to the above, Log360 UEBA also detects anomalies in privileged access by integrating tightly with ManageEngine PAM360, a comprehensive privileged access management solution.

Anomalies can be tracked for both users or entities (machines). Furthermore, anomalies can be:

  • Time-based: The activity occurred at a time that deviates from when it usually occurs. E.g. User A usually logs on between 11:00 and 11:15 pm, but unexpectedly shows a logon at 5:16 am.

    [Figure: Sample time-based anomalies for Windows logons]

  • Count-based: The number of activities deviates from the expected number. E.g. A file server that usually has 73 file modifications in a day shows an unexpected 399 file modifications.

    [Figure: Sample count-based anomalies for file modifications]

  • Pattern-based: An unexpected sequence of events takes place. Each event, taken in isolation, may not be anomalous, but considered together as a sequence they deviate from what is expected. E.g. Software is installed on Server A at 4:19 pm by the user ueba_user1; the same sequence of events would have been expected had ueba_user2 performed the activity.

    [Figure: Sample count-based anomalies for software installation]
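As an added illustration of the three anomaly classes (this is example code written for this page, not Log360 UEBA's own detection logic), the Python below builds a baseline from constructed sample events and flags time-, count- and pattern-based deviations; every user, host, timestamp and count in it is made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed baseline events (hypothetical, not Log360 data): (user, host, action, timestamp)
BASELINE = [
    ("userA", "srv1", "logon", "2024-03-01 23:05"),
    ("userA", "srv1", "logon", "2024-03-02 23:10"),
    ("userA", "srv1", "logon", "2024-03-03 23:12"),
    ("ueba_user2", "ServerA", "software_install", "2024-03-01 16:00"),
    ("ueba_user2", "ServerA", "software_install", "2024-03-02 16:20"),
]
# Constructed daily file-modification counts for one file server.
DAILY_MODS = {"2024-03-01": 70, "2024-03-02": 73, "2024-03-03": 76}
# New events to score against the baseline (constructed).
NEW = [
    ("userA", "srv1", "logon", "2024-03-04 05:16"),
    ("userA", "srv1", "logon", "2024-03-04 23:08"),
    ("ueba_user1", "ServerA", "software_install", "2024-03-04 16:19"),
    ("ueba_user2", "ServerA", "software_install", "2024-03-04 16:05"),
]

def _hour(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M").hour

def time_anomalies(baseline, events):
    """Time-based: the (user, action) pair has a history, but never at this hour.
    A pair with no baseline at all cannot deviate in time; that case is left
    to the pattern detector."""
    profile = defaultdict(set)
    for user, _, action, ts in baseline:
        profile[(user, action)].add(_hour(ts))
    return [e for e in events
            if (e[0], e[2]) in profile and _hour(e[3]) not in profile[(e[0], e[2])]]

def count_anomaly(history, observed, tolerance=2.0):
    """Count-based: observed daily count exceeds mean + tolerance*stddev of history.
    Returns (is_anomalous, threshold)."""
    vals = list(history.values())
    mean = sum(vals) / len(vals)
    std = (sum((v - mean) ** 2 for v in vals) / len(vals)) ** 0.5
    threshold = round(mean + tolerance * std, 1)
    return observed > threshold, threshold

def pattern_anomalies(baseline, events):
    """Pattern-based: a (user, host, action) combination never seen together before."""
    seen = {(u, h, a) for u, h, a, _ in baseline}
    return [e for e in events if (e[0], e[1], e[2]) not in seen]
```

The 5:16 am logon is caught only by the time detector, while ueba_user1's install is caught only by the pattern detector, because that user has no time baseline to deviate from.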

Anomaly Visualization

Anomaly visualization enables administrators to view a graphical representation of every analyzed anomaly. It shows how far the observed values are from the expected values.

To visualize anomalies:

  • Navigate to the anomaly report of your choice.
  • Click View Details in the View Details column.
  • A widget opens showing the graphical representation of the anomalies.

Here is a sample anomaly visualization chart for a time anomaly. In this example, a particular user has an expected logon time between 11 and 11:15 pm, but shows an actual logon time between 5:15 and 5:30 am.

[Figure: Anomaly visualization for a logon time anomaly]

Here is a sample anomaly visualization chart for a count anomaly. In this example, 1383 file deletes have been observed on the host Log360QA-W12-2, while the threshold is only 1033 such activities.

[Figure: Anomaly visualization for a count anomaly]

Log360 UEBA also provides anomaly visualization charts for pattern anomalies. In the example below, the user DWM-3 logs on to the host itsl360-2k12-1 with an interactive logon (logon type 2). This is identified as a rare pattern and is marked as an anomaly.

[Figure: Anomaly visualization for a pattern anomaly]