Version:

Raw Events

You can explore the raw events that triggered the anomaly by clicking Explore Raw Events. The link redirects you to Logpoint’s search page where you can further explore the event. You can view the latest risk score and entity type of the anomalous entities as an enriched data in the raw event logs.

  1. Click on an entity tab in the UEBA page.

  2. You can explore raw events in two ways:

    1. Hover over the More (kebab) icon and click Explore Raw Events.

    ../_images/UEBA_Page_Explore_Raw_Events.png

    Exploring Raw Events

  1. Click the Expand (plus) button of an anomaly and click Explore Raw Events.

    ../_images/UEBA_Page_Explore_Raw_Events_Anomaliespanel.png

    Exploring Raw Events

  1. Click Explore in UEBA to get more details on any of the following fields.

    • user

    • userPrincipleName

    • sAMAccountName

    • host

    • share_path

    • destination_address

    • server

    • share

    • website

    • domain

    • resources

    • source_address

    • SI_USER

../_images/UEBA_Dashboard_Drilldown_Explore_in_UEBA.png

Expand the UEBA Field

You are re-directed to the UEBA page with the value of the field as the filter. If the start_ts and end_ts fields are present in the event logs, UEBA applies the time range filter according to the value of these fields. Otherwise, UEBA applies the time range filter of seven days from the date UEBA ran the analytics.

../_images/UEBA_Dashboard_Drilldown_Redirect_to_Dashboard.png

Going Back to the UEBA Page

While exploring raw events, the lookup process command does not enrich risk scores in the raw events.

Helpful?

We are glad this guide helped.


Please don't include any personal information in your comment

Contact Support