Logpoint currently supports the following data sources for each data category:
| Data Category | Data Source |
|---|---|
| Active Directory | Microsoft Active Directory |
| Authentication Logs | Office365, Cisco ISE |
| Web Proxy Logs | |
| Email Logs | Cisco, Qmail, Sendmail, Exim, Microsoft Exchange, Mimecast, Proofpoint, Office 365, Global |
| VPN Logs | |
| Resource/File Access Logs | Office 365, EMC, Global |
| SAP Security Audit Logs | LP4SAP, AgileSI |
| Azure AD | Office 365, Microsoft Azure |
Global means another data source can be mapped for the data category. Contact Logpoint Support for assistance.
You can set up UEBA to add all data sources or a specific one based on your system's needs and logs during Onboarding. To add new data sources after onboarding, contact Logpoint Support. UEBA needs at least 30 days of normalized and enriched data from the new data source to create a baseline.
UEBA requires a minimum of 200 logs per day for each data source to work optimally. The logs counted for each data source need to fulfill the Compatibility Check.
UEBA only processes the fields listed below. Mandatory fields are marked by an asterisk (*). Logs lacking these fields will not be processed by UEBA.
Important
All data source logs must include a primary field for user identification:
Active Directory - user
Authentication - user
Email - sAMAccountName
VPN - user
Web Proxy - user
Resource/File Access - user
SAP Security Audit - SI_USER
Azure AD - user
If a log contains both user and userPrincipalName fields, the primary field is userPrincipalName.
Active Directory fields
These fields are for Logpoint v7.4.0 and later. If you are using an earlier version, go to Active Directory.
log_ts*
event_id*
event_type*
host*
user*
access_mask
account_expire
allowed_to_delegate
caller_domain
caller_id
caller_logon_id
caller_user
computer
computer_domain
computer_id
domain
elevated_token
encryption_type
group
group_domain
group_id
handle_id
key_length
logon_guid
logon_hour
logon_id
logon_process
logon_type
machine_id
machine_name
member
new_value
object_name
object_type
old_value
package
parameter
parent_process
password_last_set_ts
pre_authentication_type
privilege
process
process_id
reason
relative_target
sam_account_name
service
service_account
service_id
share_name
share_path
sid_history
source_address
source_machine_id
source_port
start_type
status_code
sub_status_code
target_domain
target_id
target_linked_logon_id
target_user
task
ticket_option
token_elevation_type
transmitted_service
user_account_control
user_id
userPrincipalName
virtual_account
workstation
Additional mandatory fields for logs with event_id 4656 or 4663:
object_type*
object_name*
Go to Input for a list of all the Event IDs provided by Active Directory.
Authentication fields
log_ts*
user*
userPrincipalName
status*
host*
The value of status should be either succ or fail. The logs must also have either the Authentication or the Login label.
Email fields
log_ts*
sender*
receiver*
data_size*
sAMAccountName*
userPrincipalName
subject
status
file
file_count
VPN fields
log_ts*
user*
source_address*
status*
userPrincipalName
country_name
The logs must also have either label=VPN or sub_category=GlobalProtect.
Web Proxy fields
log_ts*
request_method*
status_code*
received_datasize*
destination_address*
user_agent*
user*
userPrincipalName
sent_datasize
source_address
source_machine_id
domain
The logs must also have device_category=ProxyServer.
Resource/File Access fields
log_ts*
user*
userPrincipalName
object_name*
object_type*
host*
status*
source_machine_id
SAP Security Audit fields
SI_EXTR*
log_ts*
SI_USER*
userPrincipalName
SI_SYSTEMID*
SI_CLIENT*
SI_MESSAGE*
SI_SIGID*
SI_STRING1
SI_HOSTNAME
SI_IPADDRV4
SI_IPADDRV6
Azure AD fields
You can only use Azure AD in Logpoint v7.2.0 and later.
norm_id
log_ts*
user*
userPrincipalName
domain*
record_type*
action*
organization_id*
user_type*
user_key*
application*
application_id
status
label
object_id
source_address
hostname
country
longitude
latitude
scope
session_id
api_id
token_id
issued_at_time
event_type*
user_agent
is_compliant_and_managed
user_authentication_method
device_trust_type
error_number
error_info
Logpoint UEBA validates whether fields are correctly formatted:
| Fields | Value Format |
|---|---|
| host | String without spaces |
| event_id | Number |
| userPrincipalName | Valid email address |
| user | Valid email address or string, and cannot be "-" |
| sub_status_code | Must start with 0x |
| object_type | Letters, numbers, and "-" |
| event_type | audit_success, audit_failure, or audit_fail |
| request_method | Letters, numbers, and "-" |
| status_code | Number |
| received_datasize | Number |
| source_address | A valid IPv4 address or "-" |
| destination_address | A valid IPv4 address or "-" |
| user_agent | String without double quotes (") |
| sent_datasize | Number |
| sender | Valid email address |
| datasize | Number |
| file_size | Number |
| file | String without spaces |
| status | success or failure |
| file_count | Number |
| SI_CLIENT | Three-digit number with leading zeros |
| SI_SYSTEMID | Three-character uppercase alphanumeric value where the first character is not a number |
SI_SYSTEMID does not support reserved values like ADD, ALL, AMD, AND, ANY, ASC, AUX, COM, CON, DBA, END, EPS, FOR, GID, IBM, INT, KEY, LOG, LPT, SAP, VAR, and USR.
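As an added illustration (not Logpoint's own code), the following Python validator applies the rules above to constructed log dictionaries: the mandatory-field check for Active Directory and SAP Security Audit, the extra object_type/object_name requirement for event_id 4656 and 4663, the primary user field rule (userPrincipalName over user), and the Compatibility Check value formats. The email regex and the assumption that field values are strings are mine, not from the page.

```python
import re
from ipaddress import IPv4Address, AddressValueError

# Mandatory (asterisked) fields for two data categories, plus the extra fields
# that Active Directory event_id 4656/4663 must carry. Values are assumed strings.
MANDATORY = {
    "Active Directory": {"log_ts", "event_id", "event_type", "host", "user"},
    "SAP Security Audit": {"SI_EXTR", "log_ts", "SI_USER", "SI_SYSTEMID",
                           "SI_CLIENT", "SI_MESSAGE", "SI_SIGID"},
}
OBJECT_EVENT_IDS = {"4656", "4663"}
SI_RESERVED = {"ADD", "ALL", "AMD", "AND", "ANY", "ASC", "AUX", "COM", "CON",
               "DBA", "END", "EPS", "FOR", "GID", "IBM", "INT", "KEY", "LOG",
               "LPT", "SAP", "VAR", "USR"}
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # assumed "valid email" test

def ipv4_or_dash(v):
    try:
        return v == "-" or IPv4Address(v) is not None
    except AddressValueError:
        return False

# Value-format rules taken from the Compatibility Check table.
FORMAT = {
    "host": lambda v: " " not in v,
    "event_id": str.isdigit,
    "userPrincipalName": lambda v: bool(EMAIL.match(v)),
    "user": lambda v: v != "-",
    "sub_status_code": lambda v: v.startswith("0x"),
    "event_type": lambda v: v in {"audit_success", "audit_failure", "audit_fail"},
    "source_address": ipv4_or_dash,
    "SI_CLIENT": lambda v: len(v) == 3 and v.isdigit(),
    "SI_SYSTEMID": lambda v: bool(re.fullmatch(r"[A-Z][A-Z0-9]{2}", v))
                             and v not in SI_RESERVED,
}

def check_log(category, log):
    """Return the reasons UEBA would skip this log; an empty list means it passes."""
    problems = [f"missing {f}" for f in sorted(MANDATORY[category] - set(log))]
    if category == "Active Directory" and log.get("event_id") in OBJECT_EVENT_IDS:
        problems += [f"missing {f}" for f in ("object_type", "object_name")
                     if f not in log]
    problems += [f"bad format {f}={v!r}" for f, v in log.items()
                 if f in FORMAT and not FORMAT[f](v)]
    return problems

def primary_user(log):
    """userPrincipalName is the primary user field when both are present."""
    return log.get("userPrincipalName") or log.get("user")
```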