Log data categories UEBA uses for threat analysis are:

- Authentication: events with user, status, and host related fields.
- Web Proxy: events containing information about user and source address.
- Email: email server and gateway related events with the sender, receiver, and datasize fields. Only outgoing emails sent to external recipients with a Sent, Delivered, or Successful status are analyzed. Only senders of the outgoing emails are considered entities.
- VPN (Virtual Private Network): all the remote or SSL VPN (Secure Sockets Layer Virtual Private Network) related events with the source_address, user, and status fields.
- Resource/File Access: all the resource and file access related events with the user, host, object_name, object_type, and status fields.
- Active Directory: Windows security events with the following Event IDs.

| Event ID | Description |
|----------|-------------|
| 4624 | An account was successfully logged on. |
| 4625 | An account failed to log on. |
| 4648 | A logon was attempted using explicit credentials. |
| 4768 | A Kerberos authentication ticket (TGT) was requested. |
| 4769 | A Kerberos service ticket was requested. |
| 4770 | A Kerberos service ticket was renewed. |
| 4771 | Kerberos pre-authentication failed. |
| 4772 | A Kerberos authentication ticket request failed. |
| 4773 | A Kerberos service ticket request failed. |
| 4776 | The computer attempted to validate the credentials for an account. |
| 4777 | The domain controller failed to validate the credentials for an account. |
| 4656 | A handle to an object was requested. |
| 4663 | An attempt was made to access an object. |
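The following is an added example, not code from the UEBA product or this page, showing how the category field requirements, the email-analysis rule, and the Active Directory Event ID list above can be checked against incoming events before they are sent for analysis. The internal mail domain `corp.example`, the `event_id` field name, and the sample events are constructed assumptions.

```python
# Added example (not the product's code): validate events against the UEBA
# category requirements and the email rule described on this page.

# Required fields per category, as listed above
REQUIRED_FIELDS = {
    "authentication": {"user", "status", "host"},
    "web_proxy": {"user", "source_address"},
    "email": {"sender", "receiver", "datasize"},
    "vpn": {"source_address", "user", "status"},
    "resource_access": {"user", "host", "object_name", "object_type", "status"},
}
# Active Directory Event IDs from the table above
AD_EVENT_IDS = {4624, 4625, 4648, 4768, 4769, 4770, 4771, 4772,
                4773, 4776, 4777, 4656, 4663}
EMAIL_OK_STATUS = {"sent", "delivered", "successful"}
INTERNAL_DOMAIN = "corp.example"  # assumption: the organisation's own mail domain


def missing_fields(category, event):
    """Return the fields the category requires that the event lacks."""
    return sorted(REQUIRED_FIELDS[category] - set(event))


def is_ad_event_of_interest(event):
    """True if the event carries one of the Active Directory Event IDs UEBA analyzes."""
    try:
        return int(event.get("event_id", -1)) in AD_EVENT_IDS
    except ValueError:
        return False


def email_entity(event):
    """Apply the email rule: only outgoing mail to an external recipient with a
    Sent, Delivered, or Successful status is analyzed, and only the sender is
    an entity. Returns the sender, or None when the event is excluded.
    'Outgoing' is taken to mean sender internal and receiver external (assumption)."""
    if missing_fields("email", event):
        return None
    if event.get("status", "").lower() not in EMAIL_OK_STATUS:
        return None
    sender_dom = event["sender"].rpartition("@")[2].lower()
    receiver_dom = event["receiver"].rpartition("@")[2].lower()
    if sender_dom != INTERNAL_DOMAIN or receiver_dom == INTERNAL_DOMAIN:
        return None  # inbound or internal mail is not analyzed
    return event["sender"]


if __name__ == "__main__":
    # Constructed sample event: outgoing, delivered, external recipient
    sample = {"sender": "alice@corp.example", "receiver": "bob@partner.example",
              "datasize": "2048", "status": "Delivered"}
    print(email_entity(sample), missing_fields("vpn", {"user": "alice", "status": "ok"}))
```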