LogPoint provides logs related to the following data categories to UEBA for threat analysis:
Authentication: LogPoint provides all the authentication-related events with the user, status, and host fields to UEBA.
Web Proxy: LogPoint provides all the web proxy related events containing information about user and source address to UEBA.
Email: LogPoint provides all the mail server and email gateway related events with the sender, receiver, and datasize fields to UEBA.
Note
UEBA analyzes only outgoing emails sent to the external recipients with status: Sent, Delivered, or Successful.
UEBA considers only senders of the outgoing emails as entities.
VPN (Virtual Private Network): LogPoint provides all the remote or SSL VPN (Secure Sockets Layer Virtual Private Network) related events with the source_address, user, and status fields to UEBA.
Resource/File Access: LogPoint provides all the resource and file access related events with the user, host, object_name, object_type, and status fields to UEBA.
Note
LogPoint provides the following Active Directory related events to UEBA:
Event ID |
Description |
4624 |
An account was successfully logged on. |
4625 |
An account failed to logon. |
4648 |
A logon was attempted using explicit credentials. |
4768 |
A Kerberos authentication ticket (TGT) was requested. |
4769 |
A Kerberos service ticket was requested. |
4770 |
A Kerberos service ticket was renewed. |
4771 |
Kerberos pre-authentication failed. |
4772 |
A Kerberos authentication ticket request failed. |
4773 |
A Kerberos service ticket request failed. |
4776 |
The computer attempted to validate the credentials for an account. |
4777 |
The domain controller failed to validate the credentials for an account. |
4656 |
A handle to an object was requested. |
4663 |
An attempt was made to access an object. |