LogPoint currently supports the following data sources for each data category:
Active Directory: Microsoft Active Directory
Authentication Logs: Office 365, Cisco ISE
Web Proxy Logs: WebSense, BlueCoat, Squid, Cisco, Zscaler, Global
Email Logs: Cisco, Qmail, Sendmail, Exim, Microsoft Exchange, Mimecast, Proofpoint, Office 365, Global
VPN Logs: Cisco, FortiGate, PaloAlto, Juniper, CITRIX, Global
Resource/File Access Logs: Office 365, EMC, Global
SAP Security Audit Logs: LP4SAP, AgileSI
Note
Microsoft Active Directory does not include Microsoft Azure Active Directory.
Global refers to the mapping of any other data source for a particular data category. LogPoint provides the necessary support on demand for other data sources.
You can configure UEBA to run all the data sources or a single data source based on the needs and logs in your system.
You must specify the data sources to enable in UEBA while onboarding. To enable more data sources after onboarding, contact LogPoint Support. In this case, the detection of anomalies from the new data sources may not be as precise until LogPoint UEBA stabilizes the baselines.
UEBA requires a minimum of 200 logs per data source per day to work optimally. Only logs that pass the Compatibility Check count toward this minimum.
The fields specified in the following sections are examined by UEBA.
Asterisks (*) denote mandatory fields. If a log does not contain a mandatory field, it is not processed by UEBA.
Only the fields listed below are processed by UEBA. All the other fields present in the logs are discarded.
Active Directory
log_ts*
event_id*
event_type*
host*
user or userPrincipalName*
sub_status_code
object_type
object_name
share_path
source_address
source_machine_id
Additional mandatory fields for the logs with event_id 4656 or 4663:
object_type*
object_name*
Additional mandatory fields for the logs with event_id 5145:
share_path*
Note
Refer to the Input section for a list of all the Event IDs provided by Active Directory.
Authentication Logs
log_ts*
status*
host*
userPrincipalName or sAMAccountName*
Email Logs
log_ts*
sender*
receiver*
data_size*
userPrincipalName or sAMAccountName*
subject
status
file
file_count
VPN Logs
log_ts*
user*
source_address*
status*
userPrincipalName
country_name
The logs must also have either label=VPN or sub_category=GlobalProtect.
Web Proxy Logs
log_ts*
request_method*
status_code*
received_datasize*
destination_address*
user_agent*
user or userPrincipalName*
sent_datasize
source_address
source_machine_id
domain
The logs must also have device_category=ProxyServer.
Resource/File Access Logs
log_ts*
user or userPrincipalName*
object_name*
object_type*
host*
status*
source_machine_id
SAP Security Audit Logs
SI_EXTR*
log_ts*
SI_USER*
SI_SYSTEMID*
SI_CLIENT*
SI_MESSAGE*
SI_SIGID*
SI_STRING1
SI_HOSTNAME
SI_IPADDRV4
SI_IPADDRV6
SAP Security Audit Logs are supported in LogPoint v7.1.0 and later only.
LogPoint UEBA validates that the following field values match these formats:
Field | Value Format
host | String without spaces
event_id | Number
userPrincipalName | Valid email address
user | Valid email address or string, and cannot be "-"
sub_status_code | Must start with 0x
object_type | Letters, numbers, and "-"
event_type | audit_success, audit_failure, or audit_fail
request_method | Letters, numbers, and "-"
status_code | Number
received_datasize | Number
source_address | A valid IPv4 address or "-"
destination_address | A valid IPv4 address or "-"
user_agent | String without double quotes (")
sent_datasize | Number
sender | Valid email address
datasize | Number
file_size | Number
file | String without spaces
status | success or failure
file_count | Number
SI_CLIENT | Three-digit number with leading zeros
SI_SYSTEMID | Three-character uppercase alphanumeric value where the first character is not a number
Note
SI_SYSTEMID rejects reserved values such as ADD, ALL, AMD, AND, ANY, ASC, AUX, COM, CON, DBA, END, EPS, FOR, GID, IBM, INT, KEY, LOG, LPT, SAP, VAR, and USR.
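The following script is an added example, not LogPoint's own Compatibility Check code. It approximates the rules documented above (the mandatory fields per data category, the event_id-dependent extras for Active Directory, the value-format table, the SI_SYSTEMID reserved-value rule, and the 200-logs-per-day minimum) so that you can run it over a sample of normalized events before onboarding and see which logs UEBA would discard and whether a source reaches the daily minimum. It assumes normalized logs are Python dicts keyed by LogPoint field name with log_ts in epoch seconds; the email and IPv4 patterns are the author's approximations of "valid email address" and "valid IPv4 address", and the sample events are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Value-format rules from the validation table. Normalized fields arrive as
# strings, so every rule works on str(v); plain ints are accepted for numbers.
# The email and IPv4 patterns are approximations chosen for this example.
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
_ALNUM_DASH = re.compile(r"^[A-Za-z0-9-]+$")
_SI_SYSTEMID = re.compile(r"^[A-Z][A-Z0-9]{2}$")
SI_SYSTEMID_RESERVED = {
    "ADD", "ALL", "AMD", "AND", "ANY", "ASC", "AUX", "COM", "CON", "DBA", "END",
    "EPS", "FOR", "GID", "IBM", "INT", "KEY", "LOG", "LPT", "SAP", "VAR", "USR",
}


def _number(v):
    return isinstance(v, int) or str(v).isdigit()


def _ipv4_or_dash(v):
    return v == "-" or bool(_IPV4.match(str(v)))


def _email(v):
    return bool(_EMAIL.match(str(v)))


def valid_si_systemid(v):
    """Three uppercase alphanumerics, first one not a digit, not a reserved word."""
    return bool(_SI_SYSTEMID.match(str(v))) and str(v) not in SI_SYSTEMID_RESERVED


FORMAT_RULES = {
    "host": lambda v: bool(v) and " " not in str(v),
    "event_id": _number,
    "userPrincipalName": _email,
    "user": lambda v: bool(v) and v != "-",
    "sub_status_code": lambda v: str(v).startswith("0x"),
    "object_type": lambda v: bool(_ALNUM_DASH.match(str(v))),
    "event_type": lambda v: v in {"audit_success", "audit_failure", "audit_fail"},
    "request_method": lambda v: bool(_ALNUM_DASH.match(str(v))),
    "status_code": _number,
    "received_datasize": _number,
    "sent_datasize": _number,
    "source_address": _ipv4_or_dash,
    "destination_address": _ipv4_or_dash,
    "user_agent": lambda v: '"' not in str(v),
    "sender": _email,
    "datasize": _number,
    "file_size": _number,
    "file": lambda v: bool(v) and " " not in str(v),
    "status": lambda v: v in {"success", "failure"},
    "file_count": _number,
    "SI_CLIENT": lambda v: bool(re.fullmatch(r"\d{3}", str(v))),
    "SI_SYSTEMID": valid_si_systemid,
}

# Mandatory fields per data category; a tuple means "at least one of these".
MANDATORY = {
    "Active Directory": ["log_ts", "event_id", "event_type", "host", ("user", "userPrincipalName")],
    "Authentication Logs": ["log_ts", "status", "host", ("userPrincipalName", "sAMAccountName")],
    "VPN Logs": ["log_ts", "user", "source_address", "status"],
    "Resource/File Access Logs": ["log_ts", ("user", "userPrincipalName"), "object_name", "object_type", "host", "status"],
    "SAP Security Audit Logs": ["SI_EXTR", "log_ts", "SI_USER", "SI_SYSTEMID", "SI_CLIENT", "SI_MESSAGE", "SI_SIGID"],
}
# Extra mandatory fields that depend on the Windows event ID.
AD_EXTRA = {"4656": ["object_type", "object_name"], "4663": ["object_type", "object_name"], "5145": ["share_path"]}


def compatibility_problems(category, log):
    """Reasons UEBA would discard this normalized log (empty list = compatible)."""
    problems = []
    required = list(MANDATORY[category])
    if category == "Active Directory":
        required += AD_EXTRA.get(str(log.get("event_id", "")), [])
    for field in required:
        names = field if isinstance(field, tuple) else (field,)
        if not any(n in log for n in names):
            problems.append("missing mandatory field " + " or ".join(names))
    for name, rule in FORMAT_RULES.items():
        if name in log and not rule(log[name]):
            problems.append(f"bad format for {name}={log[name]!r}")
    return problems


def daily_volume(category, logs, minimum=200):
    """Compatible logs per UTC day (log_ts in epoch seconds) and whether each day meets the minimum."""
    counts = Counter()
    for log in logs:
        if not compatibility_problems(category, log):
            counts[datetime.fromtimestamp(log["log_ts"], timezone.utc).date().isoformat()] += 1
    return {day: (n, n >= minimum) for day, n in counts.items()}


# Constructed sample events for illustration, not real LogPoint output.
SAMPLE_AD = [
    {"log_ts": 1700000000, "event_id": "4624", "event_type": "audit_success", "host": "DC01", "user": "alice"},
    {"log_ts": 1700000100, "event_id": "4663", "event_type": "audit_success", "host": "FS01",
     "userPrincipalName": "alice@example.com"},                       # 4663 without object_type/object_name
    {"log_ts": 1700000200, "event_id": "5145", "event_type": "audit_success", "host": "FS01", "user": "bob",
     "share_path": r"\\FS01\finance"},
    {"log_ts": 1700000300, "event_id": "4625", "event_type": "Failure", "host": "DC 01", "user": "-"},  # three format faults
]
SAMPLE_SAP = {"SI_EXTR": "20231114221320", "log_ts": 1700000000, "SI_USER": "JDOE", "SI_SYSTEMID": "SAP",
              "SI_CLIENT": "100", "SI_MESSAGE": "Logon successful", "SI_SIGID": "AU1"}

if __name__ == "__main__":
    for log in SAMPLE_AD:
        print(log["event_id"], compatibility_problems("Active Directory", log) or "compatible")
    print("SAP:", compatibility_problems("SAP Security Audit Logs", SAMPLE_SAP))
    print(daily_volume("Active Directory", SAMPLE_AD))
```

Run it against a day's worth of exported events for each source you plan to onboard: a source whose compatible count stays under 200 per day, or whose logs mostly fail on a format rule such as event_type or user, will give UEBA too little to baseline on, and the failing field names tell you which normalizer mapping to fix first.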