UEBA View

The UEBA view monitors AI alerts obtained from FortiInsight. To configure what data appears in the UEBA view, see UEBA Settings. The UEBA view is divided into these layers:

  • Incident Trend Chart
  • Attribute List
  • Related Incidents
  • Triggering Events

The Actions drop-down list displays the operations you can perform on selected incidents. For descriptions of the operations, see Acting on Incidents.

Incidents in the UEBA View can be filtered by activity status or time range. See Filtering in the UEBA View.

Incident Trend Chart

The Incident Trend Chart displays the frequency of incidents over time, with one bar per time bucket and severity category. Click a bar to filter both the chart and the Attribute List: the Attribute List then shows only the incidents that fall in the time bucket and severity category of the selected bar.

Attribute List

The Attribute List table provides the following information about the AI alerts received from FortiInsight:

Attribute      Description
Incident       The name of the incident that was detected. The incident name is defined in Setting Tags.
Host           The host name or IP address where the alert originated.
Application    The name of the application that is the source of the incident.
User           The Windows Agent user. This user is specified in Setting UEBA Higher Risk Entities.
Tag            The tag used to categorize the alert. The tag is defined in Setting Tags.
Activity       The description of the activity that raised the alert.

Related Incidents

The Related Incidents table provides additional information on the incidents selected in the Attribute List table.

Attribute          Description
Severity Category  The severity of the incident: HIGH, MEDIUM, or LOW. You can change the severity from the Actions drop-down list.
Last Occurred      The date and time when the incident was last detected.
Incident           The name of the incident.
Tag                The tag used to categorize the alert.
Host Name          The host name or IP address of the host where the alert originated.
User               The Windows Agent user.
Application        The name of the application that is the source of the incident.
Resource           A resource name, typically a file path.
Activity           The description of the activity that raised the alert.

Triggering Events

The Triggering Events layer is typically hidden. Click an incident in the Related Incidents table to display its triggering events.

These display options are available above the table:

  • Subpattern: FIN - Indicates that only FIN events are displayed.
  • Wrap Raw Events - Select to display the full log event in the table.
  • Show Event Type - Select to display the event type only.
  • Show Raw Event Only - Select to display the full log event only.

The following table describes the attributes shown for each event in the Triggering Events table.

Attribute           Description
Event Receive Time  The date and time when the event was received.
Host Name           The IP address or host name that was the source of the event.
Domain              The Windows domain that was the source of the event.
User                The Windows Agent user.
Tag Name            The tag used to categorize the alert.
Process Name        The name of the process that produced the event.
Activity Name       The description of the activity that raised the alert.
Resource Name       A resource name, typically a file path.

Filtering in the UEBA View

Use the Status and Time Range buttons in the upper right corner of the UEBA View to narrow the incidents that are displayed. The two filters are combined: an incident is shown only if it matches both.

  • Status - Use the drop-down list to display Active incidents, Cleared incidents, or both.
  • Time Range - Filter the incidents according to when they last occurred:
    • If you click Relative, adjust the time value in the Last field (for example, the last 2 hours, measured back from the current time).
    • If you click Absolute, enter an explicit start and end date and time.
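The following Python model shows how the filters described in this section and the bar selection in the Incident Trend Chart compose over a set of incidents: the Status filter and the Time Range filter are applied first, the remaining incidents are bucketed by time and severity category to draw the chart, and clicking a bar narrows the Attribute List to that bucket and severity. This is an added, stand-alone example written for this page, not FortiSIEM or FortiInsight code; the incident records, the field names, the one-hour bucket size and the fixed clock value are this example's own constructions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Constructed sample incidents carrying the Related Incidents columns described on
# this page. Hosts, users, paths and names are invented for the example.
@dataclass(frozen=True)
class Incident:
    severity: str          # HIGH, MEDIUM or LOW
    last_occurred: datetime
    incident: str
    tag: str
    host: str
    user: str
    application: str
    resource: str
    activity: str
    active: bool = True    # False once the incident has been cleared


# Fixed "current time" so that Relative time ranges are deterministic.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
ONE_HOUR = timedelta(hours=1)  # assumed chart bucket size for this example


def _ago(**kw):
    return NOW - timedelta(**kw)


INCIDENTS = [
    Incident("HIGH", _ago(minutes=30), "Data exfiltration to removable media", "Exfiltration",
             "WS-0142", "jdoe", "explorer.exe", r"E:\q2-forecast.xlsx", "File copied to USB drive"),
    Incident("MEDIUM", _ago(minutes=90), "Unusual working hours", "Anomaly",
             "WS-0142", "jdoe", "outlook.exe", "", "Logon outside baseline hours"),
    Incident("HIGH", _ago(minutes=50), "Data exfiltration to removable media", "Exfiltration",
             "WS-0207", "asmith", "explorer.exe", r"E:\payroll.csv", "File copied to USB drive",
             active=False),  # already cleared by an analyst
    Incident("LOW", _ago(hours=5), "New application executed", "Anomaly",
             "WS-0207", "asmith", "7z.exe", r"C:\Users\asmith\Downloads\7z.exe",
             "First execution of application"),
    Incident("HIGH", _ago(hours=26), "Data exfiltration to removable media", "Exfiltration",
             "WS-0099", "bwong", "explorer.exe", r"D:\customers.db", "File copied to USB drive"),
]


def filter_by_status(incidents, status="Both"):
    """Status button: 'Active', 'Cleared' or 'Both'."""
    if status == "Both":
        return list(incidents)
    want_active = status == "Active"
    return [i for i in incidents if i.active == want_active]


def relative_range(hours, now=NOW):
    """Time Range > Relative: 'Last N hours' as a (start, end) window ending now."""
    return now - timedelta(hours=hours), now


def filter_by_time(incidents, start, end):
    """Time Range filter; Relative and Absolute both reduce to a start/end pair."""
    return [i for i in incidents if start <= i.last_occurred <= end]


def bucket_start(ts, bucket=ONE_HOUR):
    """Floor a timestamp to the start of the chart bucket that contains it."""
    size = bucket.total_seconds()
    return datetime.fromtimestamp((ts.timestamp() // size) * size, tz=timezone.utc)


def trend_chart(incidents, bucket=ONE_HOUR):
    """Incident Trend Chart: number of incidents behind each (bucket, severity) bar."""
    return Counter((bucket_start(i.last_occurred, bucket), i.severity) for i in incidents)


def select_bar(incidents, start, severity, bucket=ONE_HOUR):
    """Clicking a bar keeps only the incidents in that bucket with that severity."""
    return [i for i in incidents
            if bucket_start(i.last_occurred, bucket) == start and i.severity == severity]


def attribute_list(incidents):
    """Attribute List rows: distinct (incident, host, application, user, tag, activity)."""
    return sorted({(i.incident, i.host, i.application, i.user, i.tag, i.activity)
                   for i in incidents})


if __name__ == "__main__":
    # Status = Active, Time Range = Relative, Last 2 hours.
    shown = filter_by_time(filter_by_status(INCIDENTS, "Active"), *relative_range(2))
    for (start, sev), n in sorted(trend_chart(shown).items()):
        print(f"{start:%Y-%m-%d %H:%M}  {sev:<6} {'#' * n}")
    # Click the HIGH bar of the 11:00 bucket and list its attributes.
    for row in attribute_list(select_bar(shown, bucket_start(INCIDENTS[0].last_occurred), "HIGH")):
        print(row)
```

Note that the cleared incident on WS-0207 falls inside the two-hour window but disappears from the chart as soon as Status is set to Active, which is why the two filters should be read together when an expected bar is missing.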