Comparing UEBA Sources

Windows UEBA vs Log Based UEBA

The following table shows which endpoint activities each UEBA source can observe: the Windows UEBA Agent compared with log-based UEBA (Windows Security Log, Windows Sysmon, Linux Agent, Linux Log).

| Scenario | Windows UEBA Agent | Windows Security Log | Windows Sysmon | Linux Agent | Linux Log |
|---|---|---|---|---|---|
| File create | Yes | No | Yes | No | No |
| File delete | Yes | Yes | Yes | No | No |
| File read | Yes | No | No | No | No |
| File write | Yes | No | No | No | No |
| File move | Yes | No | No | No | No |
| File rename | Yes | No | No | No | No |
| File print | Yes | No | No | No | No |
| Process stop | Yes | Yes | Yes | No | No |
| Process create | Yes | Yes | Yes | Yes | No |
| File upload | Yes | No | No | No | No |
| File download | Yes | No | No | No | No |
| Machine on | Yes | Yes | No | No | No |
| Machine off | Yes | Yes | No | No | No |
| Drive mount | Yes | No | No | No | No |
| Drive un-mount | Yes | No | No | No | No |
| Host logon | Yes | Yes | No | No | Yes |
| Host logoff | Yes | Yes | No | No | Yes |

UEBA Rules Trigger Based on Log Source

| Rule Name | Windows UEBA Agent | Win Log (Win Security AND/OR Sysmon) | Linux Agent | Linux Log |
|---|---|---|---|---|
| UEBA AI detects unusual drive unmounted | Yes | No | No | No |
| UEBA AI detects unusual file creation | Yes | Yes (Sysmon) | No | No |
| UEBA AI detects unusual file deletion | Yes | Yes (Win Security OR Sysmon) | No | No |
| UEBA AI detects unusual file download | Yes | No | No | No |
| UEBA AI detects unusual file movement | Yes | No | No | No |
| UEBA AI detects unusual file printed | Yes | No | No | No |
| UEBA AI detects unusual file reading | Yes | No | No | No |
| UEBA AI detects unusual file renamed | Yes | No | No | No |
| UEBA AI detects unusual file upload | Yes | No | No | No |
| UEBA AI detects unusual file writing | Yes | No | No | No |
| UEBA AI detects unusual host logon | Yes | Yes (Win Security) | No | Yes |
| UEBA AI detects unusual machine off | Yes | Yes (Win Security) | No | No |
| UEBA AI detects unusual machine on | Yes | Yes (Win Security) | No | No |
| UEBA AI detects unusual new drive mounted | Yes | No | No | No |
| UEBA AI detects unusual process created | Yes | Yes (Win Security OR Sysmon) | Yes | No |
| UEBA AI detects unusual process not restarted | Yes | No | No | No |
| UEBA AI detects unusual process started | Yes | Yes (Win Security OR Sysmon) | No | No |
| UEBA AI detects unusual process stopped | Yes | Yes (Win Security OR Sysmon) | No | No |
| UEBA AI detects unusual user logoff | Yes | Yes (Win Security) | No | Yes |
| UEBA Policy detects antivirus not started | Yes | No | No | No |
| UEBA Policy detects antivirus stopped | Yes | No | No | No |
| UEBA Policy detects backup applications | Yes | No | No | No |
| UEBA Policy detects browser download | Yes | No | No | No |
| UEBA Policy detects browser upload | Yes | No | No | No |
| UEBA Policy detects cloud upload | Yes | No | No | No |
| UEBA Policy detects email download | Yes | No | No | No |
| UEBA Policy detects email upload | Yes | No | No | No |
| UEBA Policy detects encryption tools | Yes | No | No | No |
| UEBA Policy detects file archiver application | Yes | No | No | No |
| UEBA Policy detects file printed | Yes | No | No | No |
| UEBA Policy detects files copied over remote desktop | Yes | No | No | No |
| UEBA Policy detects gaming application | Yes | No | No | No |
| UEBA Policy detects hacking tool and footprints | Yes | No | No | No |
| UEBA Policy detects hacking tool usage | Yes | No | No | No |
| UEBA Policy detects malicious powershell execution | Yes | No | No | No |
| UEBA Policy detects MTP read | Yes | No | No | No |
| UEBA Policy detects MTP write | Yes | No | No | No |
| UEBA Policy detects NFS read | Yes | No | No | No |
| UEBA Policy detects nfs write | Yes | No | No | No |
| UEBA Policy detects potential leaver editing a CV at work | Yes | No | No | No |
| UEBA Policy detects potential pirated media | Yes | No | No | No |
| UEBA Policy detects ransomware | Yes | No | No | No |
| UEBA Policy detects ransomware file names | Yes | No | No | No |
| UEBA Policy detects ransomware file types | Yes | No | No | No |
| UEBA Policy detects removable media read | Yes | No | No | No |
| UEBA Policy detects removable media write | Yes | No | No | No |
| UEBA Policy detects snipping tool | Yes | No | No | No |
| UEBA Policy detects software installation | Yes | No | No | No |
| UEBA Policy detects suspicious applications | Yes | No | No | No |
| UEBA Policy detects Tor client usage | Yes | No | No | No |
| UEBA Policy detects uncommon VPN client | Yes | No | No | No |