UEBA View
The UEBA view monitors AI alerts obtained from FortiInsight. To configure what data appears in the UEBA view, see UEBA Settings. The UEBA view is divided into these layers:
- Incident Trend Chart
- Attribute List
- Related Incidents
- Triggering Events
The Actions drop-down list displays the operations you can perform on selected incidents. For descriptions of the operations, see Acting on Incidents.
Incidents in the UEBA View can be filtered by activity status or time range. See Filtering in the UEBA View.
Incident Trend Chart
The Incident Trend Chart displays frequency of incidents over time. You can click the bars in the chart to filter both the chart and the attribute list. The attribute lists will update based on the time and severity category of the bar.
Attribute List
The Attribute List table provides the following information about the AI alerts received from FortiInsight:
Attribute | Description |
---|---|
Incident | The name of the incident that was detected. The incident name is defined in Setting Tags. |
Host | The host name or IP address where the alert originated. |
Application | The name of the application that is the source of the incident. |
User | The Windows Agent user. This user is specified in Setting UEBA Higher Risk Entities. |
Tag | The tag used to categorize the alert. The tag is defined in Setting Tags. |
Activity | The description of the activity which raised the alert. |
Related Incidents
The Related Incidents table provides additional information on the incidents selected in the Attribute List table.
Attribute | Description |
---|---|
Severity Category | The severity of the incident: HIGH, MEDIUM, or LOW. You can change the severity value in the Actions drop-down list. |
Last Occurred | The date and time when the incident was last detected. |
Incident | The name of the incident. |
Tag | The tag used to categorize the alert. |
Host Name | The host name or IP address of the host where the alert originated. |
User | The Windows Agent user. |
Application | The name of the application that is the source of the incident. |
Resource | A resource name, typically a file path. |
Activity | The description of the activity which raised the alert. |
Triggering Events
The Triggering Events layer is typically hidden. Click an incident in the Related Incidents table to display its triggering events.
These display options are available above the table:
- Subpattern: FIN - Indicates that only FIN events are displayed.
- Wrap Raw Events - Select to display the full log event in the table.
- Show Event Type - Select to display the event type only.
- Show Raw Event Only - Select to display the full log event only.
The following table describes the attributes of the events in the Triggering Events table.
Attribute | Description |
---|---|
Event Receive Time | The date and time when the event was received. |
Host Name | The IP address or host name that was the source of the event. |
Domain | The Windows domain that was the source of the event. |
User | The Windows Agent user. |
Tag Name | The tag used to categorize the alert. |
Process Name | The name of the process producing the event. |
Activity Name | The description of the activity which raised the alert. |
Resource Name | A resource name, typically a file path. |
Filtering in the UEBA View
Use the Status button in the upper right corner of the UEBA View to filter the display for active or cleared incidents, or both. Use the Time Range button to filter the display for incidents within a specific time range:
- Status - Use the drop-down list to display Active incidents, Cleared incidents, or both.
- Time Range - Filter the incidents according to a time range:
  - If you click Relative, adjust the time value in the Last field.
  - If you click Absolute, enter a start and end time for the range.
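The following Python script is an added example, not code from the FortiSIEM product or its documentation. It models how the Status and Time Range filters described above, and the bar click on the Incident Trend Chart described earlier, narrow a set of incidents. The incident records, the fixed "now" timestamp and the one-hour chart bucket are assumptions made for the example; FortiSIEM's own storage and bucket sizes are not documented here.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Incident:
    """One row of the UEBA Related Incidents table (subset of columns)."""
    name: str
    host: str
    user: str
    severity: str          # HIGH, MEDIUM or LOW
    status: str            # Active or Cleared
    last_occurred: datetime


# Fixed "now" so the Relative filter is reproducible (assumption for this example).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample incidents; not real FortiInsight output.
INCIDENTS = [
    Incident("Unusual file access", "ws-01", "alice", "HIGH", "Active", NOW - timedelta(hours=1)),
    Incident("Unusual file access", "ws-02", "bob", "MEDIUM", "Active", NOW - timedelta(hours=2)),
    Incident("USB device use", "ws-03", "carol", "LOW", "Cleared", NOW - timedelta(hours=5)),
    Incident("Unusual file access", "ws-01", "alice", "HIGH", "Cleared", NOW - timedelta(days=2)),
    Incident("USB device use", "ws-04", "dave", "MEDIUM", "Active", NOW - timedelta(days=10)),
]


def filter_by_status(incidents, status="Both"):
    """Status button: show Active incidents, Cleared incidents, or Both."""
    if status == "Both":
        return list(incidents)
    return [i for i in incidents if i.status == status]


def filter_relative(incidents, last_hours, now=NOW):
    """Time Range > Relative: keep incidents whose Last Occurred falls in the last N hours."""
    start = now - timedelta(hours=last_hours)
    return [i for i in incidents if start <= i.last_occurred <= now]


def filter_absolute(incidents, start_iso, end_iso):
    """Time Range > Absolute: keep incidents between two ISO 8601 timestamps (inclusive)."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [i for i in incidents if start <= i.last_occurred <= end]


def trend_chart(incidents, bucket_hours=1):
    """Bars of the Incident Trend Chart: count per (bucket start as ISO string, severity)."""
    size = bucket_hours * 3600
    counts = Counter()
    for i in incidents:
        epoch = int(i.last_occurred.timestamp())
        bucket_start = datetime.fromtimestamp(epoch - epoch % size, tz=timezone.utc)
        counts[(bucket_start.isoformat(), i.severity)] += 1
    return dict(counts)


def click_bar(incidents, bucket_start_iso, severity, bucket_hours=1):
    """Clicking a bar narrows the view to that bar's time bucket and severity category."""
    start = datetime.fromisoformat(bucket_start_iso)
    end = start + timedelta(hours=bucket_hours)
    return [i for i in incidents if start <= i.last_occurred < end and i.severity == severity]


def attribute_list(incidents):
    """Rows of the Attribute List (Incident, Host, User), de-duplicated and sorted."""
    return sorted({(i.name, i.host, i.user) for i in incidents})


if __name__ == "__main__":
    active_last_day = filter_relative(filter_by_status(INCIDENTS, "Active"), 24)
    for key, count in sorted(trend_chart(active_last_day).items()):
        print(key, count)
    print(attribute_list(click_bar(INCIDENTS, "2024-05-01T11:00:00+00:00", "HIGH")))
```

Filters compose the way the view applies them: Status first, then Time Range, then the bar click, each returning the narrowed incident list that the Attribute List and Related Incidents tables are rebuilt from.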