UEBA Sample Logs

Sample logs for UEBA file-interaction events are provided below; each sample consists of an event-type name followed by one raw log line as emitted by the FortiInsight Windows agent.

FINS-Windows-new-drive-mounted

2022-06-24T19:06:58Z CD-DESK-S 0.0.0.0 [phCustId]="1" [customer]="super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="38ba7825-34a2-41b8-8e3d-0548878bef5b" [timeZone]="-0500" FortiInsight-Windows-Agent msg = {"ac":"new drive mounted","ap":"ntoskrnl.exe","d":"2022-06-24T15:06:57.128-04:00","r":"\\\\?\\swd#wpdbusenum#_??_usbstor#disk&ven_samsung&prod_flash_drive_fit&rev_1100#0374216040008546&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#{6ac27878-a6fa-4155-ba85-f98f491d4f33} -> samsung usb","u":"__"}

FINS-Windows-file-written

2022-06-24T19:25:06Z CD-DESK-S 192.0.2.0  [phCustId]="1" [customer]="super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="38ba7825-34a2-41b8-8e3d-0548878bef5b" [timeZone]="-0500"  FortiInsight-Windows-Agent msg = {"ac":"file written","ap":"explorer.exe","d":"2022-06-24T15:25:00.992-04:00","r":"rm:\\d:\\agenttest\\wireshark-win64-3.6.6.exe","u":"cd-desk-s__durki"} 

FINS-Windows-file-created

2022-06-24T19:25:00Z CD-DESK-S 192.0.2.0  [phCustId]="1" [customer]="super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="38ba7825-34a2-41b8-8e3d-0548878bef5b" [timeZone]="-0500"  FortiInsight-Windows-Agent msg = {"ac":"file created","ap":"explorer.exe","d":"2022-06-24T15:25:00.215-04:00","r":"rm:\\d:\\agenttest\\wireshark-win64-3.6.6.exe","u":"cd-desk-s__durki"} 

FINS-Windows-file-deleted

2022-06-24T19:23:57Z CD-DESK-S 192.0.2.0  [phCustId]="1" [customer]="super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="38ba7825-34a2-41b8-8e3d-0548878bef5b" [timeZone]="-0500"  FortiInsight-Windows-Agent msg = {"ac":"file deleted","ap":"explorer.exe","d":"2022-06-24T15:23:56.794-04:00","r":"rm:\\d:\\agenttest\\winscp-5.17.8-setup.zip","u":"cd-desk-s__durki"}