FortiSIEM UEBA Telemetry
For the most complete visibility into user activity, deploying FortiSIEM Agents with UEBA enabled is recommended. This allows detailed user activity to be collected without enabling any specific Microsoft Windows auditing.
FortiSIEM Agents can be configured to send information to FortiSIEM even if the workstation is not on the network. This helps to ensure continued visibility into user activity.
The following diagram illustrates how a user who roams between on-network and off-network locations can continue to send events and telemetry to FortiSIEM using FortiSIEM Agents with the optional UEBA feature.
With the UEBA feature enabled, the agent captures the key information from 5 areas (user, process, device, resources, and action) that are used within the ML models.