Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 7.2.2
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    User Guide

    Home FortiSIEM 7.2.2 User Guide
    7.2.2
    7.5.1
    7.5.0
    7.4.2
    7.4.1
    7.4.0
    7.3.5
    7.3.4
    7.3.3
    7.3.2
    7.3.1
    7.3.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.9
    7.1.8
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    4.10.0
    4.9.0
    4.8.1
    4.7.2

    UEBA based on Log

    UEBA Based on Log

    In earlier releases, User Entity Behavior Analytics (UEBA) was done based on proprietary logs collected by the FortiSIEM Windows UEBA Agent. Now, the analytics is extended to the following regular logs. Note that regular logs only cover a subset of the user activities compared to the FortiSIEM UEBA Agent.

    Windows Security logs

    • Unusual machine on activity based on Win-Security-4608 log
    • Unusual machine off activity based on Win-Security-4609 log
    • Unusual host logon activity based on Win-Security-4624 log
    • Unusual host logoff activity based on Win-Security-4634 log
    • Unusual file deletion based on Win-Security-4660 log
    • Unusual process created based on Win-Security-4688 log
    • Unusual process stopped based on Win-Security-4689 log

    Windows Sysmon

    • Unusual process created based on Win-Sysmon-1-Create-Process log
    • Unusual process stopped based on Win-Sysmon-5-Process-Terminated log
    • Unusual file creation based on Win-Sysmon-11-FileCreate log
    • Unusual file deletion based on Win-Sysmon-23-File-Delete-archived and Win-Sysmon-26-File-Delete-logged log

    Linux Agent

    • Unusual process created based on LINUX_PROCESS_EXEC log
    • Unusual machine off activity based on Generic_Unix_System_Shutdown log
    • Unusual host logon activity based on Generic_Unix_Successful_SSH_Login log

    For detailed comparison of Windows UEBA Agent versus log based UEBA, see Appendix - Comparing UEBA Sources.

    Previous
    Next

    UEBA based on Log

    UEBA Based on Log

    In earlier releases, User Entity Behavior Analytics (UEBA) was done based on proprietary logs collected by the FortiSIEM Windows UEBA Agent. Now, the analytics is extended to the following regular logs. Note that regular logs only cover a subset of the user activities compared to the FortiSIEM UEBA Agent.

    Windows Security logs

    • Unusual machine on activity based on Win-Security-4608 log
    • Unusual machine off activity based on Win-Security-4609 log
    • Unusual host logon activity based on Win-Security-4624 log
    • Unusual host logoff activity based on Win-Security-4634 log
    • Unusual file deletion based on Win-Security-4660 log
    • Unusual process created based on Win-Security-4688 log
    • Unusual process stopped based on Win-Security-4689 log

    Windows Sysmon

    • Unusual process created based on Win-Sysmon-1-Create-Process log
    • Unusual process stopped based on Win-Sysmon-5-Process-Terminated log
    • Unusual file creation based on Win-Sysmon-11-FileCreate log
    • Unusual file deletion based on Win-Sysmon-23-File-Delete-archived and Win-Sysmon-26-File-Delete-logged log

    Linux Agent

    • Unusual process created based on LINUX_PROCESS_EXEC log
    • Unusual machine off activity based on Generic_Unix_System_Shutdown log
    • Unusual host logon activity based on Generic_Unix_Successful_SSH_Login log

    For detailed comparison of Windows UEBA Agent versus log based UEBA, see Appendix - Comparing UEBA Sources.

    Previous
    Next