Reviewing UEBA logs

The UEBA Logs page is where all the logs for observables that have been matched are displayed.

You can access the UEBA logs page by navigating to Analyze > Logs > UEBA.

The UEBA logs page displays information for the last 7 days by default. The data on this page is updated every hour, and log information is retained for the last 30 days. The UEBA logs page displays 50 entries per page and 10000 entries in total.
  1. Time filter: Allows you to filter the logs for selected period.
    • Last 24 Hours (default)
    • Last 7 Days
    • Last 30 Days
    • Custom

      If you select Custom, you must select a Start Time and an End Time to view logs for the selected period. You can view logs for a maximum period of 30 days from today.

      Note that the maximum time period is 30 days from now: the oldest Start Time you can select is 30 days before the current time.

  2. Search: Allows you to configure and filter the logs by any of the displayed columns. Each of these columns is described below.
    1. User Email: Displays the user's Forcepoint ONE SSE user email.
      • Can be filtered by equals, not equals, contains or does not contain, and then entering part or all of the user's email.
    2. Category: Displays the category of observable.
      • Can be filtered by equals and then selecting the category, that is, Data Exfiltration.
    3. Observable Name: Displays the name of the Observable matched.
      • Can be filtered by equals, not equals, contains or does not contain and then entering the name of the Observable.
    4. Other available filters: You can also filter logs using following filters:
      • Observable ID: Can be filtered by entering the Observable ID.
      • Model Name: Can be filtered by equals and then selecting the model name.
      • Baseline: Can be filtered by equals and then entering the baseline.
      • Cadence of Evaluation: Can be filtered by equals and then selecting the cadence. Valid options are Fast, Medium and Slow.
      • Sensitivity: Can be filtered by equals and then selecting the sensitivity. Valid options are High, Medium and Low.

      You can create and save filters as needed, for example a filter where Cadence of Evaluation equals Medium and Sensitivity equals High.

  3. Export CSV: After applying the required filters, you can click Export CSV to export the filtered logs as a zipped CSV file. The CSV file contains the latest 25000 records with all fields.
  4. Clicking into an event log will take you to a details page providing further information about the event.

    When a user who is not listed on the IAM > Users and Groups page performs bulk activity that matches observables, that user is labelled Unregistered User: <email>.
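The filters described above can also be reproduced offline against an Export CSV file, which is useful when an analyst wants to re-slice an export or pick out Unregistered User entries for follow-up. The script below is an added example and is not Forcepoint code: the CSV column headers (`Time`, `User Email`, `Category`, `Observable Name`, `Observable ID`, `Model Name`, `Baseline`, `Cadence of Evaluation`, `Sensitivity`), the timestamp format and the sample rows are all assumptions constructed for the example, not taken from a real export. It applies the page's saved-filter example (Cadence of Evaluation equals Medium and Sensitivity equals High) inside a time window, enforces the 30-day maximum for a custom range, and flags unregistered users.

```python
"""Post-process a UEBA logs CSV export offline.

Added example, not Forcepoint product code. The column names and the
timestamp format are assumptions based on the filter names the UEBA Logs
page documents; the sample rows are constructed, not real export data.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export. Header names are assumed, not confirmed.
SAMPLE_CSV = """Time,User Email,Category,Observable Name,Observable ID,Model Name,Baseline,Cadence of Evaluation,Sensitivity
2024-05-01T10:15:00Z,alice@example.com,Data Exfiltration,Large download volume,OBS-001,download-volume,30d,Medium,High
2024-05-01T11:00:00Z,Unregistered User: temp@example.com,Data Exfiltration,Bulk upload,OBS-002,upload-count,30d,Fast,High
2024-04-20T09:30:00Z,bob@example.com,Data Exfiltration,Large download volume,OBS-001,download-volume,30d,Medium,Low
2024-05-02T08:45:00Z,carol@example.com,Data Exfiltration,Off-hours access,OBS-003,access-time,7d,Medium,High
"""

MAX_LOOKBACK_DAYS = 30  # the page states logs are kept, and viewable, for at most 30 days
UNREGISTERED_PREFIX = "Unregistered User:"


def parse_export(text):
    """Parse an export into a list of dict rows keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def validate_custom_range(start, end, now):
    """Enforce the Custom time filter rule: at most 30 days back from now."""
    if start > end:
        raise ValueError("Start Time must not be after End Time")
    if start < now - timedelta(days=MAX_LOOKBACK_DAYS):
        raise ValueError("Start Time may be at most 30 days before now")
    if end > now:
        raise ValueError("End Time may not be in the future")
    return True


def in_window(row, start, end, field="Time"):
    """True if the row's timestamp (assumed ISO-8601 UTC) lies in [start, end]."""
    ts = datetime.strptime(row[field], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return start <= ts <= end


def matches(row, conditions):
    """Emulate the page's 'equals' filters: every named column must equal its value."""
    return all(row.get(col) == val for col, val in conditions.items())


def is_unregistered(row):
    """True for rows the page labels 'Unregistered User: <email>'."""
    return row["User Email"].startswith(UNREGISTERED_PREFIX)


def apply_saved_filter(rows, start, end):
    """The page's example saved filter: Cadence equals Medium and Sensitivity equals High."""
    wanted = {"Cadence of Evaluation": "Medium", "Sensitivity": "High"}
    return [r for r in rows if in_window(r, start, end) and matches(r, wanted)]


def unregistered_emails(rows):
    """Extract the bare e-mail addresses from Unregistered User rows."""
    return [r["User Email"][len(UNREGISTERED_PREFIX):].strip()
            for r in rows if is_unregistered(r)]


if __name__ == "__main__":
    now = datetime(2024, 5, 3, tzinfo=timezone.utc)  # constructed "current time"
    start = now - timedelta(days=7)                  # the Last 7 Days window
    validate_custom_range(start, now, now)
    rows = parse_export(SAMPLE_CSV)
    for r in apply_saved_filter(rows, start, now):
        print(r["Time"], r["User Email"], r["Observable Name"])
    print("unregistered:", unregistered_emails(rows))
```

`apply_saved_filter` only implements the `equals` operator; the `contains` and `not equals` operators the page lists for User Email and Observable Name map directly onto `in` and `!=` on the same row dict if they are needed.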