Required sourcetypes for behavior-based detections
Required sourcetypes for UEBA cloud deployments
| Sourcetype | Vendor | Recommended TA | Relevant Event Codes or Activity IDs |
|---|---|---|---|
| wineventlog, xmlwineventlog, wineventlog:security, xmlwineventlog:security | Microsoft | Splunk Add-on for Microsoft Windows V8.5.x or later | 1102; 4103, 4104; 4624, 4625, 4634, 4648, 4661, 4662, 4663, 4672, 4673, 4688, 4689; 4720–4781; 5140, 5145 |
| o365:reporting:messagetrace | Microsoft | Splunk Add-on for Microsoft Office 365 V4.8.1 or later | messagetrace |
| o365:management:activity | Microsoft | Splunk Add-on for Microsoft Office 365 V4.8.1 or later | FileCopied, FileDeleted, FileDownloaded, FileModified, FileMoved, FileRenamed, FileRestored, FileUploaded, SharingRevoked, SharingSet, UserLoggedIn, UserLoginFailed |
| infoblox:dhcp | Infoblox | Splunk Add-on for Infoblox V2.2.0 or later | ack, expire, release |
| box:events, box:file | Box | Splunk Add-on for Box V3.12.1 or later | add_login_activity_device, admin_login, collaboration_accept, collaboration_remove, delete, download, edit, failed_login, item_modify, item_open, item_shared_update, item_sync, item_unsync, login, move, preview, rename, share_expiration, share, upload |
| cisco:asa | Cisco | Splunk Add-on for Cisco ASA 5.2.0 or later | 113019, 113039; 602303, 602304; 611101, 611103; 716001–716006, 716038; 722022–722034, 722051; 723001, 723002 |
| oktaim2:log | Okta | Splunk Add-on for Okta Identity Cloud V3.0.0 or later | application.user_membership.add, application.user_membership.update, device.enrollment.create, group.privilege.grant, group.user_membership.add, user.account.lock, user.account.privilege.grant, user.account.report_suspicious_activity_by_enduser, user.authentication.auth_via_mfa, user.authentication.sso, user.lifecycle.activate, user.lifecycle.create, user.session.start |
| pan:globalprotect | Palo Alto | Splunk Add-on for Palo Alto Networks V2.0.1 or later | gateway-auth, gateway-connected, gateway-logout, gateway-setup-ipsec, gateway-switch-to-ssl, portal-auth |
Required sourcetypes for UEBA on-premises deployments
The following table lists the primary sourcetypes required for UEBA on-premises deployments, along with the associated vendors. These sourcetypes align with the Common Information Model (CIM) data models UEBA relies on for analytics and anomaly detection.
For on-premises deployments, UEBA relies on the following CIM data models:
- Authentication
- Network_Traffic
- Web
- Change
- Endpoint
- Email
| Sourcetype | Vendor | Recommended TA | Relevant Activity or Event Codes |
|---|---|---|---|
| XmlWinEventLog:Security | Microsoft Windows | Splunk Add-on for Microsoft Windows (TA-Windows) | EventCode IN (4624, 4625, 4720–4729, 4756–4757) |
| WinEventLog:Microsoft-Windows-PrintService/Operational | Microsoft Windows Print Service | Splunk Add-on for Microsoft Windows (TA-Windows) | EventCode=307 (print job events) |
| XmlWinEventLog:Microsoft-Windows-PrintService/Operational | Microsoft Windows Print Service | Splunk Add-on for Microsoft Windows (TA-Windows) | EventCode=307 |
| WinEventLog:Microsoft-Windows-PrintService/Admin | Microsoft Windows Print Service | Splunk Add-on for Microsoft Windows (TA-Windows) | EventCode=307 |
| XmlWinEventLog:Microsoft-Windows-PrintService/Admin | Microsoft Windows Print Service | Splunk Add-on for Microsoft Windows (TA-Windows) | EventCode=307 |
| auditd | Linux Audit Daemon | Splunk Add-on for Unix and Linux (TA-nix) | Suspicious activity (login, privilege escalation) |
| Cloudtrail | AWS CloudTrail | Splunk Add-on for AWS (TA-AWS) | Suspicious activity (API access, authentication, IAM change) |
| suricata | Suricata IDS / IPS | Splunk Add-on for Suricata (community) | Outbound traffic, blocked traffic, intrusion detection alerts |
| symantec:ep:behavior:file | Symantec Endpoint Protection | Splunk Add-on for Symantec Endpoint Protection | Action blocked, action allowed, file read/write behavior |
| gws:gmail | Google Workspace (Gmail) | Splunk Add-on for Google Workspace | Outbound traffic (email send events) |