UEBA

Top Level Fieldset: False

This field set contains User and Entity Behavior Analytics (UEBA) information about the behavior of an event.

Fields from ueba can only be found at the following locations:

  • event.ueba

UEBA Fields

ueba.anomalous_fields

Required Field: False
Type: OBJECT
Example: {'source.as.number': 13541, 'source.ip': '147.34.2.14'}
Detection Supported Field: True

Details of the anomalous fields of the event.


ueba.normal_state

Required Field: False
Type: OBJECT
Example: {'source.as.number': [], 'source.ip': []}
Detection Supported Field: True

Normal state values of the anomalous fields.


ueba.rare_state

Required Field: False
Type: OBJECT
Example: {'source.as.number': [], 'source.ip': []}
Detection Supported Field: True

Rare state values of the anomalous fields.