User and Entity Behavior Logs
For supported software information, click here.
User and entity behavior analytics (UEBA) uses machine learning and advanced analytics to detect abnormal user activities in a network. Versa UEBA is a cloud service that provides a layer of security that enables your organization to monitor, detect, and respond to suspicious behaviors across your network infrastructure. Unlike security measures that focus on known attack signatures, UEBA continuously monitors and learns from user interactions, which helps security teams identify anomalies in real time and respond proactively to threats.
UEBA logs are exported to Analytics nodes by Versa messaging service (VMS) nodes. User entity score logs are exported to Analytics nodes by SASE gateways.
UEBA Logs
VMS exports UEBA logs when a UEBA application running in the cloud detects an anomalous event.
UEBA Log Message Format
2025-01-10T14:27:44+0000 uebaLog, applianceName=VMS1, tenantName=Provider-Org, userName=sse-demo-product-1@versa-networks.com, ucsScore=66, ucsBand="moderate-risk", uebaEventType=risky-countries, uebaDetails="krbtestuser6@versa-networks.com access detected to/from IP 95.173.136.71:80 on application http in country RU. Rulename All-Profiles, Score: 66"
UEBA Log Message Fields
| Field | Description |
|---|---|
| Log Type | uebaLog |
| applianceName | Name of the VMS appliance or instance that originated the log. |
| tenantName | Tenant or organization name. |
| userName | User name. |
| ucsScore | User confidence score (UCS). |
| ucsBand | UCS band. |
| uebaEventType | Type of UEBA event. |
| uebaDetails | Details about why the UEBA event was triggered. |
User Entity Confidence Score Logs
User entity confidence score logs are sent by the SASE gateway when it receives notification of the device risk score for a user’s device from VMS.
User Entity Confidence Score Log Message Format
2024-11-04T19:14:22+0000 userEcsLog, applianceName=GW-1, tenantName=Tenant1, applianceId=0, userName=Unknown, deviceName="PRIYA-WINDOWS", racAccessType=unknown, privateIP=1.1.1.1, publicIP=10.10.10.10, ecsScore=50, ecsBand=high-risk, ecsReason="Triggered by Malware", dataSource=CrowdStrike, dataSourceVersion=1.1, os="Windows", osVersion="10.0.1934.1", serialNum=X123456780A
User Entity Confidence Score Log Message Fields
| Field | Description |
|---|---|
| Log Type | userEcsLog |
| applianceName | Name of the gateway handling the user's connection. |
| tenantName | Tenant or organization name. |
| applianceId | (Field not used.) |
| userName | User name. |
| deviceName | Name of the user’s device. |
| racAccessType | Indicates whether the user accessed the network through remote access client type IPSEC or SSL. |
| privateIP | User device’s private IP address, used to connect to the gateway. |
| publicIP | User device’s public IP address, used to connect to the gateway. |
| ecsScore | User device’s entity confidence score (ECS). |
| ecsBand | User device’s entity confidence band. The confidence bands are: |
| ecsReason | Reason for the ECS value. |
| dataSource | Source of data used to determine the ECS. |
| os | OS running on the user’s device. |
| osVersion | Version of the OS running on the user's device. |
| serialNum | Serial number of the user’s device. |
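The following parser for the two log formats described above is an added example, not Versa code. It splits each line into timestamp, log type, and key=value fields (quoted values may contain commas), then filters records by confidence band. The names `parse_log` and `triage`, and the choice of `deviceName` as the subject of a userEcsLog record, are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed input modelled on this page's two sample lines. The uebaDetails
# value is wrapped in typographic quotes to show that they are tolerated.
SAMPLES = [
    '2025-01-10T14:27:44+0000 uebaLog, applianceName=VMS1, tenantName=Provider-Org, '
    'userName=sse-demo-product-1@versa-networks.com, ucsScore=66, ucsBand="moderate-risk", '
    'uebaEventType=risky-countries, uebaDetails=\u201dkrbtestuser6@versa-networks.com access detected '
    'to/from IP 95.173.136.71:80 on application http in country RU. Rulename All-Profiles, Score: 66\u201d',
    '2024-11-04T19:14:22+0000 userEcsLog, applianceName=GW-1, tenantName=Tenant1, applianceId=0, '
    'userName=Unknown, deviceName="PRIYA-WINDOWS", racAccessType=unknown, privateIP=1.1.1.1, '
    'publicIP=10.10.10.10, ecsScore=50, ecsBand=high-risk, ecsReason="Triggered by Malware", '
    'dataSource=CrowdStrike, dataSourceVersion=1.1, os="Windows", osVersion="10.0.1934.1", serialNum=X123456780A',
]

QUOTE = '"\u201c\u201d'
HEADER = re.compile(r'^(\S+)\s+(\w+),\s*')
# A value is either quoted (may contain commas) or a bare token up to the next comma.
PAIR = re.compile(rf'(\w+)=(?:[{QUOTE}]([^{QUOTE}]*)[{QUOTE}]|([^,]*))')
SCORE_FIELDS = {"uebaLog": ("ucsScore", "ucsBand"), "userEcsLog": ("ecsScore", "ecsBand")}

def parse_log(line):
    """Parse one uebaLog/userEcsLog line into a dict of fields."""
    m = HEADER.match(line)
    if not m or m.group(2) not in SCORE_FIELDS:
        raise ValueError("not a uebaLog or userEcsLog line")
    rec = {"timestamp": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S%z"),
           "logType": m.group(2)}
    for key, quoted, bare in PAIR.findall(line[m.end():]):
        rec[key] = quoted or bare.strip()
    score_key, band_key = SCORE_FIELDS[rec["logType"]]
    rec["score"], rec["band"] = int(rec[score_key]), rec[band_key]
    return rec

def triage(lines, bands):
    """Return (logType, subject, score, band) for records whose band is in `bands`."""
    hits = []
    for line in lines:
        try:
            rec = parse_log(line)
        except (ValueError, KeyError):
            continue  # skip other log types and malformed lines
        subject = rec.get("deviceName") or rec.get("userName", "")
        if rec["band"] in bands:
            hits.append((rec["logType"], subject, rec["score"], rec["band"]))
    return hits

if __name__ == "__main__":
    print(triage(SAMPLES, {"high-risk"}))
```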
Supported Software
Releases 22.1.4 (Service Release dated 2025-02-08) and later support all content described in this article.