Anomaly reports and alerts in User and Entity Behavior Analytics (UEBA) in Log360 Cloud
Overview
This page explains how to access the reports used for anomaly investigation, how to associate alert profiles with the anomalies detected in Log360 Cloud, and how to manage and customize the resulting alerts.
Anomaly reports
The anomaly reports in Log360 Cloud's UEBA extend the anomaly investigation process by providing granular details of each detected anomaly, categorized by the anomaly rule that produced it. These reports can be accessed from the Correlation tab and include the following:
- Summary view: graphical representations of the anomaly data for the selected rule.
- Summary tables: quick-reference statistics for each selected rule, with columns such as Time, Log Source, UserName, Entity Type, Anomaly Type, Anomaly Message and Anomalous Entity, plus an option to view the anomaly details described in the dashboard view constituents.
- Events: the log events associated with each anomaly.
These reports can be exported in PDF or CSV format for offline analysis or for sharing with other teams.
By combining the report and dashboard views, Log360 Cloud enables a structured approach to investigating and understanding anomalous behavior across your organization's environment.
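The CSV export mentioned above is what most teams feed into their own triage tooling. The following script is an added example (not part of the Log360 Cloud documentation or product) showing one way to post-process such an export offline: it parses the summary-table columns, aggregates anomalies per user, and ranks users for whom several different anomaly types cluster within a short window, which is usually a stronger signal than one anomaly type firing repeatedly. The column names follow the summary-table fields listed on this page, but the exact header text, the timestamp format and the sample rows are assumptions made for the example; check them against a real export before use.

```python
"""Offline triage of an exported UEBA anomaly report (example code, not Log360 Cloud's own).

Assumptions (verify against a real CSV export):
  - header row uses the summary-table field names shown on the page
  - Time is "YYYY-MM-DD HH:MM:SS"
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; the rows are invented for this example.
SAMPLE_CSV = """Time,Log Source,UserName,Entity Type,Anomaly Type,Anomaly Message,Anomalous Entity
2024-03-04 02:13:05,DC01,jsmith,User,Time,Logon at an unusual time,jsmith
2024-03-04 02:14:40,DC01,jsmith,User,Count,Unusual number of file accesses,jsmith
2024-03-04 02:20:11,FS02,jsmith,Host,Pattern,Access to a host not seen before,FS02
2024-03-04 09:05:00,DC01,abrown,User,Time,Logon at an unusual time,abrown
2024-03-04 10:45:30,SVC-API,svc_backup,User,Count,Unusual number of logon failures,svc_backup
2024-03-04 10:46:02,SVC-API,svc_backup,User,Count,Unusual number of logon failures,svc_backup
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed export format


def parse_anomaly_csv(text):
    """Parse the export into dicts, converting Time to datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Time"] = datetime.strptime(row["Time"], TIME_FORMAT)
        rows.append(row)
    return rows


def summarize_by_user(rows):
    """Per-user totals: anomaly count, distinct anomaly types and log sources."""
    summary = {}
    for row in rows:
        s = summary.setdefault(row["UserName"], {"count": 0, "types": set(), "sources": set()})
        s["count"] += 1
        s["types"].add(row["Anomaly Type"])
        s["sources"].add(row["Log Source"])
    return summary


def clustered_types(user_rows, window):
    """Largest number of distinct anomaly types seen inside any span of length `window`."""
    events = sorted((r["Time"], r["Anomaly Type"]) for r in user_rows)
    best = 0
    for i, (t0, _) in enumerate(events):
        in_window = {atype for t, atype in events[i:] if t - t0 <= window}
        best = max(best, len(in_window))
    return best


def prioritize(rows, min_types=2, window=timedelta(hours=1)):
    """Users with at least `min_types` different anomaly types inside `window`,
    ordered by clustered type count, then total anomalies, then name."""
    by_user = defaultdict(list)
    for row in rows:
        by_user[row["UserName"]].append(row)
    ranked = []
    for user, user_rows in by_user.items():
        ntypes = clustered_types(user_rows, window)
        if ntypes >= min_types:
            ranked.append((user, ntypes, len(user_rows)))
    ranked.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return [user for user, _, _ in ranked]


if __name__ == "__main__":
    anomalies = parse_anomaly_csv(SAMPLE_CSV)
    for user, s in summarize_by_user(anomalies).items():
        print(f"{user}: {s['count']} anomalies, types={sorted(s['types'])}, sources={sorted(s['sources'])}")
    print("investigate first:", prioritize(anomalies))
```

In the constructed sample, only jsmith triggers three different anomaly types within a few minutes, so the script ranks that account first; svc_backup has the same count-based anomaly twice, which is worth a look but ranks lower. Adjust `window` and `min_types` to your environment's noise level.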
View reports
Steps to view the reports associated with an anomaly rule:
- Navigate to the Correlation tab.
- A left-hand pane lists the rule-based reports (if the pane is hidden, click the expand icon to open it). Scroll down to the list of Anomaly Reports.
- Click the relevant report category to expand the complete list of rule-based reports in that category.
- Click the specific report you need, and it opens in the main view.
Informational alert messages in anomaly reports
Depending on the status of the rule, one of three informational messages is displayed in place of the report:
- The rule is active but no anomalies have been generated yet: the rule is running, but no report data exists because the anomaly has not been triggered so far.
- The rule is not active: you can activate that anomaly rule from the message itself by following these steps.
  - Click the "Enable Anomaly Rule" button.
  - You will be taken to the complete list of anomaly rules.
  - Search for the rule in that list, go to the "Rule Status" column and hover over the "Inactive" button; the option to activate the rule appears.
  - Click "Activate". Once the action is carried out, a confirmation pop-up appears briefly.
- The rule was previously active and is now inactive: reports for the anomaly were generated while the rule was active and the rule was deactivated later. You can still view the reports generated up to the point at which the rule was deactivated. The rule must be activated manually again before any further reports are generated for it.
To learn how to activate an anomaly rule, refer to Working with anomaly rules.
Show or hide reports for both pre-defined and custom anomaly rules
Each rule will have an associated report to view the anomaly data. Users can choose to show or hide the corresponding report of the selected rule.
Steps to show/hide reports:
- Go to the Correlation tab, and in the left-hand side pane, click on "Manage Rules".
- The list of the existing rules appears. Click on the "Anomaly Rules" sub-tab just above the rules list.
- Search for the rule(s) in the rule list and go to the "Show/Hide Report" column, which contains a checkbox for each rule.
- To show a report, select its currently empty checkbox (an empty checkbox indicates that the report is hidden). You can select multiple reports to show them at once. A confirmation pop-up appears once the action completes.
- Similarly, to hide a report, clear its currently selected checkbox (a selected checkbox indicates that the report is shown). You can clear multiple checkboxes to hide several reports at once. A confirmation pop-up appears once the action completes.
Alternatively, when you deactivate an anomaly rule, the confirmation pop-up offers an option to hide that rule's report, so you can hide the report at the same time you deactivate the rule.
To learn how to deactivate anomaly rules, read Activating and Deactivating rules for both pre-defined and custom anomaly rules in Working with anomaly rules.
Alerts
Log360 Cloud's UEBA alerts security admins whenever anomalies are detected in the network. With alerts enabled, security teams can take a proactive approach to network security monitoring, staying informed about unusual activity in near real time and acting promptly. Alerts can be delivered as in-product notifications and as email alerts, and can be tailored by criticality and message content.
Setting up alerts for anomalies
Alerts are disabled by default for all anomaly rules; you must enable them manually to receive notifications.
Learn more about Creating alert profiles
Enabling/Disabling alerts
To enable alerts for an anomaly rule in Log360 Cloud UEBA, that particular rule must be actively running already. To know how to activate anomaly rule(s) in Log360 Cloud UEBA, read Working with anomaly rules.
Steps to enable alerts for an anomaly rule:
- Go to the Correlation tab, and in the left-hand side pane, click on "Manage Rules".
- The list of the existing rules appears. Click on the "Anomaly Rules" sub-tab just above the rules list.
- Navigate to the rule(s) in the rule list for which you wish to enable alerts and go to the "Alert Profile" column.
- Select the currently empty checkbox (an empty checkbox indicates that alerts are disabled for that rule).
- Alerts are now enabled for that rule.
Similarly, to disable alerts for an anomaly rule, clear its currently selected checkbox (a selected checkbox indicates that alerts are enabled); alerts are then disabled for that rule.
Receiving alerts
Log360 Cloud alerts users both via:
- In-product notification: Accessible via the Alerts page in the console.
- Email notification: Sent to configured recipients. These notifications can be customized to include a subject as well as the message in the mail.
Learn more about Setting up email notification for alerts
Managing alerts
Users can manage or create custom alert profiles in Log360 Cloud to receive the notifications when anomalies are detected. They can define the alert name, set severity levels, choose delivery methods, and also tailor the alert messages to suit the enterprise's security and compliance needs.
For a more detailed guide on creating and managing alert profiles in Log360 Cloud, read the Alerts help manual.
Read also
This document explains how to access and use the anomaly reports for investigation, and how to set up alerts for the anomalies detected by Log360 Cloud's UEBA. To learn more about UEBA's capabilities, refer to the following articles: