IBM QRadar User Behavior Analytics (UBA) app Version 3.3.0 User Guide IBM

Post on 20-May-2020


Page 1: Version 3.3.0 app IBM QRadar User Behavior …public.dhe.ibm.com/software/security/products/qradar/...IBM QRadar User Behavior Analytics (UBA) app Version 3.3.0 User Guide IBM Note

IBM QRadar User Behavior Analytics (UBA) app Version 3.3.0

User Guide

IBM


Note

Before you use this information and the product that it supports, read the information in "Notices" on page 263.

Product information

This document applies to IBM® QRadar® Security Intelligence Platform V7.2.8 and subsequent releases unless superseded by an updated version of this document.

© Copyright International Business Machines Corporation 2016, 2019.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Chapter 1. User Behavior Analytics for QRadar ... 1
  What's new in the User Behavior Analytics app ... 2
  Known issues ... 3
  Process overview ... 4
  Video demonstrations and tutorials ... 5
  UBA dashboard and user details ... 5
  Investigating users in QRadar Advisor with Watson ... 9
  Prerequisites for installing the User Behavior Analytics app ... 10
  Supported browsers for the UBA app ... 11
  Log source types relevant to the UBA app ... 11

Chapter 2. Installing and uninstalling ... 13
  Installing the User Behavior Analytics app ... 13
  Uninstalling the UBA app ... 14

Chapter 3. Upgrading ... 17
  Upgrading the User Behavior Analytics app ... 17

Chapter 4. Configuring ... 19
  Configuring the User Behavior Analytics app ... 19
    Configuring the Reference Data Import LDAP app ... 19
    Configuring UBA settings ... 23

Chapter 5. Administering ... 31
  Managing permissions for the QRadar UBA app ... 31
  Creating watchlists ... 31
  Viewing the whitelist for trusted users ... 33
  Managing network monitoring tools ... 33
  Managing restricted programs ... 34
  Adding log sources to the trusted log source group ... 35
  Dormant accounts ... 35

Chapter 6. Tuning ... 37
  Enabling indexes to improve performance ... 37
  Integrating new or existing QRadar content with the UBA app ... 38
  Reference sets ... 39

Chapter 7. Rules and tuning for the UBA app ... 41
  Access and authentication ... 41
    UBA : Bruteforce Authentication Attempts ... 41
    UBA : Executive Only Asset Accessed by Non-Executive User ... 43
    UBA : High Risk User Access to Critical Asset ... 44
    UBA : Multiple VPN Accounts Failed Login From Single IP ... 46
    UBA : Multiple VPN Accounts Logged In From Single IP ... 46
    UBA : Repeat Unauthorized Access ... 47
    UBA : Unauthorized Access ... 48
    UBA : Unix/Linux System Accessed With Service or Machine Account ... 49
    UBA : User Access - Failed Access to Critical Assets ... 50
    UBA : User Access - First Access to Critical Assets ... 51
    UBA : User Access from Multiple Hosts ... 53
    UBA : User Access to Internal Server From Jump Server ... 54
    UBA : User Access Login Anomaly ... 55
    UBA : User Accessing Account from Anonymous Source ... 56
    UBA : User Time, Access at Unusual Times ... 57
    UBA : VPN Access By Service or Machine Account ... 59
    UBA : VPN Certificate Sharing ... 59
    UBA : Windows Access with Service or Machine Account ... 60

  Accounts and privileges ... 61
    UBA : Account or Group or Privileges Added ... 61
    UBA : Account or Group or Privileges Modified ... 63
    UBA : DoS Attack by Account Deletion ... 64
    UBA : User Account Created and Deleted in a Short Period of Time ... 68
    UBA : Dormant Account Used ... 69
    UBA : Dormant Account Use Attempted ... 70
    UBA : Expired Account Used ... 72
    UBA : First Privilege Escalation ... 73
    UBA : New Account Use Detected ... 75
    UBA : Suspicious Privileged Activity (First Observed Privilege Use) ... 77
    UBA : Suspicious Privileged Activity (Rarely Used Privilege) ... 79
    UBA : User Attempt to Use a Suspended Account ... 82
    UBA : User Has Gone Dormant (ADE rule) ... 83

  Browsing behavior ... 84
    UBA : Browsed to Business/Service Website ... 84
    UBA : Browsed to Communications Website ... 86
    UBA : Browsed to Education Website ... 87
    UBA : Browsed to Entertainment Website ... 89
    UBA : Browsed to Gambling Website ... 90
    UBA : Browsed to Government Website ... 92
    UBA : Browsed to Information Technology Website ... 93
    UBA : Browsed to Job Search Website ... 94
    UBA : Browsed to LifeStyle Website ... 96
    UBA : Browsed to Malicious Website ... 97
    UBA : Browsed to Mixed Content/Potentially Adult Website ... 99
    UBA : Browsed to Phishing Website ... 100
    UBA : Browsed to Pornography Website ... 102
    UBA : Browsed to Religious Website ... 103
    UBA : Browsed to Scam/Questionable/Illegal Website ... 104
    UBA : Browsed to Uncategorized Website ... 106
    UBA : User Accessing Risky URL ... 107

  Cloud ... 109
    UBA : AWS Console Accessed by Unauthorized User ... 109
    UBA : Non-Standard User Accessing AWS Resources ... 109

  Domain controller ... 110
    UBA : DPAPI Backup Master Key Recovery Attempted ... 110
    UBA : Kerberos Account Enumeration Detected ... 110
    UBA : Multiple Kerberos Authentication Failures from Same User ... 111
    UBA : Non-Admin Access to Domain Controller ... 111
    UBA : Pass the Hash ... 113
    UBA : Possible Directory Services Enumeration ... 113
    UBA : Possible SMB Session Enumeration on a Domain Controller ... 114
    UBA : Possible TGT Forgery ... 114
    UBA : Possible TGT PAC Forgery ... 115
    UBA : Replication Request from a Non-Domain Controller ... 115
    UBA : TGT Ticket Used by Multiple Hosts ... 116

  Endpoint ... 116
    UBA : Detect Insecure Or Non-Standard Protocol ... 116
    UBA : Detect Persistent SSH session ... 118
    UBA : Internet Settings Modified ... 120
    UBA : Malware Activity - Registry Modified In Bulk ... 121
    UBA : Netcat Process Detection (Linux) ... 122
    UBA : Netcat Process Detection (Windows) ... 123
    UBA : Process Executed Outside Gold Disk Whitelist (Linux) ... 125
    UBA : Process Executed Outside Gold Disk Whitelist (Windows) ... 126
    UBA : Ransomware Behavior Detected ... 127
    UBA : Restricted Program Usage ... 128
    UBA : User Installing Suspicious Application ... 130
    UBA : User Running New Process ... 131
    UBA : Volume Shadow Copy Created ... 132

  Exfiltration ... 134
    UBA : Abnormal data volume to external domain (ADE rule) ... 134
    UBA : Abnormal Outbound Transfer Attempts (ADE rule) ... 134
    UBA : Data Exfiltration by Cloud Services ... 135
    UBA : Data Exfiltration by Print ... 135
    UBA : Data Exfiltration by Removable Media ... 136
    UBA : Data Loss Possible ... 136
    UBA : Large Outbound Transfer by High Risk User ... 137
    UBA : Multiple Blocked File Transfers Followed by a File Transfer ... 138
    UBA : Suspicious Access Followed by Data Exfiltration ... 139
    UBA : User Volume Activity Anomaly - Traffic to External Domains (ADE rule) ... 140

  Geography ... 141
    UBA : Anomalous Account Created From New Location ... 141
    UBA : Anomalous Cloud Account Created From New Location ... 144
    UBA : User Access from Multiple Locations ... 145
    UBA : User Access from Prohibited Location ... 147
    UBA : User Access from Restricted Location ... 149
    UBA : User Geography Change ... 150
    UBA : User Geography, Access from Unusual Locations ... 152

  Network traffic and attacks ... 154
    UBA : D/DoS Attack Detected ... 154
    UBA : Honeytoken Activity ... 156
    UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage ... 156
    UBA : User Behavior, Session Anomaly by Destination (ADE rule) ... 157
    UBA : User Event Frequency Anomaly Categories (ADE rule) ... 158
    UBA : User Volume Activity Anomaly - Traffic to Internal Domains (ADE rule) ... 159

  QRadar DNS Analyzer ... 160
    UBA : Potential Access to Blacklist Domain ... 160
    UBA : Potential Access to DGA Domain ... 160
    UBA : Potential Access to Squatting Domain ... 161
    UBA : Potential Access to Tunneling Domain ... 161

  QRadar Network Insights (QNI) ... 162
    UBA : QNI - Access to Improperly Secured Service - Certificate Expired ... 162
    UBA : QNI - Access to Improperly Secured Service - Certificate Invalid ... 163
    UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length ... 164
    UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate ... 165
    UBA : QNI - Confidential Content Being Transferred to Foreign Geography ... 166
    UBA : QNI - Observed File Hash Associated with Malware Threat ... 167
    UBA : QNI - Observed File Hash Seen Across Multiple Hosts ... 168
    UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Email Recipient ... 169
    UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers ... 170

  Reconnaissance ... 171
    UBA : Unusual Scanning of DHCP Servers Detected ... 171
    UBA : Unusual Scanning of Database Servers Detected ... 172
    UBA : Unusual Scanning of DNS Servers Detected ... 172
    UBA : Unusual Scanning of FTP Servers Detected ... 172
    UBA : Unusual Scanning of Game Servers Detected ... 173
    UBA : Unusual Scanning of Generic ICMP Detected ... 173
    UBA : Unusual Scanning of Generic TCP Detected ... 173
    UBA : Unusual Scanning of Generic UDP Detected ... 174
    UBA : Unusual Scanning of IRC Servers Detected ... 174
    UBA : Unusual Scanning of LDAP Servers Detected ... 175
    UBA : Unusual Scanning of Mail Servers Detected ... 175
    UBA : Unusual Scanning of Messaging Servers Detected ... 175
    UBA : Unusual Scanning of P2P Servers Detected ... 176
    UBA : Unusual Scanning of Proxy Servers Detected ... 176
    UBA : Unusual Scanning of RPC Servers Detected ... 176
    UBA : Unusual Scanning of SNMP Servers Detected ... 177
    UBA : Unusual Scanning of SSH Servers Detected ... 177
    UBA : Unusual Scanning of Web Servers Detected ... 178
    UBA : Unusual Scanning of Windows Servers Detected ... 178

  System monitoring (Sysmon) ... 178
    UBA : Common Exploit Tools Detected ... 178
    UBA : Common Exploit Tools Detected (Asset) ... 179
    UBA : Malicious Process Detected ... 179
    UBA : Network Share Accessed ... 180
    UBA : Process Creating Suspicious Remote Threads Detected (Asset) ... 180
    UBA : Suspicious Activities on Compromised Hosts ... 181
    UBA : Suspicious Activities on Compromised Hosts (Assets) ... 181
    UBA : Suspicious Administrative Activities Detected ... 181
    UBA : Suspicious Command Prompt Activity ... 182
    UBA : Suspicious Entries in System Registry (Asset) ... 182
    UBA : Suspicious Image Load Detected (Asset) ... 183
    UBA : Suspicious Pipe Activities (Asset) ... 183
    UBA : Suspicious PowerShell Activity ... 184
    UBA : Suspicious PowerShell Activity (Asset) ... 184
    UBA : Suspicious Scheduled Task Activities ... 184
    UBA : Suspicious Service Activities ... 185
    UBA : Suspicious Service Activities (Asset) ... 185
    UBA : User Access Control Bypass Detected (Asset) ... 186

  Threat intelligence ... 186
    UBA : Abnormal visits to Risky Resources (ADE rule) ... 186
    UBA : Detect IOCs For Locky ... 187
    UBA : Detect IOCs for WannaCry ... 187
    UBA : ShellBags Modified By Ransomware ... 188
    UBA : User Accessing Risky Resources ... 188
    UBA : User Accessing Risky IP, Anonymization ... 189
    UBA : User Accessing Risky IP, Botnet ... 189
    UBA : User Accessing Risky IP, Dynamic ... 190
    UBA : User Accessing Risky IP, Malware ... 190
    UBA : User Accessing Risky IP, Spam ... 191

Chapter 8. Reference Data Import - LDAP app ... 193
  Supported browsers for the LDAP app ... 193
  Importing user data from a CSV file ... 194
  Creating an authorized service token ... 195
  Adding a private root certificate authority ... 195
  Adding an LDAP configuration ... 196
  Selecting attributes ... 197
  Adding LDAP attribute mappings ... 197
  Adding a reference data configuration ... 197
  Configuring polling ... 198
  Checking that data is added to the reference data collection ... 199
  Creating a rule that responds to LDAP data updates ... 200

Chapter 9. Machine Learning Analytics app ... 203
  Known issues for Machine Learning Analytics ... 203
  Prerequisites for installing the Machine Learning Analytics app ... 203
  Installing the Machine Learning Analytics app ... 204
  Upgrading the Machine Learning Analytics app ... 205
  UBA dashboard with Machine Learning V3.3.0 ... 206
  Enabling user models V3.3.0 ... 211

    Access Activity ... 212
    Activity Distribution ... 215
    Aggregated Activity ... 218
    Authentication Activity ... 221
    Data Downloaded ... 225
    Data Uploaded to Remote Networks ... 228
    Defined Peer Group ... 231
    Learned Peer Group ... 234
    Outbound Transfer Attempts ... 237
    Risk Posture ... 240
    Suspicious Activity ... 243
    Creating a custom model ... 247
  User groups for the defined peer group analytic ... 253
  Uninstalling the Machine Learning Analytics app ... 253

Chapter 10. Troubleshooting and support...........................................................257Help and support page for UBA...............................................................................................................257Service requests...................................................................................................................................... 258Machine Learning app status shows warning on dashboard..................................................................258Machine Learning app status shows no progress for data ingestion..................................................... 258ML app status is in an error state............................................................................................................ 258Extracting UBA and Machine Learning logs............................................................................................ 260

Notices..............................................................................................................263Trademarks..............................................................................................................................................264Terms and conditions for product documentation.................................................................................264IBM Online Privacy Statement................................................................................................................ 265General Data Protection Regulation........................................................................................................265


Chapter 1. User Behavior Analytics for QRadar

The User Behavior Analytics for QRadar app helps you to determine the risk profiles of users inside your network and to take action when the app alerts you to threatening behavior.

The User Behavior Analytics for QRadar (UBA) app is a tool for detecting insider threats in your organization. It is built on top of the app framework to use existing data in your QRadar to generate new insights around users and risk. UBA adds two major functions to QRadar: risk profiling and unified user identities.

Risk profiling is done by assigning risk to different security use cases. Examples range from simple rules and checks, such as visits to bad websites, to more advanced stateful analytics that use machine learning. Risk is assigned to each use case depending on the severity and reliability of the incident detected. UBA uses existing event and flow data in your QRadar system to generate these insights and profile the risk of users. UBA uses three types of traffic:

1. Traffic around access, authentication, and account changes.
2. User behavior on the network, from devices such as proxies, firewalls, IPS, and VPNs.
3. Endpoint and application logs, such as those from Windows or Linux, and from SaaS applications.

All three types of traffic enrich UBA and enable more use cases to profile risk.

Unifying user identities is accomplished by combining the disparate accounts of a user in QRadar. By importing data from an Active Directory, LDAP, or CSV file, UBA can be taught which accounts belong to a user identity. This helps combine risk and traffic across the different user names in UBA.

Machine Learning (ML) is an add-on tool that augments the UBA app. It enables richer and more in-depth use cases that perform time series profiling and clustering. It is installed from within the UBA app, on the Machine Learning settings page. ML adds visualizations to the existing UBA app that show learned behavior (models), current behavior, and alerts. Machine Learning uses up to four weeks of historical data in QRadar to make the predictive models and baselines of what is normal for a user.

For more information about using the Reference Data Import LDAP app, see Chapter 8, “Reference Data Import - LDAP app,” on page 193.

For more information about using the Machine Learning Analytics app, see Chapter 9, “Machine Learning Analytics app,” on page 203.

Attention: You must install IBM QRadar V7.2.8 or later before you install the QRadar UBA app.

Related concepts
“Rules and tuning for the UBA app” on page 41
The IBM QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
“Configuring the User Behavior Analytics app” on page 19
Before you can use the IBM QRadar User Behavior Analytics (UBA) app, you must configure additional settings.
“Reference Data Import - LDAP app” on page 193
Use the Reference Data Import - LDAP app to gather contextual identity information from multiple LDAP sources into your QRadar Console.
“Machine Learning Analytics app” on page 203
The Machine Learning Analytics (ML) app extends the capabilities of your QRadar system and the QRadar User Behavior Analytics (UBA) app by adding use cases for machine learning analytics. With the Machine Learning Analytics models, you can gain additional insight into user behavior with predictive modeling. The ML app helps your system to learn the expected behavior of the users in your network.

Related tasks
“Installing the User Behavior Analytics app” on page 13
Use the IBM QRadar Extension Management tool to upload and install your app archive directly to your QRadar Console.
“Upgrading the User Behavior Analytics app” on page 17
Use the IBM QRadar Extension Management tool to upgrade your app.

What's new in the User Behavior Analytics app

Learn about the new features in each User Behavior Analytics (UBA) app release.

What's new in V3.3.0

• Increased the number of users supported by Machine Learning by 15 times.
• Added Machine Learning use cases for Access, Authentication, and Suspicious Activity to replace the High Level Category use case. For more information, see “UBA dashboard with Machine Learning V3.3.0” on page 206.
• Redesigned the Machine Learning settings page. For more information, see “Enabling user models V3.3.0” on page 211.
• Added the ability to create custom machine learning models to support your unique use cases. For more information, see “Creating a custom model” on page 247.
• Added use case UBA : Browsed to Government Website. For more information, see “UBA : Browsed to Government Website” on page 92.
• Added use case UBA : Browsed to Religious Website. For more information, see “UBA : Browsed to Religious Website” on page 103.
• Added use case UBA : Browsed to Education Website. For more information, see “UBA : Browsed to Education Website” on page 87.
• Added use case UBA : Data Exfiltration by Print. For more information, see “UBA : Data Exfiltration by Print” on page 135.
• Added use case UBA : Data Exfiltration by Cloud Services. For more information, see “UBA : Data Exfiltration by Cloud Services” on page 135.
• Added use case UBA : Data Exfiltration by Removable Media. For more information, see “UBA : Data Exfiltration by Removable Media” on page 136.
• Added use case UBA : Data Loss Possible. For more information, see “UBA : Data Loss Possible” on page 136.

What's new in V3.2.0

• Identify users with dormant accounts on the dashboard and on user profile pages. For more information, see “Dormant accounts” on page 35.
• Create watchlists of service accounts based on a missing user property. For more information, see “Creating watchlists” on page 31.
• Improved the LDAP app so that you can select the LDAP attributes to use in UBA. Note: When you configure LDAP, you must now select an outer key in the Attribute Mapping section. For more information, see “Configuring the Reference Data Import LDAP app” on page 19.
• Added the ability to import user information from a CSV file. For more information, see “Importing user data from a CSV file” on page 194.
• Added use case UBA : User Access from Multiple Hosts. For more information, see “UBA : User Access from Multiple Hosts” on page 53.
• Added use case UBA : Possible Directory Services Enumeration. For more information, see “UBA : Possible Directory Services Enumeration” on page 113.
• Added use case UBA : Possible SMB Session Enumeration on a Domain Controller. For more information, see “UBA : Possible SMB Session Enumeration on a Domain Controller” on page 114.


• Added use case UBA : Suspicious Access Followed by Data Exfiltration. For more information, see “UBA : Suspicious Access Followed by Data Exfiltration” on page 139.
• Added use case UBA : Dormant Account Use Attempted. For more information, see “UBA : Dormant Account Use Attempted” on page 70.

Known issues

Review the known issues for the User Behavior Analytics app and the information that is required before you upgrade.

Warning: Enabling ADE rules can affect the performance of the UBA app and your QRadar system.

Known issues for V3.3.0

The User Behavior Analytics app has the following known issues:

• There are issues with certain versions of Firefox when adding a new LDAP import or modifying an existing import. To avoid any potential issues, use Mozilla Firefox version 55 or later.
• If you updated and saved a value for the Advanced Search Filter field on the ML Configuration page, when the page loads the value displays as 0 and the ML Configuration page does not save. To save the ML Configuration page, you can clear the field or enter the previously saved value. To see the previously saved value, change the URI path of the ML Configuration page from /console/plugins/<appid>/app_proxy/ml/config_page to console/plugins/<app id>/app_proxy/ml/analytics. The value is at the key dataset importer > parameters > userfilter.
• There is an issue with the LDAP Configuration when saving passwords. If you need to edit an existing LDAP Configuration, you must clear the password text and then re-enter the password.
• User coalescing from a reference table yields incomplete user information in the UBA user records if you are running on QRadar 7.2.8 Patch 13, QRadar 7.2.8 Patch 13 IF1, QRadar 7.3.1 Patch 3, or QRadar 7.3.1 Patch 4. The issue is resolved in V7.3.1 Patch 4 IF1. See APAR IJ06032 for more information.
• If you are upgrading the UBA app and you receive a QRadar Notification exception error stating that a rule set has failed to load, you can ignore it and continue. If the error persists, contact IBM Customer Support.
• Because of known issues with QRadar V7.2.8 Patch 12 and QRadar V7.3.1 Patch 3, you should upgrade to QRadar V7.2.8 Patch 13 and QRadar V7.3.1 Patch 4.
• After you upgrade UBA to V3.2.0, the Machine Learning Activity Distribution graph on the User Details page can take up to one day to display.
• Importing more than 100,000 users into LDAP for UBA can severely affect your QRadar system and your UBA app installation. The issue is caused by a known issue that is described in APAR IV98655. Importing more than 200,000 users is not recommended unless you use QRadar 7.3.0 or later on a 128 GB console.
• In rare instances of QRadar V7.2.8 and V7.3.0, you might encounter an issue with a newly created SEC token where the SEC token appears to work and then later becomes invalid. To fix this issue, complete one of the following actions:
  – Restart the Apache Tomcat service from a command line on your QRadar Console.
  – Deploy any action from the Admin tab in QRadar.
• English strings or corrupted text is displayed in some parts of the user interface when using QRadar V7.2.8 and in some locales.


Process overview

The User Behavior Analytics app works with your QRadar system to collect data about the users inside your network.

How UBA works

1. Logs send data to QRadar.
2. UBA specific rules look for certain events (depending on which UBA rules are enabled) and trigger a new sense event that is read by the UBA app.
3. The UBA rules require the events to have a username and to pass other tests (review the rules to see what they are looking for).
4. UBA pulls the senseValue and username from the sense event and then increases that user's risk score by the senseValue amount.
5. When a user's risk score exceeds the threshold that you set in the UBA Settings page, UBA sends an event which triggers the "UBA : Create Offense" rule, and an offense is created for that user.

Risk score

A risk score is the sum of all risk events that are detected by UBA rules. The higher the risk score, the more likely an internal user is to be a security risk, and the more the user's network activity warrants further review. The risk score reduces over time if no new events occur. The amount of the reduction is controlled by the Decay risk by this factor per hour value on the UBA Settings page.

How senseValues are used to create user risk scores

Each rule and analytic has a value assigned to it that indicates the severity of the issue found. Each time a user's actions cause a rule to trigger, the user gets this value added to the score. The more the user "violates" a rule, the higher the score will be.
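To make the flow above concrete, the following is an added example (not IBM's code; the UBA app's internals are not shown in this guide) that models sense events carrying a senseValue, the hourly decay of a user's score, the offense threshold, and the asset-table fallback for events that arrive without a username. The decay arithmetic and the once-per-crossing offense behavior are assumptions and are labelled as such in the docstring.

```python
"""Toy model of the UBA risk-scoring flow described above.

Constructed example; this is not IBM's code and the internals of the UBA app
are not public. Two assumptions are made and labelled here and in comments:
  * Decay: each hour with no new event multiplies the score by
    (1 - decay_factor). The real "Decay risk by this factor per hour"
    setting may apply its factor differently.
  * Offenses: one offense is created when the score first exceeds the
    threshold; another is created only after the score has dropped back
    below the threshold and crosses it again.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SenseEvent:
    """One sense event emitted by a UBA rule: when, how risky, and for whom."""
    hour: int                        # hour offset on a constructed timeline
    sense_value: float               # severity the triggering rule carries
    username: Optional[str]          # may be absent in the raw log event
    source_ip: Optional[str] = None  # used for the asset-table fallback


@dataclass
class RiskEngine:
    threshold: float            # "Risk threshold to trigger offenses"
    decay_factor: float         # "Decay risk by this factor per hour" (assumed multiplicative)
    asset_table: Dict[str, str] = field(default_factory=dict)  # ip -> username (constructed)
    search_assets: bool = True  # the "Search assets for username ..." check box
    scores: Dict[str, float] = field(default_factory=dict)
    last_seen: Dict[str, int] = field(default_factory=dict)
    offenses: List[str] = field(default_factory=list)
    skipped: int = 0            # events dropped because no user could be determined

    def resolve_user(self, ev: SenseEvent) -> Optional[str]:
        """Return the username, falling back to the asset table if enabled."""
        if ev.username:
            return ev.username
        if self.search_assets and ev.source_ip:
            return self.asset_table.get(ev.source_ip)
        return None

    def decayed_score(self, user: str, hour: int) -> float:
        """Score the user would have at `hour` after applying hourly decay."""
        score = self.scores.get(user, 0.0)
        elapsed = hour - self.last_seen.get(user, hour)
        return score * (1.0 - self.decay_factor) ** elapsed

    def ingest(self, ev: SenseEvent) -> Optional[float]:
        """Add the senseValue to the user's score; create an offense on crossing."""
        user = self.resolve_user(ev)
        if user is None:
            self.skipped += 1       # UBA does not process events without a user
            return None
        before = self.decayed_score(user, ev.hour)
        after = before + ev.sense_value
        self.scores[user] = after
        self.last_seen[user] = ev.hour
        if after > self.threshold >= before:
            # Stands in for the event that fires the "UBA : Create Offense" rule.
            self.offenses.append(user)
        return after


def run_demo() -> RiskEngine:
    """Feed a constructed sequence of sense events through the engine."""
    engine = RiskEngine(threshold=100.0, decay_factor=0.5,
                        asset_table={"10.0.0.7": "bob"})  # constructed values
    events = [
        SenseEvent(hour=0, sense_value=30, username="alice"),
        SenseEvent(hour=0, sense_value=50, username="alice"),       # alice now at 80
        SenseEvent(hour=0, sense_value=20, username=None, source_ip="10.0.0.7"),   # -> bob
        SenseEvent(hour=0, sense_value=15, username=None, source_ip="10.0.0.99"),  # dropped
        SenseEvent(hour=1, sense_value=70, username="alice"),       # 80 decays to 40, +70 = 110
    ]
    for ev in events:
        engine.ingest(ev)
    return engine


if __name__ == "__main__":
    e = run_demo()
    print(e.scores, e.offenses, e.skipped)   # {'alice': 110.0, 'bob': 20.0} ['alice'] 1
```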


Rules and sense events

Rules, when triggered, generate sense events that are used to determine the user's risk score.

You can update existing rules in QRadar to produce sense events. For more information, see “Integrating new or existing QRadar content with the UBA app” on page 38.

Machine Learning Analytics and sense events

You can install the Machine Learning Analytics app and enable machine learning analytics to identify anomalous user behavior. The analytics, when triggered, generate sense events that also raise a user's risk score.

Video demonstrations and tutorials

Learn more about the IBM QRadar User Behavior Analytics (UBA) app, the Reference Data Import - LDAP app, and the Machine Learning Analytics (ML) app.

IBM Security Learning Academy

Enroll in the User Behavior Analytics (UBA) courses on the IBM Security Learning Academy website.

Tip: You must have an IBM ID account to enroll and watch the videos.

Video tutorials on YouTube

Demonstration of the User Behavior Analytics app with Machine Learning V2.0.0: https://www.youtube.com/watch?v=RgF1RztR1yg.

Demonstration for configuring the Reference Data Import - LDAP app: https://www.youtube.com/watch?v=ER-wYxS6wFk.

General overview of the User Behavior Analytics app:

• https://www.youtube.com/watch?v=bf_DODl8Ehs
• https://www.youtube.com/watch?v=ARVsuQaSF9E

UBA dashboard and user details

The IBM QRadar User Behavior Analytics (UBA) app shows you the overall risk data for users in your network.

Dashboard

After you install and configure the UBA app, click the User Analytics tab to open the Dashboard.

Note: The supported number of users that the UBA app can monitor is 400,000 users.

In the Search for User field, you can search for users by name, email address, or user name. As you enter a name, the app shows you the top five results.

The Dashboard is automatically refreshed every minute and shows you the following risk data:

Monitored Users: Displays the total number of users that the UBA app is actively monitoring.

High Risk Users: Displays the number of users who are currently exceeding the risk score. The value for determining the risk score is set in the "Risk threshold to trigger offenses" in UBA Settings.

Users Discovered from Events: Displays the number of users that are discovered from events, excluding imported users.

Users Imported from Directory: Displays the number of users that were imported from reference tables.

Active Analytics:
• UBA Rules: Indicates the status of the rules content. A green status indicates that the rules are installed and active. Gray indicates that the rules are disabled. Yellow indicates that the installation is in progress.
• Flow Rules: Indicates the status of the QNI rules. A green status indicates that the QNI rules are installed and active. Gray indicates that the QNI rules are not installed.
• Behavioral Anomaly: A green status indicates that ADE rules are installed and active. Gray indicates that ADE rules are not installed.
• Machine Learning Analytics: A green status indicates that the Machine Learning Analytics app is installed. Gray indicates that the Machine Learning Analytics app is not installed.

Monitored Users: Displays the top 10 riskiest users. The first column lists the display name and the job title and city if available.
• Recent risk: Shows the accumulated risk for the respective user for the last 5 minutes.
• Risk score: Shows a graph that illustrates the user's overall risk score trend for the last hour and the current risk score. The color of the graph indicates the overall riskiness.
• Watchlist icon: Add the user to a watchlist or create a watchlist. The number indicates how many watchlists the user is a member of.
• You can view all the tracked users on the Search page.

Recent Offenses: Displays the 5 most recent offenses, sorted by the time the offense was last updated.

[User] Watchlist: Watchlists that you created. You can create as many watchlists as you want, and they display on the Dashboard. You can view all the tracked users in the custom watchlist that you created on the Search page.
Tip: To add a user to a watchlist, click the Watchlist icon. The number indicates how many watchlists the user is a member of.

System Score: Overall accumulated risk score for all users at a specified point in time. Click the Calendar icon to specify a date range longer than one day. The maximum duration that you can select is 30 days, at any time during the last year.

Risk Category Breakdown: High-level risk categories over the last hour. Click the graph to see subcategories, and then click again to see a display of events.

Users with Dormant Accounts: Watchlist of users that are flagged as having dormant accounts. The Users with Dormant Accounts watchlist is automatically generated. Available in V3.2.0 and later.

Active Investigations: Users that are currently under investigation. Select the My investigations check box to show only those investigations that you started. Available in V2.7.0 and later.

Status of Machine Learning Models: Status of the Machine Learning Analytics is visible if the Machine Learning app is installed. For more information, see “UBA dashboard with Machine Learning V3.3.0” on page 206.


User details page

You can click a user name from anywhere in the app to see details for the selected user.

You can learn more about the user's activities with the event viewer pane. The event viewer pane shows information about a selected activity or point in time. Clicking an event in the event viewer pane reveals more details such as syslog events and payload information. The event viewer pane is available for all donut and line graphs and activities in the Risky Activity Timeline on the User details page.

The User Details page includes the following user information:

• Shows the name and aliases of the selected user and any additional details from attributes that are imported from LDAP.
• In V3.2.0 and later, you can view the status (dormant, active, never used) of all the accounts that are found to be associated with the user.
• If you have QRadar Advisor with Watson V1.13.0 or later installed, you can search for information that is related to the user. You must have QRadar administrator privileges. Click the Search Watson icon.
• To initiate an investigation on the user, click the Start Investigation icon. When your investigation is complete, click the End Investigation icon.
• To add the user to a watchlist or create a watchlist, click the Watchlist icon.

The Advanced Actions list includes the following actions:

Add Custom Alert: You can set a custom alert that is displayed by the user name. Click Add Custom Alert, enter an alert message, and then click Set. To remove the custom alert for the selected user, click Remove Custom Alert.

Add to Whitelist: You must have QRadar administrator privileges. You can add the selected user to the whitelist so that the user does not generate risk scores and offenses. To remove the selected user from the whitelist, click Whitelisted. To review the complete list of users who were added to the whitelist, see “Viewing the whitelist for trusted users” on page 33.

Generate GDPR compliant report for user: You can generate a General Data Protection Regulation (GDPR) compliance report for the user.
Important: Generate the report before you click Delete and stop tracking user.

Delete and stop tracking user: You must have QRadar administrator privileges. You can click Delete and stop tracking user to comply with the General Data Protection Regulation (GDPR). Select Yes to permanently delete and stop tracking the user. To begin tracking the user again, delete the user's aliases from the reference set UBA : Users Not Tracked. To view all the user's aliases, download the GDPR report before you delete the user.

Always track with Machine Learning: You must have QRadar administrator privileges. You can click Always track with Machine Learning to add the user to the UBA: ML Always Tracked Watchlist reference set. Adding the user to the reference set provides the highest likelihood that the user is included in a machine learning model. For more information about reference sets in UBA, see “Reference sets” on page 39. To remove the selected user from the reference set, click Tracked with Machine Learning.
Note: Available in V2.8.0 or later and only if Machine Learning is installed and you have QRadar Admin privileges.

You can view the following information about the selected user:


Overall Risk Score: The overall risk score shows the risk trends for the user.

Timeline: The timeline graph shows Risky Events and User Events. Risky events are risk events that contribute to the risk score. User events are non-risk events. The Y-axis is event count and the X-axis is time. You can click any activity in the timeline to open the event viewer pane that lists supporting log events that are associated with the user's activity. Click an event to view more details such as syslog events and payload information.
• In V2.8.0 or earlier, in the Risky Activity Timeline section, you can click Group by Activity or Group by Hour to see a list of the user's activities and then filter and search by any column in the timeline.
• In V3.0.0 and later, timeline activity is grouped by sessions and days. Sessions are defined in the Application Settings section of the UBA Settings page. The colors represent the overall riskiness of a session. Click the Calendar icon to specify the date range (1 - 14 days).
• In V3.1.0 and later, you can customize the metric settings that display for the timeline by clicking the Metric Settings icon. You can add and remove the categories that you want to see. The data shown in the Example metrics section of the Metric Settings screen does not represent real values.
Note: “Risky Events” and “Use cases” show the same data, where “Risky Events” is the total number of events for the given use cases. “URL Categories” and “URLs” show the same data, where “URLs” is the total number of events for the given “URL Categories”. “Event IDs” and “Events” show the same data, where “Events” is the total number of events for the given Event IDs.

Recent Offenses: Shows any user type offense where the user name matched any of the selected user's aliases. The last five offenses are displayed. Click an offense to open the Offenses tab in QRadar.

Risk Category Breakdown: Shows the risk categories of the selected user during the last hour.

Add Notes: Click the Add icon to add notes for the selected user. The notes are automatically deleted after the 30-day retention period.
Tip: To save the note indefinitely, mark the note as important by clicking the Flag icon.

The following graphs are displayed on the User Details page if the Machine Learning app is installed and the specified model is enabled. For more information, see “UBA dashboard with Machine Learning V3.3.0” on page 206.

• Access Activity
• Activity Distribution
• Aggregated Activity
• Authentication Activity
• Data Downloaded
• Data Uploaded to Remote Networks
• Defined Peer Group
• Learned Peer Group
• Outbound Transfer Attempts
• Risk Posture
• Suspicious Activity
• Custom Models (user-defined custom models)

To return to the main Dashboard, click Dashboard.

Related concepts
“UBA dashboard with Machine Learning V3.3.0” on page 206
The IBM QRadar User Behavior Analytics (UBA) app with Machine Learning Analytics includes the Machine Learning model status and additional details for the selected user.
“Dormant accounts” on page 35
You can see users in your system that have dormant accounts, active accounts, or accounts that have never been used.

Related tasks
“Creating watchlists” on page 31
You can add a user to a new watchlist or an existing watchlist.
“Viewing the whitelist for trusted users” on page 33
You can view the list of trusted users that are whitelisted in the reference set management list.
“Adding log sources to the trusted log source group” on page 35
If you do not want the UBA app to monitor and report certain log sources, you can add them to the UBA : Trusted Log Source Group. Adding log sources to the group stops the UBA app from monitoring them.
“Installing the Machine Learning Analytics app” on page 204
Install the Machine Learning Analytics (ML) app after you have installed the UBA app from the Extension Manager.
“Investigating users in QRadar Advisor with Watson” on page 9
You can select users from the User Behavior Analytics (UBA) app to send to QRadar Advisor with Watson for investigation.

Investigating users in QRadar Advisor with Watson

You can select users from the User Behavior Analytics (UBA) app to send to QRadar Advisor with Watson for investigation.

Before you begin

• You must have User Behavior Analytics (UBA) app V2.7.0 or later installed and configured with user data.
• You must have Admin privileges.
• You must have QRadar Advisor with Watson V1.13.0 or later installed.

For more information, see https://developer.ibm.com/qradar/advisor.

About this task

Note: This feature is only available in User Behavior Analytics V2.7.0 and later and QRadar Advisor withWatson V1.13.0 and later.

Procedure

1. Click the User Analytics tab to open the UBA Dashboard.
2. Select a user or search for a user to open the User Details page.
3. Click the Search Watson icon.

When the icon stops spinning, you can review your results in the QRadar Advisor with Watson app.


4. From the Watson tab, on the Incident Overview page, select the user investigation. User investigations are indicated with the Investigation initiated from UBA icon.

Prerequisites for installing the User Behavior Analytics app

Before you install the User Behavior Analytics (UBA) app, ensure that you meet the requirements.

• Verify that you have IBM Security QRadar V7.2.8 or later installed.
  For the best experience, upgrade your QRadar system to the following versions:
  – QRadar 7.2.8 Patch 13 (7.2.8.20180529210357) or later
  – QRadar 7.3.1 Patch 6 (7.3.1.20180912181210) or later
• Install content packs from the IBM App Exchange.
• Add the IBM Sense DSM for the User Behavior Analytics (UBA) app.

Content dependencies

Several rules were designed to feed events to UBA from other apps. These rules require the content for the other apps to be installed in order to work properly.

For more information about UBA content and required apps, see the following table.

UBA Content: Required Apps
“QRadar DNS Analyzer” on page 160: IBM QRadar DNS Analyzer
UBA QRadar Network Insights: QRadar Network Insights Content v7.2.8; QRadar Network Insights Content for V7.3.0+
Reconnaissance: IBM Security Reconnaissance Content
System monitoring (Sysmon): IBM QRadar Content for Sysmon
“Cloud” on page 109: IBM QRadar Content Extension for Amazon AWS

Note: If you edit these rules, they might not work as expected.

Installing the IBM Sense DSM manually

The User Behavior Analytics (UBA) app uses the IBM Sense DSM to add user risk scores and offenses into QRadar. You can install the DSM through auto-updates, or you can upload it to QRadar and install it manually.

Note: If your system is disconnected from the internet, you might need to install the DSM RPM manually.

Restriction: Uninstalling a Device Support Module (DSM) is not supported in QRadar.

1. Download the DSM RPM file from the IBM support website:
   • For QRadar V7.2.8: DSM-IBMSense-7.2-20190423155729.noarch.rpm
   • For QRadar V7.3.1 and later: DSM-IBMSense-7.3-20190423195729.noarch.rpm
2. Copy the RPM file to your QRadar Console.
3. Use SSH to log in to the QRadar host as the root user.
4. Go to the directory that includes the downloaded file.
5. Type the following command:
   rpm -Uvh <rpm_filename>
6. From the Admin settings, click Deploy Changes.


7. From the Admin settings, select Advanced > Restart Web Services.

Supported browsers for the UBA app

For the features in IBM Security QRadar products to work properly, you must use a supported web browser.

The following table lists the supported versions of web browsers.

Web browser: Supported versions
Mozilla Firefox: 45.2 Extended Support Release
Google Chrome: Latest

Note: To maximize your experience with UBA, you should do one of the following:

• Disable the pop-up blocker for your browser
• Configure your browser to allow exceptions for pop-ups coming from the QRadar Console IP address

Log source types relevant to the UBA appThe User Behavior Analytics (UBA) app and the ML app can accept and analyze events from certain logsources.

In general, the UBA app and the ML app require log sources that supply a username. For UBA, if there isno username, enable the Search assets for username, when username is not available for event orflow data check box in UBA Settings so that UBA can attempt to look up the user from the asset table. Ifno user can be determined, UBA does not process the event.

For more details about specific use cases and the corresponding log source types, see Chapter 7, “Rulesand tuning for the UBA app,” on page 41.

Related tasks“Configuring UBA settings” on page 23To view information in the IBM QRadar User Behavior Analytics (UBA) app, you must configure UBAapplication settings.


Chapter 2. Installing and uninstalling

Installing the User Behavior Analytics app

Use the IBM QRadar Extension Management tool to upload and install your app archive directly to your QRadar Console.

Before you begin

Complete the “Prerequisites for installing the User Behavior Analytics app” on page 10.

Important: Before you install the app, ensure that IBM QRadar meets the minimum memory (RAM) requirements. The UBA app requires 1 GB of free memory from the application pool of memory. The UBA app will fail to install if the application pool does not have enough free memory.

About this task

The installation has changed starting with V2.8.0. UBA-specific content packages, which contain the rules for triggering offenses, are now installed as separate extensions. Content packages are installed by default. If you choose to create your own custom rules to trigger offenses in UBA, you can change the Install and upgrade content packages setting when you configure UBA Settings.

Attention: After the app is installed, you must:

• Enable indexes
• Deploy the full configuration
• Clear your browser cache and refresh the browser window
• Set up permissions for users that require access to view the User Analytics tab. The following permissions must be assigned to each user role that requires access to the app:

– User Analytics
– Offenses
– Log Activity

After you download your app from the IBM Security App Exchange, use the IBM QRadar Extension Management tool to install it on your QRadar Console.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu ( ), and then click Admin to open the admin tab.

2. Click System Configuration > Extensions Management.
3. In the Extensions Management window, click Add and select the UBA app archive that you want to upload to the console.
4. Select the Install immediately check box and click Add.
5. At the prompt, select Overwrite.

Important: You might have to wait several minutes before your app becomes active. After the UBA app is installed, the content packages are installed in the background. The content might not be visible in QRadar immediately after the app is installed.


6. From the Admin settings, click System Configuration > Index Management and then enable the following indexes:

• High Level Category
• Low Level Category
• Username
• senseValue

7. From the Admin settings, click Advanced > Deploy Full Configuration.

Note: The following content packages are installed after the UBA installation completes and UBA is configured.

• User Behavior Analytics Access and Authentication Content
• User Behavior Analytics Accounts and Privileges Content
• User Behavior Analytics Browsing Behavior Content
• User Behavior Analytics Cloud Content
• User Behavior Analytics Domain Controller Content
• User Behavior Analytics DNS Analyzer Content
• User Behavior Analytics Endpoint Content
• User Behavior Analytics Exfiltration Content
• User Behavior Analytics Geography Content
• User Behavior Analytics Network Traffic and Attacks Content
• User Behavior Analytics QRadar Network Insights Content
• User Behavior Analytics Reconnaissance Content
• User Behavior Analytics Sysmon Content
• User Behavior Analytics Threat Intelligence Content

What to do next

• When the installation is complete, clear your browser cache and refresh the browser window before you use the app.

• Manage permissions for UBA app user roles.

Related tasks
“Enabling indexes to improve performance” on page 37
To improve the performance of your IBM QRadar User Behavior Analytics (UBA) app, enable indexes in IBM QRadar.
“Managing permissions for the QRadar UBA app” on page 31
Administrators use the User Role Management feature in IBM QRadar to configure and manage user accounts. As an administrator, you must enable the User Analytics, Offenses, and Log Activity permissions for each user role that is permitted to use the QRadar UBA app.

Uninstalling the UBA app

Use the IBM QRadar Extension Management tool to uninstall your application from your QRadar Console.

Before you begin

If you have the Machine Learning Analytics (ML) app installed, you must uninstall the ML app from the Machine Learning Settings page before uninstalling the UBA app from the Extension Management window. If you do not remove the ML app before you uninstall UBA, you must remove it from the interactive API documentation interface.


Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu ( ), and then click Admin to open the admin tab.

2. Click Extension Management.
3. On the INSTALLED tab of the Extension Management window, select User Behavior Analytics app and click Uninstall.

When you uninstall an app, it is removed from the system. If you want to reinstall it, you must add it again.

4. Starting with V2.8.0, the following content packages are installed when you configure the UBA app. You must uninstall each content package to completely remove the app.

• User Behavior Analytics Access and Authentication Content
• User Behavior Analytics Accounts and Privileges Content
• User Behavior Analytics Browsing Behavior Content
• User Behavior Analytics Cloud Content
• User Behavior Analytics DNS Analyzer Content
• User Behavior Analytics Domain Controller Content
• User Behavior Analytics Endpoint Content
• User Behavior Analytics Exfiltration Content
• User Behavior Analytics Geography Content
• User Behavior Analytics Network Traffic and Attacks Content
• User Behavior Analytics QRadar Network Insights Content
• User Behavior Analytics Reconnaissance Content
• User Behavior Analytics Sysmon Content
• User Behavior Analytics Threat Intelligence Content


Chapter 3. Upgrading

Upgrading the User Behavior Analytics app

Use the IBM QRadar Extension Management tool to upgrade your app.

Before you begin

Important: The memory requirements have increased starting with V2.8.0. Before you upgrade the app, ensure that IBM QRadar meets the minimum memory (RAM) requirements. The UBA app requires 1 GB of free memory from the application pool of memory. The UBA app will fail to upgrade if the application pool does not have enough free memory.

For the best experience, upgrade your QRadar system to the following versions:

• QRadar 7.2.8 Patch 13 (7.2.8.20180529210357) or later
• QRadar 7.3.0 Patch 7 (7.3.0.20171205025101) or later
• QRadar 7.3.1 Patch 6 (7.3.1.20180912181210) or later

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu ( ), and then click Admin to open the admin tab.

2. Click Extension Management.
3. In the Extension Management window, click Add and select the UBA app archive that you want to upload to the console.
4. At the prompt, select Overwrite. All of your existing UBA app data remains intact.

Important: You might have to wait several minutes before your app becomes active. After the UBA app is upgraded, the content packages are upgraded in the background. The content might not be visible in QRadar immediately after the app is upgraded.

Note: The following content packages are upgraded after the UBA upgrade completes and UBA is configured.

• User Behavior Analytics Access and Authentication Content
• User Behavior Analytics Accounts and Privileges Content
• User Behavior Analytics Browsing Behavior Content
• User Behavior Analytics DNS Analyzer Content
• User Behavior Analytics Endpoint Content
• User Behavior Analytics Exfiltration Content
• User Behavior Analytics Geography Content
• User Behavior Analytics Network Traffic and Attacks Content
• User Behavior Analytics QRadar Network Insights Content
• User Behavior Analytics Reconnaissance Content
• User Behavior Analytics Sysmon Content
• User Behavior Analytics Threat Intelligence Content


What to do next

When the upgrade is complete, clear your browser cache and refresh the browser window before you use the app.


Chapter 4. Configuring

Configuring the User Behavior Analytics app

Before you can use the IBM QRadar User Behavior Analytics (UBA) app, you must configure additional settings.

When you install the UBA app, the IBM QRadar Reference Data Import LDAP (LDAP) app is also installed. If you choose to use the LDAP app, you must configure the LDAP app before you set up the UBA app. The data that the UBA app uses comes from an LDAP query. The LDAP query retrieves the list of users that is used to populate the UBA app.

Both the UBA app and the LDAP app require separate authorization tokens. You can create the authorization tokens when you configure each app.

Complete the following setup procedures:

• Configure the Reference Data Import LDAP app if you are using LDAP
• Configure UBA settings for the UBA app

Configuring the Reference Data Import LDAP app

When you install the IBM® QRadar® User Behavior Analytics (UBA) app, the Reference Data Import LDAP app is also installed. You can use the LDAP app to import user data from an LDAP/AD server or CSV file into a QRadar reference table. The reference table is then consumed by the UBA app or can be used for QRadar searches or rules.

Before you begin

Attention: If you previously installed the stand-alone Reference Data Import LDAP app, it is replaced when you install the UBA app. Your configurations are added to the updated version of the Reference Data Import LDAP app.

About this task

Note: Make sure that you note the reference table name and whether you give a custom alias to any of the attributes. When you set up the UBA app, select the reference table that you created in the Reference Data Import LDAP app.

For more information about the Reference Data Import LDAP app, see the following section of the IBM Knowledge Center: http://www.ibm.com/support/knowledgecenter/en/SS42VS_7.2.8/com.ibm.apps.doc/c_Qapps_LDAP_intro.html

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu ( ), and then click Admin to open the admin tab.

2. Click the Reference Data Import - LDAP icon.

• In QRadar V7.3.0 or earlier, click Plugins > User Analytics > UBA Settings.
• In QRadar 7.3.1 or later, click Apps > Reference Data Import - LDAP > Reference Data Import - LDAP.


3. Click Configure to create an authorized service token for LDAP. The Configure Authorized Service Token box opens.
a) Click the Manage Authorized Services link and then click Add Authorized Service.
b) In the Service Name field, type LDAP. This is the user that API requests from the LDAP app are executed as.
c) From the User Role list, select the Admin user role.
d) From the Security Profile list, select the security profile that you want to assign to this authorized service. The security profile determines the networks and log sources that this service can access on the QRadar user interface.
e) In the Expiry Date list, type or select a date for this service to expire. If an expiry date is not necessary, select No Expiry.
f) Click Create Service.
g) Click the row that contains the LDAP service you created and then select and copy the token string from the Selected Token field in the menu bar.
h) In the Configure Authorized Service Token box, paste the authorized service token string into the Token field.

4. Optional: To add a private root certificate authority file, click Browse files, open a supported file, click Open and then click Upload. The following file type is supported: .pem.

5. Click OK.

6. On the Reference Data Import (LDAP) app main window, click Add Import. The Add a New LDAP Configuration dialog box opens.

7. On the LDAP Configuration tab, add connection information for the LDAP server. The Filter field is automatically populated from your Active Directory attributes.
a) Enter a URL that begins with ldap:// or ldaps:// (for TLS) in the LDAP URL field.
b) Enter the point in the LDAP directory tree from where the server must search for users in the Base DN field. For example, if your LDAP server was on the domain example.com, you might use: dc=example,dc=com.


c) Enter the attribute or attributes you want to use to sort the data that is imported into the reference table in the Filter field. For example: cn=*; uid=*; sn=*. The following default value will work with Active Directory: (&(sAMAccountName=*)(samAccountType=805306368)).

d) Enter the user name that is used to authenticate to the LDAP server in the Username field.
e) Enter the password for the LDAP server in the Password field.

8. Click Test Connection or Next to confirm that IBM QRadar can connect to the LDAP server. If your connection attempt is successful, information from your LDAP server is displayed on the LDAP Configuration tab.

9. On the Select Attributes tab, select the attributes you want to extract from the LDAP server. The following default values will work with Active Directory: userPrincipalName, cn, sn, telephoneNumber, l, co, department, displayName, mail, title.

10. On the Attribute Mapping tab, set the key for the reference table.


Tip: You can create new LDAP fields by clicking Add and combining two attributes. For example, you can use the following syntax: "Last: {ln}, First: {fn}".

Tip: If you want to merge LDAP data from multiple sources in the same reference table, you can use custom aliases to differentiate LDAP attributes with the same name in different sources.

11. On the Reference Configuration tab, create a new reference map of maps or designate an existing reference map of maps to which you want to add LDAP data.
a) In the Reference table field, enter the name for a new reference table. Alternatively, select from the list the name of an existing reference table to which you want to append the LDAP data.
b) The Generate map of sets check box is disabled by default. If you enable the check box, it also sends data to a reference set format to improve QRadar searching; however, it might impact performance.

c) In the Time to live section, define how long you want the data to persist in the reference map of maps. By default, the data you add never expires. When the time-to-live period is exceeded, a ReferenceDataExpiry event is triggered.

Note: If you append data to an existing reference map of maps, the app uses the original time-to-live parameters. These parameters cannot be overridden on the Reference Configuration tab.

12. On the Polling tab, define how often you want the app to poll your LDAP server for data.
a) In the Polling interval in minutes field, define in minutes how often you want the app to poll your LDAP server for data.


Note: The minimum polling interval value is 120. You can also enter a polling interval of zero. If you enter a polling interval of zero, you must poll the app manually with the poll option that is displayed in the feed.

b) In the Record retrieval limit field, enter a value for the number of records you want the poll to return. By default, 100,000 records are returned. The maximum number of records that can be returned is 200,000.

c) Optional: The Paged results check box is selected by default to avoid limiting the number of records the LDAP server returns for each poll.

Note: Paged results are not supported by all LDAP servers.

13. Click Save.
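The Filter, Select Attributes and Attribute Mapping steps above, as an added example that is not IBM's code: a small evaluator for the filter syntax the Filter field accepts (and, or, not, equality, presence and "*" wildcards), run over a constructed directory, followed by the "Last: {ln}, First: {fn}" style field combination and the key selection that produce a reference table shaped like the one the UBA app consumes. The samAccountType constants, the directory entries and every function name are assumptions; a real import runs the filter on the LDAP server and stores the result in a QRadar reference map of maps. The example shows why the default Active Directory filter is what it is: the samAccountType test drops computer and group objects that also carry an sAMAccountName.

```python
"""Added example, not IBM's code: evaluate the LDAP import settings offline.
Directory entries, constants and names below are constructed assumptions."""
import re

# Active Directory samAccountType values (assumed; 805306368 is the value in the
# page's default filter and selects ordinary user accounts only)
SAM_NORMAL_USER_ACCOUNT = 805306368   # 0x30000000
SAM_MACHINE_ACCOUNT = 805306369       # 0x30000001, computer accounts
SAM_GROUP_OBJECT = 268435456          # 0x10000000, groups

DEFAULT_AD_FILTER = "(&(sAMAccountName=*)(samAccountType=805306368))"
DEFAULT_ATTRIBUTES = ["userPrincipalName", "cn", "sn", "department", "displayName", "mail", "title"]

# Constructed stand-in for what the LDAP search would return
DIRECTORY = [
    {"sAMAccountName": "jdoe", "sAMAccountType": SAM_NORMAL_USER_ACCOUNT,
     "userPrincipalName": "jdoe@example.com", "cn": "Jane Doe", "sn": "Doe",
     "givenName": "Jane", "department": "Finance", "displayName": "Jane Doe",
     "mail": "jdoe@example.com", "title": "Controller"},
    {"sAMAccountName": "asmith", "sAMAccountType": SAM_NORMAL_USER_ACCOUNT,
     "userPrincipalName": "asmith@example.com", "cn": "Al Smith", "sn": "Smith",
     "givenName": "Al", "department": "IT", "displayName": "Al Smith",
     "mail": "asmith@example.com", "title": "Domain Admin"},
    {"sAMAccountName": "WS01$", "sAMAccountType": SAM_MACHINE_ACCOUNT, "cn": "WS01"},
    {"sAMAccountName": "Domain Admins", "sAMAccountType": SAM_GROUP_OBJECT, "cn": "Domain Admins"},
]

TOKEN = re.compile(r"\(|\)|[&|!]|[^()=]+=[^()]*")


def parse_filter(text):
    """Parse the subset of RFC 4515 filter syntax the Filter field takes:
    (&...), (|...), (!...), (attr=value) and (attr=*). Returns a nested tuple."""
    tokens = TOKEN.findall(text)
    pos = 0

    def tok(i):
        return tokens[i] if i < len(tokens) else None

    def node():
        nonlocal pos
        if tok(pos) != "(":
            raise ValueError("expected '(' at token %d" % pos)
        pos += 1
        head = tok(pos)
        if head in ("&", "|", "!"):
            pos += 1
            children = []
            while tok(pos) == "(":
                children.append(node())
            if tok(pos) != ")":
                raise ValueError("unbalanced filter")
            pos += 1
            return (head, children)
        if head is None or "=" not in head:
            raise ValueError("expected attr=value")
        attr, _, value = head.partition("=")
        pos += 1
        if tok(pos) != ")":
            raise ValueError("unbalanced filter")
        pos += 1
        return ("=", attr.strip(), value)

    tree = node()
    if pos != len(tokens):
        raise ValueError("trailing input after filter")
    return tree


def attr_value(entry, attr):
    """LDAP attribute names are case-insensitive: 'samAccountType' in the
    filter must find 'sAMAccountType' in the entry."""
    for key, value in entry.items():
        if key.lower() == attr.lower():
            return value
    return None


def matches(tree, entry):
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, pattern = tree
    value = attr_value(entry, attr)
    if value is None:
        return False           # absent attribute fails both presence and equality
    if pattern == "*":
        return True            # presence test
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, str(value), re.IGNORECASE) is not None


def select(directory, ldap_filter):
    tree = parse_filter(ldap_filter)
    return [e for e in directory if matches(tree, e)]


def render_field(template, entry, aliases):
    """Combine attributes the way the Attribute Mapping tab does, e.g.
    'Last: {ln}, First: {fn}' with aliases ln -> sn and fn -> givenName."""
    return re.sub(r"\{(\w+)\}",
                  lambda m: str(attr_value(entry, aliases.get(m.group(1), m.group(1))) or ""),
                  template)


def build_reference_table(directory, ldap_filter, attributes, key, combined=None, aliases=None):
    """{key value: {attribute: value}} for every selected entry, i.e. the
    shape of a reference map of maps keyed on the chosen attribute."""
    table = {}
    for entry in select(directory, ldap_filter):
        row = {a: attr_value(entry, a) for a in attributes}
        for name, template in (combined or {}).items():
            row[name] = render_field(template, entry, aliases or {})
        table[attr_value(entry, key)] = row
    return table


REFERENCE_TABLE = build_reference_table(
    DIRECTORY, DEFAULT_AD_FILTER, DEFAULT_ATTRIBUTES, key="userPrincipalName",
    combined={"fullname": "Last: {ln}, First: {fn}"}, aliases={"ln": "sn", "fn": "givenName"})
```

Running the default filter over the four constructed entries keeps only the two user accounts; replacing the filter with (sAMAccountName=*) alone would also import WS01$ and Domain Admins, which then show up as "users" with risk scores.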

Configuring UBA settings

To view information in the IBM QRadar User Behavior Analytics (UBA) app, you must configure UBA application settings.

Configuring the authorization token in QRadar settings

To view information in the IBM QRadar User Behavior Analytics (UBA) app, you must configure a UBA authorization token in UBA Settings.

About this task

Attention: QRadar on Cloud administrators cannot create an authorized service token for QRadar apps due to limited administrator capabilities. If you're a QRadar on Cloud customer, contact Customer Support to create an authorized service token for you.

You must complete the following steps to create an authorization token. Do not save the configuration until you have configured all of the UBA Settings.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu ( ), and then click Admin to open the admin tab.

2. Click the UBA Settings icon.

• In QRadar V7.3.0 or earlier, click Plugins > User Analytics > UBA Settings.
• In QRadar 7.3.1 or later, click Apps > User Analytics > UBA Settings.

3. In the QRadar Settings section, click the Manage Authorized Services link.


4. Click Add Authorized Service.
5. In the Service Name field, type UBA.
6. From the User Role list, select the Admin user role.
7. From the Security Profile list, select the security profile that you want to assign to this authorized service. The security profile determines the networks and log sources that this service can access on the QRadar user interface.

8. In the Expiry Date list, type or select a date for this service to expire. If an expiry date is not necessary, select No Expiry.

9. Click Create Service.
10. Click the row that contains the UBA service you created and then select and copy the token string from the Selected Token field in the menu bar.
11. Return to the QRadar Settings section and paste the authorized service token string into the Token field.

What to do next
“Configuring content package settings” on page 24

Configuring content package settings

To view information in the IBM QRadar User Behavior Analytics (UBA) app, you must configure content package settings.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu ( ), and then click Admin to open the admin tab.

2. Click the UBA Settings icon.

• In QRadar V7.3.0 or earlier, click Plugins > User Analytics > UBA Settings.
• In QRadar 7.3.1 or later, click Apps > User Analytics > UBA Settings.

3. In the Content Package Settings section, the Install and upgrade UBA content packages check box is enabled by default. If you do not want to install the UBA content packages, clear the check box and save the configuration. If you decide not to install UBA content packages, you must create your own rules to trigger sense events that send events to UBA.

Note: If you clear the Install and upgrade UBA content packages check box and save the configuration, and then return to the UBA Settings page, select the check box and save the configuration, the content will be installed and upgraded.


What to do next
“Configuring application settings” on page 25

Configuring application settings

To view information in the IBM QRadar User Behavior Analytics (UBA) app, you must configure UBA application settings.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu ( ), and then click Admin to open the admin tab.

2. Click the UBA Settings icon.

• In QRadar V7.3.0 or earlier, click Plugins > User Analytics > UBA Settings.
• In QRadar 7.3.1 or later, click Apps > User Analytics > UBA Settings.

3. In the Application Settings section, configure the following settings:

Option Description

Risk threshold Indicates how high a user's risk score should get before an offense is triggered against that user. A risk score is the summation of all risk events detected by UBA rules.

Select one of the following options:

• Dynamic: The default value is 4.0. The higher the value, the higher the dynamic threshold, resulting in fewer offenses. You should turn off Generate an offense for high risk users until the settings have run for at least a day. The dynamic threshold value is updated hourly based on the risk score distribution in the system. You can decide whether to enable the setting based on the number of offenses that could be triggered. See the Tip for more information.

Note: If there is not enough variety in the risk scores, the dynamic threshold is set to 10 above the score of the highest-risk user, and it stays that way to prevent a large number of offenses from being generated unnecessarily.

• Static: The default value is 100,000. The value is set high by default to avoid triggering offenses before the environment is analyzed. You can turn on Generate an offense for high risk users to open an offense with a username type for users above the risk threshold. You can decide whether to enable the setting based on the number of offenses that could be triggered.

Tip: Consider setting up UBA and leaving the default value. Allow the settings to run for at least a day to see the type of scores that are returned. After a few days, review the results on the dashboard to determine a pattern. You can then adjust the threshold. For example, if you see one or two people with scores in the 500s but most are in the 100s, then consider setting the threshold to 200 or 300. So "normal" for your environment might be 100 or so, and any score above that might require your attention.

Decay risk by this factor per hour Risk decay is the percentage by which the risk score is reduced every hour. The default value is 0.5.

Note: The higher the number, the faster the risk score decays; the lower the number, the slower the risk score decays.


Date range for user detail graphs The date range that is displayed for the user details graphs on the User Details page. The default value is 1.

Duration of investigation status The number of hours (1 - 10,000) that is assigned for an investigation to be completed.

User inactivity interval The User Details page shows a timeline with activity grouped by sessions. If a user is inactive for the amount of time entered in the User inactivity interval field, the session ends. The default value is 15 minutes.

Dormant account threshold The number of days that users are inactive before they are considered dormant. The default value is 14 days. For more information, see “Dormant accounts” on page 35. (Available in V3.2.0 and later.)

Search assets for username, when username is not available for event or flow data Select the check box to search for user names in the asset table. The UBA app uses assets to look up a user for an IP address when no user is listed in an event.

Important: This feature might cause performance issues in the UBA app and your QRadar system.

Tip: If the query timeout threshold is exceeded, the app does not return any data. If you receive an error message on the UBA Dashboard, clear the check box and click Refresh.

Display country/region flags for IP addresses Clear the check box if you do not want to display country and region flags for IP addresses.
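The Risk threshold and Decay risk by this factor per hour settings above, as an added example that is not IBM's code: a small risk ledger that sums the sense values of rule hits per user, applies the hourly percentage decay, and evaluates both the static and the dynamic threshold against the resulting scores. The page gives the decay default (0.5 per hour), the static default (100,000), the dynamic factor (4.0) and the "10 above the highest-risk user" fallback, but not the dynamic formula; mean plus factor times standard deviation, and "not enough variety" read as a standard deviation below 1.0, are assumptions here, as are the users and events.

```python
"""Added example, not IBM's code: risk accumulation, hourly decay and offense
thresholds from the Application Settings. The dynamic-threshold formula and
the low-variety rule are assumptions; users and events are constructed."""
import statistics

DECAY_PERCENT_PER_HOUR = 0.5   # page default for "Decay risk by this factor per hour"
STATIC_THRESHOLD = 100000      # page default, deliberately out of reach at first
DYNAMIC_FACTOR = 4.0           # page default for the dynamic threshold
LOW_VARIETY_STDDEV = 1.0       # assumption: below this, fall back to "highest user + 10"


def decay(score, hours, percent=DECAY_PERCENT_PER_HOUR):
    """Reduce a score by `percent` per cent for every elapsed hour, compounded."""
    return score * (1.0 - percent / 100.0) ** hours


class RiskLedger:
    """Per-user risk totals with lazy decay: on each rule hit the score is
    decayed for the hours since that user's last update, then the hit's
    sense value is added (the summation the Risk threshold text describes)."""

    def __init__(self, decay_percent=DECAY_PERCENT_PER_HOUR):
        self.decay_percent = decay_percent
        self.state = {}   # user -> (score, hour of last update)

    def add(self, user, hour, sense_value):
        score, last = self.state.get(user, (0.0, hour))
        score = decay(score, hour - last, self.decay_percent) + sense_value
        self.state[user] = (score, hour)

    def snapshot(self, hour):
        """Every user's score decayed forward to `hour`."""
        return {u: decay(s, hour - last, self.decay_percent)
                for u, (s, last) in self.state.items()}


def dynamic_threshold(scores, factor=DYNAMIC_FACTOR):
    """Assumed form: mean + factor * population standard deviation, with the
    page's fallback of 'highest user + 10' when scores barely differ."""
    values = list(scores.values())
    if len(values) < 2 or statistics.pstdev(values) < LOW_VARIETY_STDDEV:
        return max(values, default=0.0) + 10.0
    return statistics.mean(values) + factor * statistics.pstdev(values)


def users_over_threshold(scores, threshold):
    """Users for whom 'Generate an offense for high risk users' would open an offense."""
    return sorted(u for u, s in scores.items() if s >= threshold)


# Constructed events: (hour, user, sense value carried by the rule hit)
EVENTS = [
    (0, "jdoe", 10), (0, "asmith", 10), (0, "bkim", 10), (0, "carol", 10),
    (1, "mallory", 100),    # one large hit
    (24, "mallory", 200),   # another a day later, after ~11% of the first decayed away
]


def simulate(events=EVENTS):
    """Return (scores right after the hour-0 events, scores at hour 24)."""
    ledger = RiskLedger()
    hour0 = None
    for hour, user, value in events:
        if hour > 0 and hour0 is None:
            hour0 = ledger.snapshot(0)
        ledger.add(user, hour, value)
    return hour0, ledger.snapshot(24)


if __name__ == "__main__":
    before, after = simulate()
    print("dynamic threshold at hour 0 (no variety):", dynamic_threshold(before))
    print("dynamic threshold at hour 24:", round(dynamic_threshold(after), 1))
    print("users over a static threshold of 250:", users_over_threshold(after, 250))
```

Two things the run makes visible that the settings text only implies: with four identical scores the fallback pins the threshold at 20, and a single outlier in a small population inflates the standard deviation enough that the dynamic threshold (about 513 here) sits far above the outlier itself, which is why the Tip recommends watching the distribution for a few days before trusting either mode.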


What to do next
“Importing user data and user coalescing” on page 27

Importing user data and user coalescing

To view information in the IBM QRadar User Behavior Analytics (UBA) app, you can import user data from a reference table.

Before you begin

Complete the instructions for “Configuring application settings” on page 25.

About this task

Importing user data and user coalescing are optional.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu ( ), and then click Admin to open the admin tab.

2. Click the UBA Settings icon.

• In QRadar V7.3.0 or earlier, click Plugins > User Analytics > UBA Settings.


• In QRadar 7.3.1 or later, click Apps > User Analytics > UBA Settings.

3. In the Import User Data section, select a Reference table.
4. Enter the number of hours to determine how often you want the reference table to ingest data.
5. In the User Coalescing section, select the attributes that are pulled from the selected reference table and that appear as "Username" in your QRadar system. The risk scores of these identifiers are added to, and are also associated with, the primary identifier. Do not select attributes that have shared values across users. For example, if there are many people from the same department, do not select "Department" as a username. Selecting a shared attribute like "Department" or "Country" causes UBA to combine all users with the same department or country value.
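The User Coalescing step above, as an added example that is not IBM's code: the reference table is keyed on a primary identifier, the attributes selected for coalescing become the aliases that can appear as "Username" in events, and risk seen under any alias is credited to the primary. The same code run with "department" selected shows the merge the step warns about. Rows, events and function names are constructed assumptions.

```python
"""Added example, not IBM's code: user coalescing over a reference table.
Rows, events and names are constructed."""

# Constructed reference table rows keyed on userPrincipalName (the primary identifier)
REFERENCE_TABLE = {
    "jdoe@example.com": {"sAMAccountName": "jdoe", "mail": "jane.doe@example.com", "department": "Finance"},
    "asmith@example.com": {"sAMAccountName": "asmith", "mail": "al.smith@example.com", "department": "Finance"},
    "bkim@example.com": {"sAMAccountName": "bkim", "mail": "b.kim@example.com", "department": "IT"},
}

# Constructed events: (Username as QRadar normalized it, sense value of the rule hit)
EVENTS = [("jdoe", 10), ("jane.doe@example.com", 5), ("asmith", 7), ("BKIM", 4), ("svc_backup", 2)]


def build_alias_map(table, coalesce_attrs):
    """{alias (lower-cased): set of primaries that carry it}. Usernames are
    compared case-insensitively because event sources rarely agree on case."""
    alias_map = {}
    for primary, row in table.items():
        alias_map.setdefault(primary.lower(), set()).add(primary)
        for attr in coalesce_attrs:
            value = row.get(attr)
            if value:
                alias_map.setdefault(str(value).lower(), set()).add(primary)
    return alias_map


def shared_aliases(alias_map):
    """Aliases that resolve to more than one primary: the case the step warns about."""
    return {a: sorted(p) for a, p in alias_map.items() if len(p) > 1}


def coalesce(table, coalesce_attrs):
    """Union-find over primaries: any two that share an alias value collapse
    into one UBA user. Returns {primary: canonical primary of its group}."""
    parent = {p: p for p in table}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for primaries in build_alias_map(table, coalesce_attrs).values():
        first, *rest = sorted(primaries)
        for other in rest:
            parent[find(other)] = find(first)
    return {p: find(p) for p in table}


def credit_risk(events, table, coalesce_attrs):
    """Sum sense values per coalesced user. Events whose Username matches no
    primary or alias stay unresolved, as UBA does not process such events."""
    alias_map = build_alias_map(table, coalesce_attrs)
    groups = coalesce(table, coalesce_attrs)
    totals, unresolved = {}, []
    for username, sense_value in events:
        primaries = alias_map.get(username.lower())
        if not primaries:
            unresolved.append(username)
            continue
        canonical = groups[next(iter(primaries))]
        totals[canonical] = totals.get(canonical, 0) + sense_value
    return totals, unresolved


if __name__ == "__main__":
    print(credit_risk(EVENTS, REFERENCE_TABLE, ["sAMAccountName", "mail"]))
    print(shared_aliases(build_alias_map(REFERENCE_TABLE, ["department"])))
    print(credit_risk(EVENTS, REFERENCE_TABLE, ["sAMAccountName", "department"]))
```

A practical check before saving the configuration: run shared_aliases over the attributes you intend to select; any non-empty result names users that will be merged.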

What to do next
“Configuring display attributes” on page 28

Configuring display attributes

To view information in the IBM QRadar User Behavior Analytics (UBA) app, you can select attributes from the reference table that you want to display on the User Details page.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.


• In IBM QRadar V7.3.1 and later, click the navigation menu ( ), and then click Admin to open the admin tab.

2. Click the UBA Settings icon.

• In QRadar V7.3.0 or earlier, click Plugins > User Analytics > UBA Settings.
• In QRadar 7.3.1 or later, click Apps > User Analytics > UBA Settings.

3. In the Display Attributes section, select the attributes that you want to display on the User Details page.

4. Click Save Configuration.


Chapter 5. Administering

Managing permissions for the QRadar UBA app

Administrators use the User Role Management feature in IBM QRadar to configure and manage user accounts. As an administrator, you must enable the User Analytics, Offenses, and Log Activity permissions for each user role that is permitted to use the QRadar UBA app.

About this task

After you install the QRadar UBA app, the User Analytics, Offenses, and Log Activity permissions must be enabled for the user roles that are assigned to users intending to use the QRadar UBA app.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu ( ), and then click Admin to open the admin tab.

2. In the System Configuration section, click User Management, and then click the User Roles icon.
3. Select an existing user role or create a new role.
4. Select the following check boxes to add the permissions to the role.

• User Analytics
• Offenses
• Log Activity

5. Click Save.

Creating watchlists

You can add a user to a new watchlist or an existing watchlist.

About this task

You can add a user to a new watchlist or an existing watchlist from the UBA Dashboard, the User Details page, or the Search Results page. A single user can be a member of multiple watchlists.

Procedure

1. From the UBA Dashboard or the User Details page, click the Watchlist icon.
2. From the menu, select Create new watchlist. To add a user to an existing watchlist, click Add to your watchlist.
3. On the General Settings tab, enter a watchlist name.
4. You can artificially increase or decrease the user's risk score by changing the value in the Scale risk by factor field. The default factor of '1' leaves the risk score unchanged.

Note: If a user is in more than one watchlist, the largest scale factor is applied.

5. In the Machine Learning tracking priority section, select the priority for how users are tracked by the Machine Learning analytics.

© Copyright IBM Corp. 2016, 2019 31

Page 40: Version 3.3.0 app IBM QRadar User Behavior …public.dhe.ibm.com/software/security/products/qradar/...IBM QRadar User Behavior Analytics (UBA) app Version 3.3.0 User Guide IBM Note

• High - Users are always tracked up to the maximum users per Machine Learning analytic.• Normal - Users are tracked by highest risk after all the high users are included.• Never - Users are not tracked by Machine Learning.

6. Click Next.

7. On the Membership Settings tab, you can automatically populate the watchlist with users from a reference set, a regular expression, or both.

8. In the Import from QRadar reference set field, search for a reference set or click to select a reference set from the list to import all entries from the reference set. Note: The list might contain reference sets that do not have user names. After you select a reference set, click the link to review it.

9. In the Add from Monitored Users with regex filter field, you can select a user property and enter a valid Python regular expression to select users who are already found in the UBA database.

10. In the Refresh interval field, enter the number of hours for how often you want the user list to be updated. For example, if you enter 10, the user list is updated every 10 hours. If the Refresh interval is set to a value of 0 (zero), you can manually update the watchlist by clicking Refresh.

11. Click Save.
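As an added illustration, not code from the UBA app, the following Python models how the watchlist settings above combine: membership is the union of an imported reference set and a Python regex applied to a user property, a user who is in several watchlists gets the largest Scale risk by factor value, and a Refresh interval of 0 means manual refresh only. The user records, the reference set contents, the watchlist names and the use of re.search semantics are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed stand-in for the UBA monitored-user database (not real data);
# each record carries the properties a regex filter can be applied to.
MONITORED_USERS: List[Dict[str, str]] = [
    {"username": "alice", "department": "Finance", "title": "Analyst"},
    {"username": "bob", "department": "Engineering", "title": "Admin"},
    {"username": "carol", "department": "Finance", "title": "Manager"},
    {"username": "svc_backup", "department": "IT", "title": "Service Account"},
]

# Constructed stand-in for a QRadar reference set of user names.
EXECUTIVES_REFERENCE_SET: Set[str] = {"carol", "dave"}


@dataclass
class Watchlist:
    name: str
    scale_factor: float = 1.0                  # "Scale risk by factor"; 1 leaves the score unchanged
    reference_set: Set[str] = field(default_factory=set)  # "Import from QRadar reference set"
    regex_property: Optional[str] = None       # user property the regex filter is applied to
    regex: Optional[str] = None                # Python regular expression
    refresh_hours: int = 0                     # "Refresh interval"; 0 means manual Refresh only

    def members(self, users: List[Dict[str, str]]) -> Set[str]:
        """Union of every reference-set entry and every regex match over monitored users."""
        names = set(self.reference_set)
        if self.regex_property and self.regex:
            pattern = re.compile(self.regex)   # assumption: re.search semantics
            for user in users:
                if pattern.search(user.get(self.regex_property, "")):
                    names.add(user["username"])
        return names


def effective_scale_factor(username: str, watchlists: List[Watchlist],
                           users: List[Dict[str, str]]) -> float:
    """Largest factor among the watchlists that contain the user; 1.0 when in none."""
    factors = [w.scale_factor for w in watchlists if username in w.members(users)]
    return max(factors, default=1.0)


def scaled_risk(username: str, base_score: float, watchlists: List[Watchlist],
                users: List[Dict[str, str]]) -> float:
    """Risk score after the watchlist factor is applied."""
    return base_score * effective_scale_factor(username, watchlists, users)


def next_refresh(watchlist: Watchlist, last_refresh: datetime) -> Optional[datetime]:
    """When membership is recomputed next; None means only a manual Refresh updates it."""
    if watchlist.refresh_hours == 0:
        return None
    return last_refresh + timedelta(hours=watchlist.refresh_hours)


# Constructed watchlists exercising both membership sources and the largest-factor rule.
WATCHLISTS = [
    Watchlist("Executives", scale_factor=2.0, reference_set=EXECUTIVES_REFERENCE_SET),
    Watchlist("Finance staff", scale_factor=1.5, regex_property="department",
              regex=r"^Finance$", refresh_hours=10),
    Watchlist("Service accounts", scale_factor=0.5, regex_property="username", regex=r"^svc_"),
]
LAST_REFRESH = datetime(2019, 6, 1, 0, 0)   # constructed timestamp

if __name__ == "__main__":
    for user in MONITORED_USERS:
        name = user["username"]
        print(name, effective_scale_factor(name, WATCHLISTS, MONITORED_USERS),
              scaled_risk(name, 40, WATCHLISTS, MONITORED_USERS))
    for w in WATCHLISTS:
        print(w.name, "next refresh:", next_refresh(w, LAST_REFRESH))
```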


Viewing the whitelist for trusted users

You can view the list of trusted users that are whitelisted in the reference set management list.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the Admin tab.

2. In the System Configuration section, click Reference Set Management.

3. On the Reference Set Management window, select the UBA : Trusted Usernames reference set.

4. Click View Contents.

Managing network monitoring tools

You can manage network monitoring tools for the IBM QRadar User Behavior Analytics (UBA) app.

About this task

If you want to monitor the use of network capture, monitoring, or analysis programs, make sure the programs are listed in the UBA : Network Capture, Monitoring and Analysis Program Filenames reference set. You must then enable the UBA : Network Capture, Monitoring and Analysis Program Filenames rule.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the Admin tab.

2. In the System Configuration section, click Reference Set Management.

3. On the Reference Set Management window, select the UBA : Network Capture, Monitoring and Analysis Program Filenames reference set.

4. Click View Contents.

5. To add an application to manage, click Add and enter the values in the box.

6. To remove an application, select an application and click Delete.

What to do next

Enable the UBA : Network Capture, Monitoring and Analysis Program Filenames rule.

Managing restricted programs

You can manage restricted programs for the IBM QRadar User Behavior Analytics (UBA) app.

About this task

If there are any applications that you want to monitor for usage, go to the UBA : Restricted Program Filenames reference set and enter the applications that you want to monitor. You must then enable the UBA : Restricted Program Filenames rule.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the Admin tab.

2. In the System Configuration section, click Reference Set Management.

3. On the Reference Set Management window, select the UBA : Restricted Program Filenames reference set.

4. Click View Contents.

5. To add an application to manage, click Add and enter the values in the box.

6. To remove an application, select an application and click Delete.

What to do next

Enable the UBA : Restricted Program Filenames rule.


Adding log sources to the trusted log source group

If you do not want the UBA app to monitor and report certain log sources, you can add them to the UBA : Trusted Log Source Group. Adding log sources to the group stops the UBA app from monitoring them.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the common parameters for your log source.

5. Configure the protocol-specific parameters for your log source.

6. Select the UBA : Trusted Log Source Group check box.

7. Click Save.

8. On the Admin tab, click Deploy Changes.

Dormant accounts

You can see users in your system that have dormant accounts, active accounts, or accounts that have never been used.

Viewing dormant accounts on the User Details page

In V3.2.0 and later, you can see the status of the accounts that are associated with the selected user on the User Details page.

User Account Status: Description

Active: An account for which UBA has seen events from a QRadar log source within the configured dormant account threshold time period.

Dormant: An account for which UBA has seen at least one event in the past but has not seen any new events during the dormant account threshold time period.

Never Used: An account for which UBA has never seen an event with that user name in a QRadar log source.

Accounts identified as "Never Used" can be caused by the following activities:

• Accounts that have never been logged by a QRadar log source for the associated user name account.

• The event occurred before UBA V3.2.0 was installed. Note: When you first install the UBA app, only events that occurred in the last hour are analyzed to determine when an account was last accessed. After the initial analysis, the UBA app queries events that occurred between executions of the background task that watches for account usage.

Note: Accounts that are categorized as "Never Used" were likely imported from the LDAP app.


Users with Dormant Accounts watchlist

The Users with Dormant Accounts watchlist is automatically generated as the UBA app pulls in user data. You can view the Users with Dormant Accounts watchlist on the UBA Dashboard.

If you delete the watchlist, it is not automatically re-created. If you need to create it again, select the UBA : Dormant Accounts reference set on the Membership Settings tab on the Create a watchlist screen.

Configuring the dormant accounts threshold

The default value for the dormant accounts threshold is 14 days. You can change the number of days that users are inactive before they are considered dormant in the Application Settings section on the UBA Settings page (Admin Settings > User Analytics > UBA Settings).
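The account status rules and threshold described above, as an added Python example that is not part of the UBA app: each account is classified as Active, Dormant, or Never Used from the newest event UBA has observed for it, measured against the configurable threshold (14 days by default), and the Dormant names are collected as the reference set would hold them. The sample accounts, timestamps, and the one-hour look-back before installation (modelled on the note about the initial analysis) are constructed assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# UBA default; the value is configurable on the UBA Settings page.
DEFAULT_DORMANT_THRESHOLD_DAYS = 14

# Assumption: only events from one hour before installation onward are analyzed,
# so older events never contribute to "last seen" (modelled on the note above).
INITIAL_LOOKBACK = timedelta(hours=1)


def last_seen_by_uba(event_times: List[datetime], install_time: datetime) -> Optional[datetime]:
    """Newest event timestamp that UBA has observed for an account, or None if none."""
    visible = [t for t in event_times if t >= install_time - INITIAL_LOOKBACK]
    return max(visible) if visible else None


def classify_account(last_seen: Optional[datetime], now: datetime,
                     threshold_days: int = DEFAULT_DORMANT_THRESHOLD_DAYS) -> str:
    """Map an account's last observed event to the User Details status."""
    if last_seen is None:
        return "Never Used"      # no event with this user name in any log source
    if now - last_seen <= timedelta(days=threshold_days):
        return "Active"          # seen inside the dormant threshold window
    return "Dormant"             # seen before, but not inside the threshold window


def classify_accounts(events_by_account: Dict[str, List[datetime]], install_time: datetime,
                      now: datetime,
                      threshold_days: int = DEFAULT_DORMANT_THRESHOLD_DAYS) -> Dict[str, str]:
    """Status for every account, using only the events UBA could have seen."""
    return {name: classify_account(last_seen_by_uba(times, install_time), now, threshold_days)
            for name, times in events_by_account.items()}


def dormant_accounts(statuses: Dict[str, str]) -> List[str]:
    """Names that would populate the UBA : Dormant Accounts reference set."""
    return sorted(name for name, status in statuses.items() if status == "Dormant")


# Constructed sample data (not from a real QRadar deployment).
INSTALL_TIME = datetime(2019, 6, 1, 12, 0)
NOW = datetime(2019, 6, 30, 12, 0)
SAMPLE_EVENTS: Dict[str, List[datetime]] = {
    "alice": [datetime(2019, 6, 10, 9, 0), datetime(2019, 6, 28, 9, 0)],  # recent logon
    "bob": [datetime(2019, 6, 5, 9, 0)],                                   # 25 days ago
    "carol": [datetime(2019, 5, 20, 10, 0)],                               # before install
    "ldap_only": [],                                                       # imported, never seen
}

if __name__ == "__main__":
    statuses = classify_accounts(SAMPLE_EVENTS, INSTALL_TIME, NOW)
    for name, status in statuses.items():
        print(f"{name:10s} {status}")
    print("dormant:", dormant_accounts(statuses))
```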

Responses to dormant accounts or users

You can generate responses for dormant accounts from the provided rules. You can also create custom responses by using the events that are triggered from the app.

To use the provided rules so that a user's score is increased when an account that was dormant is used or is attempted to be used, make sure that the following rules are enabled:

• “UBA : Dormant Account Use Attempted” on page 70

• “UBA : Dormant Account Used” on page 69

To create custom responses, you can use the following generated events in a rule or query:

• Dormant Account Found (QID 104000012)

• Dormant Account Used (QID 104000013)

Related concepts

“UBA dashboard and user details” on page 5
The IBM QRadar User Behavior Analytics (UBA) app shows you the overall risk data for users in your network.

Related tasks

“Configuring application settings” on page 25
To view information in the IBM QRadar User Behavior Analytics (UBA) app, you must configure UBA application settings.

“Creating watchlists” on page 31
You can add a user to a new watchlist or an existing watchlist.


Chapter 6. Tuning

Enabling indexes to improve performance

To improve the performance of your IBM QRadar User Behavior Analytics (UBA) app, enable indexes in IBM QRadar.

About this task

To improve the speed of searches in IBM QRadar and the UBA app, narrow the overall data by adding the following indexed fields to your search query:

• High Level Category

• Low Level Category

• senseValue

• senseOverallScore

• Username

For more information about indexing, see the following section of the IBM Knowledge Center at https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.1/com.ibm.qradar.doc/c_qradar_adm_index_mgmt.html.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the Admin tab.

2. In the System Configuration section, click the Index Management icon.

3. On the Index Management page, in the search box, enter High Level Category.

4. Select High Level Category and then click Enable Index.

5. Click Save.

6. Select Low Level Category and then click Enable Index.

7. Click Save.

8. On the Index Management page, in the search box, enter sense.

9. Select senseValue and senseOverallScore and then click Enable Index.

10. Click Save.

11. On the Index Management page, in the search box, enter username.

12. Select Username and then click Enable Index.

13. Click Save.

Integrating new or existing QRadar content with the UBA app

Use the Rules Wizard in QRadar to integrate existing or custom QRadar rules with the UBA app.

About this task

To meet your specific needs, you can use the capabilities built into QRadar by integrating your existing QRadar rules with the UBA app.

Restriction: Do not customize your rules to use the UBA and Machine Learning reference sets. Attempting to use the reference sets in custom rules can lead to failures within the UBA app.


Procedure

1. Create a copy of the existing rule. This prevents updates to the base rule from affecting the edits made to the new rule.

2. Open the rule in the Rule Wizard and then navigate to the Rule Response section.

3. Enable or edit the Dispatch New Event option by making sure the Event Description text is formatted in the following way: senseValue=#,senseDesc='sometext',usecase_id='rule UUID'

4. Set the High-Level-Category to Sense.

5. Click Finish to save the changes.

Note: If the rule works on flow data, you must enable the Search assets for username, when username is not available for event or flow data option so that events with no usernames can attempt a lookup for user mapping.
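An added example, not the app's own code, that builds and validates the Event Description text from step 3 so a custom rule's Dispatch New Event response can be checked before it is saved. Treating senseValue as a non-negative integer, usecase_id as canonical UUID text, and the single quotes as delimiters that allow commas inside senseDesc are assumptions, and the UUID value is a constructed placeholder rather than a real rule id.

```python
import re
import uuid
from typing import Dict, List

REQUIRED_KEYS = ("senseValue", "senseDesc", "usecase_id")

# Constructed placeholder; a real value is the UUID of the QRadar rule.
SAMPLE_RULE_UUID = "123e4567-e89b-12d3-a456-426614174000"


def _split_fields(text: str) -> List[str]:
    """Split on commas that are not inside single quotes (assumption: quotes delimit values)."""
    parts: List[str] = []
    buf: List[str] = []
    in_quote = False
    for ch in text:
        if ch == "'":
            in_quote = not in_quote
        if ch == "," and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if in_quote:
        raise ValueError("unterminated single quote in event description")
    parts.append("".join(buf))
    return parts


def parse_sense_description(desc: str) -> Dict[str, str]:
    """Parse senseValue=#,senseDesc='text',usecase_id='uuid' and validate each field."""
    fields: Dict[str, str] = {}
    for part in _split_fields(desc):
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        key, value = part.split("=", 1)
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]          # drop the surrounding single quotes
        fields[key] = value
    missing = [k for k in REQUIRED_KEYS if k not in fields]
    if missing:
        raise ValueError("missing required field(s): " + ", ".join(missing))
    if not re.fullmatch(r"\d+", fields["senseValue"]):   # assumption: non-negative integer
        raise ValueError("senseValue must be an integer")
    try:
        uuid.UUID(fields["usecase_id"])                  # assumption: canonical UUID text
    except ValueError:
        raise ValueError("usecase_id must be the rule UUID") from None
    return fields


def build_sense_description(sense_value: int, sense_desc: str, usecase_id: str) -> str:
    """Produce the Event Description text for the Dispatch New Event response."""
    if "'" in sense_desc:
        raise ValueError("senseDesc must not contain single quotes")
    uuid.UUID(usecase_id)   # reject anything that is not a UUID before it reaches the rule
    return f"senseValue={int(sense_value)},senseDesc='{sense_desc}',usecase_id='{usecase_id}'"


def is_valid_sense_description(desc: str) -> bool:
    """True when the text parses and every required field validates."""
    try:
        parse_sense_description(desc)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    text = build_sense_description(15, "Executive asset accessed, non-executive user", SAMPLE_RULE_UUID)
    print(text)
    print(parse_sense_description(text))
    print(is_valid_sense_description("senseValue=high,senseDesc='x',usecase_id='" + SAMPLE_RULE_UUID + "'"))
```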

Reference sets

The User Behavior Analytics app and the Machine Learning app use reference sets for storing user information. Some reference sets are reserved for app use only and you should not modify them or use them in creating custom rules.

Reference sets you can customize

Reference set: Description

UBA : High Risk Users: The UBA : High Risk Users reference set is built from the Risk threshold to trigger offenses value on the UBA Settings page. The maximum number of users is 10,000 and the reference set is rebuilt every 5 minutes.

UBA : Trusted Usernames: You can add user names to the UBA : Trusted Usernames reference set, but do not use it for rules or reports. No offenses are generated for the users in the UBA : Trusted Usernames reference set.

UBA : ML Always Tracked Watchlist: The UBA : ML Always Tracked Watchlist reference set is built from the users you select to Track with Machine Learning in the Advanced Settings section on the User Details page. You can add user names to the UBA : ML Always Tracked Watchlist reference set, but do not use it for rules or reports.

Reference sets you cannot customize

Restriction: Do not modify or use the following reference sets for custom rule creation.

• UBA - Current ML Tracked Users

• UBA - Previous ML Tracked Users

• UBA - Current Abridged ML Tracked Users

• UBA - Previous Abridged ML Tracked Users

• UBA - Current Peer Group ML Tracked Users

• UBA - Previous Peer Group ML Tracked Users


Chapter 7. Rules and tuning for the UBA app

The IBM QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

The User Behavior Analytics (UBA) app includes use cases that are based on custom rules. These rules are used to generate data for the UBA app dashboard. Starting with V3.0.0 of the UBA app, you can view, filter, and tune rules within the UBA app. In V2.8.0 or earlier, you can view and modify the rules in the User Behavior Analytics Group on the Rules List in QRadar.

Note:

• By default, not all of the UBA app rules are enabled.

• One or more of the log sources should provide information for the specific UBA rule. The log sources are not prioritized in any particular order.

Restriction: Do not customize your rules to use the UBA and Machine Learning reference sets. Attempting to use the reference sets in custom rules can lead to failures within the UBA app. For more information, see “Reference sets” on page 39.

For more information about working with rules in QRadar, see Rules.

For more information about enabling Machine Learning user models, see “Enabling user models V3.3.0” on page 211.

Rules and tuning page

The UBA app V3.0.0 introduces the Rules and Tuning page (Admin Settings > User Analytics > Rules and Tuning).

The Rules and Tuning page lists all the rules that are included with the installed version of the UBA app, along with each rule's current enabled status and the corresponding reference sets.

On the Rules and Tuning page, you can:

• Enable or disable rules

• Quickly access the QRadar Rules Wizard to review or edit rules

• Quickly access reference sets to review or edit their content

• Filter the rules table by category, status, default risk score, reference sets required, and content dependencies

• Sort the rules table by rule name, reference set, or status

• Search items in the table or words that are found in the rule description tooltip

• Access the help documentation for individual rules

Access and authentication

UBA : Bruteforce Authentication Attempts

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Bruteforce Authentication Attempts

Enabled by default

True


Default senseValue

5

Description

Detects authentication failure brute force attack (Horizontal and Vertical).

Support rules

• BB:UBA : Common Event Filters

• BB:CategoryDefinition: Authentication Failures

• BB:UBA : Detecting Authentication Bruteforce Attempts (Horizontal)

• BB:UBA : Detecting Authentication Bruteforce Attempts (Vertical)

Log source types

3Com 8800 Series Switch, APC UPS, AhnLab Policy Center APC, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Bluemix Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco FireSIGHT Management Center, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, CyberGuard TSP Firewall/VPN, DCN DCS/DCRS Series, DG Technology MEAS, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM Guardium, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, ISC BIND, Illumio Adaptive Security Platform, Imperva SecureSphere, Infoblox NIOS, Itron Smart Meter, Juniper Junos OS Platform, Juniper Junos WebApp Secure, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Lieberman Random Password Manager, LightCyber Magna, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft SCOM, Microsoft SQL Server, Microsoft SharePoint, Microsoft Windows Security Event Log, Motorola SymbolAP, Netskope Active, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, Okta, Open LDAP Software, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Monitoring, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, Venustech Venusense Security Platform, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI

UBA : Executive Only Asset Accessed by Non-Executive User

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Executive Only Asset Accessed by Non-Executive User

Enabled by default

False

Default senseValue

15

Description

Detects when a non-executive user logs on to an asset that is for executive use only. Two empty reference sets will be imported with this rule: "UBA : Executive Users" and "UBA : Executive Assets". Edit the reference sets to add or remove any accounts and IP addresses that are flagged from your environment. Enable this rule after you configure the reference sets.

Support rules

• BB:UBA : Common Event Filters

• BB:CategoryDefinition: Authentication Success

• BB:CategoryDefinition: Firewall or ACL Accept

Required configuration

Add the appropriate values to the following reference sets: "UBA : Executive Users" and "UBA : Executive Assets".

Log source types

APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDos Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI

UBA : High Risk User Access to Critical Asset

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : High Risk User Access to Critical Asset

Enabled by default

False

Default senseValue

15

Description

Detects when a user who is involved in incidents (offenses) accesses a critical asset.


Support rules

• BB:UBA : Common Event Filters

• BB:CategoryDefinition: Authentication Success

Required configuration

Add the appropriate values to the following reference set: "Critical Assets".

Log source types

APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDos Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI

UBA : Multiple VPN Accounts Failed Login From Single IP

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Multiple VPN Accounts Failed Login From Single IP

Enabled by default

True

Default senseValue

5

Description

Detects any VPN account login failures from the "UBA : Multiple VPN Accounts Failed Login From Single IP" reference set.

Support rules

• UBA : Populate Multiple VPN Accounts Failed Login From Single IP
• BB:UBA : VPN Login Failed

Required configuration

Enable the following rule: "UBA : Populate Multiple VPN Accounts Failed Login From Single IP"

Log source types

Cisco Adaptive Security Appliance (ASA)

UBA : Multiple VPN Accounts Logged In From Single IP

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Multiple VPN Accounts Logged In From Single IP

Enabled by default

False

Default senseValue

5

Description

Maps multiple VPN users that are coming from the same IP address and then raises the risk score. When the rule detects VPN users coming from the same IP address, the IP address is added to the "UBA : Multiple VPN Accounts Logged In From Single IP" reference set. Before enabling this rule, make sure the rule "UBA : Populate Multiple VPN Accounts Logged In From Single IP" is enabled and the "UBA : Multiple VPN Accounts Logged In From Single IP" reference set has data.

Support rules

• UBA : Populate Multiple VPN Accounts Logged In from Single IP
• BB:UBA : VPN Login Successful

Required configuration

Enable the following rule: "UBA : Populate Multiple VPN Accounts Logged In from Single IP"

Log source types

Cisco Adaptive Security Appliance (ASA)
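The two VPN rules above share one shape: a populate rule fills a reference set with source IPs that have presented several distinct accounts, and the detection rule flags further logins from those IPs. The following is an added example (not IBM's rule implementation) that models that populate/detect pattern over constructed Cisco ASA-style login events; the per-IP account threshold, the rule ordering and the sample data are assumptions, since the guide does not state them.

```python
"""Added example, not IBM's rule implementation: the populate/detect
pattern behind "UBA : Multiple VPN Accounts Failed Login From Single IP"
and "UBA : Multiple VPN Accounts Logged In From Single IP", run over
constructed Cisco ASA-style VPN login events."""
from collections import defaultdict

SENSE_VALUE = 5           # "Default senseValue" of both rules in the guide
MAX_ACCOUNTS_PER_IP = 2   # assumed threshold; the guide does not state one

# Constructed sample events: (username, source_ip, outcome)
SAMPLE_EVENTS = [
    ("alice", "203.0.113.10", "success"),
    ("bob",   "203.0.113.10", "success"),
    ("carol", "203.0.113.10", "success"),   # 3rd distinct account from this IP
    ("dave",  "203.0.113.10", "success"),   # arrives after the IP is flagged
    ("erin",  "198.51.100.7", "success"),   # a success does not count as a failure
    ("frank", "198.51.100.7", "failure"),
    ("grace", "198.51.100.7", "failure"),
    ("heidi", "198.51.100.7", "failure"),   # 3rd distinct failing account
    ("ivan",  "198.51.100.7", "failure"),
]


def run_rules(events, outcome, threshold=MAX_ACCOUNTS_PER_IP,
              populate_enabled=True):
    """Stream events through the populate rule and the detection rule.

    outcome="failure" models the "Failed Login" pair (BB:UBA : VPN Login
    Failed); outcome="success" models the "Logged In" pair (BB:UBA : VPN
    Login Successful).  Returns (reference_set, detections, risk_by_user).

    Assumption: the populate rule runs before the detection rule on each
    event, so the event that pushes an IP over the threshold is itself
    detected.
    """
    accounts_by_ip = defaultdict(set)   # distinct usernames seen per source IP
    reference_set = set()               # "UBA : Multiple VPN Accounts ... From Single IP"
    risk = defaultdict(int)
    detections = []
    for user, ip, result in events:
        if result != outcome:
            continue                    # the building block filters on login outcome
        # Populate rule: track distinct accounts per IP and add the IP to
        # the reference set once more than `threshold` accounts were seen.
        if populate_enabled:
            accounts_by_ip[ip].add(user)
            if len(accounts_by_ip[ip]) > threshold:
                reference_set.add(ip)
        # Detection rule: any matching login from an IP that is already in
        # the reference set is flagged and adds senseValue to the user's risk.
        if ip in reference_set:
            detections.append((user, ip))
            risk[user] += SENSE_VALUE
    return reference_set, detections, dict(risk)


if __name__ == "__main__":
    for outcome in ("failure", "success"):
        ref, hits, risk = run_rules(SAMPLE_EVENTS, outcome)
        print(outcome, ref, hits, risk)
    # With the populate rule disabled the reference set stays empty and the
    # detection rule never fires, which is why the guide says to enable the
    # populate rule and check that the reference set has data first.
    print(run_rules(SAMPLE_EVENTS, "success", populate_enabled=False))
```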

UBA : Repeat Unauthorized Access

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Repeat Unauthorized Access

Enabled by default

True

Default senseValue

10

Description

Indicates that repeat unauthorized access activities were found.

Support rule

UBA : Unauthorized Access

Required configuration

Enable the following rule: "UBA : Unauthorized Access"

Log source types

Akamai KONA, Amazon AWS CloudTrail, Application Security DbProtect, Arbor Networks Pravail, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Blue Coat Web Security Service, BlueCat Networks Adonis, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CRE System, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco Nexus, Cisco PIX Firewall, Cisco Wireless Services Module (WiSM), Citrix NetScaler, Configurable Firewall Filter, CorreLog Agent for IBM zOS, Custom Rule Engine, DCN DCS/DCRS Series, DG Technology MEAS, EMC VMWare, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Epic SIEM, Event CRE Injected, Extreme Dragon Network IPS, Extreme Stackable and Standalone Switches, F5 Networks BIG-IP AFM, F5 Networks BIG-IP ASM, Fidelis XPS, Flow Classification Engine, Forcepoint V Series, Fortinet FortiGate Security Gateway, Foundry Fastiron, H3C Comware Platform, HP Network Automation, HP Tandem, Honeycomb Lexicon File Integrity Monitor, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Server, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM Guardium, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Mobile, IBM Security Identity Manager, IBM Security Network IPS (GX), IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, ISC BIND, Illumio Adaptive Security Platform, Imperva Incapsula, Imperva SecureSphere, Juniper Junos OS Platform, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper WirelessLAN, Juniper vGW, Kaspersky Security Center, Kisco Information Systems SafeNet/i, Lieberman Random Password Manager, Linux DHCP Server, Linux OS, Linux iptables Firewall, Mac OS X, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee Web Gateway, McAfee ePolicy Orchestrator, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SQL Server, Microsoft Windows Security Event Log, NCC Group DDos Secure, Nortel Contivity VPN Switch, Nortel Multiprotocol Router, Nortel VPN Gateway, OS Services Qidmap, OSSEC, Okta, Open LDAP Software, OpenBSD OS, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Palo Alto PA Series, PostFix MailTransferAgent, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, Solaris Operating System Authentication Messages, Solaris Operating System DHCP Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Sophos Enterprise Console, Sophos Web Security Appliance, Squid Web Proxy, Stonesoft Management Center, Sun ONE LDAP, Symantec Critical System Protection, Symantec Endpoint Protection, Symantec Gateway Security (SGS) Appliance, Symantec System Center, Symark Power Broker, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend InterScan VirusWall, Trend Micro Deep Security, Universal DSM, Venustech Venusense Security Platform, Vormetric Data Security, WatchGuard Fireware OS, Zscaler Nss, genua genugate, iT-CUBE agileSI

UBA : Unauthorized Access

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Unauthorized Access

Enabled by default

True

Default senseValue

10

Description

Indicates that unauthorized access activities were found.

Support rules

• BB:UBA : Common Event Filters
• BB:UBA : Access Denies
• BB:UBA : Application Denies

Log source types

Akamai KONA, Amazon AWS CloudTrail, Application Security DbProtect, Arbor Networks Pravail, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Blue Coat Web Security Service, BlueCat Networks Adonis, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CRE System, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco Nexus, Cisco PIX Firewall, Cisco Wireless Services Module (WiSM), Citrix NetScaler, Configurable Firewall Filter, CorreLog Agent for IBM zOS, Custom Rule Engine, DCN DCS/DCRS Series, DG Technology MEAS, EMC VMWare, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Epic SIEM, Event CRE Injected, Extreme Dragon Network IPS, Extreme Stackable and Standalone Switches, F5 Networks BIG-IP AFM, F5 Networks BIG-IP ASM, Fidelis XPS, Flow Classification Engine, Forcepoint V Series, Fortinet FortiGate Security Gateway, Foundry Fastiron, H3C Comware Platform, HP Network Automation, HP Tandem, Honeycomb Lexicon File Integrity Monitor, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Server, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM Guardium, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Mobile, IBM Security Identity Manager, IBM Security Network IPS (GX), IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, ISC BIND, Illumio Adaptive Security Platform, Imperva Incapsula, Imperva SecureSphere, Juniper Junos OS Platform, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper WirelessLAN, Juniper vGW, Kaspersky Security Center, Kisco Information Systems SafeNet/i, Lieberman Random Password Manager, Linux DHCP Server, Linux OS, Linux iptables Firewall, Mac OS X, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee Web Gateway, McAfee ePolicy Orchestrator, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SQL Server, Microsoft Windows Security Event Log, NCC Group DDos Secure, Nortel Contivity VPN Switch, Nortel Multiprotocol Router, Nortel VPN Gateway, OS Services Qidmap, OSSEC, Okta, Open LDAP Software, OpenBSD OS, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Palo Alto PA Series, PostFix MailTransferAgent, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, Solaris Operating System Authentication Messages, Solaris Operating System DHCP Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Sophos Enterprise Console, Sophos Web Security Appliance, Squid Web Proxy, Stonesoft Management Center, Sun ONE LDAP, Symantec Critical System Protection, Symantec Endpoint Protection, Symantec Gateway Security (SGS) Appliance, Symantec System Center, Symark Power Broker, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend InterScan VirusWall, Trend Micro Deep Security, Universal DSM, Venustech Venusense Security Platform, Vormetric Data Security, WatchGuard Fireware OS, Zscaler Nss, genua genugate, iT-CUBE agileSI

UBA : Unix/Linux System Accessed With Service or Machine Account

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Unix/Linux System Accessed With Service or Machine Account

Enabled by default

True

Default senseValue

15

Description

Detects any interactive session (through GUI and CLI, both local and remote login) that is initiated by a service or machine account in UNIX and Linux servers. Accounts and allowed interactive sessions are listed in the UBA : Service, Machine Account and the UBA : Allowed Interaction Session reference sets. Edit the reference sets to add or remove any interactive session that you want to flag from your environment.

Support rules

• BB:UBA : Common Event Filters
• BB:CategoryDefinition: Firewall or ACL Accept
• BB:CategoryDefinition: Authentication Success

Required configuration

Add the appropriate values to the following reference sets: "UBA : Service, Machine Account" and "UBA : Allowed Interactive Session".

Log source types

Linux OS

UBA : User Access - Failed Access to Critical Assets

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : User Access - Failed Access to Critical Assets

Enabled by default

True

Default senseValue

5

Description

This rule detects authentication failures for systems located in the Critical Assets reference set.

Support rules

• BB:UBA : Common Event Filters
• BB:CategoryDefinition: Authentication Failures

Required configuration

Add the appropriate values to the following reference set: "Critical Assets".

Log source types

3Com 8800 Series Switch, APC UPS, AhnLab Policy Center APC, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Bluemix Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco FireSIGHT Management Center, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, CyberGuard TSP Firewall/VPN, DCN DCS/DCRS Series, DG Technology MEAS, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM Guardium, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, ISC BIND, Illumio Adaptive Security Platform, Imperva SecureSphere, Infoblox NIOS, Itron Smart Meter, Juniper Junos OS Platform, Juniper Junos WebApp Secure, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Lieberman Random Password Manager, LightCyber Magna, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft SCOM, Microsoft SQL Server, Microsoft SharePoint, Microsoft Windows Security Event Log, Motorola SymbolAP, Netskope Active, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, Okta, Open LDAP Software, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Monitoring, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, Venustech Venusense Security Platform, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI

UBA : User Access - First Access to Critical Assets

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Supports:

• UBA : User Access First Access to Critical Assets
• UBA : Critical Systems Users Seen Update

Enabled by default

True

Default senseValue

10

Description

UBA : User Access First Access to Critical Assets: Indicates that this is the first time the user accessed a critical asset. The "Critical Systems Users Seen" reference collection governs the time-to-live of an observation. By default this rule detects the first access in three months.

UBA : Critical Systems Users Seen Update: Updates the last seen value in the "Critical Systems Users Seen" reference collection for Destination IP/Username matches that already exist.

Support rules

• BB:CategoryDefinition: Authentication Success
• BB:UBA : Common Event Filters

Required configuration

Add the appropriate values to the following reference set: "Critical Assets".

Log source types

APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDos Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI
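The first-access rule above depends on the "Critical Systems Users Seen" reference collection: a (destination IP, username) pair with a live entry is a repeat visit that only gets its last-seen value refreshed, while a missing or expired entry is a first access. The following is an added example (not IBM's rule implementation) that models that collection and both rules over constructed authentication events; the 90-day time-to-live standing in for "three months", the since-last-seen expiry and the sample data are assumptions.

```python
"""Added example, not IBM's rule implementation: first-access detection
for critical assets, modelling the "Critical Systems Users Seen"
reference collection as a (destination IP, username) -> last-seen map
with a time-to-live, plus the "Update" rule that refreshes last seen."""
from datetime import datetime, timedelta

SENSE_VALUE = 10                  # "Default senseValue" of the rule in the guide
TTL = timedelta(days=90)          # "three months" in the guide; 90 days is an assumption
CRITICAL_ASSETS = {"10.0.0.5", "10.0.0.6"}   # constructed "Critical Assets" reference set


class CriticalSystemsUsersSeen:
    """Reference collection keyed by (dest_ip, username) storing last seen.
    Assumption: an entry expires when it has not been updated within TTL."""

    def __init__(self, ttl=TTL):
        self.ttl = ttl
        self.last_seen = {}

    def observe(self, dest_ip, user, when):
        """Record an observation; return True when it is a first access
        (no live entry), False when an existing entry was just refreshed."""
        key = (dest_ip, user)
        previous = self.last_seen.get(key)
        self.last_seen[key] = when        # "Critical Systems Users Seen Update" rule
        return previous is None or when - previous > self.ttl


def first_access_detections(events, assets=CRITICAL_ASSETS, ttl=TTL):
    """Apply the rule to (timestamp, username, dest_ip, outcome) events.
    Returns (list of first-access hits, risk score per user)."""
    seen = CriticalSystemsUsersSeen(ttl)
    hits, risk = [], {}
    for ts, user, dest_ip, outcome in events:
        # BB:CategoryDefinition: Authentication Success, restricted to the
        # destinations listed in the "Critical Assets" reference set.
        if outcome != "success" or dest_ip not in assets:
            continue
        if seen.observe(dest_ip, user, ts):
            hits.append((ts, user, dest_ip))
            risk[user] = risk.get(user, 0) + SENSE_VALUE
    return hits, risk


T0 = datetime(2019, 1, 1)
# Constructed sample events: (timestamp, username, dest_ip, outcome)
SAMPLE_EVENTS = [
    (T0, "alice", "10.0.0.5", "success"),                       # first access
    (T0 + timedelta(days=10), "alice", "10.0.0.5", "success"),  # refresh only
    (T0 + timedelta(days=50), "alice", "10.0.0.6", "failure"),  # not a success
    (T0 + timedelta(days=50), "bob", "10.0.0.9", "success"),    # not a critical asset
    (T0 + timedelta(days=60), "bob", "10.0.0.6", "success"),    # first access
    (T0 + timedelta(days=101), "alice", "10.0.0.5", "success"), # 91 days since last seen: expired
]

if __name__ == "__main__":
    for hit in first_access_detections(SAMPLE_EVENTS)[0]:
        print(hit)
```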

UBA : User Access from Multiple Hosts

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : User Access from Multiple Hosts

Enabled by default

False

Default senseValue

5

Description

Detects when a single user logs in from more than an allowed number of devices.

Support rule

BB:UBA : Common Event Filters

Log source types

APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDos Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI

UBA : User Access to Internal Server From Jump Server

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : User Access to Internal Server From Jump Server

Enabled by default

False

Default senseValue

10

Description

Detects when a user uses a jump server to access the VPN or internal servers.

Support Rules

• BB:UBA : Common Event Filters
• BB:CategoryDefinition: Authentication Success

Required configuration

Add the appropriate values to the following reference sets: "UBA : Jump Servers" and "UBA : Internal Servers".
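The correlation this rule performs, sketched in Python as an added example (this is not the UBA app's own rule code): an authentication-success event whose source address is in the "UBA : Jump Servers" reference set and whose destination address is in "UBA : Internal Servers" dispatches a sense event that adds the rule's senseValue to the user's risk score. The event field names, the category names standing in for the Authentication Success building block, the reference-set contents and the sample events are all constructed for the illustration.

```python
"""Re-implementation sketch of "UBA : User Access to Internal Server From Jump Server".

Added example, not the UBA app's rule code.  Events are assumed to be already
normalized by QRadar (username, source IP, destination IP, low-level category).
The reference-set contents, the category names standing in for the
Authentication Success building block, and the sample events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

RULE_NAME = "UBA : User Access to Internal Server From Jump Server"
DEFAULT_SENSE_VALUE = 10  # this rule's default senseValue in the guide

# Stand-ins for the two reference sets the rule reads (constructed values).
JUMP_SERVERS = {"10.10.0.5", "10.10.0.6"}        # "UBA : Jump Servers"
INTERNAL_SERVERS = {"10.20.1.10", "10.20.2.2"}   # "UBA : Internal Servers"

# Assumed stand-in for BB:CategoryDefinition: Authentication Success.
AUTH_SUCCESS_CATEGORIES = {
    "Authentication.User Login Success",
    "Authentication.Admin Login Success",
    "Authentication.SSH Login Succeeded",
}


@dataclass(frozen=True)
class Event:
    username: str
    source_ip: str
    destination_ip: str
    category: str


@dataclass(frozen=True)
class SenseEvent:
    """What a UBA rule dispatches: the user whose risk score is incremented."""
    username: str
    rule: str
    sense_value: int


def passes_common_event_filters(event: Event) -> bool:
    """Assumed stand-in for BB:UBA : Common Event Filters: keep only events that
    can be attributed to a real user name."""
    return bool(event.username) and event.username.lower() not in {"n/a", "unknown", "-"}


def is_authentication_success(event: Event) -> bool:
    return event.category in AUTH_SUCCESS_CATEGORIES


def from_jump_server_to_internal(event: Event, jump_servers, internal_servers) -> bool:
    """The rule's own test: source in the jump-server set, destination in the internal set."""
    return event.source_ip in jump_servers and event.destination_ip in internal_servers


def evaluate(events, jump_servers=JUMP_SERVERS, internal_servers=INTERNAL_SERVERS,
             sense_value=DEFAULT_SENSE_VALUE):
    """Return one sense event per matching event, in input order."""
    return [
        SenseEvent(ev.username, RULE_NAME, sense_value)
        for ev in events
        if passes_common_event_filters(ev)
        and is_authentication_success(ev)
        and from_jump_server_to_internal(ev, jump_servers, internal_servers)
    ]


def risk_scores(sense_events):
    """How UBA accumulates risk: the sum of senseValues dispatched for each user."""
    scores = defaultdict(int)
    for se in sense_events:
        scores[se.username] += se.sense_value
    return dict(scores)


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    Event("jdoe", "10.10.0.5", "10.20.1.10", "Authentication.SSH Login Succeeded"),      # fires
    Event("asmith", "192.168.1.20", "10.20.1.10", "Authentication.User Login Success"),  # direct access, no jump server
    Event("jdoe", "10.10.0.5", "10.20.1.10", "Authentication.User Login Failure"),       # a failure, not a success
    Event("", "10.10.0.5", "10.20.2.2", "Authentication.Admin Login Success"),           # no user to attribute
    Event("bkim", "10.10.0.6", "10.20.2.2", "Authentication.Admin Login Success"),       # fires
    Event("bkim", "10.10.0.6", "10.40.9.9", "Authentication.Admin Login Success"),       # destination not in the internal set
]

if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for hit in hits:
        print(f"{hit.rule}: {hit.username} +{hit.sense_value}")
    print(risk_scores(hits))
```

With an empty jump-server set the rule can never match, which is why the guide lists populating both reference sets as required configuration; the same holds for the real rule when the sets are left empty after installation.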

Log source types

APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDos Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI

UBA : User Access Login Anomaly
The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : User Access Login Anomaly

Enabled by default

True

Default senseValue

5

Description

Indicates a sequence of login failures on a local asset. The rule might also indicate an account compromise or lateral movement activity. Ensure that the Multiple Login Failures for Single Username rule is enabled. Adjust the match and time duration parameters for this rule to tune the responsiveness.

Support rules

• BB:UBA : Common Event Filters
• Multiple Login Failures for Single Username

Required configuration

Enable the following rule: "Multiple Login Failures for Single Username"

Log source types

All supported log sources.

UBA : User Accessing Account from Anonymous Source
The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : User Accessing Account from Anonymous Source

Enabled by default

True

Default senseValue

15

Description

Indicates that a user is accessing internal resources from an anonymous source such as TOR or a VPN.

Support Rules

• BB:CategoryDefinition: Authentication Success
• BB:UBA : Common Event Filters

Required Configuration

Set "Enable X-Force Threat Intelligence Feed" to Yes in Admin Settings > System Settings.

Log source types

APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDos Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI

UBA : User Time, Access at Unusual Times
The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : User Time, Access at Unusual Times

Enabled by default

True

Default senseValue

5

Description

Indicates that users are successfully authenticating at times that are unusual for your network, as defined by the "UBA : Unusual Times, %" building blocks.

Support rules

• BB:UBA : Common Event Filters
• BB:CategoryDefinition: Authentication Success
• BB:UBA : Unusual Times, Evening
• BB:UBA : Unusual Times, Overnight

Log source types

APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDos Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI

UBA : VPN Access By Service or Machine Account
The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : VPN Access By Service or Machine Account

Enabled by default

True

Default senseValue

10

Description

Detects when a Cisco VPN is accessed by a service or machine account. Accounts are listed in the 'UBA : Service, Machine Account' reference set. Edit this list to add or remove any accounts to flag from your environment.

Support rule

BB:UBA : VPN Mapping (logic)

Required configuration

Add the appropriate values to the following reference sets: "UBA : Service, Machine Account".

Log source types

Cisco Adaptive Security Appliance (ASA)

UBA : VPN Certificate Sharing
The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : VPN Certificate Sharing

Enabled by default

True

Note: If you plan to use the UBA : VPN Certificate Sharing rule, you must update the Cisco Firewall DSM to the following:

• For V7.2.8: DSM-CiscoFirewallDevices-7.2-20170619124928.noarch.rpm
• For V7.3.0 and later: DSM-CiscoFirewallDevices-7.3-20170619132427.noarch.rpm

Default senseValue

15

Description

This rule detects when a VPN event's Username is not equal to its 'VPNSubjectcn' value, which can indicate that a VPN certificate is being shared. Sharing certificates or other authentication tokens makes it difficult to establish who did what, which complicates the response when a compromise occurs.

Support rules

• BB:UBA : VPN Mapping (logic)
• UBA : Subject_CN and Username Map Update
• UBA : Subject_CN and Username Mapping

These rules update the associated reference sets with the required data.

Required configuration

Enable the following rules:

• UBA : Subject_CN and Username Map Update
• UBA : Subject_CN and Username Mapping
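The check this rule and its two support rules perform, sketched in Python as an added example (not the UBA app's rule code): the mapping rules record which user each client-certificate CN belongs to, and the detection rule flags a VPN event whose Username is not the user that CN is mapped to. In QRadar the compared values are the event's Username and the VPNSubjectcn property parsed by the updated Cisco Firewall DSM; here both are fields of a constructed VpnEvent. The first-seen mapping policy, the case folding and the sample events are assumptions made for the illustration.

```python
"""Re-implementation sketch of "UBA : VPN Certificate Sharing" and the
Subject_CN-to-Username mapping its support rules maintain.

Added example, not the UBA app's rule code.  In QRadar the rule compares the
event's Username with the VPNSubjectcn property parsed by the Cisco Firewall
DSM; here both arrive as fields of a constructed VpnEvent.  The first-seen
mapping policy, the case folding and the sample events are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

RULE_NAME = "UBA : VPN Certificate Sharing"
DEFAULT_SENSE_VALUE = 15  # this rule's default senseValue in the guide


@dataclass(frozen=True)
class VpnEvent:
    username: str     # Username the VPN session authenticated as
    subject_cn: str   # VPNSubjectcn: CN of the client certificate presented ("" if none)
    source_ip: str


@dataclass(frozen=True)
class Finding:
    rule: str
    username: str     # who the session was attributed to
    subject_cn: str   # certificate that was presented
    mapped_user: str  # user that certificate is mapped to
    source_ip: str
    sense_value: int


def norm(name: str) -> str:
    """Assumption: user names and CNs compare case-insensitively."""
    return name.strip().lower()


@dataclass
class SubjectCnMap:
    """Stand-in for the reference data kept current by
    'UBA : Subject_CN and Username Mapping' and 'UBA : Subject_CN and Username Map Update'.
    Assumed policy: a certificate CN maps to the user it was first seen authenticating as."""
    cn_to_user: dict = field(default_factory=dict)

    def learn(self, event: VpnEvent) -> str:
        """Record the CN on first sight and return the user it is mapped to."""
        return self.cn_to_user.setdefault(norm(event.subject_cn), norm(event.username))


def detect_certificate_sharing(events, mapping: Optional[SubjectCnMap] = None,
                               sense_value: int = DEFAULT_SENSE_VALUE):
    mapping = mapping if mapping is not None else SubjectCnMap()
    findings = []
    for ev in events:
        if not ev.subject_cn or not ev.username:
            continue  # password-only logon or unattributed event: nothing to compare
        owner = mapping.learn(ev)
        # The rule's core test: the session's Username is not the identity the certificate belongs to.
        if norm(ev.username) != owner:
            findings.append(Finding(RULE_NAME, ev.username, ev.subject_cn, owner, ev.source_ip, sense_value))
    return findings


# Constructed sample events (not real ASA log data).
SAMPLE_EVENTS = [
    VpnEvent("jdoe", "jdoe", "198.51.100.10"),    # first sight: certificate "jdoe" -> user jdoe
    VpnEvent("asmith", "asmith", "198.51.100.11"),
    VpnEvent("JDOE", "jdoe", "198.51.100.12"),    # same person, different case: not sharing
    VpnEvent("mlee", "jdoe", "203.0.113.7"),      # jdoe's certificate on mlee's session: flagged
    VpnEvent("rpatel", "", "203.0.113.8"),        # no client certificate: rule does not apply
    VpnEvent("jdoe", "jdoe", "198.51.100.10"),
]

if __name__ == "__main__":
    for f in detect_certificate_sharing(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.username} from {f.source_ip} used certificate "
              f"CN={f.subject_cn!r} mapped to {f.mapped_user} (+{f.sense_value})")
```

The first observation wins in this model, so if the first session seen for a certificate is already the borrowed one, the legitimate owner is the user who gets flagged later. That is the reason the guide has you enable the mapping rules (and update the DSM so the CN is actually parsed) before relying on the detection rule: the map needs to be populated from normal traffic first.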

Log source types

Cisco Adaptive Security Appliance (ASA)

UBA : Windows Access with Service or Machine Account
The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Windows Access with Service or Machine Account

Enabled by default

True

Default senseValue

15

Description

Detects any interactive session (RDP, local login) that is initiated by a service or machine account in Windows Server. Accounts are listed in the UBA : Service, Machine Account reference set. Edit the list to add or remove any accounts to flag from your environment.

Support rules

BB:UBA : Common Event Filters

Required configuration

Add the appropriate values to the following reference sets: "UBA : Service, Machine Account".

Log source types

Microsoft Windows Security Event Log (EventID: 4776)

Accounts and privileges

UBA : Account or Group or Privileges Added
The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Account or Group or Privileges Added (formerly called UBA : Account, Group or Privileges Added or Modified)

Enabled by default

True

Default senseValue

5

Description

Detects events that a user performs and that fit into one of the following categories. The rule dispatches an IBM Sense event to increment the originating user's risk score.

• Authentication.Group Added
• Authentication.Group Changed
• Authentication.Group Member Added
• Authentication.Computer Account Added
• Authentication.Computer Account Changed
• Authentication.Policy Added
• Authentication.Policy Change
• Authentication.Trusted Domain Added
• Authentication.User Account Added
• Authentication.User Account Changed
• Authentication.User Right Assigned

Note: To tune the impact of this rule on users' overall risk scores, consider modifying the building block rule "CategoryDefinition: Authentication User or Group Added or Changed" by adding event categories of interest to your organization.

Support rules

• BB:UBA : Common Event Filters
• BB:UBA : Authentication User or Group or Policy Added

Log source types

Akamai KONA, Amazon AWS CloudTrail, Application Security DbProtect, Arbor Networks Pravail, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Blue Coat Web Security Service, BlueCat Networks Adonis, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CRE System, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco Nexus, Cisco PIX Firewall, Cisco Wireless Services Module (WiSM), Citrix NetScaler, Configurable Firewall Filter, CorreLog Agent for IBM zOS, Custom Rule Engine, DCN DCS/DCRS Series, DG Technology MEAS, EMC VMWare, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Epic SIEM, Event CRE Injected, Extreme Dragon Network IPS, Extreme Stackable and Standalone Switches, F5 Networks BIG-IP AFM, F5 Networks BIG-IP ASM, Fidelis XPS, Flow Classification Engine, Forcepoint V Series, Fortinet FortiGate Security Gateway, Foundry Fastiron, H3C Comware Platform, HP Network Automation, HP Tandem, Honeycomb Lexicon File Integrity Monitor, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Server, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM Guardium, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Mobile, IBM Security Identity Manager, IBM Security Network IPS (GX), IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, ISC BIND, Illumio Adaptive Security Platform, Imperva Incapsula, Imperva SecureSphere, Juniper Junos OS Platform, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper WirelessLAN, Juniper vGW, Kaspersky Security Center, Kisco Information Systems SafeNet/i, Lieberman Random Password Manager, Linux DHCP Server, Linux OS, Linux iptables Firewall, Mac OS X, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee Web Gateway, McAfee ePolicy Orchestrator, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SQL Server, Microsoft Windows Security Event Log, NCC Group DDos Secure, Nortel Contivity VPN Switch, Nortel Multiprotocol Router, Nortel VPN Gateway, OS Services Qidmap, OSSEC, Okta, Open LDAP Software, OpenBSD OS, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Palo Alto PA Series, PostFix MailTransferAgent, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, Solaris Operating System Authentication Messages, Solaris Operating System DHCP Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Sophos Enterprise Console, Sophos Web Security Appliance, Squid Web Proxy, Stonesoft Management Center, Sun ONE LDAP, Symantec Critical System Protection, Symantec Endpoint Protection, Symantec Gateway Security (SGS) Appliance, Symantec System Center, Symark Power Broker, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend InterScan VirusWall, Trend Micro Deep Security, Universal DSM, Venustech Venusense Security Platform, Vormetric Data Security, WatchGuard Fireware OS, Zscaler Nss, genua genugate, iT-CUBE agileSI

Related concepts

UBA : Account or Group or Privileges Modified
UBA : DoS Attack by Account Deletion
UBA : User Account Created and Deleted in a Short Period of Time
UBA : Dormant Account Used
UBA : Dormant Account Use Attempted
UBA : Expired Account Used
UBA : First Privilege Escalation
UBA : New Account Use Detected
UBA : Suspicious Privileged Activity (First Observed Privilege Use)
UBA : Suspicious Privileged Activity (Rarely Used Privilege)
UBA : User Attempt to Use a Suspended Account
UBA : User Has Gone Dormant (ADE rule)

UBA : Account or Group or Privileges Modified
The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Account or Group or Privileges Modified (formerly called UBA : User Account Change)

Enabled by default

True

Default senseValue

10

Description

Indicates when a user account was affected by an action which changes the user’s effective privileges,either up or down.

False positive note: This rule might attribute a modification made to one account (AccountName) to the user who made the change (Username), so an administrator's routine changes raise the administrator's risk score. To reduce this possibility, add the test 'and when Username equals AccountName' to the rule so that only changes a user makes to their own account are counted.

False negative note: This event might not detect all cases of account modifications for a user.

Support rules

• BB:UBA : Common Event Filters
• BB:UBA : Authentication User or Group or Policy Changed

Log source types

Microsoft Windows Security Event Log (EventID: 626, 642, 644, 1300, 1317, 625, 629, 4672, 4722, 4725, 4738, 4765, 4767, 4781, 4737, 4755)

Related concepts

UBA : Account or Group or Privileges Added
UBA : DoS Attack by Account Deletion
UBA : User Account Created and Deleted in a Short Period of Time
UBA : Dormant Account Used
UBA : Dormant Account Use Attempted
UBA : Expired Account Used
UBA : First Privilege Escalation
UBA : New Account Use Detected
UBA : Suspicious Privileged Activity (First Observed Privilege Use)
UBA : Suspicious Privileged Activity (Rarely Used Privilege)
UBA : User Attempt to Use a Suspended Account
UBA : User Has Gone Dormant (ADE rule)

UBA : DoS Attack by Account Deletion

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : DoS Attack by Account Deletion

Enabled by default

False

Default senseValue

10


Description

Detects a DoS attack by checking the number of account deletion events against a fixed threshold within a fixed time span.

Support rules

• BB:UBA : Common Event Filters
• BB:UBA : User Account Deleted

Log source types

Amazon AWS CloudTrail (EventID: DeleteUser)

Application Security DbProtect (EventID: Login revoked - Windows, Login dropped - standard, Database role - dropped, Database user revoked)

Aruba Mobility Controller (EventID: authmgr_user_del)

Box (EventID: DELETE_USER)

Brocade FabricOS (EventID: SEC-1181, SEC-3028)

CA ACF2 (EventID: ACF2-L)

Check Point (EventID: user_deleted, device_deleted, User Deleted)

Cilasoft QJRN/400 (EventID: C20020)

Cisco Adaptive Security Appliance (ASA) (EventID: %PIX|ASA-5-502102, %ASA-5-502102)

Cisco FireSIGHT Management Center (EventID: USER_REMOVED_CHANGE_EVENT)

Cisco Firewall Services Module (FWSM) (EventID: 502102)

Cisco Identity Services Engine (EventID: 86008, 86028)

Cisco NAC Appliance (EventID: CCA-1453, CCA-1502)

Cisco Nexus (EventID: SECURITYD-6-DELETE_STALE_USER_ACCOUNT)

Cisco Wireless LAN Controllers (EventID: 1.3.6.1.4.1.9.9.515.0.1)

CloudPassage Halo (EventID: Halo user deleted, Local account deleted (linux only))

CorreLog Agent for IBM zOS (EventID: RACF DELUSER: No Violations)

Custom Rule Engine (EventID: 3035, 3043)

Cyber-Ark Vault (EventID: 276)

EMC VMWare (EventID: AccountRemovedEvent)

Extreme Dragon Network IPS (EventID: HOST:LINUX:USER-DELETED, HOST:WIN:ACCOUNT-DELETED)

Extreme Matrix K/N/S Series Switch (EventID: User Deleted Event, has been deleted)

Extreme NAC (EventID: Deleted registered user)

Extreme NetsightASM (EventID: UserRemove)

Flow Classification Engine (EventID: 3035, 3043)

Forcepoint Sidewinder (EventID: passport deletion, all passports revoked)

HBGary Active Defense (EventID: DeleteUser)

HP Network Automation (EventID: User Deleted)

Huawei S Series Switch (EventID: SSH/6/DELUSER_SUCCESS)

IBM AIX Audit (EventID: USER_Remove SUCCEEDED)


IBM AIX Server (EventID: USER_Remove)

IBM DB2 (EventID: DROP_USER SUCCESS)

IBM DataPower (EventID: 0x81000136)

IBM IMS (EventID: USER DELETED)

IBM Proventia Network Intrusion Prevention System (IPS) (EventID: Delete User)

IBM QRadar Packet Capture (EventID: UserDeleted)

IBM Resource Access Control Facility (RACF) (EventID: 80 17.2, DELUSER_SUCCESS, 80 17.0)

IBM Security Access Manager for Enterprise Single Sign-On (EventID: REVOKE_IMS_ID, DELETE_IMS_ID)

IBM Security Directory Server (EventID: SDS Audit)

IBM Security Identity Governance (EventID: 50, 43, 70005)

IBM Security Identity Manager (EventID: Delete SUCCESS, Delete SUBMITTED, Delete Success)

IBM SmartCloud Orchestrator (EventID: user)

IBM Tivoli Access Manager for e-business (EventID: 13408 - Succeeded, 13408 Command Succeeded)

IBM i (EventID: GSL2502, M250100, DO_USRPRF, GSL2602, GSL2601, M260100, MC@0400, GSL2501)

IBM z/OS (EventID: 80 1.35)

Juniper Networks Network and Security Manager (EventID: adm24473)

Linux OS (EventID: userDel, Account Deleted, DEL_USER)

McAfee Application/Change Control (EventID: USER_ACCOUNT_DELETED)

McAfee ePolicy Orchestrator (EventID: 20793)

Microsoft ISA (EventID: user removed)

Microsoft Office 365 (EventID: Delete User-PartiallySucceded, Delete user-success, Delete User-success, Delete user-PartiallySucceded)

Microsoft SQL Server (EventID: 24129, DR - US, DR - SL, DR - LX, DR - AR, DR - SU, 24076, 24123, 38)

Microsoft Windows Security Event Log (EventID: 4743, 630, 1327, 647, 4726)

Netskope Active (EventID: Delete Admin, Deleted admin)

Nortel Application Switch (EventID: User Deleted)

Novell eDirectory (EventID: DELETE_ACCOUNT)

OS Services Qidmap (EventID: Account Deleted, User Deleted)

OSSEC (EventID: 18112)

Okta (EventID: core.user_group_member.user_remove, app.generic.import.details.delete_user)

Oracle Enterprise Manager (EventID: Computer Delete (successful), User Delete (successful))

Oracle RDBMS Audit Record (EventID: DROP USER-Standard:1, 53:1, 53:0, DROP USER-Standard:0, 53)

PGP Universal Server (EventID: ADMIN_DELETED_USER)

Palo Alto Endpoint Security Manager (EventID: User Deleted)

Pulse Secure Pulse Connect Secure (EventID: SYN24849, ADM20722, ADM24473, SYN24745, SYN24850)

RSA Authentication Manager (EventID: unknown, Deleted user, REMOVE_ORPHANED_PRINCIPALS, REMOTE_PRINCIPAL_DELETE, DELETE_PRINCIPAL)

SIM Audit (EventID: Configuration-UserAccount-AccountDeleted)


STEALTHbits StealthINTERCEPT (EventID: Active DirectorycomputerObject DeletedTrueFalse, ActiveDirectoryuserObject DeletedTrueFalse, Console user/group deleted, Console user/group deleted)

SafeNet DataSecure/KeySecure (EventID: Removed user)

Skyhigh Networks Cloud Security Platform (EventID: 10017)

Solaris BSM (EventID: delete user)

SonicWALL SonicOS (EventID: 559, 1157, 1158)

Trend Micro Deep Security (EventID: 651)

Universal DSM (EventID: Computer Account Removed, User Account Removed)

VMware vCloud Director (EventID: com/vmware/vcloud/event/user/remove, com/vmware/vcloud/event/user/delete)

Vormetric Data Security (EventID: DAO0090I)

iT-CUBE agileSI (EventID: AU8, U0)

Related concepts
• UBA : Account or Group or Privileges Added
• UBA : Account or Group or Privileges Modified
• UBA : User Account Created and Deleted in a Short Period of Time
• UBA : Dormant Account Used
• UBA : Dormant Account Use Attempted
• UBA : Expired Account Used
• UBA : First Privilege Escalation
• UBA : New Account Use Detected
• UBA : Suspicious Privileged Activity (First Observed Privilege Use)
• UBA : Suspicious Privileged Activity (Rarely Used Privilege)
• UBA : User Attempt to Use a Suspended Account
• UBA : User Has Gone Dormant (ADE rule)

UBA : User Account Created and Deleted in a Short Period of Time

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : User Account Created and Deleted in a Short Period of Time

Enabled by default

True

Default senseValue

15

Description

Detects when a user account is created and then deleted within a short period of time.

Support rules

• BB:UBA : User Account Created
• BB:UBA : User Account Deleted
• BB:UBA : Common Event Filters

Log source types

Related concepts
• UBA : Account or Group or Privileges Added
• UBA : Account or Group or Privileges Modified
• UBA : DoS Attack by Account Deletion
• UBA : Dormant Account Used
• UBA : Dormant Account Use Attempted
• UBA : Expired Account Used
• UBA : First Privilege Escalation
• UBA : New Account Use Detected
• UBA : Suspicious Privileged Activity (First Observed Privilege Use)
• UBA : Suspicious Privileged Activity (Rarely Used Privilege)
• UBA : User Attempt to Use a Suspended Account
• UBA : User Has Gone Dormant (ADE rule)
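As an added example (not code from the IBM guide or from the UBA app itself), the following Python replays constructed account-lifecycle events through the two detections described above: the windowed deletion count behind UBA : DoS Attack by Account Deletion, and the create-then-delete pairing behind UBA : User Account Created and Deleted in a Short Period of Time. The deletion EventIDs are taken from the log source list on this page; the account-created EventIDs, the per-actor counting, the threshold of 10, and the 10-minute and 1-hour windows are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Subset of the page's "BB:UBA : User Account Deleted" mapping, as (log source type, EventID).
ACCOUNT_DELETED = {
    ("Microsoft Windows Security Event Log", "4726"),
    ("Microsoft Windows Security Event Log", "630"),
    ("Linux OS", "DEL_USER"),
    ("Amazon AWS CloudTrail", "DeleteUser"),
    ("Okta", "app.generic.import.details.delete_user"),
}
# The page does not list "BB:UBA : User Account Created"; these pairs are assumptions for the example.
ACCOUNT_CREATED = {
    ("Microsoft Windows Security Event Log", "4720"),
    ("Linux OS", "ADD_USER"),
    ("Amazon AWS CloudTrail", "CreateUser"),
}

# Constructed sample records: 'timestamp|log source type|EventID|actor|target account'.
# svc_backup deletes ten accounts in under five minutes; tmp_user lives ten seconds;
# build_tmp is deleted two hours after creation (outside the pairing window); 4624 is a logon (noise).
SAMPLE_LOG = """\
2019-06-03T09:00:00|Microsoft Windows Security Event Log|4720|admin_jk|tmp_user
2019-06-03T09:00:05|Linux OS|ADD_USER|root|build_tmp
2019-06-03T09:00:10|Microsoft Windows Security Event Log|4726|admin_jk|tmp_user
2019-06-03T09:01:00|Microsoft Windows Security Event Log|4624|svc_backup|svc_backup
2019-06-03T09:02:00|Microsoft Windows Security Event Log|4726|svc_backup|user01
2019-06-03T09:02:30|Microsoft Windows Security Event Log|4726|svc_backup|user02
2019-06-03T09:03:00|Microsoft Windows Security Event Log|4726|svc_backup|user03
2019-06-03T09:03:30|Linux OS|DEL_USER|svc_backup|user04
2019-06-03T09:04:00|Linux OS|DEL_USER|svc_backup|user05
2019-06-03T09:04:30|Amazon AWS CloudTrail|DeleteUser|svc_backup|user06
2019-06-03T09:05:00|Amazon AWS CloudTrail|DeleteUser|svc_backup|user07
2019-06-03T09:05:30|Microsoft Windows Security Event Log|4726|svc_backup|user08
2019-06-03T09:06:00|Microsoft Windows Security Event Log|4726|svc_backup|user09
2019-06-03T09:06:30|Microsoft Windows Security Event Log|4726|svc_backup|user10
2019-06-03T11:00:00|Linux OS|DEL_USER|root|build_tmp
"""


def parse_event(line):
    """Split one constructed record into a dict with a real datetime."""
    ts, source, event_id, actor, target = line.split("|")
    return {"time": datetime.fromisoformat(ts), "source": source,
            "event_id": event_id, "actor": actor, "target": target}


def load_sample():
    return [parse_event(line) for line in SAMPLE_LOG.splitlines()]


def dos_by_account_deletion(events, threshold=10, window=timedelta(minutes=10)):
    """Alert when one actor produces `threshold` account-deletion events inside `window`.

    A per-actor deque holds the timestamps of recent deletions; timestamps older than
    the window are evicted before the count is compared, so the count is always the
    number of deletions in the trailing window. The alert fires once, when the count
    first reaches the threshold in a burst (assumed alerting policy)."""
    recent = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if (ev["source"], ev["event_id"]) not in ACCOUNT_DELETED:
            continue                      # the building block filters out everything else
        stamps = recent[ev["actor"]]
        stamps.append(ev["time"])
        while ev["time"] - stamps[0] > window:
            stamps.popleft()              # drop deletions that fell out of the window
        if len(stamps) == threshold:
            alerts.append({"time": ev["time"], "actor": ev["actor"], "count": len(stamps)})
    return alerts


def created_and_deleted(events, window=timedelta(hours=1)):
    """Alert when an account is deleted within `window` of its creation.

    Creation times are remembered per target account; a matching deletion consumes the
    entry, so a later re-creation starts a fresh lifetime."""
    created_at = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["source"], ev["event_id"])
        if key in ACCOUNT_CREATED:
            created_at[ev["target"]] = ev["time"]
        elif key in ACCOUNT_DELETED:
            born = created_at.pop(ev["target"], None)
            if born is not None and ev["time"] - born <= window:
                alerts.append({"target": ev["target"], "actor": ev["actor"],
                               "lifetime": ev["time"] - born})
    return alerts


if __name__ == "__main__":
    events = load_sample()
    for a in dos_by_account_deletion(events):
        print("DoS by account deletion:", a["actor"], a["count"], "deletions by", a["time"])
    for a in created_and_deleted(events):
        print("Created and deleted:", a["target"], "lived", a["lifetime"], "deleted by", a["actor"])
```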

UBA : Dormant Account Used

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Dormant Account Used

Enabled by default

True

Default senseValue

10

Description

Detects a successful login from an account that has been determined to be dormant.

Support rules

• BB:UBA : Common Event Filters
• BB:CategoryDefinition: Authentication Failures

Log source types

Any supported log source that provides a username in the event.

Related concepts
• UBA : Account or Group or Privileges Added
• UBA : Account or Group or Privileges Modified
• UBA : DoS Attack by Account Deletion
• UBA : User Account Created and Deleted in a Short Period of Time
• UBA : Dormant Account Use Attempted
• UBA : Expired Account Used
• UBA : First Privilege Escalation
• UBA : New Account Use Detected
• UBA : Suspicious Privileged Activity (First Observed Privilege Use)
• UBA : Suspicious Privileged Activity (Rarely Used Privilege)
• UBA : User Attempt to Use a Suspended Account
• UBA : User Has Gone Dormant (ADE rule)

UBA : Dormant Account Use Attempted

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Dormant Account Use Attempted

Enabled by default

True

Default senseValue

15

Description

Detects a failed login attempt against an account that has been determined to be dormant.

Support rules

• BB:UBA : Common Event Filters
• BB:CategoryDefinition: Authentication Failures

Log source types

3Com 8800 Series Switch, APC UPS, AhnLab Policy Center APC, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Identity Platform, Centrify Infrastructure Services, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco FireSIGHT Management Center, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, CyberGuard TSP Firewall/VPN, DCN DCS/DCRS Series, DG Technology MEAS, EMC VMWare, ESET Remote Administrator, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Matrix K/N/S Series Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, Extreme XSR Security Routers, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, Forcepoint Sidewinder, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM Bluemix Platform, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM Guardium, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, ISC BIND, Illumio Adaptive Security Platform, Imperva SecureSphere, Infoblox NIOS, Itron Smart Meter, Juniper Junos OS Platform, Juniper Junos WebApp Secure, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Lieberman Random Password Manager, LightCyber Magna, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Network Security Platform, McAfee ePolicy Orchestrator, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft SCOM, Microsoft SQL Server, Microsoft SharePoint, Microsoft Windows Security Event Log, Motorola SymbolAP, Netskope Active, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, Okta, OpenBSD OS, Open LDAP Software, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Palo Alto PA Series, Pirean Access: One, PostFix MailTransferAgent, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Monitoring, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sun ONE LDAP, Sybase ASE, Symantec Encryption Management Server, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, Venustech Venusense Security Platform, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI

Related concepts
• UBA : Account or Group or Privileges Added
• UBA : Account or Group or Privileges Modified
• UBA : DoS Attack by Account Deletion
• UBA : User Account Created and Deleted in a Short Period of Time
• UBA : Dormant Account Used
• UBA : Expired Account Used
• UBA : First Privilege Escalation
• UBA : New Account Use Detected
• UBA : Suspicious Privileged Activity (First Observed Privilege Use)
• UBA : Suspicious Privileged Activity (Rarely Used Privilege)
• UBA : User Attempt to Use a Suspended Account
• UBA : User Has Gone Dormant (ADE rule)
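As an added example (not code from the IBM guide or the UBA app), the following Python shows the per-user state that separates the two dormant-account rules above: a successful login from a dormant account raises UBA : Dormant Account Used, a failed attempt raises UBA : Dormant Account Use Attempted, and only a success refreshes the account's last-activity time. The 90-day dormancy threshold and the authentication records are assumptions; in QRadar, dormancy is decided by the separate UBA : User Has Gone Dormant (ADE rule).

```python
from datetime import datetime, timedelta

# Assumed dormancy threshold for this example; the page does not state the ADE rule's value.
DORMANT_AFTER = timedelta(days=90)

# Constructed records: 'timestamp|username|outcome' (outcome is success or failure).
# bob is idle 95 days, then fails twice and succeeds once; alice returns after 111 days;
# carol is active; dave has no prior login at all.
SAMPLE_AUTH = """\
2019-01-05T08:00:00|carol|success
2019-01-10T09:15:00|alice|success
2019-01-15T07:00:00|bob|success
2019-02-01T08:30:00|carol|success
2019-03-01T10:00:00|dave|success
2019-04-20T08:00:00|bob|failure
2019-04-20T08:01:00|bob|failure
2019-04-21T07:45:00|bob|success
2019-05-01T09:30:00|alice|success
"""


def parse_auth(line):
    ts, user, outcome = line.split("|")
    return {"time": datetime.fromisoformat(ts), "user": user, "outcome": outcome}


def load_sample():
    return [parse_auth(line) for line in SAMPLE_AUTH.splitlines()]


def detect_dormant_use(events, dormant_after=DORMANT_AFTER):
    """Replay authentication events in time order and emit (rule, user, time, idle_days).

    An account is dormant when its last successful login is at least `dormant_after` ago.
    A first-ever login has no baseline and raises nothing here (that is the territory of
    UBA : New Account Use Detected). Failed attempts never reset the last-success time, so
    repeated failures against a dormant account each raise the "Attempted" rule."""
    last_success = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev["user"]
        seen = last_success.get(user)
        idle = ev["time"] - seen if seen is not None else None
        dormant = idle is not None and idle >= dormant_after
        if ev["outcome"] == "success":
            if dormant:
                alerts.append(("UBA : Dormant Account Used", user, ev["time"], idle.days))
            last_success[user] = ev["time"]      # successful use ends the dormant period
        elif dormant:
            alerts.append(("UBA : Dormant Account Use Attempted", user, ev["time"], idle.days))
    return alerts


if __name__ == "__main__":
    for rule, user, when, idle_days in detect_dormant_use(load_sample()):
        print(f"{when.isoformat()}  {rule}  user={user}  idle={idle_days}d")
```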

UBA : Expired Account Used

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Expired Account Used (formerly called UBA : Orphaned or Revoked or Suspended Account Used)

Enabled by default

True

Default senseValue

10

Description

Indicates that a user attempted to log in to a disabled or an expired account on a local system. This rule might also suggest that an account was compromised.

Support rules

• BB:UBA : Common Event Filters
• BB:CategoryDefinition: Authentication to Expired Account

Log source types

Cisco CatOS for Catalyst Switches, Cisco Intrusion Prevention System (IPS), Extreme Dragon Network IPS, IBM Proventia Network Intrusion Prevention System (IPS), Juniper Junos WebApp Secure, Microsoft IAS Server, Microsoft Windows Security Event Log

Related concepts
• UBA : Account or Group or Privileges Added
• UBA : Account or Group or Privileges Modified
• UBA : DoS Attack by Account Deletion
• UBA : User Account Created and Deleted in a Short Period of Time
• UBA : Dormant Account Used
• UBA : Dormant Account Use Attempted
• UBA : First Privilege Escalation
• UBA : New Account Use Detected
• UBA : Suspicious Privileged Activity (First Observed Privilege Use)
• UBA : Suspicious Privileged Activity (Rarely Used Privilege)
• UBA : User Attempt to Use a Suspended Account
• UBA : User Has Gone Dormant (ADE rule)

UBA : First Privilege Escalation

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : First Privilege Escalation

Enabled by default

True

Default senseValue

10

Description

Indicates that a user executed privileged access for the first time. This reporting rule can be disabled to allow the tracking of user behaviors for baselining purposes.


Support rule

BB:UBA : Privileged User, First Time Privilege Use (logic)

Log source types

APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Application Security DbProtect, Arbor Networks Pravail, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Web Application Firewall, Bit9 Security Platform, Bluemix Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA Top Secret, CRE System, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco FireSIGHT Management Center, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Cloudera Navigator, CorreLog Agent for IBM zOS, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, DG Technology MEAS, EMC VMWare, Enterasys Matrix K/N/S Series Switch, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme NAC, Extreme NetsightASM, F5 Networks BIG-IP APM, F5 Networks BIG-IP ASM, F5 Networks BIG-IP LTM, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, H3C Comware Platform, HBGary Active Defense, HP Network Automation, Honeycomb Lexicon File Integrity Monitor, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM Guardium, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Packet Capture, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Directory Server, IBM Security Identity Governance, IBM Security Identity Manager, IBM Security Trusteer Apex Advanced Malware Protection, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, ISC BIND, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper WirelessLAN, Juniper vGW, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Endpoint Protection, Microsoft Hyper-V, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft SharePoint, Microsoft Windows Security Event Log, NCC Group DDos Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, PostFix MailTransferAgent, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Samhain HIDS, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Critical System Protection, Symantec Endpoint Protection, Symantec System Center, System Notification, ThreatGRID Malware Threat Intelligence Platform, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend Micro Control Manager, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Tripwire Enterprise, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI

Related concepts
• UBA : Account or Group or Privileges Added
• UBA : Account or Group or Privileges Modified
• UBA : DoS Attack by Account Deletion
• UBA : User Account Created and Deleted in a Short Period of Time
• UBA : Dormant Account Used
• UBA : Dormant Account Use Attempted
• UBA : Expired Account Used
• UBA : New Account Use Detected
• UBA : Suspicious Privileged Activity (First Observed Privilege Use)
• UBA : Suspicious Privileged Activity (Rarely Used Privilege)
• UBA : User Attempt to Use a Suspended Account
• UBA : User Has Gone Dormant (ADE rule)

UBA : New Account Use Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : New Account Use Detected

Enabled by default

True

Default senseValue

5


Description

Reports that a user successfully logged in for the first time. Immediately after installation every user's first observed login matches, so this reporting rule can be disabled temporarily while the app builds its baseline of known users, then re-enabled.

Support rule

BB:UBA : User First Time Access (logic)

Log source types

APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDos Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI

UBA : Suspicious Privileged Activity (First Observed Privilege Use)

Enabled by default: True


Default senseValue: 5

Description

Indicates that a user executed a privileged action that the user never executed before. Observations are kept in the "UBA : Observed Activities by Low Level Category and Username" reference map-of-sets, keyed by username with one entry per low-level category. Expect a burst of these events right after installation: every user's routine privileged actions are new to the map until each has been observed once.

Support rules

• BB:UBA : Common Event Filters
• BB:UBA : Privileged Activity

Log source types

APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Application Security DbProtect, Arbor Networks Pravail, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Web Application Firewall, Bit9 Security Platform, Bluemix Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA Top Secret, CRE System, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco FireSIGHT Management Center, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Cloudera Navigator, CorreLog Agent for IBM zOS, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, DG Technology MEAS, EMC VMWare, Enterasys Matrix K/N/S Series Switch, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme NAC, Extreme NetsightASM, F5 Networks BIG-IP APM, F5 Networks BIG-IP ASM, F5 Networks BIG-IP LTM, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, H3C Comware Platform, HBGary Active Defense, HP Network Automation, Honeycomb Lexicon File Integrity Monitor, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM Guardium, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Packet Capture, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Directory Server, IBM Security Identity Governance, IBM Security Identity Manager, IBM Security Trusteer Apex Advanced Malware Protection, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, ISC BIND, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper WirelessLAN, Juniper vGW, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Endpoint Protection, Microsoft Hyper-V, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft SharePoint, Microsoft Windows Security Event Log, NCC Group DDos Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, PostFix MailTransferAgent, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Samhain HIDS, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Critical System Protection, Symantec Endpoint Protection, Symantec System Center, System Notification, ThreatGRID Malware Threat Intelligence Platform, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend Micro Control Manager, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Tripwire Enterprise, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI

UBA : Suspicious Privileged Activity (Rarely Used Privilege)


Enabled by default: True
Default senseValue: 10

Description

Indicates that a user executed a privileged action that the user has not executed recently. Observations are kept in the "UBA : Recent Activities by Low Level Category and Username" reference map-of-sets. Tune the sensitivity by changing the TTL (time-to-live) of that map-of-sets: an entry expires when it has not been refreshed within the TTL, and the rule fires when a privileged action's category has no live entry for the user. A longer TTL keeps an action "recent" for longer, so the rule fires less often (lower sensitivity); a shorter TTL makes it fire more often (higher sensitivity).

Support rules

• BB:UBA : Common Event Filters
• BB:UBA : Privileged Activity

Log source types

APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Application Security DbProtect, Arbor Networks Pravail, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Web Application Firewall, Bit9 Security Platform, Bluemix Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA Top Secret, CRE System, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco FireSIGHT Management Center, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Cloudera Navigator, CorreLog Agent for IBM zOS, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, DG Technology MEAS, EMC VMWare, Enterasys Matrix K/N/S Series Switch, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme NAC, Extreme NetsightASM, F5 Networks BIG-IP APM, F5 Networks BIG-IP ASM, F5 Networks BIG-IP LTM, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, H3C Comware Platform, HBGary Active Defense, HP Network Automation, Honeycomb Lexicon File Integrity Monitor, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM Guardium, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Packet Capture, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Directory Server, IBM Security Identity Governance, IBM Security Identity Manager, IBM Security Trusteer Apex Advanced Malware Protection, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, ISC BIND, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper WirelessLAN, Juniper vGW, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Endpoint Protection, Microsoft Hyper-V, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft SharePoint, Microsoft Windows Security Event Log, NCC Group DDos Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, PostFix MailTransferAgent, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Samhain HIDS, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Critical System Protection, Symantec Endpoint Protection, Symantec System Center, System Notification, ThreatGRID Malware Threat Intelligence Platform, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend Micro Control Manager, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Tripwire Enterprise, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI

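Both Suspicious Privileged Activity rules above key a QRadar reference map-of-sets on username and low-level category; the only difference between them is whether entries expire. The following is an added example written for this guide, not IBM's code or the rule logic shipped with the app: it models that decision over a few constructed events so that the effect of the Recent Activities TTL is visible, and it uses the same no-TTL map that "UBA : New Account Use Detected" would need for first logins. The event layout, the category names, the choice that a first-observed action is not also reported as rarely used, and the treatment of each rule's default senseValue as the amount a firing adds to the user's risk score are assumptions for the example.

```python
"""Added example (not IBM code): model of the two "Suspicious Privileged
Activity" rules as a per-user map-of-sets of low-level categories.

Assumptions not in the guide: the event tuple layout, the category names,
the precedence of "first observed" over "rarely used" for the same event,
and treating senseValue as the amount a firing adds to the user's risk score.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Default senseValue per rule, as listed in the guide.
SENSE_VALUE = {
    "First Observed Privilege Use": 5,
    "Rarely Used Privilege": 10,
}

# Constructed sample events: (timestamp, username, low-level category, privileged).
# The "privileged" flag stands in for a match on BB:UBA : Privileged Activity.
SAMPLE_EVENTS = [
    ("2019-06-01T09:00:00", "alice", "Group Member Added", True),
    ("2019-06-01T09:05:00", "alice", "User Login Success", False),
    ("2019-06-02T10:00:00", "alice", "Group Member Added", True),
    ("2019-06-20T11:00:00", "alice", "Group Member Added", True),      # 18 days later
    ("2019-06-20T11:30:00", "alice", "Firewall Policy Change", True),  # new for alice
    ("2019-06-21T08:00:00", "bob", "Firewall Policy Change", True),    # new for bob
]


class MapOfSets:
    """Reference map-of-sets: key -> set of values, each value with a last-seen
    time.  ttl=None never expires (Observed Activities); a finite ttl expires
    values that have not been refreshed (Recent Activities)."""

    def __init__(self, ttl=None):
        self.ttl = ttl
        self._data = defaultdict(dict)  # key -> {value: last_seen}

    def contains(self, key, value, now):
        seen = self._data[key].get(value)
        if seen is None:
            return False
        if self.ttl is not None and now - seen > self.ttl:
            del self._data[key][value]  # expired: QRadar would have purged it
            return False
        return True

    def add(self, key, value, now):
        self._data[key][value] = now


def run_rules(events, recent_ttl_days):
    """Return the rule firings for `events` as (rule, user, category, timestamp).

    Only privileged events are examined (BB:UBA : Privileged Activity).  A
    category never seen for this user fires First Observed; a category seen
    before but not within the Recent Activities TTL fires Rarely Used.
    """
    observed = MapOfSets(ttl=None)
    recent = MapOfSets(ttl=timedelta(days=recent_ttl_days))
    firings = []
    for ts, user, category, privileged in events:
        if not privileged:
            continue
        now = datetime.fromisoformat(ts)
        if not observed.contains(user, category, now):
            firings.append(("First Observed Privilege Use", user, category, ts))
        elif not recent.contains(user, category, now):
            firings.append(("Rarely Used Privilege", user, category, ts))
        observed.add(user, category, now)
        recent.add(user, category, now)
    return firings


def risk_scores(firings):
    """Sum each firing's senseValue per user (the simplest reading of senseValue)."""
    scores = defaultdict(int)
    for rule, user, _category, _ts in firings:
        scores[user] += SENSE_VALUE[rule]
    return dict(scores)


if __name__ == "__main__":
    for ttl in (7, 30):  # a longer TTL keeps actions "recent" longer: fewer firings
        hits = run_rules(SAMPLE_EVENTS, ttl)
        print(f"TTL {ttl} days: {len(hits)} firings, risk {risk_scores(hits)}")
        for hit in hits:
            print("   ", hit)
```

With a 7-day TTL, alice's repeat of "Group Member Added" after 18 days is reported as Rarely Used; with a 30-day TTL the same event is silent, which is the "increasing the TTL reduces the sensitivity" behaviour described above. First Observed fires per user, so bob's first firewall change is new even though alice already did one.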

UBA : User Attempt to Use a Suspended Account

Enabled by default: True
Default senseValue: 10

Description

Detects that a user attempted to access a suspended or a disabled account.

Support rules

• BB:CategoryDefinition: Authentication to Disabled Account
• BB:UBA : Common Event Filters

Log source types

Cisco Intrusion Prevention System (IPS), Extreme Dragon Network IPS, IBM Proventia Network Intrusion Prevention System (IPS), Microsoft ISA, Microsoft Windows Security Event Log


UBA : User Has Gone Dormant (ADE rule)

Note: This rule is no longer supported. Dormant account information can be viewed on the UBA Dashboard starting with V3.2.0. For more information, see “Dormant accounts” on page 35.

UBA : User Has Gone Dormant (no activity anomaly rule)

UBA : Dormant Account Found (privileged)

Enabled by default: False
Default senseValue: 10

Description

Ensure that "UBA : User Has Gone Dormant (no activity anomaly rule)" is enabled to activate this rule.

This anomaly rule indicates that a username's activity count has changed by more than 80%. "UBA : Dormant Account Found (privileged)" and "UBA : User Has Gone Dormant (no activity anomaly rule)" are intended to point out when a user has stopped producing activity for an extended period, which might mean that the user no longer requires access. The anomaly test compares activity over a short interval (14 days by default) against a longer baseline interval (28 days by default).

False alarms are possible if a username's activity drops to zero during the short interval and before zero has become the new baseline; in that window the anomaly test can fire on every evaluation. These repeat firings do not affect the user's risk score if the response frequency limit for "UBA : Dormant Account Found (privileged)" is set to a period equal to or greater than the long interval per username, because only the first response within that period is counted.

Support rule

UBA : Dormant Account Found (privileged)


Required configuration

Enable the following rule: "UBA : Dormant Account Found (privileged)".

Log source types

All supported log sources.
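The interaction between the short interval, the long interval and the response frequency limit described above is easier to see on a timeline. The following is an added example for this guide, not IBM code: a simplified model of the "no activity" anomaly test run once a day over a constructed activity series for a user who stops producing events, together with a response limiter that suppresses repeat responses inside the frequency limit. Day-granular windows that both end on the evaluation day, the synthetic series, and adding the senseValue of 10 once per counted response are assumptions; QRadar's Anomaly Detection Engine computes its intervals internally and this code only reproduces the behaviour the description states.

```python
"""Added example (not IBM code): a simplified model of the "no activity"
anomaly test behind UBA : User Has Gone Dormant and of the response
frequency limit that keeps its repeat firings out of the risk score.

Assumptions not in the guide: day-granular windows that both end on the
evaluation day, the synthetic activity series, and a senseValue of 10 added
once per counted response.
"""

SHORT_INTERVAL_DAYS = 14   # guide default: short interval
LONG_INTERVAL_DAYS = 28    # guide default: baseline (long interval)
DROP_THRESHOLD = 0.80      # guide: activity count changed by more than 80%
SENSE_VALUE = 10           # guide: default senseValue for the rule


def constructed_activity(active_days=30, total_days=70, per_day=10):
    """Constructed data: a user who produces `per_day` events a day for
    `active_days` days, then goes silent.  Returns {day_index: event_count}."""
    return {d: (per_day if d < active_days else 0) for d in range(total_days)}


def window_avg(counts, end_day, length):
    """Average daily count over the `length` days ending on `end_day`."""
    days = range(end_day - length + 1, end_day + 1)
    return sum(counts.get(d, 0) for d in days) / length


def activity_dropped(counts, end_day):
    """True when the short-interval average is more than DROP_THRESHOLD below
    the long-interval average.  A zero baseline is never anomalous: once no
    activity is the norm, there is nothing left to drop from."""
    long_avg = window_avg(counts, end_day, LONG_INTERVAL_DAYS)
    if long_avg == 0:
        return False
    short_avg = window_avg(counts, end_day, SHORT_INTERVAL_DAYS)
    return (long_avg - short_avg) / long_avg > DROP_THRESHOLD


def evaluate(counts, first_day, last_day, response_limit_days):
    """Run the test once per day.  Returns (days the test fired, days a
    response was actually counted, risk added).  A response inside the
    frequency limit of the previous one is suppressed and adds no risk."""
    fired, counted, risk = [], [], 0
    suppressed_until = None
    for day in range(first_day, last_day + 1):
        if not activity_dropped(counts, day):
            continue
        fired.append(day)
        if suppressed_until is not None and day < suppressed_until:
            continue
        counted.append(day)
        risk += SENSE_VALUE
        suppressed_until = day + response_limit_days
    return fired, counted, risk


if __name__ == "__main__":
    counts = constructed_activity()
    first = LONG_INTERVAL_DAYS - 1  # first day with a full baseline window
    for limit in (1, LONG_INTERVAL_DAYS):
        fired, counted, risk = evaluate(counts, first, 69, limit)
        print(f"limit {limit:2d} days: fired on {len(fired)} days "
              f"({fired[0]}..{fired[-1]}), counted {counted}, risk {risk}")
```

For a user who stops on day 30, the test first fires on day 42 (13 silent days in the 14-day window) and keeps firing every day until day 56, when the 28-day baseline is itself empty. With a one-day frequency limit each of those 15 firings adds 10 to the risk score; with the limit set to the long interval (28 days) only the first response is counted, which is the configuration the description recommends.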


Browsing behavior

UBA : Browsed to Business/Service Website


Enabled by default: True
Default senseValue: 5

Description

A user accessed a URL that the web proxy or gateway log source categorized as Business/Service; the category might indicate an elevated security or legal risk.

Support rule

BB:UBA : URL Category Filter

Log source types

Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo AltoPA Series

Related concepts: UBA : Browsed to Communications Website; UBA : Browsed to Education Website; UBA : Browsed to Entertainment Website; UBA : Browsed to Gambling Website; UBA : Browsed to Government Website; UBA : Browsed to Information Technology Website; UBA : Browsed to Job Search Website; UBA : Browsed to LifeStyle Website; UBA : Browsed to Malicious Website; UBA : Browsed to Mixed Content/Potentially Adult Website; UBA : Browsed to Phishing Website; UBA : Browsed to Pornography Website; UBA : Browsed to Religious Website; UBA : Browsed to Scam/Questionable/Illegal Website; UBA : Browsed to Uncategorized Website; UBA: User Accessing Risky URL.

UBA : Browsed to Communications Website

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default: True
Default senseValue: 5
Description: A user has accessed a URL which may indicate elevated security or legal risk.
Support rule: BB:UBA : URL Category Filter
Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series


86 IBM QRadar User Behavior Analytics (UBA) app: UBA app User Guide

Page 95: Version 3.3.0 app IBM QRadar User Behavior …public.dhe.ibm.com/software/security/products/qradar/...IBM QRadar User Behavior Analytics (UBA) app Version 3.3.0 User Guide IBM Note

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioralanomalies.UBA : Browsed to Government WebsiteThe QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioralanomalies.UBA : Browsed to Information Technology WebsiteThe QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioralanomalies.UBA : Browsed to Job Search WebsiteThe QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioralanomalies.UBA : Browsed to LifeStyle WebsiteThe QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioralanomalies.UBA : Browsed to Malicious WebsiteThe QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioralanomalies.UBA : Browsed to Mixed Content/Potentially Adult WebsiteThe QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioralanomalies.UBA : Browsed to Phishing WebsiteThe QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioralanomalies.UBA : Browsed to Pornography WebsiteThe QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioralanomalies.UBA : Browsed to Religious WebsiteThe QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioralanomalies.UBA : Browsed to Scam/Questionable/Illegal WebsiteThe QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioralanomalies.UBA : Browsed to Uncategorized WebsiteThe QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioralanomalies.UBA: User Accessing Risky URLThe QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioralanomalies.

UBA : Browsed to Education Website

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default: True
Default senseValue: 5


Description: Detected user browsing a website associated with education content.
Support rule: BB:UBA : URL Category Filter
Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series


UBA : Browsed to Entertainment Website

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default: True
Default senseValue: 5
Description: A user accessed a URL that might indicate elevated security or legal risk.
Support rule: BB:UBA : URL Category Filter
Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series


UBA : Browsed to Gambling Website

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default: True
Default senseValue: 5
Description: A user accessed a URL that might indicate elevated security or legal risk.
Support rule: BB:UBA : URL Category Filter


Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series


UBA : Browsed to Government Website

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default: True
Default senseValue: 5
Description: Detected user browsing a website associated with government content.
Support rule: BB:UBA : URL Category Filter
Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series


UBA : Browsed to Information Technology Website

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default: True
Default senseValue: 5
Description: A user accessed a URL that might indicate elevated security or legal risk.
Support rule: BB:UBA : URL Category Filter
Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series


UBA : Browsed to Job Search Website

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.


Enabled by default: True
Default senseValue: 15
Description: A user accessed a URL that might indicate elevated security or legal risk.
Support rule: BB:UBA : URL Category Filter
Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series


UBA : Browsed to LifeStyle Website

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default: True
Default senseValue: 5
Description: A user has accessed a URL that might indicate an elevated security or legal risk.
Support rule: BB:UBA : URL Category Filter
Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series


UBA : Browsed to Malicious Website

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default: True
Default senseValue: 15


Description: A user accessed a URL that might indicate elevated security or legal risk.
Support rule: BB:UBA : URL Category Filter
Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series


UBA : Browsed to Mixed Content/Potentially Adult Website

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default: True
Default senseValue: 10
Description: A user accessed a URL that might indicate elevated security or legal risk.
Support rule: BB:UBA : URL Category Filter
Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series
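The category rules above all share one support building block, BB:UBA : URL Category Filter, and differ only in the proxy category they match and in the default senseValue they carry (5 for most categories, 10 for Mixed Content/Potentially Adult, 15 for Job Search, Malicious and Phishing). The following Python is an added example, not code from the UBA app or this guide: it models that arrangement as a category-to-rule lookup and accumulates a per-user score from constructed proxy events. Two assumptions are built in and labelled in the code: that each rule firing adds its senseValue to the user's score (this page lists the values but does not describe the scoring mechanism), and the key=value event format, which is a hypothetical stand-in for the real Blue Coat, McAfee, Check Point, Squid or Palo Alto records. Rules whose senseValue is not listed on this page (Pornography, Religious, Scam/Questionable/Illegal, Uncategorized) are left out rather than guessed.

```python
"""Per-user risk accumulation from URL-category rule firings.

Added example, not the UBA app's own code. Models the "UBA : Browsed to ...
Website" rules on this page: one lookup standing in for
BB:UBA : URL Category Filter, and the default senseValues listed above.
Assumption: every firing adds the rule's senseValue to the user's score
(the guide lists the values but does not spell out the mechanism).
"""
import re
from collections import defaultdict

# Default senseValues exactly as listed on this page. Categories absent
# from this map (for example Uncategorized, whose value is not on this
# page) match no rule in this example.
RULE_SENSE_VALUES = {
    "Business/Service": ("UBA : Browsed to Business/Service Website", 5),
    "Communications": ("UBA : Browsed to Communications Website", 5),
    "Education": ("UBA : Browsed to Education Website", 5),
    "Entertainment": ("UBA : Browsed to Entertainment Website", 5),
    "Gambling": ("UBA : Browsed to Gambling Website", 5),
    "Government": ("UBA : Browsed to Government Website", 5),
    "Information Technology": ("UBA : Browsed to Information Technology Website", 5),
    "Job Search": ("UBA : Browsed to Job Search Website", 15),
    "LifeStyle": ("UBA : Browsed to LifeStyle Website", 5),
    "Malicious": ("UBA : Browsed to Malicious Website", 15),
    "Mixed Content/Potentially Adult": ("UBA : Browsed to Mixed Content/Potentially Adult Website", 10),
    "Phishing": ("UBA : Browsed to Phishing Website", 15),
}

# Constructed proxy events in a hypothetical key=value layout. This is NOT
# a real vendor log format; it only carries the three fields the rules need:
# the user, the destination URL and the category the proxy assigned.
SAMPLE_EVENTS = """\
user=alice url=https://jobs.example.org/apply category="Job Search"
user=alice url=http://cdn.example.net/update.exe category="Malicious"
user=bob url=https://news.example.com/ category="Entertainment"
user=bob url=https://login-example.example.net/verify category="Phishing"
user=carol url=https://intranet.example.com/ category="Uncategorized"
user=alice url=https://mail.example.com/ category="Communications"
"""

EVENT_RE = re.compile(
    r'user=(?P<user>\S+)\s+url=(?P<url>\S+)\s+category="(?P<cat>[^"]+)"'
)


def parse_event(line):
    """Return (user, url, category) for one event line, or None if it
    does not match the constructed format."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return m.group("user"), m.group("url"), m.group("cat")


def url_category_filter(category):
    """Stand-in for BB:UBA : URL Category Filter: map a proxy category to
    (rule name, default senseValue), or None when no category rule applies."""
    return RULE_SENSE_VALUES.get(category)


def score_events(text, overrides=None):
    """Walk event lines, fire the matching category rule for each, and
    return ({user: score}, {user: [(rule, url, senseValue), ...]}).

    overrides maps a category to a tuned senseValue so an analyst can
    re-weight a rule (the subject of this tuning chapter) without
    touching the defaults table.
    """
    overrides = overrides or {}
    scores = defaultdict(int)
    firings = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_event(line)
        if parsed is None:
            continue  # malformed or foreign line: skip, never guess
        user, url, category = parsed
        hit = url_category_filter(category)
        if hit is None:
            continue  # no category rule on this page covers the event
        rule_name, sense = hit
        sense = overrides.get(category, sense)
        scores[user] += sense  # assumption: senseValue adds to the score
        firings[user].append((rule_name, url, sense))
    return dict(scores), dict(firings)


def top_users(scores, n=3):
    """Highest-scoring users first; ties broken by name for stable output."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    totals, hits = score_events(SAMPLE_EVENTS)
    for user, score in top_users(totals):
        print(f"{user}: {score}")
        for rule_name, url, sense in hits[user]:
            print(f"  +{sense:<3} {rule_name}  {url}")
```

With the constructed events, alice accumulates 15 (Job Search) + 15 (Malicious) + 5 (Communications) = 35, bob 5 + 15 = 20, and carol's Uncategorized visit contributes nothing because that rule's value is not listed here. Passing overrides={"Communications": 0} shows the tuning lever: alice drops to 30 while the table of defaults is unchanged.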

Related conceptsUBA : Browsed to Business/Service WebsiteThe QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioralanomalies.UBA : Browsed to Communications WebsiteThe QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioralanomalies.UBA : Browsed to Education WebsiteThe QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioralanomalies.UBA : Browsed to Entertainment WebsiteThe QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioralanomalies.UBA : Browsed to Gambling WebsiteThe QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioralanomalies.UBA : Browsed to Government Website

Chapter 7. Rules and tuning for the UBA app 99

Page 108: Version 3.3.0 app IBM QRadar User Behavior …public.dhe.ibm.com/software/security/products/qradar/...IBM QRadar User Behavior Analytics (UBA) app Version 3.3.0 User Guide IBM Note

UBA : Browsed to Phishing Website

Enabled by default

True

Default senseValue

15

Description

A user accessed a URL that might indicate elevated security or legal risk.

Support rule

BB:UBA : URL Category Filter

100 IBM QRadar User Behavior Analytics (UBA) app: UBA app User Guide

Log source types

Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series

UBA : Browsed to Pornography Website

Enabled by default

True

Default senseValue

10

Description

A user accessed a URL that might indicate elevated security or legal risk.

Support rule

BB:UBA : URL Category Filter

Log source types

Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series

UBA : Browsed to Religious Website

Enabled by default

True

Default senseValue

5

Description

Detected user browsing a website associated with religious content.

Support rule

BB:UBA : URL Category Filter

Log source types

Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series

UBA : Browsed to Scam/Questionable/Illegal Website

Enabled by default

True

Default senseValue

5

Description

A user accessed a URL that might indicate elevated security or legal risk.

Support rule

BB:UBA : URL Category Filter

Log source types

Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series

UBA : Browsed to Uncategorized Website

Enabled by default

True

Default senseValue

5

Description

A user has accessed a URL that might indicate an elevated security or legal risk.

Support rule

BB:UBA : URL Category Filter

Log source types

Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series

UBA: User Accessing Risky URL (previously called X-Force Risky URL)

Enabled by default

True

Description

This rule detects when a local user is accessing questionable online content.

Support rules

• X-Force Risky URL

• BB:UBA : Common Event Filters

Required configuration

• Set Enable X-Force Threat Intelligence Feed to Yes in Admin Settings > System Settings.

• Enable the following rule: X-Force Risky URL.

Log source types

Juniper SRX Series Services Gateway, Microsoft ISA, Pulse Secure Pulse Connect Secure

Cloud

UBA : AWS Console Accessed by Unauthorized User

Enabled by default

False

Default senseValue

10

Description

Detects an unauthorized attempt to access the Amazon Web Services (AWS) console by a user that is outside the authorized list in the 'AWS - Standard Users' reference set.

Support rules

BB:UBA : Common Event Filters

Required configuration

• Install the following package from the IBM Security App Exchange: IBM QRadar Content Extension for Monitoring Amazon AWS.

• Add the appropriate values to the following reference set: "UBA : Domain Controller Administrators"

• Configure the following log source: Amazon AWS CloudTrail

Log source types

Amazon AWS CloudTrail (EventID: ConsoleLogin)
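A worked model of the check this rule describes, added here as an example; it is not part of the guide and not the UBA app's own rule logic. It reads constructed CloudTrail records, keeps only ConsoleLogin events, and flags any principal absent from a stand-in for the 'AWS - Standard Users' reference set. The reference-set contents, the record values and the principal-naming convention (IAM user name, "root" for the account root, otherwise the ARN) are assumptions made for the example.

```python
"""Reference-set check for AWS console logins (added example, not IBM's code).

Models the decision the "UBA : AWS Console Accessed by Unauthorized User"
rule makes: a CloudTrail ConsoleLogin event whose principal is not in the
authorized reference set is flagged. The reference-set contents, the
CloudTrail record values and the principal-naming helper are assumptions.
"""
import json

# Constructed stand-in for the "AWS - Standard Users" reference set.
AWS_STANDARD_USERS = {"alice", "bob"}

# Constructed CloudTrail records. The field layout follows the CloudTrail
# ConsoleLogin event shape; every value (account id, names, IPs) is made up.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2019-06-01T09:15:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-06-01T09:20:45Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "mallory",
                      "arn": "arn:aws:iam::123456789012:user/mallory"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2019-06-01T09:31:10Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-06-01T09:32:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "userName": "carol",
                      "arn": "arn:aws:iam::123456789012:user/carol"},
     "sourceIPAddress": "203.0.113.10"},
]})


def principal_name(identity):
    """Map a CloudTrail userIdentity block to the name compared against the
    reference set. Assumed convention: IAM users by userName, the account
    root as "root", anything else by its ARN."""
    kind = identity.get("type")
    if kind == "IAMUser":
        return identity.get("userName", "")
    if kind == "Root":
        return "root"
    return identity.get("arn", "")


def unauthorized_console_logins(records_json, standard_users):
    """Return one finding per ConsoleLogin whose principal is outside
    standard_users. Other event names are dropped up front, the way the
    rule's event filter narrows the stream before the reference-set test."""
    findings = []
    for rec in json.loads(records_json)["Records"]:
        if rec.get("eventName") != "ConsoleLogin":
            continue
        name = principal_name(rec.get("userIdentity", {}))
        if name in standard_users:
            continue
        findings.append({
            "user": name,
            "source_ip": rec.get("sourceIPAddress"),
            # Both successful and failed logins are reported; the outcome is
            # kept so an analyst can prioritise.
            "outcome": rec.get("responseElements", {}).get("ConsoleLogin", "Unknown"),
            "time": rec.get("eventTime"),
        })
    return findings


if __name__ == "__main__":
    for f in unauthorized_console_logins(SAMPLE_CLOUDTRAIL, AWS_STANDARD_USERS):
        print(f"{f['time']} {f['user']} from {f['source_ip']}: {f['outcome']}")
```

On the sample data the two findings are the unknown IAM user and the account root; the STS call is ignored because it is not a ConsoleLogin event. In production the reference set would be populated from the identity source of record rather than hard-coded, and the root principal would normally be absent from it by design so that every root login is surfaced.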

UBA : Non-Standard User Accessing AWS Resources

Enabled by default

False

Default senseValue

10

Description

Detects a non-standard user who is attempting to access Amazon Web Services (AWS) resources.

Log source types

Amazon Web Services Extension

Domain controller

UBA : DPAPI Backup Master Key Recovery Attempted

Enabled by default

True

Default senseValue

10

Description

Detects when recovery is attempted for a DPAPI Master Key.

Support rule

BB:UBA : Common Event Filters

Log source types

Microsoft Windows Security Event Log (EventID: 4693)

UBA : Kerberos Account Enumeration Detected

Enabled by default

True

Default senseValue

10

Description

Detects Kerberos account enumeration by identifying a high number of distinct user names being used to make Kerberos requests from the same source IP.

Support rule

BB:UBA : Common Event Filters

Log source types

Microsoft Windows Security Event Log (EventID: 4768)
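The aggregation this rule describes, as an added Python example that is not IBM's code and not the rule's actual implementation: a sliding window per source IP over constructed EventID 4768 records, raising one alert once the number of distinct account names seen from that IP within the window reaches a threshold. The event field names, the threshold of 5 accounts and the 5-minute window are assumptions chosen for illustration, not the rule's real tuning.

```python
"""Sliding-window detector for Kerberos account enumeration (added example,
not IBM's code). Models the behaviour the guide attributes to the
"UBA : Kerberos Account Enumeration Detected" rule: many distinct account
names requesting TGTs (EventID 4768) from one source IP in a short time.
The event layout, threshold and window length are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values (not from the guide).
DISTINCT_ACCOUNT_THRESHOLD = 5
WINDOW = timedelta(minutes=5)

# Constructed events, reduced to the fields the detector needs. Real 4768
# events carry the account as TargetUserName and the source as IpAddress.
# 10.0.0.5 sweeps many names quickly; 10.0.0.7 retries two names; 10.0.0.9
# touches five names but spread six minutes apart.
SAMPLE_EVENTS = [
    {"time": "2019-06-01T10:00:00", "event_id": 4768, "src_ip": "10.0.0.9", "account": "svc1"},
    {"time": "2019-06-01T10:01:00", "event_id": 4768, "src_ip": "10.0.0.5", "account": "alice"},
    {"time": "2019-06-01T10:01:10", "event_id": 4768, "src_ip": "10.0.0.5", "account": "bob"},
    {"time": "2019-06-01T10:01:20", "event_id": 4768, "src_ip": "10.0.0.5", "account": "carol"},
    {"time": "2019-06-01T10:01:30", "event_id": 4768, "src_ip": "10.0.0.5", "account": "dave"},
    {"time": "2019-06-01T10:01:35", "event_id": 4769, "src_ip": "10.0.0.5", "account": "zed"},
    {"time": "2019-06-01T10:01:40", "event_id": 4768, "src_ip": "10.0.0.5", "account": "erin"},
    {"time": "2019-06-01T10:01:50", "event_id": 4768, "src_ip": "10.0.0.5", "account": "frank"},
    {"time": "2019-06-01T10:02:00", "event_id": 4768, "src_ip": "10.0.0.7", "account": "alice"},
    {"time": "2019-06-01T10:02:30", "event_id": 4768, "src_ip": "10.0.0.7", "account": "alice"},
    {"time": "2019-06-01T10:03:00", "event_id": 4768, "src_ip": "10.0.0.7", "account": "bob"},
    {"time": "2019-06-01T10:06:00", "event_id": 4768, "src_ip": "10.0.0.9", "account": "svc2"},
    {"time": "2019-06-01T10:12:00", "event_id": 4768, "src_ip": "10.0.0.9", "account": "svc3"},
    {"time": "2019-06-01T10:18:00", "event_id": 4768, "src_ip": "10.0.0.9", "account": "svc4"},
    {"time": "2019-06-01T10:24:00", "event_id": 4768, "src_ip": "10.0.0.9", "account": "svc5"},
]


def detect_kerberos_enumeration(events, threshold=DISTINCT_ACCOUNT_THRESHOLD, window=WINDOW):
    """Return one alert per source IP whose distinct TargetUserName count
    within `window` reaches `threshold`. Events are processed in time order;
    anything other than EventID 4768 is dropped, standing in for the
    event-filter building block the rule depends on."""
    recent = defaultdict(deque)   # src_ip -> deque of (timestamp, account)
    alerted = set()               # suppress repeat alerts for the same IP
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("event_id") != 4768:
            continue
        ts = datetime.fromisoformat(ev["time"])
        q = recent[ev["src_ip"]]
        q.append((ts, ev["account"]))
        # Evict entries that fell out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {account for _, account in q}
        if len(distinct) >= threshold and ev["src_ip"] not in alerted:
            alerted.add(ev["src_ip"])
            alerts.append({
                "src_ip": ev["src_ip"],
                "accounts": sorted(distinct),
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_kerberos_enumeration(SAMPLE_EVENTS):
        print(f"{a['src_ip']}: {len(a['accounts'])} accounts between "
              f"{a['first_seen']} and {a['last_seen']}: {', '.join(a['accounts'])}")
```

Only 10.0.0.5 alerts at the default tuning; the repeated requests from 10.0.0.7 count as two names, and 10.0.0.9 never has more than one name inside any five-minute window. Counting distinct names rather than raw request volume is what separates enumeration from a busy but legitimate host, and the window length is the main lever for false positives on jump hosts and ticket-renewal bursts.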

UBA : Multiple Kerberos Authentication Failures from Same User

Enabled by default

False

Default senseValue

15

Description

Detects multiple Kerberos authentication ticket rejections or failures.

Support rule

• BB:UBA : Common Log Source Filters

• BB:UBA : Kerberos Authentication Failures

Log source types

Microsoft Windows Security Event Log

UBA : Non-Admin Access to Domain Controller

Enabled by default

False

Default senseValue

5

Description

Detects access attempts to a domain controller by non-admin accounts.

Support rule

• BB:UBA : Common Event Filters

• BB:CategoryDefinition: Authentication Success

• BB:CategoryDefinition: Authentication Failures

Required configuration

Add the appropriate values to the following reference sets: "UBA : Domain Controllers" and "UBA : Domain Controller Administrators"

Log source types

APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDos Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI

UBA : Pass the Hash

Enabled by default

False

Default senseValue

15

Description

Detects Windows logon events that are possibly generated during pass the hash exploits.

Support rule

BB:UBA : Common Event Filters

Required configuration

Add the appropriate values to the following reference set: UBA : Trusted Domains.

Log source types

Microsoft Windows Security Event Logs (EventID: 4624)

UBA : Possible Directory Services Enumeration

Enabled by default

False

Default senseValue

5

Description

Detects reconnaissance attempts that use directory service enumeration.

Support rule

BB:UBA : Common Event Filters

Required configuration

Add the appropriate values to the following reference set: "UBA : Domain Controller Administrators"

Chapter 7. Rules and tuning for the UBA app 113

Page 122: Version 3.3.0 app IBM QRadar User Behavior …public.dhe.ibm.com/software/security/products/qradar/...IBM QRadar User Behavior Analytics (UBA) app Version 3.3.0 User Guide IBM Note

Log source types

Microsoft Windows Security Event Log (EventID: 4661)

UBA : Possible SMB Session Enumeration on a Domain Controller

Enabled by default: False
Default senseValue: 10
Description: Detects attempts at SMB session enumeration against a domain controller.
Support rule: BB:UBA : Common Event Filters
Required configuration: Add the appropriate values to the following reference sets:
• UBA : Domain Controllers
• UBA : Domain Controller Administrators
Log source types: Microsoft Windows Security Event Log (EventID: 5140)

UBA : Possible TGT Forgery

Enabled by default: False
Default senseValue: 15
Description: Detects Kerberos TGTs whose domain name is anomalous, which can indicate tickets that were generated by pass-the-ticket exploits.
Support rule: BB:UBA : Common Event Filters
Required configuration: Add the appropriate values to the following reference set: UBA : Trusted Domains.
Log source types: Microsoft Windows Security Event Logs (EventID: 4768)

UBA : Possible TGT PAC Forgery

Enabled by default: False
Default senseValue: 10
Description: Detects use of a forged PAC (Privilege Attribute Certificate) to obtain a service ticket from the Kerberos TGS. Separate building blocks cover servers that are patched and unpatched against PAC forgery.
Support rules:
• BB:UBA : Common Event Filters
• BB:UBA : TCT PAC Forgery Patched Server
• BB:UBA : TCT PAC Forgery Unpatched Server
Required configuration: Add the appropriate values to the following reference set: UBA : Domain Controller Administrators.
Log source types: Microsoft Windows Security Event Log (EventID: 4672, 4769)

UBA : Replication Request from a Non-Domain Controller

Enabled by default: True
Default senseValue: 5
Description: Detects directory replication requests that originate from a host that is not a legitimate domain controller.
Support rule: BB:UBA : Common Event Filters
Required configuration: Add the appropriate values to the following reference set: UBA : Domain Controller Administrators.
Log source types: Microsoft Windows Security Event Log (EventID: 4662)

UBA : TGT Ticket Used by Multiple Hosts

Enabled by default: False
Default senseValue: 15
Description: Detects a Kerberos TGT that is used from two or more different computers.
Support rules:
• BB:UBA : Common Event Filters
• UBA : Kerberos Account Mapping (this rule updates the associated reference sets with the required data)
Required configuration: Enable the following rule: UBA : Kerberos Account Mapping.
Log source types: Microsoft Windows Security Event Log (EventID: 4768)

Endpoint

UBA : Detect Insecure Or Non-Standard Protocol

Enabled by default: False
Default senseValue: 5
Description: Detects any user that is communicating over unauthorized protocols, that is, protocols that are regarded as insecure or non-standard. Authorized protocols are listed by port in the UBA : Ports of Authorized Protocols reference set. Its only default value is 0, the port value on QRadar's own events, so edit the reference set to reflect the ports that are authorized in your environment before you enable this rule.
Support rules:
• BB:UBA : Common Event Filters
• BB:UBA : Insecure Ports
Required configuration: Add the appropriate values to the following reference set: UBA : Ports Of Authorized Protocols.
Log source types: All supported log sources.

Related concepts
• UBA : Detect Persistent SSH session
• UBA : Internet Settings Modified
• UBA : Malware Activity - Registry Modified In Bulk
• UBA : Netcat Process Detection (Linux)
• UBA : Netcat Process Detection (Windows)
• UBA : Process Executed Outside Gold Disk Whitelist (Linux)
• UBA : Process Executed Outside Gold Disk Whitelist (Windows)
• UBA : Ransomware Behavior Detected
• UBA : Restricted Program Usage
• UBA : User Installing Suspicious Application
• UBA : User Running New Process
• UBA : Volume Shadow Copy Created

UBA : Detect Persistent SSH session

Enabled by default: True
Default senseValue: 10
Description: Detects SSH sessions that are active for more than 10 hours.
Support rules:
• BB:UBA : Common Event Filters
• BB:UBA : SSH Session Closed
• BB:UBA : SSH Session Opened
Required configuration: This rule requires both an SSH Opened and an SSH Closed event for each session to detect persistent sessions accurately. If the log source in use does not provide an event ID for both events, the results might be inaccurate. See Data sources to determine the event IDs for the log source in use.

Log source types (SSH Opened)

Centrify Infrastructure Services (EventID: 27100, 27104)

Cisco IOS (EventID: %SSH-5-SSH2_SESSION, %SSH-SW2-5-SSH2_SESSION)

Custom Rule Engine (EventID: 18037, 3071)

Cyber-Ark Vault (EventID: 378)

Extreme XSR Security Routers (EventID: NEW_SSH_CONNECTION)

Flow Classification Engine (EventID: 3071, 18037)

Huawei S Series Switch (EventID: SSH/4/SFTP_REQ_RECORD)

HyTrust CloudControl (EventID: AUN0120, unknown)

IBM AIX Server (EventID: sshd2 connection established, ssh-server connect, ssh-server session open)

IBM DataPower (EventID: 0x8100011e, 0x810001e4, 0x810001e5)

Juniper MX Series Ethernet Services Router (EventID: SSH)

Juniper Networks AVT (EventID: SSH)

Mac OS X (EventID: OSX ssh session started)

OS Services Qidmap (EventID: Connection from, pam_open_session, pam_sm_open_session)

Solaris Operating System Authentication Messages (EventID: ssh session opened)

Universal DSM (EventID: SSH Opened, SSH Session Started)

Log source types (SSH Closed)

Aruba Mobility Controller (EventID: sshd_disconnect)

Centrify Infrastructure Services (EventID: 27102)

Cisco IOS (EventID: %SSH-5-SSH_CLOSE, %SSH-SW2-5-SSH2_CLOSE, %SSH-5-SSH2_CLOSE)

Custom Rule Engine (EventID: 3072, 18038, 18040)

Cyber-Ark Vault (EventID: 380, 381)

Flow Classification Engine (EventID: 3072, 18038, 18040)

Huawei S Series Switch (EventID: SSH/6/RECV_DISCONNECT)

IBM AIX Server (EventID: ssh-server disconnect, sshd2 connection lost, SSH Disconnect, sshd2 local disconnect, ssh-server session close)

OS Services Qidmap (EventID: Done with connection, pam_sm_close_session, pam_close_session, Did not receive identification string, Connection timed out, Received disconnect from IP, Connection closed)

Pulse Secure Pulse Connect Secure (EventID: GWE24572)

Universal DSM (EventID: SSH Terminated, SSH Session Finished, SSH Closed)
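The following is an added example, not the UBA rule's implementation: it pairs SSH "session opened" and "session closed" events into sessions and flags those that exceed the 10-hour threshold the rule uses. The events are constructed tuples; the session_id field stands in for whatever a log source provides to pair an open with a close (a PID or connection ID). Hosts listed in sources_without_close model log sources that emit no close event, the case the Required configuration note warns about; their open-only sessions are reported as unverifiable rather than silently flagged as persistent.

```python
"""Added example: pairing SSH "session opened" and "session closed" events into
sessions and flagging sessions that exceed a threshold.

This is not the UBA rule's implementation. Events are constructed tuples; the
session_id field stands in for whatever a log source provides to pair an open
with a close (a PID or connection ID). Hosts in sources_without_close model
log sources that emit no close event: their sessions are reported as
unverifiable instead of being flagged.
"""
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, NamedTuple, Tuple


class SshEvent(NamedTuple):
    ts: datetime
    host: str
    user: str
    session_id: str
    kind: str  # "opened" or "closed"


THRESHOLD = timedelta(hours=10)  # the duration the rule above uses


def correlate(events: List[SshEvent], now: datetime,
              sources_without_close: FrozenSet[str] = frozenset(),
              threshold: timedelta = THRESHOLD) -> Dict[str, list]:
    """Pair open/close events per (host, session_id) in time order.

    Returns a dict with:
      persistent:   (open_event, duration, "closed" | "still open") tuples
      unverifiable: open events on hosts that never report a close
      orphans:      close events with no matching open (dropped, but counted)
    """
    open_sessions: Dict[Tuple[str, str], SshEvent] = {}
    persistent: List[Tuple[SshEvent, timedelta, str]] = []
    unverifiable: List[SshEvent] = []
    orphans: List[SshEvent] = []

    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.session_id)
        if ev.kind == "opened":
            open_sessions[key] = ev
        elif ev.kind == "closed":
            start = open_sessions.pop(key, None)
            if start is None:
                orphans.append(ev)  # close without an open: duration unknown
                continue
            if ev.ts - start.ts > threshold:
                persistent.append((start, ev.ts - start.ts, "closed"))

    # Sessions still open at evaluation time.
    for (host, _), start in open_sessions.items():
        if host in sources_without_close:
            unverifiable.append(start)  # no close event will ever arrive
        elif now - start.ts > threshold:
            persistent.append((start, now - start.ts, "still open"))
    return {"persistent": persistent, "unverifiable": unverifiable, "orphans": orphans}


# Constructed sample stream (not real log data).
T = datetime(2019, 5, 1)
SAMPLE_EVENTS = [
    SshEvent(T + timedelta(hours=8), "bastion", "alice", "1001", "opened"),
    SshEvent(T + timedelta(hours=9), "bastion", "alice", "1001", "closed"),
    SshEvent(T + timedelta(hours=1), "bastion", "bob", "1002", "opened"),
    SshEvent(T + timedelta(hours=12, minutes=30), "bastion", "bob", "1002", "closed"),
    SshEvent(T, "bastion", "carol", "1003", "opened"),                       # never closed
    SshEvent(T - timedelta(hours=4), "router1", "dave", "7", "opened"),      # source lacks close events
    SshEvent(T + timedelta(hours=13), "bastion", "erin", "9999", "closed"),  # no matching open
]
NOW = T + timedelta(hours=14)

if __name__ == "__main__":
    result = correlate(SAMPLE_EVENTS, NOW, sources_without_close=frozenset({"router1"}))
    for start, duration, state in result["persistent"]:
        print(f"{start.host} {start.user} session {start.session_id}: {duration} ({state})")
    for start in result["unverifiable"]:
        print(f"{start.host} {start.user}: open event only, source reports no close events")
```

The split between "persistent" and "unverifiable" is the point of the example: a log source that only ever reports opens makes every session look persistent, so such sources are better excluded from the rule (or given their own tuned copy) than left to generate findings that cannot be confirmed.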


UBA : Internet Settings Modified

Enabled by default: True
Default senseValue: 15
Description: Detects modifications of Internet settings on the system.
Support rule: BB:UBA : Common Event Filters
Log source types: Microsoft Windows Security Event Logs (EventID: 4657)


UBA : Malware Activity - Registry Modified In Bulk

Enabled by default: True
Default senseValue: 15
Description: Detects processes that modify multiple registry values in bulk within a short interval.
Support rule: BB:UBA : Common Event Filters
Log source types: Microsoft Windows Security Event Logs (EventID: 4657)
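The following is an added example, not the UBA rule's implementation, of the "many registry values in a short interval" idea: a sliding-window count of 4657 (registry value modified) events per host and process that raises one finding the first time a process changes at least MIN_COUNT values within WINDOW. The event shape (dicts with ts, host, process, event_id and object_name) and the thresholds of 20 modifications in 60 seconds are assumptions of this example.

```python
"""Added example: a sliding-window count of Windows 4657 (registry value
modified) events per host and process, raising a finding when one process
changes at least MIN_COUNT values within WINDOW.

This is not the UBA rule's implementation. The event shape (dicts with ts,
host, process, event_id, object_name) and the thresholds are assumptions of
this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, NamedTuple, Tuple

MIN_COUNT = 20                  # assumed threshold
WINDOW = timedelta(seconds=60)  # assumed "short interval"


class BulkFinding(NamedTuple):
    host: str
    process: str
    count: int
    first_ts: datetime
    last_ts: datetime


def bulk_registry_modifiers(events: Iterable[dict], min_count: int = MIN_COUNT,
                            window: timedelta = WINDOW) -> List[BulkFinding]:
    """Return one finding per (host, process) the first time it trips the threshold."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    findings: Dict[Tuple[str, str], BulkFinding] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event_id") != 4657:
            continue  # only registry value modifications count
        key = (ev["host"], ev["process"])
        times = recent[key]
        times.append(ev["ts"])
        # Drop timestamps that have fallen out of the window.
        while times and ev["ts"] - times[0] > window:
            times.popleft()
        if len(times) >= min_count and key not in findings:
            findings[key] = BulkFinding(key[0], key[1], len(times), times[0], ev["ts"])
    return list(findings.values())


def _make_events(host, process, event_id, start, count, spacing):
    """Build `count` evenly spaced events for one process (constructed data)."""
    return [{"ts": start + i * spacing, "host": host, "process": process,
             "event_id": event_id, "object_name": f"HKLM\\Software\\Example\\Value{i}"}
            for i in range(count)]


# Constructed sample data (not real log data).
T0 = datetime(2019, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    # Five changes two minutes apart: normal service activity, never in-window.
    _make_events("ws01", "C:\\Windows\\System32\\svchost.exe", 4657, T0, 5, timedelta(minutes=2))
    # Twenty-five changes one second apart: a burst that trips the threshold.
    + _make_events("ws01", "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", 4657, T0, 25, timedelta(seconds=1))
    # File-access events (4663) from the same process are ignored by this check.
    + _make_events("ws01", "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", 4663, T0, 30, timedelta(seconds=1))
)

if __name__ == "__main__":
    for f in bulk_registry_modifiers(SAMPLE_EVENTS):
        span = (f.last_ts - f.first_ts).total_seconds()
        print(f"{f.host}: {f.process} modified {f.count} registry values in {span:.0f}s")
```

Reporting only the first trip per process keeps one burst from producing hundreds of findings; a deployment would also want a suppression period before the same process can trip again.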


UBA : Netcat Process Detection (Linux)

Enabled by default: True
Default senseValue: 15
Description: Detects a netcat process on a Linux system.
Support rule: BB:UBA : Common Log Source Filters
Log source types: Linux OS (EventID: SYSCALL)


UBA : Netcat Process Detection (Windows)

Enabled by default: True
Default senseValue: 15
Description: Detects a Netcat process on a Windows system.
Support rule: BB:UBA : Common Event Filters
Log source types: Microsoft Windows Security Event Logs (EventID: 4688)


UBA : Process Executed Outside Gold Disk Whitelist (Linux)

Enabled by default: False
Default senseValue: 15
Description: Detects processes that are created on a Linux system and alerts when the process is outside the golden disk process whitelist.
Note: The rule is disabled by default. Enable the rule only after you populate or modify the process names to be whitelisted in the reference set UBA : Gold Disk Process Whitelist - Linux.
Support rule: BB:UBA : Common Log Source Filters
Required configuration: Add the appropriate values to the following reference set: UBA : Gold Disk Process Whitelist - Linux.
Log source types: Linux OS (EventID: SYSCALL)


UBA : Process Executed Outside Gold Disk Whitelist (Windows)

Enabled by default: False
Default senseValue: 15
Description: Detects processes that are created on a Windows system and alerts when the process is outside the golden disk process whitelist.
Note: The rule is disabled by default. Enable the rule only after you populate or modify the process names to be whitelisted in the reference set UBA : Gold Disk Process Whitelist - Windows.
Required configuration: Add the appropriate values to the following reference set: UBA : Gold Disk Process Whitelist - Windows.
Log source types: Microsoft Windows Security Event Logs (EventID: 4688)


UBA : Ransomware Behavior Detected

Enabled by default: False
Default senseValue: 15
Description: Detects behavior that is typically seen during a ransomware infection.
Support rule: BB:UBA : Common Event Filters
Required configuration: Add the appropriate values to the following reference set: UBA : Windows Common Processes.
Log source types: Microsoft Windows Security Event Logs (EventID: 4663)


UBA : Restricted Program Usage

Enabled by default: False
Default senseValue: 5
Description: Indicates that a process is created and the process name matches one of the binary names listed in the reference set UBA : Restricted Program Filenames. This reference set is blank by default so that you can customize it. You can populate the reference set with the file names that you want to monitor for risk management.
For more information about adding or removing programs for monitoring, see Managing restricted programs.
Support rule: BB:UBA : Common Event Filters
Required configuration: Add the appropriate values to the following reference set: UBA : Restricted Program Filenames.
Log source types: Microsoft Windows Security Event Log

Related concepts

• UBA : Detect Insecure Or Non-Standard Protocol
• UBA : Detect Persistent SSH session
• UBA : Internet Settings Modified
• UBA : Malware Activity - Registry Modified In Bulk
• UBA : Netcat Process Detection (Linux)
• UBA : Netcat Process Detection (Windows)
• UBA : Process Executed Outside Gold Disk Whitelist (Linux)
• UBA : Process Executed Outside Gold Disk Whitelist (Windows)
• UBA : Ransomware Behavior Detected
• UBA : User Installing Suspicious Application
• UBA : User Running New Process
• UBA : Volume Shadow Copy Created

Chapter 7. Rules and tuning for the UBA app 129

UBA : User Installing Suspicious Application

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Supports the following rules:

• UBA : User Installing Suspicious Application
• UBA : Populate Authorized Applications

Enabled by default

False

Default senseValue

15

Description

Detects application installation events and then alerts when suspicious applications are seen. Note: Populate the reference set "UBA : Authorized Applications" with the application names that are authorized in the organization. The rule "UBA : Populate Authorized Applications" can be enabled for a short duration to populate this reference set.

The rule "UBA : Populate Authorized Applications" populates the reference set "UBA : Authorized Applications" with the names of applications that are installed while this rule is enabled. Note: The rule is disabled by default. Enable it for a short duration to populate the names while users are installing applications.

Log source types

Microsoft Windows Security Event Logs

Related concepts

• UBA : Detect Insecure Or Non-Standard Protocol
• UBA : Detect Persistent SSH session
• UBA : Internet Settings Modified
• UBA : Malware Activity - Registry Modified In Bulk
• UBA : Netcat Process Detection (Linux)
• UBA : Netcat Process Detection (Windows)
• UBA : Process Executed Outside Gold Disk Whitelist (Linux)
• UBA : Process Executed Outside Gold Disk Whitelist (Windows)
• UBA : Ransomware Behavior Detected
• UBA : Restricted Program Usage
• UBA : User Running New Process
• UBA : Volume Shadow Copy Created

UBA : User Running New Process

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Supports the following rules:

• UBA : User Running New Process
• UBA : Populate Process Filenames

Enabled by default

False

Default senseValue

15

Description

Detects processes that are created by the user and then alerts when a user runs a new process.

The rule "UBA : Populate Process Filenames" populates the reference set "UBA : Process Filenames" and is used as a utility rule for "UBA : User Running New Process". Note: The rule is disabled by default. Enable the rule for a short duration to populate the file names.

Support rule

BB:UBA : Common Event Filters, UBA : Populate Process Filenames

Required configuration

Add the appropriate values to the following reference set: "UBA : Process Filenames".


Log source types

Microsoft Windows System Event Logs (EventID: 4688)
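Both "UBA : Restricted Program Usage" (alert when a created process is in a reference set) and "UBA : User Running New Process" (alert when it is not in a set that a populate rule filled during a baseline window) reduce to the same mechanism: match a process name from a Windows process-creation event against a reference set. The following Python is an added example written for this guide, not UBA app or QRadar code; the event records, the set contents and the ReferenceSet stand-in class are constructed for illustration.

```python
"""Reference-set driven process detection, modelled on 'UBA : Restricted Program
Usage' and 'UBA : User Running New Process' with its populate rule.
Added example, not UBA app or QRadar code; events and set contents are constructed."""
from dataclasses import dataclass, field

# Constructed events in the shape of a normalized Windows process-creation
# record (Event ID 4688): acting user, host and the new process file name.
SAMPLE_EVENTS = [
    {"user": "alice", "host": "WS01", "process": "outlook.exe"},
    {"user": "alice", "host": "WS01", "process": "EXCEL.EXE"},
    {"user": "bob",   "host": "WS02", "process": "powershell.exe"},
    {"user": "bob",   "host": "WS02", "process": "outlook.exe"},
    {"user": "carol", "host": "WS03", "process": "psexec.exe"},
    {"user": "alice", "host": "WS01", "process": "7z.exe"},
]


@dataclass
class ReferenceSet:
    """Stand-in for a QRadar reference set of file names. Values are folded to
    lower case because Windows process names are not case-sensitive."""
    name: str
    values: set = field(default_factory=set)

    def add(self, value: str) -> None:
        self.values.add(value.lower())

    def contains(self, value: str) -> bool:
        return value.lower() in self.values


def populate_process_filenames(events, ref_set):
    """Baseline pass standing in for 'UBA : Populate Process Filenames': every
    process name seen while the populate rule is enabled goes into the set."""
    for ev in events:
        ref_set.add(ev["process"])
    return ref_set


def restricted_program_usage(events, restricted):
    """'UBA : Restricted Program Usage': alert on every process creation whose
    name is in the restricted set. An empty set (the shipped default) never fires."""
    return [ev for ev in events if restricted.contains(ev["process"])]


def user_running_new_process(events, known):
    """'UBA : User Running New Process': alert when the process name is not in
    the baseline set. Assumption of this example: after alerting, the name is
    learned so the same program is reported once; the guide does not say how
    the UBA rule treats repeats."""
    alerts = []
    for ev in events:
        if not known.contains(ev["process"]):
            alerts.append(ev)
            known.add(ev["process"])
    return alerts


def demo():
    """Run both rules over the constructed events and return their alerts."""
    restricted = ReferenceSet("UBA : Restricted Program Filenames")
    for name in ("psexec.exe", "powershell.exe"):   # constructed policy choice
        restricted.add(name)
    # Baseline window: only the first four events were seen while the
    # populate rule was enabled, so the later processes are "new".
    baseline = populate_process_filenames(
        SAMPLE_EVENTS[:4], ReferenceSet("UBA : Process Filenames"))
    return {
        "restricted": restricted_program_usage(SAMPLE_EVENTS, restricted),
        "new_process": user_running_new_process(SAMPLE_EVENTS, baseline),
    }


if __name__ == "__main__":
    for rule, hits in demo().items():
        print(rule, [(h["user"], h["process"]) for h in hits])
```

The two rules differ only in the sense of the membership test, which is why the quality of the reference set decides the false-positive rate: a short populate window leaves the baseline incomplete and every program outside it alerts, while a populate window that overlaps an incident bakes the attacker's tooling into the baseline.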

Related concepts

• UBA : Detect Insecure Or Non-Standard Protocol
• UBA : Detect Persistent SSH session
• UBA : Internet Settings Modified
• UBA : Malware Activity - Registry Modified In Bulk
• UBA : Netcat Process Detection (Linux)
• UBA : Netcat Process Detection (Windows)
• UBA : Process Executed Outside Gold Disk Whitelist (Linux)
• UBA : Process Executed Outside Gold Disk Whitelist (Windows)
• UBA : Ransomware Behavior Detected
• UBA : Restricted Program Usage
• UBA : User Installing Suspicious Application
• UBA : Volume Shadow Copy Created

UBA : Volume Shadow Copy Created

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Volume Shadow Copy Created

Enabled by default

True


Default senseValue

15

Description

Detects shadow copies that were created using vssadmin.exe or Windows Management Instrumentation Command-line (WMIC).

Support rule

BB:UBA : Common Event Filters

Log source types

Microsoft Windows Security Event Logs (EventID: 1 or 4688)

Related concepts

• UBA : Detect Insecure Or Non-Standard Protocol
• UBA : Detect Persistent SSH session
• UBA : Internet Settings Modified
• UBA : Malware Activity - Registry Modified In Bulk
• UBA : Netcat Process Detection (Linux)
• UBA : Netcat Process Detection (Windows)
• UBA : Process Executed Outside Gold Disk Whitelist (Linux)
• UBA : Process Executed Outside Gold Disk Whitelist (Windows)
• UBA : Ransomware Behavior Detected
• UBA : Restricted Program Usage
• UBA : User Installing Suspicious Application
• UBA : User Running New Process

Exfiltration

UBA : Abnormal data volume to external domain (ADE rule)

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Note: This rule has been replaced with the following Machine Learning Analytic: Abnormal Volume of Data to External Domains.

• UBA : Abnormal data volume to external domain
• UBA : Abnormal data volume to external domain Found

Warning: Enabling ADE rules can affect the performance of the UBA app and your QRadar system.

Enabled by default

False

Default senseValue

15

Description

UBA : Abnormal data volume to external domain: This rule uses the Anomaly Detection engine to monitor users' traffic usage and alert on abnormal volumes of traffic to external domains.

UBA : Abnormal data volume to external domain Found: This is a CRE rule that supports the identical respective ADE rule, UBA : Abnormal data volume to external domain, which uses the Anomaly Detection engine to monitor users' traffic usage and alert on abnormal volumes of traffic to external domains.

Log source types

Juniper SRX Series Services Gateway, Microsoft ISA, Pulse Secure Pulse Connect Secure

UBA : Abnormal Outbound Transfer Attempts (ADE rule)

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Note: This rule has been replaced with the following Machine Learning Analytic: Outbound Transfer Attempts. For more information, see "Outbound Transfer Attempts" on page 237.

UBA : Abnormal Outbound Transfer Attempts (called UBA : Abnormal Outbound Attempts in V2.4.0)

UBA : Abnormal Outbound Transfer Attempts Found

Warning: Enabling ADE rules can affect the performance of the UBA app and your QRadar system.

Enabled by default

False

Default senseValue

15


Description

UBA : Abnormal Outbound Transfer Attempts (ADE rule): This rule uses the Anomaly Detection engine to monitor outbound traffic usage and to alert on an abnormal number of attempts.

UBA : Abnormal Outbound Transfer Attempts Found: This is a CRE rule that supports the identical respective ADE rule, UBA : Abnormal Outbound Attempts, which uses the Anomaly Detection engine to monitor outbound traffic usage and to alert on an abnormal number of attempts.

Log source types

All supported log sources.

UBA : Data Exfiltration by Cloud Services

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Data Exfiltration by Cloud Services

Enabled by default

False

Default senseValue

5

Description

Detects users that are uploading files to personal cloud services.

Support rules

• BB:UBA : Common Event Filters
• BB:UBA : File Transfer to Cloud services

Log source types

Aruba Introspect (EventID: Cloud Exfiltration)

Fortinet FortiGate Security Gateway (EventID: 16064, 35599, 35977, 35984, 36076, 36115, 36300, 36343, 36350, 36353, 36413, 38668, 38902, 38994, 39287, 39297, 39356, 39474, 39806)

UBA : Data Exfiltration by Print

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Data Exfiltration by Print

Enabled by default

False

Default senseValue

5

Description

Detects users that are sending files to print or that are using screen capture tools such as Print Screen and Snipping Tool.


Support rules

• BB:UBA : Common Event Filters
• BB:UBA : File Transfer to Print

Log source types

Universal DSM (EventID: File Print)

Verdasys Digital Guardian (EventID: Print, ADE Print Screen)

UBA : Data Exfiltration by Removable Media

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Data Exfiltration by Removable Media

Enabled by default

False

Default senseValue

5

Description

Detects users that are transferring files to removable media such as USB and CD.

Support rules

• BB:UBA : Common Event Filters
• BB:UBA : File Transfer to CD
• BB:UBA : File Transfer to USB

Log source types

Symantec Endpoint Protection (EventID: Log writing to USB drives_File_Write, Log writing to USB drives_Write File)

Verdasys Digital Guardian (EventID: CD Burn)

UBA : Data Loss Possible

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Data Loss Possible

Enabled by default

True

Default senseValue

15

Description

Detects possible data loss determined by either the data source, event category, or specific events related to data loss detection and prevention.


Support rules

• BB:UBA : Data Loss Categories
• BB:UBA : Data Loss Devices
• BB:UBA : Data Loss Events

Log source types

Check Point (EventID: Detect)

Cisco Stealthwatch (EventID: 40, 45)

Forcepoint V Series (EventID: BLOCKED_BY_WEB_DLP)

Fortinet FortiGate Security Gateway (EventID: dlp passthrough, 43720)

IBM Proventia Network Intrusion Prevention System (IPS) (EventID: BsdlprSymlink, FreebsdLpdBo, HummingbirdLpdBo, MozillaSenduidlPop3Bo, BsdLpdBo)

McAfee Network Security Platform (EventID: 0x4517f400)

Netskope Active (EventID: dlp)

Pulse Secure Pulse Connect Secure (EventID: SYS24815, SYS24843, SYS24844)

Skyhigh Networks Cloud Security Platform (EventID: Anomaly, Incident, 10003, 10004, 10005, 10036)

Symantec DLP (EventID: all ids)

TippingPoint Intrusion Prevention System (IPS) (EventID: 26335, 26334, 26336, 27318, 27494, 27515)

Universal DSM (EventID: Data Loss Possible, Data Loss Prevention Policy Violation)

Verdasys Digital Guardian (EventID: ADE Screen Capture, Application Data Exchange, Attach Mail, CD Burn, File Archive, File Copy, File Delete, File Move, File Recycle, File Rename, File Save As, Network Transfer Download, Network Transfer Upload, Print, Print Screen, ADE Print Process)

WatchGuard Fireware OS (EventID: 1CFF0011, 1AFF002F, 1AFF0030, 1AFF0031, 1BFF0024, 1BFF0025, 1BFF0026, 1BFF0027, 1CFF0012, 1CFF0013, 1CFF0014)

UBA : Large Outbound Transfer by High Risk User

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Large Outbound Transfer by High Risk User

Enabled by default

False

Default senseValue

15

Description

Detects an outbound transfer of 200,000 bytes or more by a high risk user.

Support rules

BB:UBA : Common Event Filters

Log source types

Log sources that have the CEP BytesSent defined.


UBA : Multiple Blocked File Transfers Followed by a File Transfer

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Multiple Blocked File Transfers Followed by a File Transfer

Enabled by default

True

Default senseValue

10

Description

Detects exfiltration by checking for file uploads that were initially blocked but were followed by a successful upload within a span of 5 minutes.

Support rules

• BB:UBA : Common Event Filters
• BB:UBA : Blocked File Transfer
• BB:UBA : Successful File Transfer

Required configuration

This rule requires both Blocked file transfers and Successful file transfers events to occur for an accurate detection. If the log source that is used does not have an eventID for both events, you might receive inaccurate results. See the Data sources to determine eventIDs for the log source in use.

Log source types (Blocked file transfers)

Cilasoft QJRN/400 (EventID: C21020)

Cisco Call Manager (EventID: %UC_DRF-3-DRFSftpFailure)

Cisco IOS (EventID: %UPDATE-3-SFTP_TRANSFER_FAIL)

Custom Rule Engine (EventID: 18014, 18071, 18187, 4032)

Extreme Stackable and Standalone Switches (EventID: FFTP request failed)

Flow Classification Engine (EventID: 4032, 18187, 18014, 18071)

Forcepoint Sidewinder (EventID: FTP Permits, denied ftp command)

IBM i (EventID: UNR0907, UNR0908, UNR2302, GSL0118, GSL0119, GSL0318, GSL0319, GSL3718, GSL3719, GSL0618, UNR0701, UNR0707, UNR0901, UNR0910, UNR2301, UNR0705, UNR0706, UNR0708, UNR0710, UNR0801, UNR0802, UNR0905, UNR0906, GSL0619)

Juniper Networks Intrusion Detection and Prevention (IDP) (EventID: TFTP:AUDIT:READ-FAILED)

Microsoft IIS (EventID: 530)

Microsoft Operations Manager (EventID: 22095)

OSSEC (EventID: 11504, 11512)

Universal DSM (EventID: FTP Action Denied, TFTP Session Denied, FTP Denied, File Transfer Denied)

WatchGuard Fireware OS (EventID: 1CFF0002, 1CFF0006, 1CFF0007, 1CFF0009, 1CFF0001, 1CFF0019, 1CFF0000, 1CFF0003)


Log source types (Successful file transfers)

Cilasoft QJRN/400 (EventID: C21031)

Cisco FireSIGHT Management Center (EventID: FILE_EVENT, FILE_EVENT_0)

Cisco IOS (EventID: %FTPSERVER-6-NEWCONN)

Cisco IronPort (EventID: FTP_connection)

Custom Rule Engine (EventID: 18010, 4031, 18431, 18183)

DG Technology MEAS (EventID: 119-003, 119-070)

Flow Classification Engine (EventID: 18010, 4031, 18431, 18183)

Flow Device Type (EventID: 21984, 21879, 51337, 51336, 35159, 21910)

Huawei S Series Switch (EventID: FTPS/5/REQUEST)

IBM Proventia Network Intrusion Prevention System (IPS) (EventID: FTP, TFTP)

IBM i (EventID: MLD1200, MLD2100, MO10300, MO10400, MO11800, MO12100, MO12400, MO20200, MO20300, MO21300, MO21800, MO21900, GSL0101, GSL0102, GSL0301, GSL0302, GSL3701, GSL3702, M090100, UNA0705, UNA0706, UNA0708, UNA0710, UNA0801, UNA0802, UNA0905, UNA0906, UNA0907, UNA0908, UNA2302, UNA0601, UNA0604, UNA0605, UNA0607, UNA0701, UNA0707, UNA0901, UNA0902, UNA0910, UNA2301, M030100, MLD1100)

Juniper MX Series Ethernet Services Router (EventID: TFTP, FTP)

Juniper Networks AVT (EventID: TFTP, FTP)

Microsoft IIS (EventID: 150, 125, 225)

ProFTPD Server (EventID: FTP session opened)

Solaris Operating System Authentication Messages (EventID: ftp connection)

SonicWALL SonicOS (EventID: 1112, 1113)

Squid Web Proxy (EventID: 3C0002_ALLOWED)

Trend InterScan VirusWall (EventID: Trend ftpconnect)

Universal DSM (EventID: File Transfer, FTP Opened, FTP Action Allowed, TFTP Session Opened)

Verdasys Digital Guardian (EventID: Network Transfer Upload, Network Transfer Download)

WatchGuard Fireware OS (EventID: 2AFF0004, 1CFF0019)

UBA : Suspicious Access Followed by Data Exfiltration

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Suspicious Access Followed by Data Exfiltration

Enabled by default

False

Default senseValue

10

Description

Detects access from unusual, restricted, or prohibited locations followed by a data exfiltration attempt.


Support rule

• BB:UBA : Common Event Filters
• BB:UBA : Data Exfiltration
• UBA : User Access from Restricted Location
• UBA : User Access from Prohibited Location
• UBA : User Geography, Access from Unusual Locations

Required configuration

Enable the following rules:

• UBA : User Access from Restricted Location
• UBA : User Access from Prohibited Location
• UBA : User Geography, Access from Unusual Locations

Log source types

Cisco Stealthwatch (EventID: 45)

IBM Security Trusteer Apex Advanced Malware Protection (EventID: ConnectionCreate.Connection_Test, CerberusNG.ent_create_remote_thread, ConnectionCreate.in_suspend_state, ConnectionCreate.orphant_thread_connect, close.file_inspection, processcreate.file_inspection)

Skyhigh Networks Cloud Security Platform (EventID: 10003, 10004)
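"UBA : Multiple Blocked File Transfers Followed by a File Transfer" (blocked uploads, then a successful one within 5 minutes) and "UBA : Suspicious Access Followed by Data Exfiltration" (access from an unusual, restricted or prohibited location, then an exfiltration attempt) share one shape: per user, event A followed by event B inside a time window. The Python below is an added example written for this guide, not UBA app or QRadar code; it generalizes that shape into one correlator and instantiates it for both rules. The event records, field names and the one-hour window used for the access rule are constructed (the guide states the 5-minute span for the transfer rule but no window for the access rule). It also shows the consequence of the required-configuration note above: a log source that yields only one of the two event types can never complete the sequence.

```python
"""Per-user 'A followed by B within a window' correlation, the shape shared by
'UBA : Multiple Blocked File Transfers Followed by a File Transfer' and
'UBA : Suspicious Access Followed by Data Exfiltration'.
Added example, not UBA app or QRadar code; events and field names are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def correlate_followed_by(events, is_first, is_second, window, min_first=1):
    """Emit one alert per event matching `is_second` that was preceded, within
    `window`, by at least `min_first` events matching `is_first` for the same
    user. Events are processed in time order; precursor timestamps are held in
    a per-user deque and dropped as they age out of the window."""
    pending = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 strings sort by time
        t = datetime.fromisoformat(ev["ts"])
        q = pending[ev["user"]]
        while q and t - q[0] > window:
            q.popleft()
        if is_first(ev):
            q.append(t)
        if is_second(ev) and len(q) >= min_first:
            alerts.append({"user": ev["user"], "ts": ev["ts"], "preceded_by": len(q)})
            q.clear()   # design choice: consume the precursors so one burst fires once
    return alerts


# Constructed file-transfer events. 'outcome' is the normalized category a DSM
# would derive from the EventIDs listed for the rule (e.g. Microsoft IIS 530 is
# a blocked transfer, 150/125/225 successful ones).
TRANSFER_EVENTS = [
    {"ts": "2019-05-20T10:00:05", "user": "alice", "outcome": "blocked"},
    {"ts": "2019-05-20T10:01:10", "user": "alice", "outcome": "blocked"},
    {"ts": "2019-05-20T10:03:30", "user": "alice", "outcome": "allowed"},  # fires
    {"ts": "2019-05-20T10:00:00", "user": "bob",   "outcome": "blocked"},
    {"ts": "2019-05-20T10:00:30", "user": "bob",   "outcome": "blocked"},
    {"ts": "2019-05-20T10:09:00", "user": "bob",   "outcome": "allowed"},  # blocks expired
    {"ts": "2019-05-20T10:20:00", "user": "dave",  "outcome": "blocked"},
    {"ts": "2019-05-20T10:21:00", "user": "dave",  "outcome": "allowed"},  # only one block
    {"ts": "2019-05-20T11:00:00", "user": "carol", "outcome": "allowed"},  # source never reports blocks
]


def blocked_then_successful_transfer(events, min_blocked=2):
    """The transfer rule: 'multiple' blocked uploads, then success within 5 minutes."""
    return correlate_followed_by(
        events,
        is_first=lambda e: e["outcome"] == "blocked",
        is_second=lambda e: e["outcome"] == "allowed",
        window=timedelta(minutes=5),
        min_first=min_blocked,
    )


# Constructed access/exfiltration events. 'location' is the verdict the
# prerequisite geography rules would attach; 'exfil' stands for an event matched
# by BB:UBA : Data Exfiltration.
ACCESS_EVENTS = [
    {"ts": "2019-05-20T09:00:00", "user": "erin",  "kind": "access", "location": "unusual"},
    {"ts": "2019-05-20T09:30:00", "user": "erin",  "kind": "exfil"},             # fires
    {"ts": "2019-05-20T09:00:00", "user": "frank", "kind": "access", "location": "usual"},
    {"ts": "2019-05-20T09:10:00", "user": "frank", "kind": "exfil"},             # normal location
]


def suspicious_access_then_exfiltration(events, window=timedelta(hours=1)):
    """The access rule. Assumption: the guide gives no window for it; 1 hour is illustrative."""
    return correlate_followed_by(
        events,
        is_first=lambda e: e["kind"] == "access"
        and e.get("location") in {"unusual", "restricted", "prohibited"},
        is_second=lambda e: e["kind"] == "exfil",
        window=window,
    )


if __name__ == "__main__":
    print(blocked_then_successful_transfer(TRANSFER_EVENTS))
    print(suspicious_access_then_exfiltration(ACCESS_EVENTS))
```

The `carol` record shows why the configuration note matters: a log source that only ever emits successful-transfer events leaves the precursor queue empty, so the rule is silent for that source no matter how many uploads follow blocked attempts elsewhere. Tuning `min_blocked` trades noise for coverage; with `min_blocked=1` the single block before `dave`'s upload also fires.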

UBA : User Volume Activity Anomaly - Traffic to External Domains (ADE rule)

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Note: The UBA : User Volume Activity Anomaly - Traffic to External Domains rule is no longer supported.

• UBA : User Volume Activity Anomaly - Traffic to External Domains
• UBA : User Volume Activity Anomaly - Traffic to External Domains Found

Enabled by default

False

Default senseValue

10

Description

UBA : User Volume Activity Anomaly - Traffic to External Domains: This is a CRE rule that supports the identical respective ADE rule, UBA : User Volume of Activity Anomaly - Traffic, which uses the Anomaly Detection engine to monitor users' traffic usage and alert on unusual volumes of traffic.

UBA : User Volume Activity Anomaly - Traffic to External Domains Found: This is a CRE rule that supports the identical respective UBA : User Volume Activity Anomaly - Traffic to External Domains rule, which uses the Anomaly Detection engine to monitor outbound traffic usage and to alert on an abnormal number of attempts.

Log source types

Juniper SRX Series Services Gateway, Microsoft ISA, Pulse Secure Pulse Connect Secure


Geography

UBA : Anomalous Account Created From New Location

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Anomalous Account Created From New Location

Enabled by default

True

Default senseValue

5

Description

Detects anomalous account creation activity from a new location.

Support rules

• BB:UBA : Cloud Endpoints
• BB:UBA : User Account Created
• BB:UBA : Common Event Filters
• UBA : User Geography Change

Required configuration

Enable the following rule: "UBA : User Geography Change".

Log source types

AhnLab Policy Center APC (EventID: Administrator Account Add:Succeeded, ADD_ADMIN_ACCOUNT_SUCCESS)

Application Security DbProtect (EventID: Database user created, Login created - standard, Login added - Windows, Database role - created)

Aruba Mobility Controller (EventID: authmgr_user_add)

Bit9 Security Platform (EventID: User_group_created, User_group_modified, User_group_deleted, Console_user_created, Console_user_modified, Console_user_deleted)

Box (EventID: NEW_USER)

Brocade FabricOS (EventID: SEC-1180, SEC-3025, SEC-1182)

CA ACF2 (EventID: ACF2-L)

Check Point (EventID: User Added, device_added)

Cilasoft QJRN/400 (EventID: C20010, C20011)

Cisco Adaptive Security Appliance (ASA) (EventID: %PIX|ASA-5-502101, %ASA-5-502101)

Cisco Firewall Services Module (FWSM) (EventID: 502101, 504001)

Cisco IOS (EventID: %APF-6-USER_NAME_CREATED)

Cisco Identity Services Engine (EventID: 86006)

Cisco NAC Appliance (EventID: CCA-1500)


Cisco PIX Firewall (EventID: %PIX-0-502101, %PIX-1-502101, %PIX-2-502101, %PIX-3-502101, %PIX-4-502101, %PIX-5-502101, %PIX-6-502101, %PIX-7-502101)

Cisco PIX Firewall (EventID: 502101)

Cisco Wireless LAN Controllers (EventID: %APF-6-USER_NAME_CREATED, 1.3.6.1.4.1.9.9.515.0.2)

Cisco Wireless Services Module (WiSM) (EventID: %AAA-6-GUEST_ACCOUNT_CREATE, %APF-6-USER_NAME_CREATED)

CloudPassage Halo (EventID: Halo user added, Halo user re-added, Local account created (linux only))

CorreLog Agent for IBM zOS (EventID: RACF ADDUSER: No Violations)

Cyber-Ark Vault (EventID: 180, 2)

EMC VMWare (EventID: AccountCreatedEvent)

Extreme Dragon Network IPS (EventID: HOST:WIN:ACCOUNT-CREATED)

Extreme Matrix K/N/S Series Switch (EventID: created with, User Created Event)

Extreme NAC (EventID: Added registered user, Add Registered User)

Flow Classification Engine (EventID: 3031, 3041)

Forcepoint Sidewinder (EventID: passport addition)

Fortinet FortiGate Security Gateway (EventID: add, auth-logon)

Foundry Fastiron (EventID: SNMP_USER_ADDED)

HBGary Active Defense (EventID: CreateUser)

HP Network Automation (EventID: User Added)

IBM AIX Audit (EventID: USER_Create SUCCEEDED)

IBM AIX Server (EventID: USER_Create)

IBM DB2 (EventID: ADD_USER SUCCESS)

IBM IMS (EventID: USER CREATED)

IBM QRadar Packet Capture (EventID: UserAdded)

IBM Resource Access Control Facility (RACF) (EventID: 80 10.0, 80 10.2)

IBM Security Access Manager for Enterprise Single Sign-On (EventID: PRE_PROVISION_IMS_USER, AA_SCR_REGISTRATION, REGISTER_MAC_IDENTITY, REGISTER_IDENTITY)

IBM Security Directory Server (EventID: SDS Audit)

IBM Security Identity Governance (EventID: 49, 70004, 42)

IBM Security Identity Manager (EventID: Add Success, Add SUBMITTED, Add SUCCESS)

IBM SmartCloud Orchestrator (EventID: user)

IBM Tivoli Access Manager for e-business (EventID: 13402 - Succeeded, 13401 - Succeeded, 13402 Command Succeeded, 13401 Command Succeeded)

IBM i (EventID: GSL2401, MC@0300, GSL2402, M240100, CP_CRT)

Imperva SecureSphere (EventID: NEW_USERS_ACCOUNT, SOX_NEW_USERS, SOX - New users, New Users Account)

Itron Smart Meter (EventID: CEUI-AUDIT-27, CEUI.AUDIT.26)

Juniper Networks Network and Security Manager (EventID: adm23303, aut20167, adm30407, aut20168, adm20716, adm20717)

Linux OS (EventID: ADD_USER)

McAfee Application/Change Control (EventID: USER_ACCOUNT_CREATED)


McAfee ePolicy Orchestrator (EventID: 20792)

Microsoft ISA (EventID: user added)

Microsoft SQL Server (EventID: CR - SU, CR - US, CR - SL, CR - LX, CR - AR, CR - WU, 24127, 24121, 24075)

Microsoft SharePoint (EventID: 37)

Microsoft Windows Security Event Log (EventID: 624, 645, 1318, 4720, 4741)

NCC Group DDos Secure (EventID: 1003)

Netskope Active (EventID: Create Admin, Created new admin)

Novell eDirectory (EventID: CREATE_ACCOUNT)

OS Services Qidmap (EventID: User Account Added)

OSSEC (EventID: 5902, 18110)

Okta (EventID: app.user_management.push_new_user_success, app.generic.import.details.add_user, app.generic.import.new_user, app.user_management.provision_user, app.user_management.push_new_user, app.user_management.push_profile_success, core.user.config.user_creation.success, core.user_group_member.user_add, cvd.user_profile_bootstrapped, cvd.appuser_profile_bootstrapped)

OpenBSD OS (EventID: add user)

Oracle Enterprise Manager (EventID: User Create (successful), Computer Create (successful))

Oracle RDBMS Audit Record (EventID: 51:1, 51:0, CREATE USER-Standard:1, CREATE USER-Standard:0)

Oracle RDBMS OS Audit Record (EventID: 51)

Pirean Access: One (EventID: IsimUserRegistration;*;1)

Pulse Secure Pulse Connect Secure (EventID: ADM23303, ADM20265, AUT20167, ADM30407, AUT20168)

RSA Authentication Manager (EventID: Added user, unknown, REMOTE_PRINCIPAL_CREATE, CREATE_PRINCIPAL, CREATE_AM_PRINCIPAL)

SIM Audit (EventID: Configuration-UserAccount-AccountAdded)

STEALTHbits StealthINTERCEPT (EventID: Active DirectorycomputerObject AddedTrueFalse, Console ?user/group added, Console � user/group added, Active DirectoryuserObject AddedTrueFalse, Console -user/group added)

SafeNet DataSecure/KeySecure (EventID: Added user)

Salesforce Security Auditing (EventID: Created new Customer User, Created new user)

Skyhigh Networks Cloud Security Platform (EventID: 10016)

Solaris BSM (EventID: create user)

SonicWALL SonicOS (EventID: 558)

Symantec Encryption Management Server (EventID: ADMIN_IMPORTED_USER)

ThreatGRID Malware Threat Intelligence Platform (EventID: user-account-creation)

Trend Micro Deep Discovery Email Inspector (EventID: SYSTEM_EVENT_ACCOUNT_CREATED)

Trend Micro Deep Security (EventID: 650)

Universal DSM (EventID: Computer Account Added, User Account Added)

VMware vCloud Director (EventID: com/vmware/vcloud/event/user/create, com/vmware/vcloud/event/user/import)

Vormetric Data Security (EventID: DAO0089I)

Chapter 7. Rules and tuning for the UBA app 143

Page 152: Version 3.3.0 app IBM QRadar User Behavior …public.dhe.ibm.com/software/security/products/qradar/...IBM QRadar User Behavior Analytics (UBA) app Version 3.3.0 User Guide IBM Note

iT-CUBE agileSI (EventID: U0, AU7)

Related concepts

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies. See also:

• UBA : Anomalous Cloud Account Created From New Location
• UBA : User Access from Multiple Locations
• UBA : User Access from Prohibited Location
• UBA : User Access from Restricted Location
• UBA : User Geography Change
• UBA : User Geography, Access from Unusual Locations

UBA : Anomalous Cloud Account Created From New Location

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default

True

Default senseValue

10

Description

Detects cloud account creation activities from a new location.

Support rules

• BB:UBA : Common Event Filters
• BB:UBA : Cloud Endpoints
• BB:UBA : User Account Created
• UBA : User Geography Change

Required configuration

Enable the following rule: "UBA : User Geography Change".

Log source types

Amazon AWS CloudTrail (EventID: CreateUser)

Microsoft Office 365 (EventID: Add User-success, Add user-PartiallySucceded)


Related concepts

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies. See also:

• UBA : Anomalous Account Created From New Location
• UBA : User Access from Multiple Locations
• UBA : User Access from Prohibited Location
• UBA : User Access from Restricted Location
• UBA : User Geography Change
• UBA : User Geography, Access from Unusual Locations

UBA : User Access from Multiple Locations

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default

True

Default senseValue

5

Description

Indicates that multiple locations or sources are using the same user account simultaneously. Adjust the match and duration parameters to tune responsiveness.

Support rule

BB:UBA : Common Event Filters

Log source types

APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDos Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI

Related concepts

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies. See also:

• UBA : Anomalous Account Created From New Location
• UBA : Anomalous Cloud Account Created From New Location
• UBA : User Access from Prohibited Location
• UBA : User Access from Restricted Location
• UBA : User Geography Change
• UBA : User Geography, Access from Unusual Locations

UBA : User Access from Prohibited Location

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default

False

Default senseValue

15

Description

Detects user access from a location not in the "UBA : Allowed Location List."

Support rules

• BB:UBA : Common Event Filters
• BB:CategoryDefinition: Authentication Success

Required configuration

Add the appropriate values to the following reference set: UBA : Allowed Location List

Log source types

APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDos Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI

Related concepts

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies. See also:

• UBA : Anomalous Account Created From New Location
• UBA : Anomalous Cloud Account Created From New Location
• UBA : User Access from Multiple Locations
• UBA : User Access from Restricted Location
• UBA : User Geography Change
• UBA : User Geography, Access from Unusual Locations

UBA : User Access from Restricted Location

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default

False

Default senseValue

15

Description

Detects user access from a location on the "UBA : Restricted Location List." You can add countries from "geographic location" to the "UBA : Restricted Location List."

Support rules

• BB:UBA : Common Event Filters
• BB:CategoryDefinition: Authentication Success

Required configuration

Add the appropriate values to the following reference set: UBA : Restricted Location List

Log source types

APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDos Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI

Related concepts

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies. See also:

• UBA : Anomalous Account Created From New Location
• UBA : Anomalous Cloud Account Created From New Location
• UBA : User Access from Multiple Locations
• UBA : User Access from Prohibited Location
• UBA : User Geography Change
• UBA : User Geography, Access from Unusual Locations

UBA : User Geography Change

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default

True

Default senseValue

5

Description

A match indicates that a user logged in remotely from a country that is different from the country of the user's last remote login. This rule might also indicate an account compromise, particularly if the rule matches occurred closely in time.

Support rules

• BB:UBA : Common Event Filters
• BB:CategoryDefinition: Authentication Success
• UBA : User Geography Map

Required configuration

Enable the following rule: UBA : User Geography Map

Log source types

APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDos Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI

Support rule

User Geography Map

This rule updates the associated reference sets with the required data.

Related concepts

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies. See also:

• UBA : Anomalous Account Created From New Location
• UBA : Anomalous Cloud Account Created From New Location
• UBA : User Access from Multiple Locations
• UBA : User Access from Prohibited Location
• UBA : User Access from Restricted Location
• UBA : User Geography, Access from Unusual Locations
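The four location rules described in this chapter (UBA : User Access from Prohibited Location, UBA : User Access from Restricted Location, UBA : User Access from Multiple Locations and UBA : User Geography Change) share one evaluation pattern: each authentication-success event's source country is compared against a reference set, or against the state that the User Geography Map keeps for that user. The Python script below is an added illustration of that pattern and is not code from the UBA app or from QRadar. It assumes constructed events in a simple pipe-separated form with two-letter country codes (QRadar would derive the country from the source IP), constructed contents for the allowed and restricted location reference sets, and it interprets the match and duration parameters of the Multiple Locations rule as "at least `match` distinct sources within `duration`". The senseValue weights are the defaults listed for each rule in this chapter.

```python
"""Illustration of the UBA location rules (added example, not IBM's code).

Constructed sample events stand in for QRadar authentication-success
events; the country field stands in for the geolocation of the source IP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-ins for the "UBA : Allowed Location List" and
# "UBA : Restricted Location List" reference sets.
ALLOWED_LOCATIONS = {"US", "CA", "GB"}
RESTRICTED_LOCATIONS = {"KP", "IR"}

# Default senseValues from the rule descriptions in this chapter.
SENSE = {
    "UBA : User Access from Prohibited Location": 15,
    "UBA : User Access from Restricted Location": 15,
    "UBA : User Geography Change": 5,
    "UBA : User Access from Multiple Locations": 5,
}

# Constructed events: time|user|source IP|country|local-or-remote.
SAMPLE_EVENTS = [
    "2019-06-01T08:00:00|alice|10.0.0.5|US|local",
    "2019-06-01T09:02:00|alice|203.0.113.7|US|remote",
    "2019-06-01T09:03:00|alice|198.51.100.9|DE|remote",
    "2019-06-01T12:00:00|bob|192.0.2.10|GB|remote",
    "2019-06-01T12:30:00|bob|192.0.2.10|GB|remote",
    "2019-06-02T08:00:00|bob|203.0.113.200|KP|remote",
]


def parse_event(line):
    """Split one constructed record into a dict with a datetime."""
    ts, user, src, country, scope = line.strip().split("|")
    return {"time": datetime.fromisoformat(ts), "user": user,
            "src": src, "country": country, "remote": scope == "remote"}


def evaluate(lines, match=2, duration=timedelta(minutes=5)):
    """Run the four location rules over events in time order.

    Returns (alerts, risk): alerts is a list of (rule, user, ISO time)
    tuples in firing order; risk maps each user to the sum of the
    senseValues of the rules that fired for that user.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    last_remote_country = {}            # state the User Geography Map rule keeps
    recent_sources = defaultdict(list)  # user -> [(time, src)] inside the window
    alerts, risk = [], defaultdict(int)

    def fire(rule, ev):
        alerts.append((rule, ev["user"], ev["time"].isoformat()))
        risk[ev["user"]] += SENSE[rule]

    for ev in events:
        user, country = ev["user"], ev["country"]

        # Prohibited Location: country absent from the allowed list.
        if country not in ALLOWED_LOCATIONS:
            fire("UBA : User Access from Prohibited Location", ev)

        # Restricted Location: country present on the restricted list.
        if country in RESTRICTED_LOCATIONS:
            fire("UBA : User Access from Restricted Location", ev)

        # Geography Change: a remote login from a country that differs
        # from the country of this user's previous remote login.
        if ev["remote"]:
            previous = last_remote_country.get(user)
            if previous is not None and previous != country:
                fire("UBA : User Geography Change", ev)
            last_remote_country[user] = country

        # Multiple Locations: this event raises the number of distinct
        # sources seen for the user inside `duration` to at least `match`.
        window = [(t, s) for t, s in recent_sources[user]
                  if ev["time"] - t <= duration]
        known = {s for _, s in window}
        if ev["src"] not in known and len(known) + 1 >= match:
            fire("UBA : User Access from Multiple Locations", ev)
        recent_sources[user] = window + [(ev["time"], ev["src"])]

    return alerts, dict(risk)


if __name__ == "__main__":
    found, scores = evaluate(SAMPLE_EVENTS)
    for rule, user, when in found:
        print(f"{when} {user:6} {rule}")
    print("risk per user:", scores)
```

In the constructed sample, alice's third event fires three rules at once (a country outside the allowed list, a change from her previous remote country, and a second source within five minutes of the first), and bob's login from a restricted country fires both list-based rules plus Geography Change; the per-user totals show how the senseValues of the individual rules accumulate into a user's risk score.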

UBA : User Geography, Access from Unusual Locations

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default

True


Default senseValue

15

Description

Indicates that users were able to authenticate in countries that are unusual for your network, as defined by the building block rule "UBA : BB : Unusual Source Locations".

Support rules

• BB:UBA : Unusual Source Locations
• BB:CategoryDefinition: Authentication Success
• BB:UBA : Common Event Filters

Log source types

APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDos Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI

Related concepts:

• UBA : Anomalous Account Created From New Location
• UBA : Anomalous Cloud Account Created From New Location
• UBA : User Access from Multiple Locations
• UBA : User Access from Prohibited Location
• UBA : User Access from Restricted Location
• UBA : User Geography Change

Network traffic and attacks

UBA : D/DoS Attack Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : D/DoS Attack Detected

Enabled by default

False

Default senseValue

15

Description

Detects network Denial of Service (DoS) attacks by a user.

Note: Before you can use this rule, complete the following steps:

1. From the Admin tab, click UBA Settings.


2. Select the Search assets for username, when username is not available for event or flow data check box to search for user names in the asset table. The UBA app uses assets to look up a user for an IP address when no user is listed in an event.

3. The event rule needs the "Snort Open Source IDS" log source to work.

Support rules

• BB:UBA : Common Log Source Filters
• BB:CategoryDefinition: DDoS Attack Events
• BB:CategoryDefinition: Network DoS Attack
• BB:CategoryDefinition: Service DoS

Data sources

Akamai KONA, Application Security DbProtect, Aruba Mobility Controller, Barracuda Web Application Firewall, Brocade FabricOS, CRE System, Check Point, Cisco Adaptive Security Appliance (ASA), Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Intrusion Prevention System (IPS), Cisco PIX Firewall, Cisco Stealthwatch, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Custom Rule Engine, CyberGuard TSP Firewall/VPN, Enterprise-IT-Security.com SF-Sherlock, Event CRE Injected, Extreme Dragon Network IPS, Extreme HiPath, F5 Networks BIG-IP AFM, F5 Networks BIG-IP ASM, F5 Networks BIG-IP LTM, Fair Warning, FireEye, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, Huawei AR Series Router, IBM Proventia Network Intrusion Prevention System (IPS), IBM Security Network IPS (GX), Imperva Incapsula, Juniper Junos OS Platform, Juniper Junos WebApp Secure, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Motorola SymbolAP, NCC Group DDos Secure, Niksun 2005 v3.5, Nortel Application Switch, OS Services Qidmap, OSSEC, Palo Alto PA Series, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, SonicWALL SonicOS, Squid Web Proxy, Stonesoft Management Center, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), Top Layer IPS, Trend Micro Deep Security, Universal DSM, Vectra Networks Vectra, Venustech Venusense Security Platform, WatchGuard Fireware OS

Related concepts:

• UBA : Honeytoken Activity
• UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage
• UBA : User Behavior, Session Anomaly by Destination (ADE rule)
• UBA : User Event Frequency Anomaly Categories (ADE rule)
• UBA : User Volume Activity Anomaly - Traffic to Internal Domains (ADE rule)

UBA : Honeytoken Activity

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Honeytoken Activity

Enabled by default

False

Default senseValue

10

Description

Detects activity using a Honeytoken account.

Support rules

BB:UBA : Common Event Filters

Required configuration

Add the appropriate values to the following reference sets: UBA : Honeytoken Accounts

Add the appropriate log sources to the following log source group: UBA : Systems with Honeytoken Accounts.

Log source types

All log sources added to the UBA : Systems with Honeytoken Accounts log source group.

Related concepts:

• UBA : D/DoS Attack Detected
• UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage
• UBA : User Behavior, Session Anomaly by Destination (ADE rule)
• UBA : User Event Frequency Anomaly Categories (ADE rule)
• UBA : User Volume Activity Anomaly - Traffic to Internal Domains (ADE rule)

UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage


Enabled by default

False

Default senseValue

15

Description

Indicates that a process is created and the process name matches one of the binary names that are listed in the reference set "UBA : Network Capture, Monitoring and Analysis Program Filenames". This reference set lists the binary names of network packet capturing software. The reference set is pre-populated with the names of some common network protocol analysis software filenames.

For more information about adding or removing programs for monitoring, see Managing network monitoring tools.

Support rule

BB:UBA : Common Event Filters

Required configuration

Add the appropriate values to the following reference set: UBA : Network Capture, Monitoring and Analysis Program Filenames.

Log source types

Microsoft Windows Security Event Log
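The honeytoken rule and the capture-program rule above both reduce to a reference-set lookup on a parsed event. The following Python is an added example, not code from the IBM guide or the UBA app: it parses constructed, simplified Windows process-creation and logon lines (the line layout, account names, binary names and log source names are all assumed stand-ins for the reference sets and log source group named above), applies both rules, and sums each rule's default senseValue per user, which is assumed here to be how UBA turns a rule hit into a risk-score contribution.

```python
from __future__ import annotations

import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-ins for the reference sets and log source group named on this page.
# A real deployment populates these through QRadar reference data; the values here are examples.
HONEYTOKEN_ACCOUNTS = {"svc-backup-legacy", "finance-admin2"}   # UBA : Honeytoken Accounts
HONEYTOKEN_LOG_SOURCES = {"WinSec-DC01", "Linux-Jump01"}        # UBA : Systems with Honeytoken Accounts
CAPTURE_PROGRAM_FILENAMES = {"wireshark.exe", "dumpcap.exe",    # UBA : Network Capture, Monitoring and
                             "tcpdump.exe", "windump.exe"}      #   Analysis Program Filenames

HONEYTOKEN_RULE = "UBA : Honeytoken Activity"
CAPTURE_RULE = "UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage"
# Default senseValue of each rule as listed in this guide.
SENSE_VALUE = {HONEYTOKEN_RULE: 10, CAPTURE_RULE: 15}

WINDOWS_PROCESS_CREATED = 4688  # Windows Security Event Log: "A new process has been created"


@dataclass(frozen=True)
class Event:
    log_source: str
    event_id: int
    username: str
    new_process: str | None = None


# Constructed, simplified line layout used only by this example (not a QRadar DSM format).
_LINE_RE = re.compile(
    r"^(?P<source>\S+)\s+EventID=(?P<eid>\d+)\s+user=(?P<user>\S+)(?:\s+proc=(?P<proc>.+))?$"
)


def parse_line(line: str) -> Event:
    m = _LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised event line: {line!r}")
    return Event(m["source"], int(m["eid"]), m["user"], m["proc"])


def process_basename(path: str) -> str:
    """Reduce 'C:\\Program Files\\Wireshark\\Wireshark.exe' to 'wireshark.exe'.

    ntpath splits Windows paths correctly even when this runs on Linux, and the result is
    lower-cased because Windows file names are case-insensitive."""
    return ntpath.basename(path).lower()


def evaluate(event: Event) -> list[str]:
    """Return the names of the rules on this page that the event satisfies."""
    fired: list[str] = []
    # Honeytoken rule: the account is a honeytoken and the event came from a log source
    # that belongs to the honeytoken log source group (the scope the guide requires).
    if (event.log_source in HONEYTOKEN_LOG_SOURCES
            and event.username.lower() in {a.lower() for a in HONEYTOKEN_ACCOUNTS}):
        fired.append(HONEYTOKEN_RULE)
    # Capture-program rule: a process-creation event whose binary name is in the reference set.
    if (event.event_id == WINDOWS_PROCESS_CREATED and event.new_process
            and process_basename(event.new_process) in CAPTURE_PROGRAM_FILENAMES):
        fired.append(CAPTURE_RULE)
    return fired


def risk_by_user(lines: list[str]) -> dict[str, int]:
    """Sum the senseValue of every rule that fires, per user."""
    totals: dict[str, int] = defaultdict(int)
    for line in lines:
        event = parse_line(line)
        for rule in evaluate(event):
            totals[event.username] += SENSE_VALUE[rule]
    return dict(totals)


# Constructed sample events (not real log data).
SAMPLE_LINES = [
    r"WinSec-WS042 EventID=4688 user=alice proc=C:\Program Files\Wireshark\Wireshark.exe",
    r"WinSec-WS042 EventID=4688 user=alice proc=C:\Windows\System32\notepad.exe",
    r"WinSec-DC01 EventID=4624 user=svc-backup-legacy",    # honeytoken logon on a monitored DC
    r"WinSec-WS017 EventID=4624 user=svc-backup-legacy",   # same account, source not in the group
    r"WinSec-WS017 EventID=4688 user=bob proc=D:\Tools\WinDump.exe",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(evaluate(parse_line(line)), "<-", line)
    print(risk_by_user(SAMPLE_LINES))
```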

Related concepts:

• UBA : D/DoS Attack Detected
• UBA : Honeytoken Activity
• UBA : User Behavior, Session Anomaly by Destination (ADE rule)
• UBA : User Event Frequency Anomaly Categories (ADE rule)
• UBA : User Volume Activity Anomaly - Traffic to Internal Domains (ADE rule)

UBA : User Behavior, Session Anomaly by Destination (ADE rule)

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Note: This rule is no longer supported.

UBA : User Behavior, Session Anomaly by Destination

UBA : User Behavior, Session Anomaly by Destination Found

Warning: Enabling ADE rules can affect the performance of the UBA app and your QRadar system.


Enabled by default

False

Default senseValue

10

Description

UBA : User Behavior, Session Anomaly by Destination: Indicates that a user is accessing significantly different destination IP addresses than the user accessed in the past. The event is not necessarily an indication of compromise. The change in behavior might indicate a significant change in the user’s job responsibilities or work habits.

UBA : User Behavior, Session Anomaly by Destination Found: This is a CRE rule that supports the identical respective ADE rule, UBA : User Behavior, Session Anomaly by Destination, which indicates that a user is accessing significantly different destination IP addresses than were accessed by the user in the past. The event is not necessarily an indication of compromise. The change in behavior might indicate a significant change in the user’s job responsibilities or work habits.

Log source types

All supported log sources.

Related concepts:

• UBA : D/DoS Attack Detected
• UBA : Honeytoken Activity
• UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage
• UBA : User Event Frequency Anomaly Categories (ADE rule)
• UBA : User Volume Activity Anomaly - Traffic to Internal Domains (ADE rule)

UBA : User Event Frequency Anomaly Categories (ADE rule)

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Note: This rule has been replaced with Machine Learning models. For more information, see “Enabling user models V3.3.0” on page 211.

UBA : User Event Frequency Anomaly Categories (ADE rule)

UBA : User Event Frequency Anomaly - Categories Found

Warning: Enabling ADE rules can affect the performance of the UBA app and your QRadar system.

Enabled by default

False


Default senseValue

5

Description

UBA : User Event Frequency Anomaly Categories: Uses the Anomaly Detection engine to monitor the category distribution of a user's events. It alerts on unusual frequency changes.

UBA : User Event Frequency Anomaly - Categories Found: This is a CRE rule that supports the identical respective ADE rule, UBA : User Event Frequency Anomaly - Categories, which uses the Anomaly Detection engine to monitor the category distribution of a user's events. It will alert on unusual frequency changes.

Log source types

All supported log sources.

Related concepts:

• UBA : D/DoS Attack Detected
• UBA : Honeytoken Activity
• UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage
• UBA : User Behavior, Session Anomaly by Destination (ADE rule)
• UBA : User Volume Activity Anomaly - Traffic to Internal Domains (ADE rule)

UBA : User Volume Activity Anomaly - Traffic to Internal Domains (ADE rule)

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Note: This rule is no longer supported.

• UBA : User Volume Activity Anomaly - Traffic to Internal Domains
• UBA : User Volume Activity Anomaly - Traffic to Internal Domains Found

Enabled by default

False

Default senseValue

10

Description

This is a CRE rule that supports the identical respective rule, UBA : User Volume of Activity Anomaly - Traffic to Internal Domains, which uses the Anomaly Detection engine to monitor a user's traffic usage and alert on unusual volumes of traffic.


Log source types

Juniper SRX Series Services Gateway, Microsoft ISA, Pulse Secure Pulse Connect Secure

Related concepts:

• UBA : D/DoS Attack Detected
• UBA : Honeytoken Activity
• UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage
• UBA : User Behavior, Session Anomaly by Destination (ADE rule)
• UBA : User Event Frequency Anomaly Categories (ADE rule)

QRadar DNS Analyzer

For more information, see IBM QRadar DNS Analyzer.

UBA : Potential Access to Blacklist Domain

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Potential Access to Blacklist Domain

Enabled by default

False

Default senseValue

5

Description

Detects events that indicate the user potentially accessed a blacklist domain. Requires the IBM QRadar DNS Analyzer app.

Required configuration

Before enabling this rule, you must install the IBM QRadar DNS Analyzer app. For more information, see IBM QRadar DNS Analyzer.

Log source types

IBM QRadar DNS Analyzer

UBA : Potential Access to DGA Domain

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Potential Access to DGA Domain


Enabled by default

False

Default senseValue

5

Description

Detects events that indicate the user potentially accessed a DGA (Domain Generated by Algorithm) domain. Requires the IBM QRadar DNS Analyzer app.

Required configuration

Before enabling this rule, you must install the IBM QRadar DNS Analyzer app. For more information, see IBM QRadar DNS Analyzer.

Log source types

IBM QRadar DNS Analyzer

UBA : Potential Access to Squatting Domain

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Potential Access to Squatting Domain

Enabled by default

False

Default senseValue

5

Description

Detects events that indicate the user potentially accessed a squatting domain. Requires the IBM QRadar DNS Analyzer app.

Required configuration

Before enabling this rule, you must install the IBM QRadar DNS Analyzer app. For more information, see IBM QRadar DNS Analyzer.

Log source types

IBM QRadar DNS Analyzer

UBA : Potential Access to Tunneling Domain

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Potential Access to Tunneling Domain

Enabled by default

False


Default senseValue

5

Description

Detects events that indicate the user potentially accessed a tunneling domain. Requires the IBM QRadar DNS Analyzer app.

Required configuration

Before enabling this rule, you must install the IBM QRadar DNS Analyzer app. For more information, see IBM QRadar DNS Analyzer.

Log source types

IBM QRadar DNS Analyzer

QRadar Network Insights (QNI)

For more information about installing QNI rules in QRadar V7.2.8, see QRadar Network Insights Content v7.2.8.

For QRadar V7.3.0 and later, see QRadar Network Insights Content v7.3.0+.

UBA : QNI - Access to Improperly Secured Service - Certificate Expired

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : QNI - Access to Improperly Secured Service - Certificate Expired

Enabled by default

False

Default senseValue

5

Description

QRadar Network Insights (QNI) detected an SSL/TLS session which uses an expired certificate. Servers and clients use certificates when establishing communication using Secure Sockets Layer (SSL) or Transport Layer Security (TLS). Certificates are issued with an expiration date that indicates how long the certificate remains valid.

Required configuration

Before enabling this QNI rule, you must install the QRadar Network Insights content pack and enable its rule contents. For QRadar 7.2.8, see QRadar Network Insights Content v7.2.8. For QRadar 7.3.0 or later, see QRadar Network Insights Content v7.3.0+.

Log source types

QRadar Network Insights (QNI)

Related concepts:

• UBA : QNI - Access to Improperly Secured Service - Certificate Invalid
• UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length
• UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate
• UBA : QNI - Confidential Content Being Transferred to Foreign Geography
• UBA : QNI - Observed File Hash Associated with Malware Threat
• UBA : QNI - Observed File Hash Seen Across Multiple Hosts
• UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Email Recipient
• UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers

UBA : QNI - Access to Improperly Secured Service - Certificate Invalid

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : QNI - Access to Improperly Secured Service - Certificate Invalid

Enabled by default

False

Default senseValue

5

Description

QRadar Network Insights (QNI) has detected an SSL/TLS session that uses an invalid certificate. Servers and clients use X.509 certificates when establishing communication using Secure Sockets Layer (SSL). Certificates are issued with a Not Before date that indicates the earliest date the certificate is valid.

Required configuration

Before enabling this QNI rule, you must install the QRadar Network Insights content pack and enable its rule contents. For QRadar 7.2.8, see QRadar Network Insights Content v7.2.8. For QRadar 7.3.0 or later, see QRadar Network Insights Content v7.3.0+.

Log source types

QRadar Network Insights (QNI)

Related concepts:

• UBA : QNI - Access to Improperly Secured Service - Certificate Expired
• UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length
• UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate
• UBA : QNI - Confidential Content Being Transferred to Foreign Geography
• UBA : QNI - Observed File Hash Associated with Malware Threat
• UBA : QNI - Observed File Hash Seen Across Multiple Hosts
• UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Email Recipient
• UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers

UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length

Enabled by default

False

Default senseValue

5

Description

QRadar Network Insights (QNI) detected an SSL/TLS session that uses a certificate with a low public key bit count of less than 2048. A server that provides a weak Public Key Certificate (less than 1024 bits) can represent a security risk. According to NIST publication 800-57, the recommended minimum RSA key beginning in 2011 is 2048 bits.

Required configuration

Before enabling this QNI rule, you must install the QRadar Network Insights content pack and enable its rule contents. For QRadar 7.2.8, see QRadar Network Insights Content v7.2.8. For QRadar 7.3.0 or later, see QRadar Network Insights Content v7.3.0+.

Log source types

QRadar Network Insights (QNI)


Related concepts:

• UBA : QNI - Access to Improperly Secured Service - Certificate Expired
• UBA : QNI - Access to Improperly Secured Service - Certificate Invalid
• UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate
• UBA : QNI - Confidential Content Being Transferred to Foreign Geography
• UBA : QNI - Observed File Hash Associated with Malware Threat
• UBA : QNI - Observed File Hash Seen Across Multiple Hosts
• UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Email Recipient
• UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers

UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate

Enabled by default

False

Default senseValue

5

Description

QRadar Network Insights (QNI) detected an SSL/TLS session that uses a self-signed certificate. A self-signed certificate in a public-facing or production server application might allow a remote attacker to start a man-in-the-middle attack.

Required configuration

Before enabling this QNI rule, you must install the QRadar Network Insights content pack and enable its rule contents. For QRadar 7.2.8, see QRadar Network Insights Content v7.2.8. For QRadar 7.3.0 or later, see QRadar Network Insights Content v7.3.0+.

Log source types

QRadar Network Insights (QNI)


UBA : QNI - Confidential Content Being Transferred to Foreign Geography

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : QNI - Confidential Content Being Transferred to Foreign Geography

Enabled by default

False

Default senseValue

5

Description

Detects confidential content that is being transferred to countries and regions with restricted access. Note that these countries and regions are defined in the following building block: "Countries/Regions with Restricted Access". Before you enable this rule, ensure that the building block is set up according to your business use case.

Required configuration

Before enabling this QNI rule, you must install the QRadar Network Insights content pack and enable its rule contents. For QRadar 7.2.8, see QRadar Network Insights Content v7.2.8. For QRadar 7.3.0 or later, see QRadar Network Insights Content v7.3.0+.

Log source types

QRadar Network Insights (QNI)


UBA : QNI - Observed File Hash Associated with Malware Threat

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : QNI - Observed File Hash Associated with Malware Threat

Enabled by default

False

Default senseValue

15

Description

This rule triggers when flow content includes a file hash that matches a known bad file hash included in a Threat Intelligence data feed. A match indicates that someone has transferred malware over the network.

Required configuration

Before enabling this QNI rule, you must install the QRadar Network Insights content pack and enable its rule contents. For QRadar 7.2.8, see QRadar Network Insights Content v7.2.8. For QRadar 7.3.0 or later, see QRadar Network Insights Content v7.3.0+.

Log source types

QRadar Network Insights (QNI)


UBA : QNI - Observed File Hash Seen Across Multiple Hosts

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : QNI - Observed File Hash Seen Across Multiple Hosts

Enabled by default

False

Default senseValue

15

Description

This rule triggers when the same file hash associated with malware is seen being transferred to multiple destinations.

Required configuration

Before enabling this QNI rule, you must install the QRadar Network Insights content pack and enable its rule contents. For QRadar 7.2.8, see QRadar Network Insights Content v7.2.8. For QRadar 7.3.0 or later, see QRadar Network Insights Content v7.3.0+.

Log source types

QRadar Network Insights (QNI)


UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Email Recipient

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Email Recipient

Enabled by default

False

Default senseValue

5

Description

This rule triggers when rejected email events sent to a non-existent recipient address are seen in the system. This can indicate a spam or phishing attempt. Configure the BB:CategoryDefinition: Rejected Email Recipient building block to include QIDs relevant to your organization. It is pre-populated with the following QIDs that are good for monitoring: Microsoft Exchange; Linux OS [running sendmail]; Solaris Operating System Sendmail Logs and Barracuda Spam and Virus Firewall.

Required configuration

Before enabling this QNI rule, you must install the QRadar Network Insights content pack and enable its rule contents. For QRadar 7.2.8, see QRadar Network Insights Content v7.2.8. For QRadar 7.3.0 or later, see QRadar Network Insights Content v7.3.0+.


Log source types

QRadar Network Insights (QNI)


UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers

Enabled by default

False

Default senseValue

5

Description

This rule triggers when multiple sending servers send the same email subject within a period of time, which may indicate spam or phishing.
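The two correlation rules described above, "Observed File Hash Seen Across Multiple Hosts" and "Potential Spam/Phishing Subject Detected from Multiple Sending Servers", both count distinct values per key inside a time window. The Python below is an added example, not code from the IBM guide or from QRadar or QNI; the flow record shape, the 10-minute window and the threshold of 3 distinct values are assumptions, and the hashes and addresses are constructed placeholders.

```python
# Added example (not from the IBM guide): sliding-window, distinct-count
# correlation of the kind the two QNI rules above describe, run over
# constructed flow records. Field names and thresholds are assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, Iterable, Optional, Set, Tuple


@dataclass
class Flow:
    """One QNI-style flow record (constructed shape, not QRadar's schema)."""
    ts: datetime
    src: str                            # sending host or mail server
    dst: str                            # receiving host
    file_hash: Optional[str] = None     # hash of a transferred file, if any
    subject: Optional[str] = None       # e-mail subject seen in the flow, if any


class DistinctCountWindow:
    """Per key, keep the values seen inside a sliding time window and report
    when the number of distinct values reaches the threshold."""

    def __init__(self, window: timedelta, threshold: int) -> None:
        self.window = window
        self.threshold = threshold
        self._seen: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)

    def observe(self, ts: datetime, key: str, value: str) -> Optional[Set[str]]:
        q = self._seen[key]
        q.append((ts, value))
        cutoff = ts - self.window
        while q and q[0][0] < cutoff:           # expire entries older than the window
            q.popleft()
        distinct = {v for _, v in q}
        return distinct if len(distinct) >= self.threshold else None


def _correlate(flows: Iterable[Flow], key_of: Callable[[Flow], Optional[str]],
               value_of: Callable[[Flow], str], window: timedelta,
               threshold: int) -> Dict[str, Set[str]]:
    """Generic driver: the first time a key reaches `threshold` distinct values
    inside `window`, record the set of values that fired the alert."""
    tracker = DistinctCountWindow(window, threshold)
    alerts: Dict[str, Set[str]] = {}
    for f in sorted(flows, key=lambda f: f.ts):   # correlation assumes time order
        key = key_of(f)
        if key is None or key in alerts:          # not relevant, or already alerted
            continue
        hit = tracker.observe(f.ts, key, value_of(f))
        if hit is not None:
            alerts[key] = hit
    return alerts


def hash_seen_across_hosts(flows: Iterable[Flow], malware_hashes: Set[str],
                           window: timedelta = timedelta(minutes=10),
                           threshold: int = 3) -> Dict[str, Set[str]]:
    """'Observed File Hash Seen Across Multiple Hosts': a hash on the threat
    list transferred to >= threshold distinct destinations within the window."""
    bad = {h.lower() for h in malware_hashes}
    return _correlate(
        flows,
        key_of=lambda f: f.file_hash.lower()
        if f.file_hash and f.file_hash.lower() in bad else None,
        value_of=lambda f: f.dst, window=window, threshold=threshold)


def subject_from_many_servers(flows: Iterable[Flow],
                              window: timedelta = timedelta(minutes=10),
                              threshold: int = 3) -> Dict[str, Set[str]]:
    """'Potential Spam/Phishing Subject Detected from Multiple Sending Servers':
    the same (normalised) subject sent by >= threshold distinct servers."""
    return _correlate(
        flows,
        key_of=lambda f: f.subject.strip().lower() if f.subject else None,
        value_of=lambda f: f.src, window=window, threshold=threshold)


# Constructed sample data: hashes and addresses are placeholders, not real IoCs.
T0 = datetime(2019, 6, 1, 9, 0, 0)
BAD_HASH = "a" * 64      # placeholder SHA-256 present on the (constructed) threat feed
SLOW_HASH = "c" * 64     # also on the feed, but spreads too slowly for the window
OTHER_HASH = "b" * 64    # placeholder hash that is not on the feed
SAMPLE_FLOWS = [
    # BAD_HASH reaches three hosts within five minutes -> alert
    Flow(T0, "10.0.0.5", "10.0.1.10", file_hash=BAD_HASH),
    Flow(T0 + timedelta(minutes=2), "10.0.0.5", "10.0.1.11", file_hash=BAD_HASH),
    Flow(T0 + timedelta(minutes=5), "10.0.0.5", "10.0.1.12", file_hash=BAD_HASH),
    # SLOW_HASH reaches three hosts, but 30 minutes apart -> no alert at 10-minute window
    Flow(T0, "10.0.0.7", "10.0.1.30", file_hash=SLOW_HASH),
    Flow(T0 + timedelta(minutes=30), "10.0.0.7", "10.0.1.31", file_hash=SLOW_HASH),
    Flow(T0 + timedelta(minutes=60), "10.0.0.7", "10.0.1.32", file_hash=SLOW_HASH),
    # OTHER_HASH reaches three hosts but is not on the feed -> no alert
    Flow(T0, "10.0.0.6", "10.0.1.20", file_hash=OTHER_HASH),
    Flow(T0 + timedelta(minutes=1), "10.0.0.6", "10.0.1.21", file_hash=OTHER_HASH),
    Flow(T0 + timedelta(minutes=2), "10.0.0.6", "10.0.1.22", file_hash=OTHER_HASH),
    # same subject (modulo case/whitespace) from three servers in four minutes -> alert
    Flow(T0, "198.51.100.1", "10.0.2.1", subject="Invoice overdue"),
    Flow(T0 + timedelta(minutes=1), "198.51.100.2", "10.0.2.1", subject="Invoice Overdue"),
    Flow(T0 + timedelta(minutes=4), "198.51.100.3", "10.0.2.2", subject="invoice overdue "),
    # same subject repeatedly from a single server -> no alert
    Flow(T0, "192.0.2.9", "10.0.2.1", subject="Weekly report"),
    Flow(T0 + timedelta(minutes=3), "192.0.2.9", "10.0.2.1", subject="Weekly report"),
    Flow(T0 + timedelta(minutes=6), "192.0.2.9", "10.0.2.1", subject="Weekly report"),
]

if __name__ == "__main__":
    print(hash_seen_across_hosts(SAMPLE_FLOWS, {BAD_HASH, SLOW_HASH}))
    print(subject_from_many_servers(SAMPLE_FLOWS))
```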

Required configuration

Before enabling this QNI rule, you must install the QRadar Network Insights content pack and enable its rule contents. For QRadar 7.2.8, see QRadar Network Insights Content v7.2.8. For QRadar 7.3.0 or later, see QRadar Network Insights Content v7.3.0+.


Log source types

QRadar Network Insights (QNI)


Reconnaissance

For more information, see IBM Security Reconnaissance Content.

UBA : Unusual Scanning of DHCP Servers Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Unusual Scanning of DHCP Servers Detected

Enabled by default

False

Default senseValue

15

Description

Detects unusual scanning of DHCP servers in the network.

Required configuration

Before enabling this rule, you must install the IBM Security Reconnaissance Content pack and enable its rule contents. For more information, see IBM Security Reconnaissance Content.


UBA : Unusual Scanning of Database Servers Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Unusual Scanning of Database Servers Detected

Enabled by default

False

Default senseValue

15

Description

Detects unusual scanning of database servers in the network.

Required configuration

Before enabling this rule, you must install the IBM Security Reconnaissance Content pack and enable its rule contents. For more information, see IBM Security Reconnaissance Content.

UBA : Unusual Scanning of DNS Servers Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Unusual Scanning of DNS Servers Detected

Enabled by default

False

Default senseValue

15

Description

Detects unusual scanning of DNS servers in the network.

Required configuration

Before enabling this rule, you must install the IBM Security Reconnaissance Content pack and enable its rule contents. For more information, see IBM Security Reconnaissance Content.

UBA : Unusual Scanning of FTP Servers Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Unusual Scanning of FTP Servers Detected

Enabled by default

False

Default senseValue

15


Description

Detects unusual scanning of FTP servers in the network.

Required configuration

Before enabling this rule, you must install the IBM Security Reconnaissance Content pack and enable its rule contents. For more information, see IBM Security Reconnaissance Content.

UBA : Unusual Scanning of Game Servers Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Unusual Scanning of Game Servers Detected

Enabled by default

False

Default senseValue

15

Description

Detects unusual scanning of game servers in the network.

Required configuration

Before enabling this rule, you must install the IBM Security Reconnaissance Content pack and enable its rule contents. For more information, see IBM Security Reconnaissance Content.

UBA : Unusual Scanning of Generic ICMP Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Unusual Scanning of Generic ICMP Detected

Enabled by default

False

Default senseValue

15

Description

Detects unusual scanning of servers in the network that use the ICMP protocol.

Required configuration

Before enabling this rule, you must install the IBM Security Reconnaissance Content pack and enable its rule contents. For more information, see IBM Security Reconnaissance Content.

UBA : Unusual Scanning of Generic TCP Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Unusual Scanning of Generic TCP Detected


Enabled by default

False

Default senseValue

15

Description

Detects unusual scanning of servers in the network on common TCP ports.

Required configuration

Before enabling this rule, you must install the IBM Security Reconnaissance Content pack and enable its rule contents. For more information, see IBM Security Reconnaissance Content.

UBA : Unusual Scanning of Generic UDP Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Unusual Scanning of Generic UDP Detected

Enabled by default

False

Default senseValue

15

Description

Detects unusual scanning of servers in the network on common UDP ports.

Required configuration

Before enabling this rule, you must install the IBM Security Reconnaissance Content pack and enable its rule contents. For more information, see IBM Security Reconnaissance Content.

UBA : Unusual Scanning of IRC Servers Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Unusual Scanning of IRC Servers Detected

Enabled by default

False

Default senseValue

15

Description

Detects unusual scanning of IRC servers in the network.

Required configuration

Before enabling this rule, you must install the IBM Security Reconnaissance Content pack and enable its rule contents. For more information, see IBM Security Reconnaissance Content.


UBA : Unusual Scanning of LDAP Servers Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Unusual Scanning of LDAP Servers Detected

Enabled by default

False

Default senseValue

15

Description

Detects unusual scanning of LDAP servers in the network.

Required configuration

Before enabling this rule, you must install the IBM Security Reconnaissance Content pack and enable its rule contents. For more information, see IBM Security Reconnaissance Content.

UBA : Unusual Scanning of Mail Servers Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Unusual Scanning of Mail Servers Detected

Enabled by default

False

Default senseValue

15

Description

Detects unusual scanning of mail servers in the network.

Required configuration

Before enabling this rule, you must install the IBM Security Reconnaissance Content pack and enable its rule contents. For more information, see IBM Security Reconnaissance Content.

UBA : Unusual Scanning of Messaging Servers Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Unusual Scanning of Messaging Servers Detected

Enabled by default

False

Default senseValue

15


Description

Detects unusual scanning of messaging servers in the network.

Required configuration

Before enabling this rule, you must install the IBM Security Reconnaissance Content pack and enable its rule contents. For more information, see IBM Security Reconnaissance Content.

UBA : Unusual Scanning of P2P Servers Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Unusual Scanning of P2P Servers Detected

Enabled by default

False

Default senseValue

15

Description

Detects unusual scanning of P2P servers in the network.

Required configuration

Before enabling this rule, you must install the IBM Security Reconnaissance Content pack and enable its rule contents. For more information, see IBM Security Reconnaissance Content.

UBA : Unusual Scanning of Proxy Servers Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Unusual Scanning of Proxy Servers Detected

Enabled by default

False

Default senseValue

15

Description

Detects unusual scanning of proxy servers in the network.

Required configuration

Before enabling this rule, you must install the IBM Security Reconnaissance Content pack and enable its rule contents. For more information, see IBM Security Reconnaissance Content.

UBA : Unusual Scanning of RPC Servers Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Unusual Scanning of RPC Servers Detected


Enabled by default

False

Default senseValue

15

Description

Detects unusual scanning of RPC servers in the network.

Required configuration

Before enabling this rule, you must install the IBM Security Reconnaissance Content pack and enable its rule contents. For more information, see IBM Security Reconnaissance Content.

UBA : Unusual Scanning of SNMP Servers Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Unusual Scanning of SNMP Servers Detected

Enabled by default

False

Default senseValue

15

Description

Detects unusual scanning of SNMP servers in the network.

Required configuration

Before enabling this rule, you must install the IBM Security Reconnaissance Content pack and enable its rule contents. For more information, see IBM Security Reconnaissance Content.

UBA : Unusual Scanning of SSH Servers Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Unusual Scanning of SSH Servers Detected

Enabled by default

False

Default senseValue

15

Description

Detects unusual scanning of SSH servers in the network.

Required configuration

Before enabling this rule, you must install the IBM Security Reconnaissance Content pack and enable its rule contents. For more information, see IBM Security Reconnaissance Content.


UBA : Unusual Scanning of Web Servers Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Unusual Scanning of Web Servers Detected

Enabled by default

False

Default senseValue

15

Description

Detects unusual scanning of Web servers in the network.

Required configuration

Before enabling this rule, you must install the IBM Security Reconnaissance Content pack and enable its rule contents. For more information, see IBM Security Reconnaissance Content.

UBA : Unusual Scanning of Windows Servers Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Unusual Scanning of Windows Servers Detected

Enabled by default

False

Default senseValue

15

Description

Detects unusual scanning of Windows servers in the network.

Required configuration

Before enabling this rule, you must install the IBM Security Reconnaissance Content pack and enable its rule contents. For more information, see IBM Security Reconnaissance Content.

System monitoring (Sysmon)

For more information, see IBM QRadar Content Extension for Sysmon.

UBA : Common Exploit Tools Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Common Exploit Tools Detected

Enabled by default

False


Default senseValue

10

Description

Detects the use of commonly used exploit tools such as keyloggers and PsExec.

Required configuration

Before enabling this rule, you must install the IBM QRadar Content Extension for Sysmon pack and enable its rule contents. For more information, see IBM QRadar Content Extension for Sysmon.

Log source types

Microsoft Windows Security Event Logs

UBA : Common Exploit Tools Detected (Asset)

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Common Exploit Tools Detected

Enabled by default

False

Default senseValue

10

Description

Detects the use of commonly used exploit tools such as keyloggers and PsExec.

Required configuration

Before enabling this rule, you must install the IBM QRadar Content Extension for Sysmon pack and enable its rule contents. For more information, see IBM QRadar Content Extension for Sysmon.

Log source types

Microsoft Windows Security Event Logs

UBA : Malicious Process Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Malicious Process Detected

Enabled by default

False

Default senseValue

10

Description

Detects processes that indicate malicious behavior on Windows hosts.


Required configuration

Before enabling this rule, you must install the IBM QRadar Content Extension for Sysmon pack and enable its rule contents. For more information, see IBM QRadar Content Extension for Sysmon.

Log source types

Microsoft Windows Security Event Logs

UBA : Network Share Accessed

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Network Share Accessed

Enabled by default

False

Default senseValue

10

Description

Detects suspicious activities that involve network shares.

Required configuration

Before enabling this rule, you must install the IBM QRadar Content Extension for Sysmon pack and enable its rule contents. For more information, see IBM QRadar Content Extension for Sysmon.

Log source types

Sysmon rules

UBA : Process Creating Suspicious Remote Threads Detected (Asset)

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Process Creating Suspicious Remote Threads Detected (Asset)

Enabled by default

False

Default senseValue

10

Description

Detects processes that are suspiciously creating threads on a remote machine.

Required configuration

Before enabling this rule, you must install the IBM QRadar Content Extension for Sysmon pack and enable its rule contents. For more information, see IBM QRadar Content Extension for Sysmon.

Log source types

Microsoft Windows Security Event Logs


UBA : Suspicious Activities on Compromised Hosts

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Suspicious Activities on Compromised Hosts

Enabled by default

False

Default senseValue

10

DescriptionDetects activities that are performed on a compromised host.

Required configuration

Before enabling this rule, you must install the IBM QRadar Content Extension for Sysmon pack and enableit's rule contents. For more information, see IBM QRadar Content Extension for Sysmon.

Log source types

Microsoft Windows Security Event Logs

UBA : Suspicious Activities on Compromised Hosts (Assets)

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Suspicious Activities on Compromised Hosts (Assets)

Enabled by default

False

Default senseValue

10

Description

Detects activities that are performed on a compromised host.

Required configuration

Before enabling this rule, you must install the IBM QRadar Content Extension for Sysmon pack and enable its rule contents. For more information, see IBM QRadar Content Extension for Sysmon.

Log source types

Microsoft Windows Security Event Logs

UBA : Suspicious Administrative Activities Detected

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Suspicious Administrative Activities Detected

Enabled by default

False


Default senseValue

10

Description

Detects rarely performed administrative activities that appear suspicious.

Required configuration

Before enabling this rule, you must install the IBM QRadar Content Extension for Sysmon pack and enable its rule contents. For more information, see IBM QRadar Content Extension for Sysmon.

Log source types

Microsoft Windows Security Event Logs

UBA : Suspicious Command Prompt Activity

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Suspicious Command Prompt Activity

Enabled by default

False

Default senseValue

10

Description

Detects activities around command prompt scripts.

Required configuration

Before enabling this rule, you must install the IBM QRadar Content Extension for Sysmon pack and enable its rule contents. For more information, see IBM QRadar Content Extension for Sysmon.

Log source types

Microsoft Windows Security Event Logs

UBA : Suspicious Entries in System Registry (Asset)

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Suspicious Entries in System Registry (Asset)

Enabled by default

False

Default senseValue

10

Description

Detects suspicious activities that involve Windows Registry modifications or updates.


Required configuration

Before enabling this rule, you must install the IBM QRadar Content Extension for Sysmon pack and enable its rule contents. For more information, see IBM QRadar Content Extension for Sysmon.

Log source types

Microsoft Windows Security Event Logs

UBA : Suspicious Image Load Detected (Asset)

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Suspicious Image Load Detected (Asset)

Enabled by default

False

Default senseValue

10

Description

Detects suspicious images that are uploaded into sensitive locations.

Required configuration

Before enabling this rule, you must install the IBM QRadar Content Extension for Sysmon pack and enable its rule contents. For more information, see IBM QRadar Content Extension for Sysmon.

Log source types

Microsoft Windows Security Event Logs

UBA : Suspicious Pipe Activities (Asset)

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Suspicious Pipe Activities (Asset)

Enabled by default

False

Default senseValue

10

Description

Detects suspicious activities that involve process pipes on Windows hosts.

Required configuration

Before enabling this rule, you must install the IBM QRadar Content Extension for Sysmon pack and enable its rule contents. For more information, see IBM QRadar Content Extension for Sysmon.

Log source types

Microsoft Windows Security Event Logs


UBA : Suspicious PowerShell Activity

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Suspicious PowerShell Activity

Enabled by default

False

Default senseValue

10

Description

Detects activities around Microsoft PowerShell scripts.

Required configuration

Before enabling this rule, you must install the IBM QRadar Content Extension for Sysmon pack and enable its rule contents. For more information, see IBM QRadar Content Extension for Sysmon.

Log source types

Microsoft Windows Security Event Logs

UBA : Suspicious PowerShell Activity (Asset)

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Suspicious PowerShell Activity (Asset)

Enabled by default

False

Default senseValue

10

Description

Detects activities around Microsoft PowerShell scripts. This rule requires the "Search assets for username, when username is not available for event or flow data" functionality to be enabled.

Required configuration

Before enabling this rule, you must install the IBM QRadar Content Extension for Sysmon pack and enable its rule contents. For more information, see IBM QRadar Content Extension for Sysmon.

Log source types

Microsoft Windows Security Event Logs

UBA : Suspicious Scheduled Task Activities

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Suspicious Scheduled Task Activities


Enabled by default

False

Default senseValue

10

Description

Detects the suspicious creation of scheduled tasks on Windows hosts.

Required configuration

Before enabling this rule, you must install the IBM QRadar Content Extension for Sysmon pack and enable its rule contents. For more information, see IBM QRadar Content Extension for Sysmon.

Log source types

Microsoft Windows Security Event Logs

UBA : Suspicious Service Activities

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Suspicious Service Activities

Enabled by default

False

Default senseValue

10

Description

Detects suspicious service activities on Windows computers.

Required configuration

Before enabling this rule, you must install the IBM QRadar Content Extension for Sysmon pack and enable its rule contents. For more information, see IBM QRadar Content Extension for Sysmon.

Log source types

Microsoft Windows Security Event Logs

UBA : Suspicious Service Activities (Asset)

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Suspicious Service Activities (Asset)

Enabled by default

False

Default senseValue

10


Description

Detects suspicious service activities on Windows computers.

Required configuration

Before enabling this rule, you must install the IBM QRadar Content Extension for Sysmon pack and enable its rule contents. For more information, see IBM QRadar Content Extension for Sysmon.

Log source types

Microsoft Windows Security Event Logs

UBA : User Access Control Bypass Detected (Asset)

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : User Access Control Bypass Detected (Asset)

Enabled by default

False

Default senseValue

10

Description

Detects process activities that indicate User Access Control (UAC) bypass.

Required configuration

Before enabling this rule, you must install the IBM QRadar Content Extension for Sysmon pack and enable its rule contents. For more information, see IBM QRadar Content Extension for Sysmon.

Log source types

Microsoft Windows Security Event Logs

Threat intelligence

UBA : Abnormal visits to Risky Resources (ADE rule)

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Note: This rule is no longer supported.

• UBA : Abnormal visits to Risky Resources

• UBA : Abnormal visits to Risky Resources Found

Warning: Enabling ADE rules can affect the performance of the UBA app and your QRadar system.

Enabled by default

False

Default senseValue

15


Description

UBA : Abnormal visits to Risky Resources

This rule uses the Anomaly Detection engine to monitor the number of times a user accesses a risky resource (such as suspicious URLs, anonymizers, and malware hosts) and alerts when the number of visits changes abnormally.

UBA : Abnormal visits to Risky Resources Found

This is a CRE rule that supports the identical respective ADE rule, UBA : Abnormal visits to Risky Resources, which uses the Anomaly Detection engine to monitor the number of times a user accesses risky resources (such as suspicious URLs, anonymizers, malware hosts) and alerts when the number of visits changes abnormally.

Log source types

All supported log sources.

UBA : Detect IOCs For Locky

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Detect IOCs For Locky

Enabled by default

False

Default senseValue

10

Description

Detects user computers that show Indicators of Compromise (IOCs) for Locky by using URLs or IPs that are populated from X-Force campaign feeds.

Support rules

• BB:UBA : Common Log Source Filters

• BB:UBA : Detect Locky Using IP

• BB:UBA : Detect Locky Using URL

Required configuration

• Add the appropriate values to the following reference sets: UBA : IOCs-Locky IP and UBA : IOCs-Locky URL.

• Enable "User Lookup from Asset" in Admin Settings > UBA Settings.

Log source types

All supported log sources.

UBA : Detect IOCs for WannaCry

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Detect IOCs For WannaCry

Enabled by default

False


Default senseValue

10

Description

Detects user computers that show Indicators of Compromise (IOCs) for WannaCry by using URLs, IPs, or hashes that are populated from X-Force campaign feeds.

Support rules

• BB:UBA : Common Log Source Filters

• BB:UBA : Detect WannaCry Using Hashes

• BB:UBA : Detect WannaCry Using IP

• BB:UBA : Detect WannaCry Using URL

Required configuration

• Add the appropriate values to the following reference sets: UBA : Malware Activity WannaCry - Hash, UBA : Malware Activity WannaCry - IP, and UBA : Malware Activity WannaCry - URL.

• Enable "User Lookup from Asset" in Admin Settings > UBA Settings.

Log source types

All supported log sources.

UBA : ShellBags Modified By Ransomware

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : ShellBags Modified By Ransomware

Enabled by default

True

Default senseValue

10

Description

Detects ShellBag registry modifications that indicate typical malware or ransomware behavior.

Support rules

BB:UBA : Common Event Filters

Log source types

Microsoft Windows Security Event Logs (EventID: 4657)

UBA : User Accessing Risky Resources

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Note: This rule is no longer supported.

UBA : User Accessing Risky Resources is disabled by default starting with V2.3.0. The rules are now listed by the following types and enabled by default:


• UBA : User Accessing Risky IP, Anonymization

• UBA : User Accessing Risky IP, Botnet

• UBA : User Accessing Risky IP, Dynamic

• UBA : User Accessing Risky IP, Malware

• UBA : User Accessing Risky IP, Spam

Enabled by default

False

Default senseValue

15

Description

Indicates that a user accessed an external resource that is deemed to be inappropriate or risky, or that shows signs of infection.

Log source types

All supported log sources.

UBA : User Accessing Risky IP, Anonymization

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : User Accessing Risky IP, Anonymization (previously called X-Force Risky IP, Anonymization)

Enabled by default

True

Description

This rule detects when a local user or host is connecting to an external anonymization service.

Support rules

• X-Force Risky IP, Anonymization

• BB:UBA : Common Event Filters

Required configuration

• Set "Enable X-Force Threat Intelligence Feed" to Yes in Admin Settings > System Settings.

• Enable the following rule: X-Force Risky IP, Anonymization.

Log source types

All supported log sources.

UBA : User Accessing Risky IP, Botnet

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : User Accessing Risky IP, Botnet (previously called X-Force Risky IP, Botnet)


Enabled by default

True

Description

This rule detects when a local user or host is connecting to a botnet command and control server.

Support rules

• X-Force Risky IP, Botnet

• BB:UBA : Common Event Filters

Required configuration

• Set "Enable X-Force Threat Intelligence Feed" to Yes in Admin Settings > System Settings.

• Enable the following rule: X-Force Risky IP, Botnet.

Log source types

All supported log sources.

UBA : User Accessing Risky IP, Dynamic

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : User Accessing Risky IP, Dynamic (previously called X-Force Risky IP, Dynamic)

Enabled by default

True

Description

This rule detects when a local user or host is connecting to a dynamically assigned IP address.

Support rules

• X-Force Risky IP, Dynamic

• BB:UBA : Common Event Filters

Required configuration

• Set "Enable X-Force Threat Intelligence Feed" to Yes in Admin Settings > System Settings.

• Enable the following rule: X-Force Risky IP, Dynamic.

Log source types

All supported log sources.

UBA : User Accessing Risky IP, Malware

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : User Accessing Risky IP, Malware (previously called X-Force Risky IP, Malware)

Enabled by default

True


Description

This rule detects when a local user or host is connecting to a malware host.

Support rules

• X-Force Risky IP, Malware

• BB:UBA : Common Event Filters

Required configuration

• Set "Enable X-Force Threat Intelligence Feed" to Yes in Admin Settings > System Settings.

• Enable the following rule: X-Force Risky IP, Malware.

Log source types

All supported log sources.

UBA : User Accessing Risky IP, Spam

The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : User Accessing Risky IP, Spam (previously called X-Force Risky IP, Spam)

Enabled by default

True

Description

This rule detects when a local user or host is connecting to a spam-sending host.

Support rules

• X-Force Risky IP, Spam

• BB:UBA : Common Event Filters

Required configuration

• Set "Enable X-Force Threat Intelligence Feed" to Yes in Admin Settings > System Settings.

• Enable the following rule: X-Force Risky IP, Spam.

Log source types

All supported log sources.


Chapter 8. Reference Data Import - LDAP app

Use the Reference Data Import - LDAP app to gather contextual identity information from multiple LDAP sources into your QRadar Console.

Attention: The Reference Data Import - LDAP app is not supported on QRadar on Cloud.

When you install the IBM® QRadar® User Behavior Analytics (UBA) app, the Reference Data Import LDAP app is also installed. You can use the LDAP app to import user data from an LDAP/AD server or CSV file into a QRadar reference table. The reference table is then consumed by the UBA app or can be used for QRadar searches or rules.

Note: The Reference Data Import - LDAP app requires QRadar V7.2.8 or later.

Using the LDAP data in QRadar

Every time the reference table is updated, a ReferenceDataUpdated event is triggered. You can set a time-to-live value for the LDAP data in the reference table. When the time-to-live period is exceeded, a ReferenceDataExpiry event is triggered. You can create rules that respond to these events, or create searches to query the payloads of these events on the QRadar Log Activity tab.

Accessing the Reference Data Import - LDAP app

Access the QRadar Reference Data Import - LDAP app by clicking the Reference Data Import LDAP icon from the Admin settings.

For more information on reference data collections in QRadar, see IBM QRadar SIEM Administration Guide.

Supported browsers for the LDAP app

For the features in IBM Security QRadar products to work properly, you must use a supported web browser.

The following table lists the supported versions of web browsers.

Table 1. Supported web browsers for the QRadar Reference Data Import LDAP app

Web browser        Supported versions
Mozilla Firefox    45.2 Extended Support Release
Google Chrome      Latest

Importing user data from a CSV file

You can upload a CSV file that contains user data with the Reference Data Import - LDAP app.

About this task

If you have user data in a standard CSV format, you can import the data from a CSV file into the UBA app.

Procedure

1. In IBM QRadar V7.3.1 and later, click the navigation menu ( ), and then click Admin to open the admin tab.

2. In QRadar 7.3.1 or later, click Apps > Reference Data Import - LDAP > Reference Data Import - File.

3. On the Reference Data Import (File) window, click Configure to create an authorized service token.

4. On the Reference Data Import (File) window, click Import.

5. On the Add user data screen, browse for a CSV file that contains user data.

Note:

The file must be 5 MB or less, contain a header row with the column names, and must have at least one column that contains unique data.

6. Click Next and select whether you want to merge data with an existing reference table or to create a reference table.

• If you choose to merge into an existing reference table, click Next and select an existing reference table.

• If you choose to create a reference table, click Next and create a reference table.

7. Click Next.

8. On the Attribute Mapping screen, set the attribute names and the key for the reference table and click Import.
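The note in step 5 states the constraints a CSV file must meet (5 MB or less, a header row with column names, at least one column of unique values). The following pre-flight check is an added example, not IBM's code, that applies those constraints to a file before it is uploaded and reports which columns could serve as the reference table key in step 8. The sample CSV is constructed; whether the 5 MB limit is counted in decimal or binary megabytes is an assumption.

```python
"""Pre-flight check for a user-data CSV before uploading it with Reference Data Import - File.
Added example, not IBM's code. It applies the constraints stated in the procedure and lists the
columns whose values are unique in every row (candidates for the reference table key)."""
import csv
import io

MAX_BYTES = 5 * 1024 * 1024  # "5 MB or less"; binary megabytes are an assumption


def check_user_csv(data: bytes) -> dict:
    """Return {'ok': bool, 'problems': [...], 'key_candidates': [...], 'rows': n}."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"file is {len(data)} bytes, limit is {MAX_BYTES}")
    try:
        text = data.decode("utf-8-sig")  # tolerate a BOM written by spreadsheet tools
    except UnicodeDecodeError:
        return {"ok": False, "problems": problems + ["file is not UTF-8"],
                "key_candidates": [], "rows": 0}
    rows = [r for r in csv.reader(io.StringIO(text)) if any(c.strip() for c in r)]
    if not rows:
        return {"ok": False, "problems": problems + ["file is empty"],
                "key_candidates": [], "rows": 0}
    header, body = rows[0], rows[1:]
    names = [h.strip() for h in header]
    if any(not n for n in names):
        problems.append("header row has an empty column name")
    dupes = sorted({n for n in names if names.count(n) > 1})
    if dupes:
        problems.append(f"duplicate column names: {dupes}")
    ragged = [i + 2 for i, r in enumerate(body) if len(r) != len(header)]
    if ragged:
        problems.append(f"rows with the wrong column count (1-based lines): {ragged}")
    # A column is a key candidate only if every row has a non-empty, unique value.
    key_candidates = []
    for col, name in enumerate(names):
        values = [r[col].strip() for r in body if col < len(r)]
        if values and all(values) and len(set(values)) == len(values):
            key_candidates.append(name)
    if not key_candidates:
        problems.append("no column contains unique, non-empty values in every row")
    return {"ok": not problems, "problems": problems,
            "key_candidates": key_candidates, "rows": len(body)}


# Constructed sample: 'email' and 'displayName' are unique, 'department' and 'employeeId' are not.
SAMPLE_CSV = b"""email,displayName,department,employeeId
jdoe@example.com,Jane Doe,Finance,1001
asmith@example.com,Al Smith,Finance,1002
rlee@example.com,Rosa Lee,IT,1001
"""

if __name__ == "__main__":
    print(check_user_csv(SAMPLE_CSV))
```

The check is deliberately stricter than the note: a column with a blank cell in one row is not offered as a key, because a blank key cannot address a reference table entry.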


Creating an authorized service token

Before you can configure an LDAP server to add data to a reference table, you must create an authorized service token.

Before you begin

Attention: QRadar on Cloud administrators cannot create an authorized service token for QRadar apps due to limited administrator capabilities. If you're a QRadar on Cloud customer, contact Customer Support to create an authorized service token for you.

About this task

Note: After you submit the authorized service token, you must deploy changes for the new authorized service token to take effect.

IBM QRadar requires that you use an authentication token to authenticate the API calls that the Reference Data Import - LDAP app makes. You use the Manage Authorized Services window in the Admin settings to create an authorized service token.

Procedure

1. On the Reference Data Import - LDAP app window, click Configure.

2. In the Configure Authorized Service Token dialog box, click Manage Authorized Services.

3. In the Manage Authorized Services window, click Add Authorized Service.

4. Add the relevant information in the following fields and click Create Service:

a) In the Service Name field, type a name for this authorized service. The name can be up to 255 characters in length.

b) From the User Role list, select Admin.

c) From the Security Profile list, select the security profile that you want to assign to this authorized service. The security profile determines the networks and log sources that this service can access on the QRadar user interface.

d) In the Expiry Date list, type or select a date for this service to expire. If an expiry date is not necessary, select No Expiry.

5. Click the row that contains the service you created, select and copy the token string in the Selected Token field on the menu bar, and close the Manage Authorized Services window.

6. In the Configure Authorized Service Token dialog box, paste the token string into the Token field, and click OK.

7. Deploy changes for the new authorized service token to take effect.

What to do next

“Adding an LDAP configuration” on page 196

Adding a private root certificate authority

You can upload a private root certificate authority (CA) bundle to IBM QRadar for use with the LDAP app.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu ( ), and then click Admin to open the admin tab.


2. Click the Reference Data Import LDAP icon.

3. On the Reference Data Import LDAP app main window, click Configure.

4. Click Choose File and then click Upload. Only the .pem file type is supported.

5. Click OK.

Adding an LDAP configuration

Add LDAP server information that you use to insert user data into a reference map of maps.

Before you begin

You must create and add an authentication token to the Reference Data Import - LDAP app before you can add an LDAP configuration.

Procedure

1. On the Reference Data Import - LDAP app window, click Add Import.

2. Enter the following information on the LDAP Configuration tab:

a) Enter a URL that begins with ldap:// or ldaps:// (for TLS) in the LDAP URL field.

b) Enter the point in the LDAP directory tree from where the server must search for users in the Base DN field.

For example, if your LDAP server was on the domain example.com, you might use: dc=example,dc=com

c) Enter the attribute or attributes you want to use to sort the data that is imported into the reference table in the Filter field. For example:

cn=*; uid=*; sn=*

The following default values will work with Active Directory: (&(sAMAccountName=*)(samAccountType=805306368)).

d) Enter attributes you want to import into the reference table in the Attribute List field.

The following default values will work with Active Directory: userPrincipalName,cn,sn,telephoneNumber,l,co,department,displayName,mail,title.

e) Enter the user name that is used to authenticate the LDAP server in the Username field.

f) Enter the password for the LDAP server in the Password field.

3. Click Test Connection to confirm that IBM QRadar can connect to the LDAP server before you proceed.

If your connection attempt is successful, information from your LDAP server is displayed on the LDAP Configuration tab.

4. Click Next.
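Steps 2c and 2d decide which directory objects are imported and which of their attributes reach the reference table. The following offline model is an added example, not IBM's code: it parses an RFC 4515 search filter (the subset the Active Directory default uses: the &, |, and ! operators and attr=value tests with * wildcards), applies it to constructed directory entries, and keeps only the attributes in the Attribute List, keyed the way the reference table will be keyed. The directory entries and the choice of userPrincipalName as the key are assumptions made for the example.

```python
"""Offline model of the Filter and Attribute List fields on the LDAP Configuration tab.
Added example, not IBM's code. Supports the RFC 4515 subset needed for the Active Directory
default filter: (&...), (|...), (!...), and attr=value with '*' wildcards."""
import re


def parse_filter(text: str):
    """Parse a filter such as (&(sAMAccountName=*)(samAccountType=805306368)) into a tree."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            result = (op, children)
        else:
            end = text.index(")", pos)
            attr, sep, value = text[pos:end].partition("=")
            if not sep or not attr:
                raise ValueError(f"bad assertion near offset {pos}")
            result = ("=", attr.strip(), value.strip())
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after the filter")
    return tree


def _values(entry: dict, attr: str) -> list:
    """Case-insensitive attribute lookup; LDAP attribute names are not case-sensitive."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return vals if isinstance(vals, list) else [vals]
    return []


def matches(entry: dict, tree) -> bool:
    """Evaluate a parsed filter against one directory entry."""
    op = tree[0]
    if op == "&":
        return all(matches(entry, c) for c in tree[1])
    if op == "|":
        return any(matches(entry, c) for c in tree[1])
    if op == "!":
        return not matches(entry, tree[1][0])
    _, attr, pattern = tree
    # Only '*' is a wildcard; everything else is matched literally, ignoring case.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return any(re.fullmatch(regex, str(v), re.IGNORECASE) for v in _values(entry, attr))


def import_records(entries, filter_text: str, attribute_list: str, key_attr: str) -> dict:
    """Apply the filter, keep only the listed attributes, and key the result by key_attr.
    Entries that lack the key attribute cannot be stored in the table and are skipped."""
    tree = parse_filter(filter_text)
    wanted = [a.strip() for a in attribute_list.split(",") if a.strip()]
    records = {}
    for entry in entries:
        if not matches(entry, tree):
            continue
        record = {a: _values(entry, a)[0] for a in wanted if _values(entry, a)}
        key = record.get(key_attr)
        if key is not None:
            records[key] = record
    return records


AD_FILTER = "(&(sAMAccountName=*)(samAccountType=805306368))"
AD_ATTRIBUTES = "userPrincipalName,cn,sn,telephoneNumber,l,co,department,displayName,mail,title"

# Constructed entries loosely modelled on Active Directory user, computer, and group objects.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "samAccountType": "805306368", "cn": "Jane Doe", "sn": "Doe",
     "userPrincipalName": "jdoe@example.com", "mail": "jdoe@example.com",
     "department": "Finance", "memberOf": ["CN=Finance,DC=example,DC=com"]},
    {"sAMAccountName": "svc-backup", "samAccountType": "805306368", "cn": "svc-backup",
     "userPrincipalName": "svc-backup@example.com", "department": "IT"},
    {"sAMAccountName": "WS01$", "samAccountType": "805306369", "cn": "WS01"},  # computer
    {"cn": "All Staff", "samAccountType": "268435456"},                         # group
]

if __name__ == "__main__":
    for key, rec in import_records(SAMPLE_ENTRIES, AD_FILTER, AD_ATTRIBUTES, "userPrincipalName").items():
        print(key, rec)
```

Running the model shows the two effects worth checking before a real poll: the computer and group objects never reach the table because the samAccountType test excludes them, and memberOf is dropped even though it is present in the directory, because it is not in the Attribute List.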

What to do next

“Selecting attributes” on page 197.

Related tasks

Creating an authorized service token
Before you can configure an LDAP server to add data to a reference table, you must create an authorized service token.

Adding LDAP attribute mappings
You can add aliases and set the key for the reference table.

“Adding a private root certificate authority” on page 195
You can upload a private root certificate authority (CA) bundle to IBM QRadar for use with the LDAP app.

Selecting attributes

Select the attributes to extract from your LDAP server.

Procedure

1. On the Select Attributes tab, search for specific attributes and select the attributes that you want to extract from your LDAP server.

2. Click Next.

What to do next

Add LDAP attribute mappings.

Adding LDAP attribute mappings

You can add aliases and set the key for the reference table.

About this task

If you want to merge LDAP data from multiple sources into the same reference table, you can use custom aliases to differentiate LDAP attributes with the same name in different sources.

Procedure

1. On the Attribute Mapping tab, set the key for the reference table.

Tip: You can create new LDAP Attribute fields by clicking Add and combining two attributes. For example, you can use the following syntax: "Last: {ln}, First: {fn}".

2. Click Next.

What to do next

Configure a reference data table to store LDAP data.

Related tasks

Adding a reference data configuration
Use the Reference Configuration tab to set up a reference data table to store LDAP data.

Creating a rule that responds to LDAP data updates
After you have configured the IBM QRadar Reference Data Import - LDAP app to store data from your LDAP server in a reference table in QRadar, you can use the data to create event rules.

Adding a reference data configuration

Use the Reference Configuration tab to set up a reference data table to store LDAP data.

Before you begin

After you configure your LDAP server information, you must set up a reference table to store the LDAP data that is passed to the app. You can then use the stored data to construct rules in QRadar or create searches and reports.

Procedure

1. Use the Reference Configuration tab to enter a new reference table or designate an existing reference table to which you want to add LDAP data.


a) Enter a name for the reference data collection in the Reference Data field or select an existing reference data collection from the list.

b) The Generate map of sets check box is disabled by default. If you enable the check box, it sends data to a reference set format to improve QRadar searching and might impact performance.

c) Use the Time to live fields to define how long you want the data to persist in the reference table. By default, the data you add never expires. When the time-to-live period is exceeded, a ReferenceDataExpiry event is triggered.

Note: If you append data to an existing reference map of maps, the app uses the original time-to-live parameters. These parameters cannot be overridden on the Reference Configuration tab.

2. Click Next.

What to do next

Set the polling interval.

Related tasks

Configuring polling
Use the Polling Interval tab to configure how often the app polls your LDAP server for new information.

Configuring polling

Use the Polling Interval tab to configure how often the app polls your LDAP server for new information.

Before you begin

After you configure your LDAP server information and reference data collection, you configure how often you want the app to draw down data from the LDAP server.

Procedure

1. Use the Polling Interval in minutes field to define in minutes how often you want the app to poll your LDAP server for data.

The minimum permissible polling interval value is 120.

2. Enter a value for the number of records you want the poll to return in the Record retrieval limit field.

By default, 100,000 records are returned. The maximum number of records that can be returned is 200,000.

3. The Paged results check box is selected by default to avoid limiting the number of records the LDAP server returns for each poll.

Note: Paged results are not supported by all LDAP servers.

4. Click Save.


Results

Data from your LDAP server is added to the reference data collection you selected at the interval you configured. You can use the API page on your IBM QRadar console to check that data was added to the reference data collection.

Related tasks

Checking that data is added to the reference data collection
You can use the IBM QRadar API documentation page to test if data was added to the reference data collection you created.

Checking that data is added to the reference data collection

You can use the IBM QRadar API documentation page to test if data was added to the reference data collection you created.

About this task

The API Documentation page on your QRadar Console can show the data that is stored in the reference table that you created in the Reference Data Import - LDAP app. You can use the API Documentation page to check that LDAP information was updated by the app.

Procedure

1. Log in to the QRadar API Documentation page.

https://<Console_IP>/api_doc

2. In the navigation tree, open the most recent API.

3. Go to /reference_data > /table > /name > GET

4. In the Value field of the Name parameter, enter the name of the reference data collection you created to store LDAP information, and click Try it out!.

The data added by the app is returned in the Response Body field.
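The same check can be scripted against the REST endpoint that the API Documentation page calls. The following Python is an added example, not code from the IBM guide or the app: it builds the GET request for one reference table, and parses a response to answer the two questions a practitioner asks after a poll (did anything land, and which users carry a given attribute value). It assumes the documented endpoint GET /api/reference_data/tables/<name>, an authorized-service token in the SEC header, a response whose data member maps outer key to inner key to an object with a value field, and attribute values stored in the list-text form that the guide's regex later expects ("['true']"). SAMPLE_RESPONSE is constructed for offline use, not captured from a console.

```python
"""Added example: check an LDAP reference table over the QRadar REST API.

Not from the IBM guide. Assumptions: endpoint GET /api/reference_data/tables/<name>,
SEC header for the authorized-service token, response 'data' shaped as
outer key -> inner key -> {'value': ...}, values stored as list text like "['true']".
SAMPLE_RESPONSE below is constructed, not captured from a console.
"""
import ast
import json
import ssl
import urllib.parse
import urllib.request


def build_table_request(console_host, table_name, sec_token):
    """Build the GET request for one reference table; the table name is URL-encoded."""
    url = "https://{}/api/reference_data/tables/{}".format(
        console_host, urllib.parse.quote(table_name, safe=""))
    req = urllib.request.Request(url, method="GET")
    req.add_header("SEC", sec_token)  # authorized service token, never a user password
    req.add_header("Accept", "application/json")
    return req


def fetch_table(req, ca_file=None, timeout=30):
    """Perform the request. Pass the console's CA bundle; do not disable verification."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.load(resp)


def parse_ldap_value(raw):
    """Turn the stored text "['true']" into ['true']; keep plain strings as a one-item list."""
    try:
        parsed = ast.literal_eval(raw)
        return list(parsed) if isinstance(parsed, (list, tuple)) else [str(parsed)]
    except (ValueError, SyntaxError):
        return [raw]


def users_with_attribute(table, attribute, wanted):
    """Outer keys (DNs) whose `attribute` entry contains `wanted`, sorted for stable output."""
    hits = []
    for outer_key, inner in table.get("data", {}).items():
        entry = inner.get(attribute)
        if entry and wanted in parse_ldap_value(entry.get("value", "")):
            hits.append(outer_key)
    return sorted(hits)


def table_is_populated(table):
    """The check the guide has you do by eye on the API doc page: did the poll write anything?"""
    return table.get("number_of_elements", 0) > 0 and bool(table.get("data"))


# Constructed sample of a populated LDAPtest1 table (the shape is an assumption, see above).
SAMPLE_RESPONSE = {
    "name": "LDAPtest1",
    "number_of_elements": 3,
    "data": {
        "uid=jdoe,dc=example,dc=com": {
            "passwordIsExpired": {"value": "['true']", "source": "reference data api"},
            "mail": {"value": "['jdoe@example.com']", "source": "reference data api"},
        },
        "uid=asmith,dc=example,dc=com": {
            "passwordIsExpired": {"value": "['false']", "source": "reference data api"},
        },
    },
}

if __name__ == "__main__":
    print(table_is_populated(SAMPLE_RESPONSE),
          users_with_attribute(SAMPLE_RESPONSE, "passwordIsExpired", "true"))
    # Against a live console (host, token and CA file are placeholders):
    # table = fetch_table(build_table_request("<Console_IP>", "LDAPtest1", "<SEC token>"),
    #                     ca_file="qradar-ca.pem")
```

If the poll wrote nothing, table_is_populated returns False: check the Record retrieval limit and the Base DN and Filter settings before suspecting the rule side.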



Creating a rule that responds to LDAP data updates
After you configure the IBM QRadar Reference Data Import - LDAP app to store data from your LDAP server in a reference table in QRadar, you can use the data to create event rules.

About this task

When you poll your LDAP server and data is added to the reference table, ReferenceDataUpdated events are triggered. When the time-to-live period that you configured on the Reference Configuration tab is exceeded, a ReferenceDataExpiry event is triggered. You can create rules that respond to content within the payload of a ReferenceDataUpdated or ReferenceDataExpiry event.

LDAP data stored by the app in a reference data collection is available to rules that you configure by using the QRadar Rules Wizard. The Rules Wizard can be accessed from the Offenses, Log Activity, or Network Activity tabs.

Procedure

1. Click Log Activity > Rules > Actions > New Event Rule.
2. On the Rule Wizard introduction page, click Next.
3. Ensure that the Events radio button is selected, and click Next.
4. Enter a name for the rule in the field provided.
5. Select a test from the Test Group list, and click the + icon beside the test that you want to use.

The rule test you select depends on the information you want to retrieve from the reference data collection that holds your LDAP data.

The following reference map of maps event property test is designed to test the events that are triggered when the Reference Data Import - LDAP app reference table is updated:

when any of these event properties is the key of the first map and any of these event properties is the key of the second map and any of these event properties is the value in any of these reference map of maps.

In the following example, a rule is configured to test the ReferenceDataUpdated event payload when the LDAP attribute passwordIsExpired is updated to true for any UID in the LDAPtest1 reference data collection.



To use this event property test, you must create custom event properties for the outer key (the key of the first map), the inner key (the key of the second map), and the value fields. In the following example, the Reference Data Import - LDAP app was configured to import information on users whose password is expired from an LDAP server at example.com.



The outer key
This property contains the data entered in the LDAP fields that are specified in the Base DN and Filter fields on the LDAP configuration tab of the app. The regex for the custom event property might look like this:

(uid=(.*?),dc=example,dc=com)

The inner key
This property contains the data entered in the LDAP fields that are specified in the Attribute field on the LDAP configuration tab of the app. You can use attribute aliases in this field. The regex for the custom event property might look like this:

(passwordIsExpired)

The value field
This property contains the data retrieved for the passwordIsExpired LDAP attribute for each user. The regex for the custom event property might look like this:

(\['true'\])

For more information about custom event properties, see the IBM QRadar SIEM Users Guide.
6. Click Next.
7. Select the rule action, rule response, and rule limiter that you want to apply to the rule, and click Finish.

For more information on custom event rules, see the IBM QRadar SIEM Users Guide.

Results
The next time you poll your LDAP server and the reference data collection you created is updated, your rule is triggered.
Related tasks
Adding LDAP attribute mappings
You can add aliases and set the key for the reference table.
Adding a reference data configuration
Use the Reference Configuration tab to set up a reference data table to store LDAP data.
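Before you commit the three custom event properties to a rule, it is worth running the regexes over real payload text, because a pattern that matches "anywhere in the payload" (as (passwordIsExpired) does) behaves differently from a keyed lookup. The following Python is an added example, not code from the IBM guide: it applies the three regexes from the text to constructed ReferenceDataUpdated-style payloads and evaluates the rule condition (outer key under dc=example,dc=com, inner key passwordIsExpired, value ['true'], in the LDAPtest1 table). The payload layout is an assumption made for illustration; inspect an actual ReferenceDataUpdated event in Log Activity and adjust the sample before relying on the regexes.

```python
"""Added example: evaluate the guide's custom event property regexes offline.

Not from the IBM guide. The payload layout in SAMPLE_PAYLOADS is constructed for
illustration; QRadar's real ReferenceDataUpdated payload text may differ.
QRadar custom event properties return capture group 1 unless configured otherwise.
"""
import re

# The three regexes exactly as given in the guide.
OUTER_KEY_RE = re.compile(r"(uid=(.*?),dc=example,dc=com)")   # group 1 = DN, group 2 = uid
INNER_KEY_RE = re.compile(r"(passwordIsExpired)")
VALUE_RE = re.compile(r"(\['true'\])")


def extract_property(pattern, payload, group=1):
    """What a custom event property yields: the chosen capture group, or None if no match."""
    m = pattern.search(payload)
    return m.group(group) if m else None


def evaluate_rule(payload, table_name="LDAPtest1"):
    """Mirror the 'reference map of maps' test: all three properties must be present, and the
    payload must name the table the rule is scoped to. Returns (matched, details)."""
    outer = extract_property(OUTER_KEY_RE, payload)
    inner = extract_property(INNER_KEY_RE, payload)
    value = extract_property(VALUE_RE, payload)
    in_table = table_name in payload
    details = {
        "outer_key": outer,
        "inner_key": inner,
        "value": value,
        "uid": extract_property(OUTER_KEY_RE, payload, group=2),
        "table": table_name if in_table else None,
    }
    return all([outer, inner, value, in_table]), details


def matching_uids(payloads, table_name="LDAPtest1"):
    """UIDs whose update would fire the rule, in payload order."""
    return [d["uid"] for matched, d in (evaluate_rule(p, table_name) for p in payloads) if matched]


# Constructed payloads (format assumed): one expired password in LDAPtest1, one not expired,
# one unrelated attribute, and one expired password in a different table.
SAMPLE_PAYLOADS = [
    "ReferenceDataUpdated table=LDAPtest1 outer_key=uid=jdoe,dc=example,dc=com "
    "inner_key=passwordIsExpired value=['true']",
    "ReferenceDataUpdated table=LDAPtest1 outer_key=uid=asmith,dc=example,dc=com "
    "inner_key=passwordIsExpired value=['false']",
    "ReferenceDataUpdated table=LDAPtest1 outer_key=uid=bwong,dc=example,dc=com "
    "inner_key=mail value=['bwong@example.com']",
    "ReferenceDataUpdated table=Contractors outer_key=uid=cdoe,dc=example,dc=com "
    "inner_key=passwordIsExpired value=['true']",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(evaluate_rule(p))
    print("would fire for:", matching_uids(SAMPLE_PAYLOADS))
```

Two things the run makes visible: the non-greedy (.*?) in the outer key stops at the first ",dc=example,dc=com", so a uid that itself contains a comma is truncated; and (\['true'\]) is a literal match on the stored list text, so a multi-valued attribute or a differently cased "True" does not fire.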



Chapter 9. Machine Learning Analytics app
The Machine Learning Analytics (ML) app extends the capabilities of your QRadar system and the QRadar User Behavior Analytics (UBA) app by adding use cases for machine learning analytics. With the Machine Learning Analytics models, you can gain additional insight into user behavior with predictive modeling. The ML app helps your system to learn the expected behavior of the users in your network.

Attention: You must install IBM QRadar V7.2.8 or later before you install the UBA app and the ML app.

Important:

• It is best to enable Machine Learning Analytics Settings one day after you initially configure the UBA app. This waiting period ensures that the UBA app has sufficient time to create risk profiles for users.

• The QRadar console limits the amount of memory that can be used by apps. The ML app installation size options are based on how much memory QRadar currently has for applications.

– The minimum amount of free memory required to install the ML app is 2 GB. However, 5 GB or higher is recommended.

– The number of users monitored by the ML app depends on the ML app installation size and the specific Machine Learning analytic. Starting at 5 GB, the maximum number of users monitored by any Machine Learning model is 40,000 per 5 GB, up to 160,000 users in total. For example, 5 GB supports up to 40,000 users and 15 GB supports up to 120,000 users.

• The installation might fail due to a lack of available memory. This situation can occur if the amount of memory available for applications is decreased because other applications are installed.

Known issues for Machine Learning Analytics
The Machine Learning Analytics app has required information for installation and known issues.

The Machine Learning Analytics app has the following known issues:

• The Machine Learning app might show warning messages in the Status of Machine Learning section. For more information, see “Machine Learning app status shows warning on dashboard” on page 258.

• The installation might fail due to a lack of available memory. This situation can occur on 128 GB consoles if several other apps are already installed and less than 10 GB remains for the ML app to use. If the installation fails, the error message "FAILED" is displayed. To remedy this situation, uninstall some of the other apps and then try again.

Prerequisites for installing the Machine Learning Analytics app
Before you install the Machine Learning Analytics app, ensure that you meet the requirements.

You must meet the following system requirements and fully install and configure the User Behavior Analytics (UBA) app before you can install the Machine Learning Analytics app.

Component            Minimum requirements
System memory        2 GB of free memory from the QRadar application pool of memory
IBM QRadar version   V7.2.8 or later
Sense DSM            Install the DSM RPM file.
UBA app              • Install the UBA V3.3.0 app.
                     • Configure the UBA Settings.
                     • Click the User Analytics tab and confirm that the UBA Dashboard contains user data.

Installing the IBM Sense DSM manually

The UBA app and the Machine Learning Analytics app use the following IBM Sense DSM files to add user risk scores and offenses into QRadar.

• For QRadar V7.2.8: DSM-IBMSense-7.2-20190423155729.noarch.rpm
• For QRadar V7.3.1 and later: DSM-IBMSense-7.3-20190423195729.noarch.rpm

Restriction: Uninstalling a Device Support Module (DSM) is not supported in QRadar.

1. Copy the DSM RPM file to your QRadar Console.
2. Use SSH to log in to the QRadar host as the root user.
3. Go to the directory that includes the downloaded file.
4. Type the following command:

rpm -Uvh <rpm_filename>

5. From the Admin settings, click Advanced > Deploy Full Configuration.

Note: Instructions for installing and configuring the UBA app are on the IBM Knowledge Center.

Related tasks
“Installing the User Behavior Analytics app” on page 13
Use the IBM QRadar Extension Management tool to upload and install your app archive directly to your QRadar Console.
“Configuring UBA settings” on page 23
To view information in the IBM QRadar User Behavior Analytics (UBA) app, you must configure UBA application settings.

Installing the Machine Learning Analytics app
Install the Machine Learning Analytics (ML) app after you install the UBA app from the Extension Manager.

Before you begin
Make sure that you completed all of the Prerequisites for installing the Machine Learning Analytics app.

About this task
After you install the User Behavior Analytics (UBA) app, you can install the ML app from the Machine Learning Settings page.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu ( ), and then click Admin to open the admin tab.

2. Click the Machine Learning Settings icon.

• In QRadar V7.3.0 or earlier, click Plugins > User Analytics > Machine Learning Settings.



• In QRadar 7.3.1 or later, click Apps > User Analytics > Machine Learning Settings.

3. On the Machine Learning Settings page, click Install ML App.
4. At the prompt, click Yes to install the app. The ML app takes several minutes to install.

What to do next

When the installation is complete, you can enable ML use cases and then click Save Configuration.

Upgrading the Machine Learning Analytics app
Upgrade the Machine Learning Analytics app from the Machine Learning Settings page.

Before you begin
The Machine Learning app is automatically upgraded with the UBA app. After you install or upgrade your User Behavior Analytics (UBA) app, you can upgrade your existing Machine Learning Analytics app from the Machine Learning Settings page.

Attention: If you have the Machine Learning Analytics (ML) app V2.0.0 installed and you upgrade to the latest version of the UBA app, do not uninstall the Machine Learning Analytics app from the QRadar Extension Manager. If you attempt to uninstall the Machine Learning Analytics app from the Extension Manager, you might encounter issues with your ML app installation.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu ( ), and then click Admin to open the admin tab.

2. Click the Machine Learning Settings icon.

• In QRadar V7.3.0 or earlier, click Plugins > User Analytics > Machine Learning Settings.
• In QRadar 7.3.1 or later, click Apps > User Analytics > Machine Learning Settings.

3. On the Machine Learning Settings page, click Upgrade ML App.
4. At the prompt, click Yes. The ML app takes several minutes to upgrade.
5. After the upgrade is complete, the model building restarts.

What to do next
Verify that your Machine Learning Settings are configured correctly. If you change any settings, make sure to click Save Configuration.

UBA dashboard with Machine Learning V3.3.0
The IBM QRadar User Behavior Analytics (UBA) app with Machine Learning Analytics includes the Machine Learning model status and additional details for the selected user.

Dashboard

After you enable the Machine Learning models, click the User Analytics tab to open the dashboard.

The Status of Machine Learning Models section shows you the ingestion and the building progress for each model that you enabled.

• The light blue progress bar indicates that the model is ingesting data.
• The blue progress bar indicates that the model is building.
• The green progress bar indicates that the model is training.
• The green check mark indicates that the model is enabled.
• The yellow warning icon indicates that a problem was encountered during the model building phase. See “Machine Learning app status shows warning on dashboard” on page 258.

Click the ML Settings icon to open the Machine Learning Analytics page and edit the configuration for the Machine Learning Analytics models.

Note: If you edit the configuration after it is saved, a new model is built and the time to wait for the ingestion and model building is reset.



User details page

You can click a user name from anywhere in the app to see details for the selected user.

You can learn more about the user's activities with the event viewer pane. The event viewer pane shows information about a selected activity or point in time. Clicking an event in the event viewer pane reveals more details, such as syslog events and payload information. The event viewer pane is available for all donut and line graphs on the User details page.

The following table describes the Machine Learning Analytics graphs available on the User Details page.

Access Activity
Shows actual and expected user activity behavior patterns by Access high-level category. The actual values are the number of events per high-level category for that user during the selected time period. The expected values are the predicted number of events per high-level category for that user during the selected time period. A red circle indicates that an anomaly was detected and a sense event was generated by machine learning.

On the Access Activity graph, you can:

• Click the Calendar icon to specify a time and date.
• Click a category to open the timeline graph for the selected category.

On the timeline graph for the selected category, you can:

• Click a data node to get a query listing of the events that represent that node.
• Click the Calendar icon to specify a custom date range.

Activity Distribution
Shows dynamic behavior clusters for all users that are monitored by machine learning. The clusters are inferred from the low-level activity categories for all users that are monitored by machine learning. The actual values are the percent match to that cluster. The expected values are the predicted percent match to that cluster. Each color in the graph represents a unique dynamic behavior cluster for all users monitored by machine learning. The color used to denote a particular group is the same for all users. A red vertical line indicates that an anomaly was detected and a sense event was generated by machine learning.



On the Activity Distribution graph, you can:

• Hover over each cluster to view the actual and predicted activity percentiles and the top 3 contributing low-level categories.

• Click the Calendar icon to specify a date range.

Aggregated Activity
Shows the actual and expected (learned) amount of activity of users throughout the day. The actual values are the number of events for that user during the selected time period. The expected values are the number of events predicted for that user during the selected time period. A red circle indicates that an anomaly was detected and a sense event was generated by machine learning.

On the Aggregated Activity graph, you can:

• Click a data node to get a query listing of the events that make up the anomaly.
• Click the Calendar icon to specify a custom date range.

Authentication Activity
Shows actual and expected user activity behavior patterns by Authentication high-level category. The actual values are the number of events per high-level category for that user during the selected time period. The expected values are the predicted number of events per high-level category for that user during the selected time period. A red circle indicates that an anomaly was detected and a sense event was generated by machine learning.

On the Authentication Activity graph, you can:

• Click the Calendar icon to specify a time and date.
• Click a category to open the timeline graph for the selected category.

On the timeline graph for the selected category, you can:

• Click a data node to get a query listing of the events that represent that node.
• Click the Calendar icon to specify a custom date range.

Data Downloaded
Shows whether a user's inbound traffic volume has deviated from their expected behavior. The actual values are the volume of data received during the selected time period. The learned values are the model's predicted volume of data received. A red circle indicates that an anomaly was detected and a sense event was generated by machine learning.

Data Uploaded to Remote Networks
Shows whether a user's outbound traffic volume has deviated from their expected behavior. The actual values are the volume of data that is sent by that user during the selected time period. The learned values are the model's predicted volume of data that is sent. A red circle indicates that an anomaly was detected and a sense event was generated by machine learning.

Defined peer group
Shows how much a user's event activity deviates from that of their defined peer group. The analytic uses the low-level activity categories of the users' events to determine the users' deviation from their defined peer group.



A red circle indicates that an anomaly was detected and a sense event was generated by machine learning. Deviation from peer group is the percentage by which a user has deviated from their defined peer group. Confidence is the percentile of the deviation in the context of the historical data on which the model is built. An alert is triggered if the deviation and the confidence both exceed their thresholds.

To view the Defined peer group analytic, you must define user groups. For more information, see “User groups for the defined peer group analytic” on page 253.

On the Defined Peer Group graph, you can:

• Click a data point to view the Peers in "your defined peer group" table.
• Click the Calendar icon to specify a date range.

The Peers in "your defined peer group" table shows you the riskiest users in the current user's group. You can:

• Click a user name to open the User Details page.
• Click the drop-down list to select the user attributes to display.
• Search to filter the user names.

Learned Peer Group
Shows how much the user deviated from the inferred peer group that they were expected to be in. The Learned Peer Group is inferred from the low-level activity categories for the user.

A red circle indicates that an anomaly was detected and a sense event was generated by machine learning. Deviation from peer group is the percentage by which a user has deviated from their inferred peer group. Confidence is the percentile of the deviation in the context of the historical data on which the model is built. An alert is triggered if the deviation and the confidence both exceed their thresholds.

On the Learned Peer Group graph, you can:

• Click a data point to view the Peers in Group table.
• Click the Calendar icon to specify a date range.

The Peers in Group table shows you all the users that are expected to be in the group and that are actually in the group. You can:

• Click a user name to open the User Details page.
• Expected match shows how confident the analytic is that the user belongs in the group.
• Click the drop-down list to select the user attributes to display.
• Search to filter the user names.



Outbound Transfer Attempts
Shows whether a user's outbound traffic usage has deviated from their expected behavior. The actual values are the number of transfer attempts for that user during the selected time period. The learned values are the model's predicted number of transfer attempts. A red circle indicates that an anomaly was detected and a sense event was generated by machine learning.

On the Outbound Transfer Attempts graph, you can:

• Click a node to get a query listing of the events.
• Click the Calendar icon to specify a custom date range.

Risk Posture
Shows whether a user's risk score deviates from their expected risk score pattern. The actual values are the sum of the sense values for the sense events for that user during the selected time period. The expected values are the predicted sum of the sense values for the sense events for that user during the selected time period. A red circle indicates that an anomaly was detected and a sense event was generated by machine learning.

On the Risk Posture graph, you can:

• Click a node to get a query listing of the events.
• Click the Calendar icon to specify a custom date range.

Suspicious Activity
Shows actual and expected user activity behavior patterns by Suspicious high-level category. The actual values are the number of events per high-level category for that user during the selected time period. The expected values are the predicted number of events per high-level category for that user during the selected time period. A red circle indicates that an anomaly was detected and a sense event was generated by machine learning.

On the Suspicious Activity graph, you can:

• Click the Calendar icon to specify a time and date.
• Click a category to open the timeline graph for the selected category.

On the timeline graph for the selected category, you can:

• Click a data node to get a query listing of the events that represent that node.
• Click the Calendar icon to specify a custom date range.

Related tasks
“Enabling user models V3.3.0” on page 211
To view information in the Machine Learning Analytics app, you must configure Machine Learning settings for User Models.

Enabling user models V3.3.0
To view information in the Machine Learning Analytics app, you must configure Machine Learning settings for User Models.

About this task
Starting with V3.3.0 of the UBA app, the Machine Learning Settings page has a new look and feel. You can enable models or select a model to edit the default settings. You can also create your own custom models with the included templates. You can enable up to 17 models.

Example



Access Activity
Enable the Access Activity machine learning model to display the user’s activity in the Access high-level category on the UBA Dashboard.

Before you begin

Review the following model details.

• Event Name: UBA : Abnormal increase in Access activity
• sensevalue: 5
• Required configuration: System is monitoring events that have QRadar high-level category of Access.
• Log source types: Akamai KONA, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arbor Networks Pravail, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BeyondTrust PowerBroker, Bit9 Security Platform, Blue Coat Web Security Service, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, Carbon Black Protection, Centrify Identity Platform, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco CSA, Cisco CallManager, Cisco CatOS for Catalyst Switches, Cisco Cloud Web Security, Cisco FireSIGHT Management Center, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Firewall Filter, CorreLog Agent for IBM zOS, Custom Rule Engine, DCN DCS/DCRS Series, EMC VMWare, Epic SIEM, Event CRE Injected, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix K/N/S Series Switch, Extreme NAC, Extreme Stackable and Standalone Switches, Extreme XSR Security Routers, F5 Networks BIG-IP AFM, F5 Networks BIG-IP ASM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Fidelis XPS, Flow Classification Engine, Forcepoint Sidewinder, Forcepoint V Series, Fortinet FortiGate Security Gateway, Foundry Fastiron, H3C Comware Platform, HP Network Automation, HP ProCurve, HP Tandem, Honeycomb Lexicon File Integrity Monitor, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Server, IBM Bluemix Platform, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM Guardium, IBM IMS, IBM Informix Audit, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Manager, IBM Security Network IPS (GX), IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, ISC BIND, Illumio Adaptive Security Platform, Imperva Incapsula, Imperva SecureSphere, Infoblox NIOS, Itron Smart Meter, Juniper DX Application Acceleration Platform, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper WirelessLAN, Juniper vGW, Kaspersky Security Center, Kisco Information Systems SafeNet/i, Lieberman Random Password Manager, Linux OS, Linux iptables Firewall, Mac OS X, McAfee Application/Change Control, McAfee Network Security Platform, McAfee ePolicy Orchestrator, Microsoft Azure, Microsoft Exchange Server, Microsoft Hyper-V, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SQL Server, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDos Secure, NGINX HTTP Server, Netskope Active, Nortel Contivity VPN Switch, Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, Okta, Open LDAP Software, OpenBSD OS, Oracle Audit Vault, Oracle BEA WebLogic, Oracle RDBMS OS Audit Record, Palo Alto PA Series, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, Salesforce Security Auditing, Snort Open Source IDS, Solaris Operating System Authentication Messages, Solaris Operating System DHCP Logs, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Sophos Enterprise Console, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sun ONE LDAP, Sybase ASE, Symantec Critical System Protection, Symantec Encryption Management Server, Symantec Endpoint Protection, Symantec Gateway Security (SGS) Appliance, Symantec System Center, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend InterScan VirusWall, Trend Micro Deep Security, Universal DSM, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, Zscaler Nss, genua genugate, iT-CUBE agileSI

About this task

Enable the Access Activity model to track a user’s activity in the Access high-level category and create a learned behavioral model for each hour of the day. If the user’s Access activity deviates from the learned behavior, it is deemed suspicious and a Sense Event is generated to increase the user’s risk score.

Attention: After you configure or modify your settings, it takes a minimum of 1 hour to ingest data, build an initial model, and see initial results for users.

Active users are monitored continuously. If a user has no activity for 28 days, the user and the user's data are removed from the model. If the user is active again, they return as a new user.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu ( ), and then click Admin to open the admin tab.

2. Click the Machine Learning Settings icon.

• In QRadar V7.3.0 or earlier, click Plugins > User Analytics > Machine Learning Settings.
• In QRadar 7.3.1 or later, click Apps > User Analytics > Machine Learning Settings.

3. On the Machine Learning Settings page, click Enabled to turn on the Access Activity model.

4. Click Access Activity if you want to edit the default settings.
5. In the Risk value of sense event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 5.
6. Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1 - 10). This factor is determined by how much the user deviates from their expected behavior, not just that they deviated.
7. In the Confidence interval to trigger anomaly field, enter the percentage for how confident the machine learning algorithm should be before it triggers an anomalous event. The default value is 0.95.
8. In the Data Retention Period field, set the number of days you want to save the model data. The default value is 30.

9. The Show graph on User Details page toggle is enabled by default to display the Access Activity graph on the User Details page. If you do not want to display the Access Activity graph on the User Details page, click the toggle.

10. In the AQL Search Filter field, you can add an AQL filter to narrow the data that the analytic queries for in QRadar. By filtering with an AQL query, you can reduce the number of users or the types of data the analytic is analyzing. Before you save your settings, click Validate Query to launch a full AQL query in QRadar so that you can review the query and verify the results.

Important: If you modify the AQL filter, the existing model is marked invalid and is then rebuilt. Thelength of time the rebuild takes depends on the amount of data that is returned by the modified filter.

You can filter on specific log sources, network names, or reference sets that contain specific users.See the following examples:

Chapter 9. Machine Learning Analytics app 213

Page 222: Version 3.3.0 app IBM QRadar User Behavior …public.dhe.ibm.com/software/security/products/qradar/...IBM QRadar User Behavior Analytics (UBA) app Version 3.3.0 User Guide IBM Note

• REFERENCESETCONTAINS('Important People', username)• LOGSOURCETYPENAME(devicetype) in ('Linux OS', 'Blue Coat SG Appliance', 'Microsoft

Windows Security Event Log')• INCIDR('172.16.0.0/12', sourceip) or INCIDR('10.0.0.0/8', sourceip) or

INCIDR('192.168.0.0/16', sourceip)

For more information, see Ariel Query Language.11. Click Save.
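Steps 5 to 7, together with the 28-day inactivity rule, as an added illustration that is not the UBA app's code: a per-hour-of-day baseline, the confidence interval that decides whether an hour is anomalous, and the risk value with its optional 1 - 10 scale factor. The guide does not describe the app's statistics, so the z-score test, the normal quantiles and the scale formula are assumptions, and the history and last-seen dates are constructed.

```python
"""Added illustration of how the settings in steps 5 to 7 interact with the
28-day inactivity rule. Not the UBA app's code: the guide does not describe the
app's statistics, so the per-hour baseline, the z-score test and the scale
formula below are assumptions that stand in for them."""
from datetime import date, timedelta
from statistics import mean, stdev

# Assumed one-sided normal quantiles for the two default confidence values
# used in this chapter (0.95 for most models, 0.99 for Activity Distribution).
Z_FOR_CONFIDENCE = {0.95: 1.645, 0.99: 2.326}

# Constructed history: events one user produced in the 09:00 hour on each of
# the last seven days, i.e. the per-hour-of-day baseline the models learn.
HISTORY_09H = [10, 12, 11, 9, 10, 13, 12]

# Constructed last-seen dates for the inactivity check (TODAY is 2019-03-01).
TODAY = date(2019, 3, 1)
LAST_SEEN = {
    "alice": date(2019, 2, 28),  # active yesterday
    "bob": date(2019, 2, 1),     # exactly 28 days of no activity
    "carol": date(2019, 2, 2),   # 27 days of no activity
}


def hourly_baseline(counts):
    """Return (mean, stdev) of past counts for one hour of day."""
    if len(counts) < 2:
        raise ValueError("need at least two days of history for a baseline")
    return mean(counts), stdev(counts)


def evaluate_hour(count, baseline, confidence=0.95, risk_value=5, scale=True,
                  event_name="UBA : Abnormal increase in User activity"):
    """Decide whether one hour's count is anomalous and how much risk it adds.

    Returns None when the count is inside the confidence interval, otherwise
    a dict describing the Sense Event. Only an increase over the baseline
    counts as anomalous, matching the 'Abnormal increase' event names in the
    guide. `risk_value` is the 'Risk value of sense event' setting and `scale`
    the toggle that multiplies it by a factor in the range 1 - 10."""
    mu, sigma = baseline
    threshold = Z_FOR_CONFIDENCE[confidence]
    if sigma == 0:
        z = float("inf") if count > mu else 0.0
    else:
        z = (count - mu) / sigma
    if z <= threshold:
        return None
    if not scale:
        factor = 1
    elif z == float("inf"):
        factor = 10
    else:
        # Assumption: the factor grows with how far past the threshold the
        # observation lies, clamped to the documented 1 - 10 range.
        factor = max(1, min(10, round(z / threshold)))
    return {
        "event": event_name,
        "z_score": round(z, 2),
        "risk_increase": risk_value * factor,
    }


def active_users(last_seen, today, inactivity_days=28):
    """Return the users still kept in the model.

    A user with no activity for `inactivity_days` days is removed together
    with their data; if they become active again they start as a new user."""
    return {user for user, seen in last_seen.items()
            if (today - seen).days < inactivity_days}


if __name__ == "__main__":
    baseline = hourly_baseline(HISTORY_09H)
    for observed in (12, 20):
        print(observed, "->", evaluate_hour(observed, baseline))
    print("0.99 ->", evaluate_hour(20, baseline, confidence=0.99))
    print("unscaled ->", evaluate_hour(20, baseline, scale=False))
    print("retained:", sorted(active_users(LAST_SEEN, TODAY)))
```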

Results

It can take a minimum of 1 hour for the app to ingest data and build an initial model.

Related tasks

• Activity Distribution: Configure the Activity Distribution machine learning model to display dynamic behavior clusters for all users that are monitored by machine learning on the UBA Dashboard.

• Aggregated Activity: Enable the Aggregated Activity machine learning model to display the user’s general activity by time on the UBA Dashboard.

• Authentication Activity: Enable the Authentication Activity machine learning model to display the user’s activity in the Authentication high-level category on the UBA Dashboard.

• Data Downloaded: Enable the Data Downloaded machine learning model to display data that is downloaded for each user on the UBA Dashboard.

• Data Uploaded to Remote Networks: Enable the Data Uploaded to Remote Networks machine learning model to display the actual and expected (learned) amount of local to remote upload volume for each user on the UBA Dashboard.

• Defined Peer Group: Configure the Defined Peer Group machine learning model to display how much a user's event activity deviates from the event activity of their defined peer group on the UBA Dashboard.

• Learned Peer Group: Enable the Learned Peer Group machine learning model to display how much the user deviated from the inferred peer group they were expected to be in on the UBA Dashboard.

• Outbound Transfer Attempts: Enable the Outbound Transfer Attempts machine learning model to display outbound traffic usage for each user on the UBA Dashboard.

• Risk Posture: Enable the Risk Posture machine learning model to display the user's risk score deviation on the UBA Dashboard.

• Suspicious Activity: Enable the Suspicious Activity machine learning model to display the actual and expected (learned) amount of Suspicious Activity high-level category on the UBA Dashboard.

• Creating a custom model: Create a custom model to measure and baseline a numeric feature for a person per hour.

Activity Distribution

Configure the Activity Distribution machine learning model to display dynamic behavior clusters for all users that are monitored by machine learning on the UBA Dashboard.

Before you begin

Review the following model details.

• Event Name: UBA : Deviation from normal activity patterns

• sensevalue: 5

• Log source types: Any log source with events that provide a username.

About this task

Enable the Activity Distribution model so that the model can learn behavior clusters that represent groups of similar activity (similar QRadar low-level categories). The model then searches for deviations from the normal distribution of these clusters over time. Malicious behavior can manifest as changes in the distribution of a user’s behavior clusters; that is, the user’s activities begin to deviate from their customary activities. Similar activities are represented by the same colors for all users.

Attention: After you configure or modify your settings, it takes a minimum of 2 days to ingest data, build an initial model, and see initial results for users.


Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the Admin tab.

2. Click the Machine Learning Settings icon.

• In QRadar V7.3.0 or earlier, click Plugins > User Analytics > Machine Learning Settings.

• In QRadar 7.3.1 or later, click Apps > User Analytics > Machine Learning Settings.

3. On the Machine Learning Settings page, click Enabled to turn on the Activity Distribution model.

Important: You must have 7 days of data available for the analytic to generate a model.

4. Click Activity Distribution if you want to edit the default settings.

5. In the Risk value of sense event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 5.

6. Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1 - 10). This factor is determined by how much the user deviates from their expected behavior, not just that they deviated.

7. In the Confidence interval to trigger anomaly field, enter the percentage for how confident the machine learning algorithm should be before it triggers an anomalous event. The default value is 0.99.

8. In the Data Retention Period field, set the number of days you want to save the model data. The default value is 30.

9. The Show graph on User Details page toggle is enabled by default to display the Activity Distribution graph on the User Details page. If you do not want to display the Activity Distribution graph on the User Details page, click the toggle.

10. In the AQL Search Filter field, you can add an AQL filter to narrow the data that the analytic queries for in QRadar. By filtering with an AQL query, you can reduce the number of users or the types of data the analytic is analyzing. Before you save your settings, click Validate Query to launch a full AQL query in QRadar so that you can review the query and verify the results.

Important: If you modify the AQL filter, the existing model is marked invalid and is then rebuilt. The length of time the rebuild takes depends on the amount of data that is returned by the modified filter.

You can filter on specific log sources, network names, or reference sets that contain specific users. See the following examples:

• REFERENCESETCONTAINS('Important People', username)

• LOGSOURCETYPENAME(devicetype) in ('Linux OS', 'Blue Coat SG Appliance', 'Microsoft Windows Security Event Log')

• INCIDR('172.16.0.0/12', sourceip) or INCIDR('10.0.0.0/8', sourceip) or INCIDR('192.168.0.0/16', sourceip)

For more information, see Ariel Query Language.

11. Click Save.

Results

It can take a minimum of 1 hour for the app to ingest data and build an initial model.

Related tasks

• Access Activity: Enable the Access Activity machine learning model to display the user’s activity in the Access high-level category on the UBA Dashboard.

• Aggregated Activity: Enable the Aggregated Activity machine learning model to display the user’s general activity by time on the UBA Dashboard.

• Authentication Activity: Enable the Authentication Activity machine learning model to display the user’s activity in the Authentication high-level category on the UBA Dashboard.

• Data Downloaded: Enable the Data Downloaded machine learning model to display data that is downloaded for each user on the UBA Dashboard.

• Data Uploaded to Remote Networks: Enable the Data Uploaded to Remote Networks machine learning model to display the actual and expected (learned) amount of local to remote upload volume for each user on the UBA Dashboard.

• Defined Peer Group: Configure the Defined Peer Group machine learning model to display how much a user's event activity deviates from the event activity of their defined peer group on the UBA Dashboard.

• Learned Peer Group: Enable the Learned Peer Group machine learning model to display how much the user deviated from the inferred peer group they were expected to be in on the UBA Dashboard.

• Outbound Transfer Attempts: Enable the Outbound Transfer Attempts machine learning model to display outbound traffic usage for each user on the UBA Dashboard.

• Risk Posture: Enable the Risk Posture machine learning model to display the user's risk score deviation on the UBA Dashboard.

• Suspicious Activity: Enable the Suspicious Activity machine learning model to display the actual and expected (learned) amount of Suspicious Activity high-level category on the UBA Dashboard.

• Creating a custom model: Create a custom model to measure and baseline a numeric feature for a person per hour.

Aggregated Activity

Enable the Aggregated Activity machine learning model to display the user’s general activity by time on the UBA Dashboard.

Before you begin

Review the following model details.

• Event Name: UBA : Abnormal increase in User activity

• sensevalue: 5

• Log source types: Any log source with events that provide a username.

About this task

Enable the Aggregated Activity model to track a user’s general activity by time and create a model for the predicted weekly behavior patterns. If the user’s activity deviates from the learned behavior, it is deemed suspicious and a Sense Event is generated to increase the user’s risk score.

Attention: After you configure or modify your settings, it takes a minimum of 1 hour to ingest data, build an initial model, and see initial results for users.

Active users are monitored continuously. If a user has no activity for 28 days, the user and the user's data are removed from the model. If the user is active again, they will return as a new user.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the Admin tab.

2. Click the Machine Learning Settings icon.

• In QRadar V7.3.0 or earlier, click Plugins > User Analytics > Machine Learning Settings.

• In QRadar 7.3.1 or later, click Apps > User Analytics > Machine Learning Settings.

3. On the Machine Learning Settings page, click Enabled to turn on the Aggregated Activity model.

4. Click Aggregated Activity if you want to edit the default settings.

5. In the Risk value of sense event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 5.

6. Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1 - 10). This factor is determined by how much the user deviates from their expected behavior, not just that they deviated.

7. In the Confidence interval to trigger anomaly field, enter the percentage for how confident the machine learning algorithm should be before it triggers an anomalous event. The default value is 0.95.

8. In the Data Retention Period field, set the number of days you want to save the model data. The default value is 30.

9. The Show graph on User Details page toggle is enabled by default to display the Aggregated Activity graph on the User Details page. If you do not want to display the Aggregated Activity graph on the User Details page, click the toggle.

10. In the AQL Search Filter field, you can add an AQL filter to narrow the data that the analytic queries for in QRadar. By filtering with an AQL query, you can reduce the number of users or the types of data the analytic is analyzing. Before you save your settings, click Validate Query to launch a full AQL query in QRadar so that you can review the query and verify the results.

Important: If you modify the AQL filter, the existing model is marked invalid and is then rebuilt. The length of time the rebuild takes depends on the amount of data that is returned by the modified filter.

You can filter on specific log sources, network names, or reference sets that contain specific users. See the following examples:

• REFERENCESETCONTAINS('Important People', username)

• LOGSOURCETYPENAME(devicetype) in ('Linux OS', 'Blue Coat SG Appliance', 'Microsoft Windows Security Event Log')

• INCIDR('172.16.0.0/12', sourceip) or INCIDR('10.0.0.0/8', sourceip) or INCIDR('192.168.0.0/16', sourceip)

For more information, see Ariel Query Language.

11. Click Save.

Results

It can take a minimum of 1 hour for the app to ingest data and build an initial model.

Related tasks

• Access Activity: Enable the Access Activity machine learning model to display the user’s activity in the Access high-level category on the UBA Dashboard.

• Activity Distribution: Configure the Activity Distribution machine learning model to display dynamic behavior clusters for all users that are monitored by machine learning on the UBA Dashboard.

• Authentication Activity: Enable the Authentication Activity machine learning model to display the user’s activity in the Authentication high-level category on the UBA Dashboard.

• Data Downloaded: Enable the Data Downloaded machine learning model to display data that is downloaded for each user on the UBA Dashboard.

• Data Uploaded to Remote Networks: Enable the Data Uploaded to Remote Networks machine learning model to display the actual and expected (learned) amount of local to remote upload volume for each user on the UBA Dashboard.

• Defined Peer Group: Configure the Defined Peer Group machine learning model to display how much a user's event activity deviates from the event activity of their defined peer group on the UBA Dashboard.

• Learned Peer Group: Enable the Learned Peer Group machine learning model to display how much the user deviated from the inferred peer group they were expected to be in on the UBA Dashboard.

• Outbound Transfer Attempts: Enable the Outbound Transfer Attempts machine learning model to display outbound traffic usage for each user on the UBA Dashboard.

• Risk Posture: Enable the Risk Posture machine learning model to display the user's risk score deviation on the UBA Dashboard.

• Suspicious Activity: Enable the Suspicious Activity machine learning model to display the actual and expected (learned) amount of Suspicious Activity high-level category on the UBA Dashboard.

• Creating a custom model: Create a custom model to measure and baseline a numeric feature for a person per hour.

Authentication Activity

Enable the Authentication Activity machine learning model to display the user’s activity in the Authentication high-level category on the UBA Dashboard.

Before you begin

Review the following model details.

• Event Name: UBA : Abnormal increase in Authentication activity

• sensevalue: 5

• Required configuration: System is monitoring events that have QRadar high-level category of Authentication.

• Log source types: 3Com 8800 Series Switch, APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arbor Networks Pravail, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Introspect, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Identity Platform, Centrify Infrastructure Services, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco FireSIGHT Management Center, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Cloudera Navigator, Configurable Authentication message filter, CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, CyberGuard TSP Firewall/VPN, DCN DCS/DCRS Series, DG Technology MEAS, EMC VMWare, ESET Remote Administrator, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Matrix K/N/S Series Switch, Extreme NAC, Extreme NetsightASM, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, Extreme XSR Security Routers, F5 Networks BIG-IP APM, F5 Networks BIG-IP ASM, F5 Networks BIG-IP LTM, F5 Networks FirePass, FireEye, Flow Classification Engine, Forcepoint Sidewinder, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP ProCurve, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM Bluemix Platform, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM Guardium, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM QRadar Packet Capture, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Directory Server, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, ISC BIND, Illumio Adaptive Security Platform, Imperva SecureSphere, Infoblox NIOS, Itron Smart Meter, Juniper Junos OS Platform, Juniper Junos WebApp Secure, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, LightCyber Magna, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Network Security Platform, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft Azure, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft Hyper-V, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft SharePoint, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDos Secure, Netskope Active, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, Open LDAP Software, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, PostFix MailTransferAgent, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Encryption Management Server, Symantec Endpoint Protection, ThreatGRID Malware Threat Intelligence Platform, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, VMware vShield, Vectra Networks Vectra, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI

About this task

Enable the Authentication Activity model to track a user’s activity in the Authentication high-level category and create a learned behavioral model for each hour of day. If the user’s Authentication activity deviates from the learned behavior, it is deemed suspicious and a Sense Event is generated to increase the user’s risk score.

Attention: After you configure or modify your settings, it takes a minimum of 1 hour to ingest data, build an initial model, and see initial results for users.

Active users are monitored continuously. If a user has no activity for 28 days, the user and the user's data are removed from the model. If the user is active again, they will return as a new user.


Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the Admin tab.

2. Click the Machine Learning Settings icon.

• In QRadar V7.3.0 or earlier, click Plugins > User Analytics > Machine Learning Settings.

• In QRadar 7.3.1 or later, click Apps > User Analytics > Machine Learning Settings.

3. On the Machine Learning Settings page, click Enabled to turn on the Authentication Activity model.

4. Click Authentication Activity if you want to edit the default settings.

5. In the Risk value of sense event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 5.

6. Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1 - 10). This factor is determined by how much the user deviates from their expected behavior, not just that they deviated.

7. In the Confidence interval to trigger anomaly field, enter the percentage for how confident the machine learning algorithm should be before it triggers an anomalous event. The default value is 0.95.

8. In the Data Retention Period field, set the number of days you want to save the model data. The default value is 30.

9. The Show graph on User Details page toggle is enabled by default to display the Authentication Activity graph on the User Details page. If you do not want to display the Authentication Activity graph on the User Details page, click the toggle.

10. In the AQL Search Filter field, you can add an AQL filter to narrow the data that the analytic queries for in QRadar. By filtering with an AQL query, you can reduce the number of users or the types of data the analytic is analyzing. Before you save your settings, click Validate Query to launch a full AQL query in QRadar so that you can review the query and verify the results.

Important: If you modify the AQL filter, the existing model is marked invalid and is then rebuilt. The length of time the rebuild takes depends on the amount of data that is returned by the modified filter.

You can filter on specific log sources, network names, or reference sets that contain specific users. See the following examples:

• REFERENCESETCONTAINS('Important People', username)

• LOGSOURCETYPENAME(devicetype) in ('Linux OS', 'Blue Coat SG Appliance', 'Microsoft Windows Security Event Log')

• INCIDR('172.16.0.0/12', sourceip) or INCIDR('10.0.0.0/8', sourceip) or INCIDR('192.168.0.0/16', sourceip)

For more information, see Ariel Query Language.

11. Click Save.

Results

It can take a minimum of 1 hour for the app to ingest data and build an initial model.

Related tasks

• Access Activity: Enable the Access Activity machine learning model to display the user’s activity in the Access high-level category on the UBA Dashboard.

• Activity Distribution: Configure the Activity Distribution machine learning model to display dynamic behavior clusters for all users that are monitored by machine learning on the UBA Dashboard.

• Aggregated Activity: Enable the Aggregated Activity machine learning model to display the user’s general activity by time on the UBA Dashboard.

• Data Downloaded: Enable the Data Downloaded machine learning model to display data that is downloaded for each user on the UBA Dashboard.

• Data Uploaded to Remote Networks: Enable the Data Uploaded to Remote Networks machine learning model to display the actual and expected (learned) amount of local to remote upload volume for each user on the UBA Dashboard.

• Defined Peer Group: Configure the Defined Peer Group machine learning model to display how much a user's event activity deviates from the event activity of their defined peer group on the UBA Dashboard.

• Learned Peer Group: Enable the Learned Peer Group machine learning model to display how much the user deviated from the inferred peer group they were expected to be in on the UBA Dashboard.

• Outbound Transfer Attempts: Enable the Outbound Transfer Attempts machine learning model to display outbound traffic usage for each user on the UBA Dashboard.

• Risk Posture: Enable the Risk Posture machine learning model to display the user's risk score deviation on the UBA Dashboard.

• Suspicious Activity: Enable the Suspicious Activity machine learning model to display the actual and expected (learned) amount of Suspicious Activity high-level category on the UBA Dashboard.

• Creating a custom model: Create a custom model to measure and baseline a numeric feature for a person per hour.

Data Downloaded

Enable the Data Downloaded machine learning model to display data that is downloaded for each user on the UBA Dashboard.

Before you begin

Review the following model details.

• Event Name: UBA : Abnormal Data Downloaded

• sensevalue: 5

• Required configuration: Custom event property "BytesReceived" must exist for the desired log source type.

• Log source types: Pulse Secure Pulse Connect Secure, Fortinet FortiGate Security Gateway, Blue Coat SG Appliance, Juniper SRX Series Services Gateway, Microsoft ISA, Citrix NetScaler

About this task

Enable the Data Downloaded model to monitor the data that is downloaded for each user and alert on abnormal behavior. When the actual volume of data that is downloaded exceeds the volume the model predicts, a Sense Event is generated to increase the user’s risk score.

Attention: After you configure or modify your settings, it takes a minimum of 1 hour to ingest data, build an initial model, and see initial results for users.

Active users are monitored continuously. If a user has no activity for 28 days, the user and the user's data are removed from the model. If the user is active again, they will return as a new user.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the Admin tab.

2. Click the Machine Learning Settings icon.

• In QRadar V7.3.0 or earlier, click Plugins > User Analytics > Machine Learning Settings.

• In QRadar 7.3.1 or later, click Apps > User Analytics > Machine Learning Settings.

3. On the Machine Learning Settings page, click Enabled to turn on the Data Downloaded model.

4. Click Data Downloaded if you want to edit the default settings.

5. In the Risk value of sense event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 5.

6. Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1 - 10). This factor is determined by how much the user deviates from their expected behavior, not just that they deviated.

7. In the Confidence interval to trigger anomaly field, enter the percentage for how confident the machine learning algorithm should be before it triggers an anomalous event. The default value is 0.95.

8. In the Data Retention Period field, set the number of days you want to save the model data. The default value is 30.

9. The Show graph on User Details page toggle is enabled by default to display the Data Downloaded graph on the User Details page. If you do not want to display the Data Downloaded graph on the User Details page, click the toggle.

10. In the AQL Search Filter field, you can add an AQL filter to narrow the data that the analytic queries for in QRadar. By filtering with an AQL query, you can reduce the number of users or the types of data the analytic is analyzing. Before you save your settings, click Validate Query to launch a full AQL query in QRadar so that you can review the query and verify the results.

Important: If you modify the AQL filter, the existing model is marked invalid and is then rebuilt. The length of time the rebuild takes depends on the amount of data that is returned by the modified filter.

You can filter on specific log sources, network names, or reference sets that contain specific users. See the following examples:

• REFERENCESETCONTAINS('Important People', username)

• LOGSOURCETYPENAME(devicetype) in ('Linux OS', 'Blue Coat SG Appliance', 'Microsoft Windows Security Event Log')

• INCIDR('172.16.0.0/12', sourceip) or INCIDR('10.0.0.0/8', sourceip) or INCIDR('192.168.0.0/16', sourceip)

For more information, see Ariel Query Language.

11. Click Save.


Results

It can take a minimum of 1 hour for the app to ingest data and build an initial model.

Related tasks

• Access Activity: Enable the Access Activity machine learning model to display the user's activity in the Access high-level category on the UBA Dashboard.

• Activity Distribution: Configure the Activity Distribution machine learning model to display dynamic behavior clusters for all users that are monitored by machine learning on the UBA Dashboard.

• Aggregated Activity: Enable the Aggregated Activity machine learning model to display the user's general activity by time on the UBA Dashboard.

• Authentication Activity: Enable the Authentication Activity machine learning model to display the user's activity in the Authentication high-level category on the UBA Dashboard.

• Data Uploaded to Remote Networks: Enable the Data Uploaded to Remote Networks machine learning model to display the actual and expected (learned) amount of local to remote upload volume for each user on the UBA Dashboard.

• Defined Peer Group: Configure the Defined Peer Group machine learning model to display how much a user's event activity deviates from the event activity of their defined peer group on the UBA Dashboard.

• Learned Peer Group: Enable the Learned Peer Group machine learning model to display how much the user deviated from the inferred peer group they were expected to be in on the UBA Dashboard.

• Outbound Transfer Attempts: Enable the Outbound Transfer Attempts machine learning model to display outbound traffic usage for each user on the UBA Dashboard.

• Risk Posture: Enable the Risk Posture machine learning model to display the user's risk score deviation on the UBA Dashboard.

• Suspicious Activity: Enable the Suspicious Activity machine learning model to display the actual and expected (learned) amount of activity in the Suspicious Activity high-level category on the UBA Dashboard.

• Creating a custom model: Create a custom model to measure and baseline a numeric feature for a person per hour.

Data Uploaded to Remote Networks

Enable the Data Uploaded to Remote Networks machine learning model to display the actual and expected (learned) amount of local to remote upload volume for each user on the UBA Dashboard.

Before you begin

Review the following model details.

• Event Name: UBA : Abnormal Volume of Data to External Domains

• sensevalue: 5

• Required configuration: Custom event property "BytesSent" must exist for the desired log source type.

• Log source types: Pulse Secure Pulse Connect Secure, Fortinet FortiGate Security Gateway, Blue Coat SG Appliance, Juniper SRX Series Services Gateway, Microsoft ISA, Citrix NetScaler

About this task

Enable the Data Uploaded to Remote Networks model to monitor the volume of data that each user sends to external domains and to alert on abnormal behavior. When the actual volume of data sent to external domains exceeds the volume that the model predicts, a Sense Event is generated to increase the user's risk score.

Attention: After you configure or modify your settings, it takes a minimum of 1 hour to ingest data,build an initial model, and see initial results for users.

Active users are monitored continuously. If a user has no activity for 28 days, the user and the user's dataare removed from the model. If the user is active again, they will return as a new user.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the Admin tab.

2. Click the Machine Learning Settings icon.

• In QRadar V7.3.0 or earlier, click Plugins > User Analytics > Machine Learning Settings.

• In QRadar V7.3.1 or later, click Apps > User Analytics > Machine Learning Settings.

3. On the Machine Learning Settings page, click Enabled to turn on the Data Uploaded to Remote Networks model.

4. Click Data Uploaded to Remote Networks if you want to edit the default settings.

5. In the Risk value of sense event field, enter the amount by which the user's risk score is increased when a sense event is triggered. The default value is 5.

6. Enable the toggle to scale the risk value. When the toggle is enabled, the base risk value is multiplied by a factor in the range 1 - 10. The factor is determined by how far the user deviates from their expected behavior, not merely by the fact that they deviated.

7. In the Confidence interval to trigger anomaly field, enter the confidence level that the machine learning algorithm must reach before it triggers an anomalous event, as a value between 0 and 1. The default value is 0.95.

8. In the Data Retention Period field, set the number of days that you want to keep the model data. The default value is 30.

9. The Show graph on User Details page toggle is enabled by default, so the Data Uploaded to Remote Networks graph is displayed on the User Details page. If you do not want to display the graph, click the toggle.

10. In the AQL Search Filter field, you can add an AQL filter to narrow the data that the analytic queries for in QRadar. By filtering with an AQL query, you can reduce the number of users or the types of data that the analytic analyzes. Before you save your settings, click Validate Query to launch the full AQL query in QRadar so that you can review the query and verify its results.

Important: If you modify the AQL filter, the existing model is marked invalid and is then rebuilt. The length of time that the rebuild takes depends on the amount of data that is returned by the modified filter.

You can filter on specific log sources, network names, or reference sets that contain specific users. See the following examples:

• REFERENCESETCONTAINS('Important People', username)

• LOGSOURCETYPENAME(devicetype) in ('Linux OS', 'Blue Coat SG Appliance', 'Microsoft Windows Security Event Log')

• INCIDR('172.16.0.0/12', sourceip) or INCIDR('10.0.0.0/8', sourceip) or INCIDR('192.168.0.0/16', sourceip)

For more information, see Ariel Query Language.

11. Click Save.


Results

It can take a minimum of 1 hour for the app to ingest data and build an initial model.


Defined Peer Group

Configure the Defined Peer Group machine learning model to display how much a user's event activity deviates from the event activity of their defined peer group on the UBA Dashboard.

Before you begin

Review the following model details.

• Event Name: UBA : Deviation from define peer group

• sensevalue: 5

• Required configuration: Configure LDAP to ensure that the desired grouping data is present.

• Log source types: Any log source with events that provide a username.

• To enable the Defined Peer Group analytic, you must have valid user groups in a reference table and then configure UBA Settings > Display Attributes > Custom Groups to use the reference table. For more information, see "User groups for the defined peer group analytic" on page 253.

• You must have 7 days of event data available for the analytic to generate a model.

About this task

Enable the Defined Peer Group model to group users according to the Group by field and analyze each user against their group. If a user's current behavior differs significantly from the behavior of the user's defined group, it is deemed suspicious and a Sense Event is generated to increase the user's risk score.

Note: You must have a minimum of two defined groups that each contain 5 or more users. If you change the group selection, a new model must be constructed, which requires a significant amount of time and compute resources. Changing this value frequently is not recommended.

Attention: After you configure or modify your settings, it takes a minimum of 1 day to ingest data,build an initial model, and see initial results for users.


Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the Admin tab.

2. Click the Machine Learning Settings icon.

• In QRadar V7.3.0 or earlier, click Plugins > User Analytics > Machine Learning Settings.

• In QRadar V7.3.1 or later, click Apps > User Analytics > Machine Learning Settings.

3. On the Machine Learning Settings page, click Enabled to turn on the Defined Peer Group model.

Important: You must have 7 days of data available for the analytic to generate a model.

4. Click Defined Peer Group if you want to edit the default settings.

5. In the Risk value of sense event field, enter the amount by which the user's risk score is increased when a sense event is triggered. The default value is 5.

6. Enable the toggle to scale the risk value. When the toggle is enabled, the base risk value is multiplied by a factor in the range 1 - 10. The factor is determined by how far the user deviates from their expected behavior, not merely by the fact that they deviated.

7. In the Confidence interval to trigger anomaly field, enter the confidence level that the machine learning algorithm must reach before it triggers an anomalous event, as a value between 0 and 1. The default value is 0.99.

8. In the Data Retention Period field, set the number of days that you want to keep the model data. The default value is 30.

9. The Show graph on User Details page toggle is enabled by default, so the Defined Peer Group graph is displayed on the User Details page. If you do not want to display the graph, click the toggle.

10. In the Group By field, select the group that you want the Defined Peer Group analytic to use.

11. In the AQL Search Filter field, you can add an AQL filter to narrow the data that the analytic queries for in QRadar. By filtering with an AQL query, you can reduce the number of users or the types of data that the analytic analyzes. Before you save your settings, click Validate Query to launch the full AQL query in QRadar so that you can review the query and verify its results.

Important: If you modify the AQL filter, the existing model is marked invalid and is then rebuilt. The length of time that the rebuild takes depends on the amount of data that is returned by the modified filter.

You can filter on specific log sources, network names, or reference sets that contain specific users. See the following examples:

• REFERENCESETCONTAINS('Important People', username)

• LOGSOURCETYPENAME(devicetype) in ('Linux OS', 'Blue Coat SG Appliance', 'Microsoft Windows Security Event Log')

• INCIDR('172.16.0.0/12', sourceip) or INCIDR('10.0.0.0/8', sourceip) or INCIDR('192.168.0.0/16', sourceip)

For more information, see Ariel Query Language.

12. Click Save.


Results

It can take a minimum of 1 day for the app to ingest data and build an initial model, and the analytic needs 7 days of event data before it generates a model.


Learned Peer Group

Enable the Learned Peer Group machine learning model to display how much the user deviated from the inferred peer group they were expected to be in on the UBA Dashboard.

Before you begin

Review the following model details.

• Event Name: UBA :Deviation from learned peer group

• sensevalue: 5

• Log source types: Any log source with events that provide a username.

• To enable the Learned Peer Group model on QRadar V7.3.1 and earlier, you must install an App Node. For more information, see https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_adm_appnode_intro.html.

• To enable the Learned Peer Group model on QRadar V7.3.2 and later, you must install an App Host. For more information, see https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/c_adm_apphost.html.

• You must have 7 days of event data available for the Learned Peer Group analytic to generate a model.

About this task

Enable the Learned Peer Group model to identify users who engage in similar activities and place them into peer groups. If a user's current peer group is significantly different from the user's former groups, a Sense Event is generated to increase the user's risk score.

Attention: After you configure or modify your settings, it takes a minimum of 1 day to ingest data,build an initial model, and see initial results for users.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the Admin tab.

2. Click the Machine Learning Settings icon.

• In QRadar V7.3.0 or earlier, click Plugins > User Analytics > Machine Learning Settings.

• In QRadar V7.3.1 or later, click Apps > User Analytics > Machine Learning Settings.

3. On the Machine Learning Settings page, click Enabled to turn on the Learned Peer Group model.

Important: You must have 7 days of data available for the analytic to generate a model.

4. Click Learned Peer Group if you want to edit the default settings.

5. In the Risk value of sense event field, enter the amount by which the user's risk score is increased when a sense event is triggered. The default value is 5.

6. Enable the toggle to scale the risk value. When the toggle is enabled, the base risk value is multiplied by a factor in the range 1 - 10. The factor is determined by how far the user deviates from their expected behavior, not merely by the fact that they deviated.

7. In the Confidence interval to trigger anomaly field, enter the confidence level that the machine learning algorithm must reach before it triggers an anomalous event, as a value between 0 and 1. The default value is 0.99.

8. In the Data Retention Period field, set the number of days that you want to keep the model data. The default value is 30.

9. The Show graph on User Details page toggle is enabled by default, so the Learned Peer Group graph is displayed on the User Details page. If you do not want to display the graph, click the toggle.

10. In the AQL Search Filter field, you can add an AQL filter to narrow the data that the analytic queries for in QRadar. By filtering with an AQL query, you can reduce the number of users or the types of data that the analytic analyzes. Before you save your settings, click Validate Query to launch the full AQL query in QRadar so that you can review the query and verify its results.

Important: If you modify the AQL filter, the existing model is marked invalid and is then rebuilt. The length of time that the rebuild takes depends on the amount of data that is returned by the modified filter.

You can filter on specific log sources, network names, or reference sets that contain specific users. See the following examples:

• REFERENCESETCONTAINS('Important People', username)

• LOGSOURCETYPENAME(devicetype) in ('Linux OS', 'Blue Coat SG Appliance', 'Microsoft Windows Security Event Log')

• INCIDR('172.16.0.0/12', sourceip) or INCIDR('10.0.0.0/8', sourceip) or INCIDR('192.168.0.0/16', sourceip)

For more information, see Ariel Query Language.

11. Click Save.


Results

It can take a minimum of 1 day for the app to ingest data and build an initial model, and the analytic needs 7 days of event data before it generates a model.
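The Defined Peer Group and Learned Peer Group analytics described above both come down to comparing a user's mix of high-level event categories with that of a group. The following Python is an added illustration written for this guide, not IBM's UBA code: it builds per-user category profiles from constructed event counts, enforces the guide's precondition of at least two defined groups with five or more users, flags users whose profile is far from their defined group's average (Defined Peer Group), and, for the learned case, clusters users into peer groups in two time windows and flags a user whose inferred peers changed (Learned Peer Group). The L1 distance, the leader-clustering rule, the 0.5 thresholds, the Jaccard comparison of peer sets and the way the 1 - 10 scale factor is derived are all assumptions made for the example; the page does not describe the app's actual algorithm.

```python
"""Peer-group deviation checks: an illustrative stand-in for the Defined Peer Group
and Learned Peer Group analytics (added example, not IBM UBA code)."""
from collections import Counter
from typing import Dict, List, Set

Profile = Dict[str, float]  # high-level category -> share of the user's events

# Constructed sample data: event counts per user by QRadar high-level category.
# Finance users are Access/Application heavy, engineers Authentication/System heavy.
PREVIOUS_WINDOW: Dict[str, Counter] = {
    "fin1": Counter(Access=40, Application=30, Authentication=10),
    "fin2": Counter(Access=35, Application=35, Authentication=10),
    "fin3": Counter(Access=45, Application=25, Authentication=10),
    "fin4": Counter(Access=38, Application=32, Authentication=10),
    "fin5": Counter(Access=42, Application=28, Authentication=10),
    "eng1": Counter(Authentication=30, System=40, Access=10),
    "eng2": Counter(Authentication=35, System=35, Access=10),
    "eng3": Counter(Authentication=25, System=45, Access=10),
    "eng4": Counter(Authentication=32, System=38, Access=10),
    "eng5": Counter(Authentication=28, System=42, Access=10),
}
# In the current window fin5 starts behaving like an engineer.
CURRENT_WINDOW = {**PREVIOUS_WINDOW, "fin5": Counter(Authentication=30, System=40, Access=10)}
# Defined groups as they would come from the custom-groups reference table (assumed names).
DEFINED_GROUPS = {
    "finance": {"fin1", "fin2", "fin3", "fin4", "fin5"},
    "engineering": {"eng1", "eng2", "eng3", "eng4", "eng5"},
}


def to_profile(counts: Counter) -> Profile:
    total = sum(counts.values())
    return {cat: n / total for cat, n in counts.items()}


def l1_distance(p: Profile, q: Profile) -> float:
    """Distance between two category mixes; 0 = identical, 2 = disjoint."""
    return sum(abs(p.get(c, 0.0) - q.get(c, 0.0)) for c in set(p) | set(q))


def validate_defined_groups(groups: Dict[str, Set[str]], min_groups: int = 2, min_size: int = 5) -> bool:
    """The guide's precondition: at least two defined groups of five or more users."""
    return sum(1 for members in groups.values() if len(members) >= min_size) >= min_groups


def group_centroid(profiles: Dict[str, Profile], members: Set[str]) -> Profile:
    cats = {c for u in members for c in profiles[u]}
    return {c: sum(profiles[u].get(c, 0.0) for u in members) / len(members) for c in cats}


def scaled_risk(base: int, deviation: float, threshold: float) -> int:
    """Base risk value times a 1-10 factor that grows with how far past the threshold the user is."""
    return base * max(1, min(10, round(deviation / threshold)))


def defined_peer_group_deviation(window, groups, threshold=0.5, base_risk=5):
    """Flag users whose category mix is far from their defined group's average mix."""
    if not validate_defined_groups(groups):
        raise ValueError("need at least two defined groups with five or more users each")
    profiles = {u: to_profile(c) for u, c in window.items()}
    flagged = {}
    for name, members in groups.items():
        centroid = group_centroid(profiles, members)
        for user in sorted(members):
            d = l1_distance(profiles[user], centroid)
            if d > threshold:
                flagged[user] = (name, round(d, 2), scaled_risk(base_risk, d, threshold))
    return flagged


def learn_peer_groups(profiles: Dict[str, Profile], link_threshold: float = 0.5) -> List[Set[str]]:
    """Deterministic leader clustering: a user joins the first cluster whose leader
    is within link_threshold, otherwise starts a new cluster."""
    leaders: List[str] = []
    clusters: List[Set[str]] = []
    for user in sorted(profiles):
        for leader, members in zip(leaders, clusters):
            if l1_distance(profiles[user], profiles[leader]) <= link_threshold:
                members.add(user)
                break
        else:
            leaders.append(user)
            clusters.append({user})
    return clusters


def learned_peer_group_change(previous, current, link_threshold=0.5, min_overlap=0.5, base_risk=5):
    """Compare each user's inferred peer set across two windows; a small Jaccard
    overlap means the user has moved to a different learned group."""
    def peers(window):
        profiles = {u: to_profile(c) for u, c in window.items()}
        return {u: m - {u} for m in learn_peer_groups(profiles, link_threshold) for u in m}
    prev, curr = peers(previous), peers(current)
    flagged = {}
    for user in sorted(set(prev) & set(curr)):
        union = prev[user] | curr[user]
        overlap = len(prev[user] & curr[user]) / len(union) if union else 1.0
        if overlap < min_overlap:
            flagged[user] = (round(overlap, 2), scaled_risk(base_risk, 1 - overlap, 1 - min_overlap))
    return flagged
```

With the constructed data, `defined_peer_group_deviation(CURRENT_WINDOW, DEFINED_GROUPS)` flags only fin5 (distance 1.2 from the finance average, risk 10 after scaling), and `learned_peer_group_change(PREVIOUS_WINDOW, CURRENT_WINDOW)` flags the same user because fin5's inferred peers went from the four finance users to the five engineers. Note that the defined-group centroid includes the outlier, which pulls the average toward the deviating user; with very small groups a median profile or a leave-one-out centroid is more robust, which is one reason the guide insists on five or more users per group.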


Outbound Transfer Attempts

Enable the Outbound Transfer Attempts machine learning model to display outbound traffic usage for each user on the UBA Dashboard.

Before you begin

Review the following model details.

• Event Name: UBA : Abnormal Outbound Transfer Attempts

• sensevalue: 5

• Required configuration: Custom event property 'BytesSent' must exist for the desired log source type.

• Log source types: Pulse Secure Pulse Connect Secure, Fortinet FortiGate Security Gateway, Blue Coat SG Appliance, Juniper SRX Series Services Gateway, Microsoft ISA, Citrix NetScaler

About this task

Enable the Outbound Transfer Attempts model to monitor outbound traffic usage for each user and to alert on abnormal behavior. When the actual number of transfer attempts exceeds the number that the model predicts, a Sense Event is generated to increase the user's risk score.

Attention: After you configure or modify your settings, it takes a minimum of 1 hour to ingest data,build an initial model, and see initial results for users.

Active users are monitored continuously. If a user has no activity for 28 days, the user and the user's dataare removed from the model. If the user is active again, they will return as a new user.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the Admin tab.

2. Click the Machine Learning Settings icon.

• In QRadar V7.3.0 or earlier, click Plugins > User Analytics > Machine Learning Settings.

• In QRadar V7.3.1 or later, click Apps > User Analytics > Machine Learning Settings.

3. On the Machine Learning Settings page, click Enabled to turn on the Outbound Transfer Attempts model.

4. Click Outbound Transfer Attempts if you want to edit the default settings.

5. In the Risk value of sense event field, enter the amount by which the user's risk score is increased when a sense event is triggered. The default value is 5.

6. Enable the toggle to scale the risk value. When the toggle is enabled, the base risk value is multiplied by a factor in the range 1 - 10. The factor is determined by how far the user deviates from their expected behavior, not merely by the fact that they deviated.

7. In the Confidence interval to trigger anomaly field, enter the confidence level that the machine learning algorithm must reach before it triggers an anomalous event, as a value between 0 and 1. The default value is 0.95.

8. In the Data Retention Period field, set the number of days that you want to keep the model data. The default value is 30.

9. The Show graph on User Details page toggle is enabled by default, so the Outbound Transfer Attempts graph is displayed on the User Details page. If you do not want to display the graph, click the toggle.

10. In the AQL Search Filter field, you can add an AQL filter to narrow the data that the analytic queries for in QRadar. By filtering with an AQL query, you can reduce the number of users or the types of data that the analytic analyzes. Before you save your settings, click Validate Query to launch the full AQL query in QRadar so that you can review the query and verify its results.

Important: If you modify the AQL filter, the existing model is marked invalid and is then rebuilt. The length of time that the rebuild takes depends on the amount of data that is returned by the modified filter.

You can filter on specific log sources, network names, or reference sets that contain specific users. See the following examples:

• REFERENCESETCONTAINS('Important People', username)

• LOGSOURCETYPENAME(devicetype) in ('Linux OS', 'Blue Coat SG Appliance', 'Microsoft Windows Security Event Log')

• INCIDR('172.16.0.0/12', sourceip) or INCIDR('10.0.0.0/8', sourceip) or INCIDR('192.168.0.0/16', sourceip)

For more information, see Ariel Query Language.

11. Click Save.


Results

It can take a minimum of 1 hour for the app to ingest data and build an initial model.


Risk Posture

Enable the Risk Posture machine learning model to display the user's risk score deviation on the UBA Dashboard.

Before you begin

Review the following model details.

• Event Name: UBA : Deviation from normal Risk posture

• sensevalue: 5

• Required configuration: UBA is configured and sense events are being created.

• Log source types: Any log sources with events that trigger sense events.

About this task

Enable the Risk Posture model to track a user’s risky activity by the rate of sense events generated andcreate a baseline model. If the user’s risky activity deviates from the baseline, it is deemed suspiciousand a sense event is generated to increase the user’s overall risk score.

Attention: After you configure or modify your settings, it takes a minimum of 1 hour to ingest data,build an initial model, and see initial results for users.

Active users are monitored continuously. If a user has no activity for 28 days, the user and the user's dataare removed from the model. If the user is active again, they will return as a new user.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

240 IBM QRadar User Behavior Analytics (UBA) app: UBA app User Guide

Page 249: Version 3.3.0 app IBM QRadar User Behavior …public.dhe.ibm.com/software/security/products/qradar/...IBM QRadar User Behavior Analytics (UBA) app Version 3.3.0 User Guide IBM Note

• In IBM QRadar V7.3.1 and later, click the navigation menu ( ), and then click Admin to openthe admin tab.

2. Click the Machine Learning Settings icon.

• In QRadar V7.3.0 or earlier, click Plugins > User Analytics > Machine Learning Settings.• In QRadar 7.3.1 or later, click Apps > User Analytics > Machine Learning Settings.

3. On the Machine Learning Settings page, click Enabled to turn on the Risk Posture model.4. Click Risk Posture if you want to edit the default settings.5. In the Risk value of sense event field, enter the amount to increase the user's risk score when a

sense event is triggered. The default value is 5.6. Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor

(range 1 - 10). This factor is determined by how much the user deviates from their expected behaviorand not just that they deviated.

7. In the Confidence interval to trigger anomaly field, enter the percentage for how confident themachine learning algorithm should be before it triggers an anomalous event. The default value is0.95.

8. In the Data Retention Period field, set the number of days you want to save the model data. Thedefault value is 30.

9. The Show graph on User Details page toggle is enabled by default to display the Risk Posture graph on the User Details page. If you do not want to display the Risk Posture graph on the User Details page, click the toggle.

10. In the AQL Search Filter field, you can add an AQL filter to narrow the data that the analytic queries for in QRadar. By filtering with an AQL query, you can reduce the number of users or the types of data the analytic is analyzing. Before you save your settings, click Validate Query to launch a full AQL query in QRadar so that you can review the query and verify the results.

Important: If you modify the AQL filter, the existing model is marked invalid and is then rebuilt. The length of time the rebuild takes depends on the amount of data that is returned by the modified filter.

You can filter on specific log sources, network names, or reference sets that contain specific users. See the following examples:

• REFERENCESETCONTAINS('Important People', username)

• LOGSOURCETYPENAME(devicetype) in ('Linux OS', 'Blue Coat SG Appliance', 'Microsoft Windows Security Event Log')

• INCIDR('172.16.0.0/12', sourceip) or INCIDR('10.0.0.0/8', sourceip) or INCIDR('192.168.0.0/16', sourceip)

For more information, see Ariel Query Language.

11. Click Save.


Results

It can take a minimum of 1 hour for the app to ingest data and build an initial model.

Related tasks

• Access Activity: Enable the Access Activity machine learning model to display the user’s activity in the Access high-level category on the UBA Dashboard.

• Activity Distribution: Configure the Activity Distribution machine learning model to display dynamic behavior clusters for all users that are monitored by machine learning on the UBA Dashboard.

• Aggregated Activity: Enable the Aggregated Activity machine learning model to display the user’s general activity by time on the UBA Dashboard.

• Authentication Activity: Enable the Authentication Activity machine learning model to display the user’s activity in the Authentication high-level category on the UBA Dashboard.

• Data Downloaded: Enable the Data Downloaded machine learning model to display data that is downloaded for each user on the UBA Dashboard.

• Data Uploaded to Remote Networks: Enable the Data Uploaded to Remote Networks machine learning model to display the actual and expected (learned) amount of local to remote upload volume for each user on the UBA Dashboard.

• Defined Peer Group: Configure the Defined Peer Group machine learning model to display how much a user's event activity deviates from the event activity of their defined peer group on the UBA Dashboard.

• Learned Peer Group: Enable the Learned Peer Group machine learning model to display how much the user deviated from the inferred peer group they were expected to be in on the UBA Dashboard.

• Outbound Transfer Attempts: Enable the Outbound Transfer Attempts machine learning model to display outbound traffic usage for each user on the UBA Dashboard.

• Suspicious Activity: Enable the Suspicious Activity machine learning model to display the actual and expected (learned) amount of Suspicious Activity high-level category on the UBA Dashboard.

• Creating a custom model: Create a custom model to measure and baseline a numeric feature for a person per hour.

Suspicious Activity

Enable the Suspicious Activity machine learning model to display the actual and expected (learned) amount of Suspicious Activity high-level category on the UBA Dashboard.

Before you begin

Review the following model details.

• Event Name: UBA : Abnormal increase in Suspicious activity

• sensevalue: 5

• Required configuration: System is monitoring events that have QRadar high level category of Suspicious Activity.

• Log source types: 3Com 8800 Series Switch, Akamai KONA, Application Security DbProtect, Arbor Networks Peakflow SP, Aruba Introspect, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CRE System, Carbon Black, Carbon Black Protection, Check Point, Cilasoft QJRN/400, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco Meraki, Cisco NAC Appliance, Cisco PIX Firewall, Cisco Stealthwatch, Cisco Umbrella, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), CloudLock Cloud Security Fabric, CrowdStrike Falcon Host, Custom Rule Engine, CyberArk Privileged Threat Analytics, CyberGuard TSP Firewall/VPN, Damballa Failsafe, EMC VMWare, ESET Remote Administrator, Enterprise-IT-Security.com SF-Sherlock, Event CRE Injected, Exabeam, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiGuard, Extreme HiPath, Extreme Matrix K/N/S Series Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme XSR Security Routers, F5 Networks BIG-IP AFM, F5 Networks BIG-IP ASM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Fair Warning, Fidelis XPS, FireEye, Flow Classification Engine, Forcepoint Sidewinder, ForeScout CounterACT, Fortinet FortiGate Security Gateway, FreeRADIUS, H3C Comware Platform, Huawei AR Series Router, Huawei S Series Switch, IBM AIX Server, IBM BigFix Detect, IBM Guardium, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM Resource Access Control Facility (RACF), IBM Security Network IPS (GX), IBM Security Trusteer Apex Advanced Malware Protection, IBM WebSphere Application Server, IBM i, IBM z/OS, ISC BIND, Imperva SecureSphere, Juniper Junos OS Platform, Juniper Junos WebApp Secure, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper WirelessLAN, Kaspersky CyberTrace, Kaspersky Security Center, Kisco Information Systems SafeNet/i, Lastline Enterprise, LightCyber Magna, Linux DHCP Server, Linux OS, McAfee Application/Change Control, McAfee Network Security Platform, McAfee ePolicy Orchestrator, Microsoft DHCP Server, Microsoft DNS Debug, Microsoft Endpoint Protection, Microsoft Hyper-V, Microsoft Operations Manager, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDos Secure, Netskope Active, Niksun 2005 v3.5, Nortel Contivity VPN Switch, Nortel Secure Router, Nortel VPN Gateway, OS Services Qidmap, OSSEC, ObserveIT, Onapsis Inc Onapsis Security Platform, Palo Alto Endpoint Security Manager, Palo Alto PA Series, PostFix MailTransferAgent, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler, SAP Enterprise Threat Detection, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Samhain HIDS, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, SolarWinds Orion, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Sophos Enterprise Console, Sophos PureMessage, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Symantec Endpoint Protection, Symantec System Center, ThreatGRID Malware Threat Intelligence Platform, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Universal DSM, Vectra Networks Vectra, Verdasys Digital Guardian, WatchGuard Fireware OS, Zscaler Nss, genua genugate, iT-CUBE agileSI

About this task

Enable the Suspicious Activity model to track a user’s activity in the Suspicious Activity high-level category and create a learned behavioral model for each hour of the day. If the user’s Suspicious Activity deviates from the learned behavior, it is deemed suspicious and a Sense Event is generated to increase the user’s risk score.

Attention: After you configure or modify your settings, it takes a minimum of 1 hour to ingest data, build an initial model, and see initial results for users.

Active users are monitored continuously. If a user has no activity for 28 days, the user and the user's data are removed from the model. If the user is active again, they will return as a new user.

Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu ( ), and then click Admin to open the admin tab.

2. Click the Machine Learning Settings icon.

• In QRadar V7.3.0 or earlier, click Plugins > User Analytics > Machine Learning Settings.

• In QRadar 7.3.1 or later, click Apps > User Analytics > Machine Learning Settings.

3. On the Machine Learning Settings page, click Enabled to turn on the Suspicious Activity model.

4. Click Suspicious Activity if you want to edit the default settings.

5. In the Risk value of sense event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 5.

244 IBM QRadar User Behavior Analytics (UBA) app: UBA app User Guide

Page 253: Version 3.3.0 app IBM QRadar User Behavior …public.dhe.ibm.com/software/security/products/qradar/...IBM QRadar User Behavior Analytics (UBA) app Version 3.3.0 User Guide IBM Note

6. Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1 - 10). This factor is determined by how much the user deviates from their expected behavior and not just that they deviated.

7. In the Confidence interval to trigger anomaly field, enter the percentage for how confident the machine learning algorithm should be before it triggers an anomalous event. The default value is 0.95.

8. In the Data Retention Period field, set the number of days you want to save the model data. The default value is 30.

9. The Show graph on User Details page toggle is enabled by default to display the Suspicious Activity graph on the User Details page. If you do not want to display the Suspicious Activity graph on the User Details page, click the toggle.

10. In the AQL Search Filter field, you can add an AQL filter to narrow the data that the analytic queries for in QRadar. By filtering with an AQL query, you can reduce the number of users or the types of data the analytic is analyzing. Before you save your settings, click Validate Query to launch a full AQL query in QRadar so that you can review the query and verify the results.

Important: If you modify the AQL filter, the existing model is marked invalid and is then rebuilt. The length of time the rebuild takes depends on the amount of data that is returned by the modified filter.

You can filter on specific log sources, network names, or reference sets that contain specific users. See the following examples:

• REFERENCESETCONTAINS('Important People', username)

• LOGSOURCETYPENAME(devicetype) in ('Linux OS', 'Blue Coat SG Appliance', 'Microsoft Windows Security Event Log')

• INCIDR('172.16.0.0/12', sourceip) or INCIDR('10.0.0.0/8', sourceip) or INCIDR('192.168.0.0/16', sourceip)

For more information, see Ariel Query Language.

11. Click Save.


Results

It can take a minimum of 1 hour for the app to ingest data and build an initial model.

Related tasks

• Access Activity: Enable the Access Activity machine learning model to display the user’s activity in the Access high-level category on the UBA Dashboard.

• Activity Distribution: Configure the Activity Distribution machine learning model to display dynamic behavior clusters for all users that are monitored by machine learning on the UBA Dashboard.

• Aggregated Activity: Enable the Aggregated Activity machine learning model to display the user’s general activity by time on the UBA Dashboard.

• Authentication Activity: Enable the Authentication Activity machine learning model to display the user’s activity in the Authentication high-level category on the UBA Dashboard.

• Data Downloaded: Enable the Data Downloaded machine learning model to display data that is downloaded for each user on the UBA Dashboard.

• Data Uploaded to Remote Networks: Enable the Data Uploaded to Remote Networks machine learning model to display the actual and expected (learned) amount of local to remote upload volume for each user on the UBA Dashboard.

• Defined Peer Group: Configure the Defined Peer Group machine learning model to display how much a user's event activity deviates from the event activity of their defined peer group on the UBA Dashboard.

• Learned Peer Group: Enable the Learned Peer Group machine learning model to display how much the user deviated from the inferred peer group they were expected to be in on the UBA Dashboard.

• Outbound Transfer Attempts: Enable the Outbound Transfer Attempts machine learning model to display outbound traffic usage for each user on the UBA Dashboard.

• Risk Posture: Enable the Risk Posture machine learning model to display the user's risk score deviation on the UBA Dashboard.

• Creating a custom model: Create a custom model to measure and baseline a numeric feature for a person per hour.

Creating a custom model

Create a custom model to measure and baseline a numeric feature for a person per hour.

Before you begin

Review the following model details for each model template:

• Application Events

• Source IP

• Destination Port

• Office File Access

• AWS Access

• Process

• Website

• Risky IP

About this task

You can create a custom model so that you can review the learned behavior and the actual data for users. If significant changes from the baseline behavior are detected, you will receive alerts that the user's risk score is raised. Examples of models you can create include: showing how much data a user downloads, how many applications a user runs, or how many emails a user sends per hour.

Attention: After you configure or modify your settings, it takes a minimum of 1 hour to ingest data, build an initial model, and see initial results for users.

Active users are monitored continuously. If a user has no activity for 28 days, the user and the user's data are removed from the model. If the user is active again, they will return as a new user.


Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu ( ), and then click Admin to open the admin tab.

2. Click the Machine Learning Settings icon.

• In QRadar V7.3.0 or earlier, click Plugins > User Analytics > Machine Learning Settings.

• In QRadar 7.3.1 or later, click Apps > User Analytics > Machine Learning Settings.

3. On the Machine Learning Settings page, click Create Model.

4. On the Model Definition tab, you can select a template to populate the AQL field or you can create a custom AQL query.

5. Click Next.


6. On the General Settings tab, enter a name and description.

7. In the Risk value of sense event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 5.

8. Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1 - 10). This factor is determined by how much the user deviates from their expected behavior and not just that they deviated.

9. In the Confidence interval to trigger anomaly field, enter the percentage for how confident the machine learning algorithm should be before it triggers an anomalous event. The default value is 0.95.

10. In the Data Retention Period field, set the number of days you want to save the model data. The default value is 30.

11. The Show graph on User Details page toggle is enabled by default to display the custom model graph on the User Details page. If you do not want to display the graph on the User Details page, click the toggle.

12. In the AQL Search Filter field, you can add an AQL filter to narrow the data that the analytic queries for in QRadar. By filtering with an AQL query, you can reduce the number of users or the types of data the analytic is analyzing. Before you save your settings, click Validate Query to launch a full AQL query in QRadar so that you can review the query and verify the results.

Important: If you modify the AQL filter, the existing model is marked invalid and is then rebuilt. The length of time the rebuild takes depends on the amount of data that is returned by the modified filter.

You can filter on specific log sources, network names, or reference sets that contain specific users. See the following examples:

• REFERENCESETCONTAINS('Important People', username)

• LOGSOURCETYPENAME(devicetype) in ('Linux OS', 'Blue Coat SG Appliance', 'Microsoft Windows Security Event Log')

• INCIDR('172.16.0.0/12', sourceip) or INCIDR('10.0.0.0/8', sourceip) or INCIDR('192.168.0.0/16', sourceip)

For more information, see Ariel Query Language.

13. Click Save.
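The Risk value of sense event, scale-risk toggle, Confidence interval to trigger anomaly, Data Retention Period and 28-day inactivity rule are shared by the Risk Posture, Suspicious Activity and custom-model procedures above. The following Python model is an added example, not code from the UBA app: the app's actual baseline algorithm is not documented here, so the baseline (mean and standard deviation of the user's earlier counts for the same hour of the day), the mapping from deviation to the 1 - 10 scaling factor, and the minimum sample count are assumptions chosen only to make the settings concrete.

```python
"""Added example (not the app's code) showing how the settings shared by the
Risk Posture, Suspicious Activity and custom-model procedures interact.
ASSUMPTIONS: the baseline is the mean and standard deviation of the user's earlier
counts for the same hour of the day, and the 1-10 scaling factor counts how many
critical distances the user exceeded that baseline by."""
from dataclasses import dataclass, field
from math import ceil, inf
from statistics import NormalDist, mean, pstdev
from typing import Dict, List, Optional, Tuple

MIN_SAMPLES = 3  # assumed: no baseline, hence no sense events, before this many samples


@dataclass
class ModelSettings:
    risk_value: float = 5.0     # "Risk value of sense event" (default 5)
    scale_risk: bool = False    # toggle to scale the risk value by a factor of 1 - 10
    confidence: float = 0.95    # "Confidence interval to trigger anomaly" (default 0.95)
    retention_days: int = 30    # "Data Retention Period" (default 30)
    inactivity_days: int = 28   # users with no activity for this long leave the model


@dataclass
class SenseEvent:
    user: str
    observed: float
    expected: float
    z_score: float
    factor: int
    risk_increase: float


@dataclass
class UserState:
    samples: List[Tuple[int, int, float]] = field(default_factory=list)  # (day, hour, count)
    last_active_day: int = 0


class HourlyBaseline:
    """Per-user, per-hour-of-day baseline with the retention and inactivity rules above."""

    def __init__(self, settings: ModelSettings) -> None:
        self.settings = settings
        self.users: Dict[str, UserState] = {}
        # one-sided critical value for the configured confidence: 0.95 -> about 1.645
        self.z_critical = NormalDist().inv_cdf(settings.confidence)

    def observe(self, user: str, day: int, hour: int, count: float) -> Optional[SenseEvent]:
        """Score one hourly count against the user's baseline, then add it to the model."""
        state = self.users.setdefault(user, UserState())
        state.last_active_day = max(state.last_active_day, day)
        # Data Retention Period: forget samples that fall outside the retention window
        cutoff = day - self.settings.retention_days
        state.samples = [s for s in state.samples if s[0] > cutoff]
        history = [c for _, h, c in state.samples if h == hour]
        event = None
        if len(history) >= MIN_SAMPLES:
            expected, sigma = mean(history), pstdev(history)
            if sigma > 0:
                z = (count - expected) / sigma
            else:
                z = inf if count > expected else 0.0
            if z > self.z_critical:
                # Scaling factor: 1 when the toggle is off, otherwise how many critical
                # distances the user deviated, clamped to the documented 1 - 10 range
                factor = 1
                if self.settings.scale_risk:
                    factor = 10 if z == inf else min(10, max(1, ceil(z / self.z_critical)))
                event = SenseEvent(user, count, expected, z, factor,
                                   self.settings.risk_value * factor)
        state.samples.append((day, hour, count))
        return event

    def expire_inactive(self, current_day: int) -> List[str]:
        """Drop users with no activity for inactivity_days; they return later as new users."""
        gone = [u for u, s in self.users.items()
                if current_day - s.last_active_day >= self.settings.inactivity_days]
        for u in gone:
            del self.users[u]
        return gone


# Constructed sample input: one user with a steady 09:00 count for a week.
WEEK_OF_COUNTS = [10, 12, 11, 9, 10, 12, 11]


def run_scenario(scale_risk: bool, probe: float, probe_day: int = 8) -> Optional[SenseEvent]:
    """Train on the constructed week, then score `probe` at 09:00 on `probe_day`."""
    model = HourlyBaseline(ModelSettings(scale_risk=scale_risk))
    for day, count in enumerate(WEEK_OF_COUNTS, start=1):
        model.observe("alice", day, 9, count)
    return model.observe("alice", probe_day, 9, probe)


def run_expiry(check_day: int) -> List[str]:
    """Train on the constructed week, then apply the inactivity rule on `check_day`."""
    model = HourlyBaseline(ModelSettings())
    for day, count in enumerate(WEEK_OF_COUNTS, start=1):
        model.observe("alice", day, 9, count)
    return model.expire_inactive(check_day)
```

A probe of 12 stays inside the 0.95 one-sided band and produces no sense event; a probe of 40 produces one worth the base 5 points, or 50 points with scaling on, and a probe scored after the retention window has emptied the history produces nothing until a new baseline forms.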


Related tasks

• Access Activity: Enable the Access Activity machine learning model to display the user’s activity in the Access high-level category on the UBA Dashboard.

• Activity Distribution: Configure the Activity Distribution machine learning model to display dynamic behavior clusters for all users that are monitored by machine learning on the UBA Dashboard.

• Aggregated Activity: Enable the Aggregated Activity machine learning model to display the user’s general activity by time on the UBA Dashboard.

• Authentication Activity: Enable the Authentication Activity machine learning model to display the user’s activity in the Authentication high-level category on the UBA Dashboard.

• Data Downloaded: Enable the Data Downloaded machine learning model to display data that is downloaded for each user on the UBA Dashboard.

• Data Uploaded to Remote Networks: Enable the Data Uploaded to Remote Networks machine learning model to display the actual and expected (learned) amount of local to remote upload volume for each user on the UBA Dashboard.

• Defined Peer Group: Configure the Defined Peer Group machine learning model to display how much a user's event activity deviates from the event activity of their defined peer group on the UBA Dashboard.

• Learned Peer Group: Enable the Learned Peer Group machine learning model to display how much the user deviated from the inferred peer group they were expected to be in on the UBA Dashboard.

• Outbound Transfer Attempts: Enable the Outbound Transfer Attempts machine learning model to display outbound traffic usage for each user on the UBA Dashboard.

• Risk Posture: Enable the Risk Posture machine learning model to display the user's risk score deviation on the UBA Dashboard.

• Suspicious Activity: Enable the Suspicious Activity machine learning model to display the actual and expected (learned) amount of Suspicious Activity high-level category on the UBA Dashboard.

Application Events

Procedure

• Event Name : UBA : Custom Analytic Anomaly

• sensevalue: 5

• Required configuration: System is monitoring events that have QRadar high level category of Application.

• Log source types: APC UPS, Apache HTTP Server, Application Security DbProtect, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Web Application Firewall, Barracuda Web Filter, Blue Coat Web Security Service, BlueCat Networks Adonis, CRE System, Centrify Infrastructure Services, Check Point, Cilasoft QJRN/400, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco FireSIGHT Management Center, Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco Meraki, Cisco Nexus, Cisco PIX Firewall, Cisco Stealthwatch, Cisco Umbrella, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, Custom Rule Engine, Cyber-Ark Vault, DG Technology MEAS, EMC VMWare, Event CRE Injected, Extreme Matrix K/N/S Series Switch, Extreme Stackable and Standalone Switches, F5 Networks BIG-IP AFM, F5 Networks BIG-IP ASM, F5 Networks BIG-IP LTM, Fidelis XPS, FireEye, Flow Classification Engine, Flow Device Type, Forcepoint Sidewinder, Forcepoint V Series, Fortinet FortiGate Security Gateway, FreeRADIUS, H3C Comware Platform, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM DB2, IBM DataPower, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM Resource Access Control Facility (RACF), IBM Security Directory Server, IBM Tivoli Access Manager for e-business, IBM i, IBM z/OS, ISC BIND, Imperva SecureSphere, Infoblox NIOS, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks AVT, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper WirelessLAN, Kisco Information Systems SafeNet/i, Linux DHCP Server, McAfee Network Security Platform, McAfee Web Gateway, Metainfo MetaIP, Microsoft DHCP Server, Microsoft DNS Debug, Microsoft Exchange Server, Microsoft IIS, Microsoft Office 365, Microsoft Operations Manager, Microsoft Windows Security Event Log, Motorola SymbolAP, NGINX HTTP Server, Nortel Contivity VPN Switch, Nortel VPN Gateway, OS Services Qidmap, OSSEC, ObserveIT, Okta, Open LDAP Software, OpenBSD OS, Oracle BEA WebLogic, Oracle Database Listener, PostFix MailTransferAgent, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware DefensePro, SSH CryptoAuditor, Skyhigh Networks Cloud Security Platform, Solaris Operating System Authentication Messages, Solaris Operating System DHCP Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Sophos Web Security Appliance, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sun ONE LDAP, Symantec Critical System Protection, Symantec Encryption Management Server, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), Top Layer IPS, Trend InterScan VirusWall, Trend Micro Deep Security, Universal DSM, Venustech Venusense Security Platform, Verdasys Digital Guardian, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI

Source IP

Procedure

• Event Name : UBA : Custom Analytic Anomaly

• sensevalue: 5

• Log source types: Any log source that contains username and source ip in the events.

Destination Port

Procedure

• Event Name : UBA : Custom Analytic Anomaly

• sensevalue: 5

• Log source types: Any log source that contains username and destination port in the events.

Office File Access

Procedure

• Event Name : UBA : Custom Analytic Anomaly

• sensevalue: 5

• Required configuration: System is monitoring events that have QRadar event names that include the word "file".

• Log source type: Microsoft Office 365

AWS Access

Procedure

• Event Name : UBA : Custom Analytic Anomaly

• sensevalue: 5

• Required configuration: System is monitoring events that contain QRadar event names that include the word "bucket".

• Log source types: Amazon AWS Cloudtrail

Process

Procedure

• Event Name : UBA : Custom Analytic Anomaly

• sensevalue: 5

• Required configuration: Custom event property 'Process' must exist for the desired log source type.

• Log source types: Microsoft Windows Security Event Log; Linux OS

Website

Procedure

• Event Name : UBA : Custom Analytic Anomaly

• sensevalue: 5

• Support rules: 'UBA : Browsed to Entertainment Website', 'UBA : Browsed to LifeStyle Website', 'UBA : Browsed to Business/Service Website', 'UBA : Browsed to Communications Website'

• Required configuration: Custom event property 'Web Category' must exist for the desired log source type.

• Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series; Forcepoint V Series, Fortinet FortiGate Security Gateway

Risky IP

Procedure

• Event Name : UBA : Custom Analytic Anomaly

• sensevalue: 5

• Required configuration: Set "Enable X-Force Threat Intelligence Feed" to Yes in Admin Settings > System Settings.

• Log source types: Any log source with events that have a user name.

User groups for the defined peer group analytic

You can enable the Defined Peer Group analytic in the Machine Learning app if UBA is configured to use a reference table that contains at least two groupings with a minimum of five users using one of the group by selections.

Note: In V2.6.0 or later, you can extract user groups in UBA and enable the Defined Peer Group analytic.

The grouping selections are Job Title, Department, or a custom property that you define on the UBA Settings page in the Custom Group field under Display Attributes. When UBA detects more than two distinct groups each with five or more users, the Defined Peer Group analytic can be enabled. To have valid user groups, you can configure the Reference Data Import LDAP App so that the user properties (Job Title, Department, or other LDAP attribute grouping) can be extracted as a reference table. You can then configure UBA to use the reference table that you created.

The Defined Peer Group analytic can monitor up to 20 groups. The largest 20 groups in the configured Group By field are chosen. The number of users to monitor is proportionally reduced from each group to meet the monitored user limit for your Machine Learning installation size.

Remember: The reference table import has a 2-hour minimum repeating schedule as configured on the UBA Settings page. Any new user grouping attributes are imported when the import is scheduled to run.
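The eligibility and selection rules in this section, worked through in Python as an added example (this is not code from the UBA app or the Reference Data Import LDAP App): the constructed reference table, the two-group threshold, the choice of which users are kept when a group is reduced, and largest-remainder rounding for the proportional reduction are all assumptions.

```python
"""Added example (not the app's code) of the Defined Peer Group eligibility and
selection rules: at least two groupings of five or more users, at most the 20
largest groups, each reduced proportionally to the monitored user limit.
ASSUMPTIONS: "at least two" is the threshold, users kept within a reduced group
are taken in username order, and the reduction uses largest-remainder rounding."""
from typing import Dict, List

MIN_GROUPS = 2       # groupings needed before the analytic can be enabled
MIN_GROUP_SIZE = 5   # users a grouping needs before it counts
MAX_GROUPS = 20      # the analytic monitors at most the 20 largest groups


def _staff(dept: str, title: str, n: int) -> Dict[str, Dict[str, str]]:
    """Constructed users in the shape of an LDAP-extracted reference table row."""
    return {f"{dept.lower()}{i:02d}": {"Department": dept, "Job Title": title}
            for i in range(1, n + 1)}


# Constructed reference table: username -> extracted attributes (sample data).
SAMPLE_TABLE: Dict[str, Dict[str, str]] = {
    **_staff("Engineering", "Engineer", 12),
    **_staff("Sales", "Account Executive", 8),
    **_staff("Finance", "Analyst", 5),
    **_staff("HR", "Analyst", 3),         # too small to form a department peer group
    **_staff("Marketing", "Analyst", 4),  # also too small by department
    "ceo": {"Department": "Executive"},   # no Job Title attribute at all
}


def group_users(table: Dict[str, Dict[str, str]], group_by: str) -> Dict[str, List[str]]:
    """Group usernames by the Group By attribute; users missing it cannot be placed."""
    groups: Dict[str, List[str]] = {}
    for user, attrs in table.items():
        value = attrs.get(group_by)
        if value:
            groups.setdefault(value, []).append(user)
    return groups


def eligible_groups(groups: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Only groupings with five or more users count toward enabling the analytic."""
    return {name: members for name, members in groups.items()
            if len(members) >= MIN_GROUP_SIZE}


def can_enable_defined_peer_group(groups: Dict[str, List[str]]) -> bool:
    """True when enough sufficiently large groupings exist (assumed threshold: two)."""
    return len(eligible_groups(groups)) >= MIN_GROUPS


def select_monitored_users(groups: Dict[str, List[str]],
                           user_limit: int) -> Dict[str, List[str]]:
    """Keep the 20 largest eligible groups, then shrink each proportionally to user_limit."""
    ranked = sorted(eligible_groups(groups).items(),
                    key=lambda kv: (-len(kv[1]), kv[0]))[:MAX_GROUPS]
    total = sum(len(members) for _, members in ranked)
    if total <= user_limit:
        return {name: sorted(members) for name, members in ranked}
    # Largest-remainder apportionment: floor each proportional share, then hand the
    # leftover slots to the groups with the biggest fractional remainders.
    quotas: Dict[str, int] = {}
    remainders = []
    for name, members in ranked:
        share = len(members) * user_limit / total
        quotas[name] = int(share)
        remainders.append((share - int(share), len(members), name))
    leftover = user_limit - sum(quotas.values())
    for _, _, name in sorted(remainders, reverse=True)[:leftover]:
        quotas[name] += 1
    return {name: sorted(members)[:quotas[name]] for name, members in ranked}
```

Grouping the sample table by Department yields three eligible groups (12, 8 and 5 users), so the analytic can be enabled; with a monitored user limit of 10 the proportional reduction keeps 5, 3 and 2 users respectively, and the smaller departments are never monitored.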

Uninstalling the Machine Learning Analytics app

Uninstall the Machine Learning Analytics app from the Machine Learning Settings page.

About this task

Before you uninstall the UBA app, you must complete the following procedure for uninstalling the ML app. If you do not uninstall the ML app before you uninstall UBA, you must remove it from the interactive API documentation interface.


Procedure

1. Open the Admin settings:

• In IBM QRadar V7.3.0 or earlier, click the Admin tab.

• In IBM QRadar V7.3.1 and later, click the navigation menu ( ), and then click Admin to open the admin tab.

2. Click the Machine Learning Settings icon.

• In QRadar V7.3.0 or earlier, click Plugins > User Analytics > Machine Learning Settings.

• In QRadar 7.3.1 or later, click Apps > User Analytics > Machine Learning Settings.

3. On the Machine Learning Settings screen, click Uninstall ML App.

4. At the uninstall prompt, click Yes.


What to do next

You must clear your browser cache before logging back in to the QRadar Console.


Chapter 10. Troubleshooting and support

To isolate and resolve problems with your IBM product, you can use the troubleshooting and support information.

For answers to common support questions about the User Behavior Analytics app and the Machine Learning Analytics app, see https://developer.ibm.com/answers/topics/uba/

Help and support page for UBA

The UBA app (V2.5.0) includes a Help and Support section for using the UBA app, the LDAP app, and the Machine Learning Analytics app.

Accessing the Help and Support page for UBA

The Help and Support page provides links to documentation, troubleshooting and support, video tutorials, log files, and administrative functions. You must have QRadar® administrator privileges to view log files and complete administrative functions from the Help and support page.

After you install the UBA app, you can access the Help and Support page from the following locations:

• From the Admin settings:

– In QRadar V7.3.0 or earlier, click Plugins > User Analytics > Help and Support.

– In QRadar 7.3.1 or later, click Apps > User Analytics > Help and Support.

• From the User Analytics tab, click the Help and Support icon.

Administrative functions

You must have QRadar® administrator privileges to view log files and complete administrative functions.

Administrative functions include the ability to complete the following actions:

• Click Clear UBA Data to remove all UBA user data but maintain all of your current UBA configuration settings. Clearing UBA data makes the UBA app behave as if you just installed and configured the UBA Settings. If the Machine Learning app is installed, the Clear UBA Data button also resets the ML app.

• Click Reset ML Setting if the Machine Learning app is installed and you want to reset all of your Machine Learning settings and disable all of the analytics that are enabled.


Service requests

Service requests are also known as Problem Management Records (PMRs).

Several methods exist to submit diagnostic information to IBM Software Technical Support. To open a service request, or to exchange information with technical support, view the IBM Software Support Exchanging information with Technical Support page (http://www.ibm.com/software/support/exchangeinfo.html). Service requests can also be submitted directly by using the Service requests (PMRs) tool (http://www.ibm.com/support/entry/portal/Open_service_request).

Machine Learning app status shows warning on dashboard

If the Status of Machine Learning Models on the UBA dashboard shows warning messages, review the procedures to resolve the issue.

If the Status of Machine Learning Models shows Model failed to build for an analytic, you can try the following suggestions to resolve the issue:

• See the error logs for the ML App.

• Check the disk space on the system that is running the Machine Learning app.

• Verify that the UBA app has users with events.

• Contact IBM Customer Support.

Related concepts

“Extracting UBA and Machine Learning logs” on page 260
Use the UBA and Machine Learning log files to help troubleshoot problems.

Machine Learning app status shows no progress for data ingestion

If the Status of Machine Learning Models on the UBA dashboard appears to be stuck during the data ingestion phase, review the procedure to resolve the issue.

If the Status of Machine Learning Models shows no progress for data ingestion for an analytic, you can try the following suggestions to resolve the issue:

• Restart the Ariel Server Service.

• Check the disk space on the system running the Machine Learning app.

• Check inside the ML container to see if the UBAController process is running.

• Contact IBM Customer Support.

ML app status is in an error state

If the Machine Learning Analytics (ML) app fails to install and the Machine Learning Settings shows an Error status, you can use the cURL command line tool and the API Documentation settings to uninstall the ML app.

Procedure

If the ML App Status in the Machine Learning Settings page shows Error, complete the procedure to uninstall the failed app.


Note: You must have a valid authentication token. You can see the list of configured authentication tokens in the Authorized Services section in the Admin settings of the QRadar Console.

1. Using SSH, log in to the QRadar Console.

2. Run the following command:

# psql -U qradar -c 'select id,name,status from installed_application'

Example output:

  id  |              name               | status
------+---------------------------------+---------
 1356 | User Analytics                  | RUNNING
 1358 | Machine Learning Analytics      | ERROR
 1357 | dataimport.ldap.applicationname | RUNNING

3. Locate and record the id value for Machine Learning Analytics from the output of the command.

4. Using a valid authentication token in the place of <valid token> and the recorded id value in place of <id>, run the following command to uninstall the failed Machine Learning app:

# curl -X DELETE -k -H 'SEC:<valid token>' https://127.0.0.1/api/gui_app_framework/applications/<id>
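Steps 2 through 4 can be chained so that the id is never copied by hand and a healthy app is never passed to the DELETE call by mistake. The following bash script is an added example, not part of this guide or of the UBA app: it parses the psql output shown above (a constructed copy of that output is embedded), picks out the id of the row whose name is Machine Learning Analytics only if that row's status is ERROR, and assembles the curl request from step 4. The authorized-service token is read from a SEC_TOKEN environment variable, which is an assumption of this example, rather than typed into the command, and the request is printed for review instead of being run.

```shell
#!/bin/bash
# Added example (not IBM's code): extract the failed ML app's id from the
# psql output in step 2 and assemble the uninstall request from step 4.

# Constructed sample of `select id,name,status from installed_application`,
# laid out the way psql prints it in the procedure above.
SAMPLE_PSQL_OUTPUT='  id  |              name               | status
------+---------------------------------+---------
 1356 | User Analytics                  | RUNNING
 1358 | Machine Learning Analytics      | ERROR
 1357 | dataimport.ldap.applicationname | RUNNING
(3 rows)'

# Print "<id> <status>" for the named application; psql output is read from
# stdin. Columns are split on "|" and trimmed, so alignment does not matter.
app_row() {
  local want="$1"
  awk -F'|' -v want="$want" '
    NF == 3 {
      for (i = 1; i <= 3; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
      if ($2 == want) { print $1, $3; exit }
    }'
}

# Print the id of the named app only when its status is ERROR. Any other
# status, a missing row, or a non-numeric id is refused with exit status 1,
# so a running app is never handed to the DELETE request.
failed_app_id() {
  local want="$1" row id status
  row=$(app_row "$want")
  [ -n "$row" ] || { echo "no application named '$want'" >&2; return 1; }
  id=${row%% *}
  status=${row##* }
  [ "$status" = "ERROR" ] || { echo "'$want' is $status, not ERROR; refusing" >&2; return 1; }
  case "$id" in
    ''|*[!0-9]*) echo "unexpected id '$id'" >&2; return 1 ;;
  esac
  printf '%s\n' "$id"
}

# Build the step-4 request for an id. The token comes from the SEC_TOKEN
# environment variable (assumed by this example) and the command is printed,
# not executed, so it can be reviewed before anything is deleted.
uninstall_request() {
  printf '%s\n' "curl -X DELETE -k -H \"SEC:\$SEC_TOKEN\" https://127.0.0.1/api/gui_app_framework/applications/$1"
}

# Walk the sample output end to end. On a real console, replace the sample
# with:  psql -U qradar -c 'select id,name,status from installed_application'
demo() {
  local id
  id=$(printf '%s\n' "$SAMPLE_PSQL_OUTPUT" | failed_app_id "Machine Learning Analytics") || return 1
  uninstall_request "$id"
}

demo
```

Keeping the token in an environment variable and printing the request first keeps the secret out of shell history and gives you a chance to compare the id with what the Machine Learning Settings page reports; the ERROR check means the User Analytics and LDAP rows in the sample are refused.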

Removing the Machine Learning app

To remove the Machine Learning app using the gui_app_framework API, complete the following steps:

1. Open the QRadar Console and navigate to the API doc page at the following location: https://<host_address_port>/api_doc

2. Open the folder for the highest API version number (the number is different based on the QRadar version; for example, 7.0 on QR 7.2.8).

3. Open the /gui_app_framework folder and then select /applications.

4. At this point, you should be at the GET API. Click the "Try It Out!" button to get the list of installed applications.


5. Search for Machine Learning Analytics in the results from step 4 and get the application_id attribute value.

6. Expand the /applications menu in the API docs (same location as step 3), select the /application_id API and click the DELETE tab.

7. Enter the application ID value from step 5 and then click the "Try It Out!" button to remove the application.

8. The API should return an HTTP 204 status code to indicate the application was successfully removed.

Extracting UBA and Machine Learning logs

Use the UBA and Machine Learning log files to help troubleshoot problems.

Downloading app log files

You can easily download log files for the UBA app and the Machine Learning app from “Help and support page for UBA” on page 257.

UBA app log files

Follow these steps to manually extract the UBA app log files from the docker container.

1. On the QRadar host running UBA, navigate to a directory that has enough space to create a zip file that includes all of the app's log files.

2. Run the following command:

find /store/docker/v* -name uba.db

3. Copy the directory path that precedes uba.db.

For example, in the following directory path:
/store/docker/volumes/qapp-1001/uba.db
you would copy:
/store/docker/volumes/qapp-1001/

4. Run the following command substituting the directory path from step 1:

zip -qr uba_logs.zip <your_path_here>log*

For example:

zip -qr uba_logs.zip /store/docker/volumes/qapp-1001/log*

Machine Learning app log files

Follow these steps to manually extract the Machine Learning app log files from the docker container.

1. On the QRadar host running UBA, navigate to a directory that has enough space to create a zip file that includes all of the app's log files.

2. Run the following command:

find /store/docker/v* -name itproot

3. Copy the directory path that precedes itproot.

For example, in the following directory path:
/store/docker/volumes/qapp-1003/itproot
you would copy:
/store/docker/volumes/qapp-1003/

4. Run the following command substituting the directory path from step 1:

zip -qr ml_logs.zip <your_path_here>log*


For example:

zip -qr ml_logs.zip /store/docker/volumes/qapp-1003/log*
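The UBA and Machine Learning procedures above are the same three commands with different marker files (uba.db for UBA, itproot for ML). The following bash functions are an added example, not part of this guide or of either app: they derive the volume directory from the path that find returns (step 3) and zip that volume's log* entries into the current directory (step 4). The docker root defaults to /store/docker as in the guide; the optional argument that overrides it is an assumption added so the lookup can be exercised on a scratch directory rather than a live console.

```shell
#!/bin/bash
# Added example (not IBM's code): the manual log-extraction steps for the UBA
# app (marker uba.db) and the Machine Learning app (marker itproot) as
# functions, with the volume lookup kept separate from the zip step.

# Step 3: drop the marker file name and keep a trailing slash so the result
# joins with "log*" exactly as step 4 writes it.
#   /store/docker/volumes/qapp-1001/uba.db -> /store/docker/volumes/qapp-1001/
volume_dir_of() {
  printf '%s/\n' "$(dirname "$1")"
}

# Step 2: locate the app volume that holds the marker file. The docker root
# defaults to /store/docker as in the guide; the second argument overriding it
# is an assumption of this example so the lookup can run on a scratch tree.
find_app_volume() {
  local marker="$1" root="${2:-/store/docker}" hit
  hit=$(find "$root"/v* -name "$marker" 2>/dev/null | head -n 1)
  [ -n "$hit" ] || { echo "no volume containing $marker under $root" >&2; return 1; }
  volume_dir_of "$hit"
}

# Step 4: zip every log* entry of that volume into the named archive in the
# current directory. Run it from a directory with enough free space (step 1).
collect_app_logs() {
  local marker="$1" archive="$2" root="${3:-/store/docker}" vol
  vol=$(find_app_volume "$marker" "$root") || return 1
  zip -qr "$archive" "$vol"log*
}

# Usage on a QRadar host (not executed here):
#   collect_app_logs uba.db  uba_logs.zip    # UBA app log files
#   collect_app_logs itproot ml_logs.zip     # Machine Learning app log files
```

Because find_app_volume fails loudly when the marker file is absent, collect_app_logs never falls through to zipping "/log*" with an empty path, which is the usual outcome of a mistyped volume directory.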


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.

IBM may use or distribute any of the information you provide in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
US

Such information may be available, subject to appropriate terms and conditions, including in some cases,payment of a fee.


The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to actual people or business enterprises is entirely coincidental.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Terms and conditions for product documentation

Permissions for the use of these publications are granted subject to the following terms and conditions.

Applicability

These terms and conditions are in addition to any terms of use for the IBM website.

Personal use

You may reproduce these publications for your personal, noncommercial use provided that all proprietary notices are preserved. You may not distribute, display or make derivative work of these publications, or any portion thereof, without the express consent of IBM.


Commercial use

You may reproduce, distribute and display these publications solely within your enterprise provided that all proprietary notices are preserved. You may not make derivative works of these publications, or reproduce, distribute or display these publications or any portion thereof outside your enterprise, without the express consent of IBM.

Rights

Except as expressly granted in this permission, no other permissions, licenses or rights are granted, either express or implied, to the publications or any information, data, software or other intellectual property contained therein.

IBM reserves the right to withdraw the permissions granted herein whenever, in its discretion, the use of the publications is detrimental to its interest or, as determined by IBM, the above instructions are not being properly followed.

You may not download, export or re-export this information except in full compliance with all applicable laws and regulations, including all United States export laws and regulations.

IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.

IBM Online Privacy Statement

IBM Software products, including software as a service solutions, (“Software Offerings”) may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering’s use of cookies is set forth below.

Depending upon the configurations deployed, this Software Offering may use session cookies that collect each user’s session id for purposes of session management and authentication. These cookies can be disabled, but disabling them will also eliminate the functionality they enable.

If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see the IBM Privacy Policy at http://www.ibm.com/privacy and the IBM Online Privacy Statement at http://www.ibm.com/privacy/details the section entitled "Cookies, Web Beacons and Other Technologies" and the "IBM Software Products and Software-as-a-Service Privacy Statement" at http://www.ibm.com/software/info/product-privacy.

General Data Protection Regulation

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.


To learn more about IBM's own GDPR readiness journey and our GDPR capabilities and offerings, see the following information: https://ibm.com/gdpr.
