UEBA : Initial Access Followed by Suspicious Activity

The QRadar® User Entity Behavior Analytics (UEBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default: False

Default senseValue: 15

Default senseValueSource: 5

Description: Detects the scenario of phishing or malware activity followed by suspicious access activity within 24 hours. Note: Edit the supported building blocks to monitor any rules that are appropriate for the environment.

Support rules:

Required configuration: See supported rules

Log source types: See supported rules
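
The sequence in the description (phishing or malware activity, then suspicious access by the same user within 24 hours) can be illustrated with the following added example. It is not QRadar's or the UEBA app's rule logic; the category labels, event fields and sample events are constructed assumptions, and treating the 24-hour boundary as inclusive is also an assumption.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # window from the rule description
SENSE_VALUE = 15              # default senseValue listed on this page

# Assumed category labels standing in for whatever rules the building blocks monitor.
INITIAL_ACCESS = {"phishing", "malware"}
SUSPICIOUS_ACCESS = {"suspicious_access"}

def correlate(events):
    """Return a finding for each suspicious-access event that follows an
    initial-access event for the same user within WINDOW."""
    last_initial = {}  # user -> most recent initial-access event
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev["user"]
        if ev["category"] in INITIAL_ACCESS:
            last_initial[user] = ev
        elif ev["category"] in SUSPICIOUS_ACCESS and user in last_initial:
            first = last_initial[user]
            gap = ev["time"] - first["time"]
            if gap <= WINDOW:  # events are sorted, so gap is never negative
                findings.append({"user": user, "initial": first["category"],
                                 "gap_hours": gap.total_seconds() / 3600,
                                 "sense_value": SENSE_VALUE})
    return findings

def ts(s):
    """Parse the timestamp format used in the constructed sample."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample events (not real log data).
SAMPLE = [
    {"user": "alice", "category": "phishing",          "time": ts("2024-03-01 09:00")},
    {"user": "alice", "category": "suspicious_access", "time": ts("2024-03-01 20:30")},  # 11.5 h later: match
    {"user": "bob",   "category": "malware",           "time": ts("2024-03-01 08:00")},
    {"user": "bob",   "category": "suspicious_access", "time": ts("2024-03-02 09:00")},  # 25 h later: outside window
    {"user": "carol", "category": "suspicious_access", "time": ts("2024-03-01 10:00")},  # precedes the phishing event
    {"user": "carol", "category": "phishing",          "time": ts("2024-03-01 12:00")},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE):
        print(finding)
```

Only the first user produces a finding: the second falls outside the window and the third has the events in the wrong order.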