UEBA : Multiple blocked file uploads followed by a successful upload
The QRadar® User Entity Behavior Analytics (UEBA) app supports use cases based on rules for certain behavioral anomalies.
Enabled by default: False
Default senseValue: 10
Default senseValueSource: 10
Default senseValueDestination: 10
Description
Detects when a high volume of blocked file uploads for a user is followed by a successful upload by that same user.
Support rules
- BB:UBA : Successful File Upload
- BB:UBA : Multiple Blocked File Uploads
- BB:UBA : Common Log Source Filters
Note: Both upload building blocks match only events on ports 443, 80 and 21 (HTTPS, HTTP and FTP).
Required configuration
Enable Search assets for username, when username is not available for event or flow data in .
Log source types
Blocked file uploads: event categories (Access.FTP Action Denied, Access.Firewall Session Closed, Access.Access Denied)
Successful file upload: event categories (Access.FTP Action Allowed, Access.Firewall Session Opened, Access.Access Permitted)
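The following is an added, stand-alone Python model of the sequence this rule describes (many blocked uploads for one user, then a successful upload by the same user, on ports 443, 80 or 21). It is not QRadar's rule engine or the UBA app's own code: the blocked/allowed event categories, the port list and the senseValue of 10 are taken from this page, while the block count that counts as "multiple", the time window, the field names and the sample events are assumptions made for the example.

```python
"""Added example: a model of 'Multiple blocked file uploads followed by a
successful upload', not QRadar's own rule. Threshold, window, field names
and the sample events are assumptions; categories, ports and senseValue
are taken from the rule page."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# From the page: event categories of the two upload building blocks and the port note.
BLOCKED_CATEGORIES = {"Access.FTP Action Denied", "Access.Firewall Session Closed", "Access.Access Denied"}
ALLOWED_CATEGORIES = {"Access.FTP Action Allowed", "Access.Firewall Session Opened", "Access.Access Permitted"}
UPLOAD_PORTS = {443, 80, 21}
SENSE_VALUE = 10  # default senseValue: risk added to the user when the rule matches

# Assumed tuning (not stated on the page): what counts as "multiple" blocked uploads.
BLOCK_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


@dataclass
class Event:
    time: datetime
    username: str      # may be empty when the log source carries no user (see required configuration)
    category: str
    dest_port: int


class BlockedThenAllowedDetector:
    def __init__(self, threshold=BLOCK_THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.blocks = defaultdict(deque)   # username -> timestamps of recent blocked uploads
        self.risk = defaultdict(int)       # username -> accumulated risk score
        self.offenses = []                 # (username, time, blocked_count) for each match

    def _prune(self, user, now):
        """Drop blocked-upload timestamps older than the window."""
        q = self.blocks[user]
        while q and now - q[0] > self.window:
            q.popleft()

    def process(self, ev):
        """Feed one event in time order; returns True when the sequence fires."""
        if not ev.username:
            return False  # no user to attribute to: UEBA cannot score the event
        if ev.dest_port not in UPLOAD_PORTS:
            return False  # outside the 443/80/21 scope of the upload building blocks
        self._prune(ev.username, ev.time)
        if ev.category in BLOCKED_CATEGORIES:
            self.blocks[ev.username].append(ev.time)
            return False
        if ev.category in ALLOWED_CATEGORIES:
            n = len(self.blocks[ev.username])
            if n >= self.threshold:
                self.offenses.append((ev.username, ev.time, n))
                self.risk[ev.username] += SENSE_VALUE
                self.blocks[ev.username].clear()  # do not re-fire on the same burst
                return True
        return False


def sample_events():
    """Constructed sample events for the example (not real QRadar data)."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    evs = []
    # alice: six denied FTP uploads in two minutes, then one allowed -> should fire
    for i in range(6):
        evs.append(Event(t0 + timedelta(seconds=20 * i), "alice", "Access.FTP Action Denied", 21))
    evs.append(Event(t0 + timedelta(minutes=3), "alice", "Access.FTP Action Allowed", 21))
    # bob: only two blocks before the success -> below threshold, no fire
    for i in range(2):
        evs.append(Event(t0 + timedelta(seconds=30 * i), "bob", "Access.Access Denied", 443))
    evs.append(Event(t0 + timedelta(minutes=1), "bob", "Access.Access Permitted", 443))
    # carol: six blocks, but on port 22, which the building blocks do not cover -> no fire
    for i in range(6):
        evs.append(Event(t0 + timedelta(seconds=20 * i), "carol", "Access.Firewall Session Closed", 22))
    evs.append(Event(t0 + timedelta(minutes=3), "carol", "Access.Firewall Session Opened", 22))
    # dave: six blocks, but the success comes 30 minutes later -> outside the window, no fire
    for i in range(6):
        evs.append(Event(t0 + timedelta(seconds=20 * i), "dave", "Access.Access Denied", 80))
    evs.append(Event(t0 + timedelta(minutes=30), "dave", "Access.Access Permitted", 80))
    evs.sort(key=lambda e: e.time)
    return evs


def run(events):
    """Run the detector over a time-ordered event list; returns (detector, fired flags)."""
    d = BlockedThenAllowedDetector()
    fired = [d.process(e) for e in events]
    return d, fired


if __name__ == "__main__":
    det, _ = run(sample_events())
    for user, when, count in det.offenses:
        print(f"{when}: {user} succeeded after {count} blocked uploads, risk now {det.risk[user]}")
```

The port and username checks stand in for BB:UBA : Common Log Source Filters and the asset lookup the required configuration enables: an event with no username is simply dropped here, which is exactly why the rule needs "Search assets for username" turned on for log sources that do not carry one. The threshold and window are the knobs a practitioner would tune against their own false-positive rate.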