EBA: Excessive Connection Attempts to High Risky Remote Access Ports on events which are detected by the Local system

The QRadar® User Entity Behavior Analytics (UEBA) app supports use cases based on rules for certain behavioral anomalies.

EBA: Excessive Connection Attempts to High Risky Remote Access Ports on events which are detected by the Local system

Enabled by default

True

Default senseValueDestination

5

Default senseValueSource

10

Description

Detects excessive connection attempts to critical remote access and service ports by identifying a source IP generating at least 20 connections to critical service ports within 5 minutes.

Support rules

  • BB:UBA : Common Log Source Filters
  • BB:UBA : Critical Service Ports

Log source types

Firewall logs, Network Flow (NetFlow), EDR Telemetry