EBA: Host Infection Pattern on events which are detected by the Local system
The QRadar® User Entity Behavior Analytics (UEBA) app supports use cases based on rules for certain behavioral anomalies.
EBA: Host Infection Pattern on events which are detected by the Local system
Enabled by default
True
Default senseValueDestination
0
Default senseValueSource
10
Description
Detects a potential host compromise sequence where a system establishes an outbound connection to an external IP, subsequently exhibits internal lateral movement activity, and generates multiple access-denied events within a 15-minute period.
Support rules
- BB:UBA : Common Log Source Filters
- BB:UBA : Outbound Connection to External IP
- BB:UBA : Internal Lateral Movement Activity
- BB:UBA : Access Denies
Log source types
Firewall logs, Network Flow (NetFlow), EDR Telemetry