EBA: Host Infection Pattern on events which are detected by the Local system

The QRadar® User Entity Behavior Analytics (UEBA) app supports use cases based on rules for certain behavioral anomalies.

EBA: Host Infection Pattern on events which are detected by the Local system

Enabled by default

True

Default senseValueDestination

0

Default senseValueSource

10

Description

Detects a potential host compromise sequence where a system establishes an outbound connection to an external IP, subsequently exhibits internal lateral movement activity, and generates multiple access-denied events within a 15-minute period.

Support rules

  • BB:UBA : Common Log Source Filters
  • BB:UBA : Outbound Connection to External IP
  • BB:UBA : Internal Lateral Movement Activity
  • BB:UBA : Access Denies

Log source types

Firewall logs, Network Flow (NetFlow), EDR Telemetry