UBA : DoS Attack by Account Deletion

The QRadar® User Entity Behavior Analytics (UEBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default: False

Default senseValue: 10 (the risk score the resulting sense event adds to the user when the rule fires)

Description: Detects a possible denial-of-service attack by counting account deletion events and comparing that count against a fixed threshold within a fixed time span.
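The description above is the whole detection logic: count account-deletion events, compare the count against a threshold inside a fixed window. The block below is an added example written for this page, not IBM's QRadar rule implementation. It normalises account-deletion events from a few of the log source types listed further down through one lookup (standing in for BB:UBA : User Account Deleted), counts them per acting user, and emits a sense event carrying senseValue when the count inside the window reaches the threshold. The threshold of 10 events, the 300-second window, the per-actor grouping and every sample event are assumptions made here; the page states neither the threshold nor the time span.

```python
"""
Added example, not IBM's QRadar rule implementation: a sliding-window detector
for bursts of account deletions. Threshold (10), window (300 s), per-actor
grouping and the sample events are assumptions made for this example.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Subset of the (log source type -> event ID) pairs listed on this page.
ACCOUNT_DELETED_EVENT_IDS = {
    "Microsoft Windows Security Event Log": {"4726", "4743", "630", "647", "1327"},
    "Linux OS": {"userDel", "Account Deleted", "DEL_USER"},
    "Amazon AWS CloudTrail": {"DeleteUser"},
    "Okta": {"core.user_group_member.user_remove",
             "app.generic.import.details.delete_user"},
}


@dataclass(frozen=True)
class Event:
    time: datetime
    log_source_type: str
    event_id: str
    actor: str    # account that performed the deletion
    target: str   # account that was deleted


@dataclass(frozen=True)
class SenseEvent:
    fire_time: datetime
    actor: str
    count: int          # deletions inside the window when the rule fired
    sense_value: int    # risk score added to the actor


def is_account_deletion(event: Event) -> bool:
    """Approximates the BB:UBA : User Account Deleted building block."""
    return event.event_id in ACCOUNT_DELETED_EVENT_IDS.get(event.log_source_type, set())


def detect_dos_by_account_deletion(events, threshold=10, window_seconds=300,
                                   sense_value=10):
    """Emit one SenseEvent per actor each time `threshold` account deletions
    by that actor fall inside a `window_seconds`-wide sliding window."""
    window = timedelta(seconds=window_seconds)
    recent = {}          # actor -> deque of deletion timestamps still in window
    alerts = []
    for ev in sorted(events, key=lambda e: e.time):
        if not is_account_deletion(ev):
            continue     # e.g. account creation or logon: not matched by the BB
        q = recent.setdefault(ev.actor, deque())
        q.append(ev.time)
        while ev.time - q[0] > window:
            q.popleft()  # drop deletions that have aged out of the window
        if len(q) >= threshold:
            alerts.append(SenseEvent(ev.time, ev.actor, len(q), sense_value))
            q.clear()    # one burst -> one sense event, not one per extra deletion
    return alerts


BASE = datetime(2024, 1, 15, 9, 0, 0)   # constructed timestamp base


def sample_events():
    """Constructed sample log: one actor deletes 12 accounts in two minutes
    (Windows 4726), mixed with an account creation (4720, not a deletion) and
    a few isolated deletions by another user on Linux and AWS."""
    evs = [Event(BASE + timedelta(seconds=10 * i),
                 "Microsoft Windows Security Event Log", "4726",
                 "svc-deprov", f"user{i:02d}") for i in range(12)]
    evs.append(Event(BASE + timedelta(seconds=15),
                     "Microsoft Windows Security Event Log", "4720",
                     "svc-deprov", "newhire"))
    evs.append(Event(BASE + timedelta(minutes=1), "Linux OS", "DEL_USER",
                     "alice", "tmpuser"))
    evs.append(Event(BASE + timedelta(minutes=30), "Linux OS", "DEL_USER",
                     "alice", "tmpuser2"))
    evs.append(Event(BASE + timedelta(minutes=40), "Amazon AWS CloudTrail",
                     "DeleteUser", "alice", "ci-bot"))
    return evs


if __name__ == "__main__":
    for alert in detect_dos_by_account_deletion(sample_events()):
        print(f"{alert.fire_time.isoformat()} actor={alert.actor} "
              f"deletions_in_window={alert.count} senseValue={alert.sense_value}")
```

Run as-is, the burst by svc-deprov fires exactly once, at the tenth deletion; the 4720 event and alice's scattered deletions contribute nothing. The same burst is what a legitimate scheduled deprovisioning job looks like, which is why a rule of this shape is worth leaving disabled until the threshold, time span and exclusions (in QRadar, the rule's own threshold and time settings and its support building blocks) have been tuned for the environment.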

Support rules

  • BB:UBA : Common Event Filters
  • BB:UBA : User Account Deleted

Log source types

Amazon AWS CloudTrail (EventID: DeleteUser)

Application Security DbProtect (EventID: Login revoked - Windows, Login dropped - standard, Database role - dropped, Database user revoked)

Aruba Mobility Controller (EventID: authmgr_user_del)

Box (EventID: DELETE_USER)

Brocade FabricOS (EventID: SEC-1181, SEC-3028)

CA ACF2 (EventID: ACF2-L)

Check Point (EventID: user_deleted, device_deleted, User Deleted)

Cilasoft QJRN/400 (EventID: C20020)

Cisco Adaptive Security Appliance (ASA) (EventID: %PIX|ASA-5-502102, %ASA-5-502102)

Cisco FireSIGHT Management Center (EventID: USER_REMOVED_CHANGE_EVENT)

Cisco Firewall Services Module (FWSM) (EventID: 502102)

Cisco Identity Services Engine (EventID: 86008, 86028)

Cisco NAC Appliance (EventID: CCA-1453, CCA-1502)

Cisco Nexus (EventID: SECURITYD-6-DELETE_STALE_USER_ACCOUNT)

Cisco Wireless LAN Controllers (EventID: 1.3.6.1.4.1.9.9.515.0.1)

CloudPassage Halo (EventID: Halo user deleted, Local account deleted (linux only))

CorreLog Agent for IBM zOS (EventID: RACF DELUSER: No Violations)

Custom Rule Engine (EventID: 3035, 3043)

Cyber-Ark Vault (EventID: 276)

EMC VMWare (EventID: AccountRemovedEvent)

Extreme Dragon Network IPS (EventID: HOST:LINUX:USER-DELETED, HOST:WIN:ACCOUNT-DELETED)

Extreme Matrix K/N/S Series Switch (EventID: User Deleted Event, has been deleted)

Extreme NAC (EventID: Deleted registered user)

Extreme NetsightASM (EventID: UserRemove)

Flow Classification Engine (EventID: 3035, 3043)

Forcepoint Sidewinder (EventID: passport deletion, all passports revoked)

HBGary Active Defense (EventID: DeleteUser)

HP Network Automation (EventID: User Deleted)

Huawei S Series Switch (EventID: SSH/6/DELUSER_SUCCESS)

IBM AIX Audit (EventID: USER_Remove SUCCEEDED)

IBM AIX Server (EventID: USER_Remove)

IBM DB2 (EventID: DROP_USER SUCCESS)

IBM DataPower (EventID: 0x81000136)

IBM IMS (EventID: USER DELETED)

IBM Proventia Network Intrusion Prevention System (IPS) (EventID: Delete User)

IBM Resource Access Control Facility (RACF) (EventID: 80 17.2, DELUSER_SUCCESS, 80 17.0)

IBM Security Access Manager for Enterprise Single Sign-On (EventID: REVOKE_IMS_ID, DELETE_IMS_ID)

IBM Security Directory Server (EventID: SDS Audit)

IBM Security Identity Governance (EventID: 50, 43, 70005)

IBM Security Identity Manager (EventID: Delete SUCCESS, Delete SUBMITTED, Delete Success)

IBM SmartCloud Orchestrator (EventID: user)

IBM Tivoli Access Manager for e-business (EventID: 13408 - Succeeded, 13408 Command Succeeded)

IBM i (EventID: GSL2502, M250100, DO_USRPRF, GSL2602, GSL2601, M260100, MC@0400, GSL2501)

IBM z/OS (EventID: 80 1.35)

Juniper Networks Network and Security Manager (EventID: adm24473)

Linux OS (EventID: userDel, Account Deleted, DEL_USER)

McAfee Application/Change Control (EventID: USER_ACCOUNT_DELETED)

McAfee ePolicy Orchestrator (EventID: 20793)

Microsoft ISA (EventID: user removed)

Microsoft Office 365 (EventID: Delete User-PartiallySucceded, Delete user-success, Delete User-success, Delete user-PartiallySucceded)

Microsoft SQL Server (EventID: 24129, DR - US, DR - SL, DR - LX, DR - AR, DR - SU, 24076, 24123, 38)

Microsoft Windows Security Event Log (EventID: 4743, 630, 1327, 647, 4726)

Netskope Active (EventID: Delete Admin, Deleted admin)

Nortel Application Switch (EventID: User Deleted)

Novell eDirectory (EventID: DELETE_ACCOUNT)

OS Services Qidmap (EventID: Account Deleted, User Deleted)

OSSEC (EventID: 18112)

Okta (EventID: core.user_group_member.user_remove, app.generic.import.details.delete_user)

Oracle Enterprise Manager (EventID: Computer Delete (successful), User Delete (successful))

Oracle RDBMS Audit Record (EventID: DROP USER-Standard:1, 53:1, 53:0, DROP USER-Standard:0, 53)

PGP Universal Server (EventID: ADMIN_DELETED_USER)

Palo Alto Endpoint Security Manager (EventID: User Deleted)

Pulse Secure Pulse Connect Secure (EventID: SYN24849, ADM20722, ADM24473, SYN24745, SYN24850)

RSA Authentication Manager (EventID: unknown, Deleted user, REMOVE_ORPHANED_PRINCIPALS, REMOTE_PRINCIPAL_DELETE, DELETE_PRINCIPAL)

SIM Audit (EventID: Configuration-UserAccount-AccountDeleted)

STEALTHbits StealthINTERCEPT (EventID: Active DirectorycomputerObject DeletedTrueFalse, Active DirectoryuserObject DeletedTrueFalse, Console user/group deleted)

SafeNet DataSecure/KeySecure (EventID: Removed user)

Skyhigh Networks Cloud Security Platform (EventID: 10017)

Solaris BSM (EventID: delete user)

SonicWALL SonicOS (EventID: 559, 1157, 1158)

Trend Micro Deep Security (EventID: 651)

Universal DSM (EventID: Computer Account Removed, User Account Removed)

VMware vCloud Director (EventID: com/vmware/vcloud/event/user/remove, com/vmware/vcloud/event/user/delete)

Vormetric Data Security (EventID: DAO0090I)

iT-CUBE agileSI (EventID: AU8, U0)