UBA : DoS Attack by Account Deletion
The QRadar® User Entity Behavior Analytics (UEBA) app supports use cases based on rules for certain behavioral anomalies.
Enabled by default: False
Default senseValue: 10
Description: Detects a DoS attack by checking the number of account deletion events against a fixed threshold within a fixed time span.
Support rules
- BB:UBA : Common Event Filters
- BB:UBA : User Account Deleted
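The description above is a fixed-threshold count over a fixed time window. The following is an added example, not QRadar's rule logic or any code from the UBA app: a sliding-window detector over constructed events that (a) maps a log source type and event ID to "account deleted", which is the job the building block BB:UBA : User Account Deleted does in QRadar, and (b) raises an offense with the rule's default senseValue when one actor's deletions reach the threshold within the window. The threshold (5), the window (10 minutes), the per-actor counting, the event dictionary fields (time, log_source_type, event_id, actor, target) and the subset of event mappings are assumptions; the page states only that the threshold and time span are fixed.

```python
"""Added example (not QRadar's own code): sliding-window threshold check
in the spirit of 'UBA : DoS Attack by Account Deletion'."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Subset of the (log source type, EventID) pairs listed on the page that mean
# "an account was deleted". In QRadar this mapping is the job of the building
# block BB:UBA : User Account Deleted; the subset here is for illustration only.
ACCOUNT_DELETED_EVENTS = {
    ("Microsoft Windows Security Event Log", "4726"),
    ("Microsoft Windows Security Event Log", "630"),
    ("Linux OS", "DEL_USER"),
    ("Amazon AWS CloudTrail", "DeleteUser"),
    ("Okta", "app.generic.import.details.delete_user"),
}

# ASSUMED values: the page only says the threshold and time span are fixed.
THRESHOLD = 5
WINDOW = timedelta(minutes=10)
SENSE_VALUE = 10  # the page's default senseValue for this rule


def is_account_deletion(event):
    """True when the event's (log source type, EventID) is a known deletion."""
    return (event["log_source_type"], event["event_id"]) in ACCOUNT_DELETED_EVENTS


def detect_deletion_bursts(events, threshold=THRESHOLD, window=WINDOW,
                           sense_value=SENSE_VALUE):
    """Return one offense per burst of >= threshold deletions by the same actor
    inside `window`. Counting per actor is an assumption of this example.
    Events may arrive in any order; they are sorted by time first."""
    recent = defaultdict(deque)  # actor -> timestamps of deletions in window
    offenses = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_account_deletion(ev):
            continue  # logons, config changes etc. never count
        q = recent[ev["actor"]]
        q.append(ev["time"])
        # Drop deletions older than the window relative to the newest one.
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            offenses.append({
                "actor": ev["actor"],
                "count": len(q),
                "first": q[0],
                "last": ev["time"],
                "sense_value": sense_value,
            })
            q.clear()  # one offense per burst, not one per further deletion
    return offenses


def _t(minutes):
    """Constructed timestamp helper: minutes after 09:00 on a fixed day."""
    return datetime(2024, 1, 1, 9, 0) + timedelta(minutes=minutes)


# Constructed sample events (not real logs). svc_admin deletes five accounts
# across four log sources in four minutes; alice deletes two, 25 minutes apart.
WIN = "Microsoft Windows Security Event Log"
SAMPLE_EVENTS = [
    {"time": _t(0), "log_source_type": WIN, "event_id": "4624",
     "actor": "svc_admin", "target": "j.doe"},            # logon: ignored
    {"time": _t(1), "log_source_type": WIN, "event_id": "4726",
     "actor": "svc_admin", "target": "j.doe"},
    {"time": _t(2), "log_source_type": WIN, "event_id": "4726",
     "actor": "svc_admin", "target": "a.smith"},
    {"time": _t(2), "log_source_type": "Linux OS", "event_id": "DEL_USER",
     "actor": "svc_admin", "target": "build1"},
    {"time": _t(3), "log_source_type": "Amazon AWS CloudTrail",
     "event_id": "DeleteUser", "actor": "svc_admin", "target": "ci-deployer"},
    {"time": _t(4), "log_source_type": "Okta",
     "event_id": "app.generic.import.details.delete_user",
     "actor": "svc_admin", "target": "contractor7"},      # 5th: offense fires
    {"time": _t(5), "log_source_type": WIN, "event_id": "4726",
     "actor": "svc_admin", "target": "m.lee"},            # new burst, count 1
    {"time": _t(0), "log_source_type": WIN, "event_id": "4726",
     "actor": "alice", "target": "temp1"},
    {"time": _t(25), "log_source_type": WIN, "event_id": "4726",
     "actor": "alice", "target": "temp2"},                # outside the window
]

if __name__ == "__main__":
    for off in detect_deletion_bursts(SAMPLE_EVENTS):
        print(f"{off['actor']}: {off['count']} deletions between "
              f"{off['first']:%H:%M} and {off['last']:%H:%M}, "
              f"senseValue {off['sense_value']}")
```

Clearing the per-actor window after an offense means a long-running deletion spree produces one offense per `threshold` deletions rather than one per event; if you would rather see a single offense that keeps updating its count, replace the `q.clear()` with a flag that suppresses re-firing until the window empties.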
Log source types
Amazon AWS CloudTrail (EventID: DeleteUser)
Application Security DbProtect (EventID: Login revoked - Windows, Login dropped - standard, Database role - dropped, Database user revoked)
Aruba Mobility Controller (EventID: authmgr_user_del)
Box (EventID: DELETE_USER)
Brocade FabricOS (EventID: SEC-1181, SEC-3028)
CA ACF2 (EventID: ACF2-L)
Check Point (EventID: user_deleted, device_deleted, User Deleted)
Cilasoft QJRN/400 (EventID: C20020)
Cisco Adaptive Security Appliance (ASA) (EventID: %PIX|ASA-5-502102, %ASA-5-502102)
Cisco FireSIGHT Management Center (EventID: USER_REMOVED_CHANGE_EVENT)
Cisco Firewall Services Module (FWSM) (EventID: 502102)
Cisco Identity Services Engine (EventID: 86008, 86028)
Cisco NAC Appliance (EventID: CCA-1453, CCA-1502)
Cisco Nexus (EventID: SECURITYD-6-DELETE_STALE_USER_ACCOUNT)
Cisco Wireless LAN Controllers (EventID: 1.3.6.1.4.1.9.9.515.0.1)
CloudPassage Halo (EventID: Halo user deleted, Local account deleted (linux only))
CorreLog Agent for IBM zOS (EventID: RACF DELUSER: No Violations)
Custom Rule Engine (EventID: 3035, 3043)
Cyber-Ark Vault (EventID: 276)
EMC VMWare (EventID: AccountRemovedEvent)
Extreme Dragon Network IPS (EventID: HOST:LINUX:USER-DELETED, HOST:WIN:ACCOUNT-DELETED)
Extreme Matrix K/N/S Series Switch (EventID: User Deleted Event, has been deleted)
Extreme NAC (EventID: Deleted registered user)
Extreme NetsightASM (EventID: UserRemove)
Flow Classification Engine (EventID: 3035, 3043)
Forcepoint Sidewinder (EventID: passport deletion, all passports revoked)
HBGary Active Defense (EventID: DeleteUser)
HP Network Automation (EventID: User Deleted)
Huawei S Series Switch (EventID: SSH/6/DELUSER_SUCCESS)
IBM AIX Audit (EventID: USER_Remove SUCCEEDED)
IBM AIX Server (EventID: USER_Remove)
IBM DB2 (EventID: DROP_USER SUCCESS)
IBM DataPower (EventID: 0x81000136)
IBM IMS (EventID: USER DELETED)
IBM Proventia Network Intrusion Prevention System (IPS) (EventID: Delete User)
IBM Resource Access Control Facility (RACF) (EventID: 80 17.2, DELUSER_SUCCESS, 80 17.0)
IBM Security Access Manager for Enterprise Single Sign-On (EventID: REVOKE_IMS_ID, DELETE_IMS_ID)
IBM Security Directory Server (EventID: SDS Audit)
IBM Security Identity Governance (EventID: 50, 43, 70005)
IBM Security Identity Manager (EventID: Delete SUCCESS, Delete SUBMITTED, Delete Success)
IBM SmartCloud Orchestrator (EventID: user)
IBM Tivoli Access Manager for e-business (EventID: 13408 - Succeeded, 13408 Command Succeeded)
IBM i (EventID: GSL2502, M250100, DO_USRPRF, GSL2602, GSL2601, M260100, MC@0400, GSL2501)
IBM z/OS (EventID: 80 1.35)
Juniper Networks Network and Security Manager (EventID: adm24473)
Linux OS (EventID: userDel, Account Deleted, DEL_USER)
McAfee Application/Change Control (EventID: USER_ACCOUNT_DELETED)
McAfee ePolicy Orchestrator (EventID: 20793)
Microsoft ISA (EventID: user removed)
Microsoft Office 365 (EventID: Delete User-PartiallySucceded, Delete user-success, Delete User-success, Delete user-PartiallySucceded)
Microsoft SQL Server (EventID: 24129, DR - US, DR - SL, DR - LX, DR - AR, DR - SU, 24076, 24123, 38)
Microsoft Windows Security Event Log (EventID: 4743, 630, 1327, 647, 4726)
Netskope Active (EventID: Delete Admin, Deleted admin)
Nortel Application Switch (EventID: User Deleted)
Novell eDirectory (EventID: DELETE_ACCOUNT)
OS Services Qidmap (EventID: Account Deleted, User Deleted)
OSSEC (EventID: 18112)
Okta (EventID: core.user_group_member.user_remove, app.generic.import.details.delete_user)
Oracle Enterprise Manager (EventID: Computer Delete (successful), User Delete (successful))
Oracle RDBMS Audit Record (EventID: DROP USER-Standard:1, 53:1, 53:0, DROP USER-Standard:0, 53)
PGP Universal Server (EventID: ADMIN_DELETED_USER)
Palo Alto Endpoint Security Manager (EventID: User Deleted)
Pulse Secure Pulse Connect Secure (EventID: SYN24849, ADM20722, ADM24473, SYN24745, SYN24850)
RSA Authentication Manager (EventID: unknown, Deleted user, REMOVE_ORPHANED_PRINCIPALS, REMOTE_PRINCIPAL_DELETE, DELETE_PRINCIPAL)
SIM Audit (EventID: Configuration-UserAccount-AccountDeleted)
STEALTHbits StealthINTERCEPT (EventID: Active DirectorycomputerObject DeletedTrueFalse, Active DirectoryuserObject DeletedTrueFalse, Console user/group deleted, Console user/group deleted)
SafeNet DataSecure/KeySecure (EventID: Removed user)
Skyhigh Networks Cloud Security Platform (EventID: 10017)
Solaris BSM (EventID: delete user)
SonicWALL SonicOS (EventID: 559, 1157, 1158)
Trend Micro Deep Security (EventID: 651)
Universal DSM (EventID: Computer Account Removed, User Account Removed)
VMware vCloud Director (EventID: com/vmware/vcloud/event/user/remove, com/vmware/vcloud/event/user/delete)
Vormetric Data Security (EventID: DAO0090I)
iT-CUBE agileSI (EventID: AU8, U0)