UEBA : Suspicious Activity Followed by Exfiltration
The QRadar® User Entity Behavior Analytics (UEBA) app supports use cases based on rules for certain behavioral anomalies.
Enabled by default: False
Default senseValue: 15
Default senseValueSource: 15
Default senseValueDestination: 15
Description: Detects a scenario in which suspicious activity on a user account is followed by exfiltration within 24 hours.
Support rules
BB:UBA : Compromised Account - Execution, covering the following rules:
- UEBA : User Geography Change
- UBA : Unauthorized Access
- UEBA : User Access - Failed Access to Critical Assets
- UBA : Login Anomaly
- UEBA : User Accessing Account from Anonymous Source
- UBA : Account or Group or Privileges Added
- UBA : Account or Group or Privileges Modified
- UBA : User Account Created and Deleted in a Short Period of Time
- UBA : Dormant Account Use Attempted
- UBA : Dormant Account Used
- UBA : User Time, Access at Unusual Times
- UEBA : Suspicious Privileged Activity (Rarely Used Privilege)
BB:UBA : Compromised Account - Exfiltration
Required configuration: See the support rules listed above
Log source types: See the support rules listed above
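The sequence logic this rule describes, as an added example in Python that is not part of the QRadar UEBA app or of this reference page. It treats a match of any rule listed under the Execution building block as the suspicious activity and, as an assumption (the page does not enumerate the rules inside it), a match of the Exfiltration building block itself as the exfiltration event; it fires only when the exfiltration follows the suspicious activity for the same user within 24 hours and adds the default senseValue of 15 to that user's score. The names RuleMatch, stage, correlate, risk_scores and the sample matches are constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Default senseValue from the rule definition above.
SENSE_VALUE = 15
# "within 24 hours" from the rule description.
WINDOW = timedelta(hours=24)

# Rules listed on this page under BB:UBA : Compromised Account - Execution.
EXECUTION_RULES = frozenset({
    "UEBA : User Geography Change",
    "UBA : Unauthorized Access",
    "UEBA : User Access - Failed Access to Critical Assets",
    "UBA : Login Anomaly",
    "UEBA : User Accessing Account from Anonymous Source",
    "UBA : Account or Group or Privileges Added",
    "UBA : Account or Group or Privileges Modified",
    "UBA : User Account Created and Deleted in a Short Period of Time",
    "UBA : Dormant Account Use Attempted",
    "UBA : Dormant Account Used",
    "UBA : User Time, Access at Unusual Times",
    "UEBA : Suspicious Privileged Activity (Rarely Used Privilege)",
})

# Assumption: the page does not list the rules inside the exfiltration building
# block, so an exfiltration-stage match is represented by the block name itself.
EXFILTRATION_BB = "BB:UBA : Compromised Account - Exfiltration"


@dataclass(frozen=True)
class RuleMatch:
    """One rule or building-block match attributed to a user (constructed type)."""
    user: str
    rule: str
    at: datetime


def stage(match: RuleMatch) -> Optional[str]:
    """Map a match to the stage of the chain it belongs to, or None if neither."""
    if match.rule in EXECUTION_RULES:
        return "execution"
    if match.rule == EXFILTRATION_BB:
        return "exfiltration"
    return None


def correlate(matches):
    """Return (user, execution_match, exfiltration_match) triples for every
    exfiltration match that is preceded, for the same user, by an
    execution-stage match at most WINDOW earlier. Order matters: exfiltration
    seen before the suspicious activity does not count."""
    hits = []
    pending = {}  # user -> execution-stage matches still inside the window
    for m in sorted(matches, key=lambda x: x.at):
        s = stage(m)
        if s == "execution":
            pending.setdefault(m.user, []).append(m)
        elif s == "exfiltration":
            live = [e for e in pending.get(m.user, []) if m.at - e.at <= WINDOW]
            pending[m.user] = live  # drop execution matches older than the window
            if live:
                hits.append((m.user, live[-1], m))  # most recent qualifying activity
    return hits


def risk_scores(matches):
    """Risk points added per user: one senseValue for each chain hit."""
    scores = {}
    for user, _, _ in correlate(matches):
        scores[user] = scores.get(user, 0) + SENSE_VALUE
    return scores


# Constructed sample matches (not real QRadar data).
T = datetime(2024, 5, 1, 8, 0)
SAMPLE = [
    # alice: dormant account used, exfiltration 12 hours later -> hit
    RuleMatch("alice", "UBA : Dormant Account Used", T),
    RuleMatch("alice", EXFILTRATION_BB, T + timedelta(hours=12)),
    # bob: exfiltration first, login anomaly afterwards -> wrong order, no hit
    RuleMatch("bob", EXFILTRATION_BB, T + timedelta(hours=1)),
    RuleMatch("bob", "UBA : Login Anomaly", T + timedelta(hours=2)),
    # carol: geography change, exfiltration 30 hours later -> outside the window
    RuleMatch("carol", "UEBA : User Geography Change", T),
    RuleMatch("carol", EXFILTRATION_BB, T + timedelta(hours=30)),
    # dave: privilege added, exfiltration one minute inside the window -> hit
    RuleMatch("dave", "UBA : Account or Group or Privileges Added", T + timedelta(days=2)),
    RuleMatch("dave", EXFILTRATION_BB, T + timedelta(days=2, hours=23, minutes=59)),
    # erin: a rule outside the Execution block, then exfiltration -> not in chain
    RuleMatch("erin", "constructed unrelated rule", T),
    RuleMatch("erin", EXFILTRATION_BB, T + timedelta(hours=3)),
]

if __name__ == "__main__":
    for user, execution, exfil in correlate(SAMPLE):
        print(f"{user}: {execution.rule} at {execution.at} -> exfiltration at {exfil.at}")
    print(risk_scores(SAMPLE))
```

Running the block reports hits for alice and dave only: bob's exfiltration precedes the anomaly, carol's falls outside the 24-hour window, and erin's preceding rule is not one of the Execution block's rules.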