UEBA 5.x rules
The following rules are modified for UEBA 5.x.
- UEBA : Dormant Account Used
- UEBA : Large number of denied access events towards external domain
- UEBA : Remote access hole in corporate firewall
- UEBA : Executive only asset accessed by non-executive user from external network
- UEBA : Detected Activity from a Locked Machine
- UEBA : Bruteforce Authentication Attempts
- UEBA : High Risk User Access to Critical Asset
- UEBA : Multiple VPN Accounts Logged In From Single IP
- UEBA : Multiple VPN Accounts Failed Login From Single IP
- UEBA : Executive only asset accessed by non-executive user from internal network
- UEBA : User Attempt to Use Disabled Account
- UEBA : Dormant Account Use Attempted
- UEBA : Expired Account Used
- UEBA : Suspicious Privileged Activity (First Observed Privilege Use)
- UEBA : Suspicious Privileged Activity (Rarely Used Privilege)
- UEBA : User Attempt to Use a Suspended Account
- UEBA : Large Outbound Transfer by High Risk User
- UEBA : Multiple Blocked File Transfers Followed by a File Transfer
- UEBA : Suspicious Access Followed by Data Exfiltration
- UEBA : Data Exfiltration by Print
- UEBA : Initial Access Followed by Suspicious Activity
- UEBA : Potentially Compromised Account
- UEBA : Multiple blocked file uploads followed by a successful upload
- UEBA : User Potentially Phished
- UEBA : Suspicious Activity Followed by Exfiltration
- UEBA : Data Loss Possible
- UEBA : Data Exfiltration by Removable Media
- UEBA : Data Exfiltration by Cloud Services
- UEBA : Repeat Unauthorized Access
- UEBA : User Access - Failed Access to Critical Assets
- UEBA : Unix/Linux System Accessed With Service or Machine Account
- Critical Systems Users Seen Update
- UEBA : User Accessing Account from Anonymous Source
- UEBA : User Access at Unusual Times
- UEBA : User Access to Internal Server From Jump Server
- Populate Multiple VPN Accounts Failed Login From Single IP
- UEBA : First Access to Critical Assets
- UEBA : First Privilege Escalation
- UEBA : User Account Created and Deleted in a Short Period of Time
- UEBA : Account or Group or Privileges Modified
- UEBA : Browsed to Pornography Website
- UEBA : Browsed to Uncategorized Website
- UEBA : Browsed to LifeStyle Website
- UEBA : Browsed to Gambling Website
- UEBA : Anonymous User Accessed a Resource
- UEBA : Inbox Set to Forward to External Inbox
- UEBA : TGT Ticket Used by Multiple Hosts
- UEBA : Kerberos Account Enumeration Detected
- UEBA : Detect Persistent SSH session
- UEBA : Restricted Program Usage
- UEBA : Detect Insecure Or Non-Standard Protocol
- UEBA : Ransomware Behavior Detected
- UEBA : User Access from Restricted Location
- UEBA : User Access from Prohibited Location
- UEBA : User Geography Change
- UEBA : D/DoS Attack Detected
- UEBA : Honeytoken Activity
- UEBA : User Accessing Risky IP Anonymization
- UEBA : User Accessing Risky IP Malware
- UEBA : User Accessing Risky IP Spam
- UEBA : Detect IOCs for WannaCry
- UEBA : User Accessing Risky IP Dynamic