UEBA 5.x rules

The following rules are modified for UEBA 5.x.

  1. UEBA : Dormant Account Used
  2. UEBA : Large number of denied access events towards external domain
  3. UEBA : Remote access hole in corporate firewall
  4. UEBA : Executive only asset accessed by non-executive user from external network
  5. UEBA : Detected Activity from a Locked Machine
  6. UEBA : Bruteforce Authentication Attempts
  7. UEBA : High Risk User Access to Critical Asset
  8. UEBA : Multiple VPN Accounts Logged In From Single IP
  9. UEBA : Multiple VPN Accounts Failed Login From Single IP
  10. UEBA : Executive only asset accessed by non-executive user from internal network
  11. UEBA : User Attempt to Use Disabled Account
  12. UEBA : Dormant Account Use Attempted
  13. UEBA : Expired Account Used
  14. UEBA : Suspicious Privileged Activity (First Observed Privilege Use)
  15. UEBA : Suspicious Privileged Activity (Rarely Used Privilege)
  16. UEBA : User Attempt to Use a Suspended Account
  17. UEBA : Large Outbound Transfer by High Risk User
  18. UEBA : Multiple Blocked File Transfers Followed by a File Transfer
  19. UEBA : Suspicious Access Followed by Data Exfiltration
  20. UEBA : Data Exfiltration by Print
  21. UEBA : Initial Access Followed by Suspicious Activity
  22. UEBA : Potentially Compromised Account
  23. UEBA : Multiple blocked file uploads followed by a successful upload
  24. UEBA : User Potentially Phished
  25. UEBA : Suspicious Activity Followed by Exfiltration
  26. UEBA : Data Loss Possible
  27. UEBA : Data Exfiltration by Removable Media
  28. UEBA : Data Exfiltration by Cloud Services
  29. UEBA : Repeat Unauthorized Access
  30. UEBA : User Access - Failed Access to Critical Assets
  31. UEBA : Unix/Linux System Accessed With Service or Machine Account
  32. Critical Systems Users Seen Update
  33. UEBA : User Accessing Account from Anonymous Source
  34. UEBA : User Access at Unusual Times
  35. UEBA : User Access to Internal Server From Jump Server
  36. Populate Multiple VPN Accounts Failed Login From Single IP
  37. UEBA : First Access to Critical Assets
  38. UEBA : First Privilege Escalation
  39. UEBA : User Account Created and Deleted in a Short Period of Time
  40. UEBA : Account or Group or Privileges Modified
  41. UEBA : Browsed to Pornography Website
  42. UEBA : Browsed to Uncategorized Website
  43. UEBA : Browsed to LifeStyle Website
  44. UEBA : Browsed to Gambling Website
  45. UEBA : Anonymous User Accessed a Resource
  46. UEBA : Inbox Set to Forward to External Inbox
  47. UEBA : TGT Ticket Used by Multiple Hosts
  48. UEBA : Kerberos Account Enumeration Detected
  49. UEBA : Detect Persistent SSH session
  50. UEBA : Restricted Program Usage
  51. UEBA : Detect Insecure Or Non-Standard Protocol
  52. UEBA : Ransomware Behavior Detected
  53. UEBA : User Access from Restricted Location
  54. UEBA : User Access from Prohibited Location
  55. UEBA : User Geography Change
  56. UEBA : D/DoS Attack Detected
  57. UEBA : Honeytoken Activity
  58. UEBA : User Accessing Risky IP Anonymization
  59. UEBA : User Accessing Risky IP Malware
  60. UEBA : User Accessing Risky IP Spam
  61. UEBA : Detect IOCs for WannaCry
  62. UEBA : User Accessing Risky IP Dynamic