UBA : Login Anomaly
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
Enabled by default
False
Default senseValue
5
Description
Indicates a sequence of login failures on a local asset. The rule might also indicate an account compromise or lateral movement activity. Ensure that the Multiple Login Failures for Single Username rule is enabled. Adjust the match and time duration parameters for this rule to tune the responsiveness.
Support rules
- BB:UBA : Common Event Filters
- Multiple Login Failures for Single Username
Required configuration
Enable the following rule: "Multiple Login Failures for Single Username"
Log source types
All supported log sources.
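
The effect of the match and time duration parameters mentioned in the description, shown as an added example that is not QRadar's rule logic or part of the original page. It counts login failures per username on one asset inside a sliding time window; the event tuples, the host and user names, and the windowing semantics are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, asset, username, outcome).
T0 = datetime(2024, 1, 15, 9, 0, 0)
EVENTS = (
    [(T0 + timedelta(seconds=50 * i), "ws-014", "jdoe", "failure") for i in range(5)]
    + [(T0 + timedelta(minutes=12 * i), "ws-022", "asmith", "failure") for i in range(3)]
    + [(T0 + timedelta(minutes=5), "ws-014", "jdoe", "success")]
)


def login_failure_sequences(events, match, window_seconds):
    """Return one (asset, username, first_failure, last_failure) tuple each time
    `match` failures for the same username on the same asset fall within
    `window_seconds`. Assumed semantics for illustration, not QRadar's rule engine."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (asset, username) -> timestamps of recent failures
    alerts = []
    for ts, asset, user, outcome in sorted(events):
        if outcome != "failure":
            continue
        q = recent[(asset, user)]
        q.append(ts)
        # Drop failures that have aged out of the time window.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= match:
            alerts.append((asset, user, q[0], ts))
            q.clear()  # start counting afresh so one burst yields one alert
    return alerts


def flagged_users(match, window_seconds):
    """Usernames flagged in the sample data for a given parameter pair."""
    return sorted({a[1] for a in login_failure_sequences(EVENTS, match, window_seconds)})


if __name__ == "__main__":
    # Tight, default-like, and loose settings over the same constructed events.
    for match, window in [(5, 60), (5, 300), (3, 1800)]:
        print(f"match={match} window={window}s -> {flagged_users(match, window)}")
```

A lower match count or a longer time duration catches the slow sequence on ws-022 as well as the fast burst on ws-014, at the cost of more alerts from ordinary mistyped passwords.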