UBA : Suspicious Access Followed by Data Exfiltration

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default: False

Default senseValue: 15

Description

Detects access from unusual, restricted, or prohibited locations followed by a data exfiltration attempt.

Support rule

  • BB:UBA : Common Event Filters
  • BB:UBA : Data Exfiltration
  • UBA : User Access from Restricted Location
  • UBA : User Access from Prohibited Location
  • UBA : User Geography, Access from Unusual Locations

Required configuration

Enable the following rules:
  • UBA : User Access from Restricted Location
  • UBA : User Access from Prohibited Location
  • UBA : User Geography, Access from Unusual Locations

Log source types

  • Cisco Stealthwatch (EventID: 45)
  • IBM Security Trusteer Apex Advanced Malware Protection (EventID: ConnectionCreate.Connection_Test, CerberusNG.ent_create_remote_thread, ConnectionCreate.in_suspend_state, ConnectionCreate.orphant_thread_connect, close.file_inspection, processcreate.file_inspection)
  • Skyhigh Networks Cloud Security Platform (EventID: 10003, 10004)