UBA : Suspicious Access Followed by Data Exfiltration
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
Enabled by default: False
Default senseValue: 15
Description
Detects a user access from an unusual, restricted, or prohibited location that is then followed by a data exfiltration attempt. The location anomaly must come first; an exfiltration attempt with no preceding location anomaly does not match this rule.
Supporting rules and building blocks
- BB:UBA : Common Event Filters
- BB:UBA : Data Exfiltration
- UBA : User Access from Restricted Location
- UBA : User Access from Prohibited Location
- UBA : User Geography, Access from Unusual Locations
Required configuration
This rule is disabled by default and fires only on matches produced by the supporting rules, so enable the following rules before enabling this one:
- UBA : User Access from Restricted Location
- UBA : User Access from Prohibited Location
- UBA : User Geography, Access from Unusual Locations
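The following Python sketch is an added illustration of the ordering constraint this rule encodes (location anomaly first, exfiltration attempt afterwards, same user). It is not code from the QRadar UBA app or from IBM: the tag strings, the one-hour correlation window, the per-user pending list, and the sample events are all constructed for the example, and the app's own rule engine is not reproduced here.

```python
"""Illustrative sequence correlator for the "Suspicious Access Followed by
Data Exfiltration" pattern.

Added example, not the QRadar UBA app's own rule engine. It assumes
(hypothetically) that the supporting rules have already tagged each event
with the name of the rule or building block that matched, and that every
event carries a username and a timestamp.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tags contributed by the three supporting rules (rule names as listed on this
# page; using the rule name as the tag string is an assumption of the example).
ACCESS_TAGS = {
    "UBA : User Access from Restricted Location",
    "UBA : User Access from Prohibited Location",
    "UBA : User Geography, Access from Unusual Locations",
}
EXFIL_TAG = "BB:UBA : Data Exfiltration"
SENSE_VALUE = 15              # default senseValue of the rule on this page
WINDOW = timedelta(hours=1)   # hypothetical correlation window, not from the page


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    tag: str


@dataclass(frozen=True)
class Offense:
    user: str
    access_tag: str
    access_ts: datetime
    exfil_ts: datetime
    sense_value: int = SENSE_VALUE


def correlate(events, window=WINDOW):
    """Return one Offense per user whose location anomaly is followed, within
    `window`, by an exfiltration event for the same user.

    Events are processed in timestamp order, so an anomaly only counts when it
    precedes the exfiltration attempt. Each exfiltration event consumes the
    user's pending anomalies so one burst does not yield duplicate offenses.
    """
    pending = defaultdict(list)   # user -> location anomalies not yet paired
    offenses = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.tag in ACCESS_TAGS:
            pending[ev.user].append(ev)
        elif ev.tag == EXFIL_TAG:
            live = [a for a in pending[ev.user] if ev.ts - a.ts <= window]
            if live:
                first = live[0]
                offenses.append(Offense(ev.user, first.tag, first.ts, ev.ts))
            pending[ev.user] = []  # consumed, whether or not an offense fired
        # any other tag is irrelevant to this rule and ignored
    return offenses


def constructed_events():
    """Constructed sample input covering the match and the three non-matches."""
    t0 = datetime(2024, 1, 1, 9, 0)
    return [
        # alice: restricted-location access, exfiltration 20 min later -> offense
        Event(t0, "alice", "UBA : User Access from Restricted Location"),
        Event(t0 + timedelta(minutes=20), "alice", EXFIL_TAG),
        # bob: exfiltration BEFORE the unusual-location access -> no offense
        Event(t0, "bob", EXFIL_TAG),
        Event(t0 + timedelta(minutes=5), "bob",
              "UBA : User Geography, Access from Unusual Locations"),
        # carol: prohibited-location access, exfiltration 3 h later -> outside window
        Event(t0, "carol", "UBA : User Access from Prohibited Location"),
        Event(t0 + timedelta(hours=3), "carol", EXFIL_TAG),
        # dave: exfiltration with no prior location anomaly -> no offense
        Event(t0, "dave", EXFIL_TAG),
    ]


if __name__ == "__main__":
    for offense in correlate(constructed_events()):
        print(offense)
```

Running the script prints a single offense, for alice; bob, carol and dave show the three ways the sequence fails to match (wrong order, outside the window, no preceding anomaly). In the real app the window and the user attribution come from the rule and building-block configuration, not from constants like these.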
Log source types
Cisco Stealthwatch (EventID: 45)
IBM Security Trusteer Apex Advanced Malware Protection (EventID: ConnectionCreate.Connection_Test, CerberusNG.ent_create_remote_thread, ConnectionCreate.in_suspend_state, ConnectionCreate.orphant_thread_connect, close.file_inspection, processcreate.file_inspection)
Skyhigh Networks Cloud Security Platform (EventID: 10003, 10004)