UBA : User Attempt to Use Disabled Account

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Rule name: UBA : User Attempt to Use Disabled Account

Enabled by default: False

Default senseValue: 10

Description: Detects when a user tries to access the organization's resources by using a disabled account.

Support rules

  • BB:CategoryDefinition: Authentication to Disabled Account
  • BB:UBA : Disabled Accounts (Kerberos)
  • BB:UBA : Common Log Source Filters

Log source types

  • Extreme Dragon Network IPS (EventID: HOST:TACACS:REJECTED-USER, HOST:TACACS:REJECTED-USER2, HOST:WIN:530-FAILED-RESTRICTED, HOST:WIN:531-ACCOUNT-DISABLED, HOST:WIN:533-FAILED-NOT-ALLOWED, HOST:WIN:539-ACCOUNT-LOCKED, HOST:WIN:DIAL-IN-LOCKOUT, HOST:WU-FTP:DISABLED-ACCOUNT)
  • Microsoft Windows Security Event Log (EventID: 530, 531, 533, 534, 644, 1327, 4769, 4771, 4773, 4625 Account Disabled, 4625 Account Expired, 4625 Logon Outside Normal Time, 4625 User Locked Out)
  • IBM Proventia Network Intrusion Prevention System (IPS) (EventID: Disabled Account Blank Pwd, Disabled Account User Pwd, Failed_login-account_disabled, Failed_login-account_locked_out, Failed_login-not_authorized_for_console_login, Failed_login-time_restriction_violation, Guessed Disabled Account Pwd, User_account_disabled, User_account_locked_out)
  • Cisco Intrusion Prevention System (IPS) (EventID: 3343)
  • Microsoft IAS Server (EventID: IAS_ACCOUNT_DISABLED, IAS_ACCOUNT_LOCKED_OUT, IAS_DIALIN_DISABLED, IAS_DIALIN_LOCKED_OUT)
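The following is an added example, not code from the QRadar UBA app or from IBM's documentation. It shows the shape of the detection this rule describes: authentication events are matched against the log source types and event IDs listed above, and each match adds the rule's default senseValue (10) to the user's risk score. The `Event` record, its field names, the sample events and the `score_users` helper are constructed for illustration; the real rule additionally applies the filters in its supporting building blocks (for example the Kerberos disabled-account and common log source filters), which this example does not reproduce.

```python
"""Added example (not part of the QRadar UBA documentation): match
authentication events against the rule's listed log source types and
event IDs, then accumulate senseValue per user.

The event format below is constructed for this example, not QRadar's.
"""

from dataclasses import dataclass

# Event IDs per log source type, copied from the rule's "Log source types" list.
DISABLED_ACCOUNT_EVENTS = {
    "Extreme Dragon Network IPS": {
        "HOST:TACACS:REJECTED-USER", "HOST:TACACS:REJECTED-USER2",
        "HOST:WIN:530-FAILED-RESTRICTED", "HOST:WIN:531-ACCOUNT-DISABLED",
        "HOST:WIN:533-FAILED-NOT-ALLOWED", "HOST:WIN:539-ACCOUNT-LOCKED",
        "HOST:WIN:DIAL-IN-LOCKOUT", "HOST:WU-FTP:DISABLED-ACCOUNT",
    },
    "Microsoft Windows Security Event Log": {
        "530", "531", "533", "534", "644", "1327", "4769", "4771", "4773",
        "4625 Account Disabled", "4625 Account Expired",
        "4625 Logon Outside Normal Time", "4625 User Locked Out",
    },
    "IBM Proventia Network Intrusion Prevention System (IPS)": {
        "Disabled Account Blank Pwd", "Disabled Account User Pwd",
        "Failed_login-account_disabled", "Failed_login-account_locked_out",
        "Failed_login-not_authorized_for_console_login",
        "Failed_login-time_restriction_violation",
        "Guessed Disabled Account Pwd", "User_account_disabled",
        "User_account_locked_out",
    },
    "Cisco Intrusion Prevention System (IPS)": {"3343"},
    "Microsoft IAS Server": {
        "IAS_ACCOUNT_DISABLED", "IAS_ACCOUNT_LOCKED_OUT",
        "IAS_DIALIN_DISABLED", "IAS_DIALIN_LOCKED_OUT",
    },
}

DEFAULT_SENSE_VALUE = 10  # the rule's default senseValue from the page


@dataclass(frozen=True)
class Event:
    """Constructed event record (hypothetical field names, not QRadar's)."""
    log_source_type: str
    event_id: str
    username: str
    source_ip: str


def matches_rule(event: Event) -> bool:
    """True if the event's source type and ID are in the rule's lists.

    This is the event-ID match only; the real rule also applies its
    building-block filters, which are not modelled here (assumption).
    """
    ids = DISABLED_ACCOUNT_EVENTS.get(event.log_source_type)
    return ids is not None and event.event_id in ids


def score_users(events, sense_value: int = DEFAULT_SENSE_VALUE) -> dict:
    """Add sense_value to a user's score for every matching event."""
    scores: dict = {}
    for event in events:
        if matches_rule(event):
            scores[event.username] = scores.get(event.username, 0) + sense_value
    return scores


# Constructed sample events: one benign successful logon (4624 is not in the
# rule's list) and several attempts against disabled or locked accounts.
SAMPLE_EVENTS = [
    Event("Microsoft Windows Security Event Log", "4624", "alice", "10.0.0.5"),
    Event("Microsoft Windows Security Event Log", "4625 Account Disabled", "bob", "10.0.0.7"),
    Event("Microsoft Windows Security Event Log", "4771", "bob", "10.0.0.7"),
    Event("Microsoft IAS Server", "IAS_ACCOUNT_DISABLED", "carol", "10.0.0.9"),
    Event("Microsoft Windows Security Event Log", "4625 Account Disabled", "bob", "10.0.0.8"),
]

if __name__ == "__main__":
    for user, score in sorted(score_users(SAMPLE_EVENTS).items()):
        print(f"{user}: senseValue total {score}")
```

Running the block scores bob at 30 (three matching events) and carol at 10, while alice's successful logon contributes nothing. In practice a disabled account should never authenticate successfully, so the interesting review question is less the per-user total than which source IPs keep presenting credentials for an account that was deliberately disabled.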