UBA : User Attempt to Use Disabled Account
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
Enabled by default: False
Default senseValue: 10
Description
Detects when a user tries to access the organization's resources by using a disabled account.
Support rules
- BB:CategoryDefinition: Authentication to Disabled Account
- BB:UBA : Disabled Accounts (Kerberos)
- BB:UBA : Common Log Source Filters
Log source types
- Extreme Dragon Network IPS (EventID: HOST:TACACS:REJECTED-USER, HOST:TACACS:REJECTED-USER2, HOST:WIN:530-FAILED-RESTRICTED, HOST:WIN:531-ACCOUNT-DISABLED, HOST:WIN:533-FAILED-NOT-ALLOWED, HOST:WIN:539-ACCOUNT-LOCKED, HOST:WIN:DIAL-IN-LOCKOUT, HOST:WU-FTP:DISABLED-ACCOUNT)
- Microsoft Windows Security Event Log (EventID: 530, 531, 533, 534, 644, 1327, 644, 4769, 4771, 4773, 4625 Account Disabled, 4625 Account Expired, 4625 Logon Outside Normal Time, 4625 User Locked Out)
- IBM Proventia Network Intrusion Prevention System (IPS) (EventID: Disabled Account Blank Pwd, Disabled Account User Pwd, Failed_login-account_disabled, Failed_login-account_locked_out, Failed_login-not_authorized_for_console_login, Failed_login-time_restriction_violation, Guessed Disabled Account Pwd, User_account_disabled, User_account_locked_out)
- Cisco Intrusion Prevention System (IPS) (EventID: 3343)
- Microsoft IAS Server (EventID: IAS_ACCOUNT_DISABLED, IAS_ACCOUNT_LOCKED_OUT, IAS_DIALIN_DISABLED, IAS_DIALIN_LOCKED_OUT)
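
The following is an added example, not QRadar's rule logic or IBM code: a Python sketch that tells apart the four Windows 4625 variants listed above by their NTSTATUS codes and flags Kerberos 4771 failures with code 0x12. Assumptions: events arrive as parsed dictionaries that use the Windows event field names, each match adds the default senseValue to a per-user score, and the function names and sample events are constructed for illustration.

```python
from collections import defaultdict

SENSE_VALUE = 10  # default senseValue from this page; adding it per match is an assumption

# NTSTATUS codes seen in the Status/SubStatus fields of event 4625,
# mapped to the four 4625 variants named in the log source list.
NTSTATUS_4625 = {
    0xC0000072: "4625 Account Disabled",
    0xC0000193: "4625 Account Expired",
    0xC000006F: "4625 Logon Outside Normal Time",
    0xC0000234: "4625 User Locked Out",
}
# Kerberos failure code 0x12 covers a disabled, expired or locked-out account.
KDC_ERR_CLIENT_REVOKED = 0x12

def classify(event):
    """Return a category label for a relevant event, otherwise None."""
    eid = event.get("EventID")
    if eid == 4625:
        # The specific reason is usually in SubStatus; lockouts report it in Status.
        for field in ("SubStatus", "Status"):
            label = NTSTATUS_4625.get(int(event.get(field, "0x0"), 16))
            if label:
                return label
    elif eid == 4771 and int(event.get("Status", "0x0"), 16) == KDC_ERR_CLIENT_REVOKED:
        return "4771 Kerberos pre-authentication failed (client revoked)"
    return None

def score_users(events):
    """Accumulate a score and the matched categories for each account."""
    scores, hits = defaultdict(int), defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            user = ev.get("TargetUserName", "").lower()  # account names are case-insensitive
            scores[user] += SENSE_VALUE
            hits[user].append(label)
    return dict(scores), dict(hits)

# Constructed sample events, not taken from real logs.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TargetUserName": "jsmith", "Status": "0xC000006E", "SubStatus": "0xC0000072"},
    {"EventID": 4625, "TargetUserName": "alice", "Status": "0xC000006D", "SubStatus": "0xC000006A"},
    {"EventID": 4771, "TargetUserName": "JSmith", "Status": "0x12"},
    {"EventID": 4771, "TargetUserName": "bob", "Status": "0x18"},
    {"EventID": 4625, "TargetUserName": "carol", "Status": "0xC0000234", "SubStatus": "0x0"},
    {"EventID": 4624, "TargetUserName": "jsmith"},
]

if __name__ == "__main__":
    print(score_users(SAMPLE_EVENTS))
```

Wrong-password failures (SubStatus 0xC000006A, Kerberos 0x18) are deliberately not matched, which keeps ordinary typos out of the disabled-account score.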