UBA : Multiple Sessions to Monitored Log Sources (NIS Directive)
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
UBA : Multiple Sessions to Monitored Log Sources (NIS Directive)
Enabled by default
False
Default senseValue
15
Description
Detects more than 2 connections to the same QRadar log source system within 5 minutes from a single user.
Support rules
BB:UBA : Common Event Filters
BB:CategoryDefinition: Authentication Success
Required configuration
Add the appropriate values to the following reference sets: "UBA : Monitored Log Sources (NIS Directive)".
Log source types
Linux OS (EventID: CRYPTO_LOGIN, ANOM_ROOT_TRANS, Accepted Password, GRP_AUTH, session opened, Privilege escalation, CRED_ACQ, Accepted password, USER_LOGIN, Successful Login, password changed, LOGIN)
Microsoft Windows Security Event Log (EventID: Login succeeded for user, 18454, 193, 18455, 627, 4648, 1202, 680, 18453, 628, 621, 4624, 552, 672, 673_Attempt, 4672, 169, 10015, 10014, 678, 671, 6280, 4717, 4723, 4724, 540, 528, 673_Request, 673_Granted, 4776, 405, 5823, 1200, 682)