UBA : Data Loss Possible

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Data Loss Possible

Enabled by default


Default senseValue



Detects possible data loss determined by either the data source, event category or specific events related to data loss detection and prevention.

Support rules

  • BB:UBA : Data Loss Categories
  • BB:UBA : Data Loss Devices
  • BB:UBA : Data Loss Events

Log source types

Check Point (EventID: Detect)

Cisco Stealthwatch (EventID: 40, 45)

Forcepoint V Series (EventID: BLOCKED_BY_WEB_DLP)

Fortinet FortiGate Security Gateway (EventID: dlp passthrough, 43720)

IBM Proventia Network Intrusion Prevention System (IPS) (EventID: BsdlprSymlink,FreebsdLpdBo, HummingbirdLpdBo, MozillaSenduidlPop3Bo, BsdLpdBo)

McAfee Network Security Platform (EventID: 0x4517f400)

Netskope Active (EventID: dlp)

Pulse Secure Pulse Connect Secure (EventID: SYS24815, SYS24843, SYS24844)

Skyhigh Networks Cloud Security Platform (EventID: Anomaly, Incident, 10003, 10004, 10005, 10036)

Symantec DLP (EventID: all ids)

TippingPoint Intrusion Prevention System (IPS) (EventID: 26335,26334, 26336,27318, 27494, 27515)

Universal DSM (EventID: Data Loss Possible, Data Loss Prevention Policy Violation)

Verdasys Digital Guardian (EventID: ADE Screen Capture, Application Data Exchange, Attach Mail, CD Burn, File Archive, File Copy, File Delete, File Move, File Recycle, File Rename, File Save As, Network Transfer Download, Network Transfer Upload, Print, Print Screen, ADE Print Process)

WatchGuard Fireware OS (EventID: 1CFF0011, 1AFF002F, 1AFF0030, 1AFF0031, 1BFF0024, 1BFF0025, 1BFF0026, 1BFF0027, 1CFF0012, 1CFF0013, 1CFF0014)