UBA : Initial Access Followed by Suspicious Activity
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
UBA : Initial Access Followed by Suspicious Activity
Enabled by default: False
Default senseValue: 15
Description
Detects phishing or malware activity (the initial access) that is followed, within 24 hours, by suspicious access activity for the same user. Note: Edit the supported building blocks to monitor whichever rules are appropriate for your environment.
Supported rules
BB:UBA : Compromised Account - Initial Access
BB:UBA : Compromised Account - Execution
- UBA : User Geography Change
- UBA : Unauthorized Access
- UBA : User Access - Failed Access to Critical Assets
- UBA : User Access Login Anomaly
- UBA : User Accessing Account from Anonymous Source
- UBA : Account or Group or Privileges Added
- UBA : Account or Group or Privileges Modified
- UBA : User Account Created and Deleted in a Short Period of Time
- UBA : Dormant Account Use Attempted
- UBA : Dormant Account Used
- UBA : User Time, Access at Unusual Times
- UBA : Suspicious Privileged Activity (Rarely Used Privilege)
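The sequence this rule describes (an initial-access match, then a match on one of the rules above for the same user within 24 hours) can be reproduced outside QRadar to reason about how the window and ordering behave. The following is an added illustration, not the UBA app's own implementation and not QRadar rule syntax: the execution rule names are the ones listed on this page, the two initial-access rule names are placeholders (the page does not list which rules the initial-access building block tests), the event records are constructed, and the score increment per match assumes the page's default senseValue of 15 is added to the user's risk score on each match.

```python
"""Toy correlation of 'initial access followed by suspicious activity'.

Added example, not QRadar/UBA code. Rule names under EXECUTION_RULES are
taken from the page; INITIAL_ACCESS_RULES are placeholders (assumption).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Rules the page lists as the suspicious (execution) activity.
EXECUTION_RULES = frozenset({
    "UBA : User Geography Change",
    "UBA : Unauthorized Access",
    "UBA : User Access - Failed Access to Critical Assets",
    "UBA : User Access Login Anomaly",
    "UBA : User Accessing Account from Anonymous Source",
    "UBA : Account or Group or Privileges Added",
    "UBA : Account or Group or Privileges Modified",
    "UBA : User Account Created and Deleted in a Short Period of Time",
    "UBA : Dormant Account Use Attempted",
    "UBA : Dormant Account Used",
    "UBA : User Time, Access at Unusual Times",
    "UBA : Suspicious Privileged Activity (Rarely Used Privilege)",
})

# Placeholder names standing in for the phishing/malware rules that the
# initial-access building block would match. The page does not list them.
INITIAL_ACCESS_RULES = frozenset({
    "PLACEHOLDER : Phishing Activity",
    "PLACEHOLDER : Malware Activity",
})

WINDOW = timedelta(hours=24)   # the 24-hour window from the page
SENSE_VALUE = 15               # page's default senseValue (assumed to be added per match)


@dataclass(frozen=True)
class RuleEvent:
    user: str
    time: datetime
    rule: str


@dataclass(frozen=True)
class Hit:
    user: str
    initial: RuleEvent    # the initial-access event that opened the window
    followup: RuleEvent   # the execution-rule event that closed it


def correlate(events: Iterable[RuleEvent], window: timedelta = WINDOW) -> list[Hit]:
    """One Hit per execution-rule event preceded, for the same user, by an
    initial-access event at most `window` earlier. Events are processed in
    time order, so an execution event that comes first never matches."""
    pending: dict[str, list[RuleEvent]] = {}   # open initial-access events per user
    hits: list[Hit] = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.rule in INITIAL_ACCESS_RULES:
            pending.setdefault(ev.user, []).append(ev)
        elif ev.rule in EXECUTION_RULES:
            # Drop initial-access events that have aged out of the window.
            recent = [p for p in pending.get(ev.user, []) if ev.time - p.time <= window]
            pending[ev.user] = recent
            if recent:
                hits.append(Hit(ev.user, recent[0], ev))   # pair with the earliest open one
    return hits


def risk_increments(hits: Iterable[Hit], sense_value: int = SENSE_VALUE) -> dict[str, int]:
    """Total risk-score points each user would accrue from the hits."""
    score: dict[str, int] = {}
    for h in hits:
        score[h.user] = score.get(h.user, 0) + sense_value
    return score


# Constructed sample events covering the interesting cases.
T0 = datetime(2024, 1, 10, 9, 0)
SAMPLE_EVENTS = [
    # alice: phishing, then geography change 3h later -> hit
    RuleEvent("alice", T0, "PLACEHOLDER : Phishing Activity"),
    RuleEvent("alice", T0 + timedelta(hours=3), "UBA : User Geography Change"),
    # bob: malware, then dormant account used 30h later -> outside window
    RuleEvent("bob", T0, "PLACEHOLDER : Malware Activity"),
    RuleEvent("bob", T0 + timedelta(hours=30), "UBA : Dormant Account Used"),
    # carol: suspicious activity BEFORE the initial access -> wrong order, no hit
    RuleEvent("carol", T0, "UBA : Unauthorized Access"),
    RuleEvent("carol", T0 + timedelta(hours=1), "PLACEHOLDER : Phishing Activity"),
    # dave: privilege change with no initial access at all -> no hit
    RuleEvent("dave", T0 + timedelta(hours=2), "UBA : Account or Group or Privileges Added"),
    # erin: one phishing, two follow-ups inside the window -> two hits
    RuleEvent("erin", T0, "PLACEHOLDER : Phishing Activity"),
    RuleEvent("erin", T0 + timedelta(hours=5), "UBA : User Access Login Anomaly"),
    RuleEvent("erin", T0 + timedelta(hours=23, minutes=59),
              "UBA : Suspicious Privileged Activity (Rarely Used Privilege)"),
]

if __name__ == "__main__":
    hits = correlate(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.user}: {h.initial.rule} @ {h.initial.time:%d %H:%M}"
              f" -> {h.followup.rule} @ {h.followup.time:%d %H:%M}")
    print(risk_increments(hits))
```

Two behaviours worth noting when tuning the real rule: ordering matters (carol's suspicious access before the phishing event does not count), and a single initial-access event can be followed by several execution-rule matches, each of which fires separately and adds to the user's score. Widening the window (the `window` argument) would bring bob's 30-hour gap into scope.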
Required configuration: See supported rules
Log source types: See supported rules