UBA : Detect IOCs For Locky

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Detect IOCs For Locky

Enabled by default


Default senseValue



Detects user computers that show Indicators of Compromise (IOCs) for Locky by using URLs or IPs that are populated from X-Force campaign feeds.

Support rules

  • BB:UBA : Common Log Source Filters
  • BB:UBA : Detect Locky Using IP
  • BB:UBA : Detect Locky Using URL

Required configuration

  • Add the appropriate values to the following reference sets: UBA : IOCs-Locky IP and UBA : IOCs-Locky URL.
  • Enable the "Search assets for username, when username is not available for event or flow data" option in Admin Settings > UBA Settings.

Log source types

All supported log sources.
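
The matching that this rule describes, as an added Python sketch (not QRadar rule code and not part of the original page): events are checked against an IP set and a URL set, and a hit without a username is attributed through an asset lookup. The event field names, the ASSETS table, the URL normalization and every sample value are assumptions constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-ins for the reference sets "UBA : IOCs-Locky IP" and
# "UBA : IOCs-Locky URL"; values use documentation-reserved ranges and names.
LOCKY_IPS = {"203.0.113.45", "198.51.100.7"}
LOCKY_URLS = {"malicious.example/locky/gate.php"}
# Constructed asset table (source IP -> user), standing in for the asset search.
ASSETS = {"10.0.0.12": "jdoe"}

def normalize_ip(value):
    """Return the canonical text form of an IP, or None if it does not parse."""
    try:
        return str(ipaddress.ip_address((value or "").strip()))
    except ValueError:
        return None

def normalize_url(value):
    """Assumed normalization: lower-case host, no scheme, query or fragment."""
    parts = urlsplit(value if "://" in value else "//" + value)
    return (parts.hostname or "") + parts.path.rstrip("/")

def match_event(event):
    """Return a finding if the event hits either IOC set, else None."""
    matched = []
    if normalize_ip(event.get("dst_ip")) in LOCKY_IPS:
        matched.append("ip")
    if event.get("url") and normalize_url(event["url"]) in LOCKY_URLS:
        matched.append("url")
    if not matched:
        return None
    # Fall back to the asset table when the event carries no username.
    user = event.get("username") or ASSETS.get(event.get("src_ip"))
    return {"user": user, "src_ip": event.get("src_ip"), "matched": matched}

# Constructed sample events (hypothetical field names).
EVENTS = [
    {"src_ip": "10.0.0.12", "dst_ip": "203.0.113.45"},
    {"src_ip": "10.0.0.20", "username": "asmith",
     "url": "HTTP://Malicious.Example/locky/gate.php?id=1"},
    {"src_ip": "10.0.0.30", "username": "bob", "dst_ip": "192.0.2.10"},
    {"src_ip": "10.0.0.40", "dst_ip": "198.51.100.7"},
]

def findings(events):
    """Collect the findings for every event that hits an IOC set."""
    return [f for f in map(match_event, events) if f]

if __name__ == "__main__":
    for f in findings(EVENTS):
        print(f)
```

The last sample event matches an IOC but resolves to no user, because it carries no username and its source IP has no asset record; that is the attribution gap the asset search setting is meant to close.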