UBA : Login Anomaly

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Login Anomaly

Enabled by default


Default senseValue



Indicates a sequence of login failures on a local asset. The rule might also indicate an account compromise or lateral movement activity. Ensure that the Multiple Login Failures for Single Username rule is enabled. Adjust the match and time duration parameters for this rule to tune the responsiveness.

Support rules

  • BB:UBA : Common Event Filters
  • Multiple Login Failures for Single Username

Required configuration

Enable the following rule: "Multiple Login Failures for Single Username"

Log source types

All supported log sources.
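
The effect of the match and time duration parameters mentioned in the rule description can be seen with a small sliding-window counter. This is an added illustration, not QRadar rule logic or IBM code; the event tuples, the `detect` function, the per-username-and-asset grouping, and the threshold values are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real log data): time, username, asset, outcome.
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "host-a", "failure"),
    ("2024-05-01T09:00:40", "alice", "host-a", "failure"),
    ("2024-05-01T09:01:30", "alice", "host-a", "failure"),
    ("2024-05-01T09:02:10", "alice", "host-a", "failure"),
    ("2024-05-01T09:03:00", "alice", "host-a", "failure"),
    ("2024-05-01T09:00:00", "bob", "host-b", "failure"),
    ("2024-05-01T09:03:00", "bob", "host-b", "failure"),
    ("2024-05-01T09:06:00", "bob", "host-b", "failure"),
    ("2024-05-01T09:09:00", "bob", "host-b", "failure"),
    ("2024-05-01T09:12:00", "bob", "host-b", "failure"),
    ("2024-05-01T09:10:00", "carol", "host-c", "failure"),
    ("2024-05-01T09:11:00", "carol", "host-c", "failure"),
    ("2024-05-01T09:12:00", "carol", "host-c", "success"),
]

def detect(events, match, window):
    """Return (user, asset, first_failure, last_failure) each time `match`
    login failures for one username on one asset fall within `window`."""
    recent = defaultdict(deque)  # (user, asset) -> failure times still in window
    alerts = []
    for ts, user, asset, outcome in sorted(events):  # ISO strings sort by time
        if outcome != "failure":
            continue  # assumption: successes neither count nor reset the window
        t = datetime.fromisoformat(ts)
        q = recent[(user, asset)]
        q.append(t)
        while t - q[0] > window:  # drop failures older than the time duration
            q.popleft()
        if len(q) >= match:
            alerts.append((user, asset, q[0].isoformat(), t.isoformat()))
            q.clear()  # start a fresh count after firing
    return alerts

if __name__ == "__main__":
    # Two constructed tunings: a strict one and a more responsive one.
    for match, minutes in [(5, 10), (3, 10)]:
        hits = detect(EVENTS, match, timedelta(minutes=minutes))
        print(f"match={match} window={minutes}m ->", hits)
```

With the stricter setting only the rapid burst against `alice` fires; lowering the match count also surfaces the slower sequence against `bob`, which is the trade-off between responsiveness and noise that tuning controls.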