UBA : Remote access hole in corporate firewall

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default: False

Default senseValue: 10

Description

Detects when there is a remote access hole in the firewall created by GotoMyPC and OpenVPN applications.

Support rules

  • BB:UBA : GoToMyPC and OpenVPN ports
  • BB:UBA : Gotomypc Process Creation and Openvpn File Creation
  • BB:UBA : Common Log Source Filters

Required configuration

Ensure that the following custom properties are defined: Filename and Process Commandline.
Note: The rule fires when Process Commandline matches g2tray\.exe or Filename matches .*\.(ovpn), over ports 8200, 1194 or 943.

Enable Search assets for username, when username is not available for event or flow data, under Admin Settings > UBA Settings.
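The following added example (not part of the IBM documentation or the UBA app itself) walks the rule's two conditions over constructed events to show which ones would fire and how the default senseValue accumulates per user. It assumes the "matches" test behaves as a regex search over the property value and that the port is carried on the same event; field names other than the two custom properties are hypothetical.

```python
import re

# Constructed sample events (not from the page), shaped like the two custom
# properties the rule needs ("Process Commandline", "Filename") plus the
# destination port and the username resolved via asset search.
SAMPLE_EVENTS = [
    {"username": "alice", "Process Commandline": r"C:\Program Files\GoToMyPC\g2tray.exe",
     "Filename": "", "port": 8200},
    {"username": "bob", "Process Commandline": "",
     "Filename": r"C:\Users\bob\Downloads\office.ovpn", "port": 1194},
    # .ovpn file but on a port the rule does not list: must not fire.
    {"username": "bob", "Process Commandline": "",
     "Filename": r"C:\Users\bob\Downloads\office.ovpn", "port": 443},
    # Listed port but no GoToMyPC/OpenVPN artifact: must not fire.
    {"username": "carol", "Process Commandline": r"C:\Windows\explorer.exe",
     "Filename": "notes.txt", "port": 943},
]

DEFAULT_SENSE_VALUE = 10  # risk score added per firing, as on the page

# Regexes taken from the rule's note. Assumption: QRadar's "matches" test is
# modelled here as a case-insensitive regex search over the property value.
CMDLINE_PATTERN = re.compile(r"g2tray\.exe", re.IGNORECASE)
FILENAME_PATTERN = re.compile(r".*\.(ovpn)", re.IGNORECASE)
REMOTE_ACCESS_PORTS = {8200, 1194, 943}  # GoToMyPC and OpenVPN ports from the page


def has_remote_access_artifact(event):
    """BB:UBA : Gotomypc Process Creation and Openvpn File Creation."""
    return bool(CMDLINE_PATTERN.search(event.get("Process Commandline", ""))
                or FILENAME_PATTERN.search(event.get("Filename", "")))


def on_remote_access_port(event):
    """BB:UBA : GoToMyPC and OpenVPN ports."""
    return event.get("port") in REMOTE_ACCESS_PORTS


def rule_fires(event):
    """Both building blocks must hold for the rule to trigger."""
    return has_remote_access_artifact(event) and on_remote_access_port(event)


def score_users(events, sense_value=DEFAULT_SENSE_VALUE):
    """Total senseValue contributed per user by events that fire the rule."""
    scores = {}
    for event in events:
        if rule_fires(event):
            scores[event["username"]] = scores.get(event["username"], 0) + sense_value
    return scores
```

Running `score_users(SAMPLE_EVENTS)` attributes 10 each to alice and bob; the off-port .ovpn event and the unrelated process on port 943 contribute nothing.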

Log source types

Microsoft Windows Security Event Logon