UBA : Unix/Linux System Accessed With Service or Machine Account

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Unix/Linux® System Accessed With Service or Machine Account

Enabled by default


Default senseValue



Detects any interactive session (through GUI and CLI, both local and remote login) that is initiated by a service or machine account on UNIX and Linux servers. Accounts and allowed interactive sessions are listed in the "UBA : Service, Machine Account" and the "UBA : Allowed Interactive Session" reference sets. Edit the reference sets to add or remove any interactive session that you want to flag in your environment.

Support rules

  • BB:UBA : Common Event Filters
  • BB:CategoryDefinition: Firewall or ACL Accept
  • BB:CategoryDefinition: Authentication Success

Required configuration

Add the appropriate values to the following reference sets: "UBA : Service, Machine Account" and "UBA : Allowed Interactive Session".

Log source types

Linux OS
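The check described above, sketched in Python over Linux PAM session-open lines as an added example (not IBM's rule or QRadar code). The set contents, the function and constant names, and the log lines are constructed; it assumes the "UBA : Allowed Interactive Session" set holds the PAM service names that count as interactive sessions to flag.

```python
import re

# Stand-ins for the two reference sets; the values are constructed assumptions.
SERVICE_MACHINE_ACCOUNTS = {"svc_backup", "postgres", "web01$"}
INTERACTIVE_SESSIONS = {"sshd", "login", "gdm-password", "su"}

# pam_unix session-open record as found in /var/log/auth.log or /var/log/secure.
# Newer PAM versions append "(uid=N)" to the user name, so stop at "(" as well.
PAM_OPEN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s\S+:\s"
    r"pam_unix\((?P<service>[^:)]+):session\):\s"
    r"session opened for user (?P<user>[^\s(]+)"
)

def flag_interactive_service_logins(lines,
                                    accounts=SERVICE_MACHINE_ACCOUNTS,
                                    sessions=INTERACTIVE_SESSIONS):
    """Return (timestamp, host, user, service) for each interactive session
    opened by an account listed as a service or machine account."""
    accounts = {a.lower() for a in accounts}
    hits = []
    for line in lines:
        m = PAM_OPEN.match(line)
        if not m:
            continue  # not a session-open record
        if m["user"].lower() in accounts and m["service"] in sessions:
            hits.append((m["ts"], m["host"], m["user"], m["service"]))
    return hits

# Constructed sample log lines.
SAMPLE_LOG = [
    "Mar  3 10:15:02 web01 sshd[2211]: pam_unix(sshd:session): session opened for user svc_backup by (uid=0)",
    "Mar  3 10:20:00 web01 CRON[2301]: pam_unix(cron:session): session opened for user svc_backup by (uid=0)",
    "Mar  3 10:22:41 web01 sshd[2350]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Mar  3 10:31:07 db02 login[988]: pam_unix(login:session): session opened for user postgres(uid=26) by LOGIN(uid=0)",
    "Mar  3 10:31:09 db02 sshd[990]: Accepted publickey for postgres from 192.0.2.10 port 50514 ssh2",
]

if __name__ == "__main__":
    for hit in flag_interactive_service_logins(SAMPLE_LOG):
        print("service/machine account opened interactive session:", hit)
```

The cron session for svc_backup is not flagged because cron is not in the interactive-session set, which is the tuning knob the reference sets provide.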