UBA : Unix/Linux System Accessed With Service or Machine Account
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
UBA : Unix/Linux® System Accessed With Service or Machine Account
Enabled by default
False
Default senseValue
15
Description
Detects any interactive session (through GUI and CLI, both local and remote login) that is initiated by a service or machine account on UNIX and Linux servers. Accounts and allowed interactive sessions are listed in the "UBA : Service, Machine Account" and the "UBA : Allowed Interactive Session" reference sets. Edit the reference sets to add or remove any interactive session that you want to flag in your environment.
Support rules
- BB:UBA : Common Event Filters
- BB:CategoryDefinition: Firewall or ACL Accept
- BB:CategoryDefinition: Authentication Success
Required configuration
Add the appropriate values to the following reference sets: "UBA : Service, Machine Account" and "UBA : Allowed Interactive Session".
Log source types
Linux OS
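Added example (not part of the IBM documentation) for the required configuration above: it selects candidate service accounts from a constructed /etc/passwd sample and builds, without sending, a QRadar reference_data bulk_load request for the "UBA : Service, Machine Account" set. The selection policy, the console hostname, the token, and the use of account names as the set values are assumptions.

```python
import json
import urllib.parse
import urllib.request

# Reference set names exactly as the rule documentation gives them.
SERVICE_SET = "UBA : Service, Machine Account"
ALLOWED_SET = "UBA : Allowed Interactive Session"

# Constructed /etc/passwd sample (not taken from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
svc_backup:x:1500:1500::/opt/backup:/sbin/nologin
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def service_accounts(passwd_text, uid_min=1000):
    """Assumed policy: system UID (below uid_min, root excluded) or a no-login shell."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid != 0 and (uid < uid_min or shell in NOLOGIN_SHELLS):
            names.append(name)
    return sorted(names)


def bulk_load_request(console, set_name, values, token):
    """Build (do not send) the bulk_load POST for one reference set."""
    # The set names contain spaces, ':' and ',', so encode the whole path segment.
    path = urllib.parse.quote(set_name, safe="")
    url = f"https://{console}/api/reference_data/sets/bulk_load/{path}"
    return urllib.request.Request(
        url, data=json.dumps(values).encode(), method="POST",
        headers={"SEC": token, "Content-Type": "application/json"})


if __name__ == "__main__":
    req = bulk_load_request("qradar.example.test", SERVICE_SET,
                            service_accounts(SAMPLE_PASSWD), "PLACEHOLDER_TOKEN")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # urllib.request.urlopen(req) would submit it to a real console.
```

Review the generated list before loading it: an account such as postgres keeps a login shell, so an interactive session under it is exactly what the rule is meant to surface.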