UBA : Unix/Linux System Accessed With Service or Machine Account
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
Enabled by default
Detects any interactive session (GUI or CLI, local or remote login) that is initiated by a service or machine account on UNIX and Linux servers. Accounts and allowed interactive sessions are listed in the UBA : Service, Machine Account and the UBA : Allowed Interactive Session reference sets. Edit the reference sets to add or remove any interactive session that you want to flag in your environment.
- BB:UBA : Common Event Filters
- BB:CategoryDefinition: Firewall or ACL Accept
- BB:CategoryDefinition: Authentication Success
Add the appropriate values to the following reference sets: "UBA : Service, Machine Account" and "UBA : Allowed Interactive Session".
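The rule's logic, sketched as an added Python example (not IBM's rule or QRadar code): it reads constructed pam_unix session lines and flags interactive sessions opened by accounts in a stand-in for the service and machine account set, unless the account also appears in a stand-in for the allowed set. The account names, the idea that both sets hold plain account names, and the list of PAM services treated as interactive are assumptions.

```python
import re

# Constructed stand-ins for the two reference sets named on the page.
# Assumption: both sets hold plain account names.
SERVICE_MACHINE_ACCOUNTS = {"svc_backup", "svc_deploy", "postgres"}
ALLOWED_INTERACTIVE = {"postgres"}

# Assumption: PAM services that represent an interactive login (SSH, console, GUI).
INTERACTIVE_PAM = {"sshd", "login", "gdm-password"}

# Matches both "user bob by (uid=0)" and the newer "user bob(uid=1000) by (uid=0)".
SESSION_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\s\S+?:\s"
    r"pam_unix\((?P<svc>[\w-]+):session\): session opened for user "
    r"(?P<user>[^\s(]+)"
)

def flag_interactive_sessions(lines, service_accounts, allowed):
    """Return (host, user, pam_service) for each session that should be flagged."""
    hits = []
    for line in lines:
        m = SESSION_RE.match(line)
        if not m:
            continue
        user, svc = m["user"], m["svc"]
        if svc not in INTERACTIVE_PAM:
            continue  # cron and similar sessions are expected for service accounts
        if user in service_accounts and user not in allowed:
            hits.append((m["host"], user, svc))
    return hits

# Constructed sample log lines, not taken from a real system.
SAMPLE_LOG = [
    "Mar  4 02:00:01 db01 CRON[2211]: pam_unix(cron:session): session opened for user svc_backup by (uid=0)",
    "Mar  4 09:14:37 db01 sshd[3120]: pam_unix(sshd:session): session opened for user svc_backup(uid=997) by (uid=0)",
    "Mar  4 09:20:05 db01 sshd[3188]: pam_unix(sshd:session): session opened for user postgres by (uid=0)",
    "Mar  4 09:31:12 app02 login[871]: pam_unix(login:session): session opened for user alice by LOGIN(uid=0)",
    "Mar  4 10:02:44 app02 gdm-password]: pam_unix(gdm-password:session): session opened for user svc_deploy by (uid=0)",
]

if __name__ == "__main__":
    for hit in flag_interactive_sessions(
        SAMPLE_LOG, SERVICE_MACHINE_ACCOUNTS, ALLOWED_INTERACTIVE
    ):
        print("FLAG", *hit)
```

The cron session for svc_backup is ignored while its SSH session is flagged, which is the distinction the rule draws between scheduled work and an interactive login.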
Log source types