UBA : Detect IOCs for WannaCry

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Detect IOCs For WannaCry

Enabled by default


Default senseValue



Detects user computers that show Indicators of Compromise (IOCs) for WannaCry by using URLs, IPs, or hashes that are populated from X-Force campaign feeds.

Support rules

  • BB:UBA : Common Log Source Filters
  • BB:UBA : Detect WannaCry Using Hashes
  • BB:UBA : Detect WannaCry Using IP
  • BB:UBA : Detect WannaCry Using URL

Required configuration

  • Add the appropriate values to the following reference sets: UBA : Malware Activity WannaCry - Hash, UBA : Malware Activity WannaCry - IP, and UBA : Malware Activity WannaCry - URL.
  • Enable "Search assets for username, when username is not available for event or flow data" in Admin Settings > UBA Settings.
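
One way to carry out the first configuration step through the QRadar REST API, as an added example that is not part of the product documentation: it sorts a mixed indicator list into the three reference sets named above, rejects values that could never match an event (such as defanged URLs), and builds one bulk_load request per set. The console host, the token and the sample indicators are placeholders constructed for illustration, and values are loaded in the form supplied.

```python
import ipaddress
import json
import re
import urllib.parse
import urllib.request

# Reference set names exactly as listed under "Required configuration".
SETS = {"hash": "UBA : Malware Activity WannaCry - Hash",
        "ip": "UBA : Malware Activity WannaCry - IP",
        "url": "UBA : Malware Activity WannaCry - URL"}
HEX_HASH = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
# Constructed sample indicators (documentation ranges and placeholder values).
SAMPLE = ["0123456789abcdef" * 4, "192.0.2.10", "http://example.test/a",
          "hxxp://example[.]test/a"]  # last one is defanged and must be rejected

def classify(value):
    """Return (kind, value) for a usable indicator, or (None, value)."""
    v = value.strip()
    if HEX_HASH.match(v):  # MD5, SHA-1 or SHA-256 length, case kept as given
        return "hash", v
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    try:
        parts = urllib.parse.urlsplit(v)  # raises ValueError on bad brackets
        if parts.scheme in ("http", "https") and parts.hostname:
            return "url", v
    except ValueError:
        pass
    return None, v

def build_requests(console, token, indicators):
    """Group indicators per set; return (bulk_load requests, rejected values)."""
    grouped, rejected = {kind: [] for kind in SETS}, []
    for raw in indicators:
        kind, value = classify(raw)
        if kind is None:
            rejected.append(raw)
        elif value not in grouped[kind]:
            grouped[kind].append(value)
    requests = []
    for kind, values in grouped.items():
        if values:
            url = "https://%s/api/reference_data/sets/bulk_load/%s" % (
                console, urllib.parse.quote(SETS[kind], safe=""))
            requests.append(urllib.request.Request(
                url, data=json.dumps(values).encode(), method="POST",
                headers={"SEC": token, "Content-Type": "application/json"}))
    return requests, rejected

if __name__ == "__main__":
    reqs, bad = build_requests("qradar.example.test", "TOKEN-PLACEHOLDER", SAMPLE)
    print([r.full_url for r in reqs], "rejected:", bad)
```

Nothing is sent until each request is passed to `urllib.request.urlopen`. If the hash reference set is case-sensitive, load hashes in the same letter case that your log sources report.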

Log source types

All supported log sources.