UBA : Detect IOCs for WannaCry

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Detect IOCs For WannaCry

Enabled by default: False

Default senseValue: 10

Description: Detects user computers that show Indicators of Compromise (IOCs) for WannaCry by matching URLs, IP addresses, or file hashes that are populated from X-Force campaign feeds.

Support rules

  • BB:UBA : Common Log Source Filters
  • BB:UBA : Detect WannaCry Using Hashes
  • BB:UBA : Detect WannaCry Using IP
  • BB:UBA : Detect WannaCry Using URL

Required configuration

  • Add the appropriate values to the following reference sets: UBA : Malware Activity WannaCry - Hash, UBA : Malware Activity WannaCry - IP, and UBA : Malware Activity WannaCry - URL.
  • Enable the "Search assets for username, when username is not available for event or flow data" setting in Admin Settings > UBA Settings, so that events and flows without a username can still be attributed to a user.
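The following is an added illustration, not QRadar or UBA code, of how the rule's logic fits together: each event field is checked against the three reference sets, and when an event carries no username the user is resolved from asset data (the behaviour the "Search assets for username" setting enables). The field names, the asset lookup shape and every IOC value are constructed placeholders, not real WannaCry indicators.

```python
# Added example (not QRadar's implementation): a minimal simulation of the
# "UBA : Detect IOCs For WannaCry" rule. All values below are constructed.
SENSE_VALUE = 10  # default senseValue from the rule definition

# Constructed stand-ins for the three reference sets the rule requires.
REFERENCE_SETS = {
    "UBA : Malware Activity WannaCry - Hash": {"PLACEHOLDER_HASH_1"},
    "UBA : Malware Activity WannaCry - IP": {"203.0.113.77"},  # TEST-NET-3 address
    "UBA : Malware Activity WannaCry - URL": {"http://example.invalid/ioc"},
}

# Constructed asset records: source IP -> last known user (assumed lookup shape).
ASSET_DB = {"10.0.0.5": "jdoe"}

# Which event field each reference set is compared against (assumption for the demo).
FIELD_FOR_SET = {
    "UBA : Malware Activity WannaCry - Hash": "file_hash",
    "UBA : Malware Activity WannaCry - IP": "dest_ip",
    "UBA : Malware Activity WannaCry - URL": "url",
}


def resolve_user(event, search_assets=True):
    """Return the event's username, falling back to asset data when enabled."""
    if event.get("username"):
        return event["username"]
    if search_assets:
        return ASSET_DB.get(event.get("source_ip"))
    return None


def evaluate(event, search_assets=True):
    """Return (username, matched_set_names, sense_value), or None if nothing fired."""
    matched = [name for name, fld in FIELD_FOR_SET.items()
               if event.get(fld) in REFERENCE_SETS[name]]
    if not matched:
        return None
    user = resolve_user(event, search_assets)
    if user is None:
        return None  # no user to attribute the sense to: asset search is required
    return (user, matched, SENSE_VALUE)


# Constructed sample events: IOC hit without username, IOC hit with username, no hit.
EVENTS = [
    {"source_ip": "10.0.0.5", "dest_ip": "203.0.113.77"},
    {"username": "asmith", "source_ip": "10.0.0.9", "url": "http://example.invalid/ioc"},
    {"username": "bbrown", "source_ip": "10.0.0.3", "dest_ip": "198.51.100.1"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(evaluate(ev))
```

Running it with `search_assets=False` on the first event shows why the asset-search setting is part of the required configuration: the IOC still matches, but the rule cannot attribute it to a user.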

Log source types

All supported log sources.