UBA : User Accessing Risky IP Botnet

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : User Accessing Risky IP Botnet (previously called X-Force® Risky IP, Botnet)

Enabled by default



This rule detects when a local user or host is connecting to a botnet command and control server.

Support rules

  • X-Force Risky IP, Botnet
  • BB:UBA : Common Event Filters

Required configuration

  • Set "Enable X-Force Threat Intelligence Feed" to Yes in Admin Settings > System Settings.
  • Enable the following rule: X-Force Risky IP Botnet.

Log source types

All supported log sources.