Suspicious Activity

The Suspicious Activity model tracks a user’s activity in the Suspicious Activity high-level category and creates a learned behavioral model for each hour of the day.

Enable the Suspicious Activity machine learning model to display the actual and expected (learned) amount of Suspicious Activity high-level category on the User Details page. If the user’s Suspicious Activity deviates from the learned behavior, it is deemed suspicious and a Sense Event is generated to increase the user’s risk score.

Event name

UBA : Abnormal increase in Suspicious activity



Required configuration

System is monitoring events that have QRadar high level category of Suspicious Activity.

Log source types

Log source types: 3Com 8800 Series Switch, Akamai KONA, Application Security DbProtect, Arbor Networks Peakflow SP, Aruba Introspect, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CRE System, Carbon Black, Carbon Black Protection, Check Point, Cilasoft QJRN/400, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco Meraki, Cisco NAC Appliance, Cisco PIX Firewall, Cisco Stealthwatch, Cisco Umbrella, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), CloudLock Cloud Security Fabric, CrowdStrike Falcon Host, Custom Rule Engine, CyberArk Privileged Threat Analytics, CyberGuard TSP Firewall/VPN, Damballa Failsafe, EMC VMWare, ESET Remote Administrator, SF-Sherlock, Event CRE Injected, Exabeam, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiGuard, Extreme HiPath, Extreme Matrix K/N/S Series Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme XSR Security Routers, F5 Networks BIG-IP AFM, F5 Networks BIG-IP ASM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Fair Warning, Fidelis XPS, FireEye, Flow Classification Engine, Forcepoint Sidewinder, ForeScout CounterACT, Fortinet FortiGate Security Gateway, FreeRADIUS, H3C Comware Platform, Huawei AR Series Router, Huawei S Series Switch, IBM AIX Server, IBM BigFix Detect, IBM Guardium, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM Resource Access Control Facility (RACF), IBM Security Network IPS (GX), IBM Security Trusteer Apex Advanced Malware Protection, IBM WebSphere Application Server, IBM i, IBM z/OS, ISC BIND, Imperva SecureSphere, Juniper Junos OS Platform, Juniper Junos WebApp Secure, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper WirelessLAN, Kaspersky CyberTrace, Kaspersky Security Center, Kisco Information Systems SafeNet/i, Lastline Enterprise, LightCyber Magna, Linux DHCP Server, Linux OS, McAfee Application/Change Control, McAfee Network Security Platform, McAfee ePolicy Orchestrator, Microsoft DHCP Server, Microsoft DNS Debug, Microsoft Endpoint Protection, Microsoft Hyper-V, Microsoft Operations Manager, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDos Secure, Netskope Active, Niksun 2005 v3.5, Nortel Contivity VPN Switch, Nortel Secure Router, Nortel VPN Gateway, OS Services Qidmap, OSSEC, ObserveIT, Onapsis Inc Onapsis Security Platform, Palo Alto Endpoint Security Manager, Palo Alto PA Series, PostFix MailTransferAgent, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler, SAP Enterprise Threat Detection, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Samhain HIDS, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, SolarWinds Orion, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Sophos Enterprise Console, Sophos PureMessage, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Symantec Endpoint Protection, Symantec System Center, ThreatGRID Malware Threat Intelligence Platform, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Universal DSM, Vectra Networks Vectra, Verdasys Digital Guardian, WatchGuard Fireware OS, Zscaler Nss, genua genugate, iT-CUBE agileSI