UBA : Multiple VPN Accounts Logged In From Single IP
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
Enabled by default
False
Default senseValue
5
Description
Maps multiple VPN users that are coming from the same IP address and then raises the risk score. When the rule detects VPN users coming from the same IP address, the IP address is added to the "UBA : Multiple VPN Accounts Logged In From Single IP" reference set. Before enabling this rule, make sure that the rule "UBA : Populate Multiple VPN Accounts Logged In From Single IP" is enabled and that the "UBA : Multiple VPN Accounts Logged In From Single IP" reference set has data.
Support rules
- UBA : Populate Multiple VPN Accounts Logged In from Single IP
- BB:UBA : VPN Login Successful
Required configuration
Enable the following rule: "UBA : Populate Multiple VPN Accounts Logged In from Single IP"
Log source types
Cisco Adaptive Security Appliance (ASA)
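The two-stage logic in the description (populate a reference set of shared source IPs, then raise risk for logins from those IPs) can be sketched offline over Cisco ASA events. This is an added example, not QRadar or UBA code. Assumptions: ASA message 113039 stands in for a successful VPN login, "multiple" means two or more distinct accounts, each matching login adds the senseValue once, and all function names and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: ASA message 113039 (AnyConnect session start) stands in for the
# "BB:UBA : VPN Login Successful" building block, whose tests the page does not list.
VPN_LOGIN = re.compile(
    r"%ASA-\d-113039: Group <[^>]*> User <(?P<user>[^>]*)> "
    r"IP <(?P<ip>[^>]*)> AnyConnect parent session started")
SENSE_VALUE = 5    # default senseValue from the page
MIN_ACCOUNTS = 2   # assumed reading of "multiple"; the page gives no threshold

# Constructed sample events using documentation address ranges, not real logs.
SAMPLE_LOGS = """\
Mar 03 09:14:02 vpn-gw1 %ASA-6-113039: Group <GroupPolicy_Staff> User <alice> IP <198.51.100.23> AnyConnect parent session started.
Mar 03 09:15:40 vpn-gw1 %ASA-6-113039: Group <GroupPolicy_Staff> User <bob> IP <198.51.100.23> AnyConnect parent session started.
Mar 03 09:16:11 vpn-gw1 %ASA-6-113039: Group <GroupPolicy_Staff> User <Alice> IP <198.51.100.23> AnyConnect parent session started.
Mar 03 09:20:05 vpn-gw1 %ASA-6-113039: Group <GroupPolicy_Staff> User <carol> IP <203.0.113.7> AnyConnect parent session started.
Mar 03 09:21:30 vpn-gw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 192.0.2.10 : user = dave : user IP = 198.51.100.23
"""

def parse_logins(text):
    """Return [(ip, user)] for successful VPN logins; other lines are ignored."""
    hits = (VPN_LOGIN.search(line) for line in text.splitlines())
    # Assumption: account names are compared case-insensitively.
    return [(m["ip"], m["user"].lower()) for m in hits if m]

def populate_reference_set(logins, min_accounts=MIN_ACCOUNTS):
    """Stage 1 (the 'Populate' rule): IPs used by >= min_accounts distinct accounts."""
    users_by_ip = defaultdict(set)
    for ip, user in logins:
        users_by_ip[ip].add(user)
    return {ip: u for ip, u in users_by_ip.items() if len(u) >= min_accounts}

def score_logins(logins, reference_set, sense_value=SENSE_VALUE):
    """Stage 2 (the main rule): each login from a listed IP adds sense_value."""
    risk = defaultdict(int)
    for ip, user in logins:
        if ip in reference_set:
            risk[user] += sense_value
    return dict(risk)

if __name__ == "__main__":
    logins = parse_logins(SAMPLE_LOGS)
    ref = populate_reference_set(logins)
    print("reference set:", {ip: sorted(u) for ip, u in ref.items()})
    print("risk added:", score_logins(logins, ref))
```

The repeated login by the same account does not count as a second account, and the rejected authentication from the shared IP is ignored, so only the two accounts that actually logged in from 198.51.100.23 are scored.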