UBA : Multiple VPN Accounts Logged In From Single IP

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Multiple VPN Accounts Logged In From Single IP

Enabled by default

False

Default senseValue

5

Description

Maps multiple VPN users that are coming from the same IP address and then raises the risk score. When the rule detects VPN users coming from the same IP address, the IP address is added to the "UBA : Multiple VPN Accounts Logged In From Single IP" reference set. Before enabling this rule, make sure that the rule "UBA : Populate Multiple VPN Accounts Logged In From Single IP" is enabled and that the "UBA : Multiple VPN Accounts Logged In From Single IP" reference set has data.

Support rules

  • UBA : Populate Multiple VPN Accounts Logged In from Single IP
  • BB:UBA : VPN Login Successful

Required configuration

Enable the following rule: "UBA : Populate Multiple VPN Accounts Logged In from Single IP"

Log source types

Cisco Adaptive Security Appliance (ASA)
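
The following Python sketch is an added example, not IBM's rule logic. It is a simplified model of the two-stage flow described above: a populate step builds the set of shared source IPs, then each successful VPN login from an IP in that set raises the user's risk by the default senseValue. The function names, the `MIN_ACCOUNTS` threshold, and the sample events (constructed in the shape of Cisco ASA syslog messages 113039 and 113005) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events shaped like Cisco ASA syslog (not real logs).
SAMPLE_LOGS = [
    "%ASA-6-113039: Group <Staff> User <alice> IP <203.0.113.7> AnyConnect parent session started.",
    "%ASA-6-113039: Group <Staff> User <Alice> IP <203.0.113.7> AnyConnect parent session started.",
    "%ASA-6-113039: Group <Staff> User <bob> IP <198.51.100.20> AnyConnect parent session started.",
    "%ASA-6-113039: Group <Staff> User <carol> IP <192.0.2.44> AnyConnect parent session started.",
    "%ASA-6-113039: Group <Ops> User <dave> IP <192.0.2.44> AnyConnect parent session started.",
    "%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : "
    "server = 10.0.0.5 : user = erin : user IP = 192.0.2.44",
]

LOGIN_RE = re.compile(
    r"%ASA-6-113039: Group <[^>]*> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)>"
)
SENSE_VALUE = 5    # default senseValue stated on this page
MIN_ACCOUNTS = 2   # assumption: the page does not say how many accounts count as "multiple"

def parse_logins(lines):
    """Yield (user, ip) for successful VPN logins; other events are skipped."""
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            yield m["user"].lower(), m["ip"]  # fold case so Alice == alice

def populate_reference_set(lines, min_accounts=MIN_ACCOUNTS):
    """Stage 1 (populate rule): collect IPs seen with several distinct accounts."""
    users_by_ip = defaultdict(set)
    for user, ip in parse_logins(lines):
        users_by_ip[ip].add(user)
    return {ip for ip, users in users_by_ip.items() if len(users) >= min_accounts}

def score_logins(lines, reference_set, sense_value=SENSE_VALUE):
    """Stage 2 (this rule): raise risk for each login from an IP in the set."""
    risk = defaultdict(int)
    for user, ip in parse_logins(lines):
        if ip in reference_set:
            risk[user] += sense_value
    return dict(risk)

if __name__ == "__main__":
    shared = populate_reference_set(SAMPLE_LOGS)
    print("reference set:", sorted(shared))
    print("risk increase:", score_logins(SAMPLE_LOGS, shared))
```

Repeated logins by one account (including case variants of the username) do not place an IP in the set, and the rejected authentication from 192.0.2.44 is ignored because only successful logins are counted.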