New accounts

A user can have several accounts (aliases) associated with them. This association is achieved by configuring coalescing when you tune your Import Configurations for User Imports. Accounts that are owned by a user are added to UBA in three ways:
  • Importing attributes from an LDAP source.
  • Adding users from a QRadar® reference set from a watchlist that is created within UBA.
  • Discovering users from a sense event. Discovery can be limited to the first two methods by setting the "Monitor imported users only" option in the Application settings section on the UBA Settings page.

An account added to UBA from LDAP or a watchlist will not have a score until it is seen on any event consumed by QRadar. An account added from a sense event will have a score immediately, from the sense event that detected it.

Responses to new accounts

New accounts are set to active after being seen on an event. For more information on account status, see Dormant Accounts. The "UBA : New Account Use Detected" rule is also triggered by the one-time event sent by the app. Custom responses can be created by using the event: "New Account Use Detected (QID 104000014)".