Changed implementation for rules
The QRadar® User Behavior Analytics (UBA) app no longer supports some rules. The functions that the rules provided are now integrated into the app, available in separate content packs, or implemented with machine learning models.
With UBA 3.5.0 and later, a one-time task runs during the upgrade to disable every unsupported UBA rule that it finds on the system. If any of those rules are re-enabled later, the app does not disable them again; they stay enabled until an administrator disables them.
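Because the upgrade task runs only once, a rule from the lists below that was re-enabled afterwards will never be turned off by the app again. The following added example (not part of the QRadar UBA documentation) is a post-upgrade check for that case: it reads rule records in the shape returned by QRadar's documented REST endpoint GET /api/analytics/rules (only the "name" and "enabled" fields are used) and reports unsupported rules that are still enabled. The rule set in the script is a subset of the names on this page and should be extended with the rest; the sample payload is constructed so the script runs offline, and the fetch_rules() helper, which assumes network access to the console and an authorized service token, shows how to feed it from a live system.

```python
"""Report UBA rules that the app no longer supports but that are still enabled.

Added example, not from the QRadar UBA documentation. Rule records are
dicts shaped like the objects returned by GET /api/analytics/rules on a
QRadar console; the only fields used are "name" and "enabled".
"""
import json
import urllib.request

# Subset of the unsupported rule names listed on this page.
# Extend it with the remaining names from the three lists.
UNSUPPORTED_UBA_RULES = frozenset({
    "UBA : Abnormal Outbound Transfer Attempts",
    "UBA : Abnormal Outbound Transfer Attempts Found",
    "UBA : Abnormal data volume to external domain",
    "UBA : Abnormal data volume to external domain Found",
    "UBA : User Running New Process",
    "UBA : User Has Gone Dormant",
    "BB:UBA : Dormant User First Login",
    "UBA : QNI - Observed File Hash Associated with Malware Threat",
    "UBA : Suspicious PowerShell Activity",
    "UBA : Unusual Scanning of SSH Servers Detected",
})


def reenabled_unsupported(rules):
    """Return the sorted names of unsupported rules whose enabled flag is true.

    `rules` is an iterable of dicts with at least "name" and "enabled".
    Surrounding whitespace is stripped so that a rule name that was saved
    with a trailing space still matches the list.
    """
    hits = []
    for rule in rules:
        name = str(rule.get("name", "")).strip()
        if name in UNSUPPORTED_UBA_RULES and bool(rule.get("enabled")):
            hits.append(name)
    return sorted(hits)


def summarize(rules):
    """Return which unsupported rules exist at all and which are still enabled."""
    present = {str(r.get("name", "")).strip() for r in rules}
    return {
        "unsupported_present": sorted(present & UNSUPPORTED_UBA_RULES),
        "unsupported_enabled": reenabled_unsupported(rules),
    }


def fetch_rules(console_host, sec_token):
    """Fetch rule name/enabled pairs from a live console (not used offline).

    Assumes the documented QRadar REST API: GET /api/analytics/rules with the
    SEC header carrying an authorized service token and the standard "fields"
    parameter to limit the response. TLS verification is left on; add the
    console's CA to the trust store instead of disabling verification.
    """
    url = f"https://{console_host}/api/analytics/rules?fields=name,enabled"
    req = urllib.request.Request(
        url, headers={"SEC": sec_token, "Accept": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample response standing in for a live API call. One rule has a
# trailing space in its name and one is a supported rule that must be ignored.
SAMPLE_RULES = [
    {"name": "UBA : Abnormal Outbound Transfer Attempts", "enabled": False},
    {"name": "UBA : Abnormal Outbound Transfer Attempts Found", "enabled": True},
    {"name": "UBA : Suspicious PowerShell Activity ", "enabled": True},
    {"name": "UBA : User Has Gone Dormant", "enabled": False},
    {"name": "Custom : Example Supported Rule", "enabled": True},
]

if __name__ == "__main__":
    report = summarize(SAMPLE_RULES)
    for name in report["unsupported_enabled"]:
        print(f"unsupported rule still enabled: {name}")
    if not report["unsupported_enabled"]:
        print("no unsupported UBA rules are enabled")
```

Run it against the output of fetch_rules() after every upgrade, not just the first one, and disable anything it reports from the Rules page of the Offenses tab; the app itself will not do it for you.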
Although the UBA rules and building blocks in the following lists are no longer supported by the UBA app, the rules themselves, or the functions they provided, remain available.
The following rules, and the functionality they provided, are now managed by Machine Learning:
- UBA : Abnormal Outbound Transfer Attempts
  - UBA : Abnormal Outbound Transfer Attempts Found
- UBA : Abnormal data volume to external domain
  - UBA : Abnormal data volume to external domain Found
- UBA : Abnormal visits to Risky Resources
  - UBA : Abnormal visits to Risky Resources Found
  - UBA : User Accessing Risky Resources
  - UBA : Risky Resources
- UBA : User Behavior, Session Anomaly by Destination
  - UBA : User Behavior, Session Anomaly by Destination Found
- UBA : User Event Frequency Anomaly - Categories
  - UBA : User Event Frequency Anomaly - Categories Found
- UBA : User Running New Process (replaced with the Process Usage ML user model in UBA 3.8.0)
- UBA : User Volume Activity Anomaly - Traffic to External Domains
  - UBA : User Volume Activity Anomaly - Traffic to External Domains Found
- UBA : User Volume Activity Anomaly - Traffic to Internal Domains
  - UBA : User Volume Activity Anomaly - Traffic to Internal Domains Found
- UBA : User Volume of Activity Anomaly - Traffic
  - UBA : User Volume of Activity Anomaly - Traffic Found
The following rules and building blocks, and the functionality they provided, are now managed within the UBA application:
- UBA : User Has Gone Dormant (no activity anomaly rule)
- BB:UBA : Dormant User First Login (logic)
- BB:UBA : Dormant User Subsequent Login (logic)
- UBA : Username to User Accounts, Successful, Dormant - New Account
- UBA : Username to User Accounts, Successful, Observed
- UBA : Username to User Accounts, Successful, Recent
- UBA : Username to User Accounts, Successful, Recent Update
- BB:UBA : User First Time Access (logic)
The following rules and building blocks, and the functionality they provided, are now handled by allowing non-UBA rules to work with UBA:
QNI
- UBA : QNI - Access to Improperly Secured Service - Certificate Expired
- UBA : QNI - Access to Improperly Secured Service - Certificate Invalid
- UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate
- UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length
- UBA : QNI - Observed File Hash Associated with Malware Threat
- UBA : QNI - Observed File Hash Seen Across Multiple Hosts
- UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Email Recipient
- UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers
- UBA : QNI - Confidential Content Being Transferred to Foreign Geography
SYSMON
- UBA : Suspicious PowerShell Activity
- UBA : Suspicious PowerShell Activity (Asset)
- UBA : Suspicious Command Prompt Activity
- UBA : User Access Control Bypass Detected (Asset)
- UBA : Suspicious Scheduled Task Activities
- UBA : Suspicious Service Activities
- UBA : Suspicious Service Activities (Asset)
- UBA : Suspicious Entries in System Registry (Asset)
- UBA : Suspicious Image Load Detected (Asset)
- UBA : Suspicious Pipe Activities (Asset)
- UBA : Suspicious Activities on Compromised Hosts
- UBA : Suspicious Activities on Compromised Hosts (Asset)
- UBA : Suspicious Administrative Activities Detected
- UBA : Process Creating Suspicious Remote Threads Detected (Asset)
- UBA : Common Exploit Tools Detected
- UBA : Common Exploit Tools Detected (Asset)
- UBA : Malicious Process Detected
- UBA : Network Share Accessed
Recon
- UBA : Unusual Scanning of DHCP Servers Detected
- UBA : Unusual Scanning of DNS Servers Detected
- UBA : Unusual Scanning of Database Servers Detected
- UBA : Unusual Scanning of FTP Servers Detected
- UBA : Unusual Scanning of Game Servers Detected
- UBA : Unusual Scanning of Generic ICMP Detected
- UBA : Unusual Scanning of Generic TCP Detected
- UBA : Unusual Scanning of Generic UDP Detected
- UBA : Unusual Scanning of IRC Servers Detected
- UBA : Unusual Scanning of LDAP Servers Detected
- UBA : Unusual Scanning of Mail Servers Detected
- UBA : Unusual Scanning of Messaging Servers Detected
- UBA : Unusual Scanning of P2P Servers Detected
- UBA : Unusual Scanning of Proxy Servers Detected
- UBA : Unusual Scanning of RPC Servers Detected
- UBA : Unusual Scanning of SNMP Servers Detected
- UBA : Unusual Scanning of SSH Servers Detected
- UBA : Unusual Scanning of Web Servers Detected
- UBA : Unusual Scanning of Windows Servers Detected