UBA : VPN Certificate Sharing

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : VPN Certificate Sharing

Enabled by default

False

Note: If you plan to use the UBA : VPN Certificate Sharing rule, you must update the Cisco Firewall DSM to the following:
  • For V7.3.1 and later: DSM-CiscoFirewallDevices-7.3-20170619132427.noarch.rpm

Default senseValue

15

Description

This rule detects when a VPN event's Username is not equal to 'VPNSubjectcn'. This can indicate that VPN certificate sharing is occurring. Sharing certificates or other authentication tokens makes it difficult to identify who did what, which can complicate taking next steps in the event of a compromise.
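The comparison this rule describes, as an added Python example (not IBM's rule logic and not part of the original page): it flags constructed VPN events whose username differs from the certificate subject CN and lists each CN presented by more than one username. The event key names, the case-insensitive match and the per-finding scoring are assumptions.

```python
from collections import defaultdict

SENSE_VALUE = 15  # default senseValue listed on the rule page

# Constructed sample VPN events. Key names are assumptions that mirror the
# page's Username and VPNSubjectcn properties.
SAMPLE_EVENTS = [
    {"username": "alice", "vpn_subject_cn": "alice", "source_ip": "198.51.100.10"},
    {"username": "bob",   "vpn_subject_cn": "alice", "source_ip": "203.0.113.7"},
    {"username": "Carol", "vpn_subject_cn": "carol", "source_ip": "198.51.100.22"},
    {"username": "dave",  "vpn_subject_cn": None,    "source_ip": "198.51.100.30"},
    {"username": "erin",  "vpn_subject_cn": "alice", "source_ip": "203.0.113.9"},
]

def _norm(value):
    # Assumption: compare case-insensitively and ignore surrounding whitespace.
    return value.strip().lower() if value else None

def find_certificate_sharing(events):
    """Return (findings, cn_to_users) for events carrying both fields."""
    findings, cn_to_users = [], defaultdict(set)
    for event in events:
        user, cn = _norm(event.get("username")), _norm(event.get("vpn_subject_cn"))
        if not user or not cn:
            continue  # no certificate CN parsed: nothing to compare
        cn_to_users[cn].add(user)
        if user != cn:
            findings.append({"username": user, "subject_cn": cn,
                             "source_ip": event.get("source_ip")})
    return findings, cn_to_users

def shared_certificates(cn_to_users):
    """Certificates (by subject CN) presented by more than one username."""
    return {cn: sorted(users) for cn, users in cn_to_users.items() if len(users) > 1}

def risk_by_user(findings, sense_value=SENSE_VALUE):
    # Assumption: each finding adds the rule's senseValue to that user's score.
    scores = defaultdict(int)
    for finding in findings:
        scores[finding["username"]] += sense_value
    return dict(scores)

if __name__ == "__main__":
    findings, cn_to_users = find_certificate_sharing(SAMPLE_EVENTS)
    for finding in findings:
        print("mismatch:", finding)
    print("shared:", shared_certificates(cn_to_users))
    print("risk:", risk_by_user(findings))
```

Events without a parsed subject CN are skipped rather than flagged, so a DSM that does not extract the certificate field produces no findings instead of false positives.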

Support rules

  • BB:UBA : VPN Mapping (logic)
  • UBA : Subject_CN and Username Map Update
  • UBA : Subject_CN and Username Mapping

These rules update the associated reference sets with the required data.

Required configuration

Enable the following rules:
  • UBA : Subject_CN and Username Map Update
  • UBA : Subject_CN and Username Mapping

Log source types

Cisco Adaptive Security Appliance (ASA)