UBA : VPN Certificate Sharing
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
UBA : VPN Certificate Sharing
Enabled by default
False
Note: If you plan to use the UBA : VPN Certificate Sharing rule, you must update the Cisco Firewall DSM to the following:
- For V7.3.1 and later: DSM-CiscoFirewallDevices-7.3-20170619132427.noarch.rpm
Default senseValue
15
Description
This rule detects when a VPN event's Username is not equal to 'VPNSubjectcn'. A mismatch could indicate that a VPN certificate is being shared. Sharing certificates or other authentication tokens makes it difficult to identify who did what, which can complicate taking next steps in the event of a compromise.
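The comparison described above, sketched as an added Python example (not IBM's rule logic or QRadar code). The event layout, the `src` field, the case-insensitive comparison and the CN-to-username map, which is only loosely modelled on the Subject_CN and Username mapping, are assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real logs): each is a VPN login carrying the
# account name and the certificate subject CN ('VPNSubjectcn' on this page).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:02:11Z", "username": "alice", "VPNSubjectcn": "alice", "src": "198.51.100.10"},
    {"time": "2024-05-01T08:15:40Z", "username": "bob", "VPNSubjectcn": "alice", "src": "198.51.100.22"},
    {"time": "2024-05-01T09:01:03Z", "username": "Carol", "VPNSubjectcn": "carol", "src": "203.0.113.5"},
    {"time": "2024-05-01T09:30:57Z", "username": "dave", "VPNSubjectcn": "alice", "src": "203.0.113.9"},
    {"time": "2024-05-01T10:12:19Z", "username": "erin", "VPNSubjectcn": None, "src": "203.0.113.77"},
]

def normalize(value):
    """Trim and lower-case (assumption: names compare case-insensitively)."""
    return value.strip().lower() if value else None

def detect_sharing(events):
    """Return (alerts, cn_to_users).

    alerts: events whose username differs from the certificate subject CN.
    cn_to_users: subject CN -> usernames seen presenting that certificate.
    """
    alerts = []
    cn_to_users = defaultdict(set)
    for ev in events:
        user = normalize(ev.get("username"))
        cn = normalize(ev.get("VPNSubjectcn"))
        if not user or not cn:
            continue  # nothing to compare without both fields
        cn_to_users[cn].add(user)
        if user != cn:
            alerts.append({"time": ev["time"], "username": user,
                           "subject_cn": cn, "src": ev.get("src")})
    return alerts, dict(cn_to_users)

def shared_certificates(cn_to_users):
    """Subject CNs that more than one distinct username has presented."""
    return {cn: sorted(users) for cn, users in cn_to_users.items() if len(users) > 1}

if __name__ == "__main__":
    alerts, mapping = detect_sharing(SAMPLE_EVENTS)
    for alert in alerts:
        print("mismatch:", alert)
    print("shared:", shared_certificates(mapping))
```

Grouping by subject CN shows which accounts stand behind one certificate, which is the attribution question the rule description raises.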
Support rules
- BB:UBA : VPN Mapping (logic)
- UBA : Subject_CN and Username Map Update
- UBA : Subject_CN and Username Mapping
These rules update the associated reference sets with the required data.
Required configuration
Enable the following rules:
- UBA : Subject_CN and Username Map Update
- UBA : Subject_CN and Username Mapping
Log source types
Cisco Adaptive Security Appliance (ASA)