UBA : Internal User Failed Mailbox Login Followed by Success

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Internal User Failed Mailbox Login Followed by Success

Enabled by default

False

Default senseValue

5

Description

Detects several mailbox login failures before a successful login from an internal user.

Support rules

  • BB:UBA : Common Event Filters
  • BB:UBA : Mailbox Login Success
  • BB:UBA : Multiple Mailbox Login Failed in a Short Period of Time

Log source types

Microsoft Office 365 (EventID: MailboxLogin-false & EventID: MailboxLogin-true)
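The description above, worked through as an added example (not IBM's rule logic or the UBA app's code): a sliding-window check that flags a `MailboxLogin-true` event preceded by repeated `MailboxLogin-false` events for the same internal user. The threshold of 3 failures, the 10-minute window, the tuple layout of the events, and the `INTERNAL_USERS` set are assumptions, since the page does not state the rule's tuning values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; the page does not state the rule's real thresholds.
FAILURE_THRESHOLD = 3
WINDOW = timedelta(minutes=10)

# Assumed stand-in for "internal user"; a real deployment resolves this elsewhere.
INTERNAL_USERS = {"alice", "bob", "carol"}

# Constructed sample events: (timestamp, username, event ID as named on the page).
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", "carol", "MailboxLogin-false"),
    ("2024-05-01T08:01:00", "carol", "MailboxLogin-false"),
    ("2024-05-01T08:02:00", "carol", "MailboxLogin-false"),
    ("2024-05-01T09:00:05", "alice", "MailboxLogin-false"),
    ("2024-05-01T09:00:40", "alice", "MailboxLogin-false"),
    ("2024-05-01T09:01:10", "alice", "MailboxLogin-false"),
    ("2024-05-01T09:02:00", "alice", "MailboxLogin-true"),   # 3 failures, then success
    ("2024-05-01T09:05:00", "bob", "MailboxLogin-false"),
    ("2024-05-01T09:05:30", "bob", "MailboxLogin-true"),     # single typo, below threshold
    ("2024-05-01T09:06:00", "ext_vendor", "MailboxLogin-false"),
    ("2024-05-01T09:06:10", "ext_vendor", "MailboxLogin-false"),
    ("2024-05-01T09:06:20", "ext_vendor", "MailboxLogin-false"),
    ("2024-05-01T09:06:30", "ext_vendor", "MailboxLogin-true"),  # not an internal user
    ("2024-05-01T09:10:00", "alice", "MailboxLogin-false"),
    ("2024-05-01T09:10:20", "alice", "MailboxLogin-true"),   # counter was reset at 09:02
    ("2024-05-01T09:30:00", "carol", "MailboxLogin-true"),   # failures aged out of window
]

def detect(events, internal_users, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return (user, success_time, failure_count) for each flagged success."""
    failures = defaultdict(deque)  # per-user timestamps of recent failed logins
    alerts = []
    for ts, user, event_id in sorted(events):  # ISO timestamps sort chronologically
        if user not in internal_users:
            continue
        when = datetime.fromisoformat(ts)
        recent = failures[user]
        while recent and when - recent[0] > window:  # drop failures outside the window
            recent.popleft()
        if event_id == "MailboxLogin-false":
            recent.append(when)
        elif event_id == "MailboxLogin-true":
            if len(recent) >= threshold:
                alerts.append((user, ts, len(recent)))
            recent.clear()  # a success ends the current failure streak
    return alerts

if __name__ == "__main__":
    for user, ts, count in detect(SAMPLE_EVENTS, INTERNAL_USERS):
        print(f"{ts} {user}: success after {count} failed mailbox logins")
```

Resetting the counter on success and expiring old failures keeps a single mistyped password, or failures from hours earlier, from raising the alert.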