UBA : Internal User Failed Mailbox Login Followed by Success
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
UBA : Internal User Failed Mailbox Login Followed by Success
Enabled by default
False
Default senseValue
5
Description
Detects several mailbox login failures before a successful login from an internal user.
Support rules
- BB:UBA : Common Event Filters
- BB:UBA : Mailbox Login Success
- BB:UBA : Multiple Mailbox Login Failed in a Short Period of Time
Log source types
Microsoft Office 365 (EventID: MailboxLogin-false & EventID: MailboxLogin-true)