UBA : Data Loss Possible
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
Enabled by default: False
Default senseValue: 15
Description
Detects possible data loss, as determined by the data source, the event category, or specific events related to data loss detection and prevention.
Support rules
- BB:UBA : Data Loss Categories
- BB:UBA : Data Loss Devices
- BB:UBA : Data Loss Events
Log source types
Check Point (EventID: Detect)
Cisco Stealthwatch (EventID: 40, 45)
Forcepoint V Series (EventID: BLOCKED_BY_WEB_DLP)
Fortinet FortiGate Security Gateway (EventID: dlp passthrough, 43720)
IBM Proventia Network Intrusion Prevention System (IPS) (EventID: BsdlprSymlink, FreebsdLpdBo, HummingbirdLpdBo, MozillaSenduidlPop3Bo, BsdLpdBo)
McAfee Network Security Platform (EventID: 0x4517f400)
Netskope Active (EventID: dlp)
Pulse Secure Pulse Connect Secure (EventID: SYS24815, SYS24843, SYS24844)
Skyhigh Networks Cloud Security Platform (EventID: Anomaly, Incident, 10003, 10004, 10005, 10036)
Symantec DLP (EventID: all ids)
TippingPoint Intrusion Prevention System (IPS) (EventID: 26335, 26334, 26336, 27318, 27494, 27515)
Universal DSM (EventID: Data Loss Possible, Data Loss Prevention Policy Violation)
Verdasys Digital Guardian (EventID: ADE Screen Capture, Application Data Exchange, Attach Mail, CD Burn, File Archive, File Copy, File Delete, File Move, File Recycle, File Rename, File Save As, Network Transfer Download, Network Transfer Upload, Print, Print Screen, ADE Print Process)
WatchGuard Fireware OS (EventID: 1CFF0011, 1AFF002F, 1AFF0030, 1AFF0031, 1BFF0024, 1BFF0025, 1BFF0026, 1BFF0027, 1CFF0012, 1CFF0013, 1CFF0014)