UBA : Suspicious Activity Followed by Exfiltration
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
Enabled by default
False
Default senseValue
15
Description
Detects a scenario in which suspicious activity is followed by exfiltration within 24 hours.
Support rules
- BB:UBA : Compromised Account - Execution
  - UBA : User Geography Change
  - UBA : Unauthorized Access
  - UBA : User Access - Failed Access to Critical Assets
  - UBA : Login Anomaly
  - UBA : User Accessing Account from Anonymous Source
  - UBA : Account or Group or Privileges Added
  - UBA : Account or Group or Privileges Modified
  - UBA : User Account Created and Deleted in a Short Period of Time
  - UBA : Dormant Account Use Attempted
  - UBA : Dormant Account Used
  - UBA : User Time, Access at Unusual Times
  - UBA : Suspicious Privileged Activity (Rarely Used Privilege)
- BB:UBA : Compromised Account - Exfiltration
Required configuration
See supported rules
Log source types
See supported rules