UBA : Anomalous Account Created From New Location
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
Enabled by default: False
Default senseValue: 5
Description
Detects anomalous account creation activity originating from a new location for the user.
Support rules
- BB:UBA : Cloud Endpoints
- BB:UBA : User Account Created
- BB:UBA : Common Event Filters
- UBA : User Geography Change
Required configuration
Enable the following rule: "UBA : User Geography Change".
Log source types
AhnLab Policy Center APC (EventID: Administrator Account Add:Succeeded, ADD_ADMIN_ACCOUNT_SUCCESS)
Application Security DbProtect (EventID: Database user created, Login created - standard, Login added - Windows, Database role - created)
Aruba Mobility Controller (EventID: authmgr_user_add)
Bit9 Security Platform (EventID: User_group_created, User_group_modified, User_group_deleted, Console_user_created, Console_user_modified, Console_user_deleted)
Box (EventID: NEW_USER)
Brocade FabricOS (EventID: SEC-1180, SEC-3025, SEC-1182)
CA ACF2 (EventID: ACF2-L)
Check Point (EventID: User Added, device_added)
Cilasoft QJRN/400 (EventID: C20010, C20011)
Cisco Adaptive Security Appliance (ASA) (EventID: %PIX|ASA-5-502101, %ASA-5-502101)
Cisco Firewall Services Module (FWSM) (EventID: 502101, 504001)
Cisco IOS (EventID: %APF-6-USER_NAME_CREATED)
Cisco Identity Services Engine (EventID: 86006)
Cisco NAC Appliance (EventID: CCA-1500)
Cisco PIX Firewall (EventID: %PIX-0-502101, %PIX-1-502101, %PIX-2-502101, %PIX-3-502101, %PIX-4-502101, %PIX-5-502101, %PIX-6-502101, %PIX-7-502101)
Cisco PIX Firewall (EventID: 502101)
Cisco Wireless LAN Controllers (EventID: %APF-6-USER_NAME_CREATED, 1.3.6.1.4.1.9.9.515.0.2)
Cisco Wireless Services Module (WiSM) (EventID: %AAA-6-GUEST_ACCOUNT_CREATE, %APF-6-USER_NAME_CREATED)
CloudPassage Halo (EventID: Halo user added, Halo user re-added, Local account created (linux only))
CorreLog Agent for IBM zOS (EventID: RACF ADDUSER: No Violations)
Cyber-Ark Vault (EventID: 180, 2)
EMC VMWare (EventID: AccountCreatedEvent)
Extreme Dragon Network IPS (EventID: HOST:WIN:ACCOUNT-CREATED)
Extreme Matrix K/N/S Series Switch (EventID: created with, User Created Event)
Extreme NAC (EventID: Added registered user, Add Registered User)
Flow Classification Engine (EventID: 3031, 3041)
Forcepoint Sidewinder (EventID: passport addition)
Fortinet FortiGate Security Gateway (EventID: add, auth-logon)
Foundry Fastiron (EventID: SNMP_USER_ADDED)
HBGary Active Defense (EventID: CreateUser)
HP Network Automation (EventID: User Added)
IBM AIX Audit (EventID: USER_Create SUCCEEDED)
IBM AIX Server (EventID: USER_Create)
IBM DB2 (EventID: ADD_USER SUCCESS)
IBM IMS (EventID: USER CREATED)
IBM Resource Access Control Facility (RACF) (EventID: 80 10.0, 80 10.2)
IBM Security Access Manager for Enterprise Single Sign-On (EventID: PRE_PROVISION_IMS_USER, AA_SCR_REGISTRATION, REGISTER_MAC_IDENTITY, REGISTER_IDENTITY)
IBM Security Directory Server (EventID: SDS Audit)
IBM Security Identity Governance (EventID: 49, 70004, 42)
IBM Security Identity Manager (EventID: Add Success, Add SUBMITTED, Add SUCCESS)
IBM SmartCloud Orchestrator (EventID: user)
IBM Tivoli Access Manager for e-business (EventID: 13402 - Succeeded, 13401 - Succeeded, 13402 Command Succeeded, 13401 Command Succeeded)
IBM i (EventID: GSL2401, MC@0300, GSL2402, M240100, CP_CRT)
Imperva SecureSphere (EventID: NEW_USERS_ACCOUNT, SOX_NEW_USERS, SOX - New users, New Users Account)
Itron Smart Meter (EventID: CEUI-AUDIT-27, CEUI.AUDIT.26)
Juniper Networks Network and Security Manager (EventID: adm23303, aut20167, adm30407, aut20168, adm20716, adm20717)
Linux OS (EventID: ADD_USER)
McAfee Application/Change Control (EventID: USER_ACCOUNT_CREATED)
McAfee ePolicy Orchestrator (EventID: 20792)
Microsoft ISA (EventID: user added)
Microsoft SQL Server (EventID: CR - SU, CR - US, CR - SL, CR - LX, CR - AR, CR - WU, 24127, 24121, 24075)
Microsoft SharePoint (EventID: 37)
Microsoft Windows Security Event Log (EventID: 624, 645, 1318, 4720, 4741)
NCC Group DDos Secure (EventID: 1003)
Netskope Active (EventID: Create Admin, Created new admin)
Novell eDirectory (EventID: CREATE_ACCOUNT)
OS Services Qidmap (EventID: User Account Added)
OSSEC (EventID: 5902, 18110)
Okta (EventID: app.user_management.push_new_user_success, app.generic.import.details.add_user, app.generic.import.new_user, app.user_management.provision_user, app.user_management.push_new_user, app.user_management.push_profile_success, core.user.config.user_creation.success, core.user_group_member.user_add, cvd.user_profile_bootstrapped, cvd.appuser_profile_bootstrapped)
OpenBSD OS (EventID: add user)
Oracle Enterprise Manager (EventID: User Create (successful), Computer Create (successful))
Oracle RDBMS Audit Record (EventID: 51:1, 51:0, CREATE USER-Standard:1, CREATE USER-Standard:0)
Oracle RDBMS OS Audit Record (EventID: 51)
Pirean Access: One (EventID: IsimUserRegistration;*;1)
Pulse Secure Pulse Connect Secure (EventID: ADM23303, ADM20265, AUT20167, ADM30407, AUT20168)
RSA Authentication Manager (EventID: Added user, unknown, REMOTE_PRINCIPAL_CREATE, CREATE_PRINCIPAL, CREATE_AM_PRINCIPAL)
SIM Audit (EventID: Configuration-UserAccount-AccountAdded)
STEALTHbits StealthINTERCEPT (EventID: Active DirectorycomputerObject AddedTrueFalse, Console ? user/group added, Console � user/group added, Active DirectoryuserObject AddedTrueFalse, Console - user/group added)
SafeNet DataSecure/KeySecure (EventID: Added user)
Salesforce Security Auditing (EventID: Created new Customer User, Created new user)
Skyhigh Networks Cloud Security Platform (EventID: 10016)
Solaris BSM (EventID: create user)
SonicWALL SonicOS (EventID: 558)
Symantec Encryption Management Server (EventID: ADMIN_IMPORTED_USER)
ThreatGRID Malware Threat Intelligence Platform (EventID: user-account-creation)
Trend Micro Deep Discovery Email Inspector (EventID: SYSTEM_EVENT_ACCOUNT_CREATED)
Trend Micro Deep Security (EventID: 650)
Universal DSM (EventID: Computer Account Added, User Account Added)
VMware vCloud Director (EventID: com/vmware/vcloud/event/user/create, com/vmware/vcloud/event/user/import)
Vormetric Data Security (EventID: DAO0089I)
iT-CUBE agileSI (EventID: U0, AU7)