UBA : Anomalous Account Created From New Location

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default: False

Default senseValue: 5

Description

Detects anomalous account creation activity from a new location.

Support rules

  • BB:UBA : Cloud Endpoints
  • BB:UBA : User Account Created
  • BB:UBA : Common Event Filters
  • UBA : User Geography Change

Required configuration

Enable the following rule: "UBA : User Geography Change".

Log source types

AhnLab Policy Center APC (EventID: Administrator Account Add:Succeeded, ADD_ADMIN_ACCOUNT_SUCCESS)

Application Security DbProtect (EventID: Database user created, Login created - standard, Login added - Windows, Database role - created)

Aruba Mobility Controller (EventID: authmgr_user_add)

Bit9 Security Platform (EventID: User_group_created, User_group_modified, User_group_deleted, Console_user_created, Console_user_modified, Console_user_deleted)

Box (EventID: NEW_USER)

Brocade FabricOS (EventID: SEC-1180, SEC-3025, SEC-1182)

CA ACF2 (EventID: ACF2-L)

Check Point (EventID: User Added, device_added)

Cilasoft QJRN/400 (EventID: C20010, C20011)

Cisco Adaptive Security Appliance (ASA) (EventID: %PIX|ASA-5-502101, %ASA-5-502101)

Cisco Firewall Services Module (FWSM) (EventID: 502101, 504001)

Cisco IOS (EventID: %APF-6-USER_NAME_CREATED)

Cisco Identity Services Engine (EventID: 86006)

Cisco NAC Appliance (EventID: CCA-1500)

Cisco PIX Firewall (EventID: %PIX-0-502101, %PIX-1-502101, %PIX-2-502101, %PIX-3-502101, %PIX-4-502101, %PIX-5-502101, %PIX-6-502101, %PIX-7-502101)

Cisco PIX Firewall (EventID: 502101)

Cisco Wireless LAN Controllers (EventID: %APF-6-USER_NAME_CREATED, 1.3.6.1.4.1.9.9.515.0.2)

Cisco Wireless Services Module (WiSM) (EventID: %AAA-6-GUEST_ACCOUNT_CREATE, %APF-6-USER_NAME_CREATED)

CloudPassage Halo (EventID: Halo user added, Halo user re-added, Local account created (linux only))

CorreLog Agent for IBM zOS (EventID: RACF ADDUSER: No Violations)

Cyber-Ark Vault (EventID: 180, 2)

EMC VMWare (EventID: AccountCreatedEvent)

Extreme Dragon Network IPS (EventID: HOST:WIN:ACCOUNT-CREATED)

Extreme Matrix K/N/S Series Switch (EventID: created with, User Created Event)

Extreme NAC (EventID: Added registered user, Add Registered User)

Flow Classification Engine (EventID: 3031, 3041)

Forcepoint Sidewinder (EventID: passport addition)

Fortinet FortiGate Security Gateway (EventID: add, auth-logon)

Foundry Fastiron (EventID: SNMP_USER_ADDED)

HBGary Active Defense (EventID: CreateUser)

HP Network Automation (EventID: User Added)

IBM AIX Audit (EventID: USER_Create SUCCEEDED)

IBM AIX Server (EventID: USER_Create)

IBM DB2 (EventID: ADD_USER SUCCESS)

IBM IMS (EventID: USER CREATED)

IBM Resource Access Control Facility (RACF) (EventID: 80 10.0, 80 10.2)

IBM Security Access Manager for Enterprise Single Sign-On (EventID: PRE_PROVISION_IMS_USER, AA_SCR_REGISTRATION, REGISTER_MAC_IDENTITY, REGISTER_IDENTITY)

IBM Security Directory Server (EventID: SDS Audit)

IBM Security Identity Governance (EventID: 49, 70004, 42)

IBM Security Identity Manager (EventID: Add Success, Add SUBMITTED, Add SUCCESS)

IBM SmartCloud Orchestrator (EventID: user)

IBM Tivoli Access Manager for e-business (EventID: 13402 - Succeeded, 13401 - Succeeded, 13402 Command Succeeded, 13401 Command Succeeded)

IBM i (EventID: GSL2401, MC@0300, GSL2402, M240100, CP_CRT)

Imperva SecureSphere (EventID: NEW_USERS_ACCOUNT, SOX_NEW_USERS, SOX - New users, New Users Account)

Itron Smart Meter (EventID: CEUI-AUDIT-27, CEUI.AUDIT.26)

Juniper Networks Network and Security Manager (EventID: adm23303, aut20167, adm30407, aut20168, adm20716, adm20717)

Linux OS (EventID: ADD_USER)

McAfee Application/Change Control (EventID: USER_ACCOUNT_CREATED)

McAfee ePolicy Orchestrator (EventID: 20792)

Microsoft ISA (EventID: user added)

Microsoft SQL Server (EventID: CR - SU, CR - US, CR - SL, CR - LX, CR - AR, CR - WU, 24127, 24121, 24075)

Microsoft SharePoint (EventID: 37)

Microsoft Windows Security Event Log (EventID: 624, 645, 1318, 4720, 4741)

NCC Group DDoS Secure (EventID: 1003)

Netskope Active (EventID: Create Admin, Created new admin)

Novell eDirectory (EventID: CREATE_ACCOUNT)

OS Services Qidmap (EventID: User Account Added)

OSSEC (EventID: 5902, 18110)

Okta (EventID: app.user_management.push_new_user_success, app.generic.import.details.add_user, app.generic.import.new_user, app.user_management.provision_user, app.user_management.push_new_user, app.user_management.push_profile_success, core.user.config.user_creation.success, core.user_group_member.user_add, cvd.user_profile_bootstrapped, cvd.appuser_profile_bootstrapped)

OpenBSD OS (EventID: add user)

Oracle Enterprise Manager (EventID: User Create (successful), Computer Create (successful))

Oracle RDBMS Audit Record (EventID: 51:1, 51:0, CREATE USER-Standard:1, CREATE USER-Standard:0)

Oracle RDBMS OS Audit Record (EventID: 51)

Pirean Access: One (EventID: IsimUserRegistration;*;1)

Pulse Secure Pulse Connect Secure (EventID: ADM23303, ADM20265, AUT20167, ADM30407, AUT20168)

RSA Authentication Manager (EventID: Added user, unknown, REMOTE_PRINCIPAL_CREATE, CREATE_PRINCIPAL, CREATE_AM_PRINCIPAL)

SIM Audit (EventID: Configuration-UserAccount-AccountAdded)

STEALTHbits StealthINTERCEPT (EventID: Active DirectorycomputerObject AddedTrueFalse, Console – user/group added, Console — user/group added, Active DirectoryuserObject AddedTrueFalse, Console - user/group added)

SafeNet DataSecure/KeySecure (EventID: Added user)

Salesforce Security Auditing (EventID: Created new Customer User, Created new user)

Skyhigh Networks Cloud Security Platform (EventID: 10016)

Solaris BSM (EventID: create user)

SonicWALL SonicOS (EventID: 558)

Symantec Encryption Management Server (EventID: ADMIN_IMPORTED_USER)

ThreatGRID Malware Threat Intelligence Platform (EventID: user-account-creation)

Trend Micro Deep Discovery Email Inspector (EventID: SYSTEM_EVENT_ACCOUNT_CREATED)

Trend Micro Deep Security (EventID: 650)

Universal DSM (EventID: Computer Account Added, User Account Added)

VMware vCloud Director (EventID: com/vmware/vcloud/event/user/create, com/vmware/vcloud/event/user/import)

Vormetric Data Security (EventID: DAO0089I)

iT-CUBE agileSI (EventID: U0, AU7)