UBA : Anomalous Cloud Account Created From New Location

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default

False

Default senseValue

10

Description

Detects cloud account creation activities from a new location.

Support rules

  • BB:UBA : Common Event Filters
  • BB:UBA : Cloud Endpoints
  • BB:UBA : User Account Created
  • UBA : User Geography Change

Required configuration

Enable the following rule: "UBA : User Geography Change".

Log source types

Amazon AWS CloudTrail (EventID: CreateUser)

Microsoft Office 365 (EventID: Add User-success, Add user-PartiallySucceded)
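
The correlation this rule describes, account-creation events joined with a per-user geography change, can be modelled as follows. This is an added example, not QRadar's rule implementation: the event field names, users, country codes, the "UserLoggedIn" non-creation event and the choice to only learn (not alert on) users with no location history are assumptions; the event IDs and senseValue are taken from this page.

```python
# Added illustration: a simplified model, not QRadar's rule implementation.
SENSE_VALUE = 10  # default senseValue listed on this page

# Event IDs per log source type, copied from the page.
CREATION_EVENTS = {
    "Amazon AWS CloudTrail": {"CreateUser"},
    "Microsoft Office 365": {"Add User-success", "Add user-PartiallySucceded"},
}

def is_account_creation(ev):
    return ev["event_id"] in CREATION_EVENTS.get(ev["log_source"], set())

def detect(events, known_locations, geography_rule_enabled=True):
    """Return one alert per account creation made from a country that is new
    for the acting user. known_locations (user -> set of countries) is updated
    in place. Assumption: a user with no history yet is only learned."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        seen = known_locations.setdefault(ev["user"], set())
        geography_change = bool(seen) and ev["country"] not in seen
        seen.add(ev["country"])
        # Without the geography rule there is no "new location" signal to join on.
        if geography_rule_enabled and geography_change and is_account_creation(ev):
            alerts.append({"user": ev["user"], "country": ev["country"],
                           "event_id": ev["event_id"], "sense_value": SENSE_VALUE})
    return alerts

# Constructed sample data: field names, users and country codes are made up.
def sample_baseline():
    return {"alice": {"US"}, "bob": {"DE"}, "carol": {"GB"}}

AWS, O365 = "Amazon AWS CloudTrail", "Microsoft Office 365"
SAMPLE_EVENTS = [
    {"time": 1, "user": "alice", "country": "US", "log_source": AWS, "event_id": "CreateUser"},
    {"time": 2, "user": "alice", "country": "RO", "log_source": AWS, "event_id": "CreateUser"},
    {"time": 3, "user": "bob", "country": "BR", "log_source": O365, "event_id": "Add user-PartiallySucceded"},
    {"time": 4, "user": "carol", "country": "FR", "log_source": O365, "event_id": "UserLoggedIn"},
    {"time": 5, "user": "dave", "country": "JP", "log_source": AWS, "event_id": "CreateUser"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, sample_baseline()):
        print(alert)
```

With the geography rule disabled the same events produce no alerts, which is why "UBA : User Geography Change" is listed as required configuration.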