UBA : Anomalous Cloud Account Created From New Location
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
Enabled by default
False
Default senseValue
10
Description
Detects cloud account creation activities from a new location.
Support rules
- BB:UBA : Common Event Filters
- BB:UBA : Cloud Endpoints
- BB:UBA : User Account Created
- UBA : User Geography Change
Required configuration
Enable the following rule: "UBA : User Geography Change".
Log source types
Amazon AWS CloudTrail (EventID: CreateUser)
Microsoft Office 365 (EventID: Add User-success, Add user-PartiallySucceded)
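
The following sketch is an added illustration of the logic this rule describes, not IBM's rule implementation: an account-creation event from one of the listed cloud log sources is flagged only when the acting user's location is new for that user. The normalized event tuple, the per-user country baseline, the no-baseline behavior and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict

# Account-creation event IDs listed on this page, keyed by log source type.
ACCOUNT_CREATED = {
    "Amazon AWS CloudTrail": {"CreateUser"},
    "Microsoft Office 365": {"Add User-success", "Add user-PartiallySucceded"},
}
SENSE_VALUE = 10  # default senseValue from this page


def detect(events):
    """Return (alerts, risk) for account creations made from a new location.

    Each event is a hypothetical normalized tuple:
    (log_source, event_id, username_of_acting_user, country).
    """
    seen = defaultdict(set)   # username -> countries observed so far
    risk = defaultdict(int)   # username -> accumulated sense value
    alerts = []
    for log_source, event_id, user, country in events:
        # Geography change: the user already has a baseline and this
        # country is not in it. A first-ever event only sets the baseline
        # (assumption of this sketch).
        geo_change = bool(seen[user]) and country not in seen[user]
        created = event_id in ACCOUNT_CREATED.get(log_source, set())
        if created and geo_change:
            alerts.append((user, event_id, country))
            risk[user] += SENSE_VALUE
        seen[user].add(country)
    return alerts, dict(risk)


# Constructed sample events (not real log data).
SAMPLE = [
    ("Amazon AWS CloudTrail", "ConsoleLogin", "alice", "US"),  # baseline
    ("Amazon AWS CloudTrail", "CreateUser", "alice", "US"),    # known location
    ("Amazon AWS CloudTrail", "CreateUser", "alice", "RO"),    # new location
    ("Microsoft Office 365", "Add User-success", "bob", "DE"), # no baseline yet
    ("Microsoft Office 365", "UserLoggedIn", "bob", "BR"),     # geo change only
    ("Microsoft Office 365", "Add user-PartiallySucceded", "bob", "JP"),
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```
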