Creating a custom model
Create a custom model to measure and baseline a numeric feature for a person per hour.
Before you begin
Review the following model details for each model template:
About this task
You can create a custom model so that you can review the learned behavior and the actual data for users. If the observed value deviates significantly from the baseline behavior, an alert is generated and the user's risk score is raised. Examples of models you can create include: how much data a user downloads, how many applications a user runs, or how many emails a user sends per hour.
Attention: After you configure or modify your settings, it takes a minimum of 1 hour to ingest data, build an initial model, and see initial results for users.
Active users are monitored continuously. If a user has no activity for 28 days, the user and the user's data are removed from the model. If the user becomes active again, they return as a new user with no prior baseline.
Application Events
Procedure
- Event Name: UBA : Custom Analytic Anomaly
- senseValue: 5
- Required configuration: System is monitoring events that have the QRadar high-level category of Application.
- Log source types: APC UPS, Apache HTTP Server, Application Security DbProtect, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Web Application Firewall, Barracuda Web Filter, Blue Coat Web Security Service, BlueCat Networks Adonis, CRE System, Centrify Infrastructure Services, Check Point, Cilasoft QJRN/400, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco FireSIGHT Management Center, Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco Meraki, Cisco Nexus, Cisco PIX Firewall, Cisco Stealthwatch, Cisco Umbrella, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, Custom Rule Engine, Cyber-Ark Vault, DG Technology MEAS, EMC VMWare, Event CRE Injected, Extreme Matrix K/N/S Series Switch, Extreme Stackable and Standalone Switches, F5 Networks BIG-IP AFM, F5 Networks BIG-IP ASM, F5 Networks BIG-IP LTM, Fidelis XPS, FireEye, Flow Classification Engine, Flow Device Type, Forcepoint Sidewinder, Forcepoint V Series, Fortinet FortiGate Security Gateway, FreeRADIUS, H3C Comware Platform, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM DB2, IBM DataPower, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM Resource Access Control Facility (RACF), IBM Security Directory Server, IBM Tivoli Access Manager for e-business, IBM i, IBM z/OS, ISC BIND, Imperva SecureSphere, Infoblox NIOS, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks AVT, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper WirelessLAN, Kisco Information Systems SafeNet/i, Linux DHCP Server, McAfee Network Security Platform, McAfee Web Gateway, Metainfo MetaIP, Microsoft DHCP Server, Microsoft DNS Debug, Microsoft Exchange Server, Microsoft IIS, Microsoft Office 365, Microsoft Operations Manager, Microsoft Windows Security Event Log, Motorola SymbolAP, NGINX HTTP Server, Nortel Contivity VPN Switch, Nortel VPN Gateway, OS Services Qidmap, OSSEC, ObserveIT, Okta, Open LDAP Software, OpenBSD OS, Oracle BEA WebLogic, Oracle Database Listener, PostFix MailTransferAgent, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware DefensePro, SSH CryptoAuditor, Skyhigh Networks Cloud Security Platform, Solaris Operating System Authentication Messages, Solaris Operating System DHCP Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Sophos Web Security Appliance, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sun ONE LDAP, Symantec Critical System Protection, Symantec Encryption Management Server, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), Top Layer IPS, Trend InterScan VirusWall, Trend Micro Deep Security, Universal DSM, Venustech Venusense Security Platform, Verdasys Digital Guardian, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI
SourceIP
Procedure
- Event Name: UBA : Custom Analytic Anomaly
- senseValue: 5
- Log source types: Any log source whose events contain a user name and a source IP address.
Destination Port
Procedure
- Event Name: UBA : Custom Analytic Anomaly
- senseValue: 5
- Log source types: Any log source whose events contain a user name and a destination port.
Office File Access
Procedure
- Event Name: UBA : Custom Analytic Anomaly
- senseValue: 5
- Required configuration: System is monitoring events that have QRadar event names that include the word "file".
- Log source type: Microsoft Office 365
AWS Access
Procedure
- Event Name: UBA : Custom Analytic Anomaly
- senseValue: 5
- Required configuration: System is monitoring events that contain QRadar event names that include the word "bucket".
- Log source types: Amazon AWS Cloudtrail
Process
Procedure
- Event Name: UBA : Custom Analytic Anomaly
- senseValue: 5
- Required configuration: Custom event property 'Process' must exist for the desired log source type.
- Log source types: Microsoft Windows Security Event Log; Linux OS
Website
Procedure
- Event Name: UBA : Custom Analytic Anomaly
- senseValue: 5
- Support rules: 'UBA : Browsed to Entertainment Website', 'UBA : Browsed to LifeStyle Website', 'UBA : Browsed to Business/Service Website', 'UBA : Browsed to Communications Website'
- Required configuration: Custom event property 'Web Category' must exist for the desired log source type.
- Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series, Forcepoint V Series, Fortinet FortiGate Security Gateway
Risky IP
Procedure
- Event Name: UBA : Custom Analytic Anomaly
- senseValue: 5
- Required configuration: Set "Enable X-Force Threat Intelligence Feed" to Yes in .
- Log source types: Any log source with events that have a user name.
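The following is an added illustration of what a custom model does with the templates listed above, written for this page; it is not QRadar or UBA code and does not reproduce UBA's actual analytics. It counts, per user and per hour, the events a template selects (here the AWS Access template: CloudTrail events whose name contains "bucket"), compares a completed hour with the user's learned hours, adds the senseValue of 5 to the user's risk score when the hour is significantly above baseline, and drops a user after 28 days of inactivity so that they return as a new user. The event dictionary shape, the 3-standard-deviation threshold, the minimum of three learned hours, the floor on the deviation, and the template selectors are all assumptions made for the example; the sample events are constructed, not real log data.

```python
"""Per-user, per-hour baselining in the style of the UBA custom model
templates above. Added illustration only; not QRadar or UBA code."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

SENSE_VALUE = 5          # risk-score increment the templates list as senseValue
INACTIVE_DAYS = 28       # page: a user idle this long is dropped from the model
MIN_LEARNED_HOURS = 3    # assumption: hours of history needed before scoring
SIGMA_THRESHOLD = 3.0    # assumption: "significant" = more than 3 std devs above the mean

# Assumed event selectors mirroring the templates' "Required configuration".
# Events are plain dicts (an assumed shape, not QRadar's event format).
TEMPLATES = {
    "AWS Access": lambda e: e.get("logsource") == "Amazon AWS Cloudtrail"
                            and "bucket" in e.get("event_name", "").lower(),
    "Office File Access": lambda e: e.get("logsource") == "Microsoft Office 365"
                                    and "file" in e.get("event_name", "").lower(),
    "Process": lambda e: "Process" in e,   # the custom property must be present
}


class HourlyUserModel:
    def __init__(self, template):
        self.select = TEMPLATES[template]
        self.counts = defaultdict(lambda: defaultdict(int))  # user -> hour -> count
        self.last_seen = {}                                  # user -> last event time
        self.risk = defaultdict(int)                         # user -> accumulated risk

    def ingest(self, event):
        """Feed one event in time order; only events the template selects are counted."""
        ts = datetime.fromisoformat(event["time"])
        self._evict_inactive(ts)
        self.last_seen[event["user"]] = ts
        if self.select(event):
            hour = ts.replace(minute=0, second=0, microsecond=0)
            self.counts[event["user"]][hour] += 1

    def _evict_inactive(self, now):
        """Drop users with no activity for INACTIVE_DAYS; they come back as new users."""
        for user, seen in list(self.last_seen.items()):
            if now - seen > timedelta(days=INACTIVE_DAYS):
                del self.last_seen[user]
                self.counts.pop(user, None)
                self.risk.pop(user, None)

    def score_hour(self, user, hour):
        """Compare one hour's count with the user's other learned hours.
        Returns (flagged, baseline_mean, observed); a flagged hour adds SENSE_VALUE.
        Simplification: hours with no selected events are not back-filled as zeros."""
        hours = self.counts.get(user, {})
        observed = hours.get(hour, 0)
        learned = [c for h, c in hours.items() if h != hour]
        if len(learned) < MIN_LEARNED_HOURS:
            return False, None, observed          # still building the initial model
        mu, sd = mean(learned), pstdev(learned)
        # Floor the deviation at 1 event so a flat history does not flag every +1.
        flagged = observed > mu + SIGMA_THRESHOLD * max(sd, 1.0)
        if flagged:
            self.risk[user] += SENSE_VALUE
        return flagged, mu, observed


def build_events():
    """Constructed CloudTrail-style sample events; not real log data."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    src = "Amazon AWS Cloudtrail"
    events = [{"time": (base - timedelta(days=30)).isoformat(), "user": "bob",
               "logsource": src, "event_name": "GetBucketAcl"}]   # idle > 28 days
    # alice: three ordinary hours (2, 3, 2 bucket calls), then a burst of 20.
    for hour_offset, n in [(0, 2), (1, 3), (2, 2), (3, 20)]:
        for i in range(n):
            events.append({"time": (base + timedelta(hours=hour_offset, minutes=i)).isoformat(),
                           "user": "alice", "logsource": src, "event_name": "ListBucket"})
    # Non-bucket call in the burst hour: the AWS Access template ignores it.
    events.append({"time": (base + timedelta(hours=3, minutes=30)).isoformat(),
                   "user": "alice", "logsource": src, "event_name": "DescribeInstances"})
    return events


def run_demo():
    model = HourlyUserModel("AWS Access")
    for e in sorted(build_events(), key=lambda ev: ev["time"]):
        model.ingest(e)
    burst_hour = datetime(2024, 5, 1, 12, 0, 0)
    flagged, mu, observed = model.score_hour("alice", burst_hour)
    return {"flagged": flagged, "baseline_mean": mu, "observed": observed,
            "risk": model.risk["alice"], "bob_present": "bob" in model.last_seen,
            "untrained": model.score_hour("carol", burst_hour)}


if __name__ == "__main__":
    print(run_demo())
```

Running it flags alice's burst hour (20 bucket calls against learned hours of 2, 3 and 2) and raises her risk by 5, ignores the DescribeInstances event because the template only counts "bucket" events, reports nothing for carol because she has fewer than the assumed three learned hours (the "initial model" period), and shows that bob, last seen 30 days earlier, has been evicted. The same structure applies to the other templates by swapping the selector and the feature being counted; what "significant" means in the real product is not stated on this page, so the threshold here is illustrative only.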