UBA : Account or Group or Privileges Modified
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
UBA : Account or Group or Privileges Modified (formerly called UBA : User Account Change)
Enabled by default
False
Default senseValue
10
Description
Indicates when a user account was affected by an action that changes the user's effective privileges, either up or down.
False positive note: This event might misattribute modifications to an account name to the user making the changes. To reduce this false positive possibility, you can add the test 'and when Username equals AccountName'.
False negative note: This event might not detect all cases of account modifications for a user.
Support rules
- BB:UBA : Common Event Filters
- BB:UBA : Authentication User or Group or Policy Changed
Log source types
Microsoft Windows Security Event Log (EventID: 626, 642, 644, 1300, 1317, 625, 629, 4672, 4722, 4725, 4738, 4765, 4767, 4781, 4737, 4755)