UBA : Account or Group or Privileges Modified

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Account or Group or Privileges Modified (formerly called UBA : User Account Change)

Enabled by default

False

Default senseValue

10

Description

Indicates when a user account was affected by an action that changes the user's effective privileges, either up or down.
False positive note: This event might misattribute modifications to an account name to the user making the changes. To reduce this false positive possibility, you can add the test 'and when Username equals AccountName'.
False negative note: This event might not detect all cases of account modifications for a user.

Support rules

  • BB:UBA : Common Event Filters
  • BB:UBA : Authentication User or Group or Policy Changed

Log source types

Microsoft Windows Security Event Log (EventID: 626, 642, 644, 1300, 1317, 625, 629, 4672, 4722, 4725, 4738, 4765, 4767, 4781, 4737, 4755)
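
The following is an added example, not IBM's rule definition or QRadar's rule engine: a simplified Python model of the rule run over constructed events, showing how the extra test 'and when Username equals AccountName' changes which users accumulate the senseValue. The field names `username` and `account_name`, the sample events, and the per-match scoring are assumptions for illustration.

```python
from collections import Counter

# Windows Security Event IDs listed for this rule on the page.
RULE_EVENT_IDS = {626, 642, 644, 1300, 1317, 625, 629, 4672, 4722, 4725,
                  4738, 4765, 4767, 4781, 4737, 4755}
SENSE_VALUE = 10  # default senseValue from the page

# Constructed sample events (not real logs). Assumption: "username" is the
# user the event is attributed to, "account_name" is the modified account.
SAMPLE_EVENTS = [
    {"event_id": 4738, "username": "admin1", "account_name": "jdoe"},
    {"event_id": 4725, "username": "admin1", "account_name": "asmith"},
    {"event_id": 4738, "username": "jdoe", "account_name": "jdoe"},
    {"event_id": 4672, "username": "svc_backup", "account_name": "svc_backup"},
    {"event_id": 4624, "username": "jdoe", "account_name": "jdoe"},  # ID not in the rule's list
]

def rule_matches(event, require_same_account=False):
    """Return True if the modelled rule fires for this event."""
    if event["event_id"] not in RULE_EVENT_IDS:
        return False
    if require_same_account:
        # Models the added test 'and when Username equals AccountName'.
        return event["username"] == event["account_name"]
    return True

def risk_by_user(events, require_same_account=False):
    """Sum the senseValue per attributed username for every rule match."""
    scores = Counter()
    for ev in events:
        if rule_matches(ev, require_same_account):
            scores[ev["username"]] += SENSE_VALUE
    return dict(scores)

def suppressed(events):
    """Events that fire by default but are dropped once the test is added."""
    return [ev for ev in events
            if rule_matches(ev) and not rule_matches(ev, True)]

if __name__ == "__main__":
    print("default rule:", risk_by_user(SAMPLE_EVENTS))
    print("with test   :", risk_by_user(SAMPLE_EVENTS, True))
    print("suppressed  :", suppressed(SAMPLE_EVENTS))
```

In this model, the events returned by `suppressed` no longer raise any user's score once the test is added, so they are the ones to review before enabling it.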