UBA : Expired Account Used

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Expired Account Used (formerly called UBA : Orphaned or Revoked or Suspended Account Used)

Enabled by default: False

Default senseValue: 10

Description

Indicates that a user attempted to log in to a disabled or an expired account on a local system. This rule might also suggest that an account was compromised.

Although not required, you can enable the "Search assets for username, when username is not available for event or flow data" setting in Admin Settings > UBA Settings so that events lacking a username can still be attributed to a user.

Support rules

  • BB:UBA : Common Event Filters
  • BB:CategoryDefinition: Authentication to Expired Account
  • BB:UBA : Expired Accounts (Kerberos)

Log source types

Extreme Dragon Network IPS (EventID: HOST:WIN:532-ACCOUNT-EXPIRED, HOST:WIN:535-PWD-EXPIRED)

Microsoft Windows Security Event Log (EventID: 532, 535, 4768, 4771, 4772, 4625, 4776)

IBM Proventia Network Intrusion Prevention System (IPS) (EventID: Failed_login-account_expired, Failed_login-password_expired, NovellEdirectoryExpiredAccounts, SolarisUseraddExpiredAccounts)

Cisco CatOS for Catalyst Switches (EventID: HA_POLICY_TIMER_EXPIRED)

Juniper Junos OS Platform (EventID: LOGIN_PASSWORD_EXPIRED)

Microsoft IAS Server (EventID: IAS_ACCOUNT_EXPIRED)
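As an added illustration (not IBM's code) of the logic behind this rule: filter events by the Windows Security Event IDs listed above, keep the ones whose failure code means a disabled or expired account or an expired password, and add the rule's default senseValue of 10 to the user's risk score. It assumes a simplified key=value event format and uses the standard Windows NTSTATUS and Kerberos failure codes, which this page does not list.

```python
from collections import defaultdict

DEFAULT_SENSE_VALUE = 10  # the rule's default senseValue as listed on this page
# Windows Security Event Log IDs that this page lists as feeding the rule.
EXPIRED_ACCOUNT_EVENT_IDS = {532, 535, 4768, 4771, 4772, 4625, 4776}
# Failure codes meaning disabled/expired account or expired password. These are
# standard Windows NTSTATUS and Kerberos values (assumed here; not on the page).
NTSTATUS_CODES = {"0xc0000072": "account disabled", "0xc0000193": "account expired",
                  "0xc0000071": "password expired"}
KERBEROS_CODES = {"0x12": "client revoked (disabled or expired)",  # KDC_ERR_CLIENT_REVOKED
                  "0x17": "password expired"}                       # KDC_ERR_KEY_EXPIRED

def parse_event(line):
    """Parse one constructed 'key=value key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split() if "=" in field)

def classify(event):
    """Return why the event counts as an expired-account use, or None if it does not."""
    event_id = int(event.get("EventID", "0")) if event.get("EventID", "0").isdigit() else 0
    if event_id not in EXPIRED_ACCOUNT_EVENT_IDS:
        return None
    if event_id in (4768, 4771, 4772):  # Kerberos ticket request failures
        code = event.get("FailureCode") or event.get("ResultCode") or ""
        return KERBEROS_CODES.get(code.lower())
    if event_id in (4625, 4776):        # logon / NTLM credential validation failures
        code = event.get("SubStatus") or event.get("ErrorCode") or ""
        return NTSTATUS_CODES.get(code.lower())
    return "legacy expired-account event"  # 532 / 535 carry the reason in the ID itself

def score_users(lines, sense_value=DEFAULT_SENSE_VALUE):
    """Add senseValue to a user's risk score for each matching event."""
    risk, reasons = defaultdict(int), defaultdict(list)
    for event in map(parse_event, lines):
        reason = classify(event)
        if reason:
            user = event.get("TargetUserName", "unknown")
            risk[user] += sense_value
            reasons[user].append(reason)
    return dict(risk), dict(reasons)

# Constructed sample events (not real log data) in the simplified format above.
SAMPLE_EVENTS = [
    "EventID=4625 TargetUserName=jsmith SubStatus=0xC0000193 LogonType=3",
    "EventID=4771 TargetUserName=jsmith FailureCode=0x12",
    "EventID=4625 TargetUserName=adoe SubStatus=0xC000006A LogonType=2",  # bad password only
    "EventID=4776 TargetUserName=svc_backup ErrorCode=0xC0000071",
    "EventID=4624 TargetUserName=adoe LogonType=2",  # successful logon, not in the rule
]

if __name__ == "__main__":
    print(score_users(SAMPLE_EVENTS))
```

The bad-password and successful-logon lines are left unscored, which is the distinction the rule relies on: only authentication failures whose reason is an expired or disabled account, not every failed logon, raise the user's risk.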