The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
UBA : First Privilege Escalation
Description
Fires when a user is observed performing privileged access for the first time. When the rule is first
enabled, every user with privileged access looks new, so this reporting rule can be disabled while the
app baselines normal user behavior and re-enabled once that baseline is in place.
Support rule
BB:UBA : Privileged User, First Time Privilege Use (logic)
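To make the rule's logic concrete, the following added example (not code from the UBA app or from the building block above, whose internal logic is not shown on this page) keeps a set of users already seen performing privileged access and reports only the first occurrence per user. The `reporting` flag models the documented option to disable reporting during baselining: events still populate the seen set, but no alert is raised. The sudo syslog lines are constructed sample input, and the `user`, `target` and `command` field names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample Linux sudo syslog lines (not real data). One sshd line is
# included to show that non-privileged events are ignored by the matcher.
SAMPLE_LOG = """\
Mar  3 09:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar  3 09:15:44 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail /var/log/nginx/error.log
Mar  3 09:20:10 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 09:21:02 db01 sshd[2231]: Accepted publickey for carol from 10.0.0.5 port 50122 ssh2
Mar  3 09:25:37 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl reload nginx
Mar  3 09:30:00 db01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

# Matches the standard sudo log format: "<user> : ... USER=<target> ; COMMAND=<cmd>".
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+.*?USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)


@dataclass
class FirstPrivilegeUseDetector:
    """Tracks which users have already been seen using privileged access.

    reporting=False corresponds to disabling the reporting rule while
    baselining: events still update seen_users, but no alert is produced.
    In a real deployment seen_users would be persisted, not kept in memory.
    """
    reporting: bool = True
    seen_users: set = field(default_factory=set)

    def process(self, line):
        m = SUDO_RE.search(line)
        if not m:
            return None  # not a privileged-access event for this example
        user = m.group("user")
        first_time = user not in self.seen_users
        self.seen_users.add(user)  # baseline updates whether or not we report
        if first_time and self.reporting:
            return {"user": user, "target": m.group("target"), "command": m.group("cmd")}
        return None


def run(lines, reporting=True, baseline=()):
    """Feed log lines through the detector; return (alerts, users seen so far).

    baseline: users already known to use privilege (e.g. from an earlier
    baselining run) so that they do not trigger a first-use alert.
    """
    detector = FirstPrivilegeUseDetector(reporting=reporting, seen_users=set(baseline))
    alerts = []
    for line in lines:
        alert = detector.process(line)
        if alert:
            alerts.append(alert)
    return alerts, detector.seen_users


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    # Baselining pass: reporting disabled, only the seen set is learned.
    _, learned = run(lines, reporting=False)
    print("baseline learned:", sorted(learned))
    # Detection pass with a pre-existing baseline: alice is known, bob and carol are new.
    alerts, _ = run(lines, baseline={"alice"})
    for a in alerts:
        print(f"first privilege use: {a['user']} -> {a['target']}: {a['command']}")
```

The second run shows why the baselining option matters: with an empty baseline, alice, bob and carol all raise an alert on their first sudo line, whereas with alice already baselined only bob and carol do. Only the first line per user alerts; alice's later sudo invocations are silent.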
Log source types
APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Application Security DbProtect, Arbor
Networks Pravail, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy
Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Web Application Firewall, Bit9
Security Platform, Bluemix Platform, Box, Bridgewater Systems AAA Service Controller, Brocade
FabricOS, CA ACF2, CA Top Secret, CRE System, Carbon Black Protection, Centrify Server Suite, Check
Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco
CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco FireSIGHT Management Center, Cisco
Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion
Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco
VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM),
Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Cloudera Navigator, CorreLog Agent for
IBM zOS, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, DG Technology MEAS, EMC VMWare,
Enterasys Matrix K/N/S Series Switch, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE
Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme NAC, Extreme
NetsightASM, F5 Networks BIG-IP APM, F5 Networks BIG-IP ASM, F5 Networks BIG-IP LTM, Flow
Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron,
H3C Comware Platform, HBGary Active Defense, HP Network Automation, Honeycomb Lexicon File Integrity
Monitor, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM
AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM Guardium, IBM IMS, IBM
Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM Resource Access Control
Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Directory
Server, IBM Security Identity Governance, IBM Security Identity Manager, IBM Security Trusteer Apex
Advanced Malware Protection, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business,
IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, ISC BIND, Imperva SecureSphere,
Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper
Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper
Networks Network and Security Manager, Juniper WirelessLAN, Juniper vGW, Kaspersky Security Center,
Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee
Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo
MetaIP, Microsoft DHCP Server, Microsoft Endpoint Protection, Microsoft Hyper-V, Microsoft IIS,
Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL
Server, Microsoft SharePoint, Microsoft Windows Security Event Log, NCC Group DDos Secure, Netskope
Active, Niara, Nortel Application Switch, Nortel Ethernet Routing Switch 2500/4500/5500, Nortel
Ethernet Routing Switch 8300/8600, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router,
Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle
Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise
Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto
Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, PostFix MailTransferAgent,
Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA
Authentication Manager, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler Audit,
SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce
Security Auditing, Samhain HIDS, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort
Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating
System Sendmail Logs, SonicWALL SonicOS, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft
Management Center, Sybase ASE, Symantec Critical System Protection, Symantec Endpoint Protection,
Symantec System Center, System Notification, ThreatGRID Malware Threat Intelligence Platform,
TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend
Micro Control Manager, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Discovery
Inspector, Trend Micro Deep Security, Tripwire Enterprise, Universal DSM, VMware vCloud Director,
VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data
Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI