Suspicious account modification

IBM® QRadar® supports the monitoring of hundreds of user-based activities to help detect anomalous or malicious behaviors. For example, suspicious account modifications might indicate an attempt to gain illegitimate access for malicious purposes, such as altering and exfiltrating proprietary company data.

By adding user context to network, log, vulnerability, and threat data, QRadar helps you to quickly determine the risk profile of users inside your network and to investigate any deviation from typical user behavior that might be deemed threatening.

To monitor user-based activities in your QRadar environment, you can download the IBM QRadar User Behavior Analytics app from the IBM Security App Exchange (https://exchange.force.ibmcloud.com/hub/extension/IBMQRadar:UserBehaviorAnalytics).

Simulating the threat

In this simulation, the incoming events indicate that an account was created, used, and then deleted. The Custom Rule Engine (CRE) processes the events and determines that this activity might be malicious.

To see how QRadar detects the threat, run the simulation.
  1. On the Log Activity tab, click Show Experience Center.
  2. Click Threat simulator.
  3. Locate the Suspicious account modification simulation and click Run.

On the Log Activity tab, you can see events start to come into QRadar, indicating that accounts were added or deleted.

Detecting the threat: QRadar in action

This threat simulation uses the following reference sets:
  • The EC UserAccountCreated reference set is populated by the EC: User Account - Add Account Name to EC UserAccountCreated rule.

    When an event falls into the low-level User Account Added category, the rule adds the EC Target Account Name to the reference set.

  • The EC UserAccountUsed reference set is populated by the EC: User Account - Add Account Name to EC UserAccountUsed rule.

    When an event falls into the low-level User Login Success category, the rule adds the Username to the reference set.

Both reference sets are configured with a time to live of one hour: an account name that was added more than an hour ago is removed from the set, so the sets only ever hold accounts that were created or used recently.

To determine when an account is being removed, the EC: User Account Created and Used and Removed rule uses the ECBB:CategoryDefinition: User Account Removed building block.

Account activity that includes creating, using, and deleting an account all within a short time is considered potentially malicious behavior. When an account that is being removed also exists in both reference sets, QRadar creates an offense that is named User Account Created and Deleted within a short time frame (Exp Center) to warn you about the potential threat. The offense is indexed based on Username, which ensures that all events that contribute to the same threat are associated with the same offense.

The rules that contribute to the reference sets when user accounts are created or used do not generate offenses.
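The following model of the three rules and the two reference sets is an added example, not QRadar code and not part of the Experience Center content. The rule, reference-set and offense names follow the page; the event field names, the constructed sample events, the assumption that the reference-set TTL counts from the last time a name was added, and the use of EC Target Account Name as the name of the removed account are assumptions made for the example. It shows why the one-hour TTL matters: the same create, use, delete sequence raises an offense only when the deletion lands while both reference-set entries are still alive.

```python
"""Model of the CRE logic behind the Suspicious account modification use case.

Added example, not QRadar code. The rule and reference-set names follow the
page; event field names, the sample events and the time-to-live behaviour
are assumptions made for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

OFFENSE_NAME = "User Account Created and Deleted within a short time frame (Exp Center)"
REFERENCE_SET_TTL = timedelta(hours=1)  # elements older than one hour are removed


@dataclass
class Event:
    """A normalized event as the CRE sees it (constructed field set)."""
    time: datetime
    low_level_category: str   # "User Account Added", "User Login Success", "User Account Removed"
    username: str             # QRadar Username: the account performing the action
    target_account: Optional[str] = None  # "EC Target Account Name": the account acted on


class ReferenceSet:
    """A QRadar reference set with a time-to-live on its elements.

    Assumption: the TTL counts from when an element was last added, so
    re-adding a name refreshes it."""

    def __init__(self, name: str, ttl: timedelta) -> None:
        self.name = name
        self.ttl = ttl
        self._elements: Dict[str, datetime] = {}

    def add(self, value: str, now: datetime) -> None:
        self._elements[value] = now

    def expire(self, now: datetime) -> None:
        """Drop elements older than the TTL (QRadar does this on its own)."""
        for value in [v for v, t in self._elements.items() if now - t > self.ttl]:
            del self._elements[value]

    def __contains__(self, value: str) -> bool:
        return value in self._elements


@dataclass
class Offense:
    name: str
    index_username: str       # the offense index field
    events: List[Event] = field(default_factory=list)


class CustomRuleEngine:
    """The three EC rules from the page."""

    def __init__(self) -> None:
        self.created = ReferenceSet("EC UserAccountCreated", REFERENCE_SET_TTL)
        self.used = ReferenceSet("EC UserAccountUsed", REFERENCE_SET_TTL)
        self.offenses: Dict[str, Offense] = {}   # keyed by Username

    def process(self, event: Event) -> Optional[Offense]:
        now = event.time
        self.created.expire(now)
        self.used.expire(now)
        cat = event.low_level_category

        if cat == "User Account Added" and event.target_account:
            # EC: Add Account Name to EC UserAccountCreated (contributes, no offense)
            self.created.add(event.target_account, now)
        elif cat == "User Login Success":
            # EC: Add Account Name to EC UserAccountUsed (contributes, no offense)
            self.used.add(event.username, now)
        elif cat == "User Account Removed":
            # EC: User Account Created and Used and Removed (the only offense rule)
            removed = event.target_account or event.username
            if removed in self.created and removed in self.used:
                offense = self.offenses.setdefault(
                    event.username, Offense(OFFENSE_NAME, event.username))
                offense.events.append(event)
                return offense
        return None


def run_simulation(events: List[Event]) -> List[Offense]:
    """Feed events through the CRE in time order and return the offenses raised."""
    cre = CustomRuleEngine()
    for event in sorted(events, key=lambda e: e.time):
        cre.process(event)
    return list(cre.offenses.values())


def sample_events() -> List[Event]:
    """Constructed events; "admin" creates and deletes the accounts."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)

    def at(minutes: int) -> datetime:
        return t0 + timedelta(minutes=minutes)

    return [
        # created, logged on with, and deleted inside ten minutes -> offense
        Event(at(0), "User Account Added", "admin", target_account="svc_tmp"),
        Event(at(5), "User Login Success", "svc_tmp"),
        Event(at(10), "User Account Removed", "admin", target_account="svc_tmp"),
        # created and used, but deleted two hours later -> TTL expired, no offense
        Event(at(0), "User Account Added", "admin", target_account="contractor1"),
        Event(at(3), "User Login Success", "contractor1"),
        Event(at(130), "User Account Removed", "admin", target_account="contractor1"),
        # deleted without being created inside the window -> no offense
        Event(at(20), "User Account Removed", "admin", target_account="olduser"),
    ]


if __name__ == "__main__":
    for offense in run_simulation(sample_events()):
        names = ", ".join(e.target_account or e.username for e in offense.events)
        print(f"{offense.name} [index: {offense.index_username}] -> {names}")
```

Running the module prints a single offense for svc_tmp; contractor1 produces none because its reference-set entries have aged out by the time the deletion arrives, and olduser produces none because it never entered the created set. Note that a real Windows account-deleted event carries the deleting administrator in Username and the deleted account in the target field, which is why the membership check above uses the target account while the offense index follows the page and uses Username.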

Investigating the threat

The following IBM QRadar content is created by the Suspicious account modification threat simulation. After you run the simulation, you can use this content to trace and investigate the threat.

Table 1. QRadar content for the Suspicious account modification simulation

  Content          Name
  ---------------  ------------------------------------------------------------
  Saved Search     EC: Suspicious Account Modification
  Incoming events  • Success Audit: A user account was created
                   • Success Audit: A user account was deleted
                   • Success Audit: A user account was successfully logged on
                   The log source for the incoming events is
                   Experience Center: WindowsAuthServer.
  Reference sets   EC UserAccountCreated
                   EC UserAccountUsed
  Rules            • EC: Add Account Name to EC UserAccountCreated
                   • EC: Add Account Name to EC UserAccountUsed
                   • EC: User Account Created and Used and Removed
                   Only the EC: User Account Created and Used and Removed rule
                   creates an offense. The other two rules populate the
                   reference sets.
  Generated event  User Account Created and Deleted within a short time frame
                   (Exp Center)
                   The log source for events that QRadar generates is the
                   Custom Rule Engine (CRE).
  Offense          User Account Created and Used and Deleted within a short
                   time frame (Exp Center)
                   The offense is indexed on Username, so all events that
                   trigger this rule and carry the same username are part of
                   the same offense.

Depending on the events and rules that already exist in your environment before you run the use case, the name of the offense might include the text preceded by <offense name> or containing <offense name>, where <offense name> is the name that another rule contributed to the same offense.