Suspicious account modification
IBM® QRadar® supports the monitoring of hundreds of user-based activities to help detect anomalous or malicious behaviors. For example, suspicious account modifications might indicate an attempt to gain illegitimate access for malicious purposes, such as altering and exfiltrating company proprietary data.
By adding user context to network, log, vulnerability, and threat data, QRadar helps you to quickly determine the risk profile of users inside your network and to investigate any deviation from typical user behavior that might be deemed threatening.
To monitor user-based activities in your QRadar environment, you can download the IBM QRadar User Behavior Analytics app from the IBM Security App Exchange (https://exchange.force.ibmcloud.com/hub/extension/IBMQRadar:UserBehaviorAnalytics).
Simulating the threat
In this simulation, the incoming events indicate that an account was created, used, and then deleted. The Custom Rule Engine (CRE) processes the events and determines that this activity might be malicious.
- On the Log Activity tab, click Show Experience Center.
- Click Threat simulator.
- Locate the Suspicious account modification simulation and click Run.
On the Log Activity tab, you can see events start to come into QRadar, indicating that accounts were added or deleted.
Detecting the threat: QRadar in action
- The EC UserAccountCreated reference set is populated by the EC: User Account - Add Account Name to EC UserAccountCreated rule. When an event falls into the low-level User Account Added category, the rule adds the EC Target Account Name to the reference set.
- The EC UserAccountUsed reference set is populated by the EC: User Account - Add Account Name to EC UserAccountUsed rule. When an event falls into the low-level User Login Success category, the rule adds the Username to the reference set.
The reference sets are configured to keep the data fresh by removing data elements that were not collected within the last hour.
To determine when an account is being removed, the EC: User Account Created and Used and Removed rule uses the ECBB:CategoryDefinition: User Account Removed building block.
Account activity that includes creating, using, and deleting an account all within a short time is considered potentially malicious behavior. When an account that is being removed also exists in both reference sets, QRadar creates an offense that is named User Account Created and Deleted within a short time frame (Exp Center) to warn you about the potential threat. The offense is indexed based on Username, which ensures that all events that contribute to the same threat are associated with the same offense.
The rules that contribute to the reference sets when user accounts are created or used do not generate offenses.
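The following is an added example, not IBM code and not the QRadar rule definitions themselves: a small Python model of the detection chain just described, so you can see why the one-hour reference-set expiry and the "present in both sets" test together separate a create-use-delete burst from ordinary account lifecycle. The event field names (`category`, `username`, `target_account`), the way expiry is checked, and the sample events are constructed assumptions; the category names, reference set names, rule names and the offense name are taken from this page.

```python
# Added example, not IBM's code: a small model of the detection chain this
# section describes. Two reference sets with a one-hour time-to-live are fed
# by "User Account Added" and "User Login Success" events; a "User Account
# Removed" event whose target account is still present in both sets produces
# an offense indexed by the event's Username. Field names, the TTL check and
# the sample events are constructed assumptions, not QRadar internals.
from datetime import datetime, timedelta

TTL = timedelta(hours=1)  # elements not collected within the last hour are removed
OFFENSE_NAME = "User Account Created and Deleted within a short time frame (Exp Center)"


class ReferenceSet:
    """Models a QRadar reference set whose elements expire after `ttl`."""

    def __init__(self, name, ttl=TTL):
        self.name = name
        self.ttl = ttl
        self._last_seen = {}  # element value -> time it was last collected

    def add(self, value, seen_at):
        self._last_seen[value] = seen_at

    def contains(self, value, now):
        """True only if `value` is present and was collected within the TTL window."""
        seen_at = self._last_seen.get(value)
        if seen_at is None:
            return False
        if now - seen_at > self.ttl:
            del self._last_seen[value]  # stale element: drop it, as the TTL would
            return False
        return True


class CustomRuleEngine:
    """The three Experience Center rules, reduced to their effect on the two sets."""

    def __init__(self):
        self.created = ReferenceSet("EC UserAccountCreated")
        self.used = ReferenceSet("EC UserAccountUsed")
        self.offenses = {}  # offense index (Username) -> contributing events

    def process(self, event):
        """Apply the rules to one event; return the offense index if one fires."""
        now, category = event["time"], event["category"]
        if category == "User Account Added":
            # rule: EC: User Account - Add Account Name to EC UserAccountCreated
            self.created.add(event["target_account"], now)
        elif category == "User Login Success":
            # rule: EC: User Account - Add Account Name to EC UserAccountUsed
            self.used.add(event["username"], now)
        elif category == "User Account Removed":
            # rule: EC: User Account Created and Used and Removed
            target = event["target_account"]
            if self.created.contains(target, now) and self.used.contains(target, now):
                index = event["username"]  # the offense is indexed on Username
                self.offenses.setdefault(index, []).append(event)
                return index
        return None


def run_simulation(events):
    """Feed events through the engine in time order; return it for inspection."""
    cre = CustomRuleEngine()
    for event in sorted(events, key=lambda e: e["time"]):
        cre.process(event)
    return cre


# Constructed sample events (not output of the Experience Center log source).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    # created, used and deleted within 20 minutes: should raise an offense
    {"time": T0, "category": "User Account Added",
     "username": "svc_admin", "target_account": "tmp_helper"},
    {"time": T0 + timedelta(minutes=5), "category": "User Login Success",
     "username": "tmp_helper"},
    {"time": T0 + timedelta(minutes=20), "category": "User Account Removed",
     "username": "svc_admin", "target_account": "tmp_helper"},
    # removal of an account never seen being created: no offense
    {"time": T0 + timedelta(minutes=40), "category": "User Account Removed",
     "username": "svc_admin", "target_account": "legacy_user"},
    # created and used, but removed three hours later: both set entries expired
    {"time": T0, "category": "User Account Added",
     "username": "svc_admin", "target_account": "contractor_a"},
    {"time": T0 + timedelta(minutes=30), "category": "User Login Success",
     "username": "contractor_a"},
    {"time": T0 + timedelta(hours=3), "category": "User Account Removed",
     "username": "svc_admin", "target_account": "contractor_a"},
]

if __name__ == "__main__":
    for index, events in run_simulation(SAMPLE_EVENTS).offenses.items():
        print(f"{OFFENSE_NAME} | index={index} | accounts="
              f"{[e['target_account'] for e in events]}")
```

Running the script produces one offense, indexed on `svc_admin`, for the `tmp_helper` burst only; the `contractor_a` removal three hours after creation finds both reference set entries expired, which is the behaviour the one-hour expiry is configured to give, and the `legacy_user` removal never matches because no creation was observed.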
Investigating the threat
The following IBM QRadar content is created by the Suspicious account modification threat simulation. After you run the simulation, you can use this content to trace and investigate the threat.
Content | Name |
---|---|
Saved Search | EC: Suspicious Account Modification |
Incoming events | The log source for the incoming event is Experience Center: WindowsAuthServer. |
Reference sets | EC UserAccountCreated, EC UserAccountUsed |
Rules | Only the EC: User Account Created and Used and Removed rule creates an offense. The other rules contribute to the reference sets. |
Generated event | User Account Created and Deleted within a short time frame (Exp Center). The log source for events that are generated by QRadar is the Custom Rule Engine (CRE). |
Offense | User Account Created and Used and Deleted within a short time frame (Exp Center). The offense is indexed based on the Username, meaning that all events that trigger this rule and that have the same username are part of the same offense. Depending on the events and rules that exist in your environment before you run the use case, the name of the offense might include "preceded by <offense name>" or "containing <offense name>". |