Changed implementation for rules

The QRadar® User Behavior Analytics (UBA) app no longer supports some rules. The functions that the rules provided are now integrated into the app, available in separate content packs, or implemented with machine learning models.

With UBA 3.5.0 and later, during the upgrade, a one-time task runs to disable all unsupported UBA rules found on the system. If any of the rules are enabled at a later time, they will not be disabled again by the application.

Although the UBA rules and building blocks in the following lists are no longer supported by the UBA app, the rules themselves, or the functions that they provided, remain available.

The following rules, and the functionality they provided, are now managed by Machine Learning:
  • UBA : Abnormal Outbound Transfer Attempts
    UBA : Abnormal Outbound Transfer Attempts Found
  • UBA : Abnormal data volume to external domain
    UBA : Abnormal data volume to external domain Found
  • UBA : Abnormal visits to Risky Resources
    UBA : Abnormal visits to Risky Resources Found
    UBA : User Accessing Risky Resources
    UBA : Risky Resources
  • UBA : User Behavior, Session Anomaly by Destination
    UBA : User Behavior, Session Anomaly by Destination Found
  • UBA : User Event Frequency Anomaly - Categories
    UBA : User Event Frequency Anomaly - Categories Found
  • UBA : User Running New Process (replaced with Process Usage ML user model in UBA 3.8.0)
  • UBA : User Volume Activity Anomaly - Traffic to External Domains
    UBA : User Volume Activity Anomaly - Traffic to External Domains Found
  • UBA : User Volume Activity Anomaly - Traffic to Internal Domains
    UBA : User Volume Activity Anomaly - Traffic to Internal Domains Found
  • UBA : User Volume of Activity Anomaly - Traffic
    UBA : User Volume of Activity Anomaly - Traffic Found

The following rules and building blocks, and the functionality they provided, are now managed within the UBA application:
  • UBA : User Has Gone Dormant (no activity anomaly rule)
    BB:UBA : Dormant User First Login (logic)
    BB:UBA : Dormant User Subsequent Login (logic)
    UBA : Username to User Accounts, Successful, Dormant
  • New Account
    UBA : Username to User Accounts, Successful, Observed
    UBA : Username to User Accounts, Successful, Recent
    UBA : Username to User Accounts, Successful, Recent Update
    BB:UBA : User First Time Access (logic)

The following rules and building blocks, and the functionality they provided, are now handled by allowing non-UBA rules to work with UBA:
  • QNI
    UBA : QNI - Access to Improperly Secured Service - Certificate Expired
    UBA : QNI - Access to Improperly Secured Service - Certificate Invalid
    UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate
    UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length
    UBA : QNI - Observed File Hash Associated with Malware Threat
    UBA : QNI - Observed File Hash Seen Across Multiple Hosts
    UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Email Recipient
    UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers
    UBA : QNI - Confidential Content Being Transferred to Foreign Geography
  • SYSMON
    UBA : Suspicious PowerShell Activity
    UBA : Suspicious PowerShell Activity (Asset)
    UBA : Suspicious Command Prompt Activity
    UBA : User Access Control Bypass Detected (Asset)
    UBA : Suspicious Scheduled Task Activities
    UBA : Suspicious Service Activities
    UBA : Suspicious Service Activities (Asset)
    UBA : Suspicious Entries in System Registry (Asset)
    UBA : Suspicious Image Load Detected (Asset)
    UBA : Suspicious Pipe Activities (Asset)
    UBA : Suspicious Activities on Compromised Hosts
    UBA : Suspicious Activities on Compromised Hosts (Asset)
    UBA : Suspicious Administrative Activities Detected
    UBA : Process Creating Suspicious Remote Threads Detected (Asset)
    UBA : Common Exploit Tools Detected
    UBA : Common Exploit Tools Detected (Asset)
    UBA : Malicious Process Detected
    UBA : Network Share Accessed
  • Recon
    UBA : Unusual Scanning of DHCP Servers Detected
    UBA : Unusual Scanning of DNS Servers Detected
    UBA : Unusual Scanning of Database Servers Detected
    UBA : Unusual Scanning of FTP Servers Detected
    UBA : Unusual Scanning of Game Servers Detected
    UBA : Unusual Scanning of Generic ICMP Detected
    UBA : Unusual Scanning of Generic TCP Detected
    UBA : Unusual Scanning of Generic UDP Detected
    UBA : Unusual Scanning of IRC Servers Detected
    UBA : Unusual Scanning of LDAP Servers Detected
    UBA : Unusual Scanning of Mail Servers Detected
    UBA : Unusual Scanning of Messaging Servers Detected
    UBA : Unusual Scanning of P2P Servers Detected
    UBA : Unusual Scanning of Proxy Servers Detected
    UBA : Unusual Scanning of RPC Servers Detected
    UBA : Unusual Scanning of SNMP Servers Detected
    UBA : Unusual Scanning of SSH Servers Detected
    UBA : Unusual Scanning of Web Servers Detected
    UBA : Unusual Scanning of Windows Servers Detected