IBM QRadar User Behavior Analytics (UBA) app Version 2 Release 4. User Guide IBM



Note

Before you use this information and the product that it supports, read the information in Notices on page 107.

Product information

This document applies to IBM Security QRadar Security Intelligence Platform V7.2.8 and subsequent releases unless superseded by an updated version of this document.

Copyright IBM Corporation 2016,
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

1 User Behavior Analytics app
  What's new in the User Behavior Analytics app
  Known issues
  Process overview
  Video demonstrations and tutorials
  UBA dashboard and user details
  Prerequisites for installing the User Behavior Analytics app
  Supported browsers for the UBA app
  Log source types relevant to the UBA app
2 Installing and uninstalling
  Installing the User Behavior Analytics app
  Uninstalling the UBA app
3 Upgrading
  Upgrading the User Behavior Analytics app
4 Configuring
  Configuring the User Behavior Analytics app
  Creating authorized service tokens
  Configuring the Reference Data Import LDAP app
  Configuring UBA settings
5 Administering
  Managing permissions for the QRadar UBA app
  Viewing the whitelist for trusted users
  Managing network monitoring tools
  Managing restricted programs
  Adding log sources to the trusted log source group
6 Tuning
  Enabling indexes to improve performance
  Integrating new or existing QRadar content with the UBA app
7 Reference
  Use cases for the UBA app
  UBA : Abnormal data volume to external domain (ADE rule)
  UBA : Abnormal data volume to external domain Found
  UBA : Abnormal Outbound Attempts (ADE rule)
  UBA : Abnormal Outbound Attempts Found
  UBA : Abnormal visits to Risky Resources (ADE rule)
  UBA : Abnormal visits to Risky Resources Found
  UBA : Account, Group or Privileges Added or Modified
  UBA : Critical Systems Users Seen Update
  UBA : Detect Persistent SSH session
  UBA : Dormant Account Found (privileged)
  UBA : Dormant Account Used
  UBA : D/DoS Attack Detected
  UBA : First Privilege Escalation
  UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage
  UBA : New Account Use Detected
  UBA : Orphaned or Revoked or Suspended Account Used
  UBA : Pass the Hash
  UBA : Possible TGT Forgery
  UBA : User Geography, Access from Unusual Locations
  UBA : User Geography Change
  UBA : User Has Gone Dormant (no activity anomaly rule)
  UBA : User Time, Access at Unusual Times
  UBA : Windows access with Service or Machine Account
  UBA : QNI - Access to Improperly Secured Service - Certificate Expired
  UBA : QNI - Access to Improperly Secured Service - Certificate Invalid
  UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length
  UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate
  UBA : QNI - Observed File Hash Associated with Malware Threat
  UBA : QNI - Observed File Hash Seen Across Multiple Hosts
  UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Recipient
  UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers
  UBA : Recent User Activity Update (privileged)
  UBA : Repeat Unauthorized Access
  UBA : Restricted Program Usage
  UBA : Risky URL Filter Category - Gambling
  UBA : Risky URL Filter Category - Malicious Outbound Data or Botnets
  UBA : Risky URL Filter Category - Malicious Sources or Malnets
  UBA : Risky URL Filter Category - Mixed Content/Potentially Adult
  UBA : Risky URL Filter Category - Phishing
  UBA : Risky URL Filter Category - Pornography
  UBA : Risky URL Filter Category - Potentially Unwanted Software
  UBA : Risky URL Filter Category - Scam/Questionable/Illegal
  UBA : Risky URL Filter Category - Suspicious
  UBA : Risky URL Filter Category - Web Ads/Analytics
  UBA : Subject_CN and Username Mapping
  UBA : Subject_CN and Username Map Update
  UBA : Suspicious Privileged Activity (First Observed Privilege Use)
  UBA : Suspicious Privileged Activity (Rarely Used Privilege)
  UBA : Unauthorized Access
  UBA : User Access - Failed Access to Critical Assets
  UBA : User Access - First Access to Critical Assets
  UBA : User Access Login Anomaly
  UBA : User Accessing Account from Anonymous Source
  UBA : User Accessing Risky Resources
  UBA : User Account Change
  UBA : User Anomalous Geography
  UBA : User Attempt to Use a Suspended Account
  UBA : User Behavior, Session Anomaly by Destination (ADE rule)
  UBA : User Behavior, Session Anomaly by Destination Found
  UBA : User Event Frequency Anomaly - Categories Found
  UBA : User Event Frequency Anomaly Categories (ADE rule)
  UBA : User Geography Change
  UBA : User Geography, Access from Unusual Locations
  UBA : User Time, Access at Unusual Times
  UBA : User Volume of Activity Anomaly - Traffic (ADE rule)
  UBA : User Volume of Activity Anomaly - Traffic Found
  UBA : Username to User Accounts, Privileged, Observed
  UBA : Username to User Accounts, Successful, Dormant
  UBA : Username to User Accounts, Successful, Observed
  UBA : Username to User Accounts, Successful, Recent
  UBA : Username to User Accounts, Successful, Recent Update
  UBA : VPN Access By Service or Machine Account
  UBA : VPN Certificate Sharing
  X-Force Risky IP, Anonymization
  X-Force Risky IP, Botnet
  X-Force Risky IP, Dynamic
  X-Force Risky IP, Malware
  X-Force Risky IP, Spam
  X-Force Risky URL
8 Reference Data Import - LDAP app
  What's new in the Reference Data Import LDAP app
  Supported browsers for the LDAP app
  Creating an authorized service token
  Adding a private root certificate authority
  Adding an LDAP configuration
  Adding LDAP attribute mappings
  Adding a reference data configuration
  Configuring polling
  Checking that data is added to the reference data collection
  Creating a rule that responds to LDAP data updates
9 Machine Learning Analytics app
  Known issues
  Supported browsers
  Prerequisites for installing the Machine Learning Analytics app
  Installing the Machine Learning Analytics app
  Upgrading the Machine Learning Analytics app
  Configuring Machine Learning Analytics settings
  UBA dashboard with Machine Learning Analytics
  Uninstalling the Machine Learning Analytics app
10 Troubleshooting and support
  Service requests
  Machine Learning app status shows errors on dashboard
  ML app status is in an error state
  Extracting UBA and Machine Learning logs
Notices
  Trademarks
  Terms and conditions for product documentation
  IBM Online Privacy Statement

Copyright IBM Corp. 2016, 2017


1 User Behavior Analytics app

By using your organization's Microsoft Active Directory or the included Reference Data Import LDAP app, the IBM Security QRadar User Behavior Analytics (UBA) app helps you to quickly determine the risk profiles of users inside your network and to take action when the app alerts you to threatening behavior.

The IBM Security QRadar User Behavior Analytics (UBA) app provides an efficient means for detecting anomalous or malicious behaviors that occur on your network. The QRadar UBA app provides a lens into user behavior deviation to detect and prioritize risky user activities and quickly show who is doing what on your networks. The QRadar UBA app comes with ready-to-go anomaly detection, behavioral rules and analytics, and leverages the curated log and activity data already in QRadar, thereby speeding time to insights. By streamlining monitoring, detection and investigation, the QRadar UBA app helps security analysts become more productive and manage insider threats more efficiently.

For information about using the Reference Data Import LDAP app, see Chapter 8, Reference Data Import - LDAP app, on page 79. For information about using the Machine Learning Analytics app, see Chapter 9, Machine Learning Analytics app, on page 89.

Attention: You must install IBM Security QRadar V7.2.8 or later before you install the QRadar UBA app.

Related concepts:
- Use cases for the UBA app on page 33: The IBM Security QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral
- Configuring the User Behavior Analytics app on page 17: Before you can use the IBM Security QRadar User Behavior Analytics (UBA) app, you must configure additional settings.
- Chapter 8, Reference Data Import - LDAP app, on page 79: Use the Reference Data Import - LDAP app to gather contextual identity information from multiple LDAP sources into your QRadar Console.
- Chapter 9, Machine Learning Analytics app, on page 89: The Machine Learning Analytics (ML) app extends the capabilities of your QRadar system and the QRadar User Behavior Analytics (UBA) app by adding use cases for machine learning analytics. With the Machine Learning Analytics use cases, you can gain additional insight into user behavior with predictive modeling. The ML app helps your system to learn the expected behavior of the users in your network.

Related tasks:
- Installing the User Behavior Analytics app on page 13: Use the IBM Security QRadar Extension Management tool to upload and install your app archive directly to your QRadar Console.
- Upgrading the User Behavior Analytics app on page 15: Use the IBM Security QRadar Extension Management tool to upgrade your app.

What's new in the User Behavior Analytics app

Learn about the new features in each User Behavior Analytics (UBA) app release.

What's new in V2.4.0

Attention: If you are upgrading to V2.4.0, you must complete the instructions in the following technote:

V2.4.0 of the User Behavior Analytics app includes the following improvements:
- Display LDAP retrieval status in the LDAP app.
- Import up to 400,000 users by the LDAP app. Before you change the configuration, see Known issues.
- Ability to map an unlimited number of aliases to a primary user ID.
- Added memory configuration settings in Machine Learning Settings to support more users when you run Machine Learning on an App Node.
- Added use case UBA : Windows access with Service or Machine Account. For more information, see UBA : Windows access with Service or Machine Account on page 47.
- Added use case UBA : D/DoS Attack Detected. For more information, see UBA : D/DoS Attack Detected on page 39.
- Added use case UBA : Detect Persistent SSH session. For more information, see UBA : Detect Persistent SSH session on page 37.
- Added use case UBA : Abnormal data volume to external domain. For more information, see UBA : Abnormal data volume to external domain (ADE rule) on page 33.
- Added use case UBA : Abnormal Outbound Attempts. For more information, see UBA : Abnormal Outbound Attempts (ADE rule) on page 34.

Known issues

The User Behavior Analytics app V2.4.0 has required information for upgrading and known issues.

Attention: If you are upgrading to V2.4.0 on a QRadar V7.2.8 console, you must complete the instructions in the following technote:

Known issues for V2.4.0

The User Behavior Analytics app has the following known issues:
- If you use LDAP to import more than 100,000 users, the issue in APAR IV98655 might be triggered. Proceed with caution when configuring LDAP for UBA. Importing more than 200,000 users is not recommended unless you use QRadar or later with 128 GB of memory.
- In rare instances on QRadar V7.2.8 and V7.3.0, you might encounter an issue with a newly created SEC token where the SEC token appears to work and then later becomes invalid. To fix this issue, complete one of the following actions:
  - Restart the Apache Tomcat service from a command line on your QRadar Console.
  - Deploy any action from the Admin tab in QRadar.
- English strings or corrupted text are displayed in some parts of the user interface when you use QRadar V7.2.8 in some locales.

Process overview

The User Behavior Analytics app works with your QRadar system to collect data about the users inside your network.

How UBA works

1. Logs send data to QRadar.
2. UBA-specific rules look for certain events (depending on which UBA rules are enabled) and trigger a new sense event that is read by the UBA app.
3. The UBA rules require the events to have a username and to pass other tests (review the rules to see what they are looking for).
4. UBA pulls the sensevalue and username from the sense event and then increases that user's risk score by the sensevalue amount.
5. When a user's risk score exceeds the threshold that you set in the UBA Settings page, UBA sends an event which triggers the "UBA : Create Offense" rule and an offense is created for that user.

How sensevalues are used to create user risk scores

Each rule and analytic has a value assigned to it that indicates the severity of the issue found. Each time a user's actions cause a rule to trigger, the user gets this value added to the score. The more the user "violates" a rule, the higher the score will be.

Rules and sense events

Rules, when triggered, generate sense events that are used to determine the user's risk score. You can update existing rules in QRadar to produce sense events. For more information, see Integrating new or existing QRadar content with the UBA app on page 31.

Machine Learning Analytics and sense events

You can install the Machine Learning Analytics app and enable machine learning analytics to identify anomalous user behavior. The analytics, when triggered, will generate sense events that also raise a user's risk score.
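To make the scoring steps above concrete, the following Python model of steps 3 to 5 is added here as an illustration; it is not code from the UBA app. The SenseEvent fields, the threshold of 50, the whitelist and the sample event stream are constructed for the example, the sensevalues are illustrative rather than the app's real values, and the rule that a user gets only one offense while the score stays above the threshold is an assumption of this model.

```python
"""Risk-score accumulation from sense events (added example, not UBA's own code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class SenseEvent:
    """The two fields UBA reads from a sense event (step 4), plus the rule that fired."""
    username: Optional[str]
    sensevalue: int
    usecase: str


@dataclass
class RiskTracker:
    threshold: int                                    # the threshold set in UBA Settings
    whitelist: Set[str] = field(default_factory=set)  # trusted users generate no score or offense
    scores: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    offenses: List[str] = field(default_factory=list)
    dropped: int = 0                                  # events rejected for lacking a username

    def ingest(self, event: SenseEvent) -> Optional[str]:
        """Apply one sense event; return the username if an offense was created."""
        # Step 3: the rules require a username; an event without one contributes nothing.
        if not event.username:
            self.dropped += 1
            return None
        # Whitelisted users do not generate risk scores or offenses (User details page).
        if event.username in self.whitelist:
            return None
        # Step 4: add the sensevalue to that user's score.
        self.scores[event.username] += event.sensevalue
        # Step 5: crossing the threshold creates an offense for that user.
        # Assumption of this model: one offense per user while the score stays above the threshold.
        if self.scores[event.username] > self.threshold and event.username not in self.offenses:
            self.offenses.append(event.username)
            return event.username
        return None


# Constructed sample stream; the sensevalues here are illustrative only.
SAMPLE_EVENTS = [
    SenseEvent("alice", 15, "UBA : New Account Use Detected"),
    SenseEvent(None, 10, "UBA : User Account Change"),            # no username: ignored
    SenseEvent("bob", 25, "UBA : First Privilege Escalation"),
    SenseEvent("bob", 15, "UBA : Dormant Account Used"),
    SenseEvent("svc_backup", 90, "UBA : Restricted Program Usage"),  # whitelisted: ignored
    SenseEvent("bob", 20, "UBA : Pass the Hash"),                 # bob's score passes 50 here
    SenseEvent("bob", 5, "UBA : User Geography Change"),          # already has an open offense
]


def run_sample(threshold: int = 50) -> RiskTracker:
    """Feed the constructed stream through the tracker and return the final state."""
    tracker = RiskTracker(threshold=threshold, whitelist={"svc_backup"})
    for ev in SAMPLE_EVENTS:
        created = tracker.ingest(ev)
        if created:
            print(f"offense created for {created} (score {tracker.scores[created]})")
    return tracker


if __name__ == "__main__":
    state = run_sample()
    for user, score in sorted(state.scores.items(), key=lambda kv: -kv[1]):
        print(f"{user:12} {score}")
    print(f"events dropped for missing username: {state.dropped}")
```

With the sample stream, bob reaches 65 and gets one offense, alice stays at 15, the whitelisted service account never appears in the scores, and the event without a username is counted as dropped. The same structure is what you inspect when tuning: a whitelist entry removes a user from scoring entirely, whereas a lower sensevalue on a noisy rule only slows the climb toward the threshold.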

Video demonstrations and tutorials

Learn more about the IBM Security QRadar User Behavior Analytics (UBA) app, the Reference Data Import - LDAP app, and the Machine Learning Analytics (ML) app.

IBM Security Learning Academy

Enroll in the User Behavior Analytics (UBA) courses on the IBM Security Learning Academy website. Tip: You must have an IBM ID account to enroll and watch the videos.

Video tutorials on YouTube

- Demonstration of the User Behavior Analytics app with Machine Learning V2.0.0:
- Demonstration for configuring the Reference Data Import - LDAP app: watch?v=er-wyxs6wfk
- General overview of the User Behavior Analytics app:

UBA dashboard and user details

The IBM Security QRadar User Behavior Analytics (UBA) app shows you the overall risk data for users in your network.

Dashboard

After you install the UBA app, click the User Analytics tab to open the Dashboard. In the Search for User field, you can search for users by name or by user ID. As you enter a name, the app shows you the top five results.

The Dashboard is automatically refreshed every minute and shows you the following risk data:
- Users with highest risk score: Overall accumulation of all risky behaviors by users.
- Users with recent risk activity: Users that are currently engaging in risky behavior.
- Watchlist: Custom list of users to monitor. Tip: To add a user to the watchlist, click the Watchlist icon.
- System Score: Overall accumulated risk score for all users at a specified point in time. Click the Calendar icon to specify a date range for longer than one day. The maximum duration that you can select is 30 days any time during the last year.
- Risk Category Breakdown: High-level risk categories over the last hour. Click the graph to see subcategories and then click to see a display of events.
- Recent Offenses: Most recent sense offenses by user.
- Status of Machine Learning Models (shown if the Machine Learning app is installed): Status of the Machine Learning Analytics use cases.

Note: If you installed the Machine Learning app, the Status of Machine Learning Models widget appears.

User details page

You can click a user name from anywhere in the app to see details for the selected user. Tip: You can right-click a user name to dynamically calculate the risk score.

The User Details page includes the following actions and dashboard views:
- Add to Whitelist: You can add the selected user to the whitelist so that the user does not generate risk scores and offenses. To remove the selected user from the whitelist, click Whitelisted. To review the complete list of users who were added to the whitelist, see Viewing the whitelist for trusted users on page 25.
- Add to Watchlist: You can add the selected user to the watchlist. To remove the selected user from the watchlist, click Watchlisted.
- Add Custom Alert: You can set a custom alert that displays by the user name. Click Add Custom Alert, enter an alert message, and then click Set. To remove the custom alert for the selected user, click Remove Custom Alert.
- Risk Score: The risk score graph shows the risk trends for the selected user during the selected date range. Click the Calendar icon to specify a date range.
- Risky Activity Timeline: You can click Group by Activity or Group by Hour to see a list of the user's activities. You can filter and search by any column in the timeline.
- Risk Category Breakdown: Shows the risk categories of the selected user during the last hour.
- Add Notes: Click the Add icon to add notes for the selected user. Tip: To save the note indefinitely, mark the note as important by clicking the Flag icon. If you do not mark the note as important, it is automatically removed at the end of the retention period that you set in Application Settings.
- Total Activity (shown if the Machine Learning app is installed and the analytic is enabled): Shows the actual and expected (learned) amount of activity of users throughout the day.
- User Activity by Category (shown if the Machine Learning app is installed and the analytic is enabled): Shows actual and expected user activity behavior patterns by high-level category.
- Risk Posture (shown if the Machine Learning app is installed and the analytic is enabled): Shows if a user's risk score deviates from their expected risk score pattern.
- Activity Distribution (shown if the Machine Learning app is installed and the analytic is enabled in V2.2.0 or later): Shows dynamic behavior clusters for all users that are monitored by machine learning.
- Peer Group (shown if the Machine Learning app is installed and the analytic is enabled in V2.2.0 or later): Shows how much the user deviated from the inferred peer group they were expected to be in.

To return to the main Dashboard, click Dashboard.

Related concepts:

- UBA dashboard with Machine Learning Analytics on page 96: The IBM Security QRadar User Behavior Analytics (UBA) app with Machine Learning Analytics includes the Machine Learning Analytics status and additional details for the selected user.

Related tasks:
- Viewing the whitelist for trusted users on page 25: You can view the list of trusted users that are whitelisted in the reference set management list.
- Adding log sources to the trusted log source group on page 26: If you do not want the UBA app to monitor and report certain log sources, you can add them to the UBA : Trusted Log Source Group. Adding log sources to the group stops the UBA app from monitoring them.

Prerequisites for installing the User Behavior Analytics app

Before you install the IBM Security QRadar User Behavior Analytics (UBA) app, ensure that you meet the requirements.
- Verify that you have IBM Security QRadar V7.2.8 or later installed.
- Add the IBM Sense DSM for the User Behavior Analytics (UBA) app.

Installing the IBM Sense DSM manually

The IBM Security QRadar User Behavior Analytics (UBA) app uses the IBM Sense DSM to add user risk scores and offenses into QRadar. You can install the DSM through auto-updates or you can upload it to QRadar and install it manually.

Note: If your system is disconnected from the internet, you might need to install the DSM RPM manually.

Restriction: Uninstalling a Device Support Module (DSM) is not supported in QRadar.

1. Download the DSM RPM file from the IBM support website:
   - For QRadar V7.2.8: DSM-IBMSense noarch.rpm
   - For QRadar V7.3.0 and later: DSM-IBMSense noarch.rpm
2. Copy the RPM file to your QRadar Console.
3. Use SSH to log in to the QRadar host as the root user.
4. Go to the directory that includes the downloaded file.
5. Type the following command: rpm -Uvh <rpm_filename>
6. From the Admin settings, click Deploy Changes.
7. From the Admin settings, select Advanced > Restart Web Services.

Supported browsers for the UBA app

For the features in IBM Security QRadar products to work properly, you must use a supported web browser. The following table lists the supported versions of web browsers.

Web browser        Supported versions
Mozilla Firefox    45.2 Extended Support Release
Google Chrome      Latest

Note: To maximize your experience with UBA, you should do one of the following:
- Disable the pop-up blocker for your browser
- Configure your browser to allow exceptions for pop-ups coming from the QRadar Console IP address

Log source types relevant to the UBA app

The User Behavior Analytics (UBA) app can accept and analyze events from certain log sources. For more details about specific use cases and the corresponding log source types, see Use cases for the UBA app on page 33.

The UBA app can accept and analyze events from the following log sources:
- APC UPS
- AhnLab Policy Center APC
- Amazon AWS CloudTrail
- Apache HTTP Server
- Application Security DbProtect
- Arbor Networks Pravail
- Arpeggio SIFT-IT
- Array Networks SSL VPN Access Gateways
- Aruba ClearPass Policy Manager
- Aruba Mobility Controller
- Avaya VPN Gateway
- Barracuda Spam & Virus Firewall
- Barracuda Web Application Firewall
- Barracuda Web Filter
- Bit9 Security Platform
- Bluemix Platform
- Bridgewater Systems AAA Service Controller
- Brocade FabricOS
- CA ACF2
- CA SiteMinder
- CA Top Secret
- CRE System
- CRYPTOCard CRYPTOShield
- Check Point
- Cilasoft QJRN/400
- Cisco ACS
- Cisco Adaptive Security Appliance (ASA)
- Cisco Aironet
- Cisco CSA
- Cisco Call Manager
- Cisco CatOS for Catalyst Switches
- Cisco FireSIGHT Management Center
- Cisco Firewall Services Module (FWSM)
- Cisco IOS
- Cisco Identity Services Engine

- Cisco Intrusion Prevention System (IPS)
- Cisco IronPort
- Cisco NAC Appliance
- Cisco Nexus
- Cisco PIX Firewall
- Cisco VPN 3000 Series Concentrator
- Cisco Wireless LAN Controllers
- Cisco Wireless Services Module (WiSM)
- Citrix Access Gateway
- Citrix NetScaler
- CloudPassage Halo
- Cloudera Navigator
- Configurable Authentication message filter
- CorreLog Agent for IBM z/OS
- Custom Rule Engine
- Cyber-Ark Vault
- DCN DCS/DCRS Series
- DG Technology MEAS
- EMC VMWare
- Enterasys Matrix K/N/S Series Switch
- Enterasys XSR Security Routers
- Enterprise-IT-Security.com SF-Sherlock
- Epic SIEM
- Event CRE Injected
- Extreme 800-Series Switch
- Extreme Dragon Network IPS
- Extreme HiPath
- Extreme Matrix E1 Switch
- Extreme NAC
- Extreme NetsightASM
- Extreme Networks ExtremeWare Operating System (OS)
- Extreme Stackable and Standalone Switches
- F5 Networks BIG-IP APM
- F5 Networks BIG-IP ASM
- F5 Networks BIG-IP LTM
- F5 Networks FirePass
- Flow Classification Engine
- ForeScout CounterACT
- Fortinet FortiGate Security Gateway
- Foundry Fastiron
- FreeRADIUS
- genua genugate
- HBGary Active Defense
- HP Tandem
- Honeycomb Lexicon File Integrity Monitor
- Huawei AR Series Router
- Huawei S Series Switch

- HyTrust CloudControl
- IBM AIX Audit
- IBM AIX Server
- IBM AS/400 iSeries
- IBM DB2
- IBM Fiberlink MaaS360
- IBM Guardium
- IBM IMS
- IBM Lotus Domino
- IBM Proventia Network Intrusion Prevention System (IPS)
- IBM QRadar Network Insights (QNI)
- IBM Resource Access Control Facility (RACF)
- IBM Security Access Manager for Enterprise Single Sign-On
- IBM Security Access Manager for Mobile
- IBM Security Directory Server
- IBM Security Identity Governance
- IBM Security Identity Manager
- IBM Security Trusteer Apex Advanced Malware Protection
- IBM SmartCloud Orchestrator
- IBM Tivoli Access Manager for e-business
- IBM Tivoli Endpoint Manager
- IBM WebSphere Application Server
- IBM WebSphere DataPower
- IBM z/OS
- IBM zSecure Alert
- ISC BIND
- Imperva SecureSphere
- Itron Smart Meter
- it-cube agileSI
- Juniper DDoS Secure
- Juniper Junos OS Platform
- Juniper MX Series Ethernet Services Router
- Juniper Networks Firewall and VPN
- Juniper Networks Intrusion Detection and Prevention (IDP)
- Juniper Networks Network and Security Manager
- Juniper Networks Secure Access (SA) SSL VPN
- Juniper Steel-Belted Radius
- Juniper WirelessLAN
- Juniper vGW
- Kaspersky Security Center
- Lieberman Random Password Manager
- Linux OS
- Mac OS X
- McAfee Application/Change Control
- McAfee Firewall Enterprise
- McAfee IntruShield Network IPS Appliance
- McAfee ePolicy Orchestrator
- Metainfo MetaIP

- Microsoft DHCP Server
- Microsoft Endpoint Protection
- Microsoft Exchange Server
- Microsoft Hyper-V
- Microsoft IAS Server
- Microsoft IIS
- Microsoft ISA
- Microsoft Office 365
- Microsoft Operations Manager
- Microsoft SCOM
- Microsoft SQL Server
- Microsoft SharePoint
- Microsoft Windows Security Event Log
- Motorola SymbolAP
- Netskope Active
- Nortel Application Switch
- Nortel Contivity VPN Switch
- Nortel Contivity VPN Switch (obsolete)
- Nortel Ethernet Routing Switch 2500/4500/5500
- Nortel Ethernet Routing Switch 8300/8600
- Nortel Multiprotocol Router
- Nortel Secure Network Access Switch (SNAS)
- Nortel Secure Router
- Nortel VPN Gateway
- Novell eDirectory
- OS Services Qidmap
- OSSEC
- ObserveIT
- Okta
- OpenBSD OS
- Oracle Acme Packet SBC
- Oracle Audit Vault
- Oracle BEA WebLogic
- Oracle Database Listener
- Oracle Enterprise Manager
- Oracle RDBMS Audit Record
- Oracle RDBMS OS Audit Record
- PGP Universal Server
- Palo Alto PA Series
- Pirean Access: One
- PostFix MailTransferAgent
- ProFTPD Server
- Proofpoint Enterprise Protection/Enterprise Privacy
- RSA Authentication Manager
- Radware AppWall

- Radware DefensePro
- Redback ASE
- Riverbed SteelCentral NetProfiler Audit
- SIM Audit
- SSH CryptoAuditor
- STEALTHbits StealthINTERCEPT
- SafeNet DataSecure/KeySecure
- Salesforce Security Auditing
- Salesforce Security Monitoring
- Samhain HIDS
- Sentrigo Hedgehog
- Snort Open Source IDS
- Solaris BSM
- Solaris Operating System Authentication Messages
- Solaris Operating System Sendmail Logs
- SonicWALL SonicOS
- Sophos Astaro Security Gateway
- Squid Web Proxy
- Starent Networks Home Agent (HA)
- Sybase ASE
- Symantec Critical System Protection
- Symantec Endpoint Protection
- Symantec System Center
- System Notification
- ThreatGRID Malware Threat Intelligence Platform
- TippingPoint Intrusion Prevention System (IPS)
- TippingPoint X Series Appliances
- Top Layer IPS
- Trend Micro Control Manager
- Trend Micro Deep Discovery Inspector
- Trend Micro Deep Discovery Inspector
- Trend Micro Deep Security
- Tripwire Enterprise
- Tropos Control
- Universal DSM
- VMware vCloud Director
- VMware vShield
- Venustech Venusense Security Platform
- Verdasys Digital Guardian
- Vormetric Data Security
- WatchGuard Fireware OS


2 Installing and uninstalling

Installing the User Behavior Analytics app

Use the IBM Security QRadar Extension Management tool to upload and install your app archive directly to your QRadar Console.

Before you begin

Complete the Prerequisites for installing the User Behavior Analytics app on page 6.

About this task

Note: The installation of apps does not void your IBM warranty for QRadar.

Attention: After the app is installed, you must:
- Enable indexes.
- Deploy the full configuration.
- Clear your browser cache and refresh the browser window.
- Set up permissions for users that require access to view the User Analytics tab. The following permissions must be assigned to each user role that requires access to the app: User Analytics, Offenses, Log Activity.

After you download your app from the IBM Security App Exchange, use the IBM Security QRadar Extension Management tool to install it on your QRadar Console.

Procedure

1. Open the Admin settings:
   - In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the admin tab.
2. Click Extension Management.
3. In the Extension Management window, click Add and select the UBA app archive that you want to upload to the console.
4. Select the Install immediately check box. Important: You might have to wait several minutes before your app becomes active.
5. From the Admin settings, click Index Management and then enable the following indexes:
   - High Level Category
   - Low Level Category
   - Username
   - sensevalue
   - usecaseuuid
6. From the Admin settings, click Advanced > Deploy Full Configuration.

Note: The following content packages are installed after the UBA installation completes and UBA is configured.
- User Behavior Analytics QRadar Network Insights Support Content
- User Behavior Analytics Anomaly Detection Engine Content

What to do next
- When the installation is complete, clear your browser cache and refresh the browser window before you use the app.
- Manage permissions for UBA app user roles.

Related tasks:
- Enabling indexes to improve performance on page 29: To improve the performance of your IBM Security QRadar User Behavior Analytics (UBA) app, enable indexes in IBM Security QRadar.
- Managing permissions for the QRadar UBA app on page 25: Administrators use the User Role Management feature in IBM Security QRadar to configure and manage user accounts. As an administrator, you must enable the User Analytics, Offenses, and Log Activity permissions for each user role that is permitted to use the QRadar UBA app.

Uninstalling the UBA app

Use the IBM Security QRadar Extension Management tool to uninstall your application from your QRadar Console.

Before you begin

If you have the Machine Learning Analytics (ML) app installed, you must uninstall the ML app from the Machine Learning Settings page before uninstalling the UBA app from the Extension Management window. If you do not remove the ML app before you uninstall UBA, you must remove it from the interactive API documentation interface.

Procedure

1. Open the Admin settings:
   - In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the admin tab.
2. Click Extension Management.
3. On the INSTALLED tab of the Extension Management window, select your app and click Uninstall.

When you uninstall an app, it is removed from the system. If you want to reinstall it, you must add it again.

3 Upgrading

Upgrading the User Behavior Analytics app

Use the IBM Security QRadar Extension Management tool to upgrade your app.

About this task

Attention:
- If you are upgrading to V2.4.0 on a V7.2.8 console, you must complete the instructions in the following technote:
- If you are upgrading to V2.4.0 on a QRadar V7.3.0 or later console, complete the following procedure.

Important: After you have upgraded, you must complete the following steps:
- Deploy the full configuration.
- Clear your browser cache and refresh the browser window.

Procedure

1. Open the Admin settings:
   - In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the admin tab.
2. Click Extension Management.
3. In the Extension Management window, click Add and select the UBA app archive that you want to upload to the console.
4. At the prompt, select Overwrite. All of your existing UBA app data remains intact. Important: You might have to wait several minutes before your app becomes active.
5. On the Admin tab, click Advanced > Deploy Full Configuration.

What to do next

When the upgrade is complete, clear your browser cache and refresh the browser window before you use the app.


23 4 Configuring Configuring the User Behavior Analytics app Before you can use the IBM Security QRadar User Behavior Analytics (UBA) app, you must configure additional settings. When you install the UBA app, the IBM Security QRadar Reference Data Import LDAP app is also installed. If you choose to use the LDAP app, you must configure the Reference Data Import LDAP app before you set up the UBA app. The data that the UBA app uses comes from an LDAP query. The LDAP query retrieves the list of users that is used to populates the UBA app. Complete the following setup procedures: v Create authorized service tokens v Configure the Reference Data Import LDAP app if you are using LDAP v Configure user analytics settings for the UBA app Creating authorized service tokens You must create authorized service tokens for the IBM Security QRadar User Behavior Analytics (UBA) app to authenticate the background polling service that the UBA app uses to request data from IBM Security QRadar. If you are using the Reference Data Import LDAP app to import user data, you must also create an authorized service token for the Reference Data Import LDAP app. About this task IBM Security QRadar, the Reference Data Import LDAP app, and the UBA app require that you use authentication tokens to authenticate the API calls that the apps make. Procedure 1. Open the Admin settings: v In IBM Security QRadar V7.3.0 or earlier, click the Admin tab. v In IBM Security QRadar V7.3.1, click the navigation menu ( the admin tab. 2. In the User Management section, click the Authorized Services icon. 3. Click Add Authorized Services. ), and then click Admin to open v If you are using the Reference Data Import LDAP app, go to step 3 to create the LDAP service token. v If you are using Active Directory, go to step 7 to create the UBA service token. 4. Configure the following information to create the LDAP service: a. In the Service Name field, type LDAP. b. From the User Role list, select the Admin user role. 
   c. From the Security Profile list, select the security profile that you want to assign to this authorized service. The security profile determines the networks and log sources that this service can access on the QRadar user interface.
   d. In the Expiry Date list, type or select a date for this service to expire. If an expiry date is not necessary, select No Expiry.
5. Click Create Service.

6. Click the row that contains the service you created and then select and copy the token string from the Selected Token field in the menu bar.
7. Click Add Authorized Services.
8. Configure the following information to create the UBA service:
   a. In the Service Name field, type UBA.
   b. From the User Role list, select the Admin user role.
   c. From the Security Profile list, select the security profile that you want to assign to this authorized service. The security profile determines the networks and log sources that this service can access on the QRadar user interface.
   d. In the Expiry Date list, type or select a date for this service to expire. If an expiry date is not necessary, select No Expiry.
9. Click Create Service.
10. Click the row that contains the service you created and then select and copy the token string from the Selected Token field in the menu bar.

Configuring the Reference Data Import LDAP app

When you install the IBM Security QRadar User Behavior Analytics (UBA) app, the Reference Data Import LDAP app is also installed. You can use the LDAP app to import user data into a reference table, or you can import data into a reference table by using your own tools.

Before you begin

- If you do not want to configure the LDAP app, continue to the Configuring UBA settings topic on page 21 and select the UBA_Default reference table that is delivered with the UBA app.
- If you decide to use the LDAP app to import your user data, you must create and add an authentication token to the LDAP app before you can add an LDAP configuration.

Attention: If you previously installed the stand-alone Reference Data Import LDAP app, it is replaced when you install the UBA app. Your configurations are added to the updated version of the Reference Data Import LDAP app.

About this task

Note: Make sure that you note the reference table name and whether you give a custom alias to any of the attributes.
When you set up the UBA app, select the reference table that you created in the Reference Data Import LDAP app. For more information about the Reference Data Import LDAP app, see the following section of the IBM Knowledge Center: com.ibm.apps.doc/c_qapps_ldap_intro.html

Procedure

1. Open the Admin settings:
   - In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the admin tab.
2. Click the Reference Data Import LDAP icon.
3. On the Reference Data Import LDAP app main window, click Configure and paste the authorized service token string into the Token field.
4. Optional: If you need to add a private root certificate authority file, click Choose File and then click Upload. The following file type is supported: .pem.
5. Click OK.

6. On the Reference Data Import LDAP app main window, click Add Import. The Add a New LDAP Configuration dialog box opens.
7. On the LDAP Configuration tab, add connection information for the LDAP server. The Filter and Attribute List fields are automatically populated from your Active Directory attributes.
   a. In the LDAP URL field, enter a URL that begins with ldap:// or ldaps:// (for TLS).
   b. In the Base DN field, enter the point in the LDAP directory tree from where the server must search for users. For example, if your LDAP server is on the domain example.com, you might use: dc=example,dc=com.
   c. In the Filter field, enter the attribute or attributes that you want to use to sort the data that is imported into the reference table. For example: cn=*; uid=*; sn=*. The following default values work with Active Directory: (&(samaccountname=*)(samaccounttype= )).
   d. In the Attribute List field, enter the attributes that you want to import into the reference table. The following default values work with Active Directory: userprincipalname,cn,sn,telephonenumber,l,co,department,displayname,mail,title.
      Tip: If you do not specify attributes, you can still click Test Connection. The top 10 records are returned to help you choose your attributes.
   e. In the Username field, enter the user name that is used to authenticate to the LDAP server.
   f. In the Password field, enter the password for the LDAP server.
8. Click Test Connection to confirm that IBM Security QRadar can connect to the LDAP server. If your connection attempt is successful, information from your LDAP server is displayed on the LDAP Configuration tab.
9. Optional: On the LDAP Attribute Mapping tab, you can create custom aliases for the attributes. Aliases must be unique.
   Tip: You can create new LDAP fields by combining two attributes. For example, you can use the following syntax: "Last: {ln}, First: {fn}".

   Tip: If you want to merge LDAP data from multiple sources in the same reference table, you can use custom aliases to differentiate LDAP attributes that have the same name in different sources. When you add aliases to the Attribute List field on the LDAP Configuration tab, they are added automatically to the LDAP Attribute Mapping tab.
10. On the Reference Configuration tab, create a new reference map of maps or designate an existing reference map of maps to which you want to add LDAP data.
   a. In the Reference table field, enter the name for a new reference table. Alternatively, select from the list the name of an existing reference table to which you want to append the LDAP data.
   b. In the Outer key selection list, select Default or select the outer (unique) key based on your environment.
   c. The Generate map of sets check box is disabled by default. If you enable the check box, the data is also sent to a reference set format to improve QRadar searching; however, this might impact performance.
   d. In the Time to live section, define how long you want the data to persist in the reference map of maps. By default, the data that you add never expires. When the time-to-live period is exceeded, a ReferenceDataExpiry event is triggered.
      Note: If you append data to an existing reference map of maps, the app uses the original time-to-live parameters. These parameters cannot be overridden on the Reference Configuration tab.
11. On the Polling tab, define how often you want the app to poll your LDAP server for data.
   a. In the Polling interval in minutes field, define in minutes how often you want the app to poll your LDAP server for data.
      Note: The minimum polling interval value is 120. You can also enter a polling interval of zero. If you enter a polling interval of zero, you must poll the app manually with the poll option that is displayed in the feed.

   b. In the Record retrieval limit field, enter a value for the number of records that you want the poll to return. By default, 100,000 records are returned. The maximum number of records that can be returned is 200,000.
   c. Optional: The Paged results check box is selected by default to avoid limiting the number of records that the LDAP server returns for each poll.
      Note: Paged results are not supported by all LDAP servers.
12. Click Save.

Configuring UBA settings

To view information in the IBM Security QRadar User Behavior Analytics (UBA) app, you must configure UBA application settings.

Before you begin

You must create an authentication token for the UBA app before you can configure UBA settings.

About this task

The steps for configuring your UBA settings have changed starting with V

Procedure

1. Open the Admin settings:
   - In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the admin tab.
2. Click the UBA Settings icon in the Plug-ins section. The IBM UBA Settings dialog box opens.
3. In the QRadar Settings section, click Manage Authorized Services.
4. Click the row that contains the UBA service you created and then select and copy the token string from the Selected Token field in the menu bar.
5. In the UBA Settings window, paste the authorized service token string into the Token field.
6. In the Application Settings section, configure the following settings:

   Option: Risk threshold to trigger offenses
      Indicates how high a user's risk score should get before an offense is triggered against that user. The default value is 100,000. The value is set to a high value by default to avoid triggering offenses before the environment is analyzed.
      Tip: Consider setting up UBA and leaving the default value. Allow the settings to run for at least a day to see the type of scores that are returned. After a few days, review the results on the dashboard to determine a pattern. You can then adjust the threshold. For example, if you see one or two people with scores in the 500s but most are in the 100s, then consider setting the threshold to 200 or 300. So "normal" for your environment might be 100 or so, and any score above that might require your attention.

   Option: Decay risk by this factor per hour
      Risk decay is the percentage by which the risk score is reduced every hour. The default value is 0.5.
      Note: The higher the number, the faster the risk score decays; the lower the number, the slower the risk score decays.

   Option: Date range for user details graph
      The date range that is displayed for the user details graphs on the User Details page. The default value is 3.

   Option: Search assets for username, when username is not available for event or flow data
      Select the check box to search for user names in the asset table. The UBA app uses assets to look up a user for an IP address when no user is listed in an event.
      Important: This feature might cause performance issues in the UBA app and your QRadar system.
      Tip: If the query timeout threshold is exceeded, the app does not return any data. If you receive an error message on the UBA Dashboard, clear the check box and click Refresh.

7. Optional: In the Import User Data section, select a Reference table.
8. Optional: Enter the number of hours to determine how often you want the reference table to ingest data.
9. Optional: In the User Coalescing section, select the attributes that are pulled from the selected reference table and that appear as "Username" in your QRadar system. The risk scores of these identifiers are added to, and are also associated with, the primary identifier.

10. Optional: In the Display Attributes section, select the attributes that you want to display on the User Details page.
11. Click Save Configuration.


5 Administering

Managing permissions for the QRadar UBA app

Administrators use the User Role Management feature in IBM Security QRadar to configure and manage user accounts. As an administrator, you must enable the User Analytics, Offenses, and Log Activity permissions for each user role that is permitted to use the QRadar UBA app.

About this task

After you install the QRadar UBA app, the User Analytics, Offenses, and Log Activity permissions must be enabled for the user roles that are assigned to users who intend to use the QRadar UBA app.

Procedure

1. Open the Admin settings:
   - In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the admin tab.
2. In the System Configuration section, under User Management, click the User Roles icon.
3. Select an existing user role or create a new role.
4. Select the following check boxes to add the permissions to the role:
   - User Analytics
   - Offenses
   - Log Activity
5. Click Save.

Viewing the whitelist for trusted users

You can view the list of trusted users that are whitelisted in the reference set management list.

Procedure

1. Open the Admin settings:
   - In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the admin tab.
2. In the System Configuration section, click Reference Set Management.
3. On the Reference Set Management window, select the UBA : Trusted Usernames reference set.
4. Click View Contents.

Managing network monitoring tools

You can manage network monitoring tools for the IBM Security QRadar User Behavior Analytics (UBA) app.

About this task

If you want to monitor the use of network capture, monitoring, or analysis programs, make sure that the programs are listed in the UBA : Network Capture, Monitoring and Analysis Program Filenames

reference set. You must then enable the UBA : Network Capture, Monitoring and Analysis Program Filenames rule.

Procedure

1. Open the Admin settings:
   - In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the admin tab.
2. In the System Configuration section, click Reference Set Management.
3. On the Reference Set Management window, select the UBA : Network Capture, Monitoring and Analysis Program Filenames reference set.
4. Click View Contents.
5. To add an application to manage, click Add and enter the values in the box.
6. To remove an application, select the application and click Delete.

What to do next

Enable the UBA : Network Capture, Monitoring and Analysis Program Filenames rule.

Managing restricted programs

You can manage restricted programs for the IBM Security QRadar User Behavior Analytics (UBA) app.

About this task

If there are any applications whose usage you want to monitor, go to the UBA : Restricted Program Filenames reference set and enter the applications that you want to monitor. You must then enable the UBA : Restricted Program Filenames rule.

Procedure

1. Open the Admin settings:
   - In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the admin tab.
2. In the System Configuration section, click Reference Set Management.
3. On the Reference Set Management window, select the UBA : Restricted Program Filenames reference set.
4. Click View Contents.
5. To add an application to manage, click Add and enter the values in the box.
6. To remove an application, select the application and click Delete.

What to do next

Enable the UBA : Restricted Program Filenames rule.

Adding log sources to the trusted log source group

If you do not want the UBA app to monitor and report certain log sources, you can add them to the UBA : Trusted Log Source Group.
Adding log sources to the group stops the UBA app from monitoring them.

Procedure

1. Open the Admin settings:
   - In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the common parameters for your log source.
5. Configure the protocol-specific parameters for your log source.
6. Select the UBA : Trusted Log Source Group check box.
7. Click Save.
8. On the Admin tab, click Deploy Changes.


6 Tuning

Enabling indexes to improve performance

To improve the performance of your IBM Security QRadar User Behavior Analytics (UBA) app, enable indexes in IBM Security QRadar.

About this task

To improve the speed of searches in IBM Security QRadar and the UBA app, narrow the overall data by adding the following indexed fields to your search query:
- High Level Category
- Low Level Category
- sensevalue
- senseoverallscore
- Username
- usecaseuuid

For more information about indexing, see the following section of the IBM Knowledge Center at c_qradar_adm_index_mgmt.html.

Procedure

1. Open the Admin settings:
   - In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the admin tab.
2. In the System Configuration section, click the Index Management icon.
3. On the Index Management page, in the search box, enter High Level Category.
4. Select High Level Category and then click Enable Index.
5. Click Save.
6. Select Low Level Category and then click Enable Index.

7. Click Save.
8. On the Index Management page, in the search box, enter sense.
9. Select sensevalue and senseoverallscore and then click Enable Index.
10. Click Save.
11. On the Index Management page, in the search box, enter username.
12. Select Username and then click Enable Index.
13. Click Save.
14. On the Index Management page, in the search box, enter usecaseuuid.
15. Select usecaseuuid and then click Enable Index.

16. Click Save.

Integrating new or existing QRadar content with the UBA app

Use the Rules Wizard in QRadar to integrate existing or custom QRadar rules with the UBA app.

About this task

To meet your specific needs, you can use the capabilities that are built into QRadar by integrating your existing QRadar rules with the UBA app.

Procedure

1. Create a copy of the existing rule. This prevents updates to the base rule from affecting the edits that you make to the new rule.
2. Open the rule in the Rule Wizard and then navigate to the Rule Response section.
3. Enable or edit the Dispatch New Event option, making sure that the Event text is formatted in the following way: sensevalue=#,sensedesc='sometext',usecase_id='rule UUID'
4. Set the High-Level-Category to Sense.
5. Click Finish to save the changes.

Note: If the rule works on flow data, you must enable the Search assets for username, when username is not available for event or flow data option so that events with no usernames can attempt a lookup for user mapping.
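As an added example that is not IBM's code, the following Python validates the Dispatch New Event text format required by the procedure above and shows how the sensevalue dispatched by each rule could accumulate into a per-user risk score under the "Decay risk by this factor per hour" and "Risk threshold to trigger offenses" settings from Configuring UBA settings. The decay arithmetic (0.5 read as 0.5% per hour), the sample timeline, and the placeholder usecase_id values are constructed assumptions, not the app's own implementation.

```python
"""Added illustration (not IBM's code) of the UBA sense-event text format and of
how per-rule sensevalue contributions could build a decaying per-user risk score
that is compared against the offense threshold.  Scoring arithmetic is assumed."""
import re
from dataclasses import dataclass, field

# Event text layout the Rule Wizard procedure requires:
#   sensevalue=#,sensedesc='sometext',usecase_id='rule UUID'
# Descriptions containing a single quote are rejected by design; keep them simple.
SENSE_EVENT_RE = re.compile(
    r"^sensevalue=(?P<sensevalue>\d+),"
    r"sensedesc='(?P<sensedesc>[^']*)',"
    r"usecase_id='(?P<usecase_id>[^']+)'$"
)


def parse_sense_event(text: str) -> dict:
    """Return the three fields of a UBA event text, or raise if it is malformed.

    A rule whose event text does not follow this layout is not picked up by the
    app, so checking the string before saving the rule avoids a silent failure.
    """
    match = SENSE_EVENT_RE.match(text.strip())
    if match is None:
        raise ValueError(f"not a UBA sense event text: {text!r}")
    fields = match.groupdict()
    fields["sensevalue"] = int(fields["sensevalue"])
    return fields


@dataclass
class RiskScorer:
    """Per-user risk scores driven by the two UBA Settings knobs the guide names.

    decay_percent_per_hour: 'Decay risk by this factor per hour' (default 0.5,
    read here as 0.5% per hour; an assumption).  offense_threshold: 'Risk
    threshold to trigger offenses' (default 100,000).
    """
    decay_percent_per_hour: float = 0.5
    offense_threshold: float = 100_000
    # username -> (score, hour at which that score was last computed)
    state: dict = field(default_factory=dict)

    def _decayed(self, score: float, from_hour: float, to_hour: float) -> float:
        hours = max(0.0, to_hour - from_hour)
        return score * (1.0 - self.decay_percent_per_hour / 100.0) ** hours

    def ingest(self, username: str, hour: float, event_text: str) -> float:
        """Add one rule's sensevalue to the user's decayed score; return the new score."""
        event = parse_sense_event(event_text)
        score, last = self.state.get(username, (0.0, hour))
        score = self._decayed(score, last, hour) + event["sensevalue"]
        self.state[username] = (score, hour)
        return score

    def scores_at(self, hour: float) -> dict:
        """Snapshot of every user's score after decay up to `hour`."""
        return {u: self._decayed(s, last, hour) for u, (s, last) in self.state.items()}

    def offending_users(self, hour: float) -> list:
        """Users whose decayed score has reached the offense threshold."""
        return sorted(u for u, s in self.scores_at(hour).items()
                      if s >= self.offense_threshold)


# Constructed timeline: (hour offset, username, event text).  The sensevalue
# numbers are the ones the Reference chapter lists for those rules; the
# usecase_id strings are placeholders, not real rule UUIDs.
SAMPLE_EVENTS = [
    (0, "alice", "sensevalue=15,sensedesc='UBA : Abnormal Outbound Attempts Found',usecase_id='RULE-UUID-PLACEHOLDER-1'"),
    (0, "bob", "sensevalue=5,sensedesc='UBA : New Account Use Detected',usecase_id='RULE-UUID-PLACEHOLDER-2'"),
    (2, "alice", "sensevalue=10,sensedesc='UBA : First Privilege Escalation',usecase_id='RULE-UUID-PLACEHOLDER-3'"),
]


def run_sample(offense_threshold: float = 100_000) -> tuple:
    """Replay SAMPLE_EVENTS; return (scores at hour 2, users that would get an offense)."""
    scorer = RiskScorer(offense_threshold=offense_threshold)
    for hour, user, text in SAMPLE_EVENTS:
        scorer.ingest(user, hour, text)
    return scorer.scores_at(2), scorer.offending_users(2)


if __name__ == "__main__":
    # Default threshold versus a tuned one, as the settings Tip suggests reviewing.
    for threshold in (100_000, 20):
        scores, offenders = run_sample(threshold)
        print(f"threshold={threshold}: scores={scores} offenses for={offenders}")
```

With the default 100,000 threshold no user reaches an offense even though alice holds two alerts; only after lowering the threshold in line with observed scores does her accumulated score trigger one.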


7 Reference

Use cases for the UBA app

The IBM Security QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral

The User Behavior Analytics (UBA) app includes use cases that are based on custom rules and anomaly detection rules. These rules are used to generate data for the UBA app dashboard. You can view and modify the rules in the User Behavior Analytics Group on the Rules List in QRadar.

Note: By default, not all of the UBA app rules are enabled.

IBM plans to update the UBA app with additional use cases on a continuous delivery model. Check back frequently for the latest updates to the app.

For more information about working with rules in QRadar, see knowledgecenter/en/ss42vs_7.2.8/com.ibm.qradar.doc/c_qradar_rul_mgt.html

UBA : Abnormal data volume to external domain (ADE rule)

Rule name: UBA : Abnormal data volume to external domain
Enabled by default: False
sensevalue: 15
Description: This rule uses the Anomaly Detection engine to monitor users' traffic usage and alert on abnormal data volumes of traffic to external domains.

UBA : Abnormal data volume to external domain Found

Rule name: UBA : Abnormal data volume to external domain Found
Enabled by default: True
sensevalue: 15

Description: This is a CRE rule that supports the identical respective ADE rule, UBA : Abnormal data volume to external domain, which uses the Anomaly Detection engine to monitor users' traffic usage and alert on abnormal data volumes of traffic to external domains.

UBA : Abnormal Outbound Attempts (ADE rule)

Rule name: UBA : Abnormal Outbound Attempts
Enabled by default: False
sensevalue: 15
Description: This rule uses the Anomaly Detection engine to monitor outbound traffic usage and to alert on an abnormal number of attempts.

UBA : Abnormal Outbound Attempts Found

Rule name: UBA : Abnormal Outbound Attempts Found
Enabled by default: True
sensevalue: 15
Description: This is a CRE rule that supports the identical respective ADE rule, UBA : Abnormal Outbound Attempts, which uses the Anomaly Detection engine to monitor outbound traffic usage and to alert on an abnormal number of attempts.

UBA : Abnormal visits to Risky Resources (ADE rule)

Rule name: UBA : Abnormal visits to Risky Resources
Enabled by default: False

sensevalue: 15
Description: This rule uses the Anomaly Detection engine to monitor the number of times a user accesses a risky resource (such as suspicious URLs, anonymizers, and malware hosts) and alerts when the number of visits changes abnormally.

UBA : Abnormal visits to Risky Resources Found

Rule name: UBA : Abnormal visits to Risky Resources Found
Enabled by default: True
sensevalue: 15
Description: This is a CRE rule that supports the identical respective ADE rule, UBA : Abnormal visits to Risky Resources, which uses the Anomaly Detection engine to monitor the number of times a user accesses risky resources (such as suspicious URLs, anonymizers, and malware hosts) and alerts when the number of visits changes abnormally.

UBA : Account, Group or Privileges Added or Modified

Rule name: UBA : Account, Group or Privileges Added or Modified
Enabled by default: True
sensevalue: 5
Description: Detects events that a user performs and that fit into one of the following categories. The rule dispatches an IBM Sense event to increment the originating user's risk score.
- Authentication.Group Added
- Authentication.Group Changed
- Authentication.Group Member Added
- Authentication.Computer Account Added
- Authentication.Computer Account Changed

- Authentication.Policy Added
- Authentication.Policy Change
- Authentication.Trusted Domain Added
- Authentication.User Account Added
- Authentication.User Account Changed
- Authentication.User Right Assigned

Note: To tune the impact of this rule on users' overall risk scores, consider modifying the building block rule "CategoryDefinition: Authentication User or Group Added or Changed" by adding event categories of interest to your organization.

Data sources: CA ACF2, Cisco ACS, AhnLab Policy Center APC, Amazon AWS CloudTrail, AppSecDbProtect, Arbor Networks Pravail, Arpeggio SIFT-IT, ARSeriesRouter, Cisco Adaptive Security Appliance (ASA), Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, ChangeControl, CheckPoint, Cilasoft QJRN/400, Cisco Identity Services Engine, Classify, Cloudera Navigator, CloudFoundry, CloudPassage Halo, CorreLogAgentforIBMzOS, CRE System, Cyber-Ark Vault, IBM DB2, Radware DefensePro, DG Technology MEAS, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, EventCRE, EventCREInjected, Foundry Fastiron, Fortinet FortiGate Security Gateway, Cisco Firewall Services Module (FWSM), GenericDSM, HBGary Active Defense, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityDirectoryServer, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IMS, IOS, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, JuniperSA, Kaspersky Security Center, LinuxServer, McAfee epolicy Orchestrator, Microsoft SQL Server, Mobility, Cisco NAC Appliance, Extreme NAC, NetScreenFirewall, NetScreenNSM, Netskope Active, Cisco Nexus, NSeries, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, OSSEC, OSServices, PGPUniversalServer, PireanAccessOne, Cisco PIX
Firewall, IBM Proventia Network Intrusion Prevention System (IPS), RACF, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, Microsoft SCOM, Securesphere, Microsoft SharePoint, Sidewinder, SIM Audit, Solaris BSM, SonicWALL SonicOS, SourcefireDefenseCenter, STEALTHbits StealthINTERCEPT, Sybase ASE, ThreatGRIDMalwareThreatIntelligencePlatform, TippingPoint X Series Appliances, TivoliAccessManager, CA Top Secret, Trend Micro Deep Security, UnityOne, VMware, VormetricDataFirewall, Websphere, WindowsAuthServer, Wism

UBA : Critical Systems Users Seen Update

Rule name: UBA : Critical Systems Users Seen Update
Enabled by default: True
Description: Updates the last seen value in the "Critical Systems Users Seen" reference collection for Destination IP/Username matches that already exist.

UBA : Detect Persistent SSH session

Rule name: UBA : Detect Persistent SSH session
Enabled by default: True
sensevalue: 10
Description: Detects SSH sessions that are active for more than 10 hours.

UBA : Dormant Account Found (privileged)

Rule name: UBA : Dormant Account Found (privileged)
Enabled by default: True
sensevalue: 10
Description: Ensure that "UBA : User Has Gone Dormant (no activity anomaly rule)" is enabled to activate this rule. This rule indicates that a username's activity count has changed by greater than 80%. "UBA : User Dormant Account Found (privileged)" and "UBA : User Has Gone Dormant (no activity anomaly rule)" are intended to point out when a user has stopped producing activity for an extended period. This condition might indicate that the user no longer requires access, as indicated by a long absence of activity that is associated with their username. False alarms are possible if a username's activity drops to zero during the short interval period (14 days by default) and before zero is the new baseline (28 days by default). These do not affect a user's risk score if the response frequency limit for "UBA : User Dormant Account Found (privileged)" is set to a time period equal to or greater than the long interval per user name.

UBA : Dormant Account Used

Rule name: UBA : Dormant Account Used

Enabled by default: False
sensevalue: 10
Description: Provides reporting functions to indicate that a user successfully logged in after a dormant period. How quickly the rule is triggered after the user goes dormant is governed by the time-to-live setting in "UBA : User Accounts, Successful, Recent".

Note: For best results, wait 2-4 weeks before you enable both "UBA : Dormant Account Used" and "UBA : Username to User Accounts, Successful, Dormant". This allows the "UBA : User Accounts, Successful, Observed" and "UBA : User Accounts, Successful, Recent" reference sets to be populated and reduces the chance of prematurely triggering "UBA : Dormant Account Used".

Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services
Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee epolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIM Audit, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymbolAP, Tandem, TippingPoint X Series Appliances, TivoliAccessManager, CA Top Secret, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : D/DoS Attack Detected

Rule name: UBA : D/DoS Attack Detected
Enabled by default: False
sensevalue: 15
Description: Detects network Denial of Service (DoS) attacks by a user.

Note: Before you can use this rule, complete the following steps:
1. From the Admin tab, click UBA Settings.
2. Select the Search assets for username, when username is not available for event or flow data check box to search for user names in the asset table. The UBA app uses assets to look up a user for an IP address when no user is listed in an event.
3. The event rule needs the "Snort Open Source IDS" log source to work.

UBA : First Privilege Escalation

Rule name: UBA : First Privilege Escalation
Enabled by default: True
sensevalue: 10
Description: Indicates that a user executed privileged access for the first time. This reporting rule can be disabled to allow the tracking of user behaviors for baselining purposes.

Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, Arbor Networks Pravail, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Oracle Audit Vault, Avaya VPN Gateway, Barracuda Web Application Firewall, BigIP,

Bind, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, Cloudera Navigator, CloudFoundry, CloudPassage Halo, ControlManager, CorreLogAgentforIBMzOS, CounterAct, CRE System, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, DG Technology MEAS, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, F5 Networks BIG-IP APM, F5ASM, Foundry Fastiron, Fortinet FortiGate Security Gateway, Cisco Firewall Services Module (FWSM), GenericDSM, Genua Genugate, Guardium, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HoneycombLexiconFileIntegrityMonitor, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityDirectoryServer, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, JuniperAltorVGW, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee epolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, MicrosoftFEP, MicrosoftHyperV, Microsoft SQL Server, Mobility, Cisco NAC Appliance, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, NetsightASM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle
BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, PostFixMailTransferAgent, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, Samhain, Microsoft SCOM, Securesphere, Sendmail, Microsoft SharePoint, Sidewinder, SIM Audit, SIMNotification, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SourcefireDefenseCenter, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymantecCriticalSystemProtection, SymantecSystemCenter, ThreatGRIDMalwareThreatIntelligencePlatform, TippingPoint X Series Appliances, TivoliAccessManager, TopLayerIPS, CA Top Secret, TrendMicroDeepDiscovery, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, TrusteerEnterpriseProtection, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage False 15 Indicates that a process is created and the process name matches one of the binary names that are listed in the reference set "UBA : Network Capture, Monitoring and Analysis Program Filenames". This 40 UBA app User Guide

47 reference set lists the binary names of network packet capturing software. The reference set is pre-populated with the names of some common network protocol analysis software filenames. For more information about adding or removing programs for monitoring, see Managing network monitoring tools. Data sources WindowsAuthServer UBA : New Account Use Detected UBA : New Account Use Detected True 5 Provides reporting functions that indicate a user successfully logged in for the first time. This reporting rule can be disabled temporarily for baselining purposes. Data sources CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, 
HBGary Active Defense, Sentrigo Hedgehog, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee epolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, 7 Reference 41

48 NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIM Audit, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymbolAP, Tandem, TippingPoint X Series Appliances, TivoliAccessManager, CA Top Secret, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters UBA : Orphaned or Revoked or Suspended Account Used UBA : Orphaned or Revoked or Suspended Account Used True 10 Indicates that a user attempted to log in to a disabled or an expired account on a local system. This rule might also suggest that an account was compromised. Data sources Cisco CatOS for Catalyst Switches, Extreme Dragon Network IPS, IDS, JuniperRouter, Microsoft IAS Server, IBM Proventia Network Intrusion Prevention System (IPS), WindowsAuthServer UBA : Pass the Hash UBA : Pass the Hash False UBA app User Guide

49 Detects Windows logon events that are possibly generated during pass the hash exploits. UBA : Possible TGT Forgery UBA : Possible TGT Forgery False 15 Detects Kerberos TGTs that contain Domain Name These possibly indicate tickets that are generated by using pass the ticket exploits. UBA : User Geography, Access from Unusual Locations UBA : User Geography, Access from Unusual Locations True 15 Indicates that users were able to authenticate in countries that are unusual for your network, as defined by the building block rule "UBA : BB : Unusual Source Locations". Data sources CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, 7 Reference 43

50 Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee epolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIM Audit, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, 
SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymbolAP, Tandem, TippingPoint X Series Appliances, TivoliAccessManager, CA Top Secret, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters UBA : User Geography Change UBA : User Geography Change True 5 A match indicates that a user logged in remotely from a country that is different from the country of the user's last remote login. This rule might also indicate an account compromise, particularly if the rule matches occurred closely in time. Data sources CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bit9 Security 44 UBA app User Guide

51 Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee epolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA 
WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIM Audit, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymbolAP, Tandem, TippingPoint X Series Appliances, TivoliAccessManager, CA Top Secret, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VmWare, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters UBA : User Has Gone Dormant (no activity anomaly rule) UBA : User Has Gone Dormant (no activity anomaly rule) False Indicates that a username's activity count changed by greater than 80%. This rule and its dependent rule "UBA : User Dormant Account Found (privileged)" are meant to indicate that a user suddenly stopped producing activity. Note: False alarms are possible for 'UBA : User Has Gone Dormant (no activity anomaly rule)' if a Username's activity decreases to zero during the short interval period (14 days by default) and before zero is the new baseline (28 days by default). The false alarms do not affect a user's risk score if the response frequency limit for "UBA : User Dormant Account Found (privileged)" is set to a period of time equal to or greater than the long interval per Username. 7 Reference 45
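The dormancy test of "UBA : User Has Gone Dormant" and the effect of the response frequency limit described in the note, modelled in Python as an added example (not code from the UBA app or from IBM). It assumes the anomaly compares the average daily activity of the last 14 days with the average over the last 28 days, models the response limit as at most one response per username per N days, and runs on constructed event data.

```python
from collections import defaultdict
from datetime import date, timedelta

# Defaults quoted in the rule's note.
SHORT_INTERVAL_DAYS = 14    # short interval: the recent window that is tested
LONG_INTERVAL_DAYS = 28     # long interval: the window that forms the baseline
DROP_THRESHOLD = 0.80       # "activity count changed by greater than 80%"


def daily_counts(events):
    """Bucket (username, day) events into per-user, per-day counts."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, day in events:
        counts[user][day] += 1
    return counts


def window_rate(day_counts, end, days):
    """Average events per day over the `days` days ending on `end` (inclusive)."""
    total = sum(day_counts.get(end - timedelta(d), 0) for d in range(days))
    return total / days


def dormancy_check(day_counts, today):
    """Assumed model of the anomaly test: the short-interval rate is compared
    with the long-interval rate.  Returns (rule fires, fractional drop)."""
    short = window_rate(day_counts, today, SHORT_INTERVAL_DAYS)
    baseline = window_rate(day_counts, today, LONG_INTERVAL_DAYS)
    if baseline == 0:
        return False, 0.0        # zero is already the baseline; nothing to compare
    drop = (baseline - short) / baseline
    return drop > DROP_THRESHOLD, drop


def simulate(events, start, end, limit_days):
    """Evaluate the rule once per day from `start` to `end`.  The rule response
    (the risk-score update) is delivered only when the per-username response
    frequency limit allows it; limit_days=0 means no limit.
    Returns {username: [days on which the response was delivered]}."""
    counts = daily_counts(events)
    last_response = {}
    delivered = defaultdict(list)
    for n in range((end - start).days + 1):
        today = start + timedelta(n)
        for user, per_day in counts.items():
            fires, _ = dormancy_check(per_day, today)
            if not fires:
                continue
            previous = last_response.get(user)
            if previous is not None and (today - previous).days < limit_days:
                continue             # suppressed by the response frequency limit
            last_response[user] = today
            delivered[user].append(today)
    return dict(delivered)


def constructed_events(day0):
    """Constructed sample: alice produces 3 events a day for 42 days and then
    goes silent; bob produces 2 events a day for all 100 days."""
    events = []
    for n in range(42):
        events += [("alice", day0 + timedelta(n))] * 3
    for n in range(100):
        events += [("bob", day0 + timedelta(n))] * 2
    return events


def demo(limit_days):
    """Run the constructed scenario; return delivered responses per user as
    day offsets from the first day of the sample."""
    day0 = date(2017, 1, 1)
    delivered = simulate(constructed_events(day0), day0, day0 + timedelta(99), limit_days)
    return {user: [(d - day0).days for d in days] for user, days in delivered.items()}


if __name__ == "__main__":
    # alice's activity stops after day 41; the anomaly fires daily from day 54
    # until day 68, when zero has become her baseline.  A 28-day response limit
    # collapses that run of alarms into a single risk-score update.
    for limit in (0, 14, 28):
        print(f"limit={limit:2d} days -> alice responses on days {demo(limit).get('alice', [])}")
    print("bob responses:", demo(0).get("bob", []))
```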

Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIM Audit, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymbolAP, Tandem, TippingPoint X Series Appliances, TivoliAccessManager, CA Top Secret, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : User Time, Access at Unusual Times
Enabled by default: True
senseValue: 5
Description: Indicates that users are successfully authenticating at times that are unusual for your network, as defined by the "UBA: Unusual Times, %" building blocks.
Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIM Audit, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymbolAP, Tandem, TippingPoint X Series Appliances, TivoliAccessManager, CA Top Secret, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : Windows access with Service or Machine Account
Enabled by default: True
senseValue: 15
Description: Detects any interactive session (RDP, local login) that is initiated by a service or machine account in Windows Server. Accounts are listed in the "UBA : Service, Machine Account" reference set. Edit the list to add or remove the accounts from your environment that you want to flag.

UBA : QNI - Access to Improperly Secured Service - Certificate Expired
Enabled by default: False
senseValue: 5
Description: QRadar Network Insights (QNI) detected an SSL/TLS session that uses an expired certificate. Servers and clients use certificates when they establish communication by using Secure Sockets Layer (SSL) or Transport Layer Security (TLS). Certificates are issued with an expiration date that indicates how long the certificate remains valid.
Data sources: QRadar Network Insights (QNI)

UBA : QNI - Access to Improperly Secured Service - Certificate Invalid
Enabled by default: False
senseValue: 5
Description: QRadar Network Insights (QNI) detected an SSL/TLS session that uses an invalid certificate. Servers and clients use X.509 certificates when they establish communication by using Secure Sockets Layer (SSL). Certificates are issued with a Not Before date that indicates the earliest date on which the certificate is valid.

Data sources: QRadar Network Insights (QNI)

UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length
Enabled by default: False
senseValue: 5
Description: QRadar Network Insights (QNI) detected an SSL/TLS session that uses a certificate with a low public key bit count. A server that provides a weak public key certificate (less than 1024 bits) can represent a security risk. According to NIST guidance, the recommended minimum RSA key length beginning in 2011 is 2048 bits.
Data sources: QRadar Network Insights (QNI)

UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate
Enabled by default: False
senseValue: 5
Description: QRadar Network Insights (QNI) detected an SSL/TLS session that uses a self-signed certificate. A self-signed certificate on a public-facing or production server application might allow a remote attacker to mount a man-in-the-middle attack.
Data sources: QRadar Network Insights (QNI)

UBA : QNI - Observed File Hash Associated with Malware Threat
Enabled by default: False
senseValue: 15
Description: This rule triggers when flow content includes a file hash that matches a known bad file hash from a threat intelligence data feed. It indicates that someone transferred malware over the network.
Data sources: QRadar Network Insights (QNI)

UBA : QNI - Observed File Hash Seen Across Multiple Hosts
Enabled by default: False
senseValue: 15
Description: This rule triggers when the same file hash that is associated with malware is seen being transferred to multiple destinations.
Data sources: QRadar Network Insights (QNI)

UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Recipient
Enabled by default: False
senseValue: 5
Description: This rule triggers when rejected events that were sent to a non-existent recipient address are seen in the system, which can indicate a spam or phishing attempt. Configure the "BB:CategoryDefinition: Rejected Recipient" building block to include the QIDs that are relevant to your organization. It is pre-populated with the following QIDs, which are good for monitoring: Microsoft Exchange; Linux OS [running sendmail]; Solaris Operating System Sendmail Logs; and Barracuda Spam and Virus Firewall.
Data sources: QRadar Network Insights (QNI)

UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers
Enabled by default: False
senseValue: 5
Description: This rule triggers when multiple sending servers send the same subject within a period of time, which can indicate spam or phishing.
Data sources: QRadar Network Insights (QNI)

UBA : Recent User Activity Update (privileged)
Enabled by default: True
Description: Updates the last seen value for a user on the observations that are kept in the "UBA : Recent Activities by Low Level Category and Username" map-of-sets.

UBA : Repeat Unauthorized Access
Enabled by default: True
senseValue: 10
Description: Indicates that repeat unauthorized access activities were found.

UBA : Restricted Program Usage
Enabled by default: False
senseValue: 5
Description: Indicates that a process is created and the process name matches one of the binary names that are listed in the reference set "UBA : Restricted Program Filenames". This reference set is blank by default so that you can customize it. You can populate the reference set with the file names that you want to monitor for risk management. For more information about adding or removing programs for monitoring, see Managing restricted programs.
Data sources: WindowsAuthServer

UBA : Risky URL Filter Category - Gambling
Enabled by default: True
senseValue: 5
Description: A user accessed a URL that can indicate elevated security or legal risk.
References:

UBA : Risky URL Filter Category - Malicious Outbound Data or Botnets
Enabled by default: True
senseValue: 10
Description: A user accessed a URL that can indicate elevated security or legal risk.
References:

UBA : Risky URL Filter Category - Malicious Sources or Malnets
Enabled by default: True
senseValue: 10
Description: A user accessed a URL that can indicate elevated security or legal risk.
References:

UBA : Risky URL Filter Category - Mixed Content/Potentially Adult
Enabled by default: True
senseValue: 5
Description: A user accessed a URL that can indicate elevated security or legal risk.
References:

UBA : Risky URL Filter Category - Phishing
Enabled by default: True
senseValue: 5
Description: A user accessed a URL that can indicate elevated security or legal risk.
References:

UBA : Risky URL Filter Category - Pornography
Enabled by default: True
Description: A user accessed a URL that can indicate elevated security or legal risk.
References:

UBA : Risky URL Filter Category - Potentially Unwanted Software
Enabled by default: True
senseValue: 5
Description: A user accessed a URL that can indicate elevated security or legal risk.
References:

UBA : Risky URL Filter Category - Scam/Questionable/Illegal
Enabled by default: True
senseValue: 5
Description: A user accessed a URL that can indicate elevated security or legal risk.
References:

UBA : Risky URL Filter Category - Suspicious
Enabled by default: True
senseValue: 5
Description: A user accessed a URL that can indicate elevated security or legal risk.
References:

UBA : Risky URL Filter Category - Web Ads/Analytics
Enabled by default: True
senseValue: 5
Description: A user accessed a URL that can indicate elevated security or legal risk.
References:

UBA : Subject_CN and Username Mapping
Enabled by default: True
Description: This rule detects when a VPN event's Username is not equal to 'VPNSubjectcn'. This could indicate that VPN certificate sharing is occurring. Certificate sharing, or other authentication token sharing, can make it difficult to identify who did what, which complicates taking the next steps in the event of a compromise.

UBA : Subject_CN and Username Map Update
Enabled by default: True
Description: This rule detects when a VPN event's Username is not equal to 'VPNSubjectcn'. This could indicate that VPN certificate sharing is occurring. Certificate sharing, or other authentication token sharing, can make it difficult to identify who did what, which complicates taking the next steps in the event of a compromise.

UBA : Suspicious Privileged Activity (First Observed Privilege Use)
Enabled by default: True
senseValue: 5
Description: Indicates that a user executed a privileged action that the user never executed before. Observations are kept in the "UBA : Observed Activities by Low Level Category and Username" map-of-sets.
Data sources: Acf2, AcmePacketSessionDirectorSBC, ACS, AhnLabPolicyCenter, Aironet, AmazonAWSCloudTrail, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ArborNetworksPravail, ArpeggioSIFTIT, ArrayVPN, ARSeriesRouter, ArubaClearPass, ASA, Auditvault, AvayaVPNGateway, BarracudaWAF, BigIP, Bind, Bit9Parity, BridgewaterAAA, BrocadeFabricOS, CatOS, ChangeControl, CheckPoint, CilasoftQJRN400, CiscoCallManager, CiscoISE, CiscoWLC, CitrixAccessGateway, CitrixNetScaler, Classify, ClouderaNavigator, CloudFoundry, CloudPassageHalo, ControlManager, CorreLogAgentforIBMzOS, CounterAct, CRESystem, CSA, CyberArkVault, Db2, DCRSSeries, DefensePro, DGTechnologyMEAS, Dragon, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, F5APM, F5ASM, FastIronDsm, FortiGate, FWSM, GenericDSM, GenuaGenugate, Guardium, HBGaryActiveDefense, Hedgehog, HiPath, HoneycombLexiconFileIntegrityMonitor, HyTrustCloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityDirectoryServer, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, IronPort, ISA, ITCubeAgileSI, ItronSmartMeter, JuniperAltorVGW, JuniperDDoSSecure, JuniperMXSeries, JuniperRouter, JuniperSA, JuniperWirelessLAN, KasperskySecurityCenter, LinuxServer, McAfeeEpo, MetaIP, MicrosoftDHCP, MicrosoftFEP, MicrosoftHyperV, MicrosoftSQL, Mobility, Nac, NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, NetsightASM, NetskopeActive, Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, OktaIdentityManagement, OpenBSD, Operationsmanager, OracleDbAudit, OracleDBListener, OracleEnterpriseManager, OracleOSAudit, OracleWebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Pix, PostFixMailTransferAgent, ProofpointEnterpriseProtectionEnterprisePrivacy, Proventia, RACF, RandomPasswordManager, RiverbedSteelCentralNetProfilerAudit, RSAAuthenticationManager, SafeNetDataSecure, SalesforceSecurityAuditing, Samhain, Scom, Securesphere, Sendmail, SharePoint, Sidewinder, SIMAudit, SIMNotification, Snort, Solaris2, SolarisBSM, SonicWall, SourcefireDefenseCenter, SSeriesSwitch, SSHCryptoAuditor, StarentHA, StealthINTERCEPT, SybaseAse, SymantecCriticalSystemProtection, SymantecSystemCenter, ThreatGRIDMalwareThreatIntelligencePlatform, TippingPointx505, TivoliAccessManager, TopLayerIPS, TopSecret, TrendMicroDeepDiscovery, TrendMicroDeepDiscovery Inspector, TrendMicroDeepSecurity, Tripwire, TrusteerEnterpriseProtection, UnityOne, VenustechVenusense, VerdasysDigitalGuardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism

UBA : Suspicious Privileged Activity (Rarely Used Privilege)
Enabled by default: True
senseValue: 10
Description: Indicates that a user executed a privileged action that the user has not executed recently. Observations are kept in the "UBA : Recent Activities by Low Level Category and Username" map-of-sets. The sensitivity of this rule can be modified by changing the TTL (time-to-live) of the reference map-of-sets "UBA : Recent Activities by Low Level Category and Username": increasing the TTL reduces the sensitivity, and decreasing the TTL increases it.
Data sources CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, Arbor Networks Pravail, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Oracle Audit Vault, Avaya VPN Gateway, Barracuda Web Application Firewall, BigIP, Bind, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, Cloudera Navigator, CloudFoundry, CloudPassage Halo, ControlManager, CorreLogAgentforIBMzOS, CounterAct, CRE System, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, DG Technology MEAS, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, F5 Networks BIG-IP APM, F5ASM, Foundry Fastiron, Fortinet FortiGate Security Gateway, Cisco Firewall Services Module (FWSM), GenericDSM, Genua Genugate, Guardium, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HoneycombLexiconFileIntegrityMonitor, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityDirectoryServer, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, 58 UBA app User Guide

65 ITCubeAgileSI, Itron Smart Meter, JuniperAltorVGW, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee epolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, MicrosoftFEP, MicrosoftHyperV, Microsoft SQL Server, Mobility, Cisco NAC Appliance, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, NetsightASM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, PostFixMailTransferAgent, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, Samhain, Microsoft SCOM, Securesphere, Sendmail, Microsoft SharePoint, Sidewinder, SIM Audit, SIMNotification, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SourcefireDefenseCenter, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymantecCriticalSystemProtection, SymantecSystemCenter, ThreatGRIDMalwareThreatIntelligencePlatform, TippingPoint X Series Appliances, TivoliAccessManager, TopLayerIPS, CA Top Secret, TrendMicroDeepDiscovery, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, TrusteerEnterpriseProtection, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism UBA : Unauthorized Access UBA : Unauthorized Access True 10 Indicates that unauthorized access activities were found. 
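The two Suspicious Privileged Activity rules above both rest on a map-of-sets keyed by username, and the Rarely Used Privilege rule additionally depends on the TTL of the "Recent Activities" map-of-sets. The Python model below is an added illustration, not code from the UBA app; its privileged category names, usernames and timestamps are constructed, and it assumes the "Observed Activities" map-of-sets never expires. Replaying the same sample with a 7-day and a 30-day TTL shows why a longer TTL produces fewer Rarely Used Privilege hits.

```python
"""Added illustration of the two Suspicious Privileged Activity rules
above; this is not code from the UBA app. Category names, usernames and
timestamps are constructed sample data."""
from typing import Optional

HOUR = 3600
DAY = 24 * HOUR

# Constructed set of low-level categories treated as privileged here; the
# real rules decide this by QRadar category, and these names are only
# illustrative.
PRIVILEGED_CATEGORIES = {"Admin Login Success", "Privilege Escalation"}


class MapOfSets:
    """Model of a reference map-of-sets: username -> set of categories.

    Each value remembers when it was last added so entries can expire
    after ``ttl`` seconds, which is how the TTL on the "Recent Activities"
    map-of-sets governs the Rarely Used Privilege rule.
    """

    def __init__(self, ttl: Optional[int] = None):
        self.ttl = ttl                 # None: entries never expire
        self._data: dict = {}          # key -> {value: last_seen}

    def _expire(self, key: str, now: int) -> None:
        if self.ttl is None:
            return
        values = self._data.get(key, {})
        for value, last_seen in list(values.items()):
            if now - last_seen >= self.ttl:
                del values[value]

    def contains(self, key: str, value: str, now: int) -> bool:
        self._expire(key, now)
        return value in self._data.get(key, {})

    def add(self, key: str, value: str, now: int) -> None:
        self._data.setdefault(key, {})[value] = now


def detect_privileged_activity(events, recent_ttl: int):
    """Replay events in time order; return (time, user, category, rule) hits.

    A privileged action never seen for the user fires First Observed
    Privilege Use; one seen before but not within recent_ttl fires
    Rarely Used Privilege. Firing only one rule per event is a modelling
    choice made here for readability.
    """
    observed = MapOfSets(ttl=None)       # "Observed Activities" (assumed not to expire)
    recent = MapOfSets(ttl=recent_ttl)   # "Recent Activities", TTL sets sensitivity
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user, category, now = ev["user"], ev["category"], ev["time"]
        if category not in PRIVILEGED_CATEGORIES:
            continue
        if not observed.contains(user, category, now):
            alerts.append((now, user, category, "First Observed Privilege Use"))
        elif not recent.contains(user, category, now):
            alerts.append((now, user, category, "Rarely Used Privilege"))
        observed.add(user, category, now)
        recent.add(user, category, now)
    return alerts


# Constructed sample events (time in seconds from an arbitrary epoch).
SAMPLE_EVENTS = [
    {"time": 0, "user": "alice", "category": "Admin Login Success"},
    {"time": 0, "user": "alice", "category": "User Login Success"},  # not privileged
    {"time": 1 * HOUR, "user": "alice", "category": "Admin Login Success"},
    {"time": 2 * HOUR, "user": "bob", "category": "Privilege Escalation"},
    {"time": 10 * DAY, "user": "alice", "category": "Admin Login Success"},  # after 10 quiet days
    {"time": 10 * DAY + HOUR, "user": "alice", "category": "Admin Login Success"},
]


def rarely_used_alerts(recent_ttl: int):
    """Only the Rarely Used Privilege hits for the sample, for a given TTL."""
    return [a for a in detect_privileged_activity(SAMPLE_EVENTS, recent_ttl)
            if a[3] == "Rarely Used Privilege"]


if __name__ == "__main__":
    for ttl_days in (7, 30):
        hits = detect_privileged_activity(SAMPLE_EVENTS, ttl_days * DAY)
        print(f"TTL {ttl_days} days:")
        for t, user, category, rule in hits:
            print(f"  +{t // HOUR:>4}h {user:<6} {category:<22} -> {rule}")
```

With the 7-day TTL alice's admin login after ten quiet days is reported as a Rarely Used Privilege; with the 30-day TTL it is not, while both First Observed hits are unaffected by the TTL.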
UBA : User Access - Failed Access to Critical Assets
Enabled by default: True
Severity: 5
Description: This rule detects authentication failures for systems located in the Critical Assets reference set.

UBA : User Access - First Access to Critical Assets
Enabled by default: True
Severity: 10
Description: Indicates that this is the first time the user accessed a critical asset. The "Critical Systems Users Seen" reference collection governs the time-to-live of an observation. By default this rule detects the first access in three months.
Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIM Audit, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymbolAP, Tandem, TippingPoint X Series Appliances, TivoliAccessManager, CA Top Secret, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VmWare, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : User Access Login Anomaly
Enabled by default: True
Severity: 5
Description: Indicates a sequence of login failures on a local asset. The rule might also indicate an account compromise or lateral movement activity. Ensure that the Multiple Login Failures for Single Username rule is enabled. Adjust the match and time duration parameters for this rule to tune the responsiveness.
Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bind, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, Cyber-Ark Vault, Cyberguard, IBM DB2, DCRSSeries, Radware DefensePro, DG Technology MEAS, Extreme Dragon Network IPS, EDirectory, EMCvCloud, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, Guardium, HBGary Active Defense, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, Infoblox, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, JuniperMykonosWebSecurity, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, LinuxServer, McAfee ePolicy Orchestrator, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, Okta Identity Management, OpenBSD OS, OpenLDAP, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Microsoft SharePoint, Sidewinder, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SourcefireDefenseCenter, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, StoneGate, Sybase ASE, SymbolAP, Tandem, Threecom8800SeriesSwitch, TippingPoint X Series Appliances, TivoliAccessManager, TopLayerIPS, TrendMicroDeepDiscovery, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : User Accessing Account from Anonymous Source
Enabled by default: True
Severity: 15
Description: Indicates that a user is accessing internal resources from an anonymous source such as TOR or a VPN.
Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIM Audit, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymbolAP, Tandem, TippingPoint X Series Appliances, TivoliAccessManager, CA Top Secret, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : User Accessing Risky Resources
Note: UBA : User Accessing Risky Resources is disabled by default starting with V. The rules are now listed by the following types and enabled by default:
- UBA : User Accessing Risky IP, Anonymization
- UBA : User Accessing Risky IP, Botnet
- UBA : User Accessing Risky IP, Dynamic
- UBA : User Accessing Risky IP, Malware
- UBA : User Accessing Risky IP, Spam
- UBA : User Accessing Risky URL
Enabled by default: False
Severity: 15
Description: Indicates that a user accessed an external resource that is deemed to be inappropriate or risky, or that shows signs of infection.
Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, AnomalyDetectionEngine, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, Arbor Networks Pravail, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bind, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, Cloudera Navigator, CloudFoundry, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, ControlManager, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, Cyberguard, IBM DB2, DCRSSeries, Radware DefensePro, DG Technology MEAS, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5ASM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, Guardium, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HoneycombLexiconFileIntegrityMonitor, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityDirectoryServer, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, Infoblox, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, JuniperAltorVGW, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperMykonosWebSecurity, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, MicrosoftFEP, MicrosoftHyperV, Microsoft IAS Server, Microsoft SQL Server, Mobility, Cisco NAC Appliance, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, NetsightASM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, OpenLDAP, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, PostFixMailTransferAgent, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Samhain, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Microsoft SharePoint, Sidewinder, SIM Audit, SIMNotification, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SourcefireDefenseCenter, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, StoneGate, Sybase ASE, SymantecCriticalSystemProtection, SymantecSystemCenter, SymbolAP, Tandem, ThreatGRIDMalwareThreatIntelligencePlatform, Threecom8800SeriesSwitch, TippingPoint X Series Appliances, TivoliAccessManager, TopLayerIPS, CA Top Secret, TrendMicroDeepDiscovery, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, TrusteerEnterpriseProtection, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : User Account Change
Enabled by default: True
Severity: 10
Description: Indicates when a user account was affected by an action which changes the user's effective privileges, either up or down.
False positive note: This event might misattribute modifications to an account name to the user making the changes. To reduce this false positive possibility, add the test 'and when Username equals AccountName'.
False negative note: This event might not detect all cases of account modifications for a user.
Data sources: WindowsAuthServer

UBA : User Anomalous Geography
Enabled by default: True
Severity: 5
Description: Indicates that multiple locations or sources are using the same user account simultaneously. Adjust the match and duration parameters to tune responsiveness.
Data sources: Acf2, AcmePacketSessionDirectorSBC, ACS, AhnLabPolicyCenter, Aironet, AmazonAWSCloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, ArpeggioSIFTIT, ArrayVPN, ARSeriesRouter, ArubaClearPass, ASA, ASE, Astaro, Auditvault, AvayaVPNGateway, BarracudaFirewall, BarracudaWAF, BarracudaWebFilter, BigIP, Bit9Parity, BridgewaterAAA, BrocadeFabricOS, CatOS, ChangeControl, CheckPoint, CilasoftQJRN400, CiscoCallManager, CiscoISE, CiscoWLC, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassageHalo, Contivity, Contivityv2, ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRESystem, Cryptoshield, CSA, CyberArkVault, Db2, DCRSSeries, DefensePro, Dragon, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5APM, F5FirePass, FastIronDsm, FortiGate, FreeRADIUS, FWSM, GenericAuthServer, GenericDSM, GenuaGenugate, HBGaryActiveDefense, Hedgehog, HiPath, HyTrustCloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, IronPort, ISA, ITCubeAgileSI, ItronSmartMeter, JuniperDDoSSecure, JuniperMXSeries, JuniperRouter, JuniperSA, JuniperSBR, JuniperWirelessLAN, KasperskySecurityCenter, LinuxServer, McAfeeEpo, MetaIP, MicrosoftDHCP, MicrosoftExchange, MicrosoftIAS, MicrosoftSQL, Mobility, NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, NetskopeActive, Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, OktaIdentityManagement, OpenBSD, Operationsmanager, OracleDbAudit, OracleDBListener, OracleEnterpriseManager, OracleOSAudit, OracleWebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Pix, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, Proventia, RACF, RandomPasswordManager, RiverbedSteelCentralNetProfilerAudit, RSAAuthenticationManager, SafeNetDataSecure, SalesforceSecurityAuditing, SalesforceSecurityMonitoring, Scom, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIMAudit, SiteMinder, Snort, Solaris2, SolarisBSM, SonicWall, SSeriesSwitch, SSHCryptoAuditor, StarentHA, StealthINTERCEPT, SybaseAse, SymbolAP, Tandem, TippingPointx505, TivoliAccessManager, TopSecret, TrendMicroDeepDiscovery Inspector, TrendMicroDeepSecurity, Tripwire, UnityOne, VenustechVenusense, VerdasysDigitalGuardian, VmWare, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : User Attempt to Use a Suspended Account
Enabled by default: True
Severity: 10
Description: Detects that a user attempted to access a suspended or a disabled account.
Data sources: Extreme Dragon Network IPS, IDS, Microsoft IAS Server, IBM Proventia Network Intrusion Prevention System (IPS), WindowsAuthServer

UBA : User Behavior, Session Anomaly by Destination (ADE rule)
Enabled by default: False
Severity: 10
Description: Indicates that a user is accessing significantly different destination IP addresses than the user accessed in the past. The event is not necessarily an indication of compromise. The change in behavior might indicate a significant change in the user's job responsibilities or work habits.

73 Data sources CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, AnomalyDetectionEngine, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, Arbor Networks Pravail, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bind, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, Cloudera Navigator, CloudFoundry, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, ControlManager, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, Cyberguard, IBM DB2, DCRSSeries, Radware DefensePro, DG Technology MEAS, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5ASM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, Guardium, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HoneycombLexiconFileIntegrityMonitor, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityDirectoryServer, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, 
Infoblox, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, JuniperAltorVGW, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperMykonosWebSecurity, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee epolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, MicrosoftFEP, MicrosoftHyperV, Microsoft IAS Server, Microsoft SQL Server, Mobility, Cisco NAC Appliance, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, NetsightASM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, OpenLDAP, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, PostFixMailTransferAgent, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Samhain, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Microsoft SharePoint, Sidewinder, SIM Audit, SIMNotification, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SourcefireDefenseCenter, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, StoneGate, Sybase ASE, SymantecCriticalSystemProtection, SymantecSystemCenter, SymbolAP, Tandem, ThreatGRIDMalwareThreatIntelligencePlatform, Threecom8800SeriesSwitch, TippingPoint X Series Appliances, TivoliAccessManager, TopLayerIPS, CA Top Secret, TrendMicroDeepDiscovery, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, TrusteerEnterpriseProtection, UnityOne, VenustechVenusense, 
Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters UBA : User Behavior, Session Anomaly by Destination Found UBA : User Behavior, Session Anomaly by Destination Found 7 Reference 67

74 True 10 This is a CRE rule that supports the identical respective ADE rule : UBA : User Behavior, Session Anomaly by Destination which indicates that a user is accessing significantly different destination IP addresses than were accessed by the user in the past. The event is not necessarily an indication of compromise. The change in behavior might indicate a significant change in the user s job responsibilities or work habits. UBA : User Event Frequency Anomaly - Categories Found UBA : User Event Frequency Anomaly - Categories Found True 5 This is a CRE rule that supports the identical respective ADE rule : UBA : User Event Frequency Anomaly - Categories which uses the Anomaly Detection engine to monitor the category distribution of a user's events. It will alert on unusual frequency changes. UBA : User Event Frequency Anomaly Categories (ADE rule) UBA : User Event Frequency Anomaly Categories False 5 Uses the Anomaly Detection engine to monitor the category distribution of a user's events. It alerts on unusual frequency changes. 68 UBA app User Guide

75 Data sources CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, AnomalyDetectionEngine, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, Arbor Networks Pravail, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bind, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, Cloudera Navigator, CloudFoundry, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, ControlManager, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, Cyberguard, IBM DB2, DCRSSeries, Radware DefensePro, DG Technology MEAS, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5ASM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, Guardium, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HoneycombLexiconFileIntegrityMonitor, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityDirectoryServer, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, 
Infoblox, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, JuniperAltorVGW, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperMykonosWebSecurity, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee epolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, MicrosoftFEP, MicrosoftHyperV, Microsoft IAS Server, Microsoft SQL Server, Mobility, Cisco NAC Appliance, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, NetsightASM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, OpenLDAP, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, PostFixMailTransferAgent, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Samhain, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Microsoft SharePoint, Sidewinder, SIM Audit, SIMNotification, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SourcefireDefenseCenter, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, StoneGate, Sybase ASE, SymantecCriticalSystemProtection, SymantecSystemCenter, SymbolAP, Tandem, ThreatGRIDMalwareThreatIntelligencePlatform, Threecom8800SeriesSwitch, TippingPoint X Series Appliances, TivoliAccessManager, TopLayerIPS, CA Top Secret, TrendMicroDeepDiscovery, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, TrusteerEnterpriseProtection, UnityOne, VenustechVenusense, 
Verdasys Digital Guardian, VmWare, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : User Geography Change

True 5
A match indicates that a user logged in remotely from a country that is different from the country of the user's last remote login. This rule might also indicate an account compromise, particularly if the rule matches occurred close together in time.
Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS,
IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee epolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIM Audit, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymbolAP, Tandem, TippingPoint X Series Appliances, TivoliAccessManager, CA Top Secret, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VmWare, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : User Geography, Access from Unusual Locations
True 15
Indicates that users were able to authenticate in countries that are unusual for your network, as defined by the building block rule "UBA : BB : Unusual Source Locations".
Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager,
IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee epolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIM Audit, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymbolAP, Tandem, TippingPoint X Series Appliances,

TivoliAccessManager, CA Top Secret, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : User Time, Access at Unusual Times
True 5
Indicates that users are successfully authenticating at times that are unusual for your network, as defined by the "UBA: Unusual Times, %" building blocks.
Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee epolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit,

RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIM Audit, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymbolAP, Tandem, TippingPoint X Series Appliances, TivoliAccessManager, CA Top Secret, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : User Volume of Activity Anomaly - Traffic (ADE rule)
Starting with V2.3.0, UBA : User Volume of Activity Anomaly - Traffic should be disabled and the following updated versions of the rule should be used instead:
v UBA : User Volume Activity Anomaly - Traffic to External Domains
v UBA : User Volume Activity Anomaly - Traffic to External Domains Found
v UBA : User Volume Activity Anomaly - Traffic to Internal Domains
v UBA : User Volume Activity Anomaly - Traffic to Internal Domains Found
False 10
Uses the Anomaly Detection engine to monitor user traffic usage and to send an alert on unusual volumes of traffic.
Data sources: JuniperSA

UBA : User Volume of Activity Anomaly - Traffic Found
True 10

This is a CRE rule that supports the identical respective ADE rule UBA : User Volume of Activity Anomaly - Traffic, which uses the Anomaly Detection engine to monitor the user's traffic usage and to alert on unusual volumes of traffic.

UBA : Username to User Accounts, Privileged, Observed
True
Records the Username to "UBA : User Accounts, Privileged, Observed" when a user is observed in privileged activities for the first time.
Data sources: Not applicable.
Notes: This rule is a parallel rule to UBA : First Privilege Escalation. It is only used to record privileged Usernames.

UBA : Username to User Accounts, Successful, Dormant
False
Records the Username to "UBA : User Accounts, Successful, Dormant" when a successful user login is detected after a dormant period.
Note: For best results, wait 2-4 weeks before you enable both "UBA : Dormant Account Used" and "UBA : Username to User Accounts, Successful, Dormant". This waiting period allows the "UBA : User Accounts, Successful, Observed" and "UBA : User Accounts, Successful, Recent" reference sets to populate and reduces the chance of prematurely triggering "UBA : Dormant Account Used".
Data sources: Not applicable.

Notes: This rule is a parallel rule to UBA : New Account Use Detected and UBA : Dormant Account Used. It is only used to record Usernames.

UBA : Username to User Accounts, Successful, Observed
True
Records the Username to "UBA : User Accounts, Successful, Observed" when a successful user login is detected for the first time or after a dormant period.
Data sources: Not applicable.
Notes: This rule is a parallel rule to UBA : New Account Use Detected and UBA : Dormant Account Used. It is only used to record Usernames.

UBA : Username to User Accounts, Successful, Recent
True
Records that a successful user login is detected for the first time or after a dormant period.
Data sources: Not applicable.
Notes: This rule is a parallel rule to UBA : New Account Use Detected and UBA : Dormant Account Used. It is only used to record Usernames.

UBA : Username to User Accounts, Successful, Recent Update
True
This rule updates the user's time to live in the UBA : Username to User Accounts, Successful, Recent reference set for each instance in which the user is seen while the user still exists in the reference set.

UBA : VPN Access By Service or Machine Account
True 10
This rule detects when a Cisco VPN is accessed by a service or machine account. Accounts are listed in the UBA : Service, Machine Account reference set. Edit this list to add or remove the accounts from your environment that you want to flag.

UBA : VPN Certificate Sharing
True
Note: If you plan to use the UBA : VPN Certificate Sharing rule, you must update the Cisco Firewall DSM to the following:
v For V7.2.8: DSM-CiscoFirewallDevices noarch.rpm
v For V7.3.0 and later: DSM-CiscoFirewallDevices noarch.rpm

This rule detects when a VPN event's Username is not equal to 'VPNSubjectcn'. This could indicate that VPN certificate sharing is occurring. Certificate sharing or other authentication token sharing can make it difficult to identify who did what, which complicates taking next steps in the event of a compromise.

X-Force Risky IP, Anonymization
True
This rule detects when a local user or host is connecting to an external anonymization service.

X-Force Risky IP, Botnet
True
This rule detects when a local user or host is connecting to a botnet command and control server.

X-Force Risky IP, Dynamic
True
This rule detects when a local user or host is connecting to a dynamically assigned IP address.

X-Force Risky IP, Malware

True
This rule detects when a local user or host is connecting to a malware host.

X-Force Risky IP, Spam
True
This rule detects when a local user or host is connecting to a spam-sending host.

X-Force Risky URL
True
This rule detects when a local user is accessing questionable online content.
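As an added example that is not the UBA app's own rule implementation, the following Python evaluates the conditions given above for UBA : User Geography Change, UBA : VPN Access By Service or Machine Account and UBA : VPN Certificate Sharing over constructed, already normalized events. The field names, the event records and the contents of the reference set are assumptions made for the example.

```python
# Added example; not the UBA app's rule code. The event field names (ts,
# username, country, remote, vpn, vpn_subject_cn), the sample events and the
# reference set contents are constructed assumptions.

# Constructed stand-in for the "UBA : Service, Machine Account" reference set.
SERVICE_MACHINE_ACCOUNTS = {"svc_backup", "WS-0042$"}


def user_geography_change(events):
    """UBA : User Geography Change: a remote login from a country that differs
    from the country of the same user's previous remote login.

    Returns (username, previous_country, new_country, seconds_since_previous)
    so the catalogue's caveat can be applied: matches that occur close together
    in time are the stronger sign of an account compromise.
    """
    last_seen = {}  # username -> (country, timestamp of last remote login)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e.get("remote"):
            continue  # local logins do not take part in this rule
        user, country = e["username"], e["country"]
        if user in last_seen and last_seen[user][0] != country:
            prev_country, prev_ts = last_seen[user]
            hits.append((user, prev_country, country, e["ts"] - prev_ts))
        last_seen[user] = (country, e["ts"])
    return hits


def vpn_access_by_service_or_machine_account(events, accounts=SERVICE_MACHINE_ACCOUNTS):
    """UBA : VPN Access By Service or Machine Account: a VPN event whose
    username is listed in the reference set."""
    return [e["username"] for e in events if e.get("vpn") and e["username"] in accounts]


def vpn_certificate_sharing(events):
    """UBA : VPN Certificate Sharing: a VPN event whose Username is not equal
    to the certificate subject CN (VPNSubjectcn), which can mean that one
    client certificate is shared between people."""
    return [
        (e["username"], e["vpn_subject_cn"])
        for e in events
        if e.get("vpn") and e.get("vpn_subject_cn") and e["username"] != e["vpn_subject_cn"]
    ]


# Constructed normalized events; ts is seconds since an arbitrary epoch.
SAMPLE_EVENTS = [
    {"ts": 0, "username": "alice", "country": "US", "remote": True, "vpn": False},
    {"ts": 600, "username": "alice", "country": "FR", "remote": False, "vpn": False},
    {"ts": 3600, "username": "alice", "country": "DE", "remote": True, "vpn": False},
    {"ts": 4000, "username": "svc_backup", "country": "US", "remote": True, "vpn": True,
     "vpn_subject_cn": "svc_backup"},
    {"ts": 4100, "username": "carol", "country": "US", "remote": True, "vpn": True,
     "vpn_subject_cn": "dave"},
    {"ts": 4200, "username": "bob", "country": "US", "remote": True, "vpn": True,
     "vpn_subject_cn": "bob"},
]

if __name__ == "__main__":
    print(user_geography_change(SAMPLE_EVENTS))
    print(vpn_access_by_service_or_machine_account(SAMPLE_EVENTS))
    print(vpn_certificate_sharing(SAMPLE_EVENTS))
```

The local login from FR at ts 600 is deliberately ignored, so alice's only match is the US to DE change one hour later.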

8 Reference Data Import - LDAP app
Use the Reference Data Import - LDAP app to gather contextual identity information from multiple LDAP sources into your QRadar Console.
Note: The Reference Data Import - LDAP app requires QRadar V7.2.8 or later.
The app polls one or more LDAP servers for data and adds the data to new or existing reference data tables in QRadar. You can use the data to focus your investigations on specific groups, identify users by department, or use any other information that is available.
Using the LDAP data in QRadar
Every time the reference table is updated, a ReferenceDataUpdated event is triggered. You can set a time-to-live value for the LDAP data in the reference table. When the time-to-live period is exceeded, a ReferenceDataExpiry event is triggered. You can create rules that respond to these events, or create searches that query the payloads of these events on the QRadar Log Activity tab.
Accessing the Reference Data Import - LDAP app
Access the QRadar Reference Data Import - LDAP app by clicking the Reference Data Import LDAP icon in the Admin settings. For more information on reference data collections in QRadar, see the IBM Security QRadar SIEM Administration Guide.
What's new in the Reference Data Import LDAP app
Learn about the new features in the latest Reference Data Import - LDAP app release.
Version
v Display LDAP retrieval status in the LDAP app

Supported browsers for the LDAP app
For the features in IBM Security QRadar products to work properly, you must use a supported web browser. The following table lists the supported versions of web browsers.
Table 1. Supported web browsers for the QRadar Reference Data Import LDAP app
Web browser        Supported versions
Mozilla Firefox    45.2 Extended Support Release
Google Chrome      Latest
Creating an authorized service token
Before you can configure an LDAP server to add data to a reference table, you must create an authorized service token.
About this task
IBM Security QRadar requires that you use an authentication token to authenticate the API calls that the Reference Data Import - LDAP app makes. You use the Manage Authorized Services window in the Admin settings to create an authorized service token.
Procedure
1. On the Reference Data Import - LDAP app window, click Configure.
2. In the Configure Authorized Service Token dialog box, click Manage Authorized Services.
3. In the Manage Authorized Services window, click Add Authorized Service.
4. Add the relevant information in the following fields and click Create Service:
a. In the Service Name field, type a name for this authorized service. The name can be up to 255 characters in length.
b. From the User Role list, select Admin.
c. From the Security Profile list, select the security profile that you want to assign to this authorized service. The security profile determines the networks and log sources that this service can access on the QRadar user interface.
d. In the Expiry Date list, type or select a date for this service to expire. If an expiry date is not necessary, select No Expiry.
5. Click the row that contains the service you created, select and copy the token string in the Selected Token field on the menu bar, and close the Manage Authorized Services window.
6. In the Configure Authorized Service Token dialog box, paste the token string into the Token field, and click OK.
What to do next
Adding an LDAP configuration on page 81
Adding a private root certificate authority
You can upload a private root certificate authority (CA) bundle to IBM Security QRadar for use with the LDAP app.

Procedure
1. Open the Admin settings:
v In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
v In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the Admin tab.
2. Click the Reference Data Import LDAP icon.
3. On the Reference Data Import LDAP app main window, click Configure.
4. Click Choose File and then click Upload. Only the .pem file type is supported.
5. Click OK.
Adding an LDAP configuration
Add the LDAP server information that is used to insert user data into a reference map of maps.
Before you begin
You must create and add an authentication token to the Reference Data Import - LDAP app before you can add an LDAP configuration.
Procedure
1. On the Reference Data Import - LDAP app window, click Add Import.
2. Enter the following information on the LDAP Configuration tab:
a. In the LDAP URL field, enter a URL that begins with ldap:// or ldaps:// (for TLS).
b. In the Base DN field, enter the point in the LDAP directory tree from which the server must search for users. For example, if your LDAP server is on the domain example.com, you might use: dc=example,dc=com
c. In the Filter field, enter the attribute or attributes you want to use to select the data that is imported into the reference table. For example: cn=*; uid=*; sn=*. The following default value works with Active Directory: (&(samaccountname=*)(samaccounttype= )).
d. In the Attribute List field, enter the attributes you want to import into the reference table. The following default values work with Active Directory: userprincipalname,cn,sn,telephonenumber,l,co,department,displayname,mail,title.
e. In the Username field, enter the user name that is used to authenticate to the LDAP server.
f. In the Password field, enter the password for the LDAP server.
3. Click Test Connection to confirm that IBM Security QRadar can connect to the LDAP server before you proceed.
If your connection attempt is successful, information from your LDAP server is displayed on the LDAP Configuration tab.
4. Click Next.
What to do next
Add LDAP attribute mappings.
Related tasks:
Adding a private root certificate authority on page 80
You can upload a private root certificate authority (CA) bundle to IBM Security QRadar for use with the LDAP app.
Creating an authorized service token on page 80
Before you can configure an LDAP server to add data to a reference table, you must create an authorized service token.
Adding LDAP attribute mappings
You can create aliases that map to the LDAP attributes you added on the LDAP Configuration tab.
Adding LDAP attribute mappings
You can create aliases that map to the LDAP attributes you added on the LDAP Configuration tab.
About this task
If you want to merge LDAP data from multiple sources into the same reference table, you can use custom aliases to differentiate LDAP attributes that have the same name in different sources. When you add attributes to the Attributes field on the LDAP Configuration tab, they are added automatically to the LDAP Attribute Mapping tab.
Procedure
1. On the LDAP Attribute Mapping tab, enter a new name in the Alias field for any of the LDAP attributes you added, and then click Add.
2. Click Next.
Note: Aliases must be unique.
Tip: You can create new LDAP fields by combining two attributes. For example, you can use the following syntax: "Last: {ln}, First: {fn}".
What to do next
Configure a reference data table to store LDAP data.
Related tasks:
Adding a reference data configuration
Use the Reference Configuration tab to set up a reference data table to store LDAP data.
Creating a rule that responds to LDAP data updates on page 85
After you have configured the IBM Security QRadar Reference Data Import - LDAP app to store data from your LDAP server in a reference table in QRadar, you can use the data to create event rules.
Adding a reference data configuration
Use the Reference Configuration tab to set up a reference data table to store LDAP data.
Before you begin
After you configure your LDAP server information, you must set up a reference table to store the LDAP data that is passed to the app. You can then use the stored data to construct rules in QRadar or to create searches and reports.
Procedure
1. Use the Reference Configuration tab to enter a new reference table or designate an existing reference table to which you want to add LDAP data.
a. Enter a name for the reference data collection in the Reference Data field or select an existing reference data collection from the list.

b. In the Outer key selection list, select Default or select the outer (unique) key based on your environment.
c. The Generate map of sets check box is disabled by default. If you enable the check box, the app also sends data to a reference set format to improve QRadar searching, which might impact performance.
d. Use the Time to live fields to define how long you want the data to persist in the reference table. By default, the data you add never expires. When the time-to-live period is exceeded, a ReferenceDataExpiry event is triggered.
Note: If you append data to an existing reference map of maps, the app uses the original time-to-live parameters. These parameters cannot be overridden on the Reference Configuration tab.
2. Click Next.
What to do next
Set the polling interval.
Related tasks:
Configuring polling
Use the Polling Interval tab to configure how often the app polls your LDAP server for new information.
Configuring polling
Use the Polling Interval tab to configure how often the app polls your LDAP server for new information.
Before you begin
After you configure your LDAP server information and reference data collection, you configure how often you want the app to draw down data from the LDAP server.

Procedure
1. Use the Polling Interval in minutes field to define in minutes how often you want the app to poll your LDAP server for data. The minimum permissible polling interval value is
2. Enter a value for the number of records you want the poll to return in the Record retrieval limit field. By default, 100,000 records are returned. The maximum number of records that can be returned is 200,
3. The Paged results check box is selected by default to avoid limiting the number of records the LDAP server returns for each poll.
Note: Paged results are not supported by all LDAP servers.
4. Click Save.
Results
Data from your LDAP server is added to the reference data collection you selected at the interval you configured. You can use the API page on your IBM Security QRadar Console to check that data was added to the reference data collection.
Related tasks:
Checking that data is added to the reference data collection
You can use the IBM Security QRadar API documentation page to test whether data was added to the reference data collection you created.
Checking that data is added to the reference data collection
You can use the IBM Security QRadar API documentation page to test whether data was added to the reference data collection you created.
About this task
The API Documentation page on your QRadar Console can show the data that is stored in the reference table that you created in the Reference Data Import - LDAP app. You can use the API Documentation page to check that LDAP information was updated by the app.

Procedure
1. Log in to the QRadar API Documentation page.
2. In the navigation tree, open the most recent API.
3. Go to /reference_data > /table > /name > GET.
4. In the Value field of the Name parameter, enter the name of the reference data collection you created to store LDAP information, and click Try it out!. The data added by the app is returned in the Response Body field.
Creating a rule that responds to LDAP data updates
After you have configured the IBM Security QRadar Reference Data Import - LDAP app to store data from your LDAP server in a reference table in QRadar, you can use the data to create event rules.
About this task
When you poll your LDAP server and data is added to the reference table, ReferenceDataUpdated events are triggered. When the time-to-live period you configured on the Reference Configuration tab is exceeded, a ReferenceDataExpiry event is triggered. You can create rules that respond to content within ReferenceDataUpdated or ReferenceDataExpiry event payloads. LDAP data stored by the app in a reference data collection is available to rules that you configure by using the QRadar Rules Wizard. The Rules Wizard can be accessed from the Offenses, Log Activity, or Network Activity tabs.
Procedure
1. Click Log Activity > Rules > Actions > New Event Rule.
2. On the Rule Wizard introduction page, click Next.
3. Ensure that the Events radio button is selected, and click Next.
4. Enter a name for the rule in the field provided.
5. Select a test from the Test Group list, and click the + icon beside the test you want to use. The rule test you select depends on the information you want to retrieve from the reference data collection that holds your LDAP data.
The following reference map of maps event property test is designed to test events that are triggered when the Reference Data Import - LDAP app reference table is updated:
when any of these event properties is the key of the first map and any of these event properties is the key of the second map and any of these event properties is the value in any of these reference map of maps
A rule is configured to test the ReferenceDataExpiry event payload if the LDAP attribute PasswordIsExpired is updated to true for any UID in the LDAPtest1 reference data collection.

To use this event property test, you must create custom event properties for the outer key (the key of the first map), the inner key (the key of the second map), and the value fields. In the following example, the Reference Data Import - LDAP app was configured to import information on users whose password is expired from an LDAP server at example.com.

The outer key
This property contains the data entered in the LDAP fields specified in the Base DN and Filter fields on the app LDAP configuration tab. The regex for the custom event property might look like this:
(uid=(.*?),dc=example,dc=com)

The inner key
This property contains the data entered in the LDAP fields specified in the Attribute field on the app LDAP configuration tab. You can use attribute aliases in this field. The regex for the custom event property might look like this:
(passwordisexpired)

The value field
This property contains the data retrieved for the passwordisexpired LDAP attribute for each user. The regex for the custom event property might look like this:
(\['true'\])

For more information about custom event properties, see the IBM Security QRadar SIEM Users Guide.
6. Click Next.
7. Select the rule action, rule response, and rule limiter that you want to apply to the rule, and click Finish. For more information on custom event rules, see the IBM Security QRadar SIEM Users Guide.

Results
The next time you poll your LDAP server and the reference data collection you created is updated, your rule is triggered.

Related tasks:

Adding LDAP attribute mappings on page 82
You can create aliases that map to the LDAP attributes you added on the LDAP configuration tab.
Adding a reference data configuration on page 82
Use the Reference Configuration tab to set up a reference data table to store LDAP data.
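The two procedures above (verifying the LDAP data through the reference_data API, and the rule that tests the outer key, inner key and value of a ReferenceDataUpdated or ReferenceDataExpiry event) can be reproduced outside the Rules Wizard. The following is an added example, not code from the IBM guide or the UBA app: it reads a reference table back through the QRadar REST API with an authorized service token (SEC header), flattens the returned map of maps, and applies the three custom event property regexes quoted above to an event payload. The payload text and the API response body are constructed samples; the exact wording of a real ReferenceDataUpdated payload may differ, which is why the extraction is driven only by the regexes the guide gives.

```python
"""Added example (not IBM's code): check LDAP data stored in a QRadar
reference table and evaluate the guide's rule condition on an event payload."""
import json
import re
import urllib.parse
import urllib.request

# The three custom event property regexes from the guide, exactly as given.
OUTER_KEY_RE = re.compile(r"(uid=(.*?),dc=example,dc=com)")   # Base DN + Filter
INNER_KEY_RE = re.compile(r"(passwordisexpired)")             # Attribute (or alias)
VALUE_RE = re.compile(r"(\['true'\])")                        # attribute value


def fetch_reference_table(console_host, service_token, table_name):
    """GET /api/reference_data/tables/{name} using an authorized service token.
    Equivalent to the 'Try it out!' call in the API Documentation page.
    Not invoked by the offline demo below; TLS verification is left on."""
    url = "https://%s/api/reference_data/tables/%s" % (
        console_host, urllib.parse.quote(table_name, safe=""))
    req = urllib.request.Request(
        url, headers={"SEC": service_token, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def flatten_table(table):
    """Turn the reference table JSON ({"data": {outer: {inner: {"value": v}}}})
    into (outer_key, inner_key, value) triples, the same three fields the
    reference map of maps rule test operates on."""
    rows = []
    for outer_key, inner_map in table.get("data", {}).items():
        for inner_key, cell in inner_map.items():
            value = cell.get("value") if isinstance(cell, dict) else cell
            rows.append((outer_key, inner_key, value))
    return rows


def extract_rule_properties(payload):
    """Apply the outer key, inner key and value regexes to an event payload.
    Returns None unless all three match (the rule requires all three tests)."""
    outer = OUTER_KEY_RE.search(payload)
    inner = INNER_KEY_RE.search(payload)
    value = VALUE_RE.search(payload)
    if not (outer and inner and value):
        return None
    return {
        "outer_key": outer.group(1),
        "uid": outer.group(2),
        "inner_key": inner.group(1),
        "value": value.group(1),
    }


def rule_matches(payload):
    """True when the payload says passwordisexpired is ['true'] for some uid."""
    return extract_rule_properties(payload) is not None


# Constructed samples (assumed shape, labelled as such): one payload for an
# expired password, one for a user whose password is still valid.
SAMPLE_EVENT_EXPIRED = (
    "ReferenceDataUpdated collection=LDAPtest1 "
    "key=uid=jsmith,dc=example,dc=com attribute=passwordisexpired value=['true']"
)
SAMPLE_EVENT_OK = (
    "ReferenceDataUpdated collection=LDAPtest1 "
    "key=uid=adoe,dc=example,dc=com attribute=passwordisexpired value=['false']"
)
SAMPLE_TABLE = {  # constructed stand-in for the GET response body
    "name": "LDAPtest1",
    "data": {
        "uid=jsmith,dc=example,dc=com": {"passwordisexpired": {"value": "['true']"}},
        "uid=adoe,dc=example,dc=com": {"passwordisexpired": {"value": "['false']"}},
    },
}

if __name__ == "__main__":
    for outer, inner, value in flatten_table(SAMPLE_TABLE):
        print(outer, inner, value)
    for payload in (SAMPLE_EVENT_EXPIRED, SAMPLE_EVENT_OK):
        print(rule_matches(payload), extract_rule_properties(payload))
```

Only the first sample payload satisfies all three regexes, which is the behaviour the guide's rule expects: the value test on (\['true'\]) is what turns an attribute update into a match, so a user whose passwordisexpired flips back to false does not trigger the rule.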

9 Machine Learning Analytics app
The Machine Learning Analytics (ML) app extends the capabilities of your QRadar system and the QRadar User Behavior Analytics (UBA) app by adding use cases for machine learning analytics. With the Machine Learning Analytics use cases, you can gain additional insight into user behavior with predictive modeling. The ML app helps your system to learn the expected behavior of the users in your network.

Attention: You must install IBM Security QRadar V7.2.8 or later before you install the UBA app and the ML app.

Important:
v It is best to enable Machine Learning Analytics Settings one day after you initially configure the UBA app. This waiting period ensures that the UBA app has sufficient time to create risk profiles for users.
v The QRadar Console limits the amount of memory that can be used by apps. To maximize results, the ML app requires:
  - a 64 GB console to allow the top 2000 risky users provided by the UBA app to be monitored.
  - a 128 GB console to allow the top 5000 risky users provided by the UBA app to be monitored.
v To install the Machine Learning Analytics app on a QRadar App node, the QRadar App node must have a minimum of 5 GB of available memory.
v The installation might fail due to a lack of available memory. This situation can occur if the amount of memory available for applications is decreased because other applications are installed.

Known issues
The Machine Learning Analytics app has known issues for V2.4.0.
The Machine Learning Analytics app has the following known issues:
v The Machine Learning app might show errors in the Machine Learning Status section. For more information, see Machine Learning app status shows errors on dashboard on page 103.
v The installation might fail due to a lack of available memory. This situation can occur on 128 GB consoles if several other apps are already installed and less than 10 GB remains for the ML app to use. If the installation fails, the error message "FAILED" is displayed.
To remedy this situation, uninstall some of the other apps and then try again.
v An analytic listed in the Status of Machine Learning Models section of the UBA dashboard might be incorrectly flagged as failed. This can happen temporarily when that analytic is waiting to score data.

Supported browsers
For the features in the UBA app with Machine Learning Analytics app to work properly, you must use a supported web browser. The following table lists the supported versions of web browsers.

Table 2. Supported web browsers for the UBA app with Machine Learning Analytics app
Web browser       Supported versions
Mozilla Firefox   45.2 Extended Support Release
Google Chrome     Latest

Prerequisites for installing the Machine Learning Analytics app
Before you install the Machine Learning Analytics app, ensure that you meet the requirements. You must meet the following system requirements and fully install and configure the User Behavior Analytics (UBA) app before you can install the Machine Learning Analytics app.

Component                           Minimum requirements
System memory                       v Console: 64 GB
                                    v App node: 5 GB
IBM QRadar version                  V7.2.8 or later
Sense DSM                           Install the DSM RPM file.
User Behavior Analytics (UBA) app   v Install the UBA V2.4.0 app.
                                    v Configure the UBA User Analytics Settings.
                                    v Click the User Analytics tab and confirm that the UBA Dashboard contains user data.

Installing the IBM Sense DSM manually
The UBA app and the Machine Learning Analytics app use the following IBM Sense DSM files to add user risk scores and offenses into QRadar.
v For V7.2.8: DSM-IBMSense noarch.rpm
v For QRadar V7.3.0 and later: DSM-IBMSense noarch.rpm
Restriction: Uninstalling a Device Support Module (DSM) is not supported in QRadar.
1. Copy the DSM RPM file to your QRadar Console.
2. Use SSH to log in to the QRadar host as the root user.
3. Go to the directory that includes the downloaded file.
4. Type the following command: rpm -Uvh <rpm_filename>
5. From the Admin settings, click Advanced > Deploy Full Configuration.
Note: Instructions for installing and configuring the UBA app are on the IBM Knowledge Center.

Installing the Machine Learning Analytics app
Install the Machine Learning Analytics app after you have installed the UBA app from the Extension Manager.

Before you begin
Make sure you have completed all of the Prerequisites for installing the Machine Learning Analytics app.

About this task
After you install your User Behavior Analytics (UBA) app V2.1.0 or later, you can install the Machine Learning Analytics app from the Machine Learning Settings page.

Procedure
1. Open the Admin settings:
   v In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   v In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the Admin tab.
2. Click the Machine Learning Settings icon in the Plug-ins section.
3. On the Machine Learning Settings screen, click Install ML App.
4. At the prompt, click Yes to install the app. The ML app takes several minutes to install.

What to do next
When the installation is complete, you can enable ML use cases and then click Save Configuration.

Upgrading the Machine Learning Analytics app
Upgrade the Machine Learning Analytics app from the Machine Learning Settings page.

Before you begin
Starting with UBA with ML V2.2.0, there are no upgrade procedures. The Machine Learning app is automatically upgraded with the UBA app. After you install or upgrade your User Behavior Analytics (UBA) app, you can upgrade your existing Machine Learning Analytics app from the Machine Learning Settings page.

Attention: If you have the Machine Learning Analytics (ML) app V2.0.0 installed and you upgrade to the latest version of the UBA app, do not uninstall the Machine Learning Analytics app from the QRadar Extension Manager. If you attempt to uninstall the Machine Learning Analytics app from the Extension Manager, you might encounter issues with your ML app installation.

Procedure
1. Open the Admin settings:
   v In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   v In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the Admin tab.
2. Click the Machine Learning Settings icon in the Plug-ins section.
3. On the Machine Learning Settings screen, click Upgrade ML App.
4. At the prompt, click Yes. The ML app takes several minutes to upgrade.

What to do next
Verify that your Machine Learning Settings are configured correctly. If you change any settings, make sure to click Save Configuration.

Configuring Machine Learning Analytics settings
To view information in the Machine Learning Analytics app, you must configure Machine Learning Analytics application settings.

About this task
Attention: After you configure your settings, it takes a minimum of 1 hour to ingest data, build an initial model, and see initial results for users.
Important: Starting with V2.2.0, the default values for Risk value of sense event have been changed. Because the new default values are significantly lower than the previous default values, the new default values overwrite the existing default values or any value you previously modified.

Procedure
1. Open the Admin settings:
   v In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   v In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the Admin tab.
2. Click the Machine Learning Analytics icon in the Plug-ins section.
3. On the Machine Learning Analytics configuration page, click the following user analytics to configure settings.

Option: Total Activity
Click Enabled to turn on the Total Activity analytic and display the Total Activity graph on the User Details page.
Important: You must have 7 days of data available for the analytic to generate a model.
v In the Risk value of sense event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 5.
v Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1-10). This factor is determined by how much the user deviates from their expected behavior, not just by the fact that they deviated.
v In the Confidence interval to trigger anomaly field, enter the percentage for how confident the machine learning algorithm should be before it triggers an anomalous event. The default value is
v In the Data Retention Period field, set the number of days you want to save the model data. The default value is 60. Note: If you want to disable automatic purging of data, set the value to 0 (zero). All of your modeling data is then stored indefinitely.

Option: User Activity by Category
Click Enabled to turn on the User Activity by Category analytic and display the User Activity by Category graph on the User Details page.
Important: You must have 7 days of data available for the analytic to generate an initial model. If you have less than 7 days of user data for this QRadar system, the initial model is generated after 7 days of user data has been accumulated.
v In the Risk Value of Sense Event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 1.
v Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1-10). This factor is determined by how much the user deviates from their expected behavior, not just by the fact that they deviated.
v In the Confidence interval to trigger anomaly field, enter the percentage for how confident the machine learning algorithm should be before it triggers an anomalous event. The default value is
v In the Data Retention Period field, set the number of days you want to save the model data. The default value is 60. Note: If you want to disable automatic purging of data, set the value to 0 (zero). All of your modeling data is then stored indefinitely.
v In the Categories to track section, the high-level event categories are enabled by default. Click any category to disable it from being monitored. For more information about categories, see the high-level categories topic in the IBM Knowledge Center.

Option: Risk Posture
Click Enabled to turn on the Risk Posture analytic and display the Risk Posture graph on the User Details page.
Important: You must have 7 days of sense event data available for the analytic to generate a model.
v In the Risk Value of Sense Event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 5.
v Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1-10). This factor is determined by how much the user deviates from their expected behavior, not just by the fact that they deviated.
v In the Confidence Interval to Trigger Anomaly field, enter the percentage for how confident the machine learning algorithm should be before it triggers an anomalous event. The default value is
v In the Data Retention Period field, set the number of days you want to save the model data. The default value is 60. Note: If you want to disable automatic purging of data, set the value to 0 (zero). All of your modeling data is then stored indefinitely.

Option: Activity Distribution (V2.2.0 or later)
Click Enabled to turn on the Activity Distribution analytic and display the Activity Distribution graph on the User Details page. Depending on the data, the model can take a few hours to build.
Important: You must have 7 days of event data available for the analytic to generate a model.
v In the Risk Value of Sense Event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 5.
v Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1-10). This factor is determined by how much the user deviates from their expected behavior, not just by the fact that they deviated.
v In the Confidence Interval to Trigger Anomaly field, enter the percentage for how confident the machine learning algorithm should be before it triggers an anomalous event. The default value is
v In the Data Retention Period field, set the number of days you want to save the model data. The default value is 60. Note: If you want to disable automatic purging of data, set the value to 0 (zero). All of your modeling data is then stored indefinitely.

Option: Peer Group (V2.2.0 or later)
Click Enabled to turn on the Peer Group use case and display the Peer Group graph on the User Details page. Depending on the data, the model can take an hour or more to build.
Important:
v You must install an App Node to enable the analytic. For more information, see com.ibm.qradar.doc/c_adm_appnode_intro.html
v You must have 7 days of event data available for the analytic to generate a model.
v In the Risk Value of Sense Event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 5.
v Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1-10). This factor is determined by how much the user deviates from their expected behavior, not just by the fact that they deviated.
v In the Confidence Interval to Trigger Anomaly field, enter the percentage for how confident the machine learning algorithm should be before it triggers an anomalous event. The default value is
v In the Data Retention Period field, set the number of days you want to save the model data. The default value is 60. Note: If you want to disable automatic purging of data, set the value to 0 (zero). All of your modeling data is then stored indefinitely.

4. Click Save Configuration.

Results
It can take a minimum of one hour for the app to ingest data and build an initial model.

What to do next
Click the User Analytics tab to go to the Dashboard.
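Each analytic above exposes the same three controls: a base risk value per sense event, an optional scaling toggle that multiplies that base by a deviation-dependent factor in the range 1-10, and a confidence interval that the model must reach before it raises an anomaly. The following added example (not IBM's code, and not the ML app's actual algorithm) models those controls so you can see how changing one affects the risk score a sense event would add. The detection statistic used here, a two-sided normal prediction interval around the learned expected value, and the mapping from "how far outside the interval" to the 1-10 scale factor are assumptions chosen for illustration; the guide does not publish the product's internals, and the 95 percent confidence value used as a sample is a constructed setting, not the app's default.

```python
"""Added example (not IBM's code): illustrative model of the per-analytic
ML settings (risk value, scale toggle, confidence interval, retention)."""
import math
from dataclasses import dataclass
from statistics import NormalDist


@dataclass
class AnalyticSettings:
    """Mirrors the fields on the Machine Learning Analytics settings page."""
    enabled: bool = True
    risk_value: float = 5.0        # "Risk value of sense event" (guide default 5)
    scale_risk: bool = False       # toggle: multiply base risk by a 1-10 factor
    confidence_pct: float = 95.0   # "Confidence interval to trigger anomaly" (assumed sample value)
    retention_days: int = 60       # "Data Retention Period" (guide default 60; 0 = keep forever)


def anomaly_threshold(stdev, confidence_pct):
    """Half-width of a two-sided prediction interval at the given confidence.
    ASSUMPTION: a normal model of actual-vs-expected deviation."""
    if stdev <= 0:
        return 0.0
    z = NormalDist().inv_cdf(0.5 + confidence_pct / 200.0)
    return z * stdev


def deviation_factor(actual, expected, threshold):
    """ASSUMED mapping to the guide's 1-10 scale factor: 1 plus the number of
    whole interval half-widths by which the observation overshoots the edge."""
    excess = abs(actual - expected) - threshold
    if excess <= 0:
        return 1
    if threshold <= 0:            # no learned variance at all: any deviation is extreme
        return 10
    return min(10, 1 + math.floor(excess / threshold))


def score_sense_event(settings, actual, expected, stdev):
    """Risk added to the user's score for one observation (0.0 if no anomaly).
    Without scaling the increment is the flat base value, which is the
    'they deviated' behaviour; with scaling it grows with 'how much'."""
    if not settings.enabled:
        return 0.0
    threshold = anomaly_threshold(stdev, settings.confidence_pct)
    if abs(actual - expected) <= threshold:
        return 0.0
    factor = deviation_factor(actual, expected, threshold) if settings.scale_risk else 1
    return settings.risk_value * factor


def should_purge(model_age_days, settings):
    """Data Retention Period semantics: 0 disables automatic purging."""
    return settings.retention_days > 0 and model_age_days > settings.retention_days


if __name__ == "__main__":
    # Constructed sample: learned expectation of 100 events/hour, stdev 10.
    for conf in (90.0, 95.0, 99.0):
        s = AnalyticSettings(confidence_pct=conf)
        print(conf, [score_sense_event(s, a, 100, 10) for a in (110, 120, 130)])
    scaled = AnalyticSettings(scale_risk=True)
    print("scaled", [score_sense_event(scaled, a, 100, 10) for a in (130, 160, 200)])
```

Running the block shows the two trade-offs the settings page asks you to make: raising the confidence interval from 95 to 99 percent suppresses the borderline observation (120 against an expectation of 100), and enabling the scale toggle turns the same base value of 5 into 25 for a user at twice their expected volume while leaving a modest overshoot at the flat 5.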

UBA dashboard with Machine Learning Analytics
The IBM Security QRadar User Behavior Analytics (UBA) app with Machine Learning Analytics includes the Machine Learning Analytics status and additional details for the selected user.

Dashboard
After you enable the Machine Learning Analytics, click the User Analytics tab to open the dashboard. The Status of Machine Learning Models shows you the build progress for each analytic you have enabled.
Note: The progress bar shows the progress only for the initial model. After the first model is complete, the status always shows complete.
Click the ML Settings icon to open the Machine Learning Analytics page and edit the configuration for the Machine Learning Analytics use cases.
Note: If you edit the configuration after it has been saved, a new model is built and the time to wait for the ingestion and modeling is reset.

User details page
You can click a user name from anywhere in the app to see details for the selected user. The following table describes the Machine Learning Analytics graphs available on the User Details page.

Total Activity
Shows the actual and expected (learned) amount of activity of users throughout the day. The actual values are the number of events for that user during the selected time period. The expected values are the number of events predicted for that user during the selected time period. A red circle indicates that an anomaly was detected and a sense event was generated by machine learning.
On the Total Activity graph, you can:
v Click a data node to get a query listing of the events that make up the anomaly.
v Click the Calendar icon to specify a custom date range.

User Activity by Category
Shows actual and expected user activity behavior patterns by high-level category. The actual values are the number of events per high-level category for that user during the selected time period. The expected values are the predicted number of events per high-level category for that user during the selected time period. A red circle indicates that an anomaly was detected and a sense event was generated by machine learning.
On the User Activity by Category graph, you can:
v Click the Calendar icon to specify a time and date.
v Click a category to open the timeline graph for the selected category.
On the timeline graph for the selected category, you can:
v Click a data node to get a query listing of the events that represent that node.
v Click the Calendar icon to specify a custom date range.

Risk Posture
Shows whether a user's risk score deviates from their expected risk score pattern. The actual values are the sum of the sense values for the sense events for that user during the selected time period. The expected values are the predicted sum of the sense values for the sense events for that user during the selected time period. A red circle indicates that an anomaly was detected and a sense event was generated by machine learning.
On the Risk Posture graph, you can:
v Click a node to get a query listing of the events.
v Click the Calendar icon to specify a custom date range.

Activity Distribution (V2.2.0 or later)
Shows dynamic behavior clusters for all users that are monitored by machine learning. The clusters are inferred from the low-level activity categories for all users that are monitored by machine learning. The actual values are the percent match to that cluster. The expected values are the predicted percent match to that cluster. Each color in the graph represents a unique dynamic behavior cluster for all users monitored by machine learning. A color used to denote a particular group is the same for all users. A red vertical line indicates that an anomaly was detected and a sense event was generated by machine learning.
On the Activity Distribution graph, you can:
v Hover over each cluster to view the actual and predicted activity percentiles and the top 3 contributing low-level categories.
v Click the Calendar icon to specify a date range.


More information

IBM Security QRadar SIEM Version Getting Started Guide

IBM Security QRadar SIEM Version Getting Started Guide IBM Security QRadar SIEM Version 7.2.0 Getting Started Guide Note: Before using this information and the product that it supports, read the information in Notices and Trademarks on page 35. Copyright IBM

More information

ForeScout Extended Module for IBM BigFix

ForeScout Extended Module for IBM BigFix Version 1.1 Table of Contents About BigFix Integration... 4 Use Cases... 4 Additional BigFix Documentation... 4 About this Module... 4 About Support for Dual Stack Environments... 5 Concepts, Components,

More information

DEPLOYMENT GUIDE DEPLOYING F5 WITH ORACLE ACCESS MANAGER

DEPLOYMENT GUIDE DEPLOYING F5 WITH ORACLE ACCESS MANAGER DEPLOYMENT GUIDE DEPLOYING F5 WITH ORACLE ACCESS MANAGER Table of Contents Table of Contents Introducing the F5 and Oracle Access Manager configuration Prerequisites and configuration notes... 1 Configuration

More information

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.2

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.2 Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.2 This document supports the version of each product listed and supports all subsequent versions until the document

More information

Firepower Threat Defense Remote Access VPNs

Firepower Threat Defense Remote Access VPNs About, page 1 Firepower Threat Defense Remote Access VPN Features, page 3 Firepower Threat Defense Remote Access VPN Guidelines and Limitations, page 4 Managing, page 6 Editing Firepower Threat Defense

More information

vrealize Infrastructure Navigator Installation and Configuration Guide

vrealize Infrastructure Navigator Installation and Configuration Guide vrealize Infrastructure Navigator Installation and Configuration Guide vrealize Infrastructure Navigator 5.8.5 This document supports the version of each product listed and supports all subsequent versions

More information

Google Sync Integration Guide. VMware Workspace ONE UEM 1902

Google Sync Integration Guide. VMware Workspace ONE UEM 1902 Google Sync Integration Guide VMware Workspace ONE UEM 1902 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

Network Security Platform 8.1

Network Security Platform 8.1 8.1.7.5-8.1.3.43 M-series Release Notes Network Security Platform 8.1 Revision A Contents About this release New features Enhancements Resolved issues Installation instructions Known issues Product documentation

More information

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810 Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN VMware Workspace ONE UEM 1810 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

McAfee Network Security Platform 8.3

McAfee Network Security Platform 8.3 8.3.7.44-8.3.7.14 Manager-Virtual IPS Release Notes McAfee Network Security Platform 8.3 Revision A Contents About this release New features Enhancements Resolved issues Installation instructions Known

More information

Central Administration Console Installation and User's Guide

Central Administration Console Installation and User's Guide IBM Tivoli Storage Manager FastBack for Workstations Version 7.1.1 Central Administration Console Installation and User's Guide SC27-2808-04 IBM Tivoli Storage Manager FastBack for Workstations Version

More information

Platforms Supported. Windows Version Supported. Windows 2008 AIX HPUX. Linux Solaris Windows Server Name

Platforms Supported. Windows Version Supported. Windows 2008 AIX HPUX. Linux Solaris Windows Server Name Name Active Directory Apache Web Platforms Linux Solaris Microsoft 1.x, 2.x Apache APC UPS 1500 APC ASP.NET Bay Stack Hub BEA Tuxedo BEA Sys Big-IP/F5 Load Balancer Biz Talk BlackBerry Borland Enterprise

More information

Forescout. Configuration Guide. Version 2.4

Forescout. Configuration Guide. Version 2.4 Forescout Version 2.4 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Merchandising Server 2.2

Merchandising Server 2.2 Merchandising Server 2.2 2014-12-07 04:31:45 UTC 2014 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Contents Merchandising Server 2.2... 5 About... 6 System Requirements

More information

Tripwire App for QRadar Documentation

Tripwire App for QRadar Documentation Tripwire App for QRadar Documentation Release 1.0.0 Tripwire, Inc. April 21, 2017 CONTENTS 1 Introduction 1 2 Tripwire Enterprise 2 2.1 Features............................................. 2 2.2 Prerequisites..........................................

More information

vshield Administration Guide

vshield Administration Guide vshield Manager 5.1 vshield App 5.1 vshield Edge 5.1 vshield Endpoint 5.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

McAfee Network Security Platform 9.1

McAfee Network Security Platform 9.1 Revision A McAfee Network Security Platform 9.1 (9.1.7.73-9.1.3.11 Manager-M-series, Mxx30-series, and XC Cluster Release Notes) Contents About the release New features Enhancements Resolved Issues Installation

More information

Policy Enforcer. Policy Enforcer Connectors Guide. Modified: Copyright 2018, Juniper Networks, Inc.

Policy Enforcer. Policy Enforcer Connectors Guide. Modified: Copyright 2018, Juniper Networks, Inc. Policy Enforcer Policy Enforcer Connectors Guide Modified: 2018-05-31 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net Juniper Networks, the Juniper

More information

McAfee Network Security Platform

McAfee Network Security Platform Revision B McAfee Network Security Platform (8.1.7.5-8.1.3.43 M-series Release Notes) Contents About this release New features Enhancements Resolved issues Installation instructions Known issues Product

More information

IBM Security QRadar Deployment Intelligence app IBM

IBM Security QRadar Deployment Intelligence app IBM IBM Security QRadar Deployment Intelligence app IBM ii IBM Security QRadar Deployment Intelligence app Contents QRadar Deployment Intelligence app.. 1 Installing the QRadar Deployment Intelligence app.

More information

McAfee Network Security Platform 8.3

McAfee Network Security Platform 8.3 8.3.7.28-8.3.7.6 Manager-Virtual IPS Release Notes McAfee Network Security Platform 8.3 Revision B Contents About this release New features Enhancements Resolved issues Installation instructions Known

More information

Forescout. eyeextend for IBM BigFix. Configuration Guide. Version 1.2

Forescout. eyeextend for IBM BigFix. Configuration Guide. Version 1.2 Forescout Version 1.2 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Upgrading an ObserveIT One-Click Installation

Upgrading an ObserveIT One-Click Installation Upgrading an ObserveIT One-Click Installation This document was written for ObserveIT Enterprise version 7.6.1. This document uses screenshots and procedures written for Windows Server 2012 R2 and SQL

More information

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1 Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1 Setting Up Resources in VMware Identity Manager (On Premises) You can find the most up-to-date

More information

Logging into the Firepower System

Logging into the Firepower System The following topics describe how to log into the Firepower System: Firepower System User Accounts, on page 1 User Interfaces in Firepower Management Center Deployments, on page 3 Logging Into the Firepower

More information

ForeScout CounterACT. Configuration Guide. Version 4.1

ForeScout CounterACT. Configuration Guide. Version 4.1 ForeScout CounterACT Network Module: VPN Concentrator Plugin Version 4.1 Table of Contents About the VPN Concentrator Plugin... 3 What to Do... 3 Requirements... 3 CounterACT Requirements... 3 Supported

More information

Network Configuration Example

Network Configuration Example Network Configuration Example Configuring Authentication and Enforcement Using SRX Series Services Gateways and Aruba ClearPass Policy Manager Modified: 2016-08-01 Juniper Networks, Inc. 1133 Innovation

More information

IBM Tivoli Application Dependency Discovery Manager Version Sensors and supported target systems

IBM Tivoli Application Dependency Discovery Manager Version Sensors and supported target systems IBM Tivoli Application Dependency Discovery Manager Version 7.2.1 Sensors and supported target systems IBM Tivoli Application Dependency Discovery Manager Version 7.2.1 Sensors and supported target systems

More information

Performing an ObserveIT Upgrade Using the Interactive Installer

Performing an ObserveIT Upgrade Using the Interactive Installer Performing an ObserveIT Upgrade Using the Interactive Installer ABOUT THIS DOCUMENT This document contains detailed procedures and instructions on how to upgrade ObserveIT by using the interactive "One

More information

IBM Security QRadar. WinCollect User Guide V7.2.7 IBM

IBM Security QRadar. WinCollect User Guide V7.2.7 IBM IBM Security QRadar WinCollect User Guide V7.2.7 IBM Note Before using this information and the product that it supports, read the information in Notices on page 67. Product information Copyright IBM Corporation

More information

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager VMware Identity Manager Cloud Deployment DEC 2017 VMware AirWatch 9.2 VMware Identity Manager You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager VMware Identity Manager Cloud Deployment Modified on 01 OCT 2017 VMware Identity Manager You can find the most up-to-date technical documentation on the VMware Web site at: https://docs.vmware.com/ The

More information

IBM QRadar Network Insights Version User Guide IBM

IBM QRadar Network Insights Version User Guide IBM IBM QRadar Network Insights Version 7.3.1 User Guide IBM Note Before you use this information and the product that it supports, read the information in Notices on page 15. Product information This document

More information

VMware Horizon JMP Server Installation and Setup Guide. Modified on 19 JUN 2018 VMware Horizon 7 7.5

VMware Horizon JMP Server Installation and Setup Guide. Modified on 19 JUN 2018 VMware Horizon 7 7.5 VMware Horizon JMP Server Installation and Setup Guide Modified on 19 JUN 2018 VMware Horizon 7 7.5 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8 Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.8 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

Unified CCX Administration Web Interface

Unified CCX Administration Web Interface The Unified CCX provides a multimedia (voice, data, and web) IP-enabled customer-care application environment, using VoIP technology that allows your Cisco Unified Communications network to share resources

More information

Installing and Configuring vcenter Support Assistant

Installing and Configuring vcenter Support Assistant Installing and Configuring vcenter Support Assistant vcenter Support Assistant 6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Secure ACS for Windows v3.2 With EAP TLS Machine Authentication

Secure ACS for Windows v3.2 With EAP TLS Machine Authentication Secure ACS for Windows v3.2 With EAP TLS Machine Authentication Document ID: 43722 Contents Introduction Prerequisites Requirements Components Used Background Theory Conventions Network Diagram Configuring

More information

VST Hospital Administrator Guide. Version 2.0.4

VST Hospital Administrator Guide. Version 2.0.4 VST Hospital Administrator Guide Version 2.0.4 Notice Copyright 2002- Vocera Communications, Inc. All rights reserved. Vocera is a registered trademark of Vocera Communications, Inc. This software is licensed,

More information

Forescout. eyeextend for IBM MaaS360. Configuration Guide. Version 1.9

Forescout. eyeextend for IBM MaaS360. Configuration Guide. Version 1.9 Forescout Version 1.9 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Using ANM With Virtual Data Centers

Using ANM With Virtual Data Centers APPENDIXB Date: 3/8/10 This appendix describes how to integrate ANM with VMware vcenter Server, which is a third-party product for creating and managing virtual data centers. Using VMware vsphere Client,

More information

McAfee Network Security Platform 8.1

McAfee Network Security Platform 8.1 Revision C McAfee Network Security Platform 8.1 (8.1.7.91-8.1.3.124 Manager-M-series Release Notes) Contents About this release New features Enhancements Resolved issues Installation instructions Known

More information

IBM emessage Version 9 Release 1 February 13, User's Guide

IBM emessage Version 9 Release 1 February 13, User's Guide IBM emessage Version 9 Release 1 February 13, 2015 User's Guide Note Before using this information and the product it supports, read the information in Notices on page 471. This edition applies to version

More information

Integrate Sophos Enterprise Console. EventTracker v8.x and above

Integrate Sophos Enterprise Console. EventTracker v8.x and above Integrate Sophos Enterprise Console EventTracker v8.x and above Publication Date: September 22, 2017 Abstract This guide provides instructions to configure Sophos Enterprise Console to send the events

More information

AccessEnforcer Version 4.0 Features List

AccessEnforcer Version 4.0 Features List AccessEnforcer Version 4.0 Features List AccessEnforcer UTM Firewall is the simple way to secure and manage your small business network. You can choose from six hardware models, each designed to protect

More information

ForeScout CounterACT. (AWS) Plugin. Configuration Guide. Version 1.3

ForeScout CounterACT. (AWS) Plugin. Configuration Guide. Version 1.3 ForeScout CounterACT Hybrid Cloud Module: Amazon Web Services (AWS) Plugin Version 1.3 Table of Contents Amazon Web Services Plugin Overview... 4 Use Cases... 5 Providing Consolidated Visibility... 5 Dynamic

More information

Administering vrealize Log Insight. 05-SEP-2017 vrealize Log Insight 4.3

Administering vrealize Log Insight. 05-SEP-2017 vrealize Log Insight 4.3 Administering vrealize Log Insight 05-SEP-2017 4.3 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

Comodo Dome Shield - Admin Guide

Comodo Dome Shield - Admin Guide rat Comodo Dome Shield Software Version 1.12 Administrator Guide Guide Version 1.12.111717 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction to Comodo Dome

More information

Fundamentals of Network Security v1.1 Scope and Sequence

Fundamentals of Network Security v1.1 Scope and Sequence Fundamentals of Network Security v1.1 Scope and Sequence Last Updated: September 9, 2003 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 5.6 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

Release Notes: J-Web Application Package Release 15.1A4 for Juniper Networks EX Series Ethernet Switches

Release Notes: J-Web Application Package Release 15.1A4 for Juniper Networks EX Series Ethernet Switches Release Notes: J-Web Application Package Release 15.1A4 for Juniper Networks EX Series Ethernet Switches Release 15.1A4 July 2018 Revision 1 Contents Release Notes: J-Web Application Package Release 15.1A4

More information

IBM Proventia Management SiteProtector Installation Guide

IBM Proventia Management SiteProtector Installation Guide IBM Internet Security Systems IBM Proventia Management SiteProtector Installation Guide Version2.0,ServicePack8.1 Note Before using this information and the product it supports, read the information in

More information

Migrating vrealize Automation 6.2 to 7.2

Migrating vrealize Automation 6.2 to 7.2 Migrating vrealize Automation 6.2 to 7.2 vrealize Automation 7.2 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

Integrating Microsoft Forefront Threat Management Gateway (TMG)

Integrating Microsoft Forefront Threat Management Gateway (TMG) Integrating Microsoft Forefront Threat Management Gateway (TMG) EventTracker v7.x Publication Date: Sep 16, 2014 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract This

More information

Administering vrealize Log Insight. 12-OCT-2017 vrealize Log Insight 4.5

Administering vrealize Log Insight. 12-OCT-2017 vrealize Log Insight 4.5 Administering vrealize Log Insight 12-OCT-2017 4.5 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7 Level 1.1 Utilize an Active Discovery Tool 1.2 Use a Passive Asset Discovery Tool 1.3 Use DHCP Logging to Update Asset Inventory 1.4 Maintain Detailed Asset Inventory 1.5 Maintain Asset Inventory Information

More information

BeyondTrust Privileged Identity Supported Platforms and Systems

BeyondTrust Privileged Identity Supported Platforms and Systems BeyondTrust Privileged Identity Supported Platforms and Systems Supported Host Platforms Management Console and Zone Processors Supported Host Platforms Windows Server 2016 Windows Server 2012 R2 Windows

More information