IBM QRadar User Behavior Analytics (UBA) app Version 2 Release 5. User Guide IBM



Note: Before you use this information and the product that it supports, read the information in Notices on page 111.

Product information: This document applies to IBM Security QRadar Security Intelligence Platform V7.2.8 and subsequent releases unless superseded by an updated version of this document.

Copyright IBM Corporation 2016, US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

1 User Behavior Analytics app
    What's new in the User Behavior Analytics app
    Known issues
    Process overview
    Video demonstrations and tutorials
    UBA dashboard and user details
    Prerequisites for installing the User Behavior Analytics app
    Supported browsers for the UBA app
    Log source types relevant to the UBA app
2 Installing and uninstalling
    Installing the User Behavior Analytics app
    Uninstalling the UBA app
3 Upgrading
    Upgrading the User Behavior Analytics app
4 Configuring
    Configuring the User Behavior Analytics app
    Creating authorized service tokens
    Configuring the Reference Data Import LDAP app
    Configuring UBA settings
Administering
    Managing permissions for the QRadar UBA app
    Viewing the whitelist for trusted users
    Managing network monitoring tools
    Managing restricted programs
    Adding log sources to the trusted log source group
Tuning
    Enabling indexes to improve performance
    Integrating new or existing QRadar content with the UBA app
Reference
    Use cases for the UBA app
        UBA : Abnormal data volume to external domain (ADE rule)
        UBA : Abnormal data volume to external domain Found
        UBA : Abnormal Outbound Attempts (ADE rule)
        UBA : Abnormal Outbound Attempts Found
        UBA : Abnormal visits to Risky Resources (ADE rule)
        UBA : Abnormal visits to Risky Resources Found
        UBA : Account, Group or Privileges Added or Modified
        UBA : Critical Systems Users Seen Update
        UBA : Detect Persistent SSH session
        UBA : Dormant Account Found (privileged)
        UBA : Dormant Account Used
        UBA : D/DoS Attack Detected
        UBA : Executive Only Asset Accessed by Non-Executive User
        UBA : First Privilege Escalation
        UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage
        UBA : New Account Use Detected
        UBA : Orphaned or Revoked or Suspended Account Used
        UBA : Pass the Hash
        UBA : Possible TGT Forgery
        UBA : Unix/Linux System Accessed With Service or Machine Account
        UBA : User Access to Internal Server From Jump Server
        UBA : User Geography, Access from Unusual Locations
        UBA : User Geography Change
        UBA : User Installing Suspicious Application
        UBA : User Running New Process
        UBA : User Has Gone Dormant (no activity anomaly rule)
        UBA : User Time, Access at Unusual Times
        UBA : Windows access with Service or Machine Account
        UBA : QNI - Access to Improperly Secured Service - Certificate Expired
        UBA : QNI - Access to Improperly Secured Service - Certificate Invalid
        UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length
        UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate
        UBA : QNI - Observed File Hash Associated with Malware Threat
        UBA : QNI - Observed File Hash Seen Across Multiple Hosts
        UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Recipient
        UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers
        UBA : Recent User Activity Update (privileged)
        UBA : Repeat Unauthorized Access
        UBA : Restricted Program Usage
        UBA : Risky URL Filter Category - Gambling
        UBA : Risky URL Filter Category - Malicious Outbound Data or Botnets
        UBA : Risky URL Filter Category - Malicious Sources or Malnets
        UBA : Risky URL Filter Category - Mixed Content/Potentially Adult
        UBA : Risky URL Filter Category - Phishing
        UBA : Risky URL Filter Category - Pornography
        UBA : Risky URL Filter Category - Potentially Unwanted Software
        UBA : Risky URL Filter Category - Scam/Questionable/Illegal
        UBA : Risky URL Filter Category - Suspicious
        UBA : Risky URL Filter Category - Web Ads/Analytics
        UBA : Subject_CN and Username Mapping
        UBA : Subject_CN and Username Map Update
        UBA : Suspicious Privileged Activity (First Observed Privilege Use)
        UBA : Suspicious Privileged Activity (Rarely Used Privilege)
        UBA : Unauthorized Access
        UBA : User Access - Failed Access to Critical Assets
        UBA : User Access - First Access to Critical Assets
        UBA : User Access Login Anomaly
        UBA : User Accessing Account from Anonymous Source
        UBA : User Accessing Risky Resources
        UBA : User Account Change
        UBA : User Anomalous Geography
        UBA : User Attempt to Use a Suspended Account
        UBA : User Behavior, Session Anomaly by Destination (ADE rule)
        UBA : User Behavior, Session Anomaly by Destination Found
        UBA : User Event Frequency Anomaly - Categories Found
        UBA : User Event Frequency Anomaly Categories (ADE rule)
        UBA : User Geography Change
        UBA : User Geography, Access from Unusual Locations
        UBA : User Time, Access at Unusual Times
        UBA : User Volume of Activity Anomaly - Traffic (ADE rule)
        UBA : User Volume of Activity Anomaly - Traffic Found
        UBA : Username to User Accounts, Privileged, Observed
        UBA : Username to User Accounts, Successful, Dormant
        UBA : Username to User Accounts, Successful, Observed
        UBA : Username to User Accounts, Successful, Recent
        UBA : Username to User Accounts, Successful, Recent Update
        UBA : VPN Access By Service or Machine Account
        UBA : VPN Certificate Sharing
        X-Force Risky IP, Anonymization
        X-Force Risky IP, Botnet
        X-Force Risky IP, Dynamic
        X-Force Risky IP, Malware
        X-Force Risky IP, Spam
        X-Force Risky URL
8 Reference Data Import - LDAP app
    Supported browsers for the LDAP app
    Creating an authorized service token
    Adding a private root certificate authority
    Adding an LDAP configuration
    Adding LDAP attribute mappings
    Adding a reference data configuration
    Configuring polling
    Checking that data is added to the reference data collection
    Creating a rule that responds to LDAP data updates
9 Machine Learning Analytics app
    Known issues for Machine Learning Analytics
    Prerequisites for installing the Machine Learning Analytics app
    Installing the Machine Learning Analytics app
    Upgrading the Machine Learning Analytics app
    Configuring Machine Learning Analytics settings
    UBA dashboard with Machine Learning Analytics
    Uninstalling the Machine Learning Analytics app
Troubleshooting and support
    Help and support page for UBA
    Service requests
    Machine Learning app status shows warning on dashboard
    Machine Learning app status shows no progress for data ingestion
    ML app status is in an error state
    Extracting UBA and Machine Learning logs
Notices
    Trademarks
    Terms and conditions for product documentation
    IBM Online Privacy Statement

Copyright IBM Corp. 2016, 2018


1 User Behavior Analytics app

By using your organization's Microsoft Active Directory or the included Reference Data Import LDAP app, the IBM Security QRadar User Behavior Analytics (UBA) app helps you to quickly determine the risk profiles of users inside your network and to take action when the app alerts you to threatening behavior.

The IBM Security QRadar User Behavior Analytics (UBA) app provides an efficient means for detecting anomalous or malicious behaviors that occur on your network. The QRadar UBA app provides a lens into user behavior deviation to detect and prioritize risky user activities and quickly show who is doing what on your networks. The QRadar UBA app comes with ready-to-go anomaly detection, behavioral rules and analytics, and leverages the curated log and activity data already in QRadar, thereby speeding time to insights. By streamlining monitoring, detection and investigation, the QRadar UBA app helps security analysts become more productive and manage insider threats more efficiently.

For information about using the Reference Data Import LDAP app, see Chapter 8, Reference Data Import - LDAP app, on page 81. For information about using the Machine Learning Analytics app, see Chapter 9, Machine Learning Analytics app, on page 91.

Attention: You must install IBM Security QRadar V7.2.8 or later before you install the QRadar UBA app.

Related concepts:
- Use cases for the UBA app on page 29: The IBM Security QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral
- Configuring the User Behavior Analytics app on page 13: Before you can use the IBM Security QRadar User Behavior Analytics (UBA) app, you must configure additional settings.
- Chapter 8, Reference Data Import - LDAP app, on page 81: Use the Reference Data Import - LDAP app to gather contextual identity information from multiple LDAP sources into your QRadar Console.
- Chapter 9, Machine Learning Analytics app, on page 91: The Machine Learning Analytics (ML) app extends the capabilities of your QRadar system and the QRadar User Behavior Analytics (UBA) app by adding use cases for machine learning analytics. With the Machine Learning Analytics use cases, you can gain additional insight into user behavior with predictive modeling. The ML app helps your system to learn the expected behavior of the users in your network.

Related tasks:
- Installing the User Behavior Analytics app on page 9: Use the IBM Security QRadar Extension Management tool to upload and install your app archive directly to your QRadar Console.
- Upgrading the User Behavior Analytics app on page 11: Use the IBM Security QRadar Extension Management tool to upgrade your app.

What's new in the User Behavior Analytics app

Learn about the new features in each User Behavior Analytics (UBA) app release.

What's new in V2.5.0

Attention: If you are upgrading to V2.5.0, you must complete the instructions in the following technote:

V2.5.0 of the User Behavior Analytics app includes the following improvements:
- Added the ability to quickly investigate a user's risky behavior with the inline contextual event viewer. For more information, see UBA dashboard and user details on page 5.
- Added a help and support page that provides links to documentation, tutorials, and support information and also provides administrative functions. For more information, see Help and support page for UBA on page 105.
- Increased the accuracy and scalability for Machine Learning and improved the messaging on the Status of Machine Learning Models section of the dashboard. For more information, see UBA dashboard with Machine Learning Analytics on page 97.
- Added use case: UBA : User Running New Process. For more information, see UBA : User Running New Process on page 46.
- Added use case: UBA : User Installing Suspicious Application. For more information, see UBA : User Installing Suspicious Application on page 45.
- Added use case: UBA : Unix/Linux System Accessed With Service or Machine Account. For more information, see UBA : Unix/Linux System Accessed With Service or Machine Account on page 41.
- Added use case: UBA : User Access to Internal Server From Jump Server. For more information, see UBA : User Access to Internal Server From Jump Server on page 42.
- Added use case: UBA : Executive Only Asset Accessed by Non-Executive User. For more information, see UBA : Executive Only Asset Accessed by Non-Executive User on page 36.

What's new in V2.4.0

Attention: If you are upgrading to V2.4.0, you must complete the instructions in the following technote:

V2.4.0 of the User Behavior Analytics app includes the following improvements:
- Display LDAP retrieval status in the LDAP app.
- Import up to 400,000 users by the LDAP app. Before you change the configuration, see Known issues.
- Streamlined and simplified integration and mapping of LDAP/AD data.
- Ability to map an unlimited number of aliases to a primary user ID.
- Added memory configuration settings in Machine Learning Settings to support more users when you run Machine Learning on an App Node.
- Added feedback survey.
- Added use case UBA : Windows access with Service or Machine Account. For more information, see UBA : Windows access with Service or Machine Account on page 49.
- Added use case UBA : D/DoS Attack Detected. For more information, see UBA : D/DoS Attack Detected on page 35.
- Added use case UBA : Detect Persistent SSH session. For more information, see UBA : Detect Persistent SSH session on page 33.
- Added use case UBA : Abnormal data volume to external domain. For more information, see UBA : Abnormal data volume to external domain (ADE rule) on page 29.
- Added use case UBA : Abnormal Outbound Attempts. For more information, see UBA : Abnormal Outbound Attempts (ADE rule) on page 30.

Known issues

The User Behavior Analytics app V2.5.0 has required information for upgrading and known issues.

Attention: If you are upgrading to V2.5.0 on a QRadar V7.2.8 console, you must complete the instructions in the following technote:

Known issues for V2.5.0

The User Behavior Analytics app has the following known issues:
- On the UBA Settings page, the loading of the reference table settings can fail with the error message "Can not load reference table data" because it is taking too long to retrieve the reference table data.
- When viewing a user profile page, the Add to Whitelist button might fail to display. If this occurs, you can refresh the page to resolve the issue.
- Importing more than 100,000 users into LDAP for UBA can severely affect your QRadar system and your UBA app installation. The issue is caused by a known issue in APAR IV. Importing more than 200,000 users is not recommended unless you use QRadar or later on a 128 GB console.
- In rare instances on QRadar V7.2.8 and V7.3.0, you might encounter an issue with a newly created SEC token where the SEC token appears to work and then later becomes invalid. To fix this issue, complete one of the following actions:
    - Restart the Apache Tomcat service from a command line on your QRadar Console.
    - Deploy any action from the Admin tab in QRadar.
- English strings or corrupted text is displayed in some parts of the user interface when using QRadar V7.2.8 in some locales.

Process overview

The User Behavior Analytics app works with your QRadar system to collect data about the users inside your network.

How UBA works

1. Log sources send data to QRadar.
2. UBA-specific rules look for certain events (depending on which UBA rules are enabled) and trigger a new sense event that is read by the UBA app.
3. The UBA rules require the events to have a username and to pass other tests (review the rules to see what they are looking for).
4. UBA pulls the sensevalue and username from the sense event and then increases that user's risk score by the sensevalue amount.
5. When a user's risk score exceeds the threshold that you set in the UBA Settings page, UBA sends an event that triggers the "UBA : Create Offense" rule, and an offense is created for that user.

How sensevalues are used to create user risk scores

Each rule and analytic has a value assigned to it that indicates the severity of the issue found. Each time a user's actions cause a rule to trigger, the user gets this value added to the score. The more often the user "violates" a rule, the higher the score will be.

Rules and sense events

Rules, when triggered, generate sense events that are used to determine the user's risk score. You can update existing rules in QRadar to produce sense events. For more information, see Integrating new or existing QRadar content with the UBA app on page 27.

Machine Learning Analytics and sense events

You can install the Machine Learning Analytics app and enable machine learning analytics to identify anomalous user behavior. The analytics, when triggered, generate sense events that also raise a user's risk score.

Video demonstrations and tutorials

Learn more about the IBM Security QRadar User Behavior Analytics (UBA) app, the Reference Data Import - LDAP app, and the Machine Learning Analytics (ML) app.

IBM Security Learning Academy: Enroll in the User Behavior Analytics (UBA) courses on the IBM Security Learning Academy website. Tip: You must have an IBM ID account to enroll and watch the videos.

Video tutorials on YouTube:
- Demonstration of the User Behavior Analytics app with Machine Learning V2.0.0:
- Demonstration for configuring the Reference Data Import - LDAP app: watch?v=er-wyxs6wfk.
- General overview of the User Behavior Analytics app:

UBA dashboard and user details

The IBM Security QRadar User Behavior Analytics (UBA) app shows you the overall risk data for users in your network.

Dashboard

After you install the UBA app, click the User Analytics tab to open the Dashboard. In the Search for User field, you can search for users by name or by user ID. As you enter a name, the app shows you the top five results. The Dashboard is automatically refreshed every minute and shows you the following risk data:
- Users with highest risk score: Overall accumulation of all risky behaviors by users.
- Users with recent risk activity: Users that are currently engaging in risky behavior.
- Watchlist: Custom list of users to monitor. Tip: To add a user to the watchlist, click the Watchlist icon.
- System Score: Overall accumulated risk score for all users at a specified point in time. Click the Calendar icon to specify a date range of longer than one day. The maximum duration that you can select is 30 days, any time during the last year.
- Risk Category Breakdown: High-level risk categories over the last hour. Click the graph to see subcategories and then click again to see a display of events.
- Recent Offenses: Most recent sense offenses by user.
- Status of Machine Learning Models (shown if the Machine Learning app is installed): Status of the Machine Learning Analytics use cases. For more information, see UBA dashboard with Machine Learning Analytics on page 97.

Note: If you installed the Machine Learning app, the Status of Machine Learning Models widget appears.

User details page

You can click a user name from anywhere in the app to see details for the selected user. Starting with V2.5.0, you can learn more about the user's activities with the event viewer pane. The event viewer pane shows information about a selected activity or point in time. Clicking an event in the event viewer pane reveals more details such as syslog events and payload information. The event viewer pane is available for all donut and line graphs and activities in the Risky Activity Timeline on the User details page.

Tip: You can right-click a user name to dynamically calculate the risk score.

The User Details page includes the following actions and dashboard views:
- Add to Whitelist: You can add the selected user to the whitelist so that the user does not generate risk scores and offenses. To remove the selected user from the whitelist, click Whitelisted. To review the complete list of users who were added to the whitelist, see Viewing the whitelist for trusted users on page 21.
- Add to Watchlist: You can add the selected user to the watchlist. To remove the selected user from the watchlist, click Watchlisted.
- Add Custom Alert: You can set a custom alert that displays by the user name. Click Add Custom Alert, enter an alert message, and then click Set. To remove the custom alert for the selected user, click Remove Custom Alert.
- Risk Score: The risk score graph shows the risk trends for the selected user during the selected date range. Click the Calendar icon to specify a date range.
- Risky Activity Timeline: You can click Group by Activity or Group by Hour to see a list of the user's activities and then filter and search by any column in the timeline. In V2.5.0 and later, you can click any activity in the timeline to open the event viewer pane that lists supporting log events that are associated with the user's activity. Click an event to view more details such as syslog events and payload information.
- Risk Category Breakdown: Shows the risk categories of the selected user during the last hour.
- Add Notes: Click the Add icon to add notes for the selected user. Tip: To save the note indefinitely, mark the note as important by clicking the Flag icon. If you do not mark the note as important, it is automatically removed at the end of the retention period that you set in Application Settings.
- Total Activity (shown if the Machine Learning app is installed and the analytic is enabled): Shows the actual and expected (learned) amount of activity of users throughout the day.
- User Activity by Category (shown if the Machine Learning app is installed and the analytic is enabled): Shows actual and expected user activity behavior patterns by high-level category.
- Risk Posture (shown if the Machine Learning app is installed and the analytic is enabled): Shows if a user's risk score deviates from their expected risk score pattern.
- Activity Distribution (shown if the Machine Learning app is installed and the analytic is enabled in V2.2.0 or later): Shows dynamic behavior clusters for all users that are monitored by machine learning.

- Peer Group (shown if the Machine Learning app is installed and the analytic is enabled in V2.2.0 or later): Shows how much the user deviated from the inferred peer group they were expected to be in.

To return to the main Dashboard, click Dashboard.

Related concepts:
- UBA dashboard with Machine Learning Analytics on page 97: The IBM Security QRadar User Behavior Analytics (UBA) app with Machine Learning Analytics includes the Machine Learning Analytics status and additional details for the selected user.

Related tasks:
- Viewing the whitelist for trusted users on page 21: You can view the list of trusted users that are whitelisted in the reference set management list.
- Adding log sources to the trusted log source group on page 22: If you do not want the UBA app to monitor and report certain log sources, you can add them to the UBA : Trusted Log Source Group. Adding log sources to the group stops the UBA app from monitoring them.

Prerequisites for installing the User Behavior Analytics app

Before you install the IBM Security QRadar User Behavior Analytics (UBA) app, ensure that you meet the requirements.
- Verify that you have IBM Security QRadar V7.2.8 or later installed. For the best experience, upgrade your QRadar system to the following versions:
    - QRadar Patch 11 ( ) or later
    - QRadar Patch 7 ( ) or later
    - QRadar
- Add the IBM Sense DSM for the User Behavior Analytics (UBA) app.

Installing the IBM Sense DSM manually

The IBM Security QRadar User Behavior Analytics (UBA) app uses the IBM Sense DSM to add user risk scores and offenses into QRadar. You can install the DSM through auto-updates, or you can upload it to QRadar and install it manually.

Note: If your system is disconnected from the internet, you might need to install the DSM RPM manually.

Restriction: Uninstalling a Device Support Module (DSM) is not supported in QRadar.

1. Download the DSM RPM file from the IBM support website:
    - For QRadar V7.2.8: DSM-IBMSense noarch.rpm
    - For QRadar V7.3.0 and later: DSM-IBMSense noarch.rpm
2. Copy the RPM file to your QRadar Console.
3. Use SSH to log in to the QRadar host as the root user.
4. Go to the directory that includes the downloaded file.
5. Type the following command: rpm -Uvh <rpm_filename>
6. From the Admin settings, click Deploy Changes.
7. From the Admin settings, select Advanced > Restart Web Services.

Supported browsers for the UBA app

For the features in IBM Security QRadar products to work properly, you must use a supported web browser. The following table lists the supported versions of web browsers.

Web browser        Supported versions
Mozilla Firefox    45.2 Extended Support Release
Google Chrome      Latest

Note: To maximize your experience with UBA, you should do one of the following:
- Disable the pop-up blocker for your browser
- Configure your browser to allow exceptions for pop-ups coming from the QRadar Console IP address

Log source types relevant to the UBA app

The User Behavior Analytics (UBA) app and the ML app can accept and analyze events from certain log sources. In general, the UBA app and the ML app require log sources that supply a username. For UBA, if there is no username, enable the "Search assets for username, when username is not available for event or flow data" check box in UBA Settings so that UBA can attempt to look up the user from the asset table. If no user can be determined, UBA does not process the event. For more details about specific use cases and the corresponding log source types, see Use cases for the UBA app on page 29.

Related tasks:
- Configuring UBA settings on page 17: To view information in the IBM Security QRadar User Behavior Analytics (UBA) app, you must configure UBA application settings.
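The scoring flow from "How UBA works" (sense event, sensevalue added to the user's score, offense above the threshold) together with the username fallback and the whitelist and trusted-log-source exclusions described above, as an added Python simulation. This is not code from the UBA app; the sensevalues, asset table, whitelist, log source names and events are constructed, and the rule that a user gets one offense while the score stays above the threshold is an assumption.

```python
# Added example: stand-alone simulation of the UBA risk-scoring flow.
# Not UBA app code; all sample data below is constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SenseEvent:
    """A sense event as a UBA rule would raise it: the rule's use case name,
    the sensevalue to add, and the username (which may be missing)."""
    usecase: str
    sensevalue: int
    username: Optional[str] = None
    source_ip: Optional[str] = None    # used only for the asset-table fallback
    log_source: str = "unspecified"


@dataclass
class UbaSettings:
    """The two UBA Settings the simulation needs."""
    risk_threshold: int = 100            # an offense is created above this score
    search_assets_for_username: bool = False


@dataclass
class RiskScorer:
    settings: UbaSettings
    asset_table: Dict[str, str]          # source IP -> username (constructed)
    trusted_users: Set[str]              # the UBA whitelist
    trusted_log_sources: Set[str]        # members of "UBA : Trusted Log Source Group"
    scores: Dict[str, int] = field(default_factory=dict)
    offenses: List[str] = field(default_factory=list)
    dropped: List[SenseEvent] = field(default_factory=list)

    def resolve_username(self, ev: SenseEvent) -> Optional[str]:
        """Step 3: rules require a username. If it is missing and the asset
        search is enabled, map the source IP through the asset table;
        otherwise the event cannot be attributed to a user."""
        if ev.username:
            return ev.username
        if self.settings.search_assets_for_username and ev.source_ip:
            return self.asset_table.get(ev.source_ip)
        return None

    def process(self, ev: SenseEvent) -> Optional[int]:
        """Steps 4 and 5: add the sensevalue to the user's score and create an
        offense once the score exceeds the threshold. Returns the user's score
        after the event, or None if the event was not processed."""
        if ev.log_source in self.trusted_log_sources:
            self.dropped.append(ev)          # trusted log sources are not monitored
            return None
        user = self.resolve_username(ev)
        if user is None:
            self.dropped.append(ev)          # no user could be determined
            return None
        if user in self.trusted_users:
            return self.scores.get(user, 0)  # whitelisted: no score, no offense
        new_score = self.scores.get(user, 0) + ev.sensevalue
        self.scores[user] = new_score
        # Assumption: one offense per user while the score stays above the
        # threshold, rather than a new offense for every further event.
        if new_score > self.settings.risk_threshold and user not in self.offenses:
            self.offenses.append(user)
        return new_score


# Constructed sample events. The use case names are UBA rules from this guide;
# the sensevalues are illustrative, not the values the shipped rules carry.
SAMPLE_EVENTS = [
    SenseEvent("UBA : Dormant Account Used", 30, username="jdoe"),
    SenseEvent("UBA : First Privilege Escalation", 50, username="jdoe"),
    SenseEvent("UBA : Pass the Hash", 40, username="jdoe"),
    SenseEvent("UBA : User Running New Process", 25, source_ip="10.0.0.7"),
    SenseEvent("UBA : User Running New Process", 25, source_ip="10.0.0.99"),
    SenseEvent("UBA : Dormant Account Used", 30, username="svc_backup"),
    SenseEvent("UBA : Unauthorized Access", 60, username="asmith",
               log_source="scanner-01"),
]


def run_simulation(search_assets: bool = True) -> RiskScorer:
    """Run the constructed events through a scorer with a constructed
    asset table, whitelist and trusted log source group."""
    scorer = RiskScorer(
        settings=UbaSettings(risk_threshold=100,
                             search_assets_for_username=search_assets),
        asset_table={"10.0.0.7": "mlee"},     # 10.0.0.99 has no asset entry
        trusted_users={"svc_backup"},
        trusted_log_sources={"scanner-01"},
    )
    for ev in SAMPLE_EVENTS:
        scorer.process(ev)
    return scorer


if __name__ == "__main__":
    result = run_simulation()
    for user, score in sorted(result.scores.items()):
        flag = " -> offense" if user in result.offenses else ""
        print(f"{user}: {score}{flag}")
    print(f"{len(result.dropped)} event(s) not attributed to a user")
```

Running it with search_assets=False shows the effect of leaving the asset search disabled: the event from 10.0.0.7 is dropped instead of being scored against mlee.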

2 Installing and uninstalling

Installing the User Behavior Analytics app

Use the IBM Security QRadar Extension Management tool to upload and install your app archive directly to your QRadar Console.

Before you begin

Complete the Prerequisites for installing the User Behavior Analytics app on page 7.

About this task

Note: The installation of apps does not void your IBM warranty for QRadar.

Attention: After the app is installed, you must:
- Enable indexes.
- Deploy the full configuration.
- Clear your browser cache and refresh the browser window.
- Set up permissions for users that require access to view the User Analytics tab. The following permissions must be assigned to each user role that requires access to the app: User Analytics, Offenses, Log Activity.

After you download your app from the IBM Security App Exchange, use the IBM Security QRadar Extension Management tool to install it on your QRadar Console.

Procedure

1. Open the Admin settings:
    - In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
    - In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the admin tab.
2. Click Extension Management.
3. In the Extension Management window, click Add and select the UBA app archive that you want to upload to the console.
4. Select the Install immediately check box. Important: You might have to wait several minutes before your app becomes active.
5. From the Admin settings, click Index Management and then enable the following indexes:
    - High Level Category
    - Low Level Category
    - Username
    - sensevalue
    - usecaseuuid
6. From the Admin settings, click Advanced > Deploy Full Configuration.

Note: The following content packages are installed after the UBA installation completes and UBA is configured.
- User Behavior Analytics QRadar Network Insights Support Content
- User Behavior Analytics Anomaly Detection Engine Content

What to do next
- When the installation is complete, clear your browser cache and refresh the browser window before you use the app.
- Manage permissions for UBA app user roles.

Related tasks:
- Enabling indexes to improve performance on page 25: To improve the performance of your IBM Security QRadar User Behavior Analytics (UBA) app, enable indexes in IBM Security QRadar.
- Managing permissions for the QRadar UBA app on page 21: Administrators use the User Role Management feature in IBM Security QRadar to configure and manage user accounts. As an administrator, you must enable the User Analytics, Offenses, and Log Activity permissions for each user role that is permitted to use the QRadar UBA app.

Uninstalling the UBA app

Use the IBM Security QRadar Extension Management tool to uninstall your application from your QRadar Console.

Before you begin

If you have the Machine Learning Analytics (ML) app installed, you must uninstall the ML app from the Machine Learning Settings page before uninstalling the UBA app from the Extension Management window. If you do not remove the ML app before you uninstall UBA, you must remove it from the interactive API documentation interface.

Procedure

1. Open the Admin settings:
    - In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
    - In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the admin tab.
2. Click Extension Management.
3. On the INSTALLED tab of the Extension Management window, select your app and click Uninstall. When you uninstall an app, it is removed from the system. If you want to reinstall it, you must add it again.

3 Upgrading

Upgrading the User Behavior Analytics app

Use the IBM Security QRadar Extension Management tool to upgrade your app.

Before you begin

For the best experience, upgrade your QRadar system to the following versions:
- QRadar Patch 11 ( ) or later
- QRadar Patch 7 ( ) or later
- QRadar

About this task

Attention:
- If you are upgrading to V2.5.0 on a V7.2.8 console, you must complete the instructions in the following technote:
- If you are upgrading to V2.5.0 on a QRadar V7.3.0 or later console, complete the following procedure.

Important: After you have upgraded, you must complete the following steps:
- Deploy the full configuration.
- Clear your browser cache and refresh the browser window.

Procedure

1. Open the Admin settings:
    - In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
    - In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the admin tab.
2. Click Extension Management.
3. In the Extension Management window, click Add and select the UBA app archive that you want to upload to the console.
4. At the prompt, select Overwrite. All of your existing UBA app data remains intact. Important: You might have to wait several minutes before your app becomes active.
5. On the Admin tab, click Advanced > Deploy Full Configuration.

What to do next

When the upgrade is complete, clear your browser cache and refresh the browser window before you use the app.


19 4 Configuring Configuring the User Behavior Analytics app Before you can use the IBM Security QRadar User Behavior Analytics (UBA) app, you must configure additional settings. When you install the UBA app, the IBM Security QRadar Reference Data Import LDAP app is also installed. If you choose to use the LDAP app, you must configure the Reference Data Import LDAP app before you set up the UBA app. The data that the UBA app uses comes from an LDAP query. The LDAP query retrieves the list of users that is used to populates the UBA app. Complete the following setup procedures: v Create authorized service tokens v Configure the Reference Data Import LDAP app if you are using LDAP v Configure user analytics settings for the UBA app Creating authorized service tokens You must create authorized service tokens for the IBM Security QRadar User Behavior Analytics (UBA) app to authenticate the background polling service that the UBA app uses to request data from IBM Security QRadar. If you are using the Reference Data Import LDAP app to import user data, you must also create an authorized service token for the Reference Data Import LDAP app. About this task IBM Security QRadar, the Reference Data Import LDAP app, and the UBA app require that you use authentication tokens to authenticate the API calls that the apps make. Procedure 1. Open the Admin settings: v In IBM Security QRadar V7.3.0 or earlier, click the Admin tab. v In IBM Security QRadar V7.3.1, click the navigation menu ( the admin tab. 2. In the User Management section, click the Authorized Services icon. 3. Click Add Authorized Services. ), and then click Admin to open v If you are using the Reference Data Import LDAP app, go to step 3 to create the LDAP service token. v If you are using Active Directory, go to step 7 to create the UBA service token. 4. Configure the following information to create the LDAP service: a. In the Service Name field, type LDAP. b. From the User Role list, select the Admin user role. 
   c. From the Security Profile list, select the security profile that you want to assign to this authorized service. The security profile determines the networks and log sources that this service can access on the QRadar user interface.
   d. In the Expiry Date list, type or select a date for this service to expire. If an expiry date is not necessary, select No Expiry.
5. Click Create Service.

6. Click the row that contains the service that you created, and then select and copy the token string from the Selected Token field in the menu bar.
7. Click Add Authorized Services.
8. Configure the following information to create the UBA service:
   a. In the Service Name field, type UBA.
   b. From the User Role list, select the Admin user role.
   c. From the Security Profile list, select the security profile that you want to assign to this authorized service. The security profile determines the networks and log sources that this service can access on the QRadar user interface.
   d. In the Expiry Date list, type or select a date for this service to expire. If an expiry date is not necessary, select No Expiry.
9. Click Create Service.
10. Click the row that contains the service that you created, and then select and copy the token string from the Selected Token field in the menu bar.

Configuring the Reference Data Import LDAP app

When you install the IBM Security QRadar User Behavior Analytics (UBA) app, the Reference Data Import LDAP app is also installed. You can use the LDAP app to import user data into a reference table, or you can import data into a reference table by using your own tools.

Before you begin
• If you do not want to configure the LDAP app, continue to the Configuring UBA settings on page 17 topic and select the UBA_Default reference table that is delivered with the UBA app.
• If you decide to use the LDAP app to import your user data, you must create and add an authentication token to the LDAP app before you can add an LDAP configuration.

Attention: If you previously installed the stand-alone Reference Data Import LDAP app, it is replaced when you install the UBA app. Your configurations are added to the updated version of the Reference Data Import LDAP app.

About this task

Note: Make sure that you note the reference table name and whether you give a custom alias to any of the attributes.
When you set up the UBA app, select the reference table that you created in the Reference Data Import LDAP app. For more information about the Reference Data Import LDAP app, see the following section of the IBM Knowledge Center: com.ibm.apps.doc/c_qapps_ldap_intro.html

Procedure
1. Open the Admin settings:
   • In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   • In IBM Security QRadar V7.3.1, click the navigation menu icon, and then click Admin to open the Admin tab.
2. Click the Reference Data Import LDAP icon.
3. On the Reference Data Import LDAP app main window, click Configure and paste the authorized service token string into the Token field.
4. Optional: If you need to add a private root certificate authority file, click Choose File and then click Upload. The following file type is supported: .pem.
5. Click OK.

6. On the Reference Data Import LDAP app main window, click Add Import. The Add a New LDAP Configuration dialog box opens.
7. On the LDAP Configuration tab, add connection information for the LDAP server. The Filter and Attribute List fields are automatically populated from your Active Directory attributes.
   a. In the LDAP URL field, enter a URL that begins with ldap:// or ldaps:// (for TLS).
   b. In the Base DN field, enter the point in the LDAP directory tree from which the server must search for users. For example, if your LDAP server is on the domain example.com, you might use: dc=example,dc=com.
   c. In the Filter field, enter the attribute or attributes that you want to use to select the data that is imported into the reference table. For example: cn=*; uid=*; sn=*. The following default value works with Active Directory: (&(samaccountname=*)(samaccounttype= )).
   d. In the Attribute List field, enter the attributes that you want to import into the reference table. The following default values work with Active Directory: userprincipalname,cn,sn,telephonenumber,l,co,department,displayname,mail,title.
      Tip: If you do not specify attributes, you can still click Test Connection. The top 10 records are returned to help you choose your attributes.
   e. In the Username field, enter the user name that is used to authenticate to the LDAP server.
   f. In the Password field, enter the password for the LDAP server.
8. Click Test Connection to confirm that IBM Security QRadar can connect to the LDAP server. If your connection attempt is successful, information from your LDAP server is displayed on the LDAP Configuration tab.
9. Optional: On the LDAP Attribute Mapping tab, you can create custom aliases for the attributes. Aliases must be unique.
   Tip: You can create new LDAP fields by combining two attributes. For example, you can use the following syntax: "Last: {ln}, First: {fn}".

   Tip: If you want to merge LDAP data from multiple sources in the same reference table, you can use custom aliases to differentiate LDAP attributes that have the same name in different sources. When you add aliases to the Attribute List field on the LDAP Configuration tab, they are added automatically to the LDAP Attribute Mapping tab.
10. On the Reference Configuration tab, create a new reference map of maps or designate an existing reference map of maps to which you want to add LDAP data.
   a. In the Reference table field, enter the name for a new reference table. Alternatively, select from the list the name of an existing reference table to which you want to append the LDAP data.
   b. In the Outer key selection list, select Default or select the outer (unique) key that fits your environment.
   c. The Generate map of sets check box is disabled by default. If you enable it, the data is also sent to a reference set format to improve QRadar searching; however, it might affect performance.
   d. In the Time to live section, define how long you want the data to persist in the reference map of maps. By default, the data that you add never expires. When the time-to-live period is exceeded, a ReferenceDataExpiry event is triggered.
      Note: If you append data to an existing reference map of maps, the app uses the original time-to-live parameters. These parameters cannot be overridden on the Reference Configuration tab.
11. On the Polling tab, define how often you want the app to poll your LDAP server for data.
   a. In the Polling interval in minutes field, define in minutes how often you want the app to poll your LDAP server for data.
      Note: The minimum polling interval value is 120. You can also enter a polling interval of zero. If you enter a polling interval of zero, you must poll the app manually with the poll option that is displayed in the feed.

   b. In the Record retrieval limit field, enter a value for the number of records that you want the poll to return. By default, 100,000 records are returned. The maximum number of records that can be returned is 200,000.
   c. Optional: The Paged results check box is selected by default to avoid limiting the number of records that the LDAP server returns for each poll.
      Note: Paged results are not supported by all LDAP servers.
12. Click Save.

Configuring UBA settings

To view information in the IBM Security QRadar User Behavior Analytics (UBA) app, you must configure the UBA application settings.

Before you begin

You must create an authentication token for the UBA app before you can configure UBA settings.

About this task

The steps for configuring your UBA settings have changed starting with V

Procedure
1. Open the Admin settings:
   • In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   • In IBM Security QRadar V7.3.1, click the navigation menu icon, and then click Admin to open the Admin tab.
2. Click the UBA Settings icon in the Plug-ins section. The IBM UBA Settings dialog box opens.
3. In the QRadar Settings section, click Manage Authorized Services.
4. Click the row that contains the UBA service that you created, and then select and copy the token string from the Selected Token field in the menu bar.
5. In the UBA Settings window, paste the authorized service token string into the Token field.
6. In the Application Settings section, configure the following settings:

   Risk threshold to trigger offenses
      Indicates how high a user's risk score must get before an offense is triggered against that user. The default value is 100,000. The value is set high by default to avoid triggering offenses before the environment is analyzed.
      Tip: Consider setting up UBA and leaving the default value. Allow the settings to run for at least a day to see the type of scores that are returned. After a few days, review the results on the dashboard to determine a pattern. You can then adjust the threshold. For example, if you see one or two people with scores in the 500s but most are in the 100s, consider setting the threshold to 200 or 300. "Normal" for your environment might then be 100 or so, and any score above that might require your attention.
   Decay risk by this factor per hour
      Risk decay is the percentage by which the risk score is reduced every hour. The default value is 0.5.
      Note: The higher the number, the faster the risk score decays; the lower the number, the slower the risk score decays.
   Date range for user details graph
      The date range that is displayed for the user details graphs on the User Details page. The default value is 3.
   Search assets for username, when username is not available for event or flow data
      Select the check box to search for user names in the asset table. The UBA app uses assets to look up a user for an IP address when no user is listed in an event.
      Important: This feature might cause performance issues in the UBA app and your QRadar system.
      Tip: If the query timeout threshold is exceeded, the app does not return any data. If you receive an error message on the UBA Dashboard, clear the check box and click Refresh.
7. Optional: In the Import User Data section, select a Reference table.
8. Optional: Enter the number of hours to determine how often you want the reference table to ingest data.
9. Optional: In the User Coalescing section, select the attributes that are pulled from the selected reference table and that appear as "Username" in your QRadar system. The risk scores of these identifiers are added to, and associated with, the primary identifier. Do not select attributes that have shared values across users. For example, if there are many people from the same department, do not select "Department" as a username. Selecting a shared attribute like "Department" or "Country" causes UBA to combine all users with the same department or country value.
10. Optional: In the Display Attributes section, select the attributes that you want to display on the User Details page.

11. Click Save Configuration.
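The two configuration steps in this chapter, the Reference Configuration of the LDAP app (attribute aliases, the "{attr}" combining syntax, the outer key, the reference map of maps) and the UBA settings (user coalescing, hourly risk decay, the offense threshold), modelled as an added example. This is not IBM's code; the LDAP records and sense events are constructed, the way aliases and combined fields are applied is this example's assumption, and the decay value 0.5 is applied as 0.5 percent per hour, which is one reading of "percentage" in the setting description.

```python
"""Added example (not IBM's code): a model of the configuration above.

Part 1 follows the LDAP app's Reference Configuration: aliases, combined
fields with the "{attr}" syntax, an outer (unique) key, a map of maps.
Part 2 follows the UBA settings: coalescing of identifiers, hourly decay,
and the offense threshold. All data below is constructed sample data.
"""
from collections import defaultdict

# Constructed records using the default Active Directory attribute names
# from the Attribute List field.
LDAP_RECORDS = [
    {"userprincipalname": "jdoe@example.com", "cn": "jdoe", "sn": "Doe",
     "displayname": "Jane Doe", "mail": "jane.doe@example.com",
     "department": "Finance", "co": "US", "title": "Controller"},
    {"userprincipalname": "bsmith@example.com", "cn": "bsmith", "sn": "Smith",
     "displayname": "Bob Smith", "mail": "bob.smith@example.com",
     "department": "Finance", "co": "US", "title": "Analyst"},
]


def build_reference_map(records, outer_key, aliases=None, combined=None):
    """Return {outer_key_value: {attribute: value}} (a reference map of maps).

    aliases:  {ldap_attribute: alias} renames a column; aliases must be unique.
    combined: {new_field: template} adds a field built from other attributes
              with the "{attr}" syntax, as in the "Last: {ln}, First: {fn}" tip.
    How the app itself applies these is an assumption of this example.
    """
    aliases, combined = aliases or {}, combined or {}
    if len(set(aliases.values())) != len(aliases):
        raise ValueError("aliases must be unique")
    table = {}
    for rec in records:
        key = rec[outer_key]                      # taken before any renaming
        if key in table:
            raise ValueError(f"outer key value {key!r} is not unique")
        row = dict(rec)
        for field, template in combined.items():
            row[field] = template.format(**rec)
        for attr, alias in aliases.items():
            if attr in row:
                row[alias] = row.pop(attr)
        table[key] = row
    return table


def coalescing_index(table, attributes):
    """Map each selected identifier value (case-insensitive) to the primary key.

    Rejects attributes whose values are shared between users, which is the
    "Department"/"Country" mistake the settings description warns about.
    """
    index = {}
    for attr in attributes:
        for primary, row in table.items():
            value = row.get(attr)
            if not value:
                continue
            owner = index.setdefault(value.lower(), primary)
            if owner != primary:
                raise ValueError(f"attribute {attr!r} value {value!r} is shared "
                                 f"by {owner!r} and {primary!r}; it would merge them")
    return index


class RiskScorer:
    """Accumulates senseValue per primary user, decays it hourly and records an
    offense once the threshold is reached (defaults as in the settings above)."""

    def __init__(self, index, threshold=100000, decay_pct_per_hour=0.5):
        self.index = index
        self.threshold = threshold
        self.decay = decay_pct_per_hour       # assumed to mean percent per hour
        self.scores = defaultdict(float)
        self.offenses = []

    def sense_event(self, username, sensevalue):
        """Add a sense event's value to the coalesced user; return the new score."""
        primary = self.index.get(username.lower(), username)
        self.scores[primary] += sensevalue
        if self.scores[primary] >= self.threshold and primary not in self.offenses:
            self.offenses.append(primary)
        return self.scores[primary]

    def advance_hours(self, hours=1):
        """Apply the hourly decay for the given number of elapsed hours."""
        factor = (1 - self.decay / 100) ** hours
        for user in self.scores:
            self.scores[user] *= factor


def demo():
    """Run both parts on the sample data; returns (scores, offenses)."""
    table = build_reference_map(
        LDAP_RECORDS, outer_key="userprincipalname",
        aliases={"userprincipalname": "upn"},
        combined={"name": "Last: {sn}, First: {displayname}"})
    index = coalescing_index(table, ["upn", "cn", "mail"])
    scorer = RiskScorer(index, threshold=200, decay_pct_per_hour=0.5)
    # Constructed sense events: one person seen under three identifiers.
    scorer.sense_event("jdoe", 15)
    scorer.sense_event("JANE.DOE@example.com", 5)
    scorer.advance_hours(2)                       # 20 * 0.995 ** 2 = 19.8005
    scorer.sense_event("jdoe@example.com", 190)   # crosses the 200 threshold
    return dict(scorer.scores), scorer.offenses


if __name__ == "__main__":
    print(demo())
```

Selecting "department" as a coalescing attribute on the same sample makes `coalescing_index` refuse the configuration, which is the check to run before saving the settings: a shared attribute would silently merge every user in Finance into one risk score.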

5 Administering

Managing permissions for the QRadar UBA app

Administrators use the User Role Management feature in IBM Security QRadar to configure and manage user accounts. As an administrator, you must enable the User Analytics, Offenses, and Log Activity permissions for each user role that is permitted to use the QRadar UBA app.

About this task

After you install the QRadar UBA app, the User Analytics, Offenses, and Log Activity permissions must be enabled for the user roles that are assigned to users who intend to use the QRadar UBA app.

Procedure
1. Open the Admin settings:
   • In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   • In IBM Security QRadar V7.3.1, click the navigation menu icon, and then click Admin to open the Admin tab.
2. In the System Configuration section, under User Management, click the User Roles icon.
3. Select an existing user role or create a new role.
4. Select the following check boxes to add the permissions to the role:
   • User Analytics
   • Offenses
   • Log Activity
5. Click Save.

Viewing the whitelist for trusted users

You can view the list of trusted users that are whitelisted in the reference set management list.

Procedure
1. Open the Admin settings:
   • In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   • In IBM Security QRadar V7.3.1, click the navigation menu icon, and then click Admin to open the Admin tab.
2. In the System Configuration section, click Reference Set Management.
3. On the Reference Set Management window, select the UBA : Trusted Usernames reference set.
4. Click View Contents.

Managing network monitoring tools

You can manage network monitoring tools for the IBM Security QRadar User Behavior Analytics (UBA) app.

About this task

If you want to monitor the use of network capture, monitoring, or analysis programs, make sure that the programs are listed in the UBA : Network Capture, Monitoring and Analysis Program Filenames

reference set. You must then enable the UBA : Network Capture, Monitoring and Analysis Program Filenames rule.

Procedure
1. Open the Admin settings:
   • In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   • In IBM Security QRadar V7.3.1, click the navigation menu icon, and then click Admin to open the Admin tab.
2. In the System Configuration section, click Reference Set Management.
3. On the Reference Set Management window, select the UBA : Network Capture, Monitoring and Analysis Program Filenames reference set.
4. Click View Contents.
5. To add an application to manage, click Add and enter the values in the box.
6. To remove an application, select the application and click Delete.

What to do next

Enable the UBA : Network Capture, Monitoring and Analysis Program Filenames rule.

Managing restricted programs

You can manage restricted programs for the IBM Security QRadar User Behavior Analytics (UBA) app.

About this task

If there are any applications whose usage you want to monitor, go to the UBA : Restricted Program Filenames reference set and enter the applications that you want to monitor. You must then enable the UBA : Restricted Program Filenames rule.

Procedure
1. Open the Admin settings:
   • In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   • In IBM Security QRadar V7.3.1, click the navigation menu icon, and then click Admin to open the Admin tab.
2. In the System Configuration section, click Reference Set Management.
3. On the Reference Set Management window, select the UBA : Restricted Program Filenames reference set.
4. Click View Contents.
5. To add an application to manage, click Add and enter the values in the box.
6. To remove an application, select the application and click Delete.

What to do next

Enable the UBA : Restricted Program Filenames rule.

Adding log sources to the trusted log source group

If you do not want the UBA app to monitor and report on certain log sources, you can add them to the UBA : Trusted Log Source Group.
Adding log sources to the group stops the UBA app from monitoring them.

Procedure
1. Open the Admin settings:
   • In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   • In IBM Security QRadar V7.3.1, click the navigation menu icon, and then click Admin to open the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the common parameters for your log source.
5. Configure the protocol-specific parameters for your log source.
6. Select the UBA : Trusted Log Source Group check box.
7. Click Save.
8. On the Admin tab, click Deploy Changes.


6 Tuning

Enabling indexes to improve performance

To improve the performance of your IBM Security QRadar User Behavior Analytics (UBA) app, enable indexes in IBM Security QRadar.

About this task

To improve the speed of searches in IBM Security QRadar and the UBA app, narrow the overall data by adding the following indexed fields to your search query:
• High Level Category
• Low Level Category
• sensevalue
• senseoverallscore
• Username
• usecaseuuid

For more information about indexing, see the following section of the IBM Knowledge Center at c_qradar_adm_index_mgmt.html.

Procedure
1. Open the Admin settings:
   • In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   • In IBM Security QRadar V7.3.1, click the navigation menu icon, and then click Admin to open the Admin tab.
2. In the System Configuration section, click the Index Management icon.
3. On the Index Management page, in the search box, enter High Level Category.
4. Select High Level Category and then click Enable Index.
5. Click Save.
6. Select Low Level Category and then click Enable Index.

7. Click Save.
8. On the Index Management page, in the search box, enter sense.
9. Select sensevalue and senseoverallscore and then click Enable Index.
10. Click Save.
11. On the Index Management page, in the search box, enter username.
12. Select Username and then click Enable Index.
13. Click Save.
14. On the Index Management page, in the search box, enter usecaseuuid.
15. Select usecaseuuid and then click Enable Index.

16. Click Save.

Integrating new or existing QRadar content with the UBA app

Use the Rules Wizard in QRadar to integrate existing or custom QRadar rules with the UBA app.

About this task

To meet your specific needs, you can use the capabilities that are built into QRadar by integrating your existing QRadar rules with the UBA app.

Procedure
1. Create a copy of the existing rule. This prevents updates to the base rule from affecting the edits that you make to the new rule.
2. Open the rule in the Rule Wizard and then go to the Rule Response section.
3. Enable or edit the Dispatch New Event option, making sure that the Event text is formatted in the following way: sensevalue=#,sensedesc='sometext',usecase_id='rule UUID'
4. Set the High-Level-Category to Sense.
5. Click Finish to save the changes.
   Note: If the rule works on flow data, you must enable the Search assets for username, when username is not available for event or flow data option so that events with no usernames can attempt a lookup for user mapping.


7 Reference

Use cases for the UBA app

The IBM Security QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral

The User Behavior Analytics (UBA) app includes use cases that are based on custom rules and anomaly detection rules. These rules are used to generate data for the UBA app dashboard. You can view and modify the rules in the User Behavior Analytics Group on the Rules List in QRadar.

Note: By default, not all of the UBA app rules are enabled.

Note: One or more of the log sources should provide information for the specific UBA rule. The log sources are not prioritized in any particular order.

IBM plans to update the UBA app with additional use cases on a continuous delivery model. Check back frequently for the latest updates to the app.

For more information about working with rules in QRadar, see knowledgecenter/en/ss42vs_7.2.8/com.ibm.qradar.doc/c_qradar_rul_mgt.html

UBA : Abnormal data volume to external domain (ADE rule)

Rule name: UBA : Abnormal data volume to external domain
Enabled by default: False
senseValue: 15
Description: This rule uses the Anomaly Detection engine to monitor users' traffic usage and to alert on abnormal data volumes of traffic to external domains.
Data sources: Microsoft ISA, Pulse Secure Pulse Connect Secure, Juniper SRX Series Services Gateway

UBA : Abnormal data volume to external domain Found

Rule name: UBA : Abnormal data volume to external domain Found

Enabled by default: True
senseValue: 15
Description: This is a CRE rule that supports the corresponding ADE rule, UBA : Abnormal data volume to external domain, which uses the Anomaly Detection engine to monitor users' traffic usage and to alert on abnormal data volumes of traffic to external domains.
Data sources: Microsoft ISA, Pulse Secure Pulse Connect Secure, Juniper SRX Series Services Gateway

UBA : Abnormal Outbound Attempts (ADE rule)

Rule name: UBA : Abnormal Outbound Transfer Attempts (called UBA : Abnormal Outbound Attempts in V2.4.0)
Enabled by default: False
senseValue: 15
Description: This rule uses the Anomaly Detection engine to monitor outbound traffic usage and to alert on an abnormal number of attempts.
Data sources: All supported logs

UBA : Abnormal Outbound Attempts Found

Rule name: UBA : Abnormal Outbound Attempts Found
Enabled by default: True

Description: This is a CRE rule that supports the corresponding ADE rule, UBA : Abnormal Outbound Attempts, which uses the Anomaly Detection engine to monitor outbound traffic usage and to alert on an abnormal number of attempts.
Data sources: All supported logs

UBA : Abnormal visits to Risky Resources (ADE rule)

Rule name: UBA : Abnormal visits to Risky Resources
Enabled by default: False
senseValue: 15
Description: This rule uses the Anomaly Detection engine to monitor the number of times a user accesses a risky resource (such as suspicious URLs, anonymizers, and malware hosts) and alerts when the number of visits changes abnormally.

UBA : Abnormal visits to Risky Resources Found

Rule name: UBA : Abnormal visits to Risky Resources Found
Enabled by default: True
senseValue: 15
Description: This is a CRE rule that supports the corresponding ADE rule, UBA : Abnormal visits to Risky Resources, which uses the Anomaly Detection engine to monitor the number of times a user accesses risky resources (such as suspicious URLs, anonymizers, and malware hosts) and alerts when the number of visits changes abnormally.

UBA : Account, Group or Privileges Added or Modified

Rule name: UBA : Account, Group or Privileges Added or Modified
Enabled by default: True
senseValue: 5
Description: Detects events that a user performs and that fit into one of the following categories. The rule dispatches an IBM Sense event to increment the originating user's risk score.
• Authentication.Group Added
• Authentication.Group Changed
• Authentication.Group Member Added
• Authentication.Computer Account Added
• Authentication.Computer Account Changed
• Authentication.Policy Added
• Authentication.Policy Change
• Authentication.Trusted Domain Added
• Authentication.User Account Added
• Authentication.User Account Changed
• Authentication.User Right Assigned
Note: To tune the impact of this rule on users' overall risk scores, consider modifying the building block rule "CategoryDefinition: Authentication User or Group Added or Changed" by adding event categories of interest to your organization.
Data sources: CA ACF2, Cisco ACS, AhnLab Policy Center APC, Amazon AWS CloudTrail, AppSecDbProtect, Arbor Networks Pravail, Arpeggio SIFT-IT, ARSeriesRouter, Cisco Adaptive Security Appliance (ASA), Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, ChangeControl, CheckPoint, Cilasoft QJRN/400, Cisco Identity Services Engine, Cisco Identity Services Engine, Classify, Cloudera Navigator, CloudFoundry, CloudPassage Halo, CorreLogAgentforIBMzOS, CRE System, Cyber-Ark Vault, IBM DB2, Radware DefensePro, DG Technology MEAS, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, EventCRE, EventCREInjected, Foundry Fastiron, Fortinet FortiGate Security Gateway, Cisco Firewall Services Module (FWSM), GenericDSM, HBGary Active Defense, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityDirectoryServer, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IMS, IOS, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure,
JuniperSA, Kaspersky Security Center, LinuxServer, McAfee epolicy Orchestrator, Microsoft SQL Server, Mobility, Cisco NAC Appliance, Extreme NAC, NetScreenFirewall, NetScreenNSM, Netskope Active, Cisco Nexus, NSeries, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, OSSEC, OSServices, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, IBM Proventia Network Intrusion Prevention System (IPS), RACF, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, Microsoft SCOM, Securesphere, Microsoft SharePoint, Sidewinder, SIM Audit, Solaris BSM, SonicWALL SonicOS, SourcefireDefenseCenter, STEALTHbits StealthINTERCEPT, Sybase ASE, ThreatGRIDMalwareThreatIntelligencePlatform, TippingPoint X Series Appliances, TivoliAccessManager,

CA Top Secret, Trend Micro Deep Security, UnityOne, VMware, VormetricDataFirewall, Websphere, WindowsAuthServer, Wism

UBA : Critical Systems Users Seen Update

Rule name: UBA : Critical Systems Users Seen Update
Enabled by default: True
Description: Updates the last seen value in the "Critical Systems Users Seen" reference collection for Destination IP/Username matches that already exist.

UBA : Detect Persistent SSH session

Rule name: UBA : Detect Persistent SSH session
Enabled by default: True
senseValue: 10
Description: Detects SSH sessions that are active for more than 10 hours.
Data sources: Linux OS

UBA : Dormant Account Found (privileged)

Rule name: UBA : Dormant Account Found (privileged)
Enabled by default: True
senseValue: 10

Description: Ensure that "UBA : User Has Gone Dormant (no activity anomaly rule)" is enabled to activate this rule. This rule indicates that a username's activity count has changed by greater than 80%. "UBA : User Dormant Account Found (privileged)" and "UBA : User Has Gone Dormant (no activity anomaly rule)" are intended to point out when a user has stopped producing activity for an extended period. This condition might indicate that the user no longer requires access, as indicated by a long absence of activity that is associated with their username. False alarms are possible if a username's activity drops to zero during the short interval period (14 days by default) and before zero becomes the new baseline (28 days by default). These false alarms do not affect a user's risk score if the response frequency limit for "UBA : User Dormant Account Found (privileged)" is set to a time period equal to or greater than the long interval per user name.

UBA : Dormant Account Used

Rule name: UBA : Dormant Account Used
Enabled by default: False
senseValue: 10
Description: Provides reporting functions to indicate that a user successfully logged in after a dormant period. How quickly the rule is triggered after the user goes dormant is governed by the time-to-live setting in "UBA : User Accounts, Successful, Recent".
Note: For best results, wait 2-4 weeks before you enable both "UBA : Dormant Account Used" and "UBA : Username to User Accounts, Successful, Dormant". This allows the "UBA : User Accounts, Successful, Observed" and "UBA : User Accounts, Successful, Recent" reference sets to be populated and reduces the chance of prematurely triggering "UBA : Dormant Account Used".
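The dormancy logic described for "UBA : Dormant Account Found (privileged)" above, run on constructed per-day activity counts, as an added example (not IBM's code and not the rule's implementation). The thresholds are the page's: a change of more than 80 percent, a 14-day short interval, a 28-day long interval, and a response frequency limit of at least the long interval. Comparing the mean daily activity of the short interval against the preceding long interval, and treating a zero baseline as "cannot be dormant", are this example's assumptions.

```python
"""Added example (not IBM's code): the dormant-account condition described
above, with the response frequency limit that suppresses repeat alerts.
Activity series below are constructed sample data (events per day).
"""
SHORT_INTERVAL_DAYS = 14      # default short interval from the text
LONG_INTERVAL_DAYS = 28       # default long interval (baseline) from the text
DROP_THRESHOLD = 0.80         # "changed by greater than 80%"


def activity_drop(counts, short_days=SHORT_INTERVAL_DAYS,
                  long_days=LONG_INTERVAL_DAYS):
    """Fractional drop of mean daily activity in the last `short_days` days
    compared with the `long_days` days before them (assumed comparison).

    Returns None when there is not enough history or when the baseline is
    zero, which is exactly the false-alarm case the text describes: a user
    who has already been silent for the whole baseline cannot "go" dormant.
    """
    if len(counts) < short_days + long_days:
        return None
    baseline = counts[-(short_days + long_days):-short_days]
    recent = counts[-short_days:]
    base_mean = sum(baseline) / long_days
    if base_mean == 0:
        return None
    return (base_mean - sum(recent) / short_days) / base_mean


def is_dormant(counts, threshold=DROP_THRESHOLD):
    """True when activity dropped by more than the threshold fraction."""
    drop = activity_drop(counts)
    return drop is not None and drop > threshold


class DormancyMonitor:
    """Applies the rule per username with a response frequency limit: once a
    user is reported, it is not reported again within `limit_days`, which the
    text recommends setting to at least the long interval."""

    def __init__(self, limit_days=LONG_INTERVAL_DAYS):
        self.limit_days = limit_days
        self.last_reported = {}

    def evaluate(self, username, counts, day):
        """Return True when `username` should be reported dormant on `day`."""
        if not is_dormant(counts):
            return False
        last = self.last_reported.get(username)
        if last is not None and day - last < self.limit_days:
            return False                      # within the frequency limit
        self.last_reported[username] = day
        return True


# Constructed activity series, oldest day first.
ACTIVE_THEN_SILENT = [10] * 28 + [0] * 14    # stopped completely: 100% drop
ACTIVE_THEN_QUIET = [10] * 28 + [3] * 14     # slowed to 30%: a 70% drop only
NEVER_ACTIVE = [0] * 42                      # no baseline: cannot go dormant

if __name__ == "__main__":
    monitor = DormancyMonitor()
    for name, series in (("svc_backup", ACTIVE_THEN_SILENT),
                         ("jdoe", ACTIVE_THEN_QUIET),
                         ("old_contractor", NEVER_ACTIVE)):
        print(name, activity_drop(series), monitor.evaluate(name, series, day=42))
```

The `NEVER_ACTIVE` series shows why the text says to wait for zero to become the baseline: an account that was already silent throughout the long interval produces no drop to measure, so the detection belongs to the period in which the activity actually stopped.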
Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee epolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIM Audit, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymbolAP, Tandem, TippingPoint X Series Appliances, TivoliAccessManager, CA Top Secret, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : D/DoS Attack Detected

Rule name: UBA : D/DoS Attack Detected
Enabled by default: False
senseValue: 15
Description: Detects network Denial of Service (DoS) attacks by a user.
Note: Before you can use this rule, complete the following steps:
1. From the Admin tab, click UBA Settings.
2. Select the Search assets for username, when username is not available for event or flow data check box to search for user names in the asset table. The UBA app uses assets to look up a user for an IP address when no user is listed in an event.
3. The event rule requires the "Snort Open Source IDS" log source to work.
Data sources: Akamai KONA, Application Security DbProtect, Aruba Mobility Controller, Barracuda Web Application Firewall, Brocade FabricOS, CRE System, Check Point, Cisco Adaptive Security Appliance (ASA), Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Intrusion Prevention System (IPS), Cisco PIX Firewall, Cisco Stealthwatch, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Custom Rule Engine, CyberGuard TSP Firewall/VPN, Enterprise-IT-Security.com SF-Sherlock, Event CRE Injected, Extreme Dragon Network IPS, Extreme HiPath, F5 Networks BIG-IP AFM, F5 Networks BIG-IP ASM, F5 Networks BIG-IP LTM, Fair Warning, FireEye, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, Huawei AR Series Router, IBM Proventia Network Intrusion Prevention System (IPS), IBM Security Network IPS (GX), Imperva Incapsula, Juniper Junos OS Platform, Juniper Junos WebApp Secure, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee epolicy Orchestrator, Motorola SymbolAP, NCC Group DDos Secure, Niksun 2005 v3.5, Nortel Application Switch, OS Services Qidmap, OSSEC, Palo Alto PA Series, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, SonicWALL SonicOS, Squid Web Proxy, Stonesoft Management Center, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), Top Layer IPS, Trend Micro Deep Security, Universal DSM, Vectra Networks Vectra, Venustech Venusense Security Platform, WatchGuard Fireware OS

UBA : Executive Only Asset Accessed by Non-Executive User

Rule name: UBA : Executive Only Asset Accessed by Non-Executive User
Enabled by default: False
senseValue: 15
Description: Detects when a non-executive user logs on to an asset that is for executive use only. Two empty reference sets are imported with this rule: "UBA : Executive Users" and "UBA : Executive Assets". Edit the reference sets to add or remove the accounts and IP addresses from your environment that should be flagged.
Enable this rule after you configure the reference sets. Data sources APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM zos, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security 36 UBA app User Guide

43 Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z /OS, IBM zsecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee epolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC 
Group DDos Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell edirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vcloud Director, VMware vshield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, it-cube agilesi UBA : First Privilege Escalation UBA : First Privilege Escalation True 10 7 Reference 37

Description: Indicates that a user exercised privileged access for the first time. This reporting rule can be disabled to allow user behaviors to be tracked for baselining purposes.
Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, Arbor Networks Pravail, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Oracle Audit Vault, Avaya VPN Gateway, Barracuda Web Application Firewall, BigIP, Bind, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, Cloudera Navigator, CloudFoundry, CloudPassage Halo, ControlManager, CorreLogAgentforIBMzOS, CounterAct, CRE System, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, DG Technology MEAS, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, F5 Networks BIG-IP APM, F5ASM, Foundry Fastiron, Fortinet FortiGate Security Gateway, Cisco Firewall Services Module (FWSM), GenericDSM, Genua Genugate, Guardium, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HoneycombLexiconFileIntegrityMonitor, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityDirectoryServer, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, JuniperAltorVGW, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, MicrosoftFEP, MicrosoftHyperV, Microsoft SQL Server, Mobility, Cisco NAC Appliance, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, NetsightASM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, PostFixMailTransferAgent, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, Samhain, Microsoft SCOM, Securesphere, Sendmail, Microsoft SharePoint, Sidewinder, SIM Audit, SIMNotification, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SourcefireDefenseCenter, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymantecCriticalSystemProtection, SymantecSystemCenter, ThreatGRIDMalwareThreatIntelligencePlatform, TippingPoint X Series Appliances, TivoliAccessManager, TopLayerIPS, CA Top Secret, TrendMicroDeepDiscovery, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, TrusteerEnterpriseProtection, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism

UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage
Enabled by default: False
Default senseValue: 15
Description: Indicates that a process was created whose name matches one of the binary names in the reference set "UBA : Network Capture, Monitoring and Analysis Program Filenames". This reference set lists the binary names of network packet capture software and is pre-populated with the filenames of some common network protocol analysis tools. Because the match is on the filename only, a capture tool that is renamed or copied under another name is not detected. For more information about adding or removing programs to monitor, see Managing network monitoring tools.
Data sources: WindowsAuthServer

UBA : New Account Use Detected
Enabled by default: True
Default senseValue: 5
Description: Reports that a user successfully logged in for the first time. This reporting rule can be disabled temporarily for baselining purposes.
Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIM Audit, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymbolAP, Tandem, TippingPoint X Series Appliances, TivoliAccessManager, CA Top Secret, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : Orphaned or Revoked or Suspended Account Used
Enabled by default: True
Default senseValue: 10
Description: Indicates that a user attempted to log in to a disabled or expired account on a local system. This rule might also suggest that an account was compromised.
Data sources: Cisco CatOS for Catalyst Switches, Extreme Dragon Network IPS, IDS, JuniperRouter, Microsoft IAS Server, IBM Proventia Network Intrusion Prevention System (IPS), WindowsAuthServer

UBA : Pass the Hash
Enabled by default: False
Default senseValue: 15
Description: Detects Windows logon events that are possibly generated during pass the hash exploits.

UBA : Possible TGT Forgery
Enabled by default: False
Default senseValue: 15
Description: Detects Kerberos TGTs that contain Domain Name. These possibly indicate tickets that are generated by using pass the ticket exploits.

UBA : Unix/Linux System Accessed With Service or Machine Account
Enabled by default: True
Default senseValue: 15
Description: Detects any interactive session (GUI or CLI, local or remote login) that is initiated by a service or machine account on UNIX and Linux servers. Accounts and allowed interactive sessions are listed in the "UBA : Service, Machine Account" and "UBA : Allowed Interaction Session" reference sets. Edit the reference sets to add or remove the interactive sessions that you want flagged in your environment.
Data sources: Linux OS

UBA : User Access to Internal Server From Jump Server
Enabled by default: False
Default senseValue: 10
Description: Detects when a user uses a jump server to access the VPN or internal servers.
Data sources: APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM z/OS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDoS Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, it-cube agileSI

UBA : User Geography, Access from Unusual Locations
Enabled by default: True
Default senseValue: 15
Description: Indicates that users were able to authenticate from countries that are unusual for your network, as defined by the building block rule "UBA : BB : Unusual Source Locations".
Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, IBM DB2,
DCRSSeries, Radware DefensePro, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIM Audit, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymbolAP, Tandem, TippingPoint X Series Appliances, TivoliAccessManager, CA Top Secret, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : User Geography Change
Enabled by default: True
Default senseValue: 5
Description: A match indicates that a user logged in remotely from a country that is different from the country of the user's last remote login. This rule might also indicate an account compromise, particularly if the matches occurred closely in time.
Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIM Audit, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymbolAP, Tandem, TippingPoint X Series Appliances, TivoliAccessManager, CA Top Secret, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : User Installing Suspicious Application
Supports the following rules:
v UBA : User Installing Suspicious Application
v UBA : Populate Authorized Applications
Enabled by default: False
Default senseValue: 15
Description: Detects application installation events and alerts when an application that is not authorized is installed.
Note: Populate the reference set "UBA : Authorized Applications" with the names of the applications that are authorized in your organization. The rule "UBA : Populate Authorized Applications" writes the name of every application that is installed while it is enabled into that reference set, so it can be enabled for a short period to fill the set.
Note: The populate rule is disabled by default. Enable it only for a short period while users are installing applications. Every application installed during that period is treated as authorized, so review the reference set before you enable the detection rule.
Data sources: Microsoft Windows Security Event Log

UBA : User Running New Process
Supports the following rules:
v UBA : User Running New Process
v UBA : Populate Process Filenames
Enabled by default: False
Default senseValue: 15
Description: Detects processes that are created by a user and alerts when a user runs a process that is not in the reference set "UBA : Process Filenames". The utility rule "UBA : Populate Process Filenames" fills that reference set with the filenames of the processes that are created while it is enabled.
Note: The populate rule is disabled by default. Enable it for a short period to populate the filenames, and review the set before you enable the detection rule.
Data sources: Microsoft Windows System Event Log

UBA : User Has Gone Dormant (no activity anomaly rule)
Enabled by default: False
53 Indicates that a username's activity count changed by greater than 80%. This rule and its dependent rule "UBA : User Dormant Account Found (privileged)" are meant to indicate that a user suddenly stopped producing activity. Note: False alarms are possible for 'UBA : User Has Gone Dormant (no activity anomaly rule)' if a Username's activity decreases to zero during the short interval period (14 days by default) and before zero is the new baseline (28 days by default). The false alarms do not affect a user's risk score if the response frequency limit for "UBA : User Dormant Account Found (privileged)" is set to a period of time equal to or greater than the long interval per Username. Data sources CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet 
FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee epolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIM Audit, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymbolAP, Tandem, TippingPoint X Series Appliances, TivoliAccessManager, CA Top Secret, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, 
UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters
7 Reference 47

UBA : User Time, Access at Unusual Times
Event name: UBA : User Time, Access at Unusual Times
Enabled by default: True
senseValue: 5
Description: Indicates that users are successfully authenticating at times that are unusual for your network, as defined by the "UBA: Unusual Times, %" building blocks.
Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee epolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIM Audit, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymbolAP, Tandem, TippingPoint X Series Appliances,

TivoliAccessManager, CA Top Secret, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : Windows access with Service or Machine Account
Event name: UBA : Windows access with Service or Machine Account
Enabled by default: True
senseValue: 15
Description: Detects any interactive session (RDP, local login) that is initiated by a service or machine account in Windows Server. Accounts are listed in the "UBA : Service, Machine Account" reference set. Edit the list to add or remove the accounts from your environment that you want to flag.
Data sources: Microsoft Windows Security Event Log

UBA : QNI - Access to Improperly Secured Service - Certificate Expired
Event name: UBA : QNI - Access to Improperly Secured Service - Certificate Expired
Enabled by default: False
senseValue: 5
Description: QRadar Network Insights (QNI) detected an SSL/TLS session that uses an expired certificate. Servers and clients use certificates when establishing communication over Secure Sockets Layer (SSL) or Transport Layer Security (TLS). Certificates are issued with an expiration date that indicates how long the certificate remains valid.
Data sources: QRadar Network Insights (QNI)

UBA : QNI - Access to Improperly Secured Service - Certificate Invalid
Event name: UBA : QNI - Access to Improperly Secured Service - Certificate Invalid
Enabled by default: False
senseValue: 5
Description: QRadar Network Insights (QNI) detected an SSL/TLS session that uses an invalid certificate. Servers and clients use X.509 certificates when establishing communication over Secure Sockets Layer (SSL). Certificates are issued with a Not Before date that indicates the earliest date on which the certificate is valid.
Data sources: QRadar Network Insights (QNI)

UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length
Event name: UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length
Enabled by default: False
senseValue: 5
Description: QRadar Network Insights (QNI) detected an SSL/TLS session that uses a certificate with a low public key bit count of less than 1024 bits. A server that provides a weak public key certificate (less than 1024 bits) can represent a security risk. According to NIST publication , the recommended minimum RSA key length beginning in 2011 is 2048 bits.
Data sources: QRadar Network Insights (QNI)

UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate

Event name: UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate
Enabled by default: False
senseValue: 5
Description: QRadar Network Insights (QNI) detected an SSL/TLS session that uses a self-signed certificate. A self-signed certificate in a public-facing or production server application might allow a remote attacker to start a man-in-the-middle attack.
Data sources: QRadar Network Insights (QNI)

UBA : QNI - Observed File Hash Associated with Malware Threat
Event name: UBA : QNI - Observed File Hash Associated with Malware Threat
Enabled by default: False
senseValue: 15
Description: This rule triggers when flow content includes a file hash that matches known bad file hashes included in a Threat Intelligence data feed. Indicates that someone has transferred malware over the network.
Data sources: QRadar Network Insights (QNI)

UBA : QNI - Observed File Hash Seen Across Multiple Hosts
Event name: UBA : QNI - Observed File Hash Seen Across Multiple Hosts
Enabled by default: False

senseValue: 15
Description: This rule triggers when the same file hash associated with malware is seen being transferred to multiple destinations.
Data sources: QRadar Network Insights (QNI)

UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Recipient
Event name: UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Recipient
Enabled by default: False
senseValue: 5
Description: This rule triggers when rejected events sent to a nonexistent recipient address are seen in the system. This can indicate a spam or phishing attempt. Configure the BB:CategoryDefinition: Rejected Recipient building block to include QIDs relevant to your organization. It is pre-populated with the following QIDs that are useful for monitoring: Microsoft Exchange; Linux OS [running sendmail]; Solaris Operating System Sendmail Logs; and Barracuda Spam and Virus Firewall.
Data sources: QRadar Network Insights (QNI)

UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers
Event name: UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers
Enabled by default: False
senseValue: 5

Description: This rule triggers when multiple sending servers send the same subject within a period of time, which can indicate spam or phishing.
Data sources: QRadar Network Insights (QNI)

UBA : Recent User Activity Update (privileged)
Event name: UBA : Recent User Activity Update (privileged)
Enabled by default: True
Description: Updates the last seen value for a user on the observations that are kept in the "UBA : Recent Activities by Low Level Category and Username" map-of-sets.

UBA : Repeat Unauthorized Access
Event name: UBA : Repeat Unauthorized Access
Enabled by default: True
senseValue: 10
Description: Indicates that repeat unauthorized access activities were found.

UBA : Restricted Program Usage
Event name: UBA : Restricted Program Usage
Enabled by default: False

senseValue: 5
Description: Indicates that a process is created and the process name matches one of the binary names listed in the reference set "UBA : Restricted Program Filenames". This reference set is blank by default so that you can customize it. You can populate the reference set with the file names that you want to monitor for risk management. For more information about adding or removing programs for monitoring, see Managing restricted programs.
Data sources: WindowsAuthServer

UBA : Risky URL Filter Category - Gambling
Event name: UBA : Risky URL Filter Category - Gambling
Enabled by default: True
senseValue: 5
Description: A user accessed a URL that can indicate elevated security or legal risk.

UBA : Risky URL Filter Category - Malicious Outbound Data or Botnets
Event name: UBA : Risky URL Filter Category - Malicious Outbound Data or Botnets
Enabled by default: True

Description: A user accessed a URL that can indicate elevated security or legal risk.

UBA : Risky URL Filter Category - Malicious Sources or Malnets
Event name: UBA : Risky URL Filter Category - Malicious Sources or Malnets
Enabled by default: True
senseValue: 10
Description: A user accessed a URL that can indicate elevated security or legal risk.

UBA : Risky URL Filter Category - Mixed Content/Potentially Adult
Event name: UBA : Risky URL Filter Category - Mixed Content/Potentially Adult
Enabled by default: True
senseValue: 5
Description: A user accessed a URL that can indicate elevated security or legal risk.

UBA : Risky URL Filter Category - Phishing
Event name: UBA : Risky URL Filter Category - Phishing

Enabled by default: True
senseValue: 5
Description: A user accessed a URL that can indicate elevated security or legal risk.

UBA : Risky URL Filter Category - Pornography
Event name: UBA : Risky URL Filter Category - Pornography
Enabled by default: True
senseValue: 10
Description: A user accessed a URL that can indicate elevated security or legal risk.

UBA : Risky URL Filter Category - Potentially Unwanted Software
Event name: UBA : Risky URL Filter Category - Potentially Unwanted Software
Enabled by default: True
senseValue: 5
Description: A user accessed a URL that can indicate elevated security or legal risk.

UBA : Risky URL Filter Category - Scam/Questionable/Illegal
Event name: UBA : Risky URL Filter Category - Scam/Questionable/Illegal
Enabled by default: True
senseValue: 5
Description: A user accessed a URL that can indicate elevated security or legal risk.

UBA : Risky URL Filter Category - Suspicious
Event name: UBA : Risky URL Filter Category - Suspicious
Enabled by default: True
senseValue: 5
Description: A user accessed a URL that can indicate elevated security or legal risk.

UBA : Risky URL Filter Category - Web Ads/Analytics
Event name: UBA : Risky URL Filter Category - Web Ads/Analytics
Enabled by default: True
senseValue: 5

Description: A user accessed a URL that can indicate elevated security or legal risk.

UBA : Subject_CN and Username Mapping
Event name: UBA : Subject_CN and Username Mapping
Enabled by default: True
Description: This rule detects when a VPN event's Username is not equal to 'VPNSubjectcn'. This could indicate that VPN certificate sharing is occurring. Certificate sharing, or other authentication token sharing, makes it difficult to identify who has done what, which complicates the next steps in the event of a compromise.

UBA : Subject_CN and Username Map Update
Event name: UBA : Subject_CN and Username Map Update
Enabled by default: True
Description: This rule detects when a VPN event's Username is not equal to 'VPNSubjectcn'. This could indicate that VPN certificate sharing is occurring. Certificate sharing, or other authentication token sharing, makes it difficult to identify who has done what, which complicates the next steps in the event of a compromise.

UBA : Suspicious Privileged Activity (First Observed Privilege Use)
Event name: UBA : Suspicious Privileged Activity (First Observed Privilege Use)
Enabled by default: True
senseValue: 5

Description: Indicates that a user executed a privileged action that the user never executed before. Observations are kept in the "UBA : Observed Activities by Low Level Category and Username" map-of-sets.
Data sources: Acf2, AcmePacketSessionDirectorSBC, ACS, AhnLabPolicyCenter, Aironet, AmazonAWSCloudTrail, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ArborNetworksPravail, ArpeggioSIFTIT, ArrayVPN, ARSeriesRouter, ArubaClearPass, ASA, Auditvault, AvayaVPNGateway, BarracudaWAF, BigIP, Bind, Bit9Parity, BridgewaterAAA, BrocadeFabricOS, CatOS, ChangeControl, CheckPoint, CilasoftQJRN400, CiscoCallManager, CiscoISE, CiscoWLC, CitrixAccessGateway, CitrixNetScaler, Classify, ClouderaNavigator, CloudFoundry, CloudPassageHalo, ControlManager, CorreLogAgentforIBMzOS, CounterAct, CRESystem, CSA, CyberArkVault, Db2, DCRSSeries, DefensePro, DGTechnologyMEAS, Dragon, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, F5APM, F5ASM, FastIronDsm, FortiGate, FWSM, GenericDSM, GenuaGenugate, Guardium, HBGaryActiveDefense, Hedgehog, HiPath, HoneycombLexiconFileIntegrityMonitor, HyTrustCloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityDirectoryServer, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, IronPort, ISA, ITCubeAgileSI, ItronSmartMeter, JuniperAltorVGW, JuniperDDoSSecure, JuniperMXSeries, JuniperRouter, JuniperSA, JuniperWirelessLAN, KasperskySecurityCenter, LinuxServer, McAfeeEpo, MetaIP, MicrosoftDHCP, MicrosoftFEP, MicrosoftHyperV, MicrosoftSQL, Mobility, Nac, NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, NetsightASM, NetskopeActive, Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, OktaIdentityManagement, OpenBSD, Operationsmanager, OracleDbAudit, OracleDBListener, OracleEnterpriseManager, OracleOSAudit, OracleWebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Pix, PostFixMailTransferAgent, ProofpointEnterpriseProtectionEnterprisePrivacy, Proventia, RACF, RandomPasswordManager, RiverbedSteelCentralNetProfilerAudit, RSAAuthenticationManager, SafeNetDataSecure, SalesforceSecurityAuditing, Samhain, Scom, Securesphere, Sendmail, SharePoint, Sidewinder, SIMAudit, SIMNotification, Snort, Solaris2, SolarisBSM, SonicWall, SourcefireDefenseCenter, SSeriesSwitch, SSHCryptoAuditor, StarentHA, StealthINTERCEPT, SybaseAse, SymantecCriticalSystemProtection, SymantecSystemCenter, ThreatGRIDMalwareThreatIntelligencePlatform, TippingPointx505, TivoliAccessManager, TopLayerIPS, TopSecret, TrendMicroDeepDiscovery, TrendMicroDeepDiscovery Inspector, TrendMicroDeepSecurity, Tripwire, TrusteerEnterpriseProtection, UnityOne, VenustechVenusense, VerdasysDigitalGuardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism

UBA : Suspicious Privileged Activity (Rarely Used Privilege)
Event name: UBA : Suspicious Privileged Activity (Rarely Used Privilege)
Enabled by default: True
senseValue: 10

Description: Indicates that a user executed a privileged action that the user has not executed recently. Observations are kept in the "UBA : Recent Activities by Low Level Category and Username" map-of-sets. The sensitivity of this event can be modified by changing the TTL (time-to-live) of the reference map-of-sets "UBA : Recent Activities by Low Level Category and Username". Increasing the TTL reduces the sensitivity; decreasing the TTL increases the sensitivity.
Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, Arbor Networks Pravail, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Oracle Audit Vault, Avaya VPN Gateway, Barracuda Web Application Firewall, BigIP, Bind, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, Cloudera Navigator, CloudFoundry, CloudPassage Halo, ControlManager, CorreLogAgentforIBMzOS, CounterAct, CRE System, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, DG Technology MEAS, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, F5 Networks BIG-IP APM, F5ASM, Foundry Fastiron, Fortinet FortiGate Security Gateway, Cisco Firewall Services Module (FWSM), GenericDSM, Genua Genugate, Guardium, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HoneycombLexiconFileIntegrityMonitor, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityDirectoryServer, IBMSecurityIdentityGovernance,
IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, JuniperAltorVGW, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee epolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, MicrosoftFEP, MicrosoftHyperV, Microsoft SQL Server, Mobility, Cisco NAC Appliance, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, NetsightASM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, PostFixMailTransferAgent, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, Samhain, Microsoft SCOM, Securesphere, Sendmail, Microsoft SharePoint, Sidewinder, SIM Audit, SIMNotification, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SourcefireDefenseCenter, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymantecCriticalSystemProtection, SymantecSystemCenter, ThreatGRIDMalwareThreatIntelligencePlatform, TippingPoint X Series Appliances, TivoliAccessManager, TopLayerIPS, CA Top Secret, TrendMicroDeepDiscovery, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, TrusteerEnterpriseProtection, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, 
WindowsAuthServer, Wism

UBA : Unauthorized Access
Event name: UBA : Unauthorized Access

Enabled by default: True
senseValue: 10
Description: Indicates that unauthorized access activities were found.

UBA : User Access - Failed Access to Critical Assets
Event name: UBA : User Access - Failed Access to Critical Assets
Enabled by default: True
senseValue: 5
Description: This rule detects authentication failures for systems located in the Critical Assets reference set.

UBA : User Access - First Access to Critical Assets
Event name: UBA : User Access First Access to Critical Assets
Enabled by default: True
senseValue: 10
Description: Indicates that this is the first time the user accessed a critical asset. The "Critical Systems Users Seen" reference collection governs the time-to-live of an observation. By default, this rule detects the first access in three months.
Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA),

Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee epolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIM Audit, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymbolAP, Tandem, TippingPoint X Series Appliances, TivoliAccessManager, CA Top Secret, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VmWare, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : User Access Login Anomaly
Event name: UBA : User Access Login Anomaly
Enabled by default: True
senseValue: 5
Description: Indicates a sequence of login failures on a local asset. The rule might also indicate an account compromise or lateral movement activity. Ensure that the Multiple Login Failures for Single Username rule is enabled. Adjust the match and time duration parameters for this rule to tune the responsiveness.
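The time-to-live mechanism that the "UBA : User Access - First Access to Critical Assets" and "UBA : Suspicious Privileged Activity" entries above describe, as an added example that is not part of this guide or the UBA app: a map-of-sets whose observations expire after a TTL, run over constructed events under several TTLs so the effect on sensitivity is visible. The key layouts, the use of 90 days to stand in for the three-month default, and refreshing an observation on every event (rather than only on first sight) are assumptions made for the example.

```python
# Added example, not code from the UBA app or this guide. It models a
# reference map-of-sets whose entries expire after a time-to-live, the
# mechanism behind the "first access" and "rarely used privilege" rules,
# and shows how the TTL sets how often such a rule fires.
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

Observation = Tuple[datetime, str, str]  # (time, key, value)


class TtlMapOfSets:
    """key -> {value: last_seen}. A value whose last_seen is older than ttl
    is treated as absent; ttl=None never expires (an 'Observed' style set)."""

    def __init__(self, ttl: Optional[timedelta]) -> None:
        self.ttl = ttl
        self._data: Dict[str, Dict[str, datetime]] = {}

    def _live(self, key: str, now: datetime) -> Dict[str, datetime]:
        bucket = self._data.setdefault(key, {})
        if self.ttl is not None:
            for value, last_seen in list(bucket.items()):
                if now - last_seen >= self.ttl:
                    del bucket[value]  # observation has aged out
        return bucket

    def contains(self, key: str, value: str, now: datetime) -> bool:
        return value in self._live(key, now)

    def touch(self, key: str, value: str, now: datetime) -> None:
        """Insert or refresh a value: the job of the '... Update' rules."""
        self._live(key, now)[value] = now


def first_seen_alerts(observations: Iterable[Observation],
                      ttl_days: Optional[int]) -> List[Observation]:
    """Return the observations a first-seen rule would fire on: those whose
    value is not live under their key when they arrive. Every event then
    refreshes the observation (assumed behaviour of the Update rules)."""
    ttl = None if ttl_days is None else timedelta(days=ttl_days)
    seen = TtlMapOfSets(ttl)
    alerts: List[Observation] = []
    for ts, key, value in observations:
        if not seen.contains(key, value, ts):
            alerts.append((ts, key, value))
        seen.touch(key, value, ts)
    return alerts


def alert_count(observations: Iterable[Observation],
                ttl_days: Optional[int]) -> int:
    return len(first_seen_alerts(observations, ttl_days))


T0 = datetime(2018, 1, 1)


def day(n: int) -> datetime:
    return T0 + timedelta(days=n)


# Constructed logins to critical assets: (time, asset, username). Keying
# asset -> users stands in for a "Critical Systems Users Seen" collection;
# the real key layout is an assumption.
CRITICAL_ASSET_LOGINS: List[Observation] = [
    (day(0), "db-01", "alice"),
    (day(1), "db-01", "bob"),
    (day(40), "db-01", "alice"),
    (day(100), "db-01", "alice"),
    (day(100), "web-02", "alice"),
]

# Constructed privileged actions: (time, username, low-level category),
# keyed like "... by Low Level Category and Username".
PRIVILEGED_ACTIONS: List[Observation] = [
    (day(0), "alice", "User Right Assigned"),
    (day(2), "alice", "User Right Assigned"),
    (day(30), "alice", "Group Member Added"),
    (day(75), "alice", "User Right Assigned"),
]


def sensitivity_report() -> Dict[str, int]:
    """Alert counts for the same events under different TTLs: a longer TTL
    keeps observations alive longer, so fewer events look 'first seen'."""
    return {
        "first_access_ttl_90d": alert_count(CRITICAL_ASSET_LOGINS, 90),
        "first_access_ttl_30d": alert_count(CRITICAL_ASSET_LOGINS, 30),
        "first_observed_privilege_no_ttl": alert_count(PRIVILEGED_ACTIONS, None),
        "rarely_used_privilege_ttl_60d": alert_count(PRIVILEGED_ACTIONS, 60),
    }


if __name__ == "__main__":
    for name, count in sensitivity_report().items():
        print(f"{name}: {count} alert(s)")
```

With the 90-day TTL the sample logins raise three alerts (alice and bob on db-01, then alice on web-02), while a 30-day TTL raises five, because alice's 40-day and 60-day gaps on db-01 both outlive the shorter observation.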

Data sources for UBA : User Access Login Anomaly: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bind, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, Cyber-Ark Vault, Cyberguard, IBM DB2, DCRSSeries, Radware DefensePro, DG Technology MEAS, Extreme Dragon Network IPS, EDirectory, EMCvCloud, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, Guardium, HBGary Active Defense, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, Infoblox, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, JuniperMykonosWebSecurity, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, LinuxServer, McAfee epolicy Orchestrator, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, Okta Identity Management, OpenBSD OS, OpenLDAP, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Microsoft SharePoint, Sidewinder, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SourcefireDefenseCenter, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, StoneGate, Sybase ASE, SymbolAP, Tandem, Threecom8800SeriesSwitch, TippingPoint X Series Appliances, TivoliAccessManager, TopLayerIPS, TrendMicroDeepDiscovery, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : User Accessing Account from Anonymous Source
Event name: UBA : User Accessing Account from Anonymous Source
Enabled by default: True
senseValue: 15
Description: Indicates that a user is accessing internal resources from an anonymous source such as TOR or a VPN.

Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee epolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIM Audit, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymbolAP, Tandem, TippingPoint X Series Appliances, TivoliAccessManager, CA Top Secret, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : User Accessing Risky Resources
Event name: UBA : User Accessing Risky Resources
Note: UBA : User Accessing Risky Resources is disabled by default starting with V. The rules are now listed by the following types and enabled by default:
- UBA : User Accessing Risky IP, Anonymization
- UBA : User Accessing Risky IP, Botnet
- UBA : User Accessing Risky IP, Dynamic
- UBA : User Accessing Risky IP, Malware
- UBA : User Accessing Risky IP, Spam
- UBA : User Accessing Risky URL

Enabled by default: False
senseValue: 15
Description: Indicates that a user accessed an external resource that is deemed inappropriate or risky, or that shows signs of infection.
Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, AnomalyDetectionEngine, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, Arbor Networks Pravail, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bind, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, Cloudera Navigator, CloudFoundry, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, ControlManager, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, Cyberguard, IBM DB2, DCRSSeries, Radware DefensePro, DG Technology MEAS, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5ASM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, Guardium, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HoneycombLexiconFileIntegrityMonitor, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityDirectoryServer, IBMSecurityIdentityGovernance,
IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, Infoblox, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, JuniperAltorVGW, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperMykonosWebSecurity, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee epolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, MicrosoftFEP, MicrosoftHyperV, Microsoft IAS Server, Microsoft SQL Server, Mobility, Cisco NAC Appliance, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, NetsightASM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, OpenLDAP, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, PostFixMailTransferAgent, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Samhain, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Microsoft SharePoint, Sidewinder, SIM Audit, SIMNotification, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SourcefireDefenseCenter, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, StoneGate, Sybase ASE, SymantecCriticalSystemProtection, SymantecSystemCenter, SymbolAP, Tandem, ThreatGRIDMalwareThreatIntelligencePlatform, Threecom8800SeriesSwitch, TippingPoint X Series Appliances, TivoliAccessManager, TopLayerIPS, CA Top Secret, 
TrendMicroDeepDiscovery, 7 Reference 65

72 TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, TrusteerEnterpriseProtection, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters UBA : User Account Change UBA : User Account Change True 10 Indicates when a user account was affected by an action which changes the user s effective privileges, either up or down. False positive note: This event might misattribute modifications to an account name to the user making the changes. If you want to reduce this false positive possibility you can add the test 'and when Username equals AccountName'. False negative note: This event might not detect all cases of account modifications for a user. Data sources WindowsAuthServer UBA : User Anomalous Geography UBA : User Anomalous Geography True 5 Indicates that multiple locations or sources are using the same user account simultaneously. Adjust the match and duration parameters to tune responsiveness. 66 UBA app User Guide

Data sources: Acf2, AcmePacketSessionDirectorSBC, ACS, AhnLabPolicyCenter, Aironet, AmazonAWSCloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, ArpeggioSIFTIT, ArrayVPN, ARSeriesRouter, ArubaClearPass, ASA, ASE, Astaro, Auditvault, AvayaVPNGateway, BarracudaFirewall, BarracudaWAF, BarracudaWebFilter, BigIP, Bit9Parity, BridgewaterAAA, BrocadeFabricOS, CatOS, ChangeControl, CheckPoint, CilasoftQJRN400, CiscoCallManager, CiscoISE, CiscoWLC, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassageHalo, Contivity, Contivityv2, ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRESystem, Cryptoshield, CSA, CyberArkVault, Db2, DCRSSeries, DefensePro, Dragon, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5APM, F5FirePass, FastIronDsm, FortiGate, FreeRADIUS, FWSM, GenericAuthServer, GenericDSM, GenuaGenugate, HBGaryActiveDefense, Hedgehog, HiPath, HyTrustCloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, IronPort, ISA, ITCubeAgileSI, ItronSmartMeter, JuniperDDoSSecure, JuniperMXSeries, JuniperRouter, JuniperSA, JuniperSBR, JuniperWirelessLAN, KasperskySecurityCenter, LinuxServer, McAfeeEpo, MetaIP, MicrosoftDHCP, MicrosoftExchange, MicrosoftIAS, MicrosoftSQL, Mobility, NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, NetskopeActive, Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, OktaIdentityManagement, OpenBSD, Operationsmanager, OracleDbAudit, OracleDBListener, OracleEnterpriseManager, OracleOSAudit, OracleWebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Pix, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, Proventia, RACF, RandomPasswordManager, RiverbedSteelCentralNetProfilerAudit, RSAAuthenticationManager, SafeNetDataSecure, SalesforceSecurityAuditing, SalesforceSecurityMonitoring, Scom, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIMAudit, SiteMinder, Snort, Solaris2, SolarisBSM, SonicWall, SSeriesSwitch, SSHCryptoAuditor, StarentHA, StealthINTERCEPT, SybaseAse, SymbolAP, Tandem, TippingPointx505, TivoliAccessManager, TopSecret, TrendMicroDeepDiscovery Inspector, TrendMicroDeepSecurity, Tripwire, UnityOne, VenustechVenusense, VerdasysDigitalGuardian, VmWare, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : User Attempt to Use a Suspended Account

Enabled: True
Severity: 10
Description: Detects that a user attempted to access a suspended or disabled account.
Data sources: Extreme Dragon Network IPS, IDS, Microsoft IAS Server, IBM Proventia Network Intrusion Prevention System (IPS), WindowsAuthServer

UBA : User Behavior, Session Anomaly by Destination (ADE rule)

Enabled: False
Severity: 10
Description: Indicates that a user is accessing significantly different destination IP addresses than the user accessed in the past. The event is not necessarily an indication of compromise. The change in behavior might indicate a significant change in the user's job responsibilities or work habits.
Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, AnomalyDetectionEngine, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, Arbor Networks Pravail, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bind, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, Cloudera Navigator, CloudFoundry, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, ControlManager, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, Cyberguard, IBM DB2, DCRSSeries, Radware DefensePro, DG Technology MEAS, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5ASM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, Guardium, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HoneycombLexiconFileIntegrityMonitor, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityDirectoryServer, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, Infoblox, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, JuniperAltorVGW, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperMykonosWebSecurity, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, MicrosoftFEP, MicrosoftHyperV, Microsoft IAS Server, Microsoft SQL Server, Mobility, Cisco NAC Appliance, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, NetsightASM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, OpenLDAP, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, PostFixMailTransferAgent, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Samhain, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Microsoft SharePoint, Sidewinder, SIM Audit, SIMNotification, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SourcefireDefenseCenter, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, StoneGate, Sybase ASE, SymantecCriticalSystemProtection, SymantecSystemCenter, SymbolAP, Tandem, ThreatGRIDMalwareThreatIntelligencePlatform, Threecom8800SeriesSwitch, TippingPoint X Series Appliances, TivoliAccessManager, TopLayerIPS, CA Top Secret, TrendMicroDeepDiscovery, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, TrusteerEnterpriseProtection, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : User Behavior, Session Anomaly by Destination Found

Enabled: True
Severity: 10
Description: This CRE rule supports the corresponding ADE rule, UBA : User Behavior, Session Anomaly by Destination, which indicates that a user is accessing significantly different destination IP addresses than the user accessed in the past. The event is not necessarily an indication of compromise. The change in behavior might indicate a significant change in the user's job responsibilities or work habits.

UBA : User Event Frequency Anomaly - Categories Found

Enabled: True
Severity: 5

Description: This CRE rule supports the corresponding ADE rule, UBA : User Event Frequency Anomaly - Categories, which uses the Anomaly Detection engine to monitor the category distribution of a user's events and alerts on unusual frequency changes.

UBA : User Event Frequency Anomaly Categories (ADE rule)

Enabled: False
Severity: 5
Description: Uses the Anomaly Detection engine to monitor the category distribution of a user's events. It alerts on unusual frequency changes.
Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, AnomalyDetectionEngine, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, Arbor Networks Pravail, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bind, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, Cloudera Navigator, CloudFoundry, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, ControlManager, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, Cyberguard, IBM DB2, DCRSSeries, Radware DefensePro, DG Technology MEAS, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5ASM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, Guardium, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HoneycombLexiconFileIntegrityMonitor, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityDirectoryServer, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, Infoblox, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, JuniperAltorVGW, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperMykonosWebSecurity, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, MicrosoftFEP, MicrosoftHyperV, Microsoft IAS Server, Microsoft SQL Server, Mobility, Cisco NAC Appliance, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, NetsightASM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, OpenLDAP, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, PostFixMailTransferAgent, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Samhain, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Microsoft SharePoint, Sidewinder, SIM Audit, SIMNotification, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SourcefireDefenseCenter, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, StoneGate, Sybase ASE, SymantecCriticalSystemProtection, SymantecSystemCenter, SymbolAP, Tandem, ThreatGRIDMalwareThreatIntelligencePlatform, Threecom8800SeriesSwitch, TippingPoint X Series Appliances, TivoliAccessManager, TopLayerIPS, CA Top Secret, TrendMicroDeepDiscovery, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, TrusteerEnterpriseProtection, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VmWare, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : User Geography Change

Enabled: True
Severity: 5
Description: A match indicates that a user logged in remotely from a country that is different from the country of the user's last remote login. This rule might also indicate an account compromise, particularly if the rule matches occurred closely in time.
Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, HBGary Active Defense,

Sentrigo Hedgehog, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIM Audit, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymbolAP, Tandem, TippingPoint X Series Appliances, TivoliAccessManager, CA Top Secret, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VmWare, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : User Geography, Access from Unusual Locations

Enabled: True
Severity: 15
Description: Indicates that users were able to authenticate in countries that are unusual for your network, as defined by the building block rule "UBA : BB : Unusual Source Locations".
Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, IBM DB2,

DCRSSeries, Radware DefensePro, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIM Audit, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymbolAP, Tandem, TippingPoint X Series Appliances, TivoliAccessManager, CA Top Secret, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : User Time, Access at Unusual Times

Enabled: True
Severity: 5
Description: Indicates that users are successfully authenticating at times that are unusual for your network, as defined by the "UBA: Unusual Times, %" building blocks.
Data sources: CA ACF2, AcmePacketSessionDirectorSBC, Cisco ACS, AhnLab Policy Center APC, Aironet, Amazon AWS CloudTrail, Apache, APCUninterruptiblePowerSupply, AppleOSX, AppSecDbProtect, ARN, Arpeggio SIFT-IT, ArrayVPN, ARSeriesRouter, ArubaClearPass, Cisco Adaptive Security Appliance (ASA), Redback ASE, Sophos Astaro Security Gateway, Oracle Audit Vault, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, BigIP, Bit9 Security Platform, Bridgewater Systems AAA Service Controller, Brocade FabricOS, Cisco CatOS for Catalyst Switches, ChangeControl, CheckPoint, Cilasoft QJRN/400, CiscoCallManager, Cisco Identity Services Engine, Cisco Wireless LAN Controllers, CitrixAccessGateway, CitrixNetScaler, Classify, CloudPassage Halo, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), ControlElement, CorreLogAgentforIBMzOS, CounterAct, CRE System, Cryptoshield, CSA, Cyber-Ark Vault, IBM DB2, DCRSSeries, Radware DefensePro, Extreme Dragon Network IPS, EDirectory, EMCvCloud, EMCVShield, Endpointprotection, Enterasys, Enterasys800SeriesSwitch, EnterpriseITSecuritySFSherlock, EpicSIEM, ERS25_45_5500, ERS83_8600, EventCRE, EventCREInjected, ExtremeWare, F5 Networks BIG-IP APM, F5 Networks FirePass, Foundry Fastiron, Fortinet FortiGate Security Gateway, FreeRADIUS, Cisco Firewall Services Module (FWSM), GenericAuthServer, GenericDSM, Genua Genugate, HBGary Active Defense, Sentrigo Hedgehog, HiPath, HyTrust CloudControl, IBMAIXAudit, IBMAIXServer, IBMDomino, IBMFiberlinkMaaS360, IBMi, IBMSecurityAccessManagerESSO, IBMSecurityIdentityGovernance, IBMSecurityIdentityManager, IBMSmartCloudOrchestrator, IBMTivoliEndpointManager, IBMWebSphereDataPower, IBMzOS, IBMzSecureAlert, IDS, IIS, IMS, IntruShield, IOS, Cisco IronPort, ISA, ITCubeAgileSI, Itron Smart Meter, Juniper DDoS Secure, Juniper MX Series Ethernet Services Router, JuniperRouter, JuniperSA, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, LinuxServer, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft SQL Server, Mobility, Extreme NAC, NetScreenFirewall, NetScreenIDP, NetScreenNSM, Netskope Active, Cisco Nexus, NortelNAS, NortelSNAS, NortelSR, NSeries, ObserveITObserveIT, Okta Identity Management, OpenBSD OS, Operationsmanager, OracleDbAudit, OracleDBListener, Oracle Enterprise Manager, Oracle RDBMS OS Audit Record, Oracle BEA WebLogic, OSSEC, OSServices, PaSeries, PGPUniversalServer, PireanAccessOne, Cisco PIX Firewall, ProFTPD, ProofpointEnterpriseProtectionEnterprisePrivacy, IBM Proventia Network Intrusion Prevention System (IPS), RACF, RandomPasswordManager, Riverbed SteelCentral NetProfiler Audit, RSAAuthenticationManager, SafeNet DataSecure, Salesforce Security Auditing, SalesforceSecurityMonitoring, Microsoft SCOM, Securesphere, Securestack, SecurityAccessManagerForMobile, Sendmail, Sidewinder, SIM Audit, SiteMinder, Snort Open Source IDS, Solaris2, Solaris BSM, SonicWALL SonicOS, SSeriesSwitch, SSHCryptoAuditor, StarentHA, STEALTHbits StealthINTERCEPT, Sybase ASE, SymbolAP, Tandem, TippingPoint X Series Appliances, TivoliAccessManager, CA Top Secret, TrendMicroDeepDiscovery Inspector, Trend Micro Deep Security, Tripwire, UnityOne, VenustechVenusense, Verdasys Digital Guardian, VMware, VormetricDataFirewall, VpnConcentrator, VPNGateway, WatchGuardFirewareOS, WebProxy, Websphere, WindowsAuthServer, Wism, XSRSecurityRouters

UBA : User Volume of Activity Anomaly - Traffic (ADE rule)

Starting with V2.3.0, UBA : User Volume of Activity Anomaly - Traffic should be disabled and the following updated versions of the rule should be used instead:
v UBA : User Volume Activity Anomaly - Traffic to External Domains
v UBA : User Volume Activity Anomaly - Traffic to External Domains Found
v UBA : User Volume Activity Anomaly - Traffic to Internal Domains
v UBA : User Volume Activity Anomaly - Traffic to Internal Domains Found

Enabled: False

Description: Uses the Anomaly Detection engine to monitor user traffic usage and to send an alert on unusual volumes of traffic.
Data sources: JuniperSA

UBA : User Volume of Activity Anomaly - Traffic Found

Enabled: True
Severity: 10
Description: This CRE rule supports the corresponding ADE rule, UBA : User Volume of Activity Anomaly - Traffic, which uses the Anomaly Detection engine to monitor a user's traffic usage and alert on unusual volumes of traffic.

UBA : Username to User Accounts, Privileged, Observed

Enabled: True
Description: Records the username to "UBA : User Accounts, Privileged, Observed" when a user is observed in privileged activities for the first time.
Data sources: Not applicable.
Notes: This rule is a parallel rule to UBA : First Privilege Escalation. It is only used to record privileged usernames.
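The three geography rules earlier in this reference (UBA : User Geography Change, UBA : User Geography, Access from Unusual Locations and UBA : User Anomalous Geography) all come down to per-user bookkeeping over successful login events: the country of the last login, a list of countries that are usual for the network, and the set of distinct countries seen inside a time window. The following Python script is an added example that reproduces that logic over constructed login events; it is not code from the UBA app or from IBM, and the event layout, the usual-country list, the match count and the duration window are assumptions standing in for the rule parameters and the "UBA : BB : Unusual Source Locations" building block.

```python
"""Added example (not IBM code): the per-user login-geography checks that the
UBA geography rules describe, run over a few constructed login events.

Three checks are implemented:
  * geography change    - the country differs from the user's last login
                          (UBA : User Geography Change); the gap between the two
                          logins is carried in the finding so closely timed
                          changes stand out
  * unusual location    - the country is not in the network's usual-country
                          list, which stands in for the "UBA : BB : Unusual
                          Source Locations" building block
                          (UBA : User Geography, Access from Unusual Locations)
  * anomalous geography - the same account is used from MATCH or more distinct
                          countries within DURATION (UBA : User Anomalous Geography)
Field layout, thresholds and events are assumptions for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

USUAL_COUNTRIES = {"US", "CA"}          # assumed usual-source-location list
MATCH = 2                                # distinct countries needed to fire
DURATION = timedelta(hours=1)            # window for the simultaneity check

# Constructed sample events: (timestamp, username, source country, source IP)
EVENTS = [
    ("2018-05-01T08:00:00", "alice", "US", "203.0.113.10"),
    ("2018-05-01T08:20:00", "alice", "DE", "198.51.100.7"),
    ("2018-05-01T09:00:00", "bob",   "US", "203.0.113.11"),
    ("2018-05-02T09:00:00", "bob",   "CA", "203.0.113.12"),
    ("2018-05-02T10:00:00", "carol", "BR", "192.0.2.44"),
]


def analyze_logins(events, usual=USUAL_COUNTRIES, match=MATCH, duration=DURATION):
    """Return a list of (rule, username, detail) findings, in event order."""
    findings = []
    last_country = {}                 # username -> (country, timestamp)
    recent = defaultdict(deque)       # username -> deque of (timestamp, country)
    for ts_str, user, country, src_ip in events:
        ts = datetime.fromisoformat(ts_str)

        # Unusual location: the country is outside the usual list.
        if country not in usual:
            findings.append(("User Geography, Access from Unusual Locations", user,
                             f"{country} from {src_ip}"))

        # Geography change: the country differs from the previous login's country.
        if user in last_country:
            prev_country, prev_ts = last_country[user]
            if prev_country != country:
                findings.append(("User Geography Change", user,
                                 f"{prev_country}->{country} after {ts - prev_ts}"))
        last_country[user] = (country, ts)

        # Anomalous geography: MATCH or more distinct countries inside DURATION.
        window = recent[user]
        window.append((ts, country))
        while window and ts - window[0][0] > duration:
            window.popleft()          # drop logins that fell out of the window
        distinct = {c for _, c in window}
        if len(distinct) >= match:
            findings.append(("User Anomalous Geography", user,
                             f"{sorted(distinct)} within {duration}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in analyze_logins(EVENTS):
        print(f"{rule:48} {user:6} {detail}")
```

Running `analyze_logins(EVENTS)` yields five findings: alice's second login trips all three checks (a new country, a country outside the usual list, and two countries within twenty minutes), bob's move from US to CA a day later trips only the geography change, and carol's first login is flagged purely as an unusual location. In QRadar the equivalent tuning is the building block's membership and the rule's match and duration parameters; the time gap carried in each geography-change finding is what lets an analyst give weight to the closely timed matches that the rule description calls out.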

UBA : Username to User Accounts, Successful, Dormant

Enabled: False
Description: Records the username to "UBA : User Accounts, Successful, Dormant" when a successful user login is detected after a dormant period.
Note: For best results, wait 2-4 weeks before you enable both "UBA : Dormant Account Used" and "UBA : Username to User Accounts, Successful, Dormant". This allows the "UBA : User Accounts, Successful, Observed" and "UBA : User Accounts, Successful, Recent" reference sets to populate and reduces the chance of prematurely triggering "UBA : Dormant Account Used".
Data sources: Not applicable.
Notes: This rule is a parallel rule to UBA : New Account Use Detected and UBA : Dormant Account Used. It is only used to record usernames.

UBA : Username to User Accounts, Successful, Observed

Enabled: True
Description: Records the username to "UBA : User Accounts, Successful, Observed" when a successful user login is detected for the first time or after a dormant period.
Data sources: Not applicable.
Notes: This rule is a parallel rule to UBA : New Account Use Detected and UBA : Dormant Account Used. It is only used to record usernames.
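The recording rules above (and UBA : Username to User Accounts, Privileged, Observed before them) are easier to reason about as a small state machine over reference sets. The following Python script is an added example, not IBM's rule logic: it models an Observed set without expiry and a Recent set whose entries expire after a time to live that every login refreshes, derives the New Account Use Detected and Dormant Account Used verdicts from membership in those sets, and shows why the guide recommends a warm-up period before enabling the dormant-account rules. The set names are taken from the entries above; the TTL, the warm-up length and the login events are constructed for this example.

```python
"""Added example (not IBM code): how the "Observed" and "Recent" reference
sets drive the new-account and dormant-account detections.

Two sets are modelled:
  * observed - every username that ever logged in successfully (no expiry)
  * recent   - usernames seen within the last RECENT_TTL; each login refreshes
               the entry's time to live, as the "Recent Update" rule does
A login whose user is not in `observed` is a first use (New Account Use
Detected); a user in `observed` but no longer in `recent` is a dormant account
being used again (Dormant Account Used). `replay` also shows the warm-up
caveat: with empty sets, every login during the first period looks "new".
TTL, warm-up length and events are assumptions for this example.
"""
from datetime import datetime, timedelta

RECENT_TTL = timedelta(days=14)     # assumed time to live of the Recent set
WARM_UP = timedelta(days=21)        # assumed warm-up (the guide suggests 2-4 weeks)


class ReferenceSets:
    def __init__(self, ttl=RECENT_TTL):
        self.ttl = ttl
        self.observed = set()       # "UBA : User Accounts, Successful, Observed"
        self.recent = {}            # "UBA : User Accounts, Successful, Recent": user -> expiry

    def _expire(self, now):
        # Drop Recent entries whose time to live has elapsed.
        for user in [u for u, exp in self.recent.items() if exp <= now]:
            del self.recent[user]

    def record_login(self, user, now):
        """Apply one successful login; return the detection it triggers, if any."""
        self._expire(now)
        if user not in self.observed:
            verdict = "New Account Use Detected"
        elif user not in self.recent:
            verdict = "Dormant Account Used"
        else:
            verdict = None
        self.observed.add(user)                 # Username to ... Successful, Observed
        self.recent[user] = now + self.ttl      # Username to ... Successful, Recent (+ Update)
        return verdict


def replay(events, warm_up=timedelta(0), ttl=RECENT_TTL):
    """Replay (timestamp, username) logins in order and return the detections.

    Verdicts raised within `warm_up` of the first event are suppressed so the
    sets can populate before the detections are trusted."""
    sets = ReferenceSets(ttl)
    start = None
    findings = []
    for ts_str, user in events:
        ts = datetime.fromisoformat(ts_str)
        start = start or ts
        verdict = sets.record_login(user, ts)
        if verdict and ts - start >= warm_up:
            findings.append((ts_str, user, verdict))
    return findings


# Constructed logins: alice logs in steadily, bob goes quiet for a month, dave is new.
LOGINS = [
    ("2018-05-01T09:00:00", "alice"),
    ("2018-05-01T09:05:00", "bob"),
    ("2018-05-08T09:00:00", "alice"),
    ("2018-05-15T09:00:00", "alice"),
    ("2018-06-05T09:00:00", "bob"),
    ("2018-06-05T10:00:00", "dave"),
]

if __name__ == "__main__":
    print("without warm-up:", replay(LOGINS))
    print("with warm-up:   ", replay(LOGINS, warm_up=WARM_UP))
```

Without a warm-up, the first logins of alice and bob are reported as new accounts simply because the sets are empty; with the warm-up in place only bob's return after a 35-day gap (a Dormant Account Used) and dave's genuine first login survive. The same first-seen pattern, minus the expiring set, is what UBA : Username to User Accounts, Privileged, Observed applies to privileged activity.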

83 UBA : Username to User Accounts, Successful, Recent UBA : Username to User Accounts, Successful, Recent True Records that a successful user login is detected for the first time or after a dormant period. Data sources Not applicable. Notes This rule is a parallel rule to UBA : New Account Use Detected and UBA : Dormant Account Used. It is only used to record Usernames. UBA : Username to User Accounts, Successful, Recent Update UBA : Username to user Accounts, Successful, Recent Update True This rule will update the users time to live in the UBA : Username to User Accounts, Successful, Recent reference set for each instance that user is seen while it still exists in the reference set. UBA : VPN Access By Service or Machine Account UBA : VPN Access By Service or Machine Account True 10 7 Reference 77

84 This rule detects when a Cisco VPN is accessed by a service or machine account. Accounts are listed in the UBA : Service, Machine Account reference set. Edit this list to add or remove any accounts to flag from your environment. UBA : VPN Certificate Sharing UBA : VPN Certificate Sharing True Note: If you plan to use the UBA : VPN Certificate Sharing rule, you must update the Cisco Firewall DSM to the following: v For V7.2.8: DSM-CiscoFirewallDevices noarch.rpm v For V7.3.0 and later: DSM-CiscoFirewallDevices noarch.rpm 15 This rule detects when a VPN event's Username is not equal to 'VPNSubjectcn'. This could indicate that there is VPN certificate sharing occurring. Certificate sharing or other authentication token sharing can make it difficult to identify who's done what. This can complicate taking next steps in the event of a compromise. X-Force Risky IP, Anonymization X-Force Risky IP, Anonymization True This rule detect when a local user or host is connecting to an external anonymization service. X-Force Risky IP, Botnet X-Force Risky IP, Botnet 78 UBA app User Guide

Enabled by default: True
Description: This rule detects when a local user or host is connecting to a botnet command and control server.

X-Force Risky IP, Dynamic

Rule name: X-Force Risky IP, Dynamic
Enabled by default: True
Description: This rule detects when a local user or host is connecting to a dynamically assigned IP address.

X-Force Risky IP, Malware

Rule name: X-Force Risky IP, Malware
Enabled by default: True
Description: This rule detects when a local user or host is connecting to a malware host.

X-Force Risky IP, Spam

Rule name: X-Force Risky IP, Spam
Enabled by default: True
Description: This rule detects when a local user or host is connecting to a spam-sending host.

X-Force Risky URL

Rule name: X-Force Risky URL
Enabled by default: True
Description: This rule detects when a local user is accessing questionable online content.

8 Reference Data Import - LDAP app

Use the Reference Data Import - LDAP app to gather contextual identity information from multiple LDAP sources into your QRadar Console.

Note: The Reference Data Import - LDAP app requires QRadar V7.2.8 or later.

The app polls one or more LDAP servers for data and adds the data to new or existing reference data tables in QRadar. You can use the data to focus your investigations on specific groups, identify users by department, or use any other information that is available in the directory.

Using the LDAP data in QRadar

Every time the reference table is updated, a ReferenceDataUpdated event is triggered. You can set a time-to-live value for the LDAP data in the reference table. When the time-to-live period is exceeded, a ReferenceDataExpiry event is triggered. You can create rules that respond to these events, or create searches to query the payloads of these events on the QRadar Log Activity tab.

Accessing the Reference Data Import - LDAP app

Access the QRadar Reference Data Import - LDAP app by clicking the Reference Data Import LDAP icon in the Admin settings. For more information on reference data collections in QRadar, see the IBM Security QRadar SIEM Administration Guide.

Supported browsers for the LDAP app

For the features in IBM Security QRadar products to work properly, you must use a supported web browser. The following table lists the supported versions of web browsers.

Table 1. Supported web browsers for the QRadar Reference Data Import LDAP app

Web browser        Supported versions
Mozilla Firefox    45.2 Extended Support Release
Google Chrome      Latest

Creating an authorized service token

Before you can configure an LDAP server to add data to a reference table, you must create an authorized service token.

About this task

Note: After you submit the authorized service token, you must deploy changes for the new authorized service token to take effect.

IBM Security QRadar requires that you use an authentication token to authenticate the API calls that the Reference Data Import - LDAP app makes. You use the Manage Authorized Services window in the Admin settings to create the authorized service token. Because the service is created with the Admin user role, treat the token string as a credential: do not paste it into tickets or checked-in scripts, and if you set an expiry date, record it, because the app's LDAP polling stops working once the token expires.

Procedure
1. On the Reference Data Import - LDAP app window, click Configure.
2. In the Configure Authorized Service Token dialog box, click Manage Authorized Services.
3. In the Manage Authorized Services window, click Add Authorized Service.
4. Add the relevant information in the following fields and click Create Service:
   a. In the Service Name field, type a name for this authorized service. The name can be up to 255 characters in length.
   b. From the User Role list, select Admin.
   c. From the Security Profile list, select the security profile that you want to assign to this authorized service. The security profile determines the networks and log sources that this service can access on the QRadar user interface.
   d. In the Expiry Date list, type or select a date for this service to expire. If an expiry date is not necessary, select No Expiry.
5. Click the row that contains the service you created, select and copy the token string in the Selected Token field on the menu bar, and close the Manage Authorized Services window.
6. In the Configure Authorized Service Token dialog box, paste the token string into the Token field, and click OK.
7. Deploy changes for the new authorized service token to take effect.

What to do next
Adding an LDAP configuration on page 83

Adding a private root certificate authority

You can upload a private root certificate authority (CA) bundle to IBM Security QRadar for use with the LDAP app.
Procedure
1. Open the Admin settings:
   v In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   v In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the admin tab.
2. Click the Reference Data Import LDAP icon.
3. On the Reference Data Import LDAP app main window, click Configure.
4. Click Choose File, select the CA bundle, and then click Upload. Only the .pem file type is supported.
5. Click OK.

Adding an LDAP configuration

Add the LDAP server information that is used to insert user data into a reference map of maps.

Before you begin
You must create and add an authentication token to the Reference Data Import - LDAP app before you can add an LDAP configuration.

Procedure
1. On the Reference Data Import - LDAP app window, click Add Import.
2. Enter the following information on the LDAP Configuration tab:
   a. In the LDAP URL field, enter a URL that begins with ldap:// or ldaps:// (for TLS). Use ldaps:// wherever the server supports it; over plain ldap:// the bind password and the directory data cross the network unencrypted. If the server's certificate is issued by a private CA, upload that CA first (see Adding a private root certificate authority).
   b. In the Base DN field, enter the point in the LDAP directory tree from which the server must search for users. For example, if your LDAP server is on the domain example.com, you might use: dc=example,dc=com
   c. In the Filter field, enter the LDAP search filter that selects the entries to import into the reference table. For example: cn=*; uid=*; sn=*
      The following default value works with Active Directory: (&(samaccountname=*)(samaccounttype= )).
   d. In the Attribute List field, enter the attributes you want to import into the reference table. The following default values work with Active Directory: userprincipalname,cn,sn,telephonenumber,l,co,department,displayname,mail,title.
   e. In the Username field, enter the user name that is used to authenticate to the LDAP server. A dedicated read-only bind account is sufficient, because the app only searches the directory.
   f. In the Password field, enter the password for that account.
3. Click Test Connection to confirm that IBM Security QRadar can connect to the LDAP server before you proceed. If the connection attempt is successful, information from your LDAP server is displayed on the LDAP Configuration tab.
4. Click Next.

What to do next
Add LDAP attribute mappings.

Related tasks:
Adding a private root certificate authority on page 82
You can upload a private root certificate authority (CA) bundle to IBM Security QRadar for use with the LDAP app.
Creating an authorized service token on page 82
Before you can configure an LDAP server to add data to a reference table, you must create an authorized service token.

Adding LDAP attribute mappings

You can create aliases that map to the LDAP attributes you added on the LDAP Configuration tab.

About this task
If you want to merge LDAP data from multiple sources into the same reference table, you can use custom aliases to differentiate LDAP attributes that have the same name in different sources. When you add attributes to the Attributes field on the LDAP Configuration tab, they are added automatically to the LDAP Attribute Mapping tab.

Procedure
1. On the LDAP Attribute Mapping tab, enter a new name in the Alias field for any of the LDAP attributes you added, and then click Add.
2. Click Next.

Note: Aliases must be unique.
Tip: You can create new LDAP fields by combining two attributes. For example, you can use the following syntax: "Last: {ln}, First: {fn}".

What to do next
Configure a reference data table to store LDAP data.

Related tasks:
Adding a reference data configuration
Use the Reference Configuration tab to set up a reference data table to store LDAP data.
Creating a rule that responds to LDAP data updates on page 87
After you have configured the IBM Security QRadar Reference Data Import - LDAP app to store data from your LDAP server in a reference table in QRadar, you can use the data to create event rules.

Adding a reference data configuration

Use the Reference Configuration tab to set up a reference data table to store LDAP data.

Before you begin
After you configure your LDAP server information, you must set up a reference table to store the LDAP data that is passed to the app. You can then use the stored data to construct rules in QRadar or to create searches and reports.

Procedure
1. Use the Reference Configuration tab to enter a new reference table or designate an existing reference table to which you want to add LDAP data.
   a. Enter a name for the reference data collection in the Reference Data field, or select an existing reference data collection from the list.
   b. In the Outer key selection list, select Default, or select the outer (unique) key that suits your environment.
   c. The Generate map of sets check box is disabled by default.
      If you enable the check box, the app also writes the data in reference map of sets format, which improves QRadar searching but might affect performance.
   d. Use the Time to live fields to define how long you want the data to persist in the reference table. By default, the data you add never expires. When the time-to-live period is exceeded, a ReferenceDataExpiry event is triggered.
      Note: If you append data to an existing reference map of maps, the app uses the original time-to-live parameters. These parameters cannot be overridden on the Reference Configuration

      tab.
2. Click Next.

What to do next
Set the polling interval.

Related tasks:
Configuring polling
Use the Polling Interval tab to configure how often the app polls your LDAP server for new information.

Configuring polling

Use the Polling Interval tab to configure how often the app polls your LDAP server for new information.

Before you begin
After you configure your LDAP server information and reference data collection, you configure how often you want the app to draw down data from the LDAP server.

Procedure
1. In the Polling Interval in minutes field, define how often, in minutes, you want the app to poll your LDAP server for data. The minimum permissible polling interval value is
2. In the Record retrieval limit field, enter the number of records you want the poll to return. By default, 100,000 records are returned. The maximum number of records that can be returned is 200,

3. The Paged results check box is selected by default, to avoid limiting the number of records the LDAP server returns for each poll.
   Note: Paged results are not supported by all LDAP servers.
4. Click Save.

Results
Data from your LDAP server is added to the reference data collection you selected, at the interval you configured. You can use the API page on your IBM Security QRadar Console to check that data was added to the reference data collection.

Related tasks:
Checking that data is added to the reference data collection
You can use the IBM Security QRadar API documentation page to test whether data was added to the reference data collection you created.

Checking that data is added to the reference data collection

You can use the IBM Security QRadar API documentation page to test whether data was added to the reference data collection you created.

About this task
The API Documentation page on your QRadar Console can show the data that is stored in the reference table that you created in the Reference Data Import - LDAP app. You can use the API Documentation page to check that LDAP information was updated by the app.

Procedure
1. Log in to the QRadar API Documentation page.
2. In the navigation tree, open the most recent API.
3. Go to /reference_data > /tables > /{name} > GET.
4. In the Value field of the Name parameter, enter the name of the reference data collection you created to store LDAP information, and click Try it out!. The data added by the app is returned in the Response Body field.
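The API Documentation page is convenient for a one-off check, but after every configuration change you will want the same check scripted. The following is an added example, not the app's own code, that issues the same GET against /api/reference_data/tables/{name} with an authorized service token in the SEC header, verifies TLS against the console CA instead of disabling it, and reduces the response to the two facts that matter: how many rows the poll wrote and which attributes arrived. The console host, the table name "LDAPtest1", the token, the API Version header value and SAMPLE_RESPONSE are all assumptions made for the example; the response layout (data, then outer key, then inner key, then a cell with value, first_seen, last_seen and source) follows the reference_data tables endpoint, and the list-style value strings mirror the "['true']" rendering that the guide's value regex expects.

```python
"""Added example (not the app's code): checking a reference table over the
QRadar REST API from a script instead of the API Documentation page.

Assumptions: console host, table name "LDAPtest1", token value, API Version
header and SAMPLE_RESPONSE are made up; the response layout follows the
reference_data tables endpoint (data -> outer key -> inner key -> cell).
"""
import json
import ssl
import urllib.parse
import urllib.request
from typing import Dict, List, Optional


def build_request(console: str, table: str, token: str,
                  api_version: str = "9.0") -> urllib.request.Request:
    """GET /api/reference_data/tables/{name}. The authorized service token goes
    in the SEC header; Version pins the API version so the response shape does
    not change underneath the script after a console upgrade."""
    path = "/api/reference_data/tables/" + urllib.parse.quote(table, safe="")
    return urllib.request.Request(
        "https://" + console + path,
        headers={"SEC": token, "Version": api_version, "Accept": "application/json"},
    )


def fetch_table(req: urllib.request.Request, ca_bundle: Optional[str] = None) -> Dict:
    """Perform the call with TLS verification on. ca_bundle is the PEM file for
    the CA that issued the console certificate; None uses the system store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def summarize(table: Dict) -> Dict:
    """Row count and the attributes (inner keys) present, which is the quickest
    way to confirm that a poll actually wrote data."""
    data = table.get("data", {})
    attrs = sorted({inner for row in data.values() for inner in row})
    return {"name": table.get("name"), "rows": len(data), "attributes": attrs}


def users_with(table: Dict, attribute: str, wanted: str) -> List[str]:
    """Outer keys (user DNs) whose attribute cell holds exactly `wanted`."""
    hits = []
    for outer_key, row in table.get("data", {}).items():
        cell = row.get(attribute)
        if cell is not None and cell.get("value") == wanted:
            hits.append(outer_key)
    return sorted(hits)


def _cell(value: str) -> Dict:
    # Constructed cell in the shape the endpoint returns (epoch millis are made up).
    return {"value": value, "first_seen": 1514764800000,
            "last_seen": 1517443200000, "source": "reference data api"}


# Constructed response; not captured from a real console.
SAMPLE_RESPONSE: Dict = {
    "name": "LDAPtest1",
    "element_type": "ALN",
    "data": {
        "uid=alice,dc=example,dc=com": {
            "mail": _cell("['alice@example.com']"),
            "passwordisexpired": _cell("['false']"),
        },
        "uid=bob,dc=example,dc=com": {
            "mail": _cell("['bob@example.com']"),
            "passwordisexpired": _cell("['true']"),
        },
    },
}

if __name__ == "__main__":
    # Against a live console:
    # table = fetch_table(build_request("qradar.example.com", "LDAPtest1", token), "console-ca.pem")
    print(summarize(SAMPLE_RESPONSE))
    print("expired passwords:", users_with(SAMPLE_RESPONSE, "passwordisexpired", "['true']"))
```

Read the token from an environment variable or a secrets store rather than a command-line argument, since the authorized service carries the Admin role and process listings are visible to other users on the host.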

Creating a rule that responds to LDAP data updates

After you have configured the IBM Security QRadar Reference Data Import - LDAP app to store data from your LDAP server in a reference table in QRadar, you can use the data to create event rules.

About this task
When you poll your LDAP server and data is added to the reference table, ReferenceDataUpdated events are triggered. When the time-to-live period you configured on the Reference Configuration tab is exceeded, a ReferenceDataExpiry event is triggered. You can create rules that respond to content within the ReferenceDataUpdated or ReferenceDataExpiry event payloads.

LDAP data stored by the app in a reference data collection is available to rules that you configure by using the QRadar Rules Wizard. The Rules Wizard can be accessed from the Offenses, Log Activity, or Network Activity tabs.

Procedure
1. Click Log Activity > Rules > Actions > New Event Rule.
2. On the Rule Wizard introduction page, click Next.
3. Ensure that the Events radio button is selected, and click Next.
4. Enter a name for the rule in the field provided.
5. Select a test from the Test Group list, and click the + icon beside the test you want to use. The rule test you select depends on the information you want to retrieve from the reference data collection that holds your LDAP data. The following reference map of maps event property test is designed to test events that are triggered when the Reference Data Import - LDAP app reference table is updated:
   when any of these event properties is the key of the first map and any of these event properties is the key of the second map and any of these event properties is the value in any of these reference map of maps
   In the example that follows, a rule is configured to test the ReferenceDataExpiry event payload when the LDAP attribute PasswordIsExpired is updated to true for any UID in the LDAPtest1 reference data collection.

To use this event property test, you must create custom event properties for the outer key (the key of the first map), the inner key (the key of the second map), and the value. In the following example, the Reference Data Import - LDAP app was configured to import information on users whose password is expired from an LDAP server at example.com.

The outer key
This property contains the data from the LDAP fields specified in the Base DN and Filter fields on the app's LDAP Configuration tab. The regex for the custom event property might look like this:
(uid=(.*?),dc=example,dc=com)

The inner key
This property contains the data from the LDAP fields specified in the Attribute List field on the app's LDAP Configuration tab. You can use attribute aliases in this field. The regex for the custom event property might look like this:
(passwordisexpired)

The value field
This property contains the data retrieved for the passwordisexpired LDAP attribute for each user. The regex for the custom event property might look like this:
(\['true'\])

For more information about custom event properties, see the IBM Security QRadar SIEM Users Guide.
6. Click Next.
7. Select the rule action, rule response, and rule limiter you want to apply to the rule, and click Finish. For more information on custom event rules, see the IBM Security QRadar SIEM Users Guide.

Results
The next time you poll your LDAP server and the reference data collection you created is updated, your rule is triggered.

Related tasks:
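Before building the three custom event properties in the Rule Wizard, it pays to run the regexes over a few event payloads, because the value regex as written matches "['true']" anywhere in the payload, not only as the value of passwordisexpired; a user whose password is fine but who has some other true-valued attribute would still satisfy all three properties. The following added example, not the app's or QRadar's own code, evaluates the guide's three regexes the way a custom event property does (capture group 1 of the first match), shows that false match, and puts a tighter value regex beside it. The payload strings are constructed for the example and are not the real ReferenceDataUpdated format: copy a real payload from the Log Activity tab and adjust the patterns before you rely on them.

```python
"""Added example (not the app's code): exercising the three custom event
property regexes from the guide against ReferenceDataUpdated-style payloads,
and a tighter value regex that avoids a false match.

Assumptions: QRadar evaluates a custom event property as capture group 1 of
the regex; the payload strings below are constructed and are NOT the real
event format, which must be copied from a real ReferenceDataUpdated event.
"""
import re
from typing import Dict, Optional

# The regexes exactly as the guide gives them.
OUTER_KEY_RE = re.compile(r"(uid=(.*?),dc=example,dc=com)")
INNER_KEY_RE = re.compile(r"(passwordisexpired)")
VALUE_RE = re.compile(r"(\['true'\])")

# Tighter value regex: only match ['true'] when it is the value that follows
# passwordisexpired, never a ['true'] that belongs to another attribute.
STRICT_VALUE_RE = re.compile(r"passwordisexpired[^\]]*?(\['true'\])")


def cep(payload: str, pattern: "re.Pattern[str]") -> Optional[str]:
    """What a custom event property yields: group 1 of the first match, or nothing."""
    m = pattern.search(payload)
    return m.group(1) if m else None


def extract_properties(payload: str, strict: bool = False) -> Dict[str, Optional[str]]:
    """Evaluate the outer key, inner key and value properties on one payload."""
    value_re = STRICT_VALUE_RE if strict else VALUE_RE
    return {
        "outer_key": cep(payload, OUTER_KEY_RE),
        "inner_key": cep(payload, INNER_KEY_RE),
        "value": cep(payload, value_re),
    }


def rule_fires(payload: str, strict: bool = False) -> bool:
    """The reference-map-of-maps test needs all three properties populated."""
    return all(v is not None for v in extract_properties(payload, strict).values())


def uid_of(payload: str) -> Optional[str]:
    """Group 2 of the outer-key regex is the bare uid, handy as the rule's offense index."""
    m = OUTER_KEY_RE.search(payload)
    return m.group(2) if m else None


# Constructed payloads (the shape is an assumption, see the module docstring).
PAYLOADS = {
    "bob": "ReferenceDataUpdated name=LDAPtest1 key=uid=bob,dc=example,dc=com "
           "data={'mail': ['bob@example.com'], 'passwordisexpired': ['true']}",
    "carol": "ReferenceDataUpdated name=LDAPtest1 key=uid=carol,dc=example,dc=com "
             "data={'passwordisexpired': ['false'], 'accountlocked': ['true']}",
    "dave": "ReferenceDataUpdated name=LDAPtest1 key=uid=dave,dc=example,dc=com "
            "data={'mail': ['dave@example.com']}",
}

if __name__ == "__main__":
    for who, payload in PAYLOADS.items():
        print(who, "loose:", rule_fires(payload), "strict:", rule_fires(payload, strict=True))
```

With the guide's patterns, carol's event fires the rule even though her password is not expired; the strict pattern only fires for bob. The same tightening applies to the outer key regex if your directory has entries outside dc=example,dc=com that also carry a uid.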

Adding LDAP attribute mappings on page 83
You can create aliases that map to the LDAP attributes you added on the LDAP Configuration tab.
Adding a reference data configuration on page 84
Use the Reference Configuration tab to set up a reference data table to store LDAP data.

9 Machine Learning Analytics app

The Machine Learning Analytics (ML) app extends the capabilities of your QRadar system and the QRadar User Behavior Analytics (UBA) app by adding use cases for machine learning analytics. With the Machine Learning Analytics use cases, you can gain additional insight into user behavior with predictive modeling. The ML app helps your system learn the expected behavior of the users in your network.

Attention: You must install IBM Security QRadar V7.2.8 or later before you install the UBA app and the ML app.

Important:
v It is best to enable Machine Learning Analytics Settings one day after you initially configure the UBA app. This waiting period ensures that the UBA app has sufficient time to create risk profiles for users.
v The model updates every 7 days. This ensures that the Machine Learning Analytics app has the latest risky users to monitor.
v The QRadar Console limits the amount of memory that can be used by apps. To maximize results, the ML app requires:
  a 64 GB console to monitor the top 2000 risky users provided by the UBA app;
  a 128 GB console to monitor the top 5000 risky users provided by the UBA app.
v To install the Machine Learning Analytics app on a QRadar App node, the QRadar App node must have a minimum of 5 GB of available memory.
v The installation might fail due to a lack of available memory. This situation can occur if the amount of memory available for applications is decreased because other applications are installed.

Known issues for Machine Learning Analytics

The Machine Learning Analytics app V2.5.0 has the following known issues:
v If you are upgrading from Machine Learning Analytics app V2.1.0 or lower, the Risk Value of Sense Event value for each User Analytic is updated to the current Machine Learning default value.
v The Machine Learning app might show warning messages in the Status of Machine Learning section.
  For more information, see Machine Learning app status shows warning on dashboard on page 106.
v The installation might fail due to a lack of available memory. This situation can occur on 128 GB consoles if several other apps are already installed and less than 10 GB remains for the ML app to use. If the installation fails, the error message "FAILED" is displayed. To remedy this situation, uninstall some of the other apps and then try again.

Prerequisites for installing the Machine Learning Analytics app

Before you install the Machine Learning Analytics app, ensure that you meet the requirements. You must meet the following system requirements and fully install and configure the User Behavior Analytics (UBA) app before you can install the Machine Learning Analytics app.

Component                           Minimum requirements
System memory                       v Console: 64 GB
                                    v App node: 5 GB
IBM QRadar version                  V7.2.8 or later
Sense DSM                           Install the DSM RPM file.
User Behavior Analytics (UBA) app   v Install the UBA V2.5.0 app.
                                    v Configure the UBA User Analytics Settings.
                                    v Click the User Analytics tab and confirm that the UBA Dashboard contains user data.

Installing the IBM Sense DSM manually

The UBA app and the Machine Learning Analytics app use the following IBM Sense DSM files to add user risk scores and offenses into QRadar.
v For V7.2.8: DSM-IBMSense noarch.rpm
v For QRadar V7.3.0 and later: DSM-IBMSense noarch.rpm

Restriction: Uninstalling a Device Support Module (DSM) is not supported in QRadar. Because the installation cannot be undone, compare the file's checksum with the value published where you downloaded it before you install.

1. Copy the DSM RPM file to your QRadar Console.
2. Use SSH to log in to the QRadar host as the root user.
3. Go to the directory that includes the downloaded file.
4. Type the following command: rpm -Uvh <rpm_filename>
5. From the Admin settings, click Advanced > Deploy Full Configuration.

Note: Instructions for installing and configuring the UBA app are on the IBM Knowledge Center.

Installing the Machine Learning Analytics app

Install the Machine Learning Analytics app after you have installed the UBA app from the Extension Manager.

Before you begin
Make sure you have completed all of the Prerequisites for installing the Machine Learning Analytics app.

About this task
After you install your User Behavior Analytics (UBA) app V2.1.0 or later, you can install the Machine Learning Analytics app from the Machine Learning Settings page.

Procedure
1. Open the Admin settings:
   v In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   v In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the admin tab.
2. Click the Machine Learning Settings icon in the Plug-ins section.

3. On the Machine Learning Settings screen, click Install ML App.
4. At the prompt, click Yes to install the app. The ML app takes several minutes to install.

What to do next
When the installation is complete, you can enable ML use cases and then click Save Configuration.

Upgrading the Machine Learning Analytics app

Upgrade the Machine Learning Analytics app from the Machine Learning Settings page.

Before you begin
Starting with UBA with ML V2.2.0, there are no separate upgrade procedures: the Machine Learning app is upgraded automatically with the UBA app. After you install or upgrade your User Behavior Analytics (UBA) app, you can upgrade your existing Machine Learning Analytics app from the Machine Learning Settings page.

Attention: If you have the Machine Learning Analytics (ML) app V2.0.0 installed and you upgrade to the latest version of the UBA app, do not uninstall the Machine Learning Analytics app from the QRadar Extension Manager. If you attempt to uninstall the Machine Learning Analytics app from the Extension Manager, you might encounter issues with your ML app installation.

Note: If you are upgrading from Machine Learning Analytics app V2.1.0 or lower, the Risk Value of Sense Event value for each User Analytic is updated to the current Machine Learning default value.

Procedure
1. Open the Admin settings:
   v In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   v In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the admin tab.
2. Click the Machine Learning Settings icon in the Plug-ins section.
3. On the Machine Learning Settings screen, click Upgrade ML App.
4. At the prompt, click Yes. The ML app takes several minutes to upgrade.
5. After the upgrade is complete, the model building restarts.

What to do next
Verify that your Machine Learning Settings are configured correctly. If you change any settings, make sure to click Save Configuration.

Configuring Machine Learning Analytics settings

To view information in the Machine Learning Analytics app, you must configure the Machine Learning Analytics application settings.

About this task
Attention: After you configure your settings, it takes a minimum of 1 hour to ingest data, build an initial model, and see initial results for users.

Important: Starting with V2.2.0, the default values for Risk value of sense event have been changed. Because the new default values are significantly less than the previous default values, the new default values overwrite the existing default values and any value you previously modified.

Procedure
1. Open the Admin settings:
   v In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
   v In IBM Security QRadar V7.3.1, click the navigation menu, and then click Admin to open the admin tab.
2. Click the Machine Learning Analytics icon in the Plug-ins section.
3. On the Machine Learning Analytics configuration page, click the following user analytics to configure their settings.

Option: Total Activity
Click Enabled to turn on the Total Activity analytic and display the Total Activity graph on the User Details page.
Important: You must have 7 days of data available for the analytic to generate a model.
v In the Risk value of sense event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 5.
v Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1-10). This factor is determined by how much the user deviates from their expected behavior, not just that they deviated.
v In the Confidence interval to trigger anomaly field, enter the percentage for how confident the machine learning algorithm should be before it triggers an anomalous event. The default value is
v In the Data Retention Period field, set the number of days you want to save the model data. The default value is 60.
  Note: If you want to disable automatic purging of data, set the value to 0 (zero). All of your modeling data is then stored indefinitely.

Option: User Activity by Category
Click Enabled to turn on the User Activity by Category analytic and display the User Activity by Category graph on the User Details page.
Important: You must have 7 days of data available for the analytic to generate an initial model. If you have less than 7 days of user data for this QRadar system, the initial model is generated after 7 days of user data has been accumulated.
v In the Risk Value of Sense Event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 1.
v Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1-10). This factor is determined by how much the user deviates from their expected behavior, not just that they deviated.
v In the Confidence interval to trigger anomaly field, enter the percentage for how confident the machine learning algorithm should be before it triggers an anomalous event. The default value is
v In the Data Retention Period field, set the number of days you want to save the model data. The default value is 60.
  Note: If you want to disable automatic purging of data, set the value to 0 (zero). All of your modeling data is then stored indefinitely.
v In the Categories to track section, the high-level event categories are enabled by default. Click any category to disable it from being monitored. For more information about categories, see the high-level categories topic in the IBM Knowledge Center.

Option: Risk Posture
Click Enabled to turn on the Risk Posture analytic and display the Risk Posture graph on the User Details page.
Important: You must have 7 days of sense event data available for the analytic to generate a model.
v In the Risk Value of Sense Event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 5.
v Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1-10). This factor is determined by how much the user deviates from their expected behavior, not just that they deviated.
v In the Confidence Interval to Trigger Anomaly field, enter the percentage for how confident the machine learning algorithm should be before it triggers an anomalous event. The default value is
v In the Data Retention Period field, set the number of days you want to save the model data. The default value is 60.
  Note: If you want to disable automatic purging of data, set the value to 0 (zero). All of your modeling data is then stored indefinitely.

Option: Activity Distribution (V2.2.0 or later)
Click Enabled to turn on the Activity Distribution analytic and display the Activity Distribution graph on the User Details page. Depending on the data, the model can take a few hours to build.
Important: You must have 7 days of event data available for the analytic to generate a model.
v In the Risk Value of Sense Event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 5.
v Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1-10). This factor is determined by how much the user deviates from their expected behavior, not just that they deviated.
v In the Confidence Interval to Trigger Anomaly field, enter the percentage for how confident the machine learning algorithm should be before it triggers an anomalous event. The default value is
v In the Data Retention Period field, set the number of days you want to save the model data. The default value is 60.
  Note: If you want to disable automatic purging of data, set the value to 0 (zero). All of your modeling data is then stored indefinitely.

Option: Peer Group (V2.2.0 or later)
Click Enabled to turn on the Peer Group use case and display the Peer Group graph on the User Details page. Depending on the data, the model can take an hour or more to build.
Important:
v You must install an App Node to enable the analytic. For more information, see com.ibm.qradar.doc/c_adm_appnode_intro.html
v You must have 7 days of event data available for the analytic to generate a model.
v In the Risk Value of Sense Event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 5.
v Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1-10). This factor is determined by how much the user deviates from their expected behavior, not just that they deviated.
v In the Confidence Interval to Trigger Anomaly field, enter the percentage for how confident the machine learning algorithm should be before it triggers an anomalous event. The default value is
v In the Data Retention Period field, set the number of days you want to save the model data. The default value is 60.
  Note: If you want to disable automatic purging of data, set the value to 0 (zero). All of your modeling data is then stored indefinitely.

4. Click Save Configuration.

Results
It can take a minimum of one hour for the app to ingest data and build an initial model.

What to do next
Click the User Analytics tab to go to the Dashboard.

UBA dashboard with Machine Learning Analytics

The IBM Security QRadar User Behavior Analytics (UBA) app with Machine Learning Analytics includes the Machine Learning Analytics status and additional details for the selected user.

Dashboard
After you enable Machine Learning Analytics, click the User Analytics tab to open the dashboard. The Status of Machine Learning Models section shows you the model ingestion and model building progress for each analytic you have enabled. Note that the models are updated every seven days.
v The blue progress bar indicates that the analytic is ingesting data.
v The green progress bar indicates that the analytic is building the model.
v The green check mark indicates that the analytic is enabled.
v The yellow warning icon indicates that a problem was encountered during the model building phase. See Machine Learning app status shows warning on dashboard on page 106.
Click the ML Settings icon to open the Machine Learning Analytics page and edit the configuration for the Machine Learning Analytics use cases.

Note: If you edit the configuration after it has been saved, a new model is built and the wait time for ingestion and model building is reset.

User details page
You can click a user name from anywhere in the app to see details for the selected user. Starting with V2.5.0, you can learn more about the user's activities with the event viewer pane. The event viewer pane shows information about a selected activity or point in time. Clicking an event in the event viewer pane reveals more details, such as syslog events and payload information. The event viewer pane is available for all donut and line graphs on the User details page.

The following table describes the Machine Learning Analytics graphs available on the User Details page.

Total Activity
Shows the actual and expected (learned) amount of activity for the user throughout the day. The actual values are the number of events for that user during the selected time period. The expected values are the number of events predicted for that user during the selected time period. A red circle indicates that an anomaly was detected and a sense event was generated by machine learning.
On the Total Activity graph, you can:
v Click a data node to get a query listing of the events that make up the anomaly.
v Click the Calendar icon to specify a custom date range.

User Activity by Category
Shows actual and expected user activity behavior patterns by high-level category. The actual values are the number of events per high-level category for that user during the selected time period. The expected values are the predicted number of events per high-level category for that user during the selected time period. A red circle indicates that an anomaly was detected and a sense event was generated by machine learning.
On the User Activity by Category graph, you can:
v Click the Calendar icon to specify a time and date.
v Click a category to open the timeline graph for the selected category.
On the timeline graph for the selected category, you can:
v Click a data node to get a query listing of the events that represent that node.
v Click the Calendar icon to specify a custom date range.

106 Risk Posture Shows if a user's risk score deviates from their expected risk score pattern. The actual values are the sum of the sense values for the sense events for that user during the selected time period. The expected values are the predicted sum of the sense values for the sense events for that user during the selected time period. A red circle indicates that an anomaly was detected and a sense event was generated by machine learning. On the Risk Posture graph, you can: v Click a node and get a query listing of the events. v Click the Calendar icon to specify a custom date range. Activity Distribution (V2.2.0 or later) Shows dynamic behavior clusters for all users that are monitored by machine learning. The clusters are inferred by the low-level activity categories for all users that are monitored by machine learning. The actual values are the percent match to that cluster. The expected values are the predicted percent match to that cluster. Each color in the graph represents a unique dynamic behavior cluster for all users monitored by machine learning. A color used to denote a particular group is the same for all users. A red vertical line indicates that an anomaly was detected and a sense event was generated by machine learning. On the Activity Distribution graph, you can: v Hover over each cluster to view the actual and predicted activity percentiles and the top 3 contributing low-level categories. v Click the Calendar icon to specify a date range. 100 UBA app User Guide


More information

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors Protecting Against Modern Attacks Protection Against Modern Attack Vectors CYBER SECURITY IS A CEO ISSUE. - M C K I N S E Y $4.0M 81% >300K 87% is the average cost of a data breach per incident. of breaches

More information

IBM BigFix Version 9.5. WebUI Administrators Guide IBM

IBM BigFix Version 9.5. WebUI Administrators Guide IBM IBM BigFix Version 9.5 WebUI Administrators Guide IBM IBM BigFix Version 9.5 WebUI Administrators Guide IBM Note Before using this information and the product it supports, read the information in Notices

More information

ThreatScape App for QRadar: Overview, Installation and Configuration

ThreatScape App for QRadar: Overview, Installation and Configuration ThreatScape App for QRadar: Overview, Installation and Configuration December 16, 2015 App Description... 3 System Requirements... 3 ThreatScape App for QRadar Installation and Configuration... 3 Configuration...

More information

NSM Plug-In Users Guide

NSM Plug-In Users Guide Security Threat Response Manager NSM Plug-In Users Guide Release 2010.0 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.net Published: 2010-11-16 Copyright

More information