IBM QRadar User Behavior Analytics (UBA) app Version 2 Release 7. User Guide IBM



Note: Before you use this information and the product that it supports, read the information in Notices on page 149.

Product information
This document applies to IBM QRadar Security Intelligence Platform V7.2.8 and subsequent releases unless superseded by an updated version of this document.

Copyright International Business Machines Corporation 2016,
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Chapter 1. User Behavior Analytics app ... 1
    What's new in the User Behavior Analytics app ... 1
    Known issues ... 3
    Process overview ... 4
    Video demonstrations and tutorials ... 5
    UBA dashboard and user details ... 6
    Investigating users in QRadar Advisor with Watson ... 8
    Prerequisites for installing the User Behavior Analytics app ... 9
    Supported browsers for the UBA app ... 9
    Log source types relevant to the UBA app
Chapter 2. Installing and uninstalling ... 11
    Installing the User Behavior Analytics app
    Uninstalling the UBA app ... 12
Chapter 3. Upgrading ... 13
    Upgrading the User Behavior Analytics app ... 13
Chapter 4. Configuring
    Configuring the User Behavior Analytics app ... 15
    Creating authorized service tokens
    Configuring the Reference Data Import LDAP app ... 16
    Configuring UBA settings
Chapter 5. Administering
    Managing permissions for the QRadar UBA app ... 23
    Viewing the whitelist for trusted users ... 23
    Managing network monitoring tools ... 24
    Managing restricted programs ... 24
    Adding log sources to the trusted log source group
Chapter 6. Tuning
    Enabling indexes to improve performance
    Integrating new or existing QRadar content with the UBA app ... 29
Chapter 7. Reference
    Use cases for the UBA app
    Accounts and privileges
    DNS Analysis ... 46
    Network attacks
    Network traffic ... 50
    QRadar Network Insights (QNI) ... 58
    Risky resources
    Suspicious application
    System monitoring (Sysmon) ... 86
    Time and geography ... 92
    User access ... 98
    Unusual scanning
    VPN access
    X-Force
Chapter 8. Reference Data Import - LDAP app
    Supported browsers for the LDAP app
    Creating an authorized service token
    Adding a private root certificate authority
    Adding an LDAP configuration
    Adding LDAP attribute mappings
    Adding a reference data configuration
    Configuring polling
    Checking that data is added to the reference data collection
    Creating a rule that responds to LDAP data updates
Chapter 9. Machine Learning Analytics app
    Known issues for Machine Learning Analytics
    Prerequisites for installing the Machine Learning Analytics app
    Installing the Machine Learning Analytics app
    Upgrading the Machine Learning Analytics app
    Configuring Machine Learning Analytics settings
    UBA dashboard with Machine Learning Analytics
    User groups for the defined peer group analytic
    Uninstalling the Machine Learning Analytics app
Chapter 10. Troubleshooting and support
    Help and support page for UBA
    Service requests
    Machine Learning app status shows warning on dashboard
    Machine Learning app status shows no progress for data ingestion
    ML app status is in an error state
    Extracting UBA and Machine Learning logs
Notices
    Trademarks
    Terms and conditions for product documentation
    IBM Online Privacy Statement
    General Data Protection Regulation

Chapter 1. User Behavior Analytics app

By using your organization's Microsoft Active Directory or the included Reference Data Import LDAP app, the IBM QRadar User Behavior Analytics (UBA) app helps you to quickly determine the risk profiles of users inside your network and to take action when the app alerts you to threatening behavior.

The IBM QRadar User Behavior Analytics (UBA) app provides an efficient means for detecting anomalous or malicious behaviors that occur on your network. The QRadar UBA app provides a lens into user behavior deviation to detect and prioritize risky user activities and quickly show who is doing what on your networks. The QRadar UBA app comes with ready-to-go anomaly detection, behavioral rules and analytics, and leverages the curated log and activity data already in QRadar, thereby speeding time to insights. By streamlining monitoring, detection and investigation, the QRadar UBA app helps security analysts become more productive and manage insider threats more efficiently.

For information about using the Reference Data Import LDAP app, see Chapter 8, Reference Data Import - LDAP app, on page 119. For information about using the Machine Learning Analytics app, see Chapter 9, Machine Learning Analytics app, on page 129.

Attention: You must install IBM QRadar V7.2.8 or later before you install the QRadar UBA app.

Related concepts
- Use cases for the UBA app on page 31: The IBM QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral
- Configuring the User Behavior Analytics app on page 15: Before you can use the IBM QRadar User Behavior Analytics (UBA) app, you must configure additional settings.
- Reference Data Import - LDAP app on page 119: Use the Reference Data Import - LDAP app to gather contextual identity information from multiple LDAP sources into your QRadar Console.
- Machine Learning Analytics app on page 129: The Machine Learning Analytics (ML) app extends the capabilities of your QRadar system and the QRadar User Behavior Analytics (UBA) app by adding use cases for machine learning analytics. With the Machine Learning Analytics use cases, you can gain additional insight into user behavior with predictive modeling. The ML app helps your system to learn the expected behavior of the users in your network.

Related tasks
- Installing the User Behavior Analytics app on page 11: Use the IBM QRadar Extension Management tool to upload and install your app archive directly to your QRadar Console.
- Upgrading the User Behavior Analytics app on page 13: Use the IBM QRadar Extension Management tool to upgrade your app.

What's new in the User Behavior Analytics app

Learn about the new features in each User Behavior Analytics (UBA) app release.

What's new in V2.7.0

Attention: If you are upgrading to V2.7.0, you must complete the instructions in the following technote:

V2.7.0 of the User Behavior Analytics app includes the following new features:

- You can now investigate users in the QRadar Advisor with Watson app. Note: You must have QRadar Advisor with Watson V installed. For more information, see Investigating users in QRadar Advisor with Watson on page 8.
- You can now generate a General Data Protection Regulation (GDPR) compliance report for a user and stop a user from being tracked.
- You can now mark a user's investigation status and view all users that are under investigation from the User Analytics dashboard.
- You can now configure whether you want to display country and region flags for IP addresses.
- Added support for domain access events that are generated by the IBM QRadar DNS Analyzer app. For more information, see DNS Analysis on page 46.
- Added 19 new unusual scanning use cases. For more information, see Unusual scanning on page 107.
- Added 3 new suspicious application use cases. For more information, see Suspicious application on page 71.
- Added 10 new risky browsing use cases. For more information, see Risky browsing on page 66.
- Added 13 new system monitoring (Sysmon) use cases. For more information, see System monitoring (Sysmon) on page 86.

What's new in V2.6.0

Attention: If you are upgrading to V2.6.0, you must complete the instructions in the following technote:

V2.6.0 of the User Behavior Analytics app includes the following new features:
- Extended the Machine Learning Analytics (ML) app to analyze anomalies based on defined peer groups in LDAP and Active Directory. The Peer Group analytic for the ML app was renamed to Learned Peer Group.
- Added use case: UBA : Process Executed Outside Gold Disk Whitelist (Windows / Linux)
- Added use case: UBA : Ransomware Behavior Detected
- Added use case: UBA : Netcat Process Detection (Windows / Linux)
- Added use case: UBA : Multiple VPN Accounts Failed Login from Single IP
- Added use case: UBA : Volume Shadow Copy Created
- Added use case: UBA : Detect Insecure Or Non-Standard Protocol
- Added use case: UBA : Malware Activity - Registry Modified In Bulk
- Added use case: UBA : Internet Settings Modified
- Added use case: UBA : Multiple VPN Accounts Logged In from Single IP
- Added use case: UBA : Suspicious PowerShell Activity (Asset)
- Added use case: UBA : Suspicious PowerShell Activity
- Added use case: UBA : Suspicious Command shell Activity
- Added use case: UBA : Malicious Process Detected

What's new in V2.5.0

Attention: If you are upgrading to V2.5.0, you must complete the instructions in the following technote:

V2.5.0 of the User Behavior Analytics app includes the following improvements:
- Added the ability to quickly investigate a user's risky behavior with the inline contextual event viewer. For more information, see UBA dashboard and user details on page 6.

- Added a help and support page that provides links to documentation, tutorials, and support information and also provides administrative functions. For more information, see Help and support page for UBA on page 143.
- Increased the accuracy and scalability for Machine Learning and improved the messaging on the Status of Machine Learning Models section of the dashboard. For more information, see UBA dashboard with Machine Learning Analytics on page 136.
- Added use case: UBA : User Running New Process. For more information, see UBA : User Running New Process on page 83.
- Added use case: UBA : User Installing Suspicious Application. For more information, see UBA : User Installing Suspicious Application on page 82.
- Added use case: UBA : Unix/Linux System Accessed With Service or Machine Account. For more information, see UBA : Unix/Linux System Accessed With Service or Machine Account on page 103.
- Added use case: UBA : User Access to Internal Server From Jump Server. For more information, see UBA : User Access to Internal Server From Jump Server on page 102.
- Added use case: UBA : Executive Only Asset Accessed by Non-Executive User. For more information, see UBA : Executive Only Asset Accessed by Non-Executive User on page 104.

What's new in V2.4.0

Attention: If you are upgrading to V2.4.0, you must complete the instructions in the following technote:

V2.4.0 of the User Behavior Analytics app includes the following improvements:
- Display LDAP retrieval status in LDAP app.
- Import up to 400,000 users by the LDAP app. Before you change the configuration, see Known issues.
- Streamlined and simplified integration and mapping of LDAP/AD data.
- Ability to map an unlimited number of aliases to a primary user ID.
- Added memory configuration settings in Machine Learning Settings to support more users when you run Machine Learning on an App Node.
- Added feedback survey.
- Added use case UBA: Windows access with Service or Machine Account. For more information, see UBA : Windows Access with Service or Machine Account on page 103.
- Added use case UBA: D/DoS Attack Detected. For more information, see UBA : D/DoS Attack Detected on page 48.
- Added use case UBA: Detect Persistent SSH session. For more information, see UBA : Detect Persistent SSH session on page 73.
- Added use case UBA: Abnormal data volume to external domain. For more information, see UBA : Abnormal data volume to external domain (ADE rule) on page 50.
- Added use case UBA: Abnormal Outbound Attempts. For more information, see UBA : Abnormal Outbound Transfer Attempts (ADE rule) on page 51.

Known issues

The User Behavior Analytics app has required information for upgrading and known issues.

Attention: If you are upgrading to V2.7.0 on a QRadar V7.2.8 console, you must complete the instructions in the following technote: uid=swg

Warning: Enabling ADE rules can affect the performance of the UBA app and your QRadar system.

Known issues for V2.7.0

The User Behavior Analytics app has the following known issues:
- After you upgrade to V2.7.0, you must deploy the full configuration and restart the web server. Upgrade during a scheduled maintenance window because data collection is interrupted when you deploy the full configuration.
- Because of known issues with QRadar V7.2.8 Patch 12 and QRadar V7.3.1 Patch 3, you should upgrade to QRadar V7.2.8 Patch 13 and QRadar V7.3.1 Patch 4.
- After you upgrade UBA to V2.7.0, the Machine Learning Activity Distribution graph on the User Details page can take up to one day to display.
- When viewing a user profile page, the Add to Whitelist button might fail to display. If this occurs, you can refresh the page to resolve the issue.
- Importing more than 100,000 users into LDAP for UBA can severely affect your QRadar system and your UBA app installation. The issue is caused by a known issue in APAR IV. Importing more than 200,000 users is not recommended unless you use QRadar or later on a 128 GB console.
- In rare instances of QRadar V7.2.8 and V7.3.0, you might encounter an issue with a newly created SEC token where the SEC token appears to work and then later becomes invalid. To fix this issue, complete one of the following actions:
  - Restart the Apache Tomcat service from a command line on your QRadar Console.
  - Deploy any action from the Admin tab in QRadar.
- English strings or corrupted text is displayed in some parts of the user interface when using QRadar V7.2.8 and in some locales.

Process overview

The User Behavior Analytics app works with your QRadar system to collect data about the users inside your network.

How UBA works
1. Logs send data to QRadar.
2. UBA-specific rules look for certain events (depending on which UBA rules are enabled) and trigger a new sense event that is read by the UBA app.
3. The UBA rules require the events to have a username and other tests (review the rules to see what they are looking for).
4. UBA pulls the sensevalue and username from the sense event and then increases that user's risk score by the sensevalue amount.
5. When a user's risk score exceeds the threshold that you set in the UBA Settings page, UBA sends an event which triggers the "UBA : Create Offense" rule and an offense is created for that user.

How sensevalues are used to create user risk scores
Each rule and analytic has a value assigned to it that indicates the severity of the issue found. Each time a user's actions cause a rule to trigger, the user gets this value added to the score. The more the user "violates" a rule, the higher the score will be.

Rules and sense events
Rules, when triggered, generate sense events that are used to determine the user's risk score. You can update existing rules in QRadar to produce sense events. For more information, see Integrating new or existing QRadar content with the UBA app on page 29.

Machine Learning Analytics and sense events
You can install the Machine Learning Analytics app and enable machine learning analytics to identify anomalous user behavior. The analytics, when triggered, will generate sense events that also raise a user's risk score.

Video demonstrations and tutorials

Learn more about the IBM QRadar User Behavior Analytics (UBA) app, the Reference Data Import - LDAP app, and the Machine Learning Analytics (ML) app.

IBM Security Learning Academy
Enroll in the User Behavior Analytics (UBA) courses on the IBM Security Learning Academy website. Tip: You must have an IBM ID account to enroll and watch the videos.

Video tutorials on YouTube
- Demonstration of the User Behavior Analytics app with Machine Learning V2.0.0:
- Demonstration for configuring the Reference Data Import - LDAP app: v=er-wyxs6wfk.
- General overview of the User Behavior Analytics app:

UBA dashboard and user details

The IBM QRadar User Behavior Analytics (UBA) app shows you the overall risk data for users in your network.

Dashboard
After you install the UBA app, click the User Analytics tab to open the Dashboard. In the Search for User field, you can search for users by name or by user ID. As you enter a name, the app shows you the top five results. The Dashboard is automatically refreshed every minute and shows you the following risk data:

Users with highest risk score
    Overall accumulation of all risky behaviors by users.
Users with recent risk activity
    Users that are currently engaging in risky behavior.
Watchlist
    Custom list of users to monitor. Tip: To add a user to the watchlist, click the Watchlist icon.
System Score
    Overall accumulated risk score for all users at a specified point in time. Click the Calendar icon to specify a date range for longer than one day. The maximum duration that you can select is 30 days any time during the last year.
Risk Category Breakdown
    High-level risk categories over the last hour. Click the graph to see subcategories and then click to see a display of events.
Recent Offenses
    Most recent sense offenses by user.
Active Investigations (Available in V2.7.0 or later.)
    Users that are currently under investigation. Select the My investigations check box to show only those investigations that you started.
Status of Machine Learning Models (shown if the Machine Learning app is installed)
    Status of the Machine Learning Analytics use cases. For more information, see UBA dashboard with Machine Learning Analytics on page 136.

Note: If you installed the Machine Learning app, the Status of Machine Learning Models widget appears.

User details page
You can click a user name from anywhere in the app to see details for the selected user. Starting with V2.5.0, you can learn more about the user's activities with the event viewer pane. The event viewer pane shows information about a selected activity or point in time. Clicking an event in the event viewer pane reveals more details such as syslog events and payload information. The event viewer pane is available for all donut and line graphs and activities in the Risky Activity Timeline on the User details page.

Tip: You can right-click a user name to dynamically calculate the risk score.

The User Details page includes the following user information:

Shows the name and aliases of the selected user. If you have QRadar Advisor with Watson V or later installed, you can search for information related to the user. Click the Search Watson icon. (Available in V2.7.0 or later.)

To initiate an investigation on the user, click the Start Investigation icon. When your investigation is complete, click the End Investigation icon. (Available in V2.7.0 or later.)

The Advanced Actions list includes the following actions:

Add Custom Alert
    You can set a custom alert that displays by the user name. Click Add Custom Alert, enter an alert message, and then click Set. To remove the custom alert for the selected user, click Remove Custom Alert.
Add to Whitelist
    You can add the selected user to the whitelist so that the user does not generate risk scores and offenses. To remove the selected user from the whitelist, click Whitelisted. To review the complete list of users who were added to the whitelist, see Viewing the whitelist for trusted users on page 23.
Add to Watchlist
    You can add the selected user to the watchlist. To remove the selected user from the watchlist, click Watchlisted.
Generate GDPR compliant report for user
    You can generate a General Data Protection Regulation (GDPR) compliance report for the user. Important: Generate the report before you click Delete and stop tracking user.
Delete and stop tracking user
    You can click Delete and stop tracking user to comply with General Data Protection Regulation (GDPR). Select Yes to permanently delete and stop tracking the user. To begin tracking the user again, delete the user's aliases from the reference set UBA : Users Not Tracked. To view all the user's aliases, download the GDPR report before you delete the user.

You can view the following information about the selected user:

Risk Score
    The risk score graph shows the risk trends for the selected user during the selected date range. Click the Calendar icon to specify a date range.
Risky Activity Timeline
    You can click Group by Activity or Group by Hour to see a list of the user's activities and then filter and search by any column in the timeline. In V2.5.0 and later, you can click any activity in the timeline to open the event viewer pane that lists supporting log events that are associated with the user's activity. Click an event to view more details such as syslog events and payload information.
Recent Offenses
    Shows any user type offense, where the username matched any of the selected user's aliases. The last 5 offenses are displayed. Click an offense to open the Offenses tab in QRadar.
Risk Category Breakdown
    Shows the risk categories of the selected user during the last hour.
Add Notes
    Click the Add icon to add notes for the selected user. Tip: To save the note indefinitely, mark the note as important by clicking the Flag icon. If you do not mark the note as important, it is automatically removed at the end of the retention period that you set in Application Settings.
Total Activity (shown if the Machine Learning app is installed and the analytic is enabled)
    Shows the actual and expected (learned) amount of activity of users throughout the day.

User Activity by Category (shown if the Machine Learning app is installed and the analytic is enabled)
    Shows actual and expected user activity behavior patterns by high-level category.
Risk Posture (shown if the Machine Learning app is installed and the analytic is enabled)
    Shows if a user's risk score deviates from their expected risk score pattern.
Activity Distribution (shown if the Machine Learning app is installed and the analytic is enabled in V2.2.0 or later)
    Shows dynamic behavior clusters for all users that are monitored by machine learning.
Peer Group (shown if the Machine Learning app is installed and the analytic is enabled in V2.2.0 or later)
    Shows how much the user deviated from the inferred peer group they were expected to be in.

To return to the main Dashboard, click Dashboard.

Related concepts
- UBA dashboard with Machine Learning Analytics on page 136: The IBM QRadar User Behavior Analytics (UBA) app with Machine Learning Analytics includes the Machine Learning Analytics status and additional details for the selected user.

Related tasks
- Viewing the whitelist for trusted users on page 23: You can view the list of trusted users that are whitelisted in the reference set management list.
- Adding log sources to the trusted log source group on page 25: If you do not want the UBA app to monitor and report certain log sources, you can add them to the UBA : Trusted Log Source Group. Adding log sources to the group stops the UBA app from monitoring them.
- Investigating users in QRadar Advisor with Watson on page 8: You can select users from the User Behavior Analytics (UBA) app to send to QRadar Advisor with Watson for investigation.

Investigating users in QRadar Advisor with Watson

You can select users from the User Behavior Analytics (UBA) app to send to QRadar Advisor with Watson for investigation.

Before you begin
- You must have User Behavior Analytics (UBA) app V2.7.0 installed and configured with user data.
- You must have Admin privileges.
- You must have QRadar Advisor with Watson V installed. For more information, see

About this task
Note: This feature is only available in User Behavior Analytics V2.7.0 and later and QRadar Advisor with Watson V and later.

Procedure
1. Click the User Analytics tab to open the UBA Dashboard.
2. Select a user or search for a user to open the User Details page.
3. Click the Search Watson icon. When the icon stops spinning, you can review your results in the QRadar Advisor with Watson app.
4. From the Watson tab, on the Incident Overview page, select the user investigation. User investigations are indicated with the Investigation initiated from UBA icon.

Prerequisites for installing the User Behavior Analytics app

Before you install the IBM QRadar User Behavior Analytics (UBA) app, ensure that you meet the requirements.
- Verify that you have IBM Security QRadar V7.2.8 or later installed. For the best experience, upgrade your QRadar system to the following versions:
  - QRadar Patch 11 ( ) or later
  - QRadar Patch 7 ( ) or later
  - QRadar
- Add the IBM Sense DSM for the User Behavior Analytics (UBA) app.

Installing the IBM Sense DSM manually
The IBM QRadar User Behavior Analytics (UBA) app uses the IBM Sense DSM to add user risk scores and offenses into QRadar. You can install the DSM through auto-updates or you can upload it to QRadar and install it manually.
Note: If your system is disconnected from the internet, you might need to install the DSM RPM manually.
Restriction: Uninstalling a Device Support Module (DSM) is not supported in QRadar.
1. Download the DSM RPM file from the IBM support website:
   - For QRadar V7.2.8: DSM-IBMSense noarch.rpm
   - For QRadar V7.3.0 and later: DSM-IBMSense noarch.rpm
2. Copy the RPM file to your QRadar Console.
3. Use SSH to log in to the QRadar host as the root user.
4. Go to the directory that includes the downloaded file.
5. Type the following command:
   rpm -Uvh <rpm_filename>
6. From the Admin settings, click Deploy Changes.
7. From the Admin settings, select Advanced > Restart Web Services.

Supported browsers for the UBA app

For the features in IBM Security QRadar products to work properly, you must use a supported web browser. The following table lists the supported versions of web browsers.

Web browser        Supported versions
Mozilla Firefox    45.2 Extended Support Release
Google Chrome      Latest

Note: To maximize your experience with UBA, you should do one of the following:
- Disable the pop-up blocker for your browser
- Configure your browser to allow exceptions for pop-ups coming from the QRadar Console IP address

Log source types relevant to the UBA app

The User Behavior Analytics (UBA) app and the ML app can accept and analyze events from certain log sources. In general, the UBA app and the ML app require log sources that supply a username. For UBA, if there is no username, enable the "Search assets for username, when username is not available for event or flow data" check box in UBA Settings so that UBA can attempt to look up the user from the asset table. If no user can be determined, UBA does not process the event. For more details about specific use cases and the corresponding log source types, see Use cases for the UBA app on page 31.

Related tasks
- Configuring UBA settings on page 19: To view information in the IBM QRadar User Behavior Analytics (UBA) app, you must configure UBA application settings.

Chapter 2. Installing and uninstalling

Installing the User Behavior Analytics app

Use the IBM QRadar Extension Management tool to upload and install your app archive directly to your QRadar Console.

Before you begin
Complete the Prerequisites for installing the User Behavior Analytics app on page 9.

About this task
Note: The installation of apps does not void your IBM warranty for QRadar.
Attention: After the app is installed, you must:
- Enable indexes
- Deploy the full configuration.
- Clear your browser cache and refresh the browser window.
- Set up permissions for users that require access to view the User Analytics tab. The following permissions must be assigned to each user role that requires access to the app:
  - User Analytics
  - Offenses
  - Log Activity

After you download your app from the IBM Security App Exchange, use the IBM QRadar Extension Management tool to install it on your QRadar Console.

Procedure
1. Open the Admin settings:
   - In IBM QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the admin tab.
2. Click Extension Management.
3. In the Extension Management window, click Add and select the UBA app archive that you want to upload to the console.
4. Select the Install immediately check box. Important: You might have to wait several minutes before your app becomes active.
5. From the Admin settings, click Index Management and then enable the following indexes:
   - High Level Category
   - Low Level Category
   - Username
   - sensevalue
   - usecaseuuid
6. From the Admin settings, click Advanced > Deploy Full Configuration.

Note: The following content packages are installed after the UBA installation completes and UBA is configured.
- User Behavior Analytics
- QRadar Network Insights Support Content
- User Behavior Analytics Anomaly Detection Engine Content

What to do next
When the installation is complete, clear your browser cache and refresh the browser window before you use the app. Manage permissions for UBA app user roles.

Related tasks
- Enabling indexes to improve performance on page 27: To improve the performance of your IBM QRadar User Behavior Analytics (UBA) app, enable indexes in IBM QRadar.
- Managing permissions for the QRadar UBA app on page 23: Administrators use the User Role Management feature in IBM QRadar to configure and manage user accounts. As an administrator, you must enable the User Analytics, Offenses, and Log Activity permissions for each user role that is permitted to use the QRadar UBA app.

Uninstalling the UBA app

Use the IBM QRadar Extension Management tool to uninstall your application from your QRadar Console.

Before you begin
If you have the Machine Learning Analytics (ML) app installed, you must uninstall the ML app from the Machine Learning Settings page before uninstalling the UBA app from the Extension Management window. If you do not remove the ML app before you uninstall UBA, you must remove it from the interactive API documentation interface.

Procedure
1. Open the Admin settings:
   - In IBM QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the admin tab.
2. Click Extension Management.
3. On the INSTALLED tab of the Extension Management window, select your app and click Uninstall. When you uninstall an app, it is removed from the system. If you want to reinstall it, you must add it again.

Chapter 3. Upgrading

Upgrading the User Behavior Analytics app

Use the IBM QRadar Extension Management tool to upgrade your app.

Before you begin
For the best experience, upgrade your QRadar system to the following versions:
- QRadar Patch 11 ( ) or later
- QRadar Patch 7 ( ) or later
- QRadar

About this task
Attention: You should upgrade during your scheduled maintenance window because data collection is interrupted when deploying the full configuration.
If you are upgrading to V2.7.0 on a V7.2.8 console, you must complete the instructions in the following technote:
If you are upgrading to V2.7.0 on a QRadar V7.3.0 or later console, complete the following procedure.
Important: After you have upgraded, you must complete the following steps:
- Deploy the full configuration.
- Restart the web server.
- Clear your browser cache and refresh the browser window.

Procedure
1. Open the Admin settings:
   - In IBM QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the admin tab.
2. Click Extension Management.
3. In the Extension Management window, click Add and select the UBA app archive that you want to upload to the console.
4. At the prompt, select Overwrite. All of your existing UBA app data remains intact. Important: You might have to wait several minutes before your app becomes active.
5. From the Admin settings, click Advanced > Deploy Full Configuration.
6. From the Admin settings, click Advanced > Restart Web Server.

What to do next
When the upgrade is complete, clear your browser cache and refresh the browser window before you use the app.


Chapter 4. Configuring

Configuring the User Behavior Analytics app
Before you can use the IBM QRadar User Behavior Analytics (UBA) app, you must configure additional settings.
When you install the UBA app, the IBM QRadar Reference Data Import LDAP app is also installed. If you choose to use the LDAP app, you must configure the Reference Data Import LDAP app before you set up the UBA app. The data that the UBA app uses comes from an LDAP query. The LDAP query retrieves the list of users that is used to populate the UBA app.
Complete the following setup procedures:
- Create authorized service tokens
- Configure the Reference Data Import LDAP app if you are using LDAP
- Configure user analytics settings for the UBA app

Creating authorized service tokens
You must create authorized service tokens for the IBM QRadar User Behavior Analytics (UBA) app to authenticate the background polling service that the UBA app uses to request data from IBM QRadar. If you are using the Reference Data Import LDAP app to import user data, you must also create an authorized service token for the Reference Data Import LDAP app.

About this task
IBM QRadar, the Reference Data Import LDAP app, and the UBA app require that you use authentication tokens to authenticate the API calls that the apps make.

Procedure
1. Open the Admin settings:
   - In IBM QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the admin tab.
2. In the User Management section, click the Authorized Services icon.
3. Click Add Authorized Services.
   - If you are using the Reference Data Import LDAP app, go to step 4 to create the LDAP service token.
   - If you are using Active Directory, go to step 7 to create the UBA service token.
4. Configure the following information to create the LDAP service:
   a) In the Service Name field, type LDAP.
   b) From the User Role list, select the Admin user role.
   c) From the Security Profile list, select the security profile that you want to assign to this authorized service. The security profile determines the networks and log sources that this service can access on the QRadar user interface.
   d) In the Expiry Date list, type or select a date for this service to expire. If an expiry date is not necessary, select No Expiry.
5. Click Create Service.

6. Click the row that contains the service you created and then select and copy the token string from the Selected Token field in the menu bar.
7. On the Reference Data Import LDAP app main window, click Configure and paste the authorized service token string into the Token field.
8. Click Add Authorized Services.
9. Configure the following information to create the UBA service:
   a) In the Service Name field, type UBA.
   b) From the User Role list, select the Admin user role.
   c) From the Security Profile list, select the security profile that you want to assign to this authorized service. The security profile determines the networks and log sources that this service can access on the QRadar user interface.
   d) In the Expiry Date list, type or select a date for this service to expire. If an expiry date is not necessary, select No Expiry.
10. Click Create Service.
11. Click the row that contains the service you created and then select and copy the token string from the Selected Token field in the menu bar, and close the Manage Authorized Services window.
12. In the UBA Settings window, paste the authorized service token string into the Token field.

Configuring the Reference Data Import LDAP app
When you install the IBM QRadar User Behavior Analytics (UBA) app, the Reference Data Import LDAP app is also installed. You can use the LDAP app to import user data into a reference table or you can import data into a reference table by using your own tools.

Before you begin
If you do not want to configure the LDAP app, continue to the Configuring UBA settings on page 19 topic and select the UBA_Default reference table that is delivered with the UBA app.
If you decide to use the LDAP app to import your user data, you must create and add an authentication token to the LDAP app before you can add an LDAP configuration.
Attention: If you previously installed the stand-alone Reference Data Import LDAP app, it is replaced when you install the UBA app. Your configurations are added to the updated version of the Reference Data Import LDAP app.

About this task
Note: Make sure that you note the reference table name and whether you give a custom alias to any of the attributes. When you set up the UBA app, select the reference table that you created in the Reference Data Import LDAP app.
For more information about the Reference Data Import LDAP app, see the following section of the IBM Knowledge Center: c_qapps_ldap_intro.html

Procedure
1. Open the Admin settings:
   - In IBM QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the admin tab.
2. Click the Reference Data Import LDAP icon.
3. Optional: If you need to add a private root certificate authority file, click Choose File and then click Upload. The following file type is supported: .pem.
4. Click OK.

5. On the Reference Data Import LDAP app main window, click Add Import. The Add a New LDAP Configuration dialog box opens.
6. On the LDAP Configuration tab, add connection information for the LDAP server. The Filter and Attribute List fields are automatically populated from your Active Directory attributes.
   a) Enter a URL that begins with ldap:// or ldaps:// (for TLS) in the LDAP URL field.
   b) Enter the point in the LDAP directory tree from where the server must search for users in the Base DN field. For example, if your LDAP server was on the domain example.com, you might use: dc=example,dc=com.
   c) Enter the attribute or attributes you want to use to sort the data that is imported into the reference table in the Filter field. For example: cn=*; uid=*; sn=*. The following default values will work with Active Directory: (&(samaccountname=*)(samaccounttype= )).
   d) Enter attributes that you want to import into the reference table in the Attribute List field. The following default values will work with Active Directory: userprincipalname,cn,sn,telephonenumber,l,co,department,displayname,mail,title.
      Tip: If you do not specify attributes, you can still click Test Connection. The top 10 records are returned to help you choose your attributes.
   e) Enter the user name that is used to authenticate the LDAP server in the Username field.
   f) Enter the password for the LDAP server in the Password field.
7. Click Test Connection to confirm that IBM QRadar can connect to the LDAP server. If your connection attempt is successful, information from your LDAP server is displayed on the LDAP Configuration tab.
8. On the LDAP Attribute Mapping tab, you can create custom aliases for the attributes. Aliases must be unique.
   Tip: You can create new LDAP fields by combining two attributes. For example, you can use the following syntax: "Last: {ln}, First: {fn}".
   Tip: If you want to merge LDAP data from multiple sources in the same reference table, you can use custom aliases to differentiate LDAP attributes with the same name in different sources. When you add aliases to the Attribute List field on the LDAP configuration tab, they are added automatically to the LDAP Attribute Mapping tab.
9. On the Reference Configuration tab, create a new reference map of maps or designate an existing reference map of maps to which you want to add LDAP data.

   a) In the Reference table field, enter the name for a new reference table. Alternatively, add the name of an existing reference table to which you want to append the LDAP data from the list.
   b) In the Outer key selection list, select Default or select the outer (unique) key selection based on your environment.
   c) The Generate map of sets check box is disabled by default. If you enable the check box, it sends data to a reference set format to improve QRadar searching; however, it might impact performance.
   d) In the Time to live section, define how long you want the data to persist in the reference map of maps. By default, the data you add never expires. When the time-to-live period is exceeded, a ReferenceDataExpiry event is triggered.
      Note: If you append data to an existing reference map of maps, the app uses the original time-to-live parameters. These parameters cannot be overridden on the Reference Configuration tab.
10. On the Polling tab, define how often you want the app to poll your LDAP server for data.
   a) In the Polling interval in minutes field, define in minutes how often you want the app to poll your LDAP server for data.
      Note: The minimum polling interval value is 120. You can also enter a polling interval of zero. If you enter a polling interval of zero, you must poll the app manually with the poll option that is displayed in the feed.
   b) In the Record retrieval limit field, enter a value for the number of records you want the poll to return. By default, 100,000 records are returned. The maximum number of records that can be returned is 200,000.
   c) Optional: The Paged results check box is selected by default to avoid limiting the number of records the LDAP server returns for each poll.
      Note: Paged results are not supported by all LDAP servers.

11. Click Save.

Configuring UBA settings
To view information in the IBM QRadar User Behavior Analytics (UBA) app, you must configure UBA application settings.

Before you begin
You must create an authentication token for the UBA app before you can configure UBA settings.

About this task
The steps for configuring your UBA settings have changed starting with V

Procedure
1. Open the Admin settings:
   - In IBM QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the admin tab.
2. Click the UBA Settings icon in the Plug-ins section. The IBM UBA Settings dialog box opens.
3. In the QRadar Settings section, click Manage Authorized Services.
4. Click the row that contains the UBA service you created and then select and copy the token string from the Selected Token field in the menu bar.
5. In the UBA Settings window, paste the authorized service token string into the Token field.
6. In the Application Settings section, configure the following settings:

   Risk threshold to trigger offenses
   Indicates how high a user's risk score should get before an offense is triggered against that user. The default value is 100,000. The value is set to a high value by default to avoid triggering offenses before the environment is analyzed.
   Tip: Consider setting up UBA and leaving the default value. Allow the settings to run for at least a day to see the type of scores that are returned. After a few days, review the results on the dashboard to determine a pattern. You can then adjust the threshold. For example, if you see one or two people with scores in the 500s but most are in the 100s, then consider setting the threshold to 200 or 300. So "normal" for your environment might be 100 or so, and any score above that might require your attention.

   Decay risk by this factor per hour
   Risk decay is the percentage that the risk score is reduced by every hour. The default value is 0.5.
   Note: The higher the number, the faster the risk score decays; the lower the number, the slower the risk score decays.

   Date range for user details graph
   The date range that is displayed for the user details graphs on the User Details page. The default value is 3.

   Duration of investigation status
   The number of hours (1-10,000) that is assigned for an investigation to be completed.

   Search assets for username, when username is not available for event or flow data
   Select the check box to search for user names in the asset table. The UBA app uses assets to look up a user for an IP address when no user is listed in an event.
   Important: This feature might cause performance issues in the UBA app and your QRadar system.
   Tip: If the query timeout threshold is exceeded, the app does not return any data. If you receive an error message on the UBA Dashboard, clear the check box and click Refresh.

   Display country/region flags for IP addresses
   Clear the check box if you do not want to display country and region flags for IP addresses.

7. In the Import User Data section, select a Reference table.
8. Enter the number of hours to determine how often you want the reference table to ingest data.
9. In the User Coalescing section, select the attributes that are pulled from the selected reference table and that appear as "Username" by your QRadar system. The risk scores of these identifiers are added to, and are also associated with, the primary identifier. Do not select attributes that have shared values across users. For example, if there are many people from the same department, do not select "Department" as a username. Selecting a shared attribute like "Department" or "Country" causes UBA to combine all users with the same department or country value.
10. In the Display Attributes section, select the attributes that you want to display on the User Details page.

11. Click Save Configuration.

Chapter 5. Administering

Managing permissions for the QRadar UBA app
Administrators use the User Role Management feature in IBM QRadar to configure and manage user accounts. As an administrator, you must enable the User Analytics, Offenses, and Log Activity permissions for each user role that is permitted to use the QRadar UBA app.

About this task
After you install the QRadar UBA app, the User Analytics, Offenses, and Log Activity permissions must be enabled for the user roles that are assigned to users intending to use the QRadar UBA app.

Procedure
1. Open the Admin settings:
   - In IBM QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the admin tab.
2. In the System Configuration section, under User Management, click the User Roles icon.
3. Select an existing user role or create a new role.
4. Select the following check boxes to add the permissions to the role:
   - User Analytics
   - Offenses
   - Log Activity
5. Click Save.

Viewing the whitelist for trusted users
You can view the list of trusted users that are whitelisted in the reference set management list.

Procedure
1. Open the Admin settings:
   - In IBM QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the admin tab.
2. In the System Configuration section, click Reference Set Management.
3. On the Reference Set Management window, select the UBA : Trusted Usernames reference set.
4. Click View Contents.

Managing network monitoring tools
You can manage network monitoring tools for the IBM QRadar User Behavior Analytics (UBA) app.

About this task
If you want to monitor the use of network capture, monitoring, or analysis programs, make sure the programs are listed in the UBA : Network Capture, Monitoring and Analysis Program Filenames reference set. You must then enable the UBA : Network Capture, Monitoring and Analysis Program Filenames rule.

Procedure
1. Open the Admin settings:
   - In IBM QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the admin tab.
2. In the System Configuration section, click Reference Set Management.
3. On the Reference Set Management window, select the UBA : Network Capture, Monitoring and Analysis Program Filenames reference set.
4. Click View Contents.
5. To add an application to manage, click Add and enter the values in the box.
6. To remove an application, select an application and click Delete.

What to do next
Enable the UBA : Network Capture, Monitoring and Analysis Program Filenames rule.

Managing restricted programs
You can manage restricted programs for the IBM QRadar User Behavior Analytics (UBA) app.

About this task
If there are any applications that you want to monitor for usage, go to the UBA : Restricted Program Filenames reference set and enter the applications that you want to monitor. You must then enable the UBA : Restricted Program Filenames rule.

Procedure
1. Open the Admin settings:
   - In IBM QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the admin tab.
2. In the System Configuration section, click Reference Set Management.
3. On the Reference Set Management window, select the UBA : Restricted Program Filenames reference set.
4. Click View Contents.
5. To add an application to manage, click Add and enter the values in the box.
6. To remove an application, select an application and click Delete.

What to do next
Enable the UBA : Restricted Program Filenames rule.

Adding log sources to the trusted log source group
If you do not want the UBA app to monitor and report certain log sources, you can add them to the UBA : Trusted Log Source Group. Adding log sources to the group stops the UBA app from monitoring them.

Procedure
1. Open the Admin settings:
   - In IBM QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the common parameters for your log source.
5. Configure the protocol-specific parameters for your log source.
6. Select the UBA : Trusted Log Source Group check box.
7. Click Save.
8. On the Admin tab, click Deploy Changes.


Chapter 6. Tuning

Enabling indexes to improve performance
To improve the performance of your IBM QRadar User Behavior Analytics (UBA) app, enable indexes in IBM QRadar.

About this task
To improve the speed of searches in IBM QRadar and the UBA app, narrow the overall data by adding the following indexed fields to your search query:
- High Level Category
- Low Level Category
- sensevalue
- senseoverallscore
- Username
- usecaseuuid
For more information about indexing, see the following section of the IBM Knowledge Center at c_qradar_adm_index_mgmt.html.

Procedure
1. Open the Admin settings:
   - In IBM QRadar V7.3.0 or earlier, click the Admin tab.
   - In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the admin tab.
2. In the System Configuration section, click the Index Management icon.
3. On the Index Management page, in the search box, enter High Level Category.
4. Select High Level Category and then click Enable Index.
5. Click Save.
6. Select Low Level Category and then click Enable Index.
7. Click Save.
8. On the Index Management page, in the search box, enter sense.
9. Select sensevalue and senseoverallscore and then click Enable Index.
10. Click Save.
11. On the Index Management page, in the search box, enter username.
12. Select Username and then click Enable Index.
13. Click Save.
14. On the Index Management page, in the search box, enter usecaseuuid.
15. Select usecaseuuid and then click Enable Index.

16. Click Save.

Integrating new or existing QRadar content with the UBA app
Use the Rules Wizard in QRadar to integrate existing or custom QRadar rules with the UBA app.

About this task
To meet your specific needs, you can use the capabilities built into QRadar by integrating your existing QRadar rules with the UBA app.
Restriction: Do not customize your rules to use the UBA and Machine Learning reference sets. Attempting to use the reference sets in custom rules can lead to failures within the UBA app.

Procedure
1. Create a copy of the existing rule. This prevents updates to the base rule from affecting the edits made to the new rule.
2. Open the rule in the Rule Wizard and then navigate to the Rule Response section.
3. Enable or edit the Dispatch New Event option by making sure the Event text is formatted in the following way:
   sensevalue=#,sensedesc='sometext',usecase_id='rule UUID'
4. Set the High-Level-Category to Sense.
5. Click Finish to save the changes.
Note: If the rule works on flow data, you must enable the Search assets for username, when username is not available for event or flow data option so that events with no usernames can attempt a lookup for user mapping.
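The following added example (it is not IBM's or the UBA app's code) serves two passages: the Application Settings in Chapter 4 (risk threshold and hourly decay) and the Dispatch New Event text format in the procedure above. It parses Sense event text in the documented shape and models how each user's risk score builds, decays and crosses the offense threshold; the names RiskModel and parse_sense_text, the usernames, UUIDs and timeline, and the assumption that 0.5 is applied as a fraction of the score once per elapsed hour are constructed for this illustration, not taken from the product.

```python
"""Added illustration (not IBM or UBA app code): parse the Sense event text that a
rule's Dispatch New Event response must carry and model how per-user risk scores
build toward the offense threshold.

Assumptions made for this example: the event text format is the one the guide
gives (sensevalue=#,sensedesc='sometext',usecase_id='rule UUID'); the score is
increased by sensevalue on each Sense event, reduced by the decay fraction once
per elapsed hour, and an offense fires when the score reaches the threshold.
User names, UUIDs and the hour timeline below are constructed sample data.
"""
import re
from dataclasses import dataclass

# One pattern for the three comma-separated fields of the Sense event text.
# Quoted values may themselves contain commas, so each is matched up to the
# closing quote rather than split on commas.
SENSE_TEXT_RE = re.compile(
    r"^sensevalue=(?P<value>\d+),"
    r"sensedesc='(?P<desc>[^']*)',"
    r"usecase_id='(?P<usecase>[^']*)'$"
)


@dataclass
class SenseEvent:
    username: str     # user the event is attributed to
    hour: int         # hour index on a constructed timeline
    value: int        # sensevalue: amount added to the user's risk score
    desc: str         # sensedesc: human-readable reason
    usecase_id: str   # usecase_id: UUID of the rule that dispatched the event


def parse_sense_text(username: str, hour: int, text: str) -> SenseEvent:
    """Parse Dispatch New Event text; reject anything not in the documented shape."""
    m = SENSE_TEXT_RE.match(text.strip())
    if m is None:
        raise ValueError(f"malformed Sense event text: {text!r}")
    return SenseEvent(username, hour, int(m["value"]), m["desc"], m["usecase"])


class RiskModel:
    """Per-user risk score with hourly decay and an offense threshold (assumed model)."""

    def __init__(self, threshold: float = 100000, decay_per_hour: float = 0.5):
        self.threshold = threshold       # "Risk threshold to trigger offenses"
        self.decay = decay_per_hour      # "Decay risk by this factor per hour"
        self.scores = {}                 # username -> (score, hour of last update)
        self.offenses = []               # (username, hour, score) at each crossing

    def apply(self, ev: SenseEvent) -> float:
        score, last_hour = self.scores.get(ev.username, (0.0, ev.hour))
        # Apply the decay once for every full hour since the user's last update.
        score *= (1.0 - self.decay) ** max(0, ev.hour - last_hour)
        score += ev.value
        self.scores[ev.username] = (score, ev.hour)
        if score >= self.threshold:
            self.offenses.append((ev.username, ev.hour, score))
        return score

    def score_of(self, username: str) -> float:
        return self.scores.get(username, (0.0, 0))[0]


# Constructed sample events: the senseValues 5 and 10 mirror the defaults listed
# for the Accounts and privileges rules; the UUIDs are placeholders.
SAMPLE_EVENTS = [
    ("alice", 0, "sensevalue=5,sensedesc='Account, Group or Privileges Added or "
                 "Modified',usecase_id='CONSTRUCTED-UUID-0001'"),
    ("alice", 2, "sensevalue=10,sensedesc='First Privilege Escalation',"
                 "usecase_id='CONSTRUCTED-UUID-0002'"),
    ("bob", 0, "sensevalue=150,sensedesc='Custom rule hit',"
               "usecase_id='CONSTRUCTED-UUID-0003'"),
    ("bob", 1, "sensevalue=150,sensedesc='Custom rule hit',"
               "usecase_id='CONSTRUCTED-UUID-0003'"),
]


def run_sample(threshold: float = 200, decay_per_hour: float = 0.5) -> RiskModel:
    """Feed the constructed events through the model (threshold 200, as in the
    guide's tuning tip) and return the model for inspection."""
    model = RiskModel(threshold, decay_per_hour)
    for username, hour, text in SAMPLE_EVENTS:
        model.apply(parse_sense_text(username, hour, text))
    return model


if __name__ == "__main__":
    m = run_sample()
    for user, (score, _) in m.scores.items():
        print(f"{user}: {score:.2f}")
    print("offenses:", m.offenses)
```

With the default 100,000 threshold neither user would trigger an offense; lowering it to 200 after observing typical scores, as the tip suggests, is what makes the second user's two back-to-back hits cross it.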


Chapter 7. Reference

Use cases for the UBA app
The IBM QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral
The User Behavior Analytics (UBA) app includes use cases that are based on custom rules and anomaly detection rules. These rules are used to generate data for the UBA app dashboard. You can view and modify the rules in the User Behavior Analytics Group on the Rules List in QRadar.
Note: By default, not all of the UBA app rules are enabled.
Note: One or more of the log sources should provide information for the specific UBA rule. The log sources are not prioritized in any particular order.
Restriction: Do not customize your rules to use the UBA and Machine Learning reference sets. Attempting to use the reference sets in custom rules can lead to failures within the UBA app.
IBM plans to update the UBA app with additional use cases on a continuous delivery model. Check back frequently for the latest updates to the app.
For more information about working with rules in QRadar, see knowledgecenter/en/ss42vs_7.2.8/com.ibm.qradar.doc/c_qradar_rul_mgt.html

Accounts and privileges

UBA : Account, Group or Privileges Added or Modified
Rule name: UBA : Account, Group or Privileges Added or Modified
Enabled by default: True
Default senseValue: 5
Description: Detects events that a user performs and that fit into one of the following categories. The rule dispatches an IBM Sense event to increment the originating user's risk score.
- Authentication.Group Added
- Authentication.Group Changed
- Authentication.Group Member Added
- Authentication.Computer Account Added
- Authentication.Computer Account Changed
- Authentication.Policy Added
- Authentication.Policy Change
- Authentication.Trusted Domain Added
- Authentication.User Account Added
- Authentication.User Account Changed
- Authentication.User Right Assigned
Note: To tune the impact of this rule on users' overall risk scores, consider modifying the building block rule "CategoryDefinition: Authentication User or Group Added or Changed" by adding event categories of interest to your organization.
Log source types: Akamai KONA, Amazon AWS CloudTrail, Application Security DbProtect, Arbor Networks Pravail, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Blue Coat Web Security Service, BlueCat Networks Adonis, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CRE System, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco Nexus, Cisco PIX Firewall, Cisco Wireless Services Module (WiSM), Citrix NetScaler, Configurable Firewall Filter, CorreLog Agent for IBM z/OS, Custom Rule Engine, DCN DCS/DCRS Series, DG Technology MEAS, EMC VMWare, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Epic SIEM, Event CRE Injected, Extreme Dragon Network IPS, Extreme Stackable and Standalone Switches, F5 Networks BIG-IP AFM, F5 Networks BIG-IP ASM, Fidelis XPS, Flow Classification Engine, Forcepoint V Series, Fortinet FortiGate Security Gateway, Foundry Fastiron, H3C Comware Platform, HP Network Automation, HP Tandem, Honeycomb Lexicon File Integrity Monitor, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Server, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM Guardium, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Mobile, IBM Security Identity Manager, IBM Security Network IPS (GX), IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, ISC BIND, Illumio Adaptive Security Platform, Imperva Incapsula, Imperva SecureSphere, Juniper Junos OS Platform, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper WirelessLAN, Juniper vGW, Kaspersky Security Center, Kisco Information Systems SafeNet/i, Lieberman Random Password Manager, Linux DHCP Server, Linux OS, Linux iptables Firewall, Mac OS X, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee Web Gateway, McAfee ePolicy Orchestrator, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SQL Server, Microsoft Windows Security Event Log, NCC Group DDoS Secure, Nortel Contivity VPN Switch, Nortel Multiprotocol Router, Nortel VPN Gateway, OS Services Qidmap, OSSEC, Okta, Open LDAP Software, OpenBSD OS, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Palo Alto PA Series, PostFix MailTransferAgent, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, Solaris Operating System Authentication Messages, Solaris Operating System DHCP Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Sophos Enterprise Console, Sophos Web Security Appliance, Squid Web Proxy, Stonesoft Management Center, Sun ONE LDAP, Symantec Critical System Protection, Symantec Endpoint Protection, Symantec Gateway Security (SGS) Appliance, Symantec System Center, Symark Power Broker, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend InterScan VirusWall, Trend Micro Deep Security, Universal DSM, Venustech Venusense Security Platform, Vormetric Data Security, WatchGuard Fireware OS, Zscaler Nss, genua genugate, it-cube agilesi
Related concepts
UBA : Dormant Account Used
UBA : First Privilege Escalation

UBA : New Account Use Detected
UBA : Orphaned or Revoked or Suspended Account Used
UBA : Suspicious Privileged Activity (First Observed Privilege Use)
UBA : Suspicious Privileged Activity (Rarely Used Privilege)
UBA : User Account Change
UBA : User Attempt to Use a Suspended Account
UBA : User Has Gone Dormant

UBA : Dormant Account Used
Rule name: UBA : Dormant Account Used
Enabled by default: False
Default senseValue: 10
Description: Provides reporting functions to indicate that a user successfully logged in after a dormant period. How quickly the rule is triggered after the user goes dormant is governed by the time-to-live setting in "UBA : User Accounts, Successful, Recent".
Note: For best results, wait 2-4 weeks before you enable both "UBA : Dormant Account Used" and "UBA : Username to User Accounts, Successful, Dormant". This allows the "UBA : User Accounts, Successful, Observed" and "UBA : User Accounts, Successful, Recent" reference sets to be populated and reduces the chances of prematurely triggering "UBA : Dormant Account Used".
Log source types: APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM z/OS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDoS Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, it-cube agilesi
Related concepts
UBA : Account, Group or Privileges Added or Modified
UBA : First Privilege Escalation
UBA : New Account Use Detected

39 UBA : Orphaned or Revoked or Suspended Account Used UBA : Suspicious Privileged Activity (First Observed Privilege Use) UBA : Suspicious Privileged Activity (Rarely Used Privilege) UBA : User Account Change UBA : User Attempt to Use a Suspended Account UBA : User Has Gone Dormant UBA : First Privilege Escalation UBA : First Privilege Escalation True 10 Indicates that a user executed privileged access for the first time. This reporting rule can be disabled to allow the tracking of user behaviors for baselining purposes. APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Application Security DbProtect, Arbor Networks Pravail, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Web Application Firewall, Bit9 Security Platform, Bluemix Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2,CA Top Secret, CRE System, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACSCisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco FireSIGHT Management Center, Cisco Firewall Services Module (FWSM), Cisco IOS,Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Cloudera Navigator, CorreLog Agent for IBM zos, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, DG Technology MEAS, EMC VMWare, Enterasys Matrix K/N/S Series Switch, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme NAC, Extreme NetsightASM, F5 Networks BIG-IP APM, F5 Networks BIG-IP ASM, F5 Networks BIG-IP LTM, Reference 35

40 Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, H3C Comware Platform, HBGary Active Defense, HP Network Automation, Honeycomb Lexicon File Integrity Monitor, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower,IBM Fiberlink MaaS360, IBM Guardium, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Packet Capture, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Directory Server, IBM Security Identity Governance, IBM Security Identity Manager, IBM Security Trusteer Apex Advanced Malware Protection, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/os, IBM zsecure Alert, ISC BIND, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform,Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper WirelessLAN, Juniper vgw, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance,McAfee epolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Endpoint Protection, Microsoft Hyper-V, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft SharePoint, Microsoft Windows Security Event Log, NCC Group DDos Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell edirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, 
OpenBSD OS,Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA SeriesPirean Access: One, PostFix MailTransferAgent, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Samhain HIDS, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center,Sybase ASE, Symantec Critical System Protection, Symantec Endpoint Protection, Symantec System Center, System Notification, ThreatGRID Malware Threat Intelligence Platform, TippingPoint Intrusion Prevention System (IPS),TippingPoint X Series Appliances, Top Layer IPS, Trend Micro Control Manager, Trend Micro Deep Discovery Inspector, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Tripwire Enterprise, Universal DSM, VMware vcloud Director, VMware vshield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, it-cube agilesi Related concepts UBA : Account, Group or Privileges Added or Modified UBA : Dormant Account Used UBA : New Account Use Detected UBA : Orphaned or Revoked or Suspended Account Used UBA : Suspicious Privileged Activity (First Observed Privilege Use) UBA : Suspicious Privileged Activity (Rarely Used Privilege) 36 IBM QRadar User Behavior Analytics (UBA) app: User Guide

41 UBA : User Account Change UBA : User Attempt to Use a Suspended Account UBA : User Has Gone Dormant UBA : New Account Use Detected UBA : New Account Use Detected True 5 Provides reporting functions that indicate a user successfully logged in for the first time. This reporting rule can be disabled temporarily for baselining purposes. APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller,Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection,Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA),Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort,Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo,Configurable Authentication message filter, CorreLog Agent for IBM zos, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch,Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks 
FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino,IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile,IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM Reference 37

42 z/os, IBM zsecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager,Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance,McAfee epolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server,Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDos Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500,Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell edirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series,Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit,SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, 
Solaris BSM,Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE,Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSMVMware vcloud Director, VMware vshield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, it-cube agilesi Related concepts UBA : Account, Group or Privileges Added or Modified UBA : Dormant Account Used UBA : First Privilege Escalation UBA : Orphaned or Revoked or Suspended Account Used UBA : Suspicious Privileged Activity (First Observed Privilege Use) UBA : Suspicious Privileged Activity (Rarely Used Privilege) UBA : User Account Change UBA : User Attempt to Use a Suspended Account UBA : User Has Gone Dormant 38 IBM QRadar User Behavior Analytics (UBA) app: User Guide

UBA : Orphaned or Revoked or Suspended Account Used
Rule name: UBA : Orphaned or Revoked or Suspended Account Used
Enabled by default: True
Default senseValue: 10
Description: Indicates that a user attempted to log in to a disabled or an expired account on a local system. This rule might also suggest that an account was compromised.
Log source types: Cisco CatOS for Catalyst Switches, Cisco Intrusion Prevention System (IPS), Extreme Dragon Network IPS, IBM Proventia Network Intrusion Prevention System (IPS), Juniper Junos WebApp Secure, Microsoft IAS Server, Microsoft Windows Security Event Log
Related concepts:
  UBA : Account, Group or Privileges Added or Modified
  UBA : Dormant Account Used
  UBA : First Privilege Escalation
  UBA : New Account Use Detected
  UBA : Suspicious Privileged Activity (First Observed Privilege Use)
  UBA : Suspicious Privileged Activity (Rarely Used Privilege)
  UBA : User Account Change
  UBA : User Attempt to Use a Suspended Account
  UBA : User Has Gone Dormant

UBA : Suspicious Privileged Activity (First Observed Privilege Use)
Rule name: UBA : Suspicious Privileged Activity (First Observed Privilege Use)
Enabled by default: True
Default senseValue: 5
Description: Indicates that a user executed a privileged action that the user never executed before. Observations are kept in the "UBA : Observed Activities by Low Level Category and Username" map-of-sets.
Log source types: APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Application Security DbProtect, Arbor Networks Pravail, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Web Application Firewall, Bit9 Security Platform, Bluemix Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA Top Secret, CRE System, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco FireSIGHT Management Center, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Cloudera Navigator, CorreLog Agent for IBM zOS, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, DG Technology MEAS, EMC VMWare, Enterasys Matrix K/N/S Series Switch, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme NAC, Extreme NetsightASM, F5 Networks BIG-IP APM, F5 Networks BIG-IP ASM, F5 Networks BIG-IP LTM, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, H3C Comware Platform, HBGary Active Defense, HP Network Automation, Honeycomb Lexicon File Integrity Monitor, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM Guardium, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Packet Capture, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Directory Server, IBM Security Identity Governance, IBM Security Identity Manager, IBM Security Trusteer Apex Advanced Malware Protection, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, ISC BIND, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper WirelessLAN, Juniper vGW, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Endpoint Protection, Microsoft Hyper-V, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft SharePoint, Microsoft Windows Security Event Log, NCC Group DDoS Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, PostFix MailTransferAgent, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Samhain HIDS, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Critical System Protection, Symantec Endpoint Protection, Symantec System Center, System Notification, ThreatGRID Malware Threat Intelligence Platform, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend Micro Control Manager, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Tripwire Enterprise, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, it-cube agileSI
Related concepts:
  UBA : Account, Group or Privileges Added or Modified
  UBA : Dormant Account Used
  UBA : First Privilege Escalation
  UBA : New Account Use Detected
  UBA : Orphaned or Revoked or Suspended Account Used
  UBA : Suspicious Privileged Activity (Rarely Used Privilege)
  UBA : User Account Change
  UBA : User Attempt to Use a Suspended Account
  UBA : User Has Gone Dormant

UBA : Suspicious Privileged Activity (Rarely Used Privilege)
Rule name: UBA : Suspicious Privileged Activity (Rarely Used Privilege)
Enabled by default: True

Default senseValue: 10
Description: Indicates that a user executed a privileged action that the user has not executed recently. Observations are kept in the "UBA : Recent Activities by Low Level Category and Username" map-of-sets. The sensitivity of this event can be modified by changing the TTL (time-to-live) of the reference map-of-sets "UBA : Recent Activities by Low Level Category and Username": increasing the TTL reduces the sensitivity, and decreasing the TTL increases it.
Log source types: APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Application Security DbProtect, Arbor Networks Pravail, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Web Application Firewall, Bit9 Security Platform, Bluemix Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA Top Secret, CRE System, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco FireSIGHT Management Center, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Cloudera Navigator, CorreLog Agent for IBM zOS, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, DG Technology MEAS, EMC VMWare, Enterasys Matrix K/N/S Series Switch, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme NAC, Extreme NetsightASM, F5 Networks BIG-IP APM, F5 Networks BIG-IP ASM, F5 Networks BIG-IP LTM, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, H3C Comware Platform, HBGary Active Defense, HP Network Automation, Honeycomb Lexicon File Integrity Monitor, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM Guardium, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Packet Capture, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Directory Server, IBM Security Identity Governance, IBM Security Identity Manager, IBM Security Trusteer Apex Advanced Malware Protection, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, ISC BIND, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper WirelessLAN, Juniper vGW, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Endpoint Protection, Microsoft Hyper-V, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft SharePoint, Microsoft Windows Security Event Log, NCC Group DDoS Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, PostFix MailTransferAgent, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Samhain HIDS, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Critical System Protection, Symantec Endpoint Protection, Symantec System Center, System Notification, ThreatGRID Malware Threat Intelligence Platform, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend Micro Control Manager, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Tripwire Enterprise, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, it-cube agileSI
Related concepts:
  UBA : Account, Group or Privileges Added or Modified
  UBA : Dormant Account Used
  UBA : First Privilege Escalation
  UBA : New Account Use Detected
  UBA : Orphaned or Revoked or Suspended Account Used
  UBA : Suspicious Privileged Activity (First Observed Privilege Use)
  UBA : User Account Change
  UBA : User Attempt to Use a Suspended Account
  UBA : User Has Gone Dormant

UBA : User Account Change
Rule name: UBA : User Account Change
Enabled by default: True
Default senseValue: 10
Description: Indicates that a user account was affected by an action that changes the user's effective privileges, either up or down.

False positive note: This event might attribute modifications of an account name to the user who is making the changes. To reduce this false positive possibility, add the rule test 'and when Username equals AccountName'.
False negative note: This event might not detect all cases of account modifications for a user.
Log source types: Microsoft Windows Security Event Log
Related concepts:
  UBA : Account, Group or Privileges Added or Modified
  UBA : Dormant Account Used
  UBA : First Privilege Escalation
  UBA : New Account Use Detected
  UBA : Orphaned or Revoked or Suspended Account Used
  UBA : Suspicious Privileged Activity (First Observed Privilege Use)
  UBA : Suspicious Privileged Activity (Rarely Used Privilege)
  UBA : User Attempt to Use a Suspended Account
  UBA : User Has Gone Dormant

UBA : User Attempt to Use a Suspended Account
Rule name: UBA : User Attempt to Use a Suspended Account
Enabled by default: True
Default senseValue: 10
Description: Detects that a user attempted to access a suspended or a disabled account.

Log source types: Cisco Intrusion Prevention System (IPS), Extreme Dragon Network IPS, IBM Proventia Network Intrusion Prevention System (IPS), Microsoft ISA, Microsoft Windows Security Event Log
Related concepts:
  UBA : Account, Group or Privileges Added or Modified
  UBA : Dormant Account Used
  UBA : First Privilege Escalation
  UBA : New Account Use Detected
  UBA : Orphaned or Revoked or Suspended Account Used
  UBA : Suspicious Privileged Activity (First Observed Privilege Use)
  UBA : Suspicious Privileged Activity (Rarely Used Privilege)
  UBA : User Account Change
  UBA : User Has Gone Dormant

UBA : User Has Gone Dormant
Rule names: UBA : User Has Gone Dormant (no activity anomaly rule); UBA : Dormant Account Found (privileged)
Enabled by default: False
Default senseValue: 10
Description: Ensure that "UBA : User Has Gone Dormant (no activity anomaly rule)" is enabled to activate this rule. This rule indicates that a username's activity count has changed by greater than 80%. "UBA : User Dormant Account Found (privileged)" and "UBA : User Has Gone Dormant (no activity anomaly rule)" are intended to point out when a user has stopped producing activity for an extended period. This condition

might indicate that the user no longer requires access, as indicated by a long absence of activity that is associated with their username.
Note: False alarms are possible for "UBA : User Has Gone Dormant (no activity anomaly rule)" if a username's activity decreases to zero during the short interval period (14 days by default) and before zero is the new baseline (28 days by default). The false alarms do not affect a user's risk score if the response frequency limit for "UBA : User Dormant Account Found (privileged)" is set to a period of time equal to or greater than the long interval per username.
Log source types: All supported log sources.
Related concepts:
  UBA : Account, Group or Privileges Added or Modified
  UBA : Dormant Account Used
  UBA : First Privilege Escalation
  UBA : New Account Use Detected
  UBA : Orphaned or Revoked or Suspended Account Used
  UBA : Suspicious Privileged Activity (First Observed Privilege Use)
  UBA : Suspicious Privileged Activity (Rarely Used Privilege)
  UBA : User Account Change
  UBA : User Attempt to Use a Suspended Account

DNS Analysis

For more information, see IBM QRadar DNS Analyzer.

UBA : Potential Access to Blacklist Domain
Rule name: UBA : Potential Access to Blacklist Domain

Enabled by default: False
Default senseValue: 5
Description: Detects events that indicate the user potentially accessed a blacklist domain. Requires the IBM QRadar DNS Analyzer app.
Log source types: IBM QRadar DNS Analyzer

UBA : Potential Access to DGA Domain
Rule name: UBA : Potential Access to DGA Domain
Enabled by default: False
Default senseValue: 5
Description: Detects events that indicate the user potentially accessed a DGA (Domain Generated by Algorithm) domain. Requires the IBM QRadar DNS Analyzer app.
Log source types: IBM QRadar DNS Analyzer

UBA : Potential Access to Squatting Domain
Rule name: UBA : Potential Access to Squatting Domain
Enabled by default: False
Default senseValue: 5
Description: Detects events that indicate the user potentially accessed a squatting domain. Requires the IBM QRadar DNS Analyzer app.
Log source types: IBM QRadar DNS Analyzer
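The following added example is not code from the UBA app or from IBM; it simulates the two baselining mechanisms that the Accounts and privileges rules above describe: the per-user observation map-of-sets with a TTL behind the two Suspicious Privileged Activity rules, and the short-interval (14 days) against long-interval (28 days) comparison behind User Has Gone Dormant. The function names, the sample events and the exact arithmetic of the 80% dormancy check are assumptions made for the example.

```python
# Added example, not code from the UBA app: a simulation of the per-user
# baselining behind the Suspicious Privileged Activity and User Has Gone
# Dormant rules.  How the ADE computes the 80% change is an assumption here.
from collections import defaultdict
from datetime import datetime, timedelta


class MapOfSets:
    """Reference map-of-sets: key -> {value: last_seen}.  Entries older than
    ttl count as expired; ttl=None means entries never expire."""

    def __init__(self, ttl=None):
        self.ttl = ttl
        self._data = defaultdict(dict)

    def contains(self, key, value, now):
        seen = self._data[key].get(value)
        if seen is None:
            return False
        if self.ttl is not None and now - seen > self.ttl:
            del self._data[key][value]  # expired: behaves as if never seen
            return False
        return True

    def add(self, key, value, now):
        self._data[key][value] = now  # (re)insert and refresh the timestamp


def privileged_activity_alerts(events, recent_ttl):
    """events: iterable of (timestamp, username, low_level_category).
    Returns (username, category, kind) tuples: 'first_observed' when the
    category was never seen for that user, 'rarely_used' when it was seen
    before but not within recent_ttl.  A larger recent_ttl therefore yields
    fewer 'rarely_used' alerts, which is the sensitivity knob the guide
    describes."""
    observed = MapOfSets(ttl=None)       # "Observed Activities" map-of-sets
    recent = MapOfSets(ttl=recent_ttl)   # "Recent Activities" map-of-sets
    alerts = []
    for ts, user, category in sorted(events):
        if not observed.contains(user, category, ts):
            alerts.append((user, category, "first_observed"))
        elif not recent.contains(user, category, ts):
            alerts.append((user, category, "rarely_used"))
        observed.add(user, category, ts)
        recent.add(user, category, ts)
    return alerts


def dormant_user(daily_counts, short_days=14, long_days=28, threshold=0.80):
    """daily_counts: per-day event counts for one username, oldest first.
    True when the average over the last short_days dropped by more than
    threshold against the preceding long_days baseline; False otherwise;
    None when history is too short or the baseline is already zero (zero
    has become the new baseline, so the rule stops firing)."""
    if len(daily_counts) < short_days + long_days:
        return None
    recent = daily_counts[-short_days:]
    baseline = daily_counts[-(short_days + long_days):-short_days]
    base_avg = sum(baseline) / long_days
    if base_avg == 0:
        return None
    drop = (base_avg - sum(recent) / short_days) / base_avg
    return drop > threshold


# Constructed sample data, not real QRadar events.
T0 = datetime(2018, 3, 1)
SAMPLE_EVENTS = [
    (T0, "alice", "User Right Assigned"),
    (T0 + timedelta(days=2), "alice", "User Right Assigned"),
    (T0 + timedelta(days=20), "alice", "User Right Assigned"),
    (T0 + timedelta(days=21), "alice", "Group Member Added"),
]
# 28 active days then silence: fires while the last 14 days are zero and the
# baseline is still non-zero (the false-alarm window the guide describes),
# and stops once the 28-day baseline is zero as well.
ACTIVE_THEN_SILENT = [10] * 28 + [0] * 14
LONG_SILENT = [10] * 28 + [0] * 42


def alerts_for_ttl_days(days):
    """Run the sample events with the Recent Activities TTL set to `days`."""
    return privileged_activity_alerts(SAMPLE_EVENTS, timedelta(days=days))


if __name__ == "__main__":
    for days in (7, 30):  # 7-day TTL: 3 alerts; 30-day TTL: 2 alerts
        print(f"TTL={days}d:", alerts_for_ttl_days(days))
    print("recent 14 days silent:", dormant_user(ACTIVE_THEN_SILENT))  # True
    print("baseline silent too:", dormant_user(LONG_SILENT))           # None
```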

Network attacks

UBA : D/DoS Attack Detected
Rule name: UBA : D/DoS Attack Detected
Enabled by default: False
Default senseValue: 15
Description: Detects network Denial of Service (DoS) attacks by a user.
Note: Before you can use this rule, complete the following steps:
1. From the Admin tab, click UBA Settings.
2. Select the Search assets for username, when username is not available for event or flow data check box to search for user names in the asset table. The UBA app uses assets to look up a user for an IP address when no user is listed in an event.
3. The event rule requires the "Snort Open Source IDS" log source to work.
Log source types: Akamai KONA, Application Security DbProtect, Aruba Mobility Controller, Barracuda Web Application Firewall, Brocade FabricOS, CRE System, Check Point, Cisco Adaptive Security Appliance (ASA), Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Intrusion Prevention System (IPS), Cisco PIX Firewall, Cisco Stealthwatch, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Custom Rule Engine, CyberGuard TSP Firewall/VPN, Enterprise-IT-Security.com SF-Sherlock, Event CRE Injected, Extreme Dragon Network IPS, Extreme HiPath, F5 Networks BIG-IP AFM, F5 Networks BIG-IP ASM, F5 Networks BIG-IP LTM, Fair Warning, FireEye, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, Huawei AR Series Router, IBM Proventia Network Intrusion Prevention System (IPS), IBM Security Network IPS (GX), Imperva Incapsula, Juniper Junos OS Platform, Juniper Junos WebApp Secure, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Motorola SymbolAP, NCC Group DDoS Secure, Niksun 2005 v3.5, Nortel Application Switch, OS Services Qidmap, OSSEC, Palo Alto PA Series, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, SonicWALL SonicOS, Squid Web Proxy, Stonesoft Management Center, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), Top Layer IPS, Trend Micro Deep Security, Universal DSM, Vectra Networks Vectra, Venustech Venusense Security Platform, WatchGuard Fireware OS
Related concepts:
  UBA : Pass the Hash
  UBA : Possible TGT Forgery

53 UBA : Pass the Hash UBA : Pass the Hash False 15 Detects Windows logon events that are possibly generated during pass the hash exploits. Microsoft Windows Security Event Log Related concepts UBA : D/DoS Attack Detected UBA : Possible TGT Forgery UBA : Possible TGT Forgery UBA : Possible TGT Forgery False 15 Detects Kerberos TGTs that contain Domain Name These possibly indicate tickets that are generated by using pass the ticket exploits. Microsoft Windows Security Event Log Related concepts UBA : D/DoS Attack Detected UBA : Pass the Hash Reference 49

Network traffic

UBA : Abnormal data volume to external domain (ADE rule)
Rule name(s): UBA : Abnormal data volume to external domain; UBA : Abnormal data volume to external domain Found
Warning: Enabling ADE rules can affect the performance of the UBA app and your QRadar system.
Enabled by default: False
Default senseValue: 15
Description:
UBA : Abnormal data volume to external domain: Uses the Anomaly Detection engine to monitor a user's traffic usage and alerts on abnormal volumes of traffic to external domains.
UBA : Abnormal data volume to external domain Found: A CRE rule that supports the corresponding ADE rule, UBA : Abnormal data volume to external domain, which uses the Anomaly Detection engine to monitor a user's traffic usage and alerts on abnormal volumes of traffic to external domains.
Log source types: Juniper SRX Series Services Gateway, Microsoft ISA, Pulse Secure Pulse Connect Secure
Related concepts: UBA : Abnormal Outbound Transfer Attempts (ADE rule); UBA : Detect Insecure Or Non-Standard Protocol; UBA : Netcat Process Detection (Linux); UBA : Netcat Process Detection (Windows); UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage; UBA : User Behavior, Session Anomaly by Destination (ADE rule); UBA : User Event Frequency Anomaly Categories (ADE rule); UBA : User Volume of Activity Anomaly - Traffic (ADE rule)

UBA : Abnormal Outbound Transfer Attempts (ADE rule)
Rule name(s): UBA : Abnormal Outbound Transfer Attempts (called UBA : Abnormal Outbound Attempts in V2.4.0); UBA : Abnormal Outbound Transfer Attempts Found
Warning: Enabling ADE rules can affect the performance of the UBA app and your QRadar system.
Enabled by default: False
Default senseValue: 15
Description:
UBA : Abnormal Outbound Transfer Attempts: Uses the Anomaly Detection engine to monitor outbound traffic usage and alerts on an abnormal number of attempts.
UBA : Abnormal Outbound Transfer Attempts Found: A CRE rule that supports the corresponding ADE rule, UBA : Abnormal Outbound Attempts, which uses the Anomaly Detection engine to monitor outbound traffic usage and alerts on an abnormal number of attempts.
Log source types: All supported log sources.
Related concepts: UBA : Abnormal data volume to external domain (ADE rule); UBA : Detect Insecure Or Non-Standard Protocol; UBA : Netcat Process Detection (Linux); UBA : Netcat Process Detection (Windows); UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage; UBA : User Behavior, Session Anomaly by Destination (ADE rule); UBA : User Event Frequency Anomaly Categories (ADE rule); UBA : User Volume of Activity Anomaly - Traffic (ADE rule)

UBA : Detect Insecure Or Non-Standard Protocol
Rule name(s): UBA : Detect Insecure Or Non-Standard Protocol
Enabled by default: False
Default senseValue: 5
Description: Detects any user that is communicating over unauthorized protocols that are regarded as insecure or non-standard. Authorized protocols are listed in the UBA : Ports of Authorized Protocols reference set, whose default value is 0, the port of QRadar events. Edit the UBA : Ports of Authorized Protocols reference set to include the ports that are authorized in your environment before you enable this rule.
Log source types: All supported log sources.
Related concepts: UBA : Abnormal data volume to external domain (ADE rule); UBA : Abnormal Outbound Transfer Attempts (ADE rule); UBA : Netcat Process Detection (Linux); UBA : Netcat Process Detection (Windows); UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage; UBA : User Behavior, Session Anomaly by Destination (ADE rule); UBA : User Event Frequency Anomaly Categories (ADE rule); UBA : User Volume of Activity Anomaly - Traffic (ADE rule)

UBA : Netcat Process Detection (Linux)
Rule name(s): UBA : Netcat Process Detection (Linux)
Enabled by default: True
Default senseValue: 15
Description: Detects a netcat process on a Linux system.
Log source types: Linux OS
Related concepts: UBA : Abnormal data volume to external domain (ADE rule); UBA : Abnormal Outbound Transfer Attempts (ADE rule); UBA : Detect Insecure Or Non-Standard Protocol; UBA : Netcat Process Detection (Windows); UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage; UBA : User Behavior, Session Anomaly by Destination (ADE rule); UBA : User Event Frequency Anomaly Categories (ADE rule); UBA : User Volume of Activity Anomaly - Traffic (ADE rule)

UBA : Netcat Process Detection (Windows)
Rule name(s): UBA : Netcat Process Detection (Windows)
Enabled by default: True
Default senseValue: 15
Description: Detects a netcat process on a Windows system.
Log source types: Microsoft Windows Security Event Logs
Related concepts: UBA : Abnormal data volume to external domain (ADE rule); UBA : Abnormal Outbound Transfer Attempts (ADE rule); UBA : Detect Insecure Or Non-Standard Protocol; UBA : Netcat Process Detection (Linux); UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage; UBA : User Behavior, Session Anomaly by Destination (ADE rule); UBA : User Event Frequency Anomaly Categories (ADE rule); UBA : User Volume of Activity Anomaly - Traffic (ADE rule)

UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage
Rule name(s): UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage
Enabled by default: False
Description: Indicates that a process is created and the process name matches one of the binary names that are listed in the reference set "UBA : Network Capture, Monitoring and Analysis Program Filenames". This reference set lists the binary names of network packet capturing software and is pre-populated with the file names of some common network protocol analysis software. For more information about adding or removing programs for monitoring, see Managing network monitoring tools.
Log source types: Microsoft Windows Security Event Log
Related concepts: UBA : Abnormal data volume to external domain (ADE rule); UBA : Abnormal Outbound Transfer Attempts (ADE rule); UBA : Detect Insecure Or Non-Standard Protocol; UBA : Netcat Process Detection (Linux); UBA : Netcat Process Detection (Windows); UBA : User Behavior, Session Anomaly by Destination (ADE rule); UBA : User Event Frequency Anomaly Categories (ADE rule); UBA : User Volume of Activity Anomaly - Traffic (ADE rule)

UBA : User Behavior, Session Anomaly by Destination (ADE rule)
Rule name(s): UBA : User Behavior, Session Anomaly by Destination; UBA : User Behavior, Session Anomaly by Destination Found
Warning: Enabling ADE rules can affect the performance of the UBA app and your QRadar system.
Enabled by default: False
Default senseValue: 10
Description:
UBA : User Behavior, Session Anomaly by Destination: Indicates that a user is accessing significantly different destination IP addresses than the user accessed in the past. The event is not necessarily an indication of compromise. The change in behavior might indicate a significant change in the user's job responsibilities or work habits.
UBA : User Behavior, Session Anomaly by Destination Found: A CRE rule that supports the corresponding ADE rule, UBA : User Behavior, Session Anomaly by Destination, which indicates that a user is accessing significantly different destination IP addresses than the user accessed in the past. The event is not necessarily an indication of compromise. The change in behavior might indicate a significant change in the user's job responsibilities or work habits.
Log source types: All supported log sources.
Related concepts: UBA : Abnormal data volume to external domain (ADE rule); UBA : Abnormal Outbound Transfer Attempts (ADE rule); UBA : Detect Insecure Or Non-Standard Protocol; UBA : Netcat Process Detection (Linux); UBA : Netcat Process Detection (Windows); UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage; UBA : User Event Frequency Anomaly Categories (ADE rule); UBA : User Volume of Activity Anomaly - Traffic (ADE rule)

UBA : User Event Frequency Anomaly Categories (ADE rule)
Rule name(s): UBA : User Event Frequency Anomaly Categories; UBA : User Event Frequency Anomaly - Categories Found
Warning: Enabling ADE rules can affect the performance of the UBA app and your QRadar system.
Enabled by default: False
Default senseValue: 5
Description:
UBA : User Event Frequency Anomaly Categories: Uses the Anomaly Detection engine to monitor the category distribution of a user's events and alerts on unusual frequency changes.
UBA : User Event Frequency Anomaly - Categories Found: A CRE rule that supports the corresponding ADE rule, UBA : User Event Frequency Anomaly - Categories, which uses the Anomaly Detection engine to monitor the category distribution of a user's events and alerts on unusual frequency changes.
Log source types: All supported log sources.
Related concepts: UBA : Abnormal data volume to external domain (ADE rule); UBA : Abnormal Outbound Transfer Attempts (ADE rule); UBA : Detect Insecure Or Non-Standard Protocol; UBA : Netcat Process Detection (Linux); UBA : Netcat Process Detection (Windows); UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage; UBA : User Behavior, Session Anomaly by Destination (ADE rule); UBA : User Volume of Activity Anomaly - Traffic (ADE rule)

UBA : User Volume of Activity Anomaly - Traffic (ADE rule)
Rule name(s): UBA : User Volume of Activity Anomaly rules; UBA : Abnormal Outbound Attempts Found
Warning: Enabling ADE rules can affect the performance of the UBA app and your QRadar system.
Starting with V2.3.0, UBA : User Volume of Activity Anomaly - Traffic should be disabled and the following updated versions of the rule should be used: UBA : User Volume Activity Anomaly - Traffic to External Domains; UBA : User Volume Activity Anomaly - Traffic to External Domains Found; UBA : User Volume Activity Anomaly - Traffic to Internal Domains; UBA : User Volume Activity Anomaly - Traffic to Internal Domains Found
Enabled by default: False
Default senseValue: 10
Description:
UBA : User Volume of Activity Anomaly rules: Use the Anomaly Detection engine to monitor user traffic usage and send an alert on unusual volumes of traffic.
UBA : Abnormal Outbound Attempts Found: A CRE rule that supports the corresponding ADE rule, UBA : Abnormal Outbound Attempts, which uses the Anomaly Detection engine to monitor outbound traffic usage and alerts on an abnormal number of attempts.
Log source types: Juniper SRX Series Services Gateway, Microsoft ISA, Pulse Secure Pulse Connect Secure
Related concepts: UBA : Abnormal data volume to external domain (ADE rule); UBA : Abnormal Outbound Transfer Attempts (ADE rule); UBA : Detect Insecure Or Non-Standard Protocol; UBA : Netcat Process Detection (Linux); UBA : Netcat Process Detection (Windows); UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage; UBA : User Behavior, Session Anomaly by Destination (ADE rule); UBA : User Event Frequency Anomaly Categories (ADE rule)

QRadar Network Insights (QNI)
Attention: QNI rules are no longer installed with the UBA app. For more information about installing QNI rules, see

UBA : QNI - Access to Improperly Secured Service - Certificate Expired
Rule name(s): UBA : QNI - Access to Improperly Secured Service - Certificate Expired
Enabled by default: False
Default senseValue: 5
Description: QRadar Network Insights (QNI) detected an SSL/TLS session that uses an expired certificate. Servers and clients use certificates when they establish communication by using Secure Sockets Layer (SSL) or Transport Layer Security (TLS). Certificates are issued with an expiration date that indicates how long the certificate remains valid.
Log source types: QRadar Network Insights (QNI)
Related concepts: UBA : QNI - Access to Improperly Secured Service - Certificate Invalid; UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length; UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate; UBA : QNI - Observed File Hash Associated with Malware Threat; UBA : QNI - Observed File Hash Seen Across Multiple Hosts; UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Recipient; UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers

UBA : QNI - Access to Improperly Secured Service - Certificate Invalid
Rule name(s): UBA : QNI - Access to Improperly Secured Service - Certificate Invalid
Enabled by default: False
Default senseValue: 5
Description: QRadar Network Insights (QNI) detected an SSL/TLS session that uses an invalid certificate. Servers and clients use X.509 certificates when they establish communication by using Secure Sockets Layer (SSL). Certificates are issued with a Not Before date that indicates the earliest date on which the certificate is valid.
Log source types: QRadar Network Insights (QNI)
Related concepts: UBA : QNI - Access to Improperly Secured Service - Certificate Expired; UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length; UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate; UBA : QNI - Observed File Hash Associated with Malware Threat; UBA : QNI - Observed File Hash Seen Across Multiple Hosts; UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Recipient; UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers

UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length
Rule name(s): UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length
Enabled by default: False
Default senseValue: 5
Description: QRadar Network Insights (QNI) detected an SSL/TLS session that uses a certificate with a low public key bit count. A server that provides a weak Public Key Certificate (less than 1024 bits) can represent a security risk. According to NIST guidance, the recommended minimum RSA key length beginning in 2011 is 2048 bits.
Log source types: QRadar Network Insights (QNI)
Related concepts: UBA : QNI - Access to Improperly Secured Service - Certificate Expired; UBA : QNI - Access to Improperly Secured Service - Certificate Invalid; UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate; UBA : QNI - Observed File Hash Associated with Malware Threat; UBA : QNI - Observed File Hash Seen Across Multiple Hosts; UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Recipient; UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers

UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate
Rule name(s): UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate
Enabled by default: False
Default senseValue: 5
Description: QRadar Network Insights (QNI) detected an SSL/TLS session that uses a self-signed certificate. A self-signed certificate in a public-facing or production server application might allow a remote attacker to start a man-in-the-middle attack.
Log source types: QRadar Network Insights (QNI)
Related concepts: UBA : QNI - Access to Improperly Secured Service - Certificate Expired; UBA : QNI - Access to Improperly Secured Service - Certificate Invalid; UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length; UBA : QNI - Observed File Hash Associated with Malware Threat; UBA : QNI - Observed File Hash Seen Across Multiple Hosts; UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Recipient; UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers

UBA : QNI - Observed File Hash Associated with Malware Threat
Rule name(s): UBA : QNI - Observed File Hash Associated with Malware Threat
Enabled by default: False
Default senseValue: 15
Description: This rule triggers when flow content includes a file hash that matches known bad file hashes included in a Threat Intelligence data feed. It indicates that someone transferred malware over the network.
Log source types: QRadar Network Insights (QNI)
Related concepts: UBA : QNI - Access to Improperly Secured Service - Certificate Expired; UBA : QNI - Access to Improperly Secured Service - Certificate Invalid; UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length; UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate; UBA : QNI - Observed File Hash Seen Across Multiple Hosts; UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Recipient; UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers

UBA : QNI - Observed File Hash Seen Across Multiple Hosts
Rule name(s): UBA : QNI - Observed File Hash Seen Across Multiple Hosts
Enabled by default: False
Default senseValue: 15
Description: This rule triggers when the same file hash that is associated with malware is seen being transferred to multiple destinations.
Log source types: QRadar Network Insights (QNI)
Related concepts: UBA : QNI - Access to Improperly Secured Service - Certificate Expired; UBA : QNI - Access to Improperly Secured Service - Certificate Invalid; UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length; UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate; UBA : QNI - Observed File Hash Associated with Malware Threat; UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Recipient; UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers

UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Recipient
Rule name(s): UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Recipient
Enabled by default: False
Default senseValue: 5
Description: This rule triggers when rejected events that were sent to a non-existent recipient address are seen in the system, which can indicate a spam or phishing attempt. Configure the BB:CategoryDefinition: Rejected Recipient building block to include QIDs relevant to your organization. It is pre-populated with QIDs for the following log sources, which are good for monitoring: Microsoft Exchange; Linux OS (running sendmail); Solaris Operating System Sendmail Logs; Barracuda Spam and Virus Firewall.
Log source types: QRadar Network Insights (QNI)
Related concepts: UBA : QNI - Access to Improperly Secured Service - Certificate Expired; UBA : QNI - Access to Improperly Secured Service - Certificate Invalid; UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length; UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate; UBA : QNI - Observed File Hash Associated with Malware Threat; UBA : QNI - Observed File Hash Seen Across Multiple Hosts; UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers

UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers
Rule name(s): UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers
Enabled by default: False
Default senseValue: 5
Description: This rule triggers when multiple sending servers send the same subject within a period of time, which might indicate spam or phishing.
Log source types: QRadar Network Insights (QNI)
Related concepts: UBA : QNI - Access to Improperly Secured Service - Certificate Expired; UBA : QNI - Access to Improperly Secured Service - Certificate Invalid; UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length; UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate; UBA : QNI - Observed File Hash Associated with Malware Threat; UBA : QNI - Observed File Hash Seen Across Multiple Hosts; UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Recipient

Risky resources

UBA : Abnormal visits to Risky Resources (ADE rule)
Rule name(s): UBA : Abnormal visits to Risky Resources; UBA : Abnormal visits to Risky Resources Found
Warning: Enabling ADE rules can affect the performance of the UBA app and your QRadar system.
Enabled by default: False
Default senseValue: 15
Description:
UBA : Abnormal visits to Risky Resources: Uses the Anomaly Detection engine to monitor the number of times a user accesses a risky resource (such as suspicious URLs, anonymizers, and malware hosts) and alerts when the number of visits changes abnormally.
UBA : Abnormal visits to Risky Resources Found: A CRE rule that supports the corresponding ADE rule, UBA : Abnormal visits to Risky Resources, which uses the Anomaly Detection engine to monitor the number of times a user accesses risky resources (such as suspicious URLs, anonymizers, and malware hosts) and alerts when the number of visits changes abnormally.
Log source types: All supported log sources.
Related concepts: Risky browsing; Risky IP

Risky browsing
Related concepts: UBA : Abnormal visits to Risky Resources (ADE rule); Risky IP

UBA : Browsed to Communications Website
Rule name(s): UBA : Browsed to Communications Website
Enabled by default: True
Default senseValue: 5
Description: A user accessed a URL that might indicate elevated security or legal risk.
Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series

UBA : Browsed to Entertainment Website
Rule name(s): UBA : Browsed to Entertainment Website
Enabled by default: True
Default senseValue: 5
Description: A user accessed a URL that might indicate elevated security or legal risk.
Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series

UBA : Browsed to Gambling Website
Rule name(s): UBA : Browsed to Gambling Website
Enabled by default: True
Default senseValue: 5
Description: A user accessed a URL that might indicate elevated security or legal risk.
Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series

UBA : Browsed to Information Technology Website
Rule name(s): UBA : Browsed to Information Technology Website
Enabled by default: True
Default senseValue: 5
Description: A user accessed a URL that might indicate elevated security or legal risk.
Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series

UBA : Browsed to Job Search Website
Rule name(s): UBA : Browsed to Job Search Website
Enabled by default: True
Default senseValue: 15
Description: A user accessed a URL that might indicate elevated security or legal risk.
Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series

UBA : Browsed to Malicious Website
Rule name(s): UBA : Browsed to Malicious Website
Enabled by default: True
Default senseValue: 15
Description: A user accessed a URL that might indicate elevated security or legal risk.
Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series

UBA : Browsed to Mixed Content/Potentially Adult Website
Rule name(s): UBA : Browsed to Mixed Content/Potentially Adult Website
Enabled by default: True
Description: A user accessed a URL that might indicate elevated security or legal risk.
Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series

UBA : Browsed to Phishing Website
Rule name(s): UBA : Browsed to Phishing Website
Enabled by default: True
Default senseValue: 15
Description: A user accessed a URL that might indicate elevated security or legal risk.
Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series

UBA : Browsed to Pornography Website
Rule name(s): UBA : Browsed to Pornography Website
Enabled by default: True
Default senseValue: 10
Description: A user accessed a URL that might indicate elevated security or legal risk.
Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series

UBA : Browsed to Scam/Questionable/Illegal Website
Rule name(s): UBA : Browsed to Scam/Questionable/Illegal Website
Enabled by default: True
Default senseValue: 5
Description: A user accessed a URL that might indicate elevated security or legal risk.
Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid Web Proxy, Palo Alto PA Series

Risky IP
Related concepts: UBA : Abnormal visits to Risky Resources (ADE rule); Risky browsing

UBA : User Accessing Risky Resources
Rule name(s): UBA : User Accessing Risky Resources is disabled by default starting with V. The rules are now listed by the following types and enabled by default: UBA : User Accessing Risky IP, Anonymization; UBA : User Accessing Risky IP, Botnet; UBA : User Accessing Risky IP, Dynamic; UBA : User Accessing Risky IP, Malware; UBA : User Accessing Risky IP, Spam
Enabled by default: False
Default senseValue: 15
Description: Indicates that a user accessed an external resource that is deemed to be inappropriate or risky, or that shows signs of infection.
Log source types: All supported log sources.

Suspicious application

UBA : Detect IOCs For Locky
Rule name(s): UBA : Detect IOCs For Locky
Enabled by default: False
Default senseValue: 10
Description: Detects user computers that show Indicators of Compromise (IOCs) for Locky by using URLs or IPs that are populated from X-Force campaign feeds.
Log source types: All supported log sources.
Related concepts: UBA : Detect IOCs for WannaCry; UBA : Detect Persistent SSH session; UBA : Internet Settings Modified; UBA : Malware Activity - Registry Modified In Bulk; UBA : Process Executed Outside Gold Disk Whitelist (Linux); UBA : Process Executed Outside Gold Disk Whitelist (Windows); UBA : Ransomware Behavior Detected; UBA : Restricted Program Usage; UBA : ShellBags Modified By Ransomware; UBA : User Installing Suspicious Application; UBA : User Running New Process; UBA : Volume Shadow Copy Created

UBA : Detect IOCs for WannaCry
Rule name(s): UBA : Detect IOCs For WannaCry
Enabled by default: False
Default senseValue: 10
Description: Detects user computers that show Indicators of Compromise (IOCs) for WannaCry by using URLs, IPs, or hashes that are populated from X-Force campaign feeds.
Log source types: All supported log sources.
Related concepts: UBA : Detect IOCs For Locky; UBA : Detect Persistent SSH session; UBA : Internet Settings Modified; UBA : Malware Activity - Registry Modified In Bulk; UBA : Process Executed Outside Gold Disk Whitelist (Linux); UBA : Process Executed Outside Gold Disk Whitelist (Windows); UBA : Ransomware Behavior Detected; UBA : Restricted Program Usage; UBA : ShellBags Modified By Ransomware; UBA : User Installing Suspicious Application; UBA : User Running New Process; UBA : Volume Shadow Copy Created

UBA : Detect Persistent SSH session
Rule name(s): UBA : Detect Persistent SSH session
Enabled by default: True
Default senseValue: 10
Description: Detects SSH sessions that are active for more than 10 hours.
Log source types: Linux OS
Related concepts: UBA : Detect IOCs For Locky; UBA : Detect IOCs for WannaCry; UBA : Internet Settings Modified; UBA : Malware Activity - Registry Modified In Bulk; UBA : Process Executed Outside Gold Disk Whitelist (Linux); UBA : Process Executed Outside Gold Disk Whitelist (Windows); UBA : Ransomware Behavior Detected; UBA : Restricted Program Usage; UBA : ShellBags Modified By Ransomware; UBA : User Installing Suspicious Application; UBA : User Running New Process; UBA : Volume Shadow Copy Created

UBA : Internet Settings Modified
Rule name(s): UBA : Internet Settings Modified
Enabled by default: True
Default senseValue: 15
Description: Detects modifications of internet settings on the system.
Log source types: Microsoft Windows Security Event Logs
Related concepts: UBA : Detect IOCs For Locky; UBA : Detect IOCs for WannaCry; UBA : Detect Persistent SSH session; UBA : Malware Activity - Registry Modified In Bulk; UBA : Process Executed Outside Gold Disk Whitelist (Linux); UBA : Process Executed Outside Gold Disk Whitelist (Windows); UBA : Ransomware Behavior Detected; UBA : Restricted Program Usage; UBA : ShellBags Modified By Ransomware; UBA : User Installing Suspicious Application; UBA : User Running New Process; UBA : Volume Shadow Copy Created

UBA : Malware Activity - Registry Modified In Bulk
Rule name(s): UBA : Malware Activity - Registry Modified In Bulk
Enabled by default: True
Default senseValue: 15
Description: Detects processes that modify multiple registry values in bulk within a short interval.
Log source types: Microsoft Windows Security Event Logs
Related concepts: UBA : Detect IOCs For Locky; UBA : Detect IOCs for WannaCry; UBA : Detect Persistent SSH session; UBA : Internet Settings Modified; UBA : Process Executed Outside Gold Disk Whitelist (Linux); UBA : Process Executed Outside Gold Disk Whitelist (Windows); UBA : Ransomware Behavior Detected; UBA : Restricted Program Usage; UBA : ShellBags Modified By Ransomware; UBA : User Installing Suspicious Application; UBA : User Running New Process; UBA : Volume Shadow Copy Created

UBA : Process Executed Outside Gold Disk Whitelist (Linux)
Rule name(s): UBA : Process Executed Outside Gold Disk Whitelist (Linux)
Enabled by default: False
Default senseValue: 15
Description: Detects processes that are created on a Linux system and alerts when the process is outside of the golden disk process whitelist.
Note: The rule is disabled by default. Enable the rule only after you populate or modify the process names to be whitelisted in the reference set 'UBA : Gold Disk Process Whitelist - Linux'.
Log source types: Linux OS
Related concepts: UBA : Detect IOCs For Locky; UBA : Detect IOCs for WannaCry; UBA : Detect Persistent SSH session; UBA : Internet Settings Modified; UBA : Malware Activity - Registry Modified In Bulk; UBA : Process Executed Outside Gold Disk Whitelist (Windows); UBA : Ransomware Behavior Detected; UBA : Restricted Program Usage; UBA : ShellBags Modified By Ransomware; UBA : User Installing Suspicious Application; UBA : User Running New Process; UBA : Volume Shadow Copy Created

UBA : Process Executed Outside Gold Disk Whitelist (Windows)
Rule name(s): UBA : Process Executed Outside Gold Disk Whitelist (Windows)
Enabled by default: False
Default senseValue: 15
Description: Detects processes that are created on a Windows system and alerts when the process is outside the golden disk process whitelist.
Note: The rule is disabled by default. Enable the rule only after you populate or modify the process names to be whitelisted in the reference set 'UBA : Gold Disk Process Whitelist - Windows'.
Log source types: Microsoft Windows Security Event Logs
Related concepts: UBA : Detect IOCs For Locky; UBA : Detect IOCs for WannaCry; UBA : Detect Persistent SSH session; UBA : Internet Settings Modified; UBA : Malware Activity - Registry Modified In Bulk; UBA : Process Executed Outside Gold Disk Whitelist (Linux); UBA : Ransomware Behavior Detected; UBA : Restricted Program Usage; UBA : ShellBags Modified By Ransomware; UBA : User Installing Suspicious Application; UBA : User Running New Process; UBA : Volume Shadow Copy Created

UBA : Ransomware Behavior Detected
Rule name(s): UBA : Ransomware Behavior Detected
Enabled by default: False
Default senseValue: 15
Description: Detects behavior that is typically seen during a ransomware infection.
Log source types: Microsoft Windows Security Event Logs
Related concepts: UBA : Detect IOCs For Locky; UBA : Detect IOCs for WannaCry; UBA : Detect Persistent SSH session; UBA : Internet Settings Modified; UBA : Malware Activity - Registry Modified In Bulk; UBA : Process Executed Outside Gold Disk Whitelist (Linux); UBA : Process Executed Outside Gold Disk Whitelist (Windows); UBA : Restricted Program Usage; UBA : ShellBags Modified By Ransomware; UBA : User Installing Suspicious Application; UBA : User Running New Process; UBA : Volume Shadow Copy Created
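The gold disk whitelist entries above, and the Restricted Program Usage and populate-style utility rules described later in this section, all follow one pattern: a reference set is filled during a learning window, and a detection rule then compares each process-creation event against it. The following is an added Python example of that pattern and is not code from the guide or from the UBA app; the event format, the learning and production events, the restricted-program names and the per-user score (a plain sum of the guide's default senseValues, not the app's own scoring) are all constructed for illustration.

```python
"""Populate-then-detect for process-creation events (added example, not UBA code)."""
import re
from collections import defaultdict

# Constructed sample events in a simplified process-creation shape
# (not real QRadar or Windows event payloads).
LEARNING_EVENTS = [
    "2024-03-01T08:00:00Z host=ws01 user=alice process=C:\\Windows\\explorer.exe",
    "2024-03-01T08:01:00Z host=ws01 user=alice process=C:\\Program Files\\Office\\winword.exe",
    "2024-03-01T09:00:00Z host=ws02 user=bob process=C:\\Windows\\System32\\svchost.exe",
]
PRODUCTION_EVENTS = [
    "2024-03-02T10:00:00Z host=ws01 user=alice process=C:\\Windows\\explorer.exe",
    "2024-03-02T10:05:00Z host=ws01 user=alice process=C:\\Users\\alice\\Downloads\\updater.exe",
    "2024-03-02T11:00:00Z host=ws02 user=bob process=C:\\Tools\\nc.exe",
    "2024-03-02T11:30:00Z host=ws02 user=bob process=C:\\Windows\\System32\\SVCHOST.EXE",
    "this line is not a process-creation event",
]

# Constructed contents for the restricted-program set; the guide's
# "UBA : Restricted Program Filenames" reference set is blank by default.
RESTRICTED_PROGRAMS = {"nc.exe", "ncat.exe"}

RULE_OUTSIDE_WHITELIST = "UBA : Process Executed Outside Gold Disk Whitelist"
RULE_RESTRICTED = "UBA : Restricted Program Usage"
# Default senseValues as listed in the guide for these two rules.
RULE_SENSE_VALUE = {RULE_OUTSIDE_WHITELIST: 15, RULE_RESTRICTED: 5}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) process=(?P<proc>.+)$"
)


def normalize_filename(path):
    """Reference sets hold bare binary names: keep the basename, lower-cased,
    so that path and case differences do not defeat the match."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def parse_event(line):
    """Return a dict with ts/host/user/filename, or None for non-matching lines."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["filename"] = normalize_filename(ev.pop("proc"))
    return ev


def populate_reference_set(lines):
    """Learning phase (the role of a 'Populate' utility rule): collect every
    filename seen. Run it only over a window you trust to be clean, because
    anything executed during the window becomes part of the whitelist."""
    return {ev["filename"] for ev in map(parse_event, lines) if ev is not None}


def evaluate_events(lines, gold_disk, restricted):
    """Detection phase. Returns (rule, user, filename) tuples, one per match.
    Refuses to run with an empty whitelist: with nothing populated, every
    process would alert, which is why the guide keeps the rule disabled until
    the reference set is filled."""
    if not gold_disk:
        raise ValueError("populate the gold disk whitelist before enabling the rule")
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # not a process-creation event; the rules do not apply
        filename, user = ev["filename"], ev["user"]
        if filename not in gold_disk:
            alerts.append((RULE_OUTSIDE_WHITELIST, user, filename))
        if filename in restricted:
            alerts.append((RULE_RESTRICTED, user, filename))
    return alerts


def risk_by_user(alerts):
    """Simplified per-user score: the sum of the matched rules' default
    senseValues (this example's simplification, not the app's scoring)."""
    score = defaultdict(int)
    for rule, user, _ in alerts:
        score[user] += RULE_SENSE_VALUE[rule]
    return dict(score)


if __name__ == "__main__":
    whitelist = populate_reference_set(LEARNING_EVENTS)
    hits = evaluate_events(PRODUCTION_EVENTS, whitelist, RESTRICTED_PROGRAMS)
    for hit in hits:
        print(hit)
    print(risk_by_user(hits))
```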

84 UBA : Restricted Program Usage UBA : Restricted Program Usage False 5 Indicates that a process is created and the process name matches one of the binary names listed in the reference set "UBA : Restricted Program Filenames". This reference set is blank by default so that you can customize it. You can populate the reference set with file names that you want to monitor for risk management. For more information about adding or removing programs for monitoring, see Managing restricted programs. Microsoft Windows Security Event Log Related concepts UBA : Detect IOCs For Locky UBA : Detect IOCs for WannaCry UBA : Detect Persistent SSH session UBA : Internet Settings Modified UBA : Malware Activity - Registry Modified In Bulk UBA : Process Executed Outside Gold Disk Whitelist (Linux) UBA : Process Executed Outside Gold Disk Whitelist (Windows) UBA : Ransomware Behavior Detected UBA : ShellBags Modified By Ransomware 80 IBM QRadar User Behavior Analytics (UBA) app: User Guide

85 UBA : User Installing Suspicious Application UBA : User Running New Process UBA : Volume Shadow Copy Created UBA : ShellBags Modified By Ransomware UBA : ShellBags Modified By Ransomware True 10 Detects ShellBag registry modifications that indicate typical malware or ransomware behavior. Microsoft Windows Security Event Logs Related concepts UBA : Detect IOCs For Locky UBA : Detect IOCs for WannaCry UBA : Detect Persistent SSH session UBA : Internet Settings Modified UBA : Malware Activity - Registry Modified In Bulk UBA : Process Executed Outside Gold Disk Whitelist (Linux) UBA : Process Executed Outside Gold Disk Whitelist (Windows) Reference 81

UBA : User Installing Suspicious Application
Supports the following rules: UBA : User Installing Suspicious Application, UBA : Populate Authorized Applications
Enabled by default: False
senseValue: 15
Description: Detects application installation events and then alerts when suspicious applications are seen.
Note: Populate the reference set "UBA : Authorized Applications" with the names of the applications that are authorized in your organization. The rule "UBA : Populate Authorized Applications" can be enabled for a short time to do this: while it is enabled, it adds the names of the applications that are installed to the reference set "UBA : Authorized Applications". The rule is disabled by default; enable it only for a short time, while users are installing applications, to collect the names.
Log source types: Microsoft Windows Security Event Logs

UBA : User Running New Process
Supports the following rules: UBA : User Running New Process, UBA : Populate Process Filenames
Enabled by default: False
senseValue: 15
Description: Detects processes that are created by the user and then alerts when a user runs a new process. The utility rule "UBA : Populate Process Filenames" populates the reference set "UBA : Process Filenames" that "UBA : User Running New Process" checks against. The utility rule is disabled by default; enable it only for a short time to populate the file names.
Log source types: Microsoft Windows System Event Log

UBA : Volume Shadow Copy Created
Enabled by default: True
senseValue: 15
Description: Detects shadow copies that were created by using vssadmin.exe or Windows Management Instrumentation Command-line (WMIC).
Log source types: Microsoft Windows Security Event Logs
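The populate-then-alert pattern that "UBA : User Running New Process" and "UBA : User Installing Suspicious Application" share, modelled in Python as an added example (this is not code from the UBA app or from QRadar). It also carries the per-entry time-to-live that the guide describes for the "Critical Systems Users Seen" reference collection under User access, so an entry that ages out alerts again as if it were new. Assumed: the simplified key=value log line format, the 90-day TTL, and that a detected first occurrence is then recorded as known.

```python
"""Model of the populate-then-alert pattern used by "UBA : User Running New Process".

Constructed example, not code from the UBA app or from QRadar. The utility rule
"UBA : Populate Process Filenames" fills a reference set while it is enabled; the
detection rule then fires for any process name that is not in the set. The
reference set here also carries a per-entry time-to-live, the mechanism the guide
describes for the "Critical Systems Users Seen" collection, so that an entry
that has not been seen within the TTL alerts again as if it were new.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Event:
    ts: datetime
    username: str
    process: str  # base name of the executable, lower-cased


# Simplified key=value process-creation lines (constructed; not real QRadar output).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4688 User=(?P<user>\S+) NewProcessName=(?P<proc>\S+)$"
)


def parse_line(line: str) -> Event:
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparsable line: {line!r}")
    base = m["proc"].rsplit("\\", 1)[-1].lower()
    return Event(datetime.fromisoformat(m["ts"]), m["user"], base)


@dataclass
class ReferenceSet:
    """A QRadar-style reference set: keys with a last-seen time and an optional TTL."""
    ttl: Optional[timedelta] = None
    entries: Dict[str, datetime] = field(default_factory=dict)

    def contains(self, key: str, now: datetime) -> bool:
        seen = self.entries.get(key)
        if seen is None:
            return False
        if self.ttl is not None and now - seen > self.ttl:
            del self.entries[key]  # aged out: treated as never seen
            return False
        return True

    def touch(self, key: str, now: datetime) -> None:
        self.entries[key] = now


class SeenBeforeDetector:
    """Alerts when the key derived from an event is not (or no longer) in the set."""

    def __init__(self, key_of: Callable[[Event], str], ttl: Optional[timedelta] = None):
        self.key_of = key_of
        self.ref = ReferenceSet(ttl)
        self.populate_enabled = False  # the utility rule, off by default as in the guide
        self.alerts: List[Tuple[str, str, str]] = []

    def handle(self, ev: Event) -> Optional[Tuple[str, str, str]]:
        key = self.key_of(ev)
        known = self.ref.contains(key, ev.ts)
        alert = None
        if not self.populate_enabled and not known:
            alert = (ev.ts.isoformat(), ev.username, ev.process)
            self.alerts.append(alert)
        # The populate rule, a match, and (assumption) a first detection all
        # record the key with the current time, so the TTL counts from last seen.
        self.ref.touch(key, ev.ts)
        return alert


# Constructed sample data: a short learning window, then normal operation.
LEARNING_LINES = [
    r"2024-03-01T09:00:00 EventID=4688 User=alice NewProcessName=C:\Windows\System32\cmd.exe",
    r"2024-03-01T09:05:00 EventID=4688 User=bob NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
]
DETECTION_LINES = [
    r"2024-03-02T10:00:00 EventID=4688 User=alice NewProcessName=C:\Windows\System32\cmd.exe",
    r"2024-03-02T10:01:00 EventID=4688 User=alice NewProcessName=C:\Users\alice\Downloads\updater.exe",
    r"2024-07-01T08:00:00 EventID=4688 User=bob NewProcessName=C:\Windows\System32\cmd.exe",
]


def run_demo(ttl_days: Optional[int] = 90) -> List[Tuple[str, str, str]]:
    """Learn from LEARNING_LINES, then detect over DETECTION_LINES; return the alerts."""
    ttl = timedelta(days=ttl_days) if ttl_days is not None else None
    det = SeenBeforeDetector(key_of=lambda e: e.process, ttl=ttl)
    det.populate_enabled = True  # enable the populate rule for a short time
    for line in LEARNING_LINES:
        det.handle(parse_line(line))
    det.populate_enabled = False  # disable it again before watching for new processes
    for line in DETECTION_LINES:
        det.handle(parse_line(line))
    return det.alerts


if __name__ == "__main__":
    for ts, user, proc in run_demo():
        print(f"{ts} {user} ran new process {proc}")
```

With the 90-day TTL the third detection line alerts again because cmd.exe was last seen more than 90 days earlier; with no TTL it stays known.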

System monitoring (Sysmon)

For more information about IBM QRadar Content for Sysmon, see exchange.xforce.ibmcloud.com/hub/extension/e41e758e2abcd09219a9d0.

UBA : Common Exploit Tools Detected
Enabled by default: False
senseValue: 10
Description: Detects the use of commonly used exploit tools such as keyloggers and PsExec.
Log source types: Microsoft Windows Security Event Logs

UBA : Common Exploit Tools Detected (Asset)
Enabled by default: False
senseValue: 10
Description: Detects the use of commonly used exploit tools such as keyloggers and PsExec.
Log source types: Microsoft Windows Security Event Logs

UBA : Malicious Process Detected
Enabled by default: False
senseValue: 10
Description: Detects processes that indicate malicious behavior on Windows hosts.
Log source types: Microsoft Windows Security Event Logs

UBA : Process Creating Suspicious Remote Threads Detected (Asset)
Enabled by default: False
senseValue: 10
Description: Detects processes that are suspiciously creating threads on a remote machine.
Log source types: Microsoft Windows Security Event Logs

UBA : Suspicious Activities on Compromised Hosts
Enabled by default: False
senseValue: 10
Description: Detects activities that are performed on a compromised host.
Log source types: Microsoft Windows Security Event Logs

UBA : Suspicious Activities on Compromised Hosts (Assets)
Enabled by default: False
senseValue: 10
Description: Detects activities that are performed on a compromised host.
Log source types: Microsoft Windows Security Event Logs

UBA : Suspicious Administrative Activities Detected
Enabled by default: False
senseValue: 10
Description: Detects rarely performed administrative activities that appear suspicious.
Log source types: Microsoft Windows Security Event Logs

UBA : Suspicious Command Prompt Activity
Enabled by default: False
senseValue: 10
Description: Detects activities around command prompt scripts.
Log source types: Microsoft Windows Security Event Logs

UBA : Suspicious Entries in System Registry (Asset)
Enabled by default: False
senseValue: 10
Description: Detects suspicious activities that involve Windows Registry modifications or updates.
Log source types: Microsoft Windows Security Event Logs

UBA : Suspicious Image Load Detected (Asset)
Enabled by default: False
senseValue: 10
Description: Detects suspicious images that are loaded into sensitive locations.
Log source types: Microsoft Windows Security Event Logs

UBA : Suspicious Pipe Activities (Asset)
Enabled by default: False
senseValue: 10
Description: Detects suspicious activities that involve process pipes on Windows hosts.
Log source types: Microsoft Windows Security Event Logs

UBA : Suspicious PowerShell Activity
Enabled by default: False
senseValue: 10
Description: Detects activities around Microsoft PowerShell scripts.
Log source types: Microsoft Windows Security Event Logs

UBA : Suspicious PowerShell Activity (Asset)
Enabled by default: False
senseValue: 10
Description: Detects activities around Microsoft PowerShell scripts. This rule requires the "Search assets for username, when username is not available for event or flow data" functionality to be enabled.
Log source types: Microsoft Windows Security Event Logs

UBA : Suspicious Scheduled Task Activities
Enabled by default: False
senseValue: 10
Description: Detects the suspicious creation of scheduled tasks on Windows hosts.
Log source types: Microsoft Windows Security Event Logs

UBA : Suspicious Service Activities
Enabled by default: False
senseValue: 10
Description: Detects suspicious service activities on Windows computers.
Log source types: Microsoft Windows Security Event Logs

UBA : Suspicious Service Activities (Asset)
Enabled by default: False
senseValue: 10
Description: Detects suspicious service activities on Windows computers.
Log source types: Microsoft Windows Security Event Logs

UBA : User Access Control Bypass Detected (Asset)
Enabled by default: False
senseValue: 10
Description: Detects process activities that indicate a User Account Control (UAC) bypass.
Log source types: Microsoft Windows Security Event Logs

Time and geography

UBA : User Anomalous Geography
Enabled by default: True
senseValue: 5
Description: Indicates that multiple locations or sources are using the same user account simultaneously. Adjust the match and duration parameters to tune responsiveness.
Log source types: APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDoS Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, it-cube agilesi

UBA : User Geography Change
Enabled by default: True
senseValue: 5
Description: A match indicates that a user logged in remotely from a country that is different from the country of the user's last remote login. This rule might also indicate an account compromise, particularly if the rule matches occurred closely in time.
Log source types: the same list as for "UBA : User Anomalous Geography".
Support rule: User Geography Map. This rule updates the associated reference sets with the required data.

UBA : User Geography, Access from Unusual Locations
Enabled by default: True
senseValue: 15
Description: Indicates that users were able to authenticate in countries that are unusual for your network, as defined by the building block rule "UBA : BB : Unusual Source Locations".
Log source types: the same list as for "UBA : User Anomalous Geography".

UBA : User Time, Access at Unusual Times
Enabled by default: True
senseValue: 5
Description: Indicates that users are successfully authenticating at times that are unusual for your network, as defined by the "UBA: Unusual Times, %" building blocks.
Log source types: the same list as for "UBA : User Anomalous Geography".

User access

UBA : User Access - First Access to Critical Assets
Supports the following rules: UBA : User Access First Access to Critical Assets, UBA : Critical Systems Users Seen Update
Enabled by default: True
senseValue: 10
Description: UBA : User Access First Access to Critical Assets: Indicates that this is the first time the user accessed a critical asset. The "Critical Systems Users Seen" reference collection governs the time-to-live of an observation. By default, this rule detects the first access in three months. UBA : Critical Systems Users Seen Update: Updates the last seen value in the "Critical Systems Users Seen" reference collection for Destination IP/Username matches that already exist.
Log source types: the same list as for "UBA : User Anomalous Geography" (see Time and geography).

UBA : User Accessing Account from Anonymous Source
Enabled by default: True
senseValue: 15
Description: Indicates that a user is accessing internal resources from an anonymous source such as TOR or a VPN.
Log source types: APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security
Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Reference 99

104 Injected, Extreme 800-Series Switch,Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino,IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile,IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/os, IBM zsecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager,Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance,McAfee epolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server,Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDos Secure, Netskope Active, Niara, Nortel Application Switch, Nortel 
Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500,Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell edirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series,Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit,SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM,Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSMVMware vcloud Director, VMware vshield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, it-cube agilesi UBA : User Access Login Anomaly UBA : User Access Login Anomaly True 5 Indicates a sequence of login failures on a local asset. The rule might also indicate an account compromise or lateral movement activity. 
Ensure that the Multiple Login Failures for Single Username rule is enabled. Adjust the match and time duration parameters for this rule to tune the responsiveness.
Log source types: All supported log sources.

UBA : User Access - Failed Access to Critical Assets
Rule name: UBA : User Access - Failed Access to Critical Assets
Enabled by default: True
senseValue: 5
Description: This rule detects authentication failures for systems that are listed in the Critical Assets reference set.
Log source types: 3Com 8800 Series Switch, APC UPS, AhnLab Policy Center APC, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Bluemix Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco FireSIGHT Management Center, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM z/OS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, CyberGuard TSP Firewall/VPN, DCN DCS/DCRS Series, DG Technology MEAS, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM Guardium, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, ISC BIND, Illumio Adaptive Security Platform, Imperva SecureSphere, Infoblox NIOS, Itron Smart Meter, Juniper Junos OS Platform, Juniper Junos WebApp Secure, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Lieberman Random Password Manager, LightCyber Magna, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft SCOM, Microsoft SQL Server, Microsoft SharePoint, Microsoft Windows Security Event Log, Motorola SymbolAP, Netskope Active, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, Okta, Open LDAP Software, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Monitoring, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, Venustech Venusense Security Platform, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, it-cube agileSI

UBA : User Access to Internal Server From Jump Server
Rule name: UBA : User Access to Internal Server From Jump Server
Enabled by default: False
senseValue: 10
Description: Detects when a user uses a jump server to access the VPN or internal servers.
Log source types: APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM z/OS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDoS Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, it-cube agileSI

UBA : Windows Access with Service or Machine Account
Rule name: UBA : Windows Access with Service or Machine Account
Enabled by default: True
senseValue: 15
Description: Detects any interactive session (RDP, local login) that is initiated by a service or machine account on Windows Server. Accounts are listed in the UBA : Service, Machine Account reference set. Edit the list to add or remove the accounts that you want to flag in your environment.
Log source types: Microsoft Windows Security Event Log

UBA : Unix/Linux System Accessed With Service or Machine Account
Rule name: UBA : Unix/Linux System Accessed With Service or Machine Account
Enabled by default: True
senseValue: 15
Description: Detects any interactive session (through GUI and CLI, both local and remote login) that is initiated by a service or machine account on UNIX and Linux servers. Accounts and allowed interactive sessions are listed in the UBA : Service, Machine Account and the UBA : Allowed Interaction Session reference sets. Edit the reference sets to add or remove the interactive sessions that you want to flag in your environment.
Log source types: Linux OS

UBA : Executive Only Asset Accessed by Non-Executive User
Rule name: UBA : Executive Only Asset Accessed by Non-Executive User
Enabled by default: False
senseValue: 15
Description: Detects when a non-executive user logs on to an asset that is for executive use only. Two empty reference sets are imported with this rule: "UBA : Executive Users" and "UBA : Executive Assets". Edit the reference sets to add or remove the accounts and IP addresses that you want to flag in your environment. Enable this rule after you configure the reference sets.
Log source types: APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter, CorreLog Agent for IBM z/OS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft Windows Security Event Log, Motorola SymbolAP, NCC Group DDoS Secure, Netskope Active, Niara, Nortel Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, it-cube agileSI

UBA : Unauthorized Access
Rule name: UBA : Unauthorized Access
Enabled by default: True
senseValue: 10
Description: Indicates that unauthorized access activities were found.
Log source types: Akamai KONA, Amazon AWS CloudTrail, Application Security DbProtect, Arbor Networks Pravail, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Blue Coat Web Security Service, BlueCat Networks Adonis, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CRE System, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco Nexus, Cisco PIX Firewall, Cisco Wireless Services Module (WiSM), Citrix NetScaler, Configurable Firewall Filter, CorreLog Agent for IBM z/OS, Custom Rule Engine, DCN DCS/DCRS Series, DG Technology MEAS, EMC VMWare, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Epic SIEM, Event CRE Injected, Extreme Dragon Network IPS, Extreme Stackable and Standalone Switches, F5 Networks BIG-IP AFM, F5 Networks BIG-IP ASM, Fidelis XPS, Flow Classification Engine, Forcepoint V Series, Fortinet FortiGate Security Gateway, Foundry Fastiron, H3C Comware Platform, HP Network Automation, HP Tandem, Honeycomb Lexicon File Integrity Monitor, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Server, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM Guardium, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Mobile, IBM Security Identity Manager, IBM Security Network IPS (GX), IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, ISC BIND, Illumio Adaptive Security Platform, Imperva Incapsula, Imperva SecureSphere, Juniper Junos OS Platform, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper WirelessLAN, Juniper vGW, Kaspersky Security Center, Kisco Information Systems SafeNet/i, Lieberman Random Password Manager, Linux DHCP Server, Linux OS, Linux iptables Firewall, Mac OS X, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee Web Gateway, McAfee ePolicy Orchestrator, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SQL Server, Microsoft Windows Security Event Log, NCC Group DDoS Secure, Nortel Contivity VPN Switch, Nortel Multiprotocol Router, Nortel VPN Gateway, OS Services Qidmap, OSSEC, Okta, Open LDAP Software, OpenBSD OS, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Palo Alto PA Series, PostFix MailTransferAgent, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, Solaris Operating System Authentication Messages, Solaris Operating System DHCP Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Sophos Enterprise Console, Sophos Web Security Appliance, Squid Web Proxy, Stonesoft Management Center, Sun ONE LDAP, Symantec Critical System Protection, Symantec Endpoint Protection, Symantec Gateway Security (SGS) Appliance, Symantec System Center, Symark Power Broker, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend InterScan VirusWall, Trend Micro Deep Security, Universal DSM, Venustech Venusense Security Platform, Vormetric Data Security, WatchGuard Fireware OS, Zscaler Nss, genua genugate, it-cube agileSI

UBA : Repeat Unauthorized Access
Rule name: UBA : Repeat Unauthorized Access
Enabled by default: True
senseValue: 10
Description: Indicates that repeat unauthorized access activities were found.
Log source types: Akamai KONA, Amazon AWS CloudTrail, Application Security DbProtect, Arbor Networks Pravail, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Blue Coat Web Security Service, BlueCat Networks Adonis, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CRE System, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco Nexus, Cisco PIX Firewall, Cisco Wireless Services Module (WiSM), Citrix NetScaler, Configurable Firewall Filter, CorreLog Agent for IBM z/OS, Custom Rule Engine, DCN DCS/DCRS Series, DG Technology MEAS, EMC VMWare, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Epic SIEM, Event CRE Injected, Extreme Dragon Network IPS, Extreme Stackable and Standalone Switches, F5 Networks BIG-IP AFM, F5 Networks BIG-IP ASM, Fidelis XPS, Flow Classification Engine, Forcepoint V Series, Fortinet FortiGate Security Gateway, Foundry Fastiron, H3C Comware Platform, HP Network Automation, HP Tandem, Honeycomb Lexicon File Integrity Monitor, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Server, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM Guardium, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Mobile, IBM Security Identity Manager, IBM Security Network IPS (GX), IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, ISC BIND, Illumio Adaptive Security Platform, Imperva Incapsula, Imperva SecureSphere, Juniper Junos OS Platform, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper WirelessLAN, Juniper vGW, Kaspersky Security Center, Kisco Information Systems SafeNet/i, Lieberman Random Password Manager, Linux DHCP Server, Linux OS, Linux iptables Firewall, Mac OS X, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee Web Gateway, McAfee ePolicy Orchestrator, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SQL Server, Microsoft Windows Security Event Log, NCC Group DDoS Secure, Nortel Contivity VPN Switch, Nortel Multiprotocol Router, Nortel VPN Gateway, OS Services Qidmap, OSSEC, Okta, Open LDAP Software, OpenBSD OS, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Palo Alto PA Series, PostFix MailTransferAgent, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, Solaris Operating System Authentication Messages, Solaris Operating System DHCP Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Sophos Enterprise Console, Sophos Web Security Appliance, Squid Web Proxy, Stonesoft Management Center, Sun ONE LDAP, Symantec Critical System Protection, Symantec Endpoint Protection, Symantec Gateway Security (SGS) Appliance, Symantec System Center, Symark Power Broker, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend InterScan VirusWall, Trend Micro Deep Security, Universal DSM, Venustech Venusense Security Platform, Vormetric Data Security, WatchGuard Fireware OS, Zscaler Nss, genua genugate, it-cube agileSI

Unusual scanning

For more information, see IBM Security Reconnaissance Content.

UBA : Unusual Scanning of DHCP Servers Detected
Rule name: UBA : Unusual Scanning of DHCP Servers Detected
Enabled by default: False
senseValue: 15
Description: Detects unusual scanning of DHCP servers in the network.

UBA : Unusual Scanning of Database Servers Detected
Rule name: UBA : Unusual Scanning of Database Servers Detected
Enabled by default: False
Default senseValue: 15
Description: Detects unusual scanning in the network to database servers.

UBA : Unusual Scanning of DNS Servers Detected
Rule name: UBA : Unusual Scanning of DNS Servers Detected
Enabled by default: False
Default senseValue: 15
Description: Detects unusual scanning in the network to DNS servers.

UBA : Unusual Scanning of FTP Servers Detected
Rule name: UBA : Unusual Scanning of FTP Servers Detected
Enabled by default: False
Default senseValue: 15
Description: Detects unusual scanning in the network to FTP servers.

UBA : Unusual Scanning of Game Servers Detected
Rule name: UBA : Unusual Scanning of Game Servers Detected
Enabled by default: False
Default senseValue: 15
Description: Detects unusual scanning in the network to game servers.

UBA : Unusual Scanning of Generic ICMP Detected
Rule name: UBA : Unusual Scanning of Generic ICMP Detected
Enabled by default: False
Default senseValue: 15
Description: Detects unusual scanning in the network on servers that use the ICMP protocol.

UBA : Unusual Scanning of Generic TCP Detected
Rule name: UBA : Unusual Scanning of Generic TCP Detected
Enabled by default: False
Default senseValue: 15
Description: Detects unusual scanning in the network on servers that use common TCP ports.

UBA : Unusual Scanning of Generic UDP Detected
Rule name: UBA : Unusual Scanning of Generic UDP Detected
Enabled by default: False
Default senseValue: 15
Description: Detects unusual scanning in the network on servers that use common UDP ports.

UBA : Unusual Scanning of IRC Servers Detected
Rule name: UBA : Unusual Scanning of IRC Servers Detected
Enabled by default: False
Default senseValue: 15
Description: Detects unusual scanning in the network to IRC servers.

UBA : Unusual Scanning of LDAP Servers Detected
Rule name: UBA : Unusual Scanning of LDAP Servers Detected
Enabled by default: False
Default senseValue: 15
Description: Detects unusual scanning in the network to LDAP servers.

UBA : Unusual Scanning of Mail Servers Detected
Rule name: UBA : Unusual Scanning of Mail Servers Detected
Enabled by default: False
Default senseValue: 15
Description: Detects unusual scanning in the network to mail servers.

UBA : Unusual Scanning of Messaging Servers Detected
Rule name: UBA : Unusual Scanning of Messaging Servers Detected
Enabled by default: False
Default senseValue: 15
Description: Detects unusual scanning in the network to messaging servers.

UBA : Unusual Scanning of P2P Servers Detected
Rule name: UBA : Unusual Scanning of P2P Servers Detected
Enabled by default: False
Default senseValue: 15
Description: Detects unusual scanning in the network to P2P servers.

UBA : Unusual Scanning of Proxy Servers Detected
Rule name: UBA : Unusual Scanning of Proxy Servers Detected
Enabled by default: False
Default senseValue: 15
Description: Detects unusual scanning in the network to proxy servers.

UBA : Unusual Scanning of RPC Servers Detected
Rule name: UBA : Unusual Scanning of RPC Servers Detected
Enabled by default: False
Default senseValue: 15
Description: Detects unusual scanning in the network to RPC servers.

UBA : Unusual Scanning of SNMP Servers Detected
Rule name: UBA : Unusual Scanning of SNMP Servers Detected
Enabled by default: False
Default senseValue: 15
Description: Detects unusual scanning in the network to SNMP servers.

UBA : Unusual Scanning of SSH Servers Detected
Rule name: UBA : Unusual Scanning of SSH Servers Detected
Enabled by default: False
Default senseValue: 15
Description: Detects unusual scanning in the network to SSH servers.

UBA : Unusual Scanning of Web Servers Detected
Rule name: UBA : Unusual Scanning of Web Servers Detected
Enabled by default: False
Default senseValue: 15
Description: Detects unusual scanning in the network to web servers.

UBA : Unusual Scanning of Windows Servers Detected
Rule name: UBA : Unusual Scanning of Windows Servers Detected
Enabled by default: False
Default senseValue: 15
Description: Detects unusual scanning in the network to Windows servers.

VPN access

UBA : Multiple VPN Accounts Failed Login From Single IP
Rule name: UBA : Multiple VPN Accounts Failed Login From Single IP
Enabled by default: True
Default senseValue: 5
Description: Detects any VPN account login failures from the "UBA : Multiple VPN Accounts Failed Login From Single IP" reference set.
Support rule: UBA : Populate Multiple VPN Accounts Failed Login From Single IP
Log source types: Cisco Adaptive Security Appliance (ASA)
Related concepts:
UBA : Multiple VPN Accounts Logged In From Single IP
UBA : VPN Access By Service or Machine Account
UBA : VPN Certificate Sharing

UBA : Multiple VPN Accounts Logged In From Single IP
Rule name: UBA : Multiple VPN Accounts Logged In From Single IP
Enabled by default: False
Default senseValue: 5
Description: Maps multiple VPN users that are coming from the same IP address and then raises the risk score. When the rule detects VPN users coming from the same IP address, the IP address is added to the "UBA : Multiple VPN Accounts Logged In From Single IP" reference set. Before enabling this rule, make sure the rule "UBA : Populate Multiple VPN Accounts Logged In From Single IP" is enabled and the "UBA : Multiple VPN Accounts Logged In From Single IP" reference set has data.
Support rule: UBA : Populate Multiple VPN Accounts Logged In From Single IP
Log source types: Cisco Adaptive Security Appliance (ASA)
Related concepts:
UBA : Multiple VPN Accounts Failed Login From Single IP
UBA : VPN Access By Service or Machine Account
UBA : VPN Certificate Sharing

UBA : VPN Access By Service or Machine Account
Rule name: UBA : VPN Access By Service or Machine Account
Enabled by default: True
Default senseValue: 10
Description: Detects when a Cisco VPN is accessed by a service or machine account. Accounts are listed in the 'UBA : Service, Machine Account' reference set. Edit this list to add or remove any accounts to flag from your environment.
Log source types: Cisco Adaptive Security Appliance (ASA)
Related concepts:
UBA : Multiple VPN Accounts Failed Login From Single IP
UBA : Multiple VPN Accounts Logged In From Single IP
UBA : VPN Certificate Sharing

UBA : VPN Certificate Sharing
Rule name: UBA : VPN Certificate Sharing
Enabled by default: True
Note: If you plan to use the UBA : VPN Certificate Sharing rule, you must update the Cisco Firewall DSM to the following:
For V7.2.8: DSM-CiscoFirewallDevices noarch.rpm
For V7.3.0 and later: DSM-CiscoFirewallDevices noarch.rpm
Default senseValue: 15
X-Force
Description: This rule detects when a VPN event's Username is not equal to 'VPNSubjectcn'. This could indicate that VPN certificate sharing is occurring. Certificate sharing or other authentication token sharing can make it difficult to identify who has done what, which complicates taking next steps in the event of a compromise.
Support rules: UBA : Subject_CN and Username Mapping; UBA : Subject_CN and Username Map Update. These rules update the associated reference sets with the required data.
Log source types: Cisco Adaptive Security Appliance (ASA)
Related concepts:
UBA : Multiple VPN Accounts Failed Login From Single IP
UBA : Multiple VPN Accounts Logged In From Single IP
UBA : VPN Access By Service or Machine Account

X-Force Risky IP, Anonymization
Rule name: X-Force Risky IP, Anonymization
Enabled by default: True
Description: This rule detects when a local user or host is connecting to an external anonymization service.
Log source types: All supported log sources.

X-Force Risky IP, Botnet
Rule name: X-Force Risky IP, Botnet
Enabled by default: True
Description: This rule detects when a local user or host is connecting to a botnet command and control server.
Log source types: All supported log sources.

X-Force Risky IP, Dynamic
Rule name: X-Force Risky IP, Dynamic
Enabled by default: True
Description: This rule detects when a local user or host is connecting to a dynamically assigned IP address.
Log source types: All supported log sources.

X-Force Risky IP, Malware
Rule name: X-Force Risky IP, Malware
Enabled by default: True
Description: This rule detects when a local user or host is connecting to a malware host.
Log source types: All supported log sources.

X-Force Risky IP, Spam
Rule name: X-Force Risky IP, Spam
Enabled by default: True
Description: This rule detects when a local user or host is connecting to a spam-sending host.
Log source types: All supported log sources.

X-Force Risky URL
Rule name: X-Force Risky URL
Enabled by default: True
Description: This rule detects when a local user is accessing questionable online content.
Log source types: Juniper SRX Series Services Gateway, Microsoft ISA, Pulse Secure Pulse Connect Secure
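The four VPN access rules above share one pattern: a support rule populates a reference set from what it sees, and the detection rule raises the risk score of users whose events hit that set or fail a check (service account in the 'UBA : Service, Machine Account' set, Username not equal to VPNSubjectcn). The following Python is an added illustration of that logic, not code from the UBA app or from IBM. It runs over constructed events with a simplified field schema (the real rules read normalized Cisco ASA events), uses the default senseValues from the tables above, and stands in a constructed Python set for the 'UBA : Service, Machine Account' reference set.

```python
"""Detection logic mirroring the UBA VPN access rules, run over constructed events.

Added illustration, not UBA app code. The event schema below (user, src_ip,
outcome, subject_cn) is a simplification, not the Cisco ASA log format.
"""
from collections import defaultdict

# Constructed sample VPN events (assumption: the rules see normalized fields
# equivalent to username, source IP, login outcome and certificate subject CN).
SAMPLE_EVENTS = [
    {"user": "alice", "src_ip": "203.0.113.10", "outcome": "success", "subject_cn": "alice"},
    {"user": "bob", "src_ip": "203.0.113.10", "outcome": "success", "subject_cn": "bob"},
    {"user": "carol", "src_ip": "203.0.113.20", "outcome": "success", "subject_cn": "carol"},
    # dave logs in with a certificate issued to alice: Username != VPNSubjectcn
    {"user": "dave", "src_ip": "203.0.113.20", "outcome": "success", "subject_cn": "alice"},
    {"user": "svc_backup", "src_ip": "198.51.100.5", "outcome": "success", "subject_cn": "svc_backup"},
    {"user": "erin", "src_ip": "198.51.100.9", "outcome": "failure", "subject_cn": "erin"},
    {"user": "frank", "src_ip": "198.51.100.9", "outcome": "failure", "subject_cn": "frank"},
    {"user": "grace", "src_ip": "198.51.100.9", "outcome": "failure", "subject_cn": "grace"},
]

# Default senseValues from the rule tables on this page.
SENSE_VALUES = {
    "UBA : Multiple VPN Accounts Failed Login From Single IP": 5,
    "UBA : Multiple VPN Accounts Logged In From Single IP": 5,
    "UBA : VPN Access By Service or Machine Account": 10,
    "UBA : VPN Certificate Sharing": 15,
}

# Constructed stand-in for the 'UBA : Service, Machine Account' reference set.
SERVICE_ACCOUNTS = {"svc_backup", "svc_monitor"}


def populate_shared_ip_set(events, outcome, min_accounts=2):
    """Mirror of the "UBA : Populate ..." support rules: collect the source IPs
    from which at least `min_accounts` distinct usernames produced `outcome`."""
    users_by_ip = defaultdict(set)
    for ev in events:
        if ev["outcome"] == outcome:
            users_by_ip[ev["src_ip"]].add(ev["user"])
    return {ip for ip, users in users_by_ip.items() if len(users) >= min_accounts}


def evaluate_rules(events, service_accounts):
    """Return the set of (rule name, user) pairs the four VPN rules would fire on.
    Each rule is counted once per user here, whatever the number of events."""
    hits = set()
    failed_ips = populate_shared_ip_set(events, "failure")
    shared_ips = populate_shared_ip_set(events, "success")
    for ev in events:
        user, ip, ok = ev["user"], ev["src_ip"], ev["outcome"] == "success"
        if not ok and ip in failed_ips:
            hits.add(("UBA : Multiple VPN Accounts Failed Login From Single IP", user))
        if ok and ip in shared_ips:
            hits.add(("UBA : Multiple VPN Accounts Logged In From Single IP", user))
        if ok and user in service_accounts:
            hits.add(("UBA : VPN Access By Service or Machine Account", user))
        if ok and ev["subject_cn"] != user:
            hits.add(("UBA : VPN Certificate Sharing", user))
    return hits


def risk_scores(events, service_accounts):
    """Sum the default senseValue of every rule each user triggered."""
    scores = defaultdict(int)
    for rule, user in evaluate_rules(events, service_accounts):
        scores[user] += SENSE_VALUES[rule]
    return dict(scores)


if __name__ == "__main__":
    for user, score in sorted(risk_scores(SAMPLE_EVENTS, SERVICE_ACCOUNTS).items()):
        print(f"{user:<12} risk +{score}")
```

With the constructed events, dave collects 20 (shared IP plus certificate mismatch), svc_backup 10, and the three accounts failing from 198.51.100.9 5 each; the two shared source IPs are exactly what the populate rule would write into the reference set.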

Chapter 8. Reference Data Import - LDAP app

Use the Reference Data Import - LDAP app to gather contextual identity information from multiple LDAP sources into your QRadar Console.

Note: The Reference Data Import - LDAP app requires QRadar V7.2.8 or later.

The app polls one or more LDAP servers for data and adds the data to new or existing reference data tables in QRadar. You can use the data to focus your investigations on specific groups, identify users by department, or use any other information that is available.

Using the LDAP data in QRadar
Every time the reference table is updated, a ReferenceDataUpdated event is triggered. You can set a time-to-live value for the LDAP data in the reference table. When the time-to-live period is exceeded, a ReferenceDataExpiry event is triggered. You can create rules that respond to these events, or create searches to query the payloads of these events on the QRadar Log Activity tab.

Accessing the Reference Data Import - LDAP app
Access the QRadar Reference Data Import - LDAP app by clicking the Reference Data Import LDAP icon in the Admin settings. For more information on reference data collections in QRadar, see the IBM QRadar SIEM Administration Guide.

Supported browsers for the LDAP app
For the features in IBM Security QRadar products to work properly, you must use a supported web browser. The following table lists the supported versions of web browsers.

Table 1: Supported web browsers for the QRadar Reference Data Import LDAP app
Web browser        Supported versions
Mozilla Firefox    45.2 Extended Support Release
Google Chrome      Latest

Creating an authorized service token

Before you can configure an LDAP server to add data to a reference table, you must create an authorized service token.

About this task
Note: After you submit the authorized service token, you must deploy changes for the new authorized service token to take effect.

IBM QRadar requires that you use an authentication token to authenticate the API calls that the Reference Data Import - LDAP app makes. You use the Manage Authorized Services window in the Admin settings to create an authorized service token.

Procedure
1. On the Reference Data Import - LDAP app window, click Configure.
2. In the Configure Authorized Service Token dialog box, click Manage Authorized Services.
3. In the Manage Authorized Services window, click Add Authorized Service.
4. Add the relevant information in the following fields and click Create Service:
   a) In the Service Name field, type a name for this authorized service. The name can be up to 255 characters in length.
   b) From the User Role list, select Admin.
   c) From the Security Profile list, select the security profile that you want to assign to this authorized service. The security profile determines the networks and log sources that this service can access on the QRadar user interface.
   d) In the Expiry Date list, type or select a date for this service to expire. If an expiry date is not necessary, select No Expiry.
5. Click the row that contains the service you created, select and copy the token string in the Selected Token field on the menu bar, and close the Manage Authorized Services window.
6. In the Configure Authorized Service Token dialog box, paste the token string into the Token field, and click OK.
7. Deploy changes for the new authorized service token to take effect.

What to do next
Adding an LDAP configuration on page 121

Adding a private root certificate authority

You can upload a private root certificate authority (CA) bundle to IBM QRadar for use with the LDAP app.

Procedure
1. Open the Admin settings:
   In IBM QRadar V7.3.0 or earlier, click the Admin tab.
   In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the Admin tab.
2. Click the Reference Data Import LDAP icon.
3. On the Reference Data Import LDAP app main window, click Configure.
4. Click Choose File and then click Upload. Only the .pem file type is supported.
5. Click OK.

Adding an LDAP configuration

Add LDAP server information that you use to insert user data into a reference map of maps.

Before you begin
You must create and add an authentication token to the Reference Data Import - LDAP app before you can add an LDAP configuration.

Procedure
1. On the Reference Data Import - LDAP app window, click Add Import.
2. Enter the following information on the LDAP Configuration tab:
   a) Enter a URL that begins with ldap:// or ldaps:// (for TLS) in the LDAP URL field.
   b) Enter the point in the LDAP directory tree from where the server must search for users in the Base DN field. For example, if your LDAP server was on the domain example.com, you might use: dc=example,dc=com
   c) Enter the attribute or attributes you want to use to sort the data that is imported into the reference table in the Filter field. For example: cn=*; uid=*; sn=*. The following default values will work with Active Directory: (&(samaccountname=*) (samaccounttype= )).
   d) Enter the attributes you want to import into the reference table in the Attribute List field. The following default values will work with Active Directory: userprincipalname,cn,sn,telephonenumber,l,co,department,displayname,mail,title.
   e) Enter the user name that is used to authenticate to the LDAP server in the Username field.
   f) Enter the password for the LDAP server in the Password field.
3. Click Test Connection to confirm that IBM QRadar can connect to the LDAP server before you proceed. If your connection attempt is successful, information from your LDAP server is displayed on the LDAP Configuration tab.
4. Click Next.

What to do next
Add LDAP attribute mappings.

Related tasks
Creating an authorized service token
Before you can configure an LDAP server to add data to a reference table, you must create an authorized service token.
Adding LDAP attribute mappings
You can create aliases that map to the LDAP attributes you added on the LDAP configuration tab.
Adding a private root certificate authority on page 120

You can upload a private root certificate authority (CA) bundle to IBM QRadar for use with the LDAP app.

Adding LDAP attribute mappings

You can create aliases that map to the LDAP attributes you added on the LDAP configuration tab.

About this task
If you want to merge LDAP data from multiple sources into the same reference table, you can use custom aliases to differentiate LDAP attributes with the same name in different sources. When you add attributes to the Attributes field on the LDAP Configuration tab, they are added automatically to the LDAP Attribute Mapping tab.

Procedure
1. On the LDAP Attribute Mapping tab, enter a new name in the Alias field for any of the LDAP attributes you added and then click Add.
2. Click Next.

Note: Aliases must be unique.
Tip: You can create new LDAP fields by combining two attributes. For example, you can use the following syntax: "Last: {ln}, First: {fn}".

What to do next
Configure a reference data table to store LDAP data.

Related tasks
Adding a reference data configuration
Use the Reference Configuration tab to set up a reference data table to store LDAP data.
Creating a rule that responds to LDAP data updates
After you have configured the IBM QRadar Reference Data Import - LDAP app to store data from your LDAP server in a reference table in QRadar, you can use the data to create event rules.

Adding a reference data configuration

Use the Reference Configuration tab to set up a reference data table to store LDAP data.

Before you begin
After you configure your LDAP server information, you must set up a reference table to store the LDAP data that is passed to the app. You can then use the stored data to construct rules in QRadar or create searches and reports.

Procedure
1. Use the Reference Configuration tab to enter a new reference table or designate an existing reference table to which you want to add LDAP data.
   a) Enter a name for the reference data collection in the Reference Data field or select an existing reference data collection from the list.
   b) In the Outer key selection list, select Default or select the outer (unique) key selection based on your environment.
   c) The Generate map of sets check box is disabled by default. If you enable the check box, it sends data to a reference set format to improve QRadar searching and might impact performance.

   d) Use the Time to live fields to define how long you want the data to persist in the reference table. By default, the data you add never expires. When the time-to-live period is exceeded, a ReferenceDataExpiry event is triggered.
   Note: If you append data to an existing reference map of maps, the app uses the original time-to-live parameters. These parameters cannot be overridden on the Reference Configuration tab.
2. Click Next.

What to do next
Set the polling interval.

Related tasks
Configuring polling
Use the Polling Interval tab to configure how often the app polls your LDAP server for new information.

Configuring polling

Use the Polling Interval tab to configure how often the app polls your LDAP server for new information.

Before you begin
After you configure your LDAP server information and reference data collection, you configure how often you want the app to draw down data from the LDAP server.

Procedure
1. Use the Polling Interval in minutes field to define in minutes how often you want the app to poll your LDAP server for data. The minimum permissible polling interval value is
2. Enter a value for the number of records you want the poll to return in the Record retrieval limit field. By default, 100,000 records are returned. The maximum number of records that can be returned is 200,000.
3. The Paged results check box is selected by default to avoid limiting the number of records the LDAP server returns for each poll.
   Note: Paged results are not supported by all LDAP servers.
4. Click Save.

Results
Data from your LDAP server is added to the reference data collection you selected at the interval you configured. You can use the API page on your IBM QRadar console to check that data was added to the reference data collection.

Related tasks
Checking that data is added to the reference data collection
You can use the IBM QRadar API documentation page to test if data was added to the reference data collection you created.

Checking that data is added to the reference data collection

You can use the IBM QRadar API documentation page to test if data was added to the reference data collection you created.

About this task
The API Documentation page on your QRadar Console can show the data that is stored in the reference table that you created in the Reference Data Import - LDAP app. You can use the API Documentation page to check that LDAP information was updated by the app.

Procedure
1. Log in to the QRadar API Documentation page.
2. In the navigation tree, open the most recent API.
3. Go to /reference_data > /table > /name > GET.
4. In the Value field of the Name parameter, enter the name of the reference data collection you created to store LDAP information, and click Try it out!. The data added by the app is returned in the Response Body field.

Creating a rule that responds to LDAP data updates

After you have configured the IBM QRadar Reference Data Import - LDAP app to store data from your LDAP server in a reference table in QRadar, you can use the data to create event rules.

About this task
When you poll your LDAP server and data is added to the reference table, ReferenceDataUpdated events are triggered. When the time-to-live period you configured on the Reference Configuration tab is exceeded, a ReferenceDataExpiry event is triggered. You can create rules that respond to content within the ReferenceDataUpdated or ReferenceDataExpiry event payloads.

LDAP data stored by the app in a reference data collection is available to rules you can configure by using the QRadar Rules Wizard. The Rules Wizard can be accessed from the Offenses, Log Activity, or Network Activity tabs.

Procedure
1. Click Log Activity > Rules > Actions > New Event Rule.
2. On the Rule Wizard introduction page, click Next.
3. Ensure that the Events radio button is selected, and click Next.
4. Enter a name for the rule in the field provided.
5. Select a test from the Test Group list, and click the + icon beside the test you want to use. The rule test you select depends on the information you want to retrieve from the reference data collection that holds your LDAP data. The following reference map of maps event property test is designed to test events that are triggered when the Reference Data Import - LDAP app reference table is updated:
   when any of these event properties is the key of the first map and any of these event properties is the key of the second map and any of these event properties is the value in any of these reference map of maps
   In the following example, a rule is configured to test the ReferenceDataExpiry event payload if the LDAP attribute PasswordIsExpired is updated to true for any UID in the LDAPtest1 reference data collection.
   To use this event property test, you must create custom event properties for the outer key (the key of the first map), the inner key (the key of the second map), and the value fields. In the following example, the Reference Data Import - LDAP app was configured to import information on users whose password is expired from an LDAP server at example.com.
   The outer key
   This property contains the data entered in the LDAP fields specified in the Base DN and Filter fields on the app LDAP Configuration tab. The regex for the custom event property might look like this: (uid=(.*?),dc=example,dc=com)
   The inner key
   This property contains the data entered in the LDAP fields specified in the Attribute field on the app LDAP Configuration tab. You can use attribute aliases in this field. The regex for the custom event property might look like this: (passwordisexpired)
   The value field
   This property contains the data retrieved for the passwordisexpired LDAP attribute for each user. The regex for the custom event property might look like this: (\['true'\])
   For more information about custom event properties, see the IBM QRadar SIEM Users Guide.
6. Click Next.
7. Select the rule action, rule response, and rule limiter you want to apply to the rule and click Finish. For more information on custom event rules, see the IBM QRadar SIEM Users Guide.

Results
The next time you poll your LDAP server and the reference data collection you created is updated, your rule is triggered.
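Two steps in the tasks above are done by eye in the user interface: reading the Response Body returned for the reference table (Checking that data is added to the reference data collection) and confirming what the three custom event property regexes capture from an event payload before the rule goes live. The Python below is an added example, not code from the Reference Data Import - LDAP app or from IBM, that does both over constructed data. The response body shape (a "data" map of outer key to inner key to an object with a "value" field) is an assumption about the reference table API response; the payload lines are a constructed layout, not QRadar's exact ReferenceDataUpdated text; the three regexes are the ones from the procedure above.

```python
"""Worked example for the LDAP reference table check and the rule's regexes.

Added illustration, not Reference Data Import - LDAP app code. The API
response shape and the event payload layout below are assumptions; the
regexes are the ones given for the custom event properties.
"""
import json
import re

# Constructed stand-in for the Response Body of the reference table GET.
# Assumed shape: {"data": {outer_key: {inner_key: {"value": ...}}}}.
SAMPLE_RESPONSE = json.dumps({
    "name": "LDAPtest1",
    "element_type": "ALNIC",
    "data": {
        "uid=jdoe,dc=example,dc=com": {
            "passwordisexpired": {"value": "true"},
            "mail": {"value": "jdoe@example.com"},
        },
        "uid=asmith,dc=example,dc=com": {
            "passwordisexpired": {"value": "false"},
            "mail": {"value": "asmith@example.com"},
        },
    },
})

# The three custom event property regexes from the procedure.
OUTER_KEY_RE = re.compile(r"(uid=(.*?),dc=example,dc=com)")
INNER_KEY_RE = re.compile(r"(passwordisexpired)")
VALUE_RE = re.compile(r"(\['true'\])")

# Constructed payload lines (layout assumed, not QRadar's exact event text).
SAMPLE_PAYLOADS = [
    "ReferenceDataUpdated LDAPtest1 outer_key=uid=jdoe,dc=example,dc=com "
    "inner_key=passwordisexpired value=['true']",
    "ReferenceDataUpdated LDAPtest1 outer_key=uid=asmith,dc=example,dc=com "
    "inner_key=passwordisexpired value=['false']",
    "ReferenceDataUpdated LDAPtest1 outer_key=uid=jdoe,dc=example,dc=com "
    "inner_key=mail value=['jdoe@example.com']",
]


def expired_uids_from_table(response_body, attribute="passwordisexpired"):
    """Walk the map-of-maps response and return the outer keys whose
    `attribute` entry holds the value 'true', sorted for stable output."""
    table = json.loads(response_body)
    return sorted(
        outer for outer, inner in table.get("data", {}).items()
        if inner.get(attribute, {}).get("value") == "true"
    )


def extract_properties(payload):
    """Apply the three custom event property regexes to one payload.
    Returns (outer_key, inner_key, value); a property that does not match is None,
    which is how a custom event property behaves when its regex finds nothing."""
    outer = OUTER_KEY_RE.search(payload)
    inner = INNER_KEY_RE.search(payload)
    value = VALUE_RE.search(payload)
    return (
        outer.group(1) if outer else None,
        inner.group(1) if inner else None,
        value.group(1) if value else None,
    )


def rule_matches(payload):
    """Mirror the rule test: outer key, inner key and value must all be present."""
    return all(prop is not None for prop in extract_properties(payload))


def flagged_uids(payloads):
    """UIDs (the inner group of the outer-key regex) of payloads that fire the rule."""
    return [OUTER_KEY_RE.search(p).group(2) for p in payloads if rule_matches(p)]


if __name__ == "__main__":
    print("expired in table:", expired_uids_from_table(SAMPLE_RESPONSE))
    for p in SAMPLE_PAYLOADS:
        print(extract_properties(p), "->", "fires" if rule_matches(p) else "no match")
```

Only the first constructed payload satisfies all three properties, so the rule fires for jdoe alone; the second carries ['false'] and the third updates a different inner key, which is the behaviour to confirm before enabling the rule against live ReferenceDataUpdated events.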

Related tasks
Adding LDAP attribute mappings
You can create aliases that map to the LDAP attributes you added on the LDAP configuration tab.
Adding a reference data configuration
Use the Reference Configuration tab to set up a reference data table to store LDAP data.

Chapter 9. Machine Learning Analytics app

The Machine Learning Analytics (ML) app extends the capabilities of your QRadar system and the QRadar User Behavior Analytics (UBA) app by adding use cases for machine learning analytics. With the Machine Learning Analytics use cases, you can gain additional insight into user behavior with predictive modeling. The ML app helps your system to learn the expected behavior of the users in your network.

Important: You must install IBM QRadar V7.2.8 or later before you install the UBA app and the ML app.

It is best to enable Machine Learning Analytics Settings one day after you initially configure the UBA app. This waiting period ensures that the UBA app has sufficient time to create risk profiles for users. The model updates every 7 days so that the Machine Learning Analytics app has the latest risky users to monitor.

The QRadar Console limits the amount of memory that can be used by apps. To maximize results, the ML app requires:
a 64 GB console to allow the top 2000 risky users provided by the UBA app to be monitored.
a 128 GB console to allow the top 5000 risky users provided by the UBA app to be monitored.

To install the Machine Learning Analytics app on a QRadar App node, the QRadar App node must have a minimum of 5 GB of available memory. The installation might fail due to a lack of available memory. This situation can occur if the amount of memory available for applications is decreased because other applications are installed.

Known issues for Machine Learning Analytics

The Machine Learning Analytics app has known issues.

The Machine Learning Analytics app has the following known issues:
If you are upgrading from Machine Learning Analytics app V2.1.0 or lower, the Risk Value of Sense Event value for each User Analytic will be updated to the current Machine Learning default value.
The Machine Learning app might show warning messages in the Status of Machine Learning section. For more information, see Machine Learning app status shows warning on dashboard on page 144.
The installation might fail due to a lack of available memory. This situation can occur on 128 GB consoles if several other apps are already installed and less than 10 GB remains for the ML app to use. If the installation fails, the error message "FAILED" is displayed. To remedy this situation, uninstall some of the other apps and then try again.

Prerequisites for installing the Machine Learning Analytics app

Before you install the Machine Learning Analytics app, ensure that you meet the requirements.

You must meet the following system requirements and fully install and configure the User Behavior Analytics (UBA) app before you can install the Machine Learning Analytics app.

Component                          Minimum requirements
System memory                      Console: 64 GB. App node: 5 GB.
IBM QRadar version                 V7.2.8 or later
Sense DSM                          Install the DSM RPM file.
User Behavior Analytics (UBA) app  Install the UBA V2.7.0 app. Configure the UBA User Analytics Settings. Click the User Analytics tab and confirm that the UBA Dashboard contains user data.

Installing the IBM Sense DSM manually

The UBA app and the Machine Learning Analytics app use the following IBM Sense DSM files to add user risk scores and offenses into QRadar.
For V7.2.8: DSM-IBMSense noarch.rpm
For QRadar V7.3.0 and later: DSM-IBMSense noarch.rpm

Restriction: Uninstalling a Device Support Module (DSM) is not supported in QRadar.

1. Copy the DSM RPM file to your QRadar Console.
2. Use SSH to log in to the QRadar host as the root user.
3. Go to the directory that includes the downloaded file.
4. Type the following command: rpm -Uvh <rpm_filename>
5. From the Admin settings, click Advanced > Deploy Full Configuration.

Note: Instructions for installing and configuring the UBA app are on the IBM Knowledge Center.

Related tasks
Installing the User Behavior Analytics app on page 11
Use the IBM QRadar Extension Management tool to upload and install your app archive directly to your QRadar Console.
Configuring UBA settings on page 19
To view information in the IBM QRadar User Behavior Analytics (UBA) app, you must configure UBA application settings.

Installing the Machine Learning Analytics app

Install the Machine Learning Analytics app after you have installed the UBA app from the Extension Manager.

Before you begin
Make sure you have completed all of the Prerequisites for installing the Machine Learning Analytics app.

About this task
After you install your User Behavior Analytics (UBA) app V2.1.0 or later, you can install the Machine Learning Analytics app from the Machine Learning Settings page.

Procedure
1. Open the Admin settings:
   In IBM QRadar V7.3.0 or earlier, click the Admin tab.
   In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the Admin tab.

2. Click the Machine Learning Settings icon in the Plug-ins section.
3. On the Machine Learning Settings screen, click Install ML App.
4. At the prompt, click Yes to install the app. The ML app takes several minutes to install.

What to do next
When the installation is complete, you can enable ML use cases and then click Save Configuration.

Upgrading the Machine Learning Analytics app

Upgrade the Machine Learning Analytics app from the Machine Learning Settings page.

Before you begin
Starting with UBA with ML V2.2.0, there are no upgrade procedures. The Machine Learning app is automatically upgraded with the UBA app.

After you install or upgrade your User Behavior Analytics (UBA) app, you can upgrade your existing Machine Learning Analytics app from the Machine Learning Settings page.

Attention: If you have the Machine Learning Analytics (ML) app V2.0.0 installed and you upgrade to the latest version of the UBA app, do not uninstall the Machine Learning Analytics app from the QRadar Extension Manager. If you attempt to uninstall the Machine Learning Analytics app from the Extension Manager, you might encounter issues with your ML app installation.

Note: If you are upgrading from Machine Learning Analytics app V2.1.0 or lower, the Risk Value of Sense Event value for each User Analytic will be updated to the current Machine Learning default value.

Procedure
1. Open the Admin settings:
   In IBM QRadar V7.3.0 or earlier, click the Admin tab.

   In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the Admin tab.
2. Click the Machine Learning Settings icon in the Plug-ins section.
3. On the Machine Learning Settings screen, click Upgrade ML App.
4. At the prompt, click Yes. The ML app takes several minutes to upgrade.
5. After the upgrade is complete, the model building restarts.

What to do next
Verify that your Machine Learning Settings are configured correctly. If you change any settings, make sure to click Save Configuration.

Configuring Machine Learning Analytics settings

To view information in the Machine Learning Analytics app, you must configure Machine Learning Analytics application settings.

About this task
Attention: After you configure your settings, it takes a minimum of 1 hour to ingest data, build an initial model, and see initial results for users.

Important: Starting with V2.2.0, the default values for Risk value of sense event have been changed. Because the new default values are significantly less than the previous default values, the new default values will overwrite the existing default values or any value you previously modified.

Procedure
1. Open the Admin settings:
   In IBM QRadar V7.3.0 or earlier, click the Admin tab.

   In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the admin tab.
2. Click the Machine Learning Analytics icon in the Plug-ins section.
3. On the Machine Learning Analytics configuration page, click each of the following user analytics to configure its settings.

   Total Activity
   Click Enabled to turn on the Total Activity analytic and display the Total Activity graph on the User Details page.
   Important: You must have 7 days of data available for the analytic to generate a model.
   - In the Risk value of sense event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 5.
   - Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1-10). The factor is determined by how much the user deviates from their expected behavior, not merely by whether they deviated.
   - In the Confidence interval to trigger anomaly field, enter the percentage for how confident the machine learning algorithm must be before it triggers an anomalous event. The default value is
   - In the Data Retention Period field, set the number of days that you want to keep the model data. The default value is 60.
     Note: To disable automatic purging of data, set the value to 0 (zero). All of your modeling data is then stored indefinitely.

   User Activity by Category
   Click Enabled to turn on the User Activity by Category analytic and display the User Activity by Category graph on the User Details page.
   Important: You must have 7 days of data available for the analytic to generate an initial model. If you have less than 7 days of user data for this QRadar system, the initial model is generated after 7 days of user data has accumulated.
   - In the Risk Value of Sense Event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 1.
   - Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1-10). The factor is determined by how much the user deviates from their expected behavior, not merely by whether they deviated.
   - In the Confidence interval to trigger anomaly field, enter the percentage for how confident the machine learning algorithm must be before it triggers an anomalous event. The default value is
   - In the Data Retention Period field, set the number of days that you want to keep the model data. The default value is 60.
     Note: To disable automatic purging of data, set the value to 0 (zero). All of your modeling data is then stored indefinitely.
   - In the Categories to track section, the high-level event categories are enabled by default. Click any category to stop monitoring it.

     For more information about categories, see the high-level categories topic in the IBM Knowledge Center.

   Risk Posture
   Click Enabled to turn on the Risk Posture analytic and display the Risk Posture graph on the User Details page.
   Important: You must have 7 days of sense event data available for the analytic to generate a model.
   - In the Risk Value of Sense Event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 5.
   - Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1-10). The factor is determined by how much the user deviates from their expected behavior, not merely by whether they deviated.
   - In the Confidence Interval to Trigger Anomaly field, enter the percentage for how confident the machine learning algorithm must be before it triggers an anomalous event. The default value is
   - In the Data Retention Period field, set the number of days that you want to keep the model data. The default value is 60.
     Note: To disable automatic purging of data, set the value to 0 (zero). All of your modeling data is then stored indefinitely.

   Activity Distribution (V2.2.0 or later)
   Click Enabled to turn on the Activity Distribution analytic and display the Activity Distribution graph on the User Details page. Depending on the data, the model can take a few hours to build.
   Important: You must have 7 days of event data available for the analytic to generate a model.
   - In the Risk Value of Sense Event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 5.
   - Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1-10). The factor is determined by how much the user deviates from their expected behavior, not merely by whether they deviated.
   - In the Confidence Interval to Trigger Anomaly field, enter the percentage for how confident the machine learning algorithm must be before it triggers an anomalous event. The default value is
   - In the Data Retention Period field, set the number of days that you want to keep the model data. The default value is 60.
     Note: To disable automatic purging of data, set the value to 0 (zero). All of your modeling data is then stored indefinitely.

   Defined Peer Group (V2.6.0 or later)
   Click Enabled to turn on the Defined Peer Group use case and display the Defined Peer Group graph on the User Details page. Depending on the data, the model can take an hour or more to build.
   {placeholder for explaining groups}

   Important: To enable the Defined Peer Group analytic, you must have valid user groups in a reference table, and then configure UBA Settings > Display Attributes > Custom Groups to use the reference table. For more information, see User groups for the defined peer group analytic on page 140. You must have 7 days of event data available for the analytic to generate a model.
   - In the Risk Value of Sense Event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 5.
   - Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1-10). The factor is determined by how much the user deviates from their expected behavior, not merely by whether they deviated.
   - In the Confidence Interval to Trigger Anomaly field, enter the percentage for how confident the machine learning algorithm must be before it triggers an anomalous event. The default value is
   - In the Data Retention Period field, set the number of days that you want to keep the model data. The default value is 60.
     Note: To disable automatic purging of data, set the value to 0 (zero). All of your modeling data is then stored indefinitely.
   - In the Group By field, select the group that you want the analytic to use.

   Learned Peer Group (V2.2.0 or later)
   Click Enabled to turn on the Peer Group use case and display the Peer Group graph on the User Details page. Depending on the data, the model can take an hour or more to build.
   Important: You must install an App Node to enable the analytic. For more information, see com.ibm.qradar.doc/c_adm_appnode_intro.html. You must have 7 days of event data available for the analytic to generate a model.
   - In the Risk Value of Sense Event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 5.
   - Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1-10). The factor is determined by how much the user deviates from their expected behavior, not merely by whether they deviated.
   - In the Confidence Interval to Trigger Anomaly field, enter the percentage for how confident the machine learning algorithm must be before it triggers an anomalous event. The default value is
   - In the Data Retention Period field, set the number of days that you want to keep the model data. The default value is 60.
     Note: To disable automatic purging of data, set the value to 0 (zero). All of your modeling data is then stored indefinitely.

4. Click Save Configuration.
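The following added example (not UBA's own code) shows how the settings in the procedure above combine when one day of a user's activity is evaluated: the learned expected value, the confidence expressed as a percentile of historical deviation, the 1-10 risk scaling factor and the retention window. The deviation statistic, the percentile computation, the linear scaling map and the assumed 95% confidence default are all simplifications chosen for illustration.

```python
"""Illustrative model of how the analytic settings above (Risk value of sense
event, the risk scaling toggle, Confidence interval to trigger anomaly, Data
Retention Period, the 7-day data requirement) combine when one day of a user's
activity is evaluated. Added example, not UBA's code: the deviation statistic,
the percentile-based confidence and the linear 1-10 scaling are assumptions."""
from dataclasses import dataclass
from statistics import mean, pstdev

MIN_HISTORY_DAYS = 7  # "You must have 7 days of data available ... to generate a model"


@dataclass
class AnalyticSettings:
    enabled: bool = True
    risk_value: float = 5.0            # Risk value of sense event (Total Activity default)
    scale_risk: bool = False           # "Enable the toggle to scale the risk value"
    confidence_interval: float = 95.0  # percent; the page elides its default, 95 is assumed
    retention_days: int = 60           # Data Retention Period default; 0 keeps everything


@dataclass
class Evaluation:
    anomaly: bool
    confidence: float      # percentile of today's deviation among retained history
    score: float           # deviation of actual from expected, in units of spread
    scale_factor: int      # 1-10 when scaling is enabled and an anomaly fired, else 1
    risk_increment: float  # amount added to the user's risk score


def retained(history: list[float], retention_days: int) -> list[float]:
    """Apply the retention window; 0 disables purging, as the Note above says."""
    if retention_days <= 0:
        return list(history)
    return list(history[-retention_days:])


def deviation_score(actual: float, expected: float, spread: float) -> float:
    """Absolute deviation from the expected value, normalised by historical spread."""
    if spread <= 0:
        return 0.0 if actual == expected else float("inf")
    return abs(actual - expected) / spread


def percentile_rank(value: float, sample: list[float]) -> float:
    """Percentage of sample values strictly below `value`."""
    if not sample:
        return 0.0
    return 100.0 * sum(1 for s in sample if s < value) / len(sample)


def scale_factor_for(score: float, saturate_at: float = 5.0) -> int:
    """Map the deviation score onto the 1-10 multiplier range (assumed linear,
    saturating once the deviation reaches `saturate_at` spreads)."""
    if score == float("inf"):
        return 10
    return max(1, min(10, round(1 + 9 * min(score, saturate_at) / saturate_at)))


def evaluate(daily_counts: list[float], today: float, s: AnalyticSettings) -> Evaluation:
    """Evaluate today's event count against the learned history for one user."""
    history = retained(daily_counts, s.retention_days)
    if len(history) < MIN_HISTORY_DAYS:
        raise ValueError(f"need at least {MIN_HISTORY_DAYS} days of data to build a model")
    expected = mean(history)  # the learned "expected" activity level
    spread = pstdev(history)
    score = deviation_score(today, expected, spread)
    past_scores = [deviation_score(x, expected, spread) for x in history]
    confidence = percentile_rank(score, past_scores)
    anomaly = s.enabled and confidence >= s.confidence_interval
    factor = scale_factor_for(score) if (anomaly and s.scale_risk) else 1
    risk = s.risk_value * factor if anomaly else 0.0
    return Evaluation(anomaly, confidence, score, factor, risk)


# Constructed sample: two weeks of one user's daily event counts, then a spike day.
SAMPLE_HISTORY = [120, 118, 125, 122, 119, 121, 124, 117, 123, 120, 122, 119, 121, 120]

if __name__ == "__main__":
    flat = evaluate(SAMPLE_HISTORY, 380, AnalyticSettings())
    scaled = evaluate(SAMPLE_HISTORY, 380, AnalyticSettings(scale_risk=True))
    print(f"unscaled: anomaly={flat.anomaly} risk+={flat.risk_increment}")
    print(f"scaled:   anomaly={scaled.anomaly} factor={scaled.scale_factor} "
          f"risk+={scaled.risk_increment}")
```

With scaling off the spike adds the flat 5 points; with scaling on the same spike adds 50, which is the practical difference the toggle makes to a user's risk score.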

Results
It can take a minimum of one hour for the app to ingest data and build an initial model.

What to do next
Click the User Analytics tab to go to the Dashboard.

UBA dashboard with Machine Learning Analytics
The IBM QRadar User Behavior Analytics (UBA) app with Machine Learning Analytics includes the Machine Learning Analytics status and additional details for the selected user.

Dashboard
After you enable Machine Learning Analytics, click the User Analytics tab to open the dashboard. The Status of Machine Learning Models section shows the model ingestion and model building progress for each analytic that you enabled. Note that the models are updated every seven days.
- The blue progress bar indicates that the analytic is ingesting data.
- The green progress bar indicates that the analytic is building the model.
- The green check mark indicates that the analytic is enabled.
- The yellow warning icon indicates that a problem was encountered during the model building phase. See Machine Learning app status shows warning on dashboard on page 144.

Click the ML Settings icon to open the Machine Learning Analytics page and edit the configuration for the Machine Learning Analytics use cases.
Note: If you edit the configuration after it is saved, a new model is built and the wait time for ingestion and model building is reset.

User details page
You can click a user name from anywhere in the app to see details for the selected user. Starting with V2.5.0, you can learn more about the user's activities with the event viewer pane. The event viewer pane shows information about a selected activity or point in time. Clicking an event in the event viewer pane reveals more details, such as syslog events and payload information. The event viewer pane is available for all donut and line graphs on the User details page.

The following table describes the Machine Learning Analytics graphs that are available on the User Details page.

Total Activity
Shows the actual and expected (learned) amount of activity of users throughout the day. The actual values are the number of events for that user during the selected time period. The expected values are the number of events predicted for that user during the selected time period. A red circle indicates that an anomaly was detected and a sense event was generated by machine learning.
On the Total Activity graph, you can:
- Click a data node to get a query listing of the events that make up the anomaly.
- Click the Calendar icon to specify a custom date range.

User Activity by Category
Shows actual and expected user activity behavior patterns by high-level category. The actual values are the number of events per high-level category for that user during the selected time period. The expected values are the predicted number of events per high-level category for that user during the selected time period. A red circle indicates that an anomaly was detected and a sense event was generated by machine learning.
On the User Activity by Category graph, you can:
- Click the Calendar icon to specify a time and date.
- Click a category to open the timeline graph for the selected category.
On the timeline graph for the selected category, you can:
- Click a data node to get a query listing of the events that represent that node.
- Click the Calendar icon to specify a custom date range.

Risk Posture
Shows whether a user's risk score deviates from their expected risk score pattern. The actual values are the sum of the sense values for the sense events for that user during the selected time period. The expected values are the predicted sum of the sense values for the sense events for that user during the selected time period. A red circle indicates that an anomaly was detected and a sense event was generated by machine learning.
On the Risk Posture graph, you can:
- Click a node to get a query listing of the events.
- Click the Calendar icon to specify a custom date range.

Activity Distribution (V2.2.0 or later)
Shows dynamic behavior clusters for all users that are monitored by machine learning. The clusters are inferred from the low-level activity categories for all users that are monitored by machine learning. The actual values are the percent match to that cluster. The expected values are the predicted percent match to that cluster. Each color in the graph represents a unique dynamic behavior cluster for all users monitored by machine learning. The color used to denote a particular group is the same for all users. A red vertical line indicates that an anomaly was detected and a sense event was generated by machine learning.
On the Activity Distribution graph, you can:
- Hover over each cluster to view the actual and predicted activity percentiles and the top 3 contributing low-level categories.
- Click the Calendar icon to specify a date range.

Learned Peer Group (V2.2.0 or later)
Shows how much the user deviated from the inferred peer group they were expected to be in. The Learned Peer Group is inferred from the low-level activity categories for the user. The "Deviation from peer group" value signifies how confident the machine learning analytic is that the user deviated from their inferred peer group. A red circle indicates that an anomaly was detected and a sense event was generated by machine learning.
An alert is triggered if the score and the confidence both exceed their thresholds. Score is the measure of the extent of deviation from the normal pattern. Confidence is the percentile of the deviation in the context of the historical data upon which the model is built.
On the Learned Peer Group graph, you can:
- Click a data point to view the Peers in Group table.
- Click the Calendar icon to specify a date range.
The Peers in Group table shows you all the users that are expected to be in the group and that are actually in the group. You can:
- Click a user name to open the User Details page.
- Read the "Expected match" value, which shows how confident the analytic is that the user belongs in the group.
- Click the drop-down list to select the user attributes to display.
- Search to filter the user names.

Defined peer group (V2.6.0 or later)
Shows how much a user's event activity deviates from that of their defined peer group. The analytic uses the low-level activity categories of the users' events to determine the users' deviation from their defined peer group. The "Deviation from peer group" value signifies how confident the machine learning analytic is that the user deviated from their inferred peer group. A red circle indicates that an anomaly was detected and a sense event was generated by machine learning.
To view the Defined peer group analytic, you must define user groups. For more information, see User groups for the defined peer group analytic on page 140.
An alert is triggered if the score and the confidence both exceed their thresholds. Score is the measure of the extent of deviation from the normal pattern. Confidence is the percentile of the deviation in the context of the historical data upon which the model is built.
On the Defined Peer Group graph, you can:
- Click a data point to view the Peers in group you defined table.
- Click the Calendar icon to specify a date range.
The Peers in user's current group table shows you the riskiest users in the current user's group. You can:
- Click a user name to open the User Details page.
- Click the drop-down list to select the user attributes to display.
- Search to filter the user names.

User groups for the defined peer group analytic
You can enable the Defined Peer Group analytic in the Machine Learning app if UBA is configured to use a reference table that contains at least two groupings with a minimum of five users, using one of the Group By selections.
Note: In V2.6.0 or later, you can extract user groups in UBA and enable the Defined Peer Group analytic.
The grouping selections are Job Title, Department, or a custom property that you define on the UBA Settings page in the Custom Group field under Display Attributes. When UBA detects more than two distinct groups, each with five or more users, the Defined Peer Group analytic can be enabled.
To have valid user groups, you can configure the Reference Data Import LDAP app so that the user properties (Job Title, Department, or another LDAP attribute grouping) are extracted as a reference table. You can then configure UBA to use the reference table that you created.
The Defined Peer Group analytic can monitor up to 20 groups. The largest 20 groups in the configured Group By field are chosen. The number of users to monitor is proportionally reduced from each group to meet the monitored user limit for your Machine Learning installation size.
Remember: The reference table import has a 2-hour minimum repeating schedule, as configured on the UBA Settings page. Any new user grouping attributes are imported when the import is scheduled to run.
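The group rules above (five or more users per group, enough groups to enable the analytic, the 20 largest groups, proportional reduction to the monitored-user limit) as an added example that is not UBA's own code; it reads the "at least two groups" wording, and the largest-remainder rounding used when shrinking groups is an assumption.

```python
"""Illustrative model of the Defined Peer Group requirements described above:
groups come from a reference table keyed by the Group By attribute (Job Title,
Department or a custom property), a group needs at least five users, at least
two such groups must exist before the analytic can be enabled, at most the 20
largest groups are monitored, and per-group user counts are reduced
proportionally to fit the installation's monitored-user limit. Added example,
not UBA's code; the rounding scheme and the "at least two" reading are assumed."""
from collections import defaultdict

MIN_GROUPS = 2
MIN_USERS_PER_GROUP = 5
MAX_MONITORED_GROUPS = 20


def build_groups(reference_table: dict[str, str]) -> dict[str, list[str]]:
    """Group user names by their Group By attribute value, skipping empty values."""
    groups: dict[str, list[str]] = defaultdict(list)
    for user, attribute in sorted(reference_table.items()):
        if attribute:  # a user with no attribute value cannot be placed in a group
            groups[attribute].append(user)
    return dict(groups)


def eligible_groups(groups: dict[str, list[str]]) -> dict[str, list[str]]:
    """Only groups with five or more users count toward the analytic."""
    return {g: u for g, u in groups.items() if len(u) >= MIN_USERS_PER_GROUP}


def can_enable_defined_peer_group(groups: dict[str, list[str]]) -> bool:
    """The analytic can be enabled once enough eligible groups exist."""
    return len(eligible_groups(groups)) >= MIN_GROUPS


def select_monitored_groups(groups: dict[str, list[str]]) -> list[str]:
    """Pick the 20 largest eligible groups (ties broken by name for determinism)."""
    ranked = sorted(eligible_groups(groups).items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [name for name, _ in ranked[:MAX_MONITORED_GROUPS]]


def proportional_quota(sizes: dict[str, int], limit: int) -> dict[str, int]:
    """Reduce each group's user count proportionally so the total fits `limit`.
    Largest-remainder rounding keeps the total exactly at the limit."""
    total = sum(sizes.values())
    if total <= limit:
        return dict(sizes)
    exact = {g: n * limit / total for g, n in sizes.items()}
    quota = {g: int(v) for g, v in exact.items()}
    leftover = limit - sum(quota.values())
    by_remainder = sorted(exact, key=lambda g: (exact[g] - quota[g], sizes[g]), reverse=True)
    for g in by_remainder[:leftover]:
        quota[g] += 1
    return quota


def monitored_users(reference_table: dict[str, str], user_limit: int) -> dict[str, list[str]]:
    """End to end: which users of which groups the analytic would monitor."""
    groups = build_groups(reference_table)
    if not can_enable_defined_peer_group(groups):
        return {}
    chosen = select_monitored_groups(groups)
    quota = proportional_quota({g: len(groups[g]) for g in chosen}, user_limit)
    return {g: groups[g][:quota[g]] for g in chosen}


# Constructed reference table (user -> Department), shaped like the output of the
# Reference Data Import LDAP app. HR has too few users to form a peer group.
SAMPLE_TABLE = {
    **{f"eng{i:02d}": "Engineering" for i in range(12)},
    **{f"sales{i:02d}": "Sales" for i in range(8)},
    **{f"fin{i:02d}": "Finance" for i in range(6)},
    **{f"hr{i:02d}": "HR" for i in range(3)},
    "contractor01": "",
}

if __name__ == "__main__":
    for group, users in monitored_users(SAMPLE_TABLE, user_limit=13).items():
        print(f"{group}: {len(users)} users monitored")
```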

Uninstalling the Machine Learning Analytics app
Uninstall the Machine Learning Analytics app from the Machine Learning Settings page.

About this task
Before you uninstall the UBA app, you must complete the following procedure to uninstall the ML app. If you do not uninstall the ML app before you uninstall UBA, you must remove it from the interactive API documentation interface.

Procedure
1. Open the Admin settings:
   In IBM QRadar V7.3.0 or earlier, click the Admin tab.
   In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the admin tab.
2. Click the Machine Learning Settings icon in the Plug-ins section.
3. On the Machine Learning Settings screen, click Uninstall ML App.
4. At the uninstall prompt, click Yes.

What to do next
You must clear your browser cache before you log back in to the QRadar Console.


IBM BigFix Version 9.5. WebUI Administrators Guide IBM IBM BigFix Version 9.5 WebUI Administrators Guide IBM IBM BigFix Version 9.5 WebUI Administrators Guide IBM Note Before using this information and the product it supports, read the information in Notices

More information

Managing Microsoft 365 Identity and Access

Managing Microsoft 365 Identity and Access Course MS-500T01-A: Managing Microsoft 365 Identity and Access Page 1 of 3 Managing Microsoft 365 Identity and Access Course MS-500T01-A: 1 day; Instructor-Led Introduction Help protect against credential

More information

VMware Horizon JMP Server Installation and Setup Guide. Modified on 19 JUN 2018 VMware Horizon 7 7.5

VMware Horizon JMP Server Installation and Setup Guide. Modified on 19 JUN 2018 VMware Horizon 7 7.5 VMware Horizon JMP Server Installation and Setup Guide Modified on 19 JUN 2018 VMware Horizon 7 7.5 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Installing and Configuring vcenter Multi-Hypervisor Manager

Installing and Configuring vcenter Multi-Hypervisor Manager Installing and Configuring vcenter Multi-Hypervisor Manager vcenter Server 5.1 vcenter Multi-Hypervisor Manager 1.1.2 This document supports the version of each product listed and supports all subsequent

More information

Sophos Enterprise Console help. Product version: 5.5

Sophos Enterprise Console help. Product version: 5.5 Sophos Enterprise Console help Product version: 5.5 Contents 1 About Sophos Enterprise Console...6 2 Guide to the Enterprise Console interface...7 2.1 User interface layout...7 2.2 Toolbar buttons...7

More information

Administering vrealize Log Insight. 05-SEP-2017 vrealize Log Insight 4.3

Administering vrealize Log Insight. 05-SEP-2017 vrealize Log Insight 4.3 Administering vrealize Log Insight 05-SEP-2017 4.3 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

Install and upgrade Qlik Sense. Qlik Sense 3.0 Copyright QlikTech International AB. All rights reserved.

Install and upgrade Qlik Sense. Qlik Sense 3.0 Copyright QlikTech International AB. All rights reserved. Install and upgrade Qlik Sense Qlik Sense 3.0 Copyright 1993-2016 QlikTech International AB. All rights reserved. Copyright 1993-2016 QlikTech International AB. All rights reserved. Qlik, QlikTech, Qlik

More information

VST Hospital Administrator Guide. Version 2.0.4

VST Hospital Administrator Guide. Version 2.0.4 VST Hospital Administrator Guide Version 2.0.4 Notice Copyright 2002- Vocera Communications, Inc. All rights reserved. Vocera is a registered trademark of Vocera Communications, Inc. This software is licensed,

More information

Lookout Mobile Endpoint Security. Deploying Lookout with BlackBerry Unified Endpoint Management

Lookout Mobile Endpoint Security. Deploying Lookout with BlackBerry Unified Endpoint Management Lookout Mobile Endpoint Security Deploying Lookout with BlackBerry Unified Endpoint Management June 2018 2 Copyright and disclaimer Copyright 2018, Lookout, Inc. and/or its affiliates. All rights reserved.

More information

ForeScout Extended Module for ServiceNow

ForeScout Extended Module for ServiceNow ForeScout Extended Module for ServiceNow Version 1.2 Table of Contents About ServiceNow Integration... 4 Use Cases... 4 Asset Identification... 4 Asset Inventory True-up... 5 Additional ServiceNow Documentation...

More information

Sophos Enterprise Console

Sophos Enterprise Console Sophos Enterprise Console Help Product Version: 5.5 Contents About Sophos Enterprise Console...1 Guide to the Enterprise Console interface... 2 User interface layout... 2 Toolbar buttons...2 Dashboard

More information

Using the VMware vcenter Orchestrator Client. vrealize Orchestrator 5.5.1

Using the VMware vcenter Orchestrator Client. vrealize Orchestrator 5.5.1 Using the VMware vcenter Orchestrator Client vrealize Orchestrator 5.5.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide Copyright and Trademark Statements 2014 ViewSonic Computer Corp. All rights reserved. This document contains proprietary information that

More information

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8 Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.8 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

VMware Horizon JMP Server Installation and Setup Guide. 13 DEC 2018 VMware Horizon 7 7.7

VMware Horizon JMP Server Installation and Setup Guide. 13 DEC 2018 VMware Horizon 7 7.7 VMware Horizon JMP Server Installation and Setup Guide 13 DEC 2018 VMware Horizon 7 7.7 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you

More information

IBM Proventia Management SiteProtector Installation Guide

IBM Proventia Management SiteProtector Installation Guide IBM Internet Security Systems IBM Proventia Management SiteProtector Installation Guide Version2.0,ServicePack8.1 Note Before using this information and the product it supports, read the information in

More information

File Reputation Filtering and File Analysis

File Reputation Filtering and File Analysis This chapter contains the following sections: Overview of, page 1 Configuring File Reputation and Analysis Features, page 5 File Reputation and File Analysis Reporting and Tracking, page 14 Taking Action

More information

VMware AirWatch Google Sync Integration Guide Securing Your Infrastructure

VMware AirWatch Google Sync Integration Guide Securing Your  Infrastructure VMware AirWatch Google Sync Integration Guide Securing Your Email Infrastructure AirWatch v9.2 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

ForeScout Extended Module for ServiceNow

ForeScout Extended Module for ServiceNow ForeScout Extended Module for ServiceNow Version 1.1.0 Table of Contents About this Integration... 4 Use Cases... 4 Asset Identification... 4 Asset Inventory True-up... 5 Additional ServiceNow Documentation...

More information

vrealize Operations Manager Customization and Administration Guide vrealize Operations Manager 6.4

vrealize Operations Manager Customization and Administration Guide vrealize Operations Manager 6.4 vrealize Operations Manager Customization and Administration Guide vrealize Operations Manager 6.4 vrealize Operations Manager Customization and Administration Guide You can find the most up-to-date technical

More information

Release Notes: J-Web Application Package Release 15.1A4 for Juniper Networks EX Series Ethernet Switches

Release Notes: J-Web Application Package Release 15.1A4 for Juniper Networks EX Series Ethernet Switches Release Notes: J-Web Application Package Release 15.1A4 for Juniper Networks EX Series Ethernet Switches Release 15.1A4 July 2018 Revision 1 Contents Release Notes: J-Web Application Package Release 15.1A4

More information

Google Sync Integration Guide. VMware Workspace ONE UEM 1902

Google Sync Integration Guide. VMware Workspace ONE UEM 1902 Google Sync Integration Guide VMware Workspace ONE UEM 1902 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

NSM Plug-In Users Guide

NSM Plug-In Users Guide Security Threat Response Manager NSM Plug-In Users Guide Release 2010.0 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.net Published: 2010-11-16 Copyright

More information

Installing and Configuring vcenter Support Assistant

Installing and Configuring vcenter Support Assistant Installing and Configuring vcenter Support Assistant vcenter Support Assistant 6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Cloud Help for Community Managers...3. Release Notes System Requirements Administering Jive for Office... 6

Cloud Help for Community Managers...3. Release Notes System Requirements Administering Jive for Office... 6 for Office Contents 2 Contents Cloud Help for Community Managers...3 Release Notes... 4 System Requirements... 5 Administering Jive for Office... 6 Getting Set Up...6 Installing the Extended API JAR File...6

More information

IBM BigFix Compliance PCI Add-on Version 9.5. Payment Card Industry Data Security Standard (PCI DSS) User's Guide IBM

IBM BigFix Compliance PCI Add-on Version 9.5. Payment Card Industry Data Security Standard (PCI DSS) User's Guide IBM IBM BigFix Compliance PCI Add-on Version 9.5 Payment Card Industry Data Security Standard (PCI DSS) User's Guide IBM IBM BigFix Compliance PCI Add-on Version 9.5 Payment Card Industry Data Security Standard

More information

Juniper Secure Analytics Patch Release Notes

Juniper Secure Analytics Patch Release Notes Juniper Secure Analytics Patch Release Notes 2014.8 January 2018 2014.8.r12.20171213225424 patch resolves several known issues in Juniper Secure Analytics (JSA). Contents Installing 2014.8.r12 Patch.............................................

More information

Comodo SecureBox Management Console Software Version 1.9

Comodo SecureBox Management Console Software Version 1.9 6. Comodo SecureBox Management Console Software Version 1.9 Quick Start Guide Guide Version 1.9.041918 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Comodo SecureBox Management Console

More information

Configure the IM and Presence Service to Integrate with the Microsoft Exchange Server

Configure the IM and Presence Service to Integrate with the Microsoft Exchange Server Configure the IM and Presence Service to Integrate with the Microsoft Exchange Server Configure a Presence Gateway for Microsoft Exchange Integration, page 1 SAN and Wildcard Certificate Support, page

More information

Secure Web Appliance. SSL Intercept

Secure Web Appliance. SSL Intercept Secure Web Appliance SSL Intercept Table of Contents 1. Introduction... 1 1.1. About CYAN Secure Web Appliance... 1 1.2. About SSL Intercept... 1 1.3. About this Manual... 1 1.3.1. Document Conventions...

More information

Using the Prime Performance Manager Web Interface

Using the Prime Performance Manager Web Interface 3 CHAPTER Using the Prime Performance Manager Web Interface The following topics provide information about using the Cisco Prime Performance Manager web interface: Accessing the Prime Performance Manager

More information

Agent Console. The Agent Console. The topics in this section provide information about the Agent Console.

Agent Console. The Agent Console. The topics in this section provide information about the Agent Console. Agent Console The topics in this section provide information about the Agent Console. The Agent Console The agent logs into the workstation The agent is automatically logged in to Intradiem; the Agent

More information

Licensing Guide. BlackBerry Enterprise Service 12. Version 12.0

Licensing Guide. BlackBerry Enterprise Service 12. Version 12.0 Licensing Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2014-11-13 SWD-20141118133401439 Contents About this guide... 5 What is BES12?... 6 Key features of BES12...6 Product documentation...

More information

IT Security Training MS-500: Microsoft 365 Security Administration. Upcoming Dates. Course Description. Course Outline $2,

IT Security Training MS-500: Microsoft 365 Security Administration. Upcoming Dates. Course Description. Course Outline $2, IT Security Training MS-500: Microsoft 365 Security Administration $2,595.00 4 Days Upcoming Dates Course Description Day 1: Managing Microsoft 365 Identity and Access (MS-500T01-A) Help protect against

More information

Clearspan Hosted Thin Call Center R Release Notes JANUARY 2019 RELEASE NOTES

Clearspan Hosted Thin Call Center R Release Notes JANUARY 2019 RELEASE NOTES Clearspan Hosted Thin Call Center R22.0.39 Release Notes JANUARY 2019 RELEASE NOTES NOTICE The information contained in this document is believed to be accurate in all respects but is not warranted by

More information

Administering vrealize Log Insight. September 20, 2018 vrealize Log Insight 4.7

Administering vrealize Log Insight. September 20, 2018 vrealize Log Insight 4.7 Administering vrealize Log Insight September 20, 2018 4.7 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

vcenter Server Appliance Configuration Modified on 17 APR 2018 VMware vsphere 6.7 VMware ESXi 6.7 vcenter Server 6.7

vcenter Server Appliance Configuration Modified on 17 APR 2018 VMware vsphere 6.7 VMware ESXi 6.7 vcenter Server 6.7 vcenter Server Appliance Configuration Modified on 17 APR 2018 VMware vsphere 6.7 VMware ESXi 6.7 vcenter Server 6.7 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Lenovo ThinkAgile XClarity Integrator for Nutanix Installation and User's Guide

Lenovo ThinkAgile XClarity Integrator for Nutanix Installation and User's Guide Lenovo ThinkAgile XClarity Integrator for Nutanix Installation and User's Guide Version 1.0 Note Before using this information and the product it supports, read the information in Appendix A Notices on

More information

Logging into the Firepower System

Logging into the Firepower System The following topics describe how to log into the Firepower System: Firepower System User Accounts, on page 1 User Interfaces in Firepower Management Center Deployments, on page 3 Logging Into the Firepower

More information

Integrate Akamai Web Application Firewall EventTracker v8.x and above

Integrate Akamai Web Application Firewall EventTracker v8.x and above Integrate Akamai Web Application Firewall EventTracker v8.x and above Publication Date: May 29, 2017 Abstract This guide helps you in configuring Akamai WAF and EventTracker to receive events. In this

More information

Integrating AirWatch and VMware Identity Manager

Integrating AirWatch and VMware Identity Manager Integrating AirWatch and VMware Identity Manager VMware AirWatch 9.1.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a

More information

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide BlackBerry Enterprise Server for Microsoft Office 365 Version: 1.0 Administration Guide Published: 2013-01-29 SWD-20130131125552322 Contents 1 Related resources... 18 2 About BlackBerry Enterprise Server

More information

Installing and Configuring Cisco Unified Real-Time Monitoring Tool

Installing and Configuring Cisco Unified Real-Time Monitoring Tool CHAPTER 2 Installing and Configuring Cisco Unified Real-Time Monitoring Tool You can install Cisco Unified Real-Time Monitoring Tool (RTMT), which works for resolutions 800*600 and above, on a computer

More information

Integrate Check Point Firewall. EventTracker v8.x and above

Integrate Check Point Firewall. EventTracker v8.x and above EventTracker v8.x and above Publication Date: March 23, 2017 Abstract This guide helps you in configuring Check Point and EventTracker to receive Check Point events. You will find the detailed procedures

More information

IBM SmartCloud Analytics - Log Analysis Version Installation and Administration Guide

IBM SmartCloud Analytics - Log Analysis Version Installation and Administration Guide IBM SmartCloud Analytics - Log Analysis Version 1.1.0.3 Installation and Administration Guide IBM SmartCloud Analytics - Log Analysis Version 1.1.0.3 Installation and Administration Guide Note Before

More information

Table of Contents. Configure and Manage Logging in to the Management Portal Verify and Trust Certificates

Table of Contents. Configure and Manage Logging in to the Management Portal Verify and Trust Certificates Table of Contents Configure and Manage Logging in to the Management Portal Verify and Trust Certificates Configure System Settings Add Cloud Administrators Add Viewers, Developers, or DevOps Administrators

More information

Vulnerability Scan Service. User Guide. Issue 20 Date HUAWEI TECHNOLOGIES CO., LTD.

Vulnerability Scan Service. User Guide. Issue 20 Date HUAWEI TECHNOLOGIES CO., LTD. Issue 20 Date 2018-08-30 HUAWEI TECHNOLOGIES CO., LTD. Copyright Huawei Technologies Co., Ltd. 2018. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any

More information