IBM Security
As the depth and breadth of the use cases in QRadar have grown, so has the frequency of the questions I hear from clients about maturing their insider threat program with UBA. In this blog series, I’ll address and answer these questions for our UBA clients.

In my previous blog, we covered getting started with a collection of account access and authentication behavioral use cases. In this blog, we’ll focus on deploying use cases that detect abnormal access behaviors, browsing patterns, network or cloud activity, and endpoint activity. The table below highlights the 9 categories into which these use cases fall. When enabled, they help SOC analysts detect 78 distinct behavioral anomalies.
Before embarking on configuring, enabling and deploying these use cases, I would strongly recommend taking a look at each use case and its corresponding log or flow data sources. In the tuning page of UBA [Figure 1 below], clicking the information icon on the right takes you to the documentation of that individual use case. The description of the use case, its logic, building blocks, risk score and the log sources it uses are documented there.
Figure 1: UBA Use Case Tuning Page
It’s important to ensure that the required log sources are fed into QRadar, that they are instrumented to include the users’ identity, and that they are being parsed properly. If certain use cases require a reference set, make sure to populate the reference set with the required data. Refer to the DSM guide for the comprehensive list of log sources supported by QRadar and their configurations.

In the second phase of implementation I recommend you deploy use cases related to user access behavior, network, and flow anomalies. Identifying user behavior based on how users access their systems or corporate assets, or how they use network resources, can help detect potential threats and compromised or stolen accounts.

Below is a selected list of 42 use cases, grouped by user behavioral anomaly, that might interest you and be relevant to your environment. Each use case name is hot linked to the documentation of that use case on the IBM Security App Exchange. Each page provides a short description of the use case, the logic and building blocks used to detect the behavior, its default risk score and, most importantly, the data source(s) (logs and/or flows) needed to help UBA detect the anomalous activity.

Access and Authentication anomalies:
UBA : Executive Only Asset Accessed by Non-Executive User
Detects when a non-executive user logs on to an asset that is for executive use only. Two empty reference sets will be imported with this rule : "UBA : Executive Users" and "UBA : Executive Assets". Edit the reference sets to add or remove any accounts and IP addresses that are flagged from your environment. Enable this rule after you configure the reference sets.
UBA : High Risk User Access to Critical Asset
Detects when a user involved in incidents (offenses) accesses a critical asset.
UBA : Multiple VPN Accounts Failed Login From Single IP
Detects VPN account login failures from IP addresses listed in the "UBA : Multiple VPN Accounts Failed Login From Single IP" reference set.
UBA : Multiple VPN Accounts Logged In From Single IP
Maps multiple VPN users that are coming from the same IP address and then raises the risk score. When the rule detects VPN users coming from the same IP address, the IP address is added to the "UBA : Multiple VPN Accounts Logged In From Single IP" reference set. Before enabling this rule, make sure the rule "UBA : Populate Multiple VPN Accounts Logged In From Single IP" is enabled and the "UBA : Multiple VPN Accounts Logged In From Single IP" reference set has data.
UBA : User Access from Multiple Hosts
Detects when a single user logs in from more than an allowed number of devices.
UBA : AWS Console Accessed by Unauthorized User
Detects an unauthorized attempt to access the Amazon Web Services (AWS) console by a user that is outside the authorized list in the 'AWS - Standard Users' reference set.
UBA : Non-Standard User Accessing AWS Resources
Detects a non-standard user who is attempting to access Amazon Web Services (AWS) resources.
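The populate-rule / reference-set / detection-rule pattern behind "UBA : Multiple VPN Accounts Logged In From Single IP" (and the intro's advice that the reference set must hold data before the detection rule is useful) can be modelled in a few lines. The following is an added example written for this post, not code from the UBA app; the window, threshold, risk score and the VPN login events are constructed assumptions, and the same windowed distinct-count logic generalizes to the Kerberos account enumeration use case later on the page.

```python
from collections import defaultdict, deque

# Constructed sample VPN login events: (timestamp in seconds, username, source IP).
SAMPLE_EVENTS = [
    (0,   "alice", "203.0.113.10"),
    (30,  "bob",   "203.0.113.10"),
    (45,  "carol", "203.0.113.10"),  # third distinct account from one IP
    (60,  "alice", "198.51.100.7"),  # different IP, only one account seen
    (70,  "dave",  "203.0.113.10"),
    (400, "erin",  "203.0.113.10"),  # window has rolled over, IP still listed
]

# Assumed tuning values for the example (the real rule is tuned in the UBA app).
WINDOW_SECONDS = 300
MIN_DISTINCT_ACCOUNTS = 3
RISK_SCORE = 10


class VpnSharedIpDetector:
    """Models a populate rule feeding a reference set consumed by a detection rule."""

    def __init__(self, window=WINDOW_SECONDS, threshold=MIN_DISTINCT_ACCOUNTS,
                 risk_score=RISK_SCORE):
        self.window, self.threshold, self.risk_score = window, threshold, risk_score
        self.reference_set = set()          # stands in for the UBA reference set of IPs
        self.recent = defaultdict(deque)    # source IP -> recent (timestamp, user)
        self.risk = defaultdict(int)        # user -> accumulated risk score

    def populate_rule(self, ts, user, ip):
        """Add the IP to the reference set once enough distinct accounts share it."""
        q = self.recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > self.window:   # drop events outside the window
            q.popleft()
        if len({u for _, u in q}) >= self.threshold:
            self.reference_set.add(ip)            # persists until removed (no TTL here)

    def detect_rule(self, ts, user, ip):
        """Raise the user's risk score when the login comes from a listed IP."""
        if ip in self.reference_set:
            self.risk[user] += self.risk_score
            return True
        return False

    def process(self, events):
        """Run both rules over the events; return the logins that were flagged."""
        flagged = []
        for ts, user, ip in events:
            self.populate_rule(ts, user, ip)
            if self.detect_rule(ts, user, ip):
                flagged.append((ts, user, ip))
        return flagged
```

Note that the first two logins from 203.0.113.10 are not flagged: until the populate rule has filled the reference set, the detection rule has nothing to match, which is why the page tells you to enable the populate rule first.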
Domain Controller-based anomalies:
UBA : Kerberos Account Enumeration Detected
Detects Kerberos account enumeration by looking for a high number of user names being used to make Kerberos requests from the same source IP.
UBA : Multiple Kerberos Authentication Failures from Same User
Detects multiple Kerberos authentication ticket rejections or failures.
UBA : Non-Admin Access to Domain Controller
Detects non-admin account access attempts to a domain controller.
UBA : Pass the Hash
Detects Windows logon events that are possibly generated during pass the hash exploits.
UBA : Possible SMB Session Enumeration on a Domain Controller
Detects attempts at SMB enumeration against a domain controller.
UBA : Possible TGT Forgery
Detects Kerberos TGTs that contain Domain Name anomalies. These possibly indicate tickets that are generated by using pass the ticket exploits.
UBA : Possible TGT PAC Forgery
Detects use of a forged PAC (Privilege Attribute Certificate) to get a service ticket from the Kerberos TGS.
UBA : TGT Ticket Used by Multiple Hosts
Detects a Kerberos TGT being used on two or more different computers.
UBA : Detect Insecure Or Non-Standard Protocol
Detects any user that is communicating over unauthorized protocols that are regarded as insecure or non-standard. Authorized protocols are listed in the "UBA : Ports of Authorized Protocols" reference set, which has the default value 0 (the port of QRadar events). Edit the "UBA : Ports of Authorized Protocols" reference set to reflect the ports authorized in your environment before you enable this rule.
UBA : Malware Activity - Registry Modified In Bulk
Detects processes that modify multiple registry values in bulk within a short interval.
UBA : Process Executed Outside Gold Disk Whitelist (Windows)
Detects processes that are created on a Windows system and alerts when the process is outside the golden disk process whitelist.
UBA : Ransomware Behavior Detected
Detects behavior that is typically seen during a ransomware infection.
UBA : Restricted Program Usage
Indicates that a process is created and the process name matches one of the binary names listed in the reference set "UBA : Restricted Program Filenames". This reference set is blank by default so that you can customize it. You can populate the reference set with file names that you want to monitor for risk management.
UBA : User Running New Process
Detects processes that are created by the user and alerts when a user runs a new process. The rule "UBA : Populate Process Filenames" populates the reference set "UBA : Process Filenames", which serves as a utility for "UBA : User Running New Process". Note: this populate rule is disabled by default. Enable it for a short period to populate the filenames.
UBA : Volume Shadow Copy Created
Detects shadow copies that were created using vssadmin.exe or Windows Management Instrumentation Command-line (WMIC).
Anomalous data movement and transfers:
UBA : Large Outbound Transfer by High Risk User
Detects an outbound transfer of 200,000 bytes or more by a high risk user.
UBA : Multiple Blocked File Transfers Followed by a File Transfer
Detects exfiltration by checking for file uploads that were initially blocked but were followed by a successful upload within a span of 5 minutes.
UBA : Suspicious Access Followed by Data Exfiltration
Detects access from unusual, restricted, or prohibited locations followed by a data exfiltration attempt.
UBA : Data Exfiltration by Print
Detects users that are sending files to print or that are using screen capture tools such as Print Screen and Snipping Tool.
UBA : Data Exfiltration by Cloud Services
Detects users that are uploading files to personal cloud services.
UBA : Data Exfiltration by Removable Media
Detects users that are transferring files to removable media such as USB and CD.
UBA : Data Loss Possible
Detects possible data loss determined by either the data source, event category or specific events related to data loss detection and prevention.
UBA : Anomalous Cloud Account Created From New Location
Detects cloud account creation activities from a new location.
UBA : User Access from Multiple Locations
Indicates that multiple locations or sources are using the same user account simultaneously. Adjust the match and duration parameters to tune responsiveness.
UBA : User Geography Change
A match indicates that a user logged in remotely from a country that is different from the country of the user's last remote login. This rule might also indicate an account compromise, particularly if the rule matches occurred closely in time.
UBA : User Geography, Access from Unusual Locations
Indicates that users were able to authenticate in countries that are unusual for your network, as defined by the building block rule "UBA : BB : Unusual Source Locations".
UBA : D/DoS Attack Detected
Detects network Denial of Service (DoS) attacks by a user.
UBA : Honeytoken Activity
Detects activity using a Honeytoken account.
UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage
Indicates that a process is created and the process name matches one of the binary names that are listed in the reference set "UBA : Network Capture, Monitoring and Analysis Program Filenames". This reference set lists the binary names of network packet capturing software. The reference set is pre-populated with the names of some common network protocol analysis software filenames.
UBA : Potential Access to DGA Domain
Detects events that indicate the user potentially accessed a DGA (Domain Generated by Algorithm) domain. Requires the IBM QRadar DNS Analyzer app.
UBA : Potential Access to Tunneling Domain
Detects events that indicate the user potentially accessed a tunneling domain. Requires the IBM DNS Analyzer app.
UBA : User Accessing Risky IP, Anonymization
This rule detects when a local user or host is connecting to an external anonymization service.
UBA : User Accessing Risky IP, Botnet
This rule detects when a local user or host is connecting to a botnet command and control server.
UBA : User Accessing Risky IP, Dynamic
This rule detects when a local user or host is connecting to a dynamically assigned IP address.
UBA : User Accessing Risky IP, Malware
This rule detects when a local user or host is connecting to a malware host.
Tuning and enabling this selection of 42 use cases will help you advance your Insider Threat program to the next level: detecting anomalous user activities that may indicate the use of compromised or stolen credentials, or genuine insiders who are either being careless and exposing the company to unwanted risks or engaging in other risky or suspicious activities.