Now that you have enabled use cases based on account access, user access, and network and flow anomalies, you can enable more advanced use cases that help detect risky user behavior based on a user accessing questionable or malicious websites or URLs. The use case content in this article covers communication to malicious locations using proxy logs and data exfiltration use cases for the QRadar User Behavior Analytics application.


Use cases related to risky user behavior based on proxy logs

Proxy logs are a great source for identifying risky user behavior when employees access websites that show questionable content inappropriate for a workplace or that carry a high risk of infecting your endpoints with malware.


Use cases based on endpoint activity indicating data exfiltration

A great source to identify malicious activity is monitoring endpoints for data exfiltration activity. The goal of the use cases below is to help users identify abnormal activity between endpoints on your network and external sources. For example, an employee on their last day of work might try to copy confidential information about your organization in the form of data, financials, account names, and send it to an external cloud storage application. By enabling the abnormal data volume to external domain use case, you can easily identify this behavior and take appropriate action against the malicious employee.

  • Abnormal Outbound Attempts Found – This is a CRE rule that supports the identical respective ADE rule: Abnormal Outbound Attempts (ADE rule), which uses the Anomaly Detection engine to monitor outbound traffic usage and to alert on an abnormal number of attempts.
  • Abnormal visits to Risky Resources Found – This is a CRE rule that supports the identical respective ADE rule: UBA: Abnormal visits to Risky Resources, which uses the Anomaly Detection engine to monitor the number of times a user accesses risky resources (such as suspicious URLs, anonymizers, malware hosts) and alerts when the number of visits changes abnormally.
  • Abnormal data volume to external domain Found – This is a CRE rule that supports the identical respective ADE rule: UBA: Abnormal data volume to external domain, which uses the Anomaly Detection engine to monitor user’s traffic usage and alert on abnormal data volumes of traffic to external domains.
  • Restricted Program Usage – Indicates that a process is created and the process name matches one of the binary names listed in the reference set “UBA : Restricted Program Filenames”. This reference set is blank by default so that you can customize it. You can populate the reference set with file names that you want to monitor for risk management. For more information about adding or removing programs for monitoring, see Managing restricted programs.
  • User Volume of Activity Anomaly – Traffic Found – This is a CRE rule that supports the identical respective ADE rule: UBA : User Volume of Activity Anomaly – Traffic, which uses the Anomaly Detection engine to monitor a user’s traffic usage and alert on unusual volumes of traffic.
  • VPN Access By Service or Machine Account – This rule detects when a Cisco VPN is accessed by a service or machine account. Accounts are listed in the UBA: Service, Machine Account reference set. Edit this list to add or remove any accounts to flag from your environment.
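The rules above are described in terms of what they alert on, not how the comparison is made. The following added example (written for this article, not code from QRadar or the UBA app) shows the shape of two of those checks over constructed log records: a per-user baseline of daily outbound bytes to external domains, flagged when one day stands far above that user's own history, and a process-creation check against a restricted-program list. The domain names, file names, byte counts and the 3-sigma threshold are all assumptions chosen to illustrate the logic; the Anomaly Detection engine's actual baselining is not reproduced here.

```python
# Added example, not QRadar/UBA code: a toy version of two of the checks the
# rules above describe, run over constructed log records.
import ntpath
from collections import defaultdict
from statistics import mean, pstdev

# Constructed reference data. In QRadar these would be reference sets; the
# values below are placeholders, not the app's real contents.
INTERNAL_DOMAINS = {"corp.example", "intranet.example"}
RESTRICTED_PROGRAM_FILENAMES = {"filetransfer.exe", "torrentclient.exe"}

# Constructed proxy records: (user, day, destination domain, bytes sent).
PROXY_EVENTS = [
    ("alice", 1, "corp.example", 50_000),
    ("alice", 1, "news.example.net", 120_000),
    ("alice", 1, "mail.example.org", 30_000),
    ("alice", 2, "news.example.net", 140_000),
    ("alice", 3, "news.example.net", 160_000),
    ("alice", 4, "news.example.net", 130_000),
    ("alice", 5, "cloudstorage.example.com", 25_000_000),  # last-day upload
    ("bob", 1, "news.example.net", 200_000),
    ("bob", 2, "news.example.net", 210_000),
    ("bob", 3, "news.example.net", 190_000),
    ("bob", 4, "news.example.net", 200_000),
    ("bob", 5, "news.example.net", 220_000),
]

# Constructed process-creation records: (user, full path of the new process).
PROCESS_EVENTS = [
    ("alice", r"C:\Users\alice\Downloads\FileTransfer.exe"),
    ("bob", r"C:\Windows\System32\notepad.exe"),
]


def daily_external_bytes(events, internal=INTERNAL_DOMAINS):
    """Sum bytes sent per user per day, ignoring internal destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, day, domain, sent in events:
        if domain not in internal:
            totals[user][day] += sent
    return totals


def abnormal_external_volume(events, sigma=3.0, min_history=3):
    """Return (user, day, bytes, baseline_mean) for each day whose outbound
    volume to external domains is more than `sigma` standard deviations above
    that user's own earlier days. The spread is floored at 5% of the mean so a
    near-constant history does not turn every small wobble into an alert."""
    hits = []
    for user, per_day in daily_external_bytes(events).items():
        history = []
        for day in sorted(per_day):
            sent = per_day[day]
            if len(history) >= min_history:
                mu = mean(history)
                sd = max(pstdev(history), 0.05 * mu)
                if sd > 0 and (sent - mu) / sd > sigma:
                    hits.append((user, day, sent, mu))
            history.append(sent)
    return hits


def restricted_program_hits(events, restricted=RESTRICTED_PROGRAM_FILENAMES):
    """Return (user, path) for each process whose file name is on the list.
    ntpath handles Windows paths regardless of the host running the check."""
    names = {n.lower() for n in restricted}
    return [(u, p) for u, p in events if ntpath.basename(p).lower() in names]


if __name__ == "__main__":
    for hit in abnormal_external_volume(PROXY_EVENTS):
        print("abnormal external volume:", hit)
    for hit in restricted_program_hits(PROCESS_EVENTS):
        print("restricted program:", hit)
```

With the constructed data, alice's day 5 is flagged (25 MB against a baseline averaging 145 KB) while bob's slightly higher day 5 is not, which is the point of baselining per user rather than against a single global threshold. The restricted-program check matches on the file name only, case-insensitively, mirroring a reference-set lookup; a production rule would also want the full path and parent process for triage.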

By enabling and tuning rules related to the above use cases and previous ones mentioned in prior blogs, you will have matured your UBA environment to detect most user behavior anomalies. If you have unique requirements for your organization, you can customize these rules as required.

Next article: Stepping up your UBA game with the Machine Learning app

The next article in this series discusses how you can identify malicious activity among your riskiest users, and how machine learning can help when the differentiating characteristics are much more subtle than the behaviors that trigger regular rules. Stay tuned for our next blog, which will dive into how you can use the Machine Learning companion app for QRadar UBA to identify anomalous behavior among your most risky users.

Authors: Milan Patel and Rohan Ramesh
