User Behavior Analytics Content Pack

Overview

Understanding user behavior analytics (UBA) helps you identify threats hidden among your data, allowing you to increase security operations accuracy while shortening investigation timelines. Rather than focusing exclusively on users or entities, McAfee Enterprise Security Manager uses a combination of anomaly detection and customized rules, along with other intelligent and advanced correlation models. These analytics use baselines to establish what is “normal,” then factor in outlier behavior as part of ongoing monitoring and alerting. User activities are treated as part of a larger calculation of security and risk that helps operations recognize and prioritize incidents.

Content Pack Components

Alarms
  • UBA - New User Logon Detected
Reports
  • UBA - Source User 1 Week
Views
  • Source User Risk
  • Suspicious Geo Events
  • User Behavior Events
Watchlists
  • Domain Policy - Security Groups
  • UBA - Accounts Not Requiring a Password
  • UBA - Accounts with Expired Password
  • UBA - Computer Accounts
  • UBA - Default Usernames
  • UBA - Password Never Expires
  • UBA - Privileged Users
  • UBA - Rules
  • UBA - Servers (FQDN)
  • UBA - Servers (Name)
  • UBA - User Accounts Disabled
  • UBA - User Accounts Locked Out
  • UBA - User Logon Observed
Correlation Rules
  • Domain Policy - Domain Policy Changed
  • Domain Policy - Group Policy Object Deleted
  • Domain Policy - Group Policy Object Created
  • Domain Policy - Group Policy Object Modified
  • Domain Policy - Suspicious Domain Privilege Changes
  • Domain Policy - Suspicious Local Privilege Changes
  • Domain Policy - User Added to Domain Security Group
  • Domain Policy - User Added to Local Security Group
  • Domain Policy - User Removed from Domain Security Group
  • Domain Policy - User Removed from Local Security Group
  • GTI - Successful Login from Suspicious Host
  • GTI - Successful Login to Suspicious Host
  • UBA - Default Username Logon
  • UBA - Increase in Authentication Events 7-days
  • UBA - Login Attempt from Locked or Disabled Account
  • UBA - Login Attempt from User with Expired Password
  • UBA - Login from Account that Does Not Require Password
  • UBA - Login from User with Non-Expiring Password
  • UBA - New User Observed
  • UBA - Remote Login to Server
  • UBA - Suspicious Privileged Logon
  • UBA - Username ending with Dollar Sign
  • UBA - User Logon from Multiple Geolocations
  • UBA - User Logon from Multiple Hosts
  • UBA - User Logon from Multiple IP Addresses
  • Windows Authentication - Admin Logon from Non-Company Geolocation on Vista-2008 or Later
  • Windows Authentication - Admin Logon from Non-Company Geolocation on 2000-2003XP
  • Windows Authentication - Admin Logon from Suspicious Geolocation on Vista-2008 or Later
  • Windows Authentication - Admin Logon from Suspicious Geolocation on 2000-2003 XP
  • Windows Authentication - Domain User Failed Logon Due to Invalid Password
  • Windows Authentication - Domain User Logon After Multiple Failed Attempts
  • Windows Authentication - Failed Domain Logon on Restricted Host
  • Windows Authentication - Restricted Domain Account Failed Logon

Required Products

  • McAfee Advanced Correlation Engine (ACE) 10.0.x
  • McAfee Enterprise Security Manager (ESM) 10.0.x
  • Some rules require McAfee Global Threat Intelligence (GTI).
  • Some rules require that a Windows data source be set up to receive events from Windows devices within the network environment.

Download Content Pack

Registered ServicePortal users can log in to access the Knowledge Center for further documentation or to download the content pack file manually.
