Behavior-based detection reference for UEBA cloud

The following behavior-based detections are available in cloud deployments of Splunk Enterprise Security:

  • UEBA - Abnormal RDP Login Active Directory
  • UEBA - Account Creation Deletion In Short Span
  • UEBA - Anomalous usage of Archive Tools
  • UEBA - Attempt To Delete Services
  • UEBA - Attempt To Disable Services
  • UEBA - Attempted Credential Dump From Registry via Reg exe
  • UEBA - BCDEdit Failure Recovery Modification
  • UEBA - Brute Force Login By User and Failure Reason In Active Directory
  • UEBA - Brute Force Login Failures By Device In Active Directory
  • UEBA - Clear Unallocated Sector Using Cipher App
  • UEBA - Cloud Storage New Access Data Model
  • UEBA - Create Local Admin Accounts Using Net Exe
  • UEBA - Create Local User Accounts Using Net Exe
  • UEBA - DNS Exfiltration Using Nslookup App
  • UEBA - Delete A Net User
  • UEBA - Deleting Shadow Copies
  • UEBA - Deny Permission using Cacls Utility
  • UEBA - Detect PowerShell Applications Spawning cmd exe
  • UEBA - Detect Prohibited Browsers Spawning cmd exe
  • UEBA - Detect Prohibited Office Applications Spawning cmd exe
  • UEBA - Detect RClone Command-Line Usage
  • UEBA - Disable Net User Account
  • UEBA - Excessive File Size Change Model
  • UEBA - Fsutil Zeroing File
  • UEBA - Grant Permission Using Cacls Utility
  • UEBA - Hiding Files And Directories With Attrib exe
  • UEBA - Impacket Lateral Movement WMIExec Commandline Parameters
  • UEBA - Impacket Lateral Movement smbexec CommandLine Parameters
  • UEBA - Land Speed Violation
  • UEBA - Member Added Removed In Short Span
  • UEBA - Modify ACLs Permission Of Files Or Folders
  • UEBA - Office Product Spawning Windows Script Host
  • UEBA - Password Policy Circumvention
  • UEBA - Password Spraying In Active Directory Authentication Data
  • UEBA - Password Spraying In Active Directory Data
  • UEBA - Possible Lateral Movement PowerShell Spawn
  • UEBA - Powershell Suspicious Script Detection
  • UEBA - Rare Device Authentication by Windows User
  • UEBA - Rare Device Login by Windows User
  • UEBA - Rare File Access by User
  • UEBA - Rare File Activity by Company
  • UEBA - Rare File Activity by User
  • UEBA - Rare File Client by Company
  • UEBA - Rare File Client by User
  • UEBA - Rare Successful VPN Login Location by Company
  • UEBA - Rare Successful VPN Login Location by Device
  • UEBA - Rare Successful VPN Login Location by User
  • UEBA - Rare Windows Authentication Return Code by Device
  • UEBA - Rare Windows Authentication Return Code by User
  • UEBA - Rare Windows Domain Authentication by User
  • UEBA - Rare Windows Domain Login by User
  • UEBA - Rare Windows Event Code by User
  • UEBA - Rare Windows Login Return Code by Device
  • UEBA - Rare Windows Login Return Code by User
  • UEBA - Rare Windows Logon Process by Device
  • UEBA - Rare Windows Logon Process by User
  • UEBA - Rare Windows Logon Process by User and Device
  • UEBA - Rare Windows Logon Type by Device
  • UEBA - Rare Windows Logon Type by User
  • UEBA - Rare Windows Process Name by Device
  • UEBA - Rare Windows Process Name by User
  • UEBA - Rare Windows Resource Type by User
  • UEBA - Rare Windows User Authentication by Device
  • UEBA - Rare Windows User Login by Device
  • UEBA - Resize Shadowstorage Volume
  • UEBA - Sdelete Application Execution
  • UEBA - ServicePrincipalNames Discovery with PowerShell
  • UEBA - System Process Running from Unexpected Location
  • UEBA - Unauthorized Activity Time
  • UEBA - Unauthorized Login Type
  • UEBA - Unauthorized Machine Login
  • UEBA - Unusual Large Email Size Sent Per User
  • UEBA - Unusual Login Hour Of The Day
  • UEBA - Unusual Service Account Login via VPN
  • UEBA - Unusual Volume of Active Directory Authentication Failures
  • UEBA - Unusual Volume of Active Directory Login Failures
  • UEBA - Unusual Volume of Box Login Failures
  • UEBA - Unusual Volume of Cloud File Activity
  • UEBA - Unusual Volume of Cloud File Deletions
  • UEBA - Unusual Volume of Cloud File Downloads
  • UEBA - Unusual Volume of Kerberos TGS Ticket Requests
  • UEBA - Unusual Volume of O365 Login Failures
  • UEBA - Unusual Volume of Outgoing Emails to Rare Domains
  • UEBA - Unusual Volume of VPN Login Failures
  • UEBA - WBAdmin Delete System Backups
  • UEBA - WevtUtil Usage To Clear Logs
  • UEBA - Wevtutil Usage To Disable Logs
  • UEBA - Windows Bits Job Persistence
  • UEBA - Windows Bitsadmin Download File
  • UEBA - Windows COM Hijacking InprocServer32 Modification
  • UEBA - Windows CertUtil Decode File
  • UEBA - Windows CertUtil URLCache Download
  • UEBA - Windows CertUtil VerifyCtl Download
  • UEBA - Windows Curl Upload to Remote Destination
  • UEBA - Windows Default Group Policy Object Modified with GPME
  • UEBA - Windows Defender Tools in Non Standard Path
  • UEBA - Windows Diskshadow Proxy Execution
  • UEBA - Windows DotNet Binary in Non Standard Path
  • UEBA - Windows Exchange PowerShell Module Usage
  • UEBA - Windows Execute Arbitrary Commands with MSDT
  • UEBA - Windows File Share Discovery With Powerview
  • UEBA - Windows Findstr GPP Discovery
  • UEBA - Windows Ingress Tool Transfer Using Explorer
  • UEBA - Windows LOLBin Binary in Non Standard Path
  • UEBA - Windows MSHTA Child Process
  • UEBA - Windows MSHTA Command-Line URL
  • UEBA - Windows MSHTA Inline HTA Execution
  • UEBA - Windows OS Credential Dumping with Ntdsutil Export NTDS
  • UEBA - Windows OS Credential Dumping with Procdump
  • UEBA - Windows Odbcconf Load Response File
  • UEBA - Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser
  • UEBA - Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView
  • UEBA - Windows PowerShell Start-BitsTransfer
  • UEBA - Windows PowerSploit GPP Discovery
  • UEBA - Windows Powershell Connect to Internet With Hidden Window
  • UEBA - Windows Powershell DownloadFile
  • UEBA - Windows Powershell DownloadString
  • UEBA - Windows Rasautou DLL Execution
  • UEBA - Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path
  • UEBA - Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path
  • UEBA - Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path
  • UEBA - Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path
  • UEBA - Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path
  • UEBA - Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path
  • UEBA - Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path
  • UEBA - Windows Rename System Utilities At exe LOLBAS in Non Standard Path
  • UEBA - Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path
  • UEBA - Windows Rundll32 Comsvcs Memory Dump
  • UEBA - Windows Rundll32 Inline HTA Execution
  • UEBA - Windows Screen Capture Via Powershell
  • UEBA - Windows Script Host Spawn MSBuild
  • UEBA - Windows System Binary Proxy Execution Compiled HTML File Decompile
  • UEBA - Windows System Binary Proxy Execution Compiled HTML File URL In Command Line
  • UEBA - Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers
  • UEBA - Windows System Binary Proxy Execution MSIExec DLLRegisterServer
  • UEBA - Windows System Binary Proxy Execution MSIExec Remote Download
  • UEBA - Windows System Binary Proxy Execution MSIExec Unregister DLL
  • UEBA - Windows WMIPrvse Spawn MSBuild