Behavior-based detection reference for UEBA on-premises

The following behavior-based detections are available in on-premises deployments of Splunk Enterprise Security:

  • UEBA - Http Unusual Traffic to Anonymizing Sites - Rule
  • UEBA - Http Unusual Job Search Activity - Rule
  • UEBA - Http Suspicious Domain File Download - Rule
  • UEBA - Http Excessive Transfer to Storage Site - Rule
  • UEBA - Unusual Volume of Print per User by Company - Rule
  • UEBA - Unusual Volume of Print per User - Rule
  • UEBA - Unusual Volume of Print per Printer by Company - Rule
  • UEBA - Unusual Volume of Print per Printer - Rule
  • UEBA - Unusual Volume of Print per Device by Company - Rule
  • UEBA - Unusual Volume of Print per Device - Rule
  • UEBA - Unusual Volume of Print at Unusual Time per User by Company - Rule
  • UEBA - Unusual Volume of Print at Unusual Time per Printer by Company - Rule
  • UEBA - Unusual Volume of Print at Unusual Time per Device by Company - Rule
  • UEBA - Unusual Volume of Data Transmitted to Printer per User by Company - Rule
  • UEBA - Unusual Volume of Data Transmitted to Printer per User - Rule
  • UEBA - Unusual Volume of Data Transmitted to Printer per Printer by Company - Rule
  • UEBA - Unusual Volume of Data Transmitted to Printer per Printer - Rule
  • UEBA - Unusual Volume of Data Transmitted to Printer per Device by Company - Rule
  • UEBA - Unusual Volume of Data Transmitted to Printer per Device - Rule
  • UEBA - Unusual Print Time per User - Rule
  • UEBA - Unusual Print Time per Printer - Rule
  • UEBA - Unusual Print Time per Device - Rule
  • UEBA - Compromised Windows Host Correlation - Rule
  • UEBA - Compromised Linux Host Correlation - Rule
  • UEBA - AWS Compromised Account - Rule
  • UEBA - Unusual Volume of Outgoing Connections per Device by Company - Rule
  • UEBA - Unusual Volume of Outgoing Connections per Device by Business Unit - Rule
  • UEBA - Unusual Volume of Outgoing Connections per Device - Rule
  • UEBA - Unusual Volume of Outgoing Connections Per User By Company - Rule
  • UEBA - Unusual Volume of Outgoing Connections Per User By Business Unit - Rule
  • UEBA - Unusual Volume of Outgoing Connections Per User - Rule
  • UEBA - Unusual Volume of Data Uploaded per User by Company - Rule
  • UEBA - Unusual Volume of Data Uploaded per User - Rule
  • UEBA - Unusual Volume of Data Uploaded per Device by Company - Rule
  • UEBA - Unusual Volume of Data Uploaded per Device by Business Unit - Rule
  • UEBA - Unusual Volume of Data Uploaded per Device - Rule
  • UEBA - Unusual Volume of Data Uploaded To DMZ Devices Per User By Company - Rule
  • UEBA - Unusual Volume of Data Uploaded To DMZ Devices Per User By Business Unit - Rule
  • UEBA - Unusual Volume of Data Uploaded To DMZ Devices Per User - Rule
  • UEBA - Unusual Volume of Data Downloaded per User by Company - Rule
  • UEBA - Unusual Volume of Data Downloaded per User - Rule
  • UEBA - Unusual Volume of Data Downloaded per Device by Company - Rule
  • UEBA - Unusual Volume of Data Downloaded per Device by Business Unit - Rule
  • UEBA - Unusual Volume of Data Downloaded per Device - Rule
  • UEBA - Unusual Volume of Data Bytes per Device by Company - Rule
  • UEBA - Unusual Volume of Data Bytes per Device by Business Unit - Rule
  • UEBA - Unusual Volume of Data Bytes per Device - Rule
  • UEBA - Unusual Volume of Blocked Connections per Device by Company - Rule
  • UEBA - Unusual Volume of Blocked Connections per Device by Business Unit - Rule
  • UEBA - Unusual Volume of Blocked Connections per Device - Rule
  • UEBA - Unusual Volume Of Data Uploaded Per User By Business Unit - Rule
  • UEBA - Unusual Volume Of Data Downloaded Per User By Business Unit - Rule
  • UEBA - Unusual Volume Of Data Downloaded From Internal Server Per User By Company - Rule
  • UEBA - Unusual Volume Of Data Downloaded From Internal Server Per User By Business Unit - Rule
  • UEBA - Unusual Volume Of Data Downloaded From Internal Server Per User - Rule
  • UEBA - Unusual Volume Of Blocked Connections Per User By Company - Rule
  • UEBA - Unusual Volume Of Blocked Connections Per User By Business Unit - Rule
  • UEBA - Unusual Volume Of Blocked Connections Per User - Rule
  • UEBA - Unusual Volume Of USB Denies Per User By Company - Rule
  • UEBA - Unusual Volume Of USB Denies Per User - Rule
  • UEBA - Unusual Volume Of File Operations To USB Per User By Company - Rule
  • UEBA - Unusual Volume Of File Operations To USB Per User - Rule
  • UEBA - Unusual Volume Of Bytes Written To USB Per User By Company - Rule
  • UEBA - Unusual Volume Of Bytes Written To USB Per User - Rule
  • UEBA - Unusual Volume Of Bytes Read From USB Per User By Company - Rule
  • UEBA - Unusual Volume Of Bytes Read From USB Per User - Rule
  • UEBA - Email over 5 MB Sent to Personal Email - Rule
  • UEBA - Email Sent to Personal Email with Privacy Keywords - Rule
  • UEBA - Email Sent to Personal Email with Attachment - Rule
  • UEBA - Email Sent to Personal Email Using Same Alias - Rule
  • UEBA - Email Sent to Disposable Email Provider - Rule
  • UEBA - Windows Event Log Cleared - Rule
  • UEBA - Short Lived Windows Accounts - Rule
  • UEBA - Password Policy Circumvention - Rule
  • UEBA - Member Added Removed In Short Span Universal Groups - Rule
  • UEBA - Member Added Removed In Short Span Global Groups - Rule
  • UEBA - Unusual Volume Success Logins To Computer By Company - Rule
  • UEBA - Unusual Volume Success Logins To Computer By Business Unit - Rule
  • UEBA - Unusual Volume Success Logins To Computer - Rule
  • UEBA - Unusual Volume Success Login Per User by Company - Rule
  • UEBA - Unusual Volume Success Login Per User by Business Unit - Rule
  • UEBA - Unusual Volume Success Login Per User - Rule
  • UEBA - Unusual Volume Login Type Per User by Company - Rule
  • UEBA - Unusual Volume Login Type Per User by Business Unit - Rule
  • UEBA - Unusual Volume Login Type Per User - Rule
  • UEBA - Unusual Unlock Time Per User By Company - Rule
  • UEBA - Unusual Unlock Time Per User - Rule
  • UEBA - Unusual Login Time Per User By Company - Rule
  • UEBA - Unusual Login Time Per User - Rule
  • UEBA - Unauthorized Machine Login - Rule
  • UEBA - Unauthorized Login Type - Rule
  • UEBA - Unauthorized Activity Time - Rule
  • UEBA - Rare Windows User Login By Device - Rule
  • UEBA - Rare Windows Logon Type By User - Rule
  • UEBA - Rare Windows Logon Type By Device - Rule
  • UEBA - Rare Windows Logon Process By User And Device - Rule
  • UEBA - Rare Windows Logon Process By User - Rule
  • UEBA - Rare Windows Logon Process By Device - Rule
  • UEBA - Rare Windows Domain Login By User - Rule
  • UEBA - Rare Login Return Code By Windows User - Rule
  • UEBA - Rare Login Return Code By Device - Rule
  • UEBA - Rare Device Login By Windows User - Rule
  • UEBA - Brute Force Access Logon Type Per User by Company - Rule
  • UEBA - Brute Force Access Logon Type Per User by Business Unit - Rule
  • UEBA - Brute Force Access Logon Type Per User - Rule
  • UEBA - Brute Force Access Behavior Per User by Company - Rule
  • UEBA - Brute Force Access Behavior Per User by Business Unit - Rule
  • UEBA - Brute Force Access Behavior Per User - Rule
  • UEBA - Brute Force Access Behavior Per Device By Company - Rule
  • UEBA - Brute Force Access Behavior Per Device By Business Unit - Rule
  • UEBA - Brute Force Access Behavior Per Device - Rule