Understand the UEBA Indicator Types

An Indicator is a validated anomaly, which is different from the typical or baseline behavior of the user. The following tables list indicators that display in the user interface when a potentially malicious activity is detected for users.

Indicator Alert Type Description
Abnormal File Access Time Non-Standard Hours A user has accessed a file at an abnormal time.
Abnormal File Access Permission Change Mass Permission Changes A user changed multiple share permissions.
Abnormal File Access Event Abnormal File Access A user has accessed a file abnormally.
Multiple File Access Permission Changes Mass Permission Changes A user changed multiple file share permissions.
Multiple File Access Events Snooping User A user accessed multiple files.
Multiple Failed File Access Events Snooping User A user failed multiple times to access a file.
Multiple File Open Events Snooping User A user opened multiple files.
Multiple Folder Open Events Snooping User A user opened multiple folders.
Multiple File Delete Events Abnormal File Access A user deleted multiple files.
Multiple Failed File Access Permission Changes Mass Permission Changes A user failed multiple attempts to change file access permissions.
Indicator Alert Type Description
Abnormal Active Directory Change Time Non-Standard Hours A user made Active Directory changes at an abnormal time.
Abnormal Active Directory Object Change Abnormal AD Changes A user made Active Directory attribute changes abnormally.
Multiple Group Membership Changes Mass Changes to Groups A user made multiple changes to groups successfully.
Multiple Active Directory Object Changes Abnormal AD Changes A user made multiple Active Directory changes successfully.
Multiple User Account Changes Abnormal AD Changes A user made multiple sensitive Active Directory changes successfully.
Multiple Failed Account Changes Abnormal AD Changes A user failed to make multiple Active Directory changes.
Admin Password Changed Admin Password Change The password of an admin was changed.
User Account Enabled Sensitive User Status Changes An account of a user was enabled.
User Account Disabled Sensitive User Status Changes An account of a user was disabled.
User Account Unlocked Sensitive User Status Changes An account of a user was unlocked.
User Account Type Changed Sensitive User Status Changes The type of user was changed.
User Account Locked Sensitive User Status Changes An account of a user was locked.
User Password Reset Sensitive User Status Changes The password of a user was reset.
User Password Never Expires Option Changed Sensitive User Status Changes The password policy of a user was changed.
Indicator Alert Type Description
Abnormal Remote Host Logon to Abnormal Remote Host A user attempted to access a remote computer abnormally.
Abnormal Logon Time Non-Standard Hours A user logged on at an abnormal time.
Abnormal Host User Logon to Abnormal Host A user attempted to access a host abnormally.
Multiple Successful Authentications Multiple Logons by User A user logged on multiple times.
Multiple Failed Authentications Multiple Failed Logons A user failed multiple authentication attempts.
Logon Attempts to Multiple Source Hosts User Logged into Multiple Hosts A user attempted to log on from multiple computers.
Abnormal VPN Logon Time Non-Standard Hours A user has logged on at an abnormal time.
Abnormal VPN Logon Country* Abnormal Logon Country A user attempted to establish VPN access from an abnormal country.
Multiple Failed VPN Authentications Multiple Failed VPN Logons A user failed multiple times to authenticate for VPN access.
Abnormal Azure AD Logon Time Non-Standard Hours A user has logged on at an abnormal time.
Abnormal Azure AD Logon Country* Abnormal Logon Country A user attempted to access Azure AD from an abnormal country.
Multiple Failed Azure AD Authentications Multiple Failed Logons A user failed multiple times to authenticate into Azure AD.
Azure AD - Abnormal Application Abnormal Remote Application A user attempted to log on to abnormal number of applications through Azure AD.
Azure AD - Logon Attempts to Multiple Applications Snooping User - Cloud Service Account A user attempted to log on to multiple applications through Azure AD.

Note

*For Abnormal Azure AD Logon Country, it is recommended to dynamically update the GeoIP repository to obtain optimal results.

Indicator Alert Type Description
Abnormal Process Created a Remote Thread in LSASS Credential Dumping An abnormal process was created into the LSASS process.
Abnormal Reconnaissance Tool Executed Discovery and Reconnaissance An abnormal process was executed.
Abnormal Process Executed a Scripting Tool PowerShell and Scripting An abnormal process executed a scripting tool.
Abnormal Process Executed a Scripting Tool PowerShell and Scripting An abnormal process was triggered by a scripting tool.
Scripting Tool Triggered an Abnormal Application PowerShell and Scripting An abnormal process was opened by a scripting tool.
Abnormal Process Created a Remote Thread in a Windows PowerShell and Scripting An abnormal process was injected into a known windows process.
Multiple Distinct Reconnaissance Tools Executed Discovery and Reconnaissance Multiple reconnaissance tools were executed in an hour.
Multiple Reconnaissance Tool Activities Executed Discovery and Reconnaissance Multiple reconnaissance tool activities were executed in an hour.
User Ran an Abnormal Process to Execute a Scripting Tool PowerShell / Scripting An abnormal process executed a scripting tool.
User Ran a Scripting Tool that Triggered an Abnormal Application PowerShell / Scripting A scripting tool was executed that triggered an abnormal application.
User Ran a Scripting Tool to Open an Abnormal Process PowerShell / Scripting A scripting tool was executed to open an abnormal process.
Indicator Alert Type Description
Abnormal Process Modified a Registry Key Group Registry Run Keys An abnormal process modified a service key registry.

See also