场景概述
内部人员滥用权限或账号被盗用。
QRadar + UBA 检测
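-- Account-sharing / credential-theft indicator: one account logging in
-- successfully from more than 3 distinct source IPs within 24 hours.
-- Tuning notes:
--   * The threshold (3) is a starting point. NAT pools, VPN egress and
--     mobile roaming inflate distinct IPs for legitimate users, so
--     baseline it per environment (or per UBA peer group) before alerting.
--   * NOTE(review): 'Authentication' is a high-level category name; if
--     `category` is the low-level category id, this predicate may match
--     nothing. Confirm against CATEGORYNAME(highlevelcategory) or filter
--     on the low-level login-success categories instead.
--   * NOTE(review): COUNT(DISTINCT ...) and ARRAY_AGG are not in the
--     documented AQL aggregate list; UNIQUECOUNT(sourceip) is the
--     documented distinct-count form. Verify both on the target version.
SELECT username,
       COUNT(DISTINCT sourceip) AS unique_ips,
       ARRAY_AGG(DISTINCT sourceip) AS ip_list
FROM events
WHERE CATEGORYNAME(category) = 'Authentication'
  AND QIDNAME(qid) = 'Successful Login'
  -- Events with no username would otherwise collapse into a single
  -- NULL group that trivially exceeds the threshold and fires every day.
  AND username IS NOT NULL
GROUP BY username
HAVING unique_ips > 3
LAST 24 HOURS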
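-- Post-termination activity: any event attributed to an account that HR
-- has flagged as terminated. Requires the HR feed to be synced into the
-- 'Terminated_Employees' reference set; coverage is only as good as the
-- latency of that sync.
-- NOTE(review): the documented AQL membership test is
-- REFERENCESETCONTAINS('Terminated_Employees', username); confirm that
-- the `IN REFERENCESET(...)` form parses on the target QRadar version.
-- Reference-set matching is exact-string: normalise username case and
-- domain form on ingest (or create the set as ALNIC) so variant
-- spellings of the same account are not silently missed.
SELECT username,
       sourceip,
       QIDNAME(qid) AS event_name,
       COUNT(*) AS event_count
FROM events
WHERE username IN REFERENCESET('Terminated_Employees')
GROUP BY username, sourceip, QIDNAME(qid)
LAST 7 DAYS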