An employee who often travels abroad logs in from a first-seen country during non-working hours.
The SIEM tool generates an alert that the user is forwarding an increased amount of emails to an external mail domain and then logs out.
The investigation concludes that the external domain belongs to a competitor.
Which two behaviors triggered UEBA? (Choose two.)
A. B. C. D. E.AB.
The user and entity behavior analytics (UEBA) tool triggered an alert due to the following two behaviors:
C. Email forwarding to an external domain: The user is forwarding an increased amount of emails to an external mail domain. This behavior can be indicative of data exfiltration or unauthorized data sharing, especially when the external domain belongs to a competitor.
E. Increased number of sent mails: The user is sending an increased amount of emails, which can be an anomaly compared to their typical behavior. This behavior can also be an indicator of data exfiltration, especially when combined with other suspicious behaviors such as email forwarding to an external domain.
The other behaviors mentioned in the question, such as logging in from a first-seen country and logging in during non-working hours, may also be suspicious and trigger alerts, but they do not necessarily indicate data exfiltration or unauthorized data sharing on their own. They could be legitimate actions by the employee. However, when combined with other suspicious behaviors, they can add to the overall risk score and help identify potential threats.
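To make the explanation concrete, here is an added example (not part of the original question or answer) of how a UEBA-style detector scores the behaviours described above. It learns a per-user baseline from a constructed week of mail and login events, then evaluates one day against it: a login from a country never seen for that user, a login outside working hours, forwarding to an external domain the user has never mailed, and a spike in outbound volume measured as a z-score. The internal domain `corp.example`, the working-hours window, the thresholds and the risk weights are all assumptions chosen for the illustration, as is the sample log.

```python
from collections import Counter
from datetime import date, datetime
from statistics import mean, pstdev

INTERNAL_DOMAIN = "corp.example"   # assumed internal mail domain
WORK_HOURS = range(8, 19)          # 08:00-18:59 treated as working hours (assumption)
SEND_Z_THRESHOLD = 3.0             # daily outbound volume beyond this z-score is anomalous

# Weight each behaviour contributes to the user's risk score (illustrative values).
WEIGHTS = {
    "login_first_seen_country": 20,
    "login_non_working_hours": 10,
    "forward_to_external_domain": 40,
    "sent_volume_spike": 30,
}


def _baseline_events(user, days):
    """Construct a week of ordinary activity: on-hours logins from two known
    countries, 8-10 internal mails a day and one mail to a known partner."""
    ev = []
    for d in range(1, days + 1):
        ev.append((user, f"2024-03-{d:02d}T09:05:00", "login", "DE" if d % 2 else "FR"))
        for i in range(8 + d % 3):
            ev.append((user, f"2024-03-{d:02d}T10:{i:02d}:00", "send", INTERNAL_DOMAIN))
        ev.append((user, f"2024-03-{d:02d}T15:00:00", "send", "partner.example"))
    return ev


# Constructed log for the scenario in the question: an off-hours login from a
# first-seen country followed by a burst of forwards to an external domain.
# Event fields: (user, ISO timestamp, kind, detail); detail is a country for
# "login" and a recipient domain for "send" / "forward".
EVENTS = _baseline_events("alice", 7) + [
    ("alice", "2024-03-08T02:10:00", "login", "BR"),
] + [("alice", f"2024-03-08T02:{m:02d}:30", "forward", "rival.example") for m in range(13, 53)]


def build_baseline(events, user, before):
    """Learn the user's normal: daily outbound mail statistics plus the
    countries and recipient domains seen strictly before `before`."""
    daily = Counter()
    countries, domains = set(), set()
    for u, ts, kind, detail in events:
        t = datetime.fromisoformat(ts)
        if u != user or t.date() >= before:
            continue
        if kind == "login":
            countries.add(detail)
        elif kind in ("send", "forward"):
            daily[t.date()] += 1
            domains.add(detail)
    counts = list(daily.values())
    return {"mean": mean(counts), "std": pstdev(counts),
            "countries": countries, "domains": domains}


def detect(events, user, day, baseline):
    """Return the set of behaviours on `day` that deviate from the baseline."""
    signals = set()
    outbound = 0
    for u, ts, kind, detail in events:
        t = datetime.fromisoformat(ts)
        if u != user or t.date() != day:
            continue
        if kind == "login":
            if detail not in baseline["countries"]:
                signals.add("login_first_seen_country")
            if t.hour not in WORK_HOURS:
                signals.add("login_non_working_hours")
        elif kind in ("send", "forward"):
            outbound += 1
            if kind == "forward" and detail != INTERNAL_DOMAIN and detail not in baseline["domains"]:
                signals.add("forward_to_external_domain")
    std = baseline["std"] or 1.0   # guard against a perfectly regular baseline
    if (outbound - baseline["mean"]) / std > SEND_Z_THRESHOLD:
        signals.add("sent_volume_spike")
    return signals


def risk_score(signals):
    """Combine the individual anomalies into one entity risk score."""
    return sum(WEIGHTS[s] for s in signals)


def evaluate(events, user, day_str):
    """Baseline the user on everything before `day_str`, then score that day."""
    day = date.fromisoformat(day_str)
    signals = detect(events, user, day, build_baseline(events, user, day))
    return signals, risk_score(signals)


if __name__ == "__main__":
    for d in ("2024-03-07", "2024-03-08"):
        found, score = evaluate(EVENTS, "alice", d)
        print(d, sorted(found), score)
```

Evaluating 2024-03-07 against the six days before it produces no signals, while 2024-03-08 raises all four: the two login anomalies alone carry a modest score, and it is the forwarding to a never-seen external domain together with the volume spike (40 outbound messages against a baseline of about 10 a day) that pushes the user's risk score to its maximum, which is the combination the answer above describes.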