CBRCOR Exam - Question 64


An employee who often travels abroad logs in from a first-seen country during non-working hours. The SIEM tool generates an alert that the user is forwarding an increased amount of emails to an external mail domain and then logs out. The investigation concludes that the external domain belongs to a competitor. Which two behaviors triggered UEBA? (Choose two.)

Correct Answer: CD

An employee logging in from a first-seen country and forwarding emails to an external domain are behaviors that could trigger User and Entity Behavior Analytics (UEBA). Logging in from a first-seen country is a deviation from the user's usual login patterns and is flagged as unusual. Similarly, forwarding a significant amount of emails to an external domain is another irregular behavior that suggests potential data exfiltration. These anomalies in user activity are precisely what UEBA is designed to detect in order to alert on potential security threats.
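The two deviations named in the explanation above can be expressed as per-user baseline checks. The following sketch is an added example, not part of the original question or of any vendor's UEBA product; the event fields, sample data, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (assumed schema, not from a real SIEM):
# (user, day, login_country, emails_forwarded_to_external_domains)
HISTORY = [
    ("alice", "2024-03-01", "US", 2),
    ("alice", "2024-03-04", "DE", 1),
    ("alice", "2024-03-05", "DE", 3),
    ("alice", "2024-03-11", "JP", 2),
    ("alice", "2024-03-12", "US", 2),
]
NEW_SESSION = ("alice", "2024-03-20", "BR", 40)  # constructed suspicious session


def build_baseline(events):
    """Per-user baseline: countries seen so far and external-forward counts."""
    base = defaultdict(lambda: {"countries": set(), "forwards": []})
    for user, _day, country, forwards in events:
        base[user]["countries"].add(country)
        base[user]["forwards"].append(forwards)
    return base


def score_session(baseline, session, z_threshold=3.0, min_history=3):
    """Compare one session with the user's own history and list the anomalies."""
    user, _day, country, forwards = session
    profile = baseline.get(user)
    if profile is None or len(profile["forwards"]) < min_history:
        # Too little history to call anything a deviation.
        return ["insufficient_baseline"]
    anomalies = []
    # A frequent traveler has many known countries; only an unseen one deviates.
    if country not in profile["countries"]:
        anomalies.append("first_seen_country")
    # Forwarding volume is judged against this user's own mean and spread.
    mu = mean(profile["forwards"])
    sigma = pstdev(profile["forwards"]) or 1.0  # flat history: avoid dividing by zero
    if (forwards - mu) / sigma > z_threshold:
        anomalies.append("external_forward_spike")
    return anomalies


if __name__ == "__main__":
    print(score_session(build_baseline(HISTORY), NEW_SESSION))
```

Travel by itself does not fire the first check: a login from a country already in the user's baseline, with a typical forwarding count, returns no anomalies.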

Discussion

14 comments
CiscoTester
Nov 29, 2022

The employee travels often, he's probably used to working after work hours (Not B). It would be a pain to feed all competitor domains to UEBA. That was just a surprising conclusion, not behavior. I think it's CD

jaciro11
Options: BD
Aug 30, 2023

UEBA (User and Entity Behavior Analytics) (D). log in from a first-seen country User Behavior (B). log in during non-working hours User Behavior (C). email forwarding to an external domain This shit doesn't make sense... UEBA IS User and Entity Behavior Analytics REMEMBER!!

Bobster02
Nov 30, 2022

I agree 100%

maxson69
Dec 10, 2022

Confirmed it's CD

AlphaOne1
Jun 28, 2023

Could be AC https://docs.splunksecurityessentials.com/content-detail/flight_risk_email/

TOLU1985
Options: BD
Sep 26, 2023

C is pointless.

cbr01
Oct 12, 2023

I will choose C, E, because these two conditions together trigger the alert.

Medjai89
Dec 26, 2023

C & D. B is pointless if an employee works "often" in other countries... Please read the question. First country & external domain is the answer.

balhimoh
Dec 27, 2023

It's C and E

ETSec
Jan 21, 2024

My answer is B. log in during non-working hours and C. email forwarding to an external domain. UEBA (User and Entity Behavior Analytics) is a security technique that uses machine learning algorithms to identify abnormal behavior within an organization's network. In this scenario, two behaviors that likely triggered a UEBA alert are the employee logging in during non-working hours and forwarding an increased amount of emails to an external mail domain. These behaviors deviate from the employee's normal patterns of activity and may indicate an attempt to exfiltrate sensitive information to a competitor. A. domain belongs to a competitor is not a behavior; it's information that's used in the investigation process. D. Log in from a first-seen country and E. increased number of sent mails also can be important indicators, but they are not enough to trigger UEBA alerts.

DrVoIP
Feb 18, 2024

The two behaviors that triggered UEBA are: B. Log in during non-working hours E. Increased number of sent mails - ChatGPT

jay_c_an
Jun 11, 2024

C and D. We operate in world time, so non-working hours in the US don't equate. Hard to track all the competitors.

Deco123
Nov 9, 2024

It's C & E, the answer is in the question. The SIEM tool generates an alert that the user is forwarding an increased amount of emails to an external mail domain and then logs out.

27ea763
Options: BD
Jan 23, 2025

Going with BD as well