UBA : Pass the Hash

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Pass the Hash

Enabled by default

False

Default senseValue

15

Description

Detects Windows logon events that are possibly generated during pass the hash exploits.

Support rule

BB:UBA : Common Event Filters

Required configuration:

Add the appropriate values to the following reference set: UBA : Trusted Domains.

Log source types

Microsoft Windows Security Event Logs (EventID: 4624)