UBA : Process Executed Outside Gold Disk Allowlist (Linux)

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Process Executed Outside Gold Disk Allowlist (Linux®)

Enabled by default: False

Default senseValue: 15

Description

Detects processes that are created on a Linux system and alerts when the process name is not in the gold disk process allowlist.
Note: The rule is disabled by default. Enable the rule only after you populate the reference set 'UBA : Gold Disk Process Allowlist - Linux' with the process names that are expected on your gold disk image; with an empty or incomplete allowlist, every process creation is reported.

Required configuration

  • Add the appropriate values to the following reference set: "UBA : Gold Disk Process Allowlist - Linux".
  • Enable "Search assets for username, when username is not available for event or flow data" in Admin Settings > UBA Settings.
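The following is an added example, not QRadar's rule logic or IBM code: it models the detection offline by parsing auditd SYSCALL records and flagging successful execve/execveat calls whose process name is not in a stand-in for the 'UBA : Gold Disk Process Allowlist - Linux' reference set. It assumes the comparison is made on the audit comm field, uses x86_64 syscall numbers (arch=c000003e), and runs over constructed log lines rather than captured events.

```python
"""Offline model of 'Process Executed Outside Gold Disk Allowlist (Linux)'.
Added example; not the QRadar rule's own logic.  Comparing on the auditd
comm field is an assumption made here."""
import re
from typing import Dict, Iterable, List

# Constructed stand-in for the reference set
# 'UBA : Gold Disk Process Allowlist - Linux'.  comm is capped at 15 bytes
# (TASK_COMM_LEN is 16 including the terminator), so a longer binary name
# must be entered truncated: "systemd-resolved" shows up as "systemd-resolve".
GOLD_DISK_ALLOWLIST = {"bash", "sshd", "sudo", "cron", "ls", "grep",
                       "systemd", "systemd-resolve"}

# execve (59) and execveat (322) on x86_64; arch=c000003e in the records.
EXEC_SYSCALLS = {"59", "322"}

# Constructed auditd records (not captured logs).  Record 206 shows the kernel
# hex-encoding comm/exe because the name contains a space; record 205 is a
# failed exec, where comm/exe still describe the calling shell.
SAMPLE_EVENTS = [
    'type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1201 pid=1302 auid=1000 uid=1000 gid=1000 comm="ls" exe="/usr/bin/ls" key="exec"',
    'type=SYSCALL msg=audit(1700000000.233:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1201 pid=1303 auid=1000 uid=1000 gid=1000 comm="nc" exe="/usr/bin/nc" key="exec"',
    'type=SYSCALL msg=audit(1700000000.300:203): arch=c000003e syscall=2 success=yes exit=3 ppid=1201 pid=1302 auid=1000 uid=1000 gid=1000 comm="ls" exe="/usr/bin/ls" key="open"',
    'type=SYSCALL msg=audit(1700000000.412:204): arch=c000003e syscall=322 success=yes exit=0 ppid=1 pid=1304 auid=4294967295 uid=0 gid=0 comm="sshd" exe="/usr/sbin/sshd" key="exec"',
    'type=SYSCALL msg=audit(1700000000.500:205): arch=c000003e syscall=59 success=no exit=-13 ppid=1201 pid=1305 auid=1000 uid=1000 gid=1000 comm="bash" exe="/usr/bin/bash" key="exec"',
    'type=SYSCALL msg=audit(1700000000.600:206): arch=c000003e syscall=59 success=yes exit=0 ppid=1201 pid=1306 auid=1000 uid=1000 gid=1000 comm=6D7920746F6F6C exe=2F746D702F6D7920746F6F6C key="exec"',
]

# key=value pairs; values are either double-quoted or a run of non-spaces.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_HEX = re.compile(r"[0-9A-Fa-f]+")


def parse_audit_record(line: str) -> Dict[str, str]:
    """Parse one auditd record into a dict.  Quoted values are unquoted;
    comm/exe values the kernel hex-encoded (names with spaces or quotes)
    are decoded so that an odd process name cannot slip past the check."""
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            fields[key] = raw[1:-1]
        elif key in ("comm", "exe") and len(raw) % 2 == 0 and _HEX.fullmatch(raw):
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields


def process_outside_allowlist(rec: Dict[str, str], allowlist) -> bool:
    """True when the record is a successful process creation whose
    process name is not in the allowlist."""
    if rec.get("type") != "SYSCALL":
        return False
    # Only a successful exec replaces the process image; on a failed execve
    # comm/exe still name the caller, so such records are not judged.
    if rec.get("syscall") not in EXEC_SYSCALLS or rec.get("success") != "yes":
        return False
    return rec.get("comm", "") not in allowlist


def find_violations(lines: Iterable[str],
                    allowlist=GOLD_DISK_ALLOWLIST) -> List[Dict[str, str]]:
    """Run the check over audit lines; return the fields an analyst needs."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_audit_record(line)
        if process_outside_allowlist(rec, allowlist):
            hits.append({k: rec.get(k, "") for k in ("pid", "auid", "comm", "exe")})
    return hits


if __name__ == "__main__":
    for hit in find_violations(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['pid']} auid={hit['auid']} "
              f"comm={hit['comm']!r} exe={hit['exe']!r}")
```

Run against the constructed records, only the `nc` execution and the hex-encoded `/tmp/my tool` are reported: the `open()` call, the allowlisted `ls` and `sshd` executions, and the failed exec are ignored. The `auid` field is what the rule's username lookup ultimately depends on; when it is 4294967295 (unset), the "Search assets for username" setting is what lets UBA attribute the event to a user.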

Support rule

BB:UBA : Common Log Source Filters

Log source types

Linux OS (EventID: SYSCALL)