UBA : User Installing Suspicious Application

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

This use case supports the following rules:
  • UBA : User Installing Suspicious Application
  • UBA : Populate Authorized Applications

Enabled by default

False

Default senseValue

15

Description

Detects application installation events and then alerts when suspicious applications are seen. Note: Populate the reference set "UBA : Authorized Applications" with the application names that are authorized in the organization. The rule "UBA : Populate Authorized Applications" can be enabled for a short duration to populate this reference set.

The rule "UBA : Populate Authorized Applications" populates the reference set "UBA : Authorized Applications" with the names of applications that are installed while this rule is enabled. Note: The rule is disabled by default. Enable it for a short duration to populate the names while users are installing applications.

Log source types

Microsoft Windows Security Event Logs
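
The following added example (not IBM's rule logic or QRadar code) simulates how the two rules in the description interact: a learning window fills the authorized set, later installs outside it raise alerts, and anything installed during the window is trusted until someone reviews the set. The event fields, application names, the `review` helper, the exact-match comparison and the per-alert score accumulation are assumptions made for illustration.

```python
from collections import defaultdict

SENSE_VALUE = 15  # default senseValue listed on this page

# Constructed sample install events; field names are assumptions, not QRadar's schema.
EVENTS = [
    {"t": 1, "user": "alice", "app": "7-Zip"},
    {"t": 2, "user": "bob", "app": "Notepad++"},
    {"t": 3, "user": "bob", "app": "RemoteToolX"},    # unapproved, but seen while learning
    {"t": 10, "user": "alice", "app": "Notepad++"},
    {"t": 11, "user": "carol", "app": "RemoteToolX"},
    {"t": 12, "user": "carol", "app": "CoinMinerY"},
    {"t": 13, "user": "carol", "app": "TorrentZ"},
]

def populate(events, start, end):
    """Populate rule: record every application name seen while the rule is enabled."""
    return {e["app"] for e in events if start <= e["t"] <= end}

def detect(events, authorized, after):
    """Detection rule: alert on installs whose name is not in the authorized set."""
    alerts, risk = [], defaultdict(int)
    for e in events:
        if e["t"] > after and e["app"] not in authorized:
            alerts.append((e["user"], e["app"]))
            risk[e["user"]] += SENSE_VALUE  # simplified: each alert adds the senseValue
    return alerts, dict(risk)

def review(authorized, approved):
    """Hypothetical review step: learned entries that are not on the approved list."""
    return sorted(authorized - approved)

if __name__ == "__main__":
    learned = populate(EVENTS, start=1, end=3)
    print("alerts with unreviewed set:", detect(EVENTS, learned, after=3))
    unapproved = review(learned, approved={"7-Zip", "Notepad++"})
    print("learned but never approved:", unapproved)
    cleaned = learned - set(unapproved)
    print("alerts after cleanup:", detect(EVENTS, cleaned, after=3))
```

With the unreviewed set, the later install of the application learned during the window raises no alert; after the review step removes it, the same event is flagged.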