UBA : User Installing Suspicious Application
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
- UBA : User Installing Suspicious Application
- UBA : Populate Authorized Applications
Enabled by default
Detects application installation events and then alerts when suspicious applications are seen. Note: Populate the reference set "UBA : Authorized Applications" with the application names that are authorized in the organization. Rule "UBA : Populate Authorized Applications" can be enabled for a short duration to populate this reference set.
Rule "UBA : Populate Authorized Applications" populates the reference set "UBA : Authorized Applications" with the names of applications that are installed while this rule is enabled. Note: The rule is disabled by default. Enable it for a short duration to populate the names while users are installing applications.
Log source types
Microsoft Windows Security Event Logs
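The interaction between the two rules can be modelled offline. The following Python sketch is an added example, not QRadar or UBA code: it shows why the populate rule should run only briefly and why the learned set is worth reviewing. The event fields, application names, case-insensitive matching, and the choice to suppress alerts while the populate window is open are all assumptions made for the illustration.

```python
from datetime import datetime

# Constructed sample events; field names and application names are hypothetical.
EVENTS = [
    {"time": "2024-03-01T09:00:00", "username": "alice", "application": "7-Zip 23.01"},
    {"time": "2024-03-01T09:30:00", "username": "bob", "application": "Notepad++"},
    {"time": "2024-03-01T10:15:00", "username": "carol", "application": "RemoteToolX"},
    {"time": "2024-03-02T11:00:00", "username": "bob", "application": "notepad++"},
    {"time": "2024-03-02T12:00:00", "username": "dave", "application": "RemoteToolX"},
    {"time": "2024-03-02T13:00:00", "username": "erin", "application": "CoinMinerY"},
]


def normalize(name):
    # Assumption: names are matched case-insensitively with surrounding whitespace trimmed.
    return name.strip().lower()


def run_rules(events, learn_start, learn_end, removed_after_review=()):
    """Return (alerts, authorized) for a populate window of [learn_start, learn_end)."""
    start = datetime.fromisoformat(learn_start)
    end = datetime.fromisoformat(learn_end)
    removed = {normalize(n) for n in removed_after_review}
    learned = set()  # stands in for the reference set "UBA : Authorized Applications"
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        app = normalize(ev["application"])
        if start <= datetime.fromisoformat(ev["time"]) < end:
            # Populate rule enabled: every installed name is learned, good or bad.
            learned.add(app)
        elif app not in learned - removed:
            # Detection rule: installed application is not in the authorized set.
            alerts.append((ev["username"], ev["application"]))
    return alerts, learned - removed


if __name__ == "__main__":
    # Whole first day used for learning: RemoteToolX is learned and never alerts.
    print(run_rules(EVENTS, "2024-03-01T00:00:00", "2024-03-02T00:00:00"))
    # Same window, but the set is reviewed and RemoteToolX is removed before detection.
    print(run_rules(EVENTS, "2024-03-01T00:00:00", "2024-03-02T00:00:00",
                    removed_after_review=["RemoteToolX"]))
```

Anything installed while the populate window is open is treated as authorized afterwards, so a long window or an unreviewed set silently suppresses later alerts for those names.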