UBA : Executive only asset accessed by non-executive user from internal network
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
UBA : Executive only asset accessed by non-executive user from internal network (formerly called UBA : Executive Only Asset Accessed by Non-Executive User)
Enabled by default
Detects when a non-executive user logs on to an asset that is for executive use only. Two empty reference sets are imported with this rule: "UBA : Executive Users" and "UBA : Executive Assets". Edit the reference sets to add or remove any accounts and IP addresses that are flagged in your environment. Enable this rule after configuring the reference sets.
BB:UBA : Common Event Filters
- Add the appropriate values to the following reference sets: "UBA : Executive Users" and "UBA : Executive Assets".
- Ensure the following custom property is defined: Logon Type
Log source types
Microsoft Windows Security Event Logs (EventID: 4624)
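
Before enabling the rule, the planned reference set contents can be dry-run against a sample of parsed EventID 4624 records to see which logons would be flagged. The following sketch is an added example, not IBM's rule logic or code from the UBA app. Assumptions: the event field names, the sample accounts and addresses, the logon types checked, the case-insensitive user match, the use of the destination IP as the asset, and RFC 1918 ranges standing in for the internal network definition.

```python
import ipaddress

# Constructed reference-set contents (placeholders, not real accounts or hosts).
EXECUTIVE_USERS = {"ceo.alice", "cfo.bob"}      # planned "UBA : Executive Users"
EXECUTIVE_ASSETS = {"10.20.0.5", "10.20.0.6"}   # planned "UBA : Executive Assets"
# Assumption: Logon Type values to evaluate (2 interactive, 3 network, 10 remote interactive).
LOGON_TYPES = {2, 3, 10}
# Assumption: RFC 1918 ranges stand in for the deployment's internal network definition.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed, already-parsed Windows Security events (hypothetical field names).
EVENTS = [
    {"event_id": 4624, "username": "CEO.Alice", "src_ip": "10.1.1.10", "dst_ip": "10.20.0.5", "logon_type": 2},
    {"event_id": 4624, "username": "jdoe", "src_ip": "10.1.4.22", "dst_ip": "10.20.0.5", "logon_type": 10},
    {"event_id": 4624, "username": "jdoe", "src_ip": "203.0.113.9", "dst_ip": "10.20.0.6", "logon_type": 10},
    {"event_id": 4624, "username": "jdoe", "src_ip": "10.1.4.22", "dst_ip": "10.30.0.9", "logon_type": 3},
    {"event_id": 4625, "username": "msmith", "src_ip": "10.1.4.30", "dst_ip": "10.20.0.6", "logon_type": 3},
    {"event_id": 4624, "username": "svc_backup", "src_ip": "10.1.9.2", "dst_ip": "10.20.0.6", "logon_type": 5},
]

def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def would_flag(event):
    """Approximate the rule: successful logon, internal source, executive asset, non-executive user."""
    if event["event_id"] != 4624 or event["logon_type"] not in LOGON_TYPES:
        return False
    if event["dst_ip"] not in EXECUTIVE_ASSETS or not is_internal(event["src_ip"]):
        return False
    # Assumption: account names are compared case-insensitively in this sketch.
    return event["username"].casefold() not in EXECUTIVE_USERS

def dry_run(events):
    """Return (user, source, asset) for every event the sketch would flag."""
    return [(e["username"], e["src_ip"], e["dst_ip"]) for e in events if would_flag(e)]

if __name__ == "__main__":
    for user, src, asset in dry_run(EVENTS):
        print(f"would flag: {user} from {src} on executive asset {asset}")
```

Accounts that show up here but legitimately use executive assets, such as support staff or service accounts, are candidates for review before the rule is enabled.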