UBA : Restricted Program Usage

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Restricted Program Usage

Enabled by default


Default senseValue



Indicates that a process is created and the process name matches one of the binary names listed in the reference set "UBA : Restricted Program Filenames". This reference set is blank by default so that you can customize it. You can populate the reference set with file names that you want to monitor for risk management.

For more information about adding or removing programs for monitoring, see Managing restricted programs.

Support rule

BB:UBA : Common Event Filters

Required configuration

Add the appropriate values to the following reference set: "UBA : Restricted Program Filenames".

Log source types

Microsoft Windows Security Event Log