UBA : Restricted Program Usage
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
Enabled by default
False
Default senseValue
5
Description
Indicates that a process is created and the process name matches one of the binary names listed in the reference set "UBA : Restricted Program Filenames". This reference set is blank by default so that you can customize it. You can populate the reference set with file names that you want to monitor for risk management.
For more information about adding or removing programs for monitoring, see Managing restricted programs.
Support rule
BB:UBA : Common Event Filters
Required configuration
Add the appropriate values to the following reference set: "UBA : Restricted Program Filenames".
Log source types
Microsoft Windows Security Event Log
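The following added example, which is not IBM's rule logic or code from this page, is an offline dry run for tuning the reference set before the rule is enabled: it checks candidate entries against constructed process-creation events and shows that an empty set yields no hits. Assumptions: Windows event ID 4688 as the process-creation event, case-insensitive comparison on the bare filename, one senseValue added per hit, and the hypothetical helper names `normalize`, `restricted_usage` and `risk_by_user`.

```python
import ntpath
from collections import Counter

SENSE_VALUE = 5  # default senseValue stated on this page

# Constructed stand-in for "UBA : Restricted Program Filenames" (ships empty).
SAMPLE_SET = ["psexec.exe", r"C:\Tools\nmap.exe", "  "]

# Constructed events using Windows Security Event Log field names (4688 = process creation).
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "alice", "NewProcessName": r"C:\Tools\PsExec.exe"},
    {"EventID": 4688, "SubjectUserName": "bob", "NewProcessName": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 4624, "SubjectUserName": "alice"},
    {"EventID": 4688, "SubjectUserName": "alice", "NewProcessName": r"C:\Users\alice\Downloads\NMAP.EXE"},
]


def normalize(value):
    """Reduce a path or filename to a lowercase bare filename (assumed matching form)."""
    return ntpath.basename(value.strip()).lower()


def restricted_usage(events, filenames):
    """Return one hit per process-creation event whose binary name is in the set."""
    watch = {normalize(f) for f in filenames} - {""}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue  # only process-creation events are relevant
        name = normalize(ev.get("NewProcessName", ""))
        if name in watch:
            hits.append({"user": ev.get("SubjectUserName", "unknown"), "process": name})
    return hits


def risk_by_user(hits, sense_value=SENSE_VALUE):
    """Sum the senseValue per user (assumed: each hit adds the senseValue once)."""
    totals = Counter()
    for hit in hits:
        totals[hit["user"]] += sense_value
    return dict(totals)


if __name__ == "__main__":
    found = restricted_usage(SAMPLE_EVENTS, SAMPLE_SET)
    print(found)
    print(risk_by_user(found))
    print(restricted_usage(SAMPLE_EVENTS, []))  # empty set, as shipped: no hits
```

Entries pasted as full paths are reduced to their filename here; confirm how your deployment stores and compares reference set values before relying on that behavior.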