UBA : Executive only asset accessed by non-executive user from external network

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Executive only asset accessed by non-executive user from external network

Enabled by default

False

Default senseValue

15

Description

Detects when a non-executive user logs on from an external network to an asset that is for executive use. Two empty reference sets are imported with this rule: "UBA : Executive Users" and "UBA : Executive Assets". Edit the reference sets to add or remove any accounts and IP addresses that are flagged in your environment. Enable this rule after you configure the reference sets.

Support rules

BB:UBA : Common Event Filters

Required configuration

Add the appropriate values to the following reference sets: "UBA : Executive Users" and "UBA : Executive Assets". Ensure the following custom property is defined: Logon Type (custom).

Log source types

Microsoft Windows Security Event Logs (EventID: 4624)
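
The following added example (not IBM's rule definition and not part of the original page) models the described logic in Python over constructed 4624 events, to show how the contents of the two reference sets change what is flagged. Assumptions: the field names, the internal network range, the logon types treated as relevant (3 and 10), and the sample accounts and addresses are all hypothetical.

```python
import ipaddress

# Constructed stand-ins for the two reference sets named on this page.
EXECUTIVE_USERS = {"ceo.alice", "cfo.bob"}      # "UBA : Executive Users"
EXECUTIVE_ASSETS = {"10.20.0.5", "10.20.0.6"}   # "UBA : Executive Assets"
# Assumptions: what counts as internal, and which logon types are relevant.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
REMOTE_LOGON_TYPES = {3, 10}


def is_external(ip):
    """True when the address is outside every assumed internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def matches(event, exec_users=EXECUTIVE_USERS, exec_assets=EXECUTIVE_ASSETS):
    """Simplified model of the rule description; not the shipped rule tests."""
    return (
        event["event_id"] == 4624
        and event["logon_type"] in REMOTE_LOGON_TYPES
        and event["dest_ip"] in exec_assets
        and event["username"] not in exec_users
        and is_external(event["source_ip"])
    )


def flagged(events, **sets):
    """Usernames of matching events, in input order."""
    return [e["username"] for e in events if matches(e, **sets)]


def ev(user, src, dst, logon_type=10, event_id=4624):
    """Build one constructed logon event."""
    return {"username": user, "source_ip": src, "dest_ip": dst,
            "logon_type": logon_type, "event_id": event_id}


# Constructed sample events (documentation address ranges, not real log data).
EVENTS = [
    ev("ceo.alice", "203.0.113.7", "10.20.0.5"),        # executive: no match
    ev("j.doe", "203.0.113.7", "10.20.0.5"),            # match
    ev("j.doe", "10.1.1.4", "10.20.0.5"),               # internal source
    ev("j.doe", "203.0.113.7", "10.30.0.9"),            # not an executive asset
    ev("svc.backup", "198.51.100.20", "10.20.0.6", 3),  # match
]

if __name__ == "__main__":
    print(flagged(EVENTS))                     # both sets populated
    print(flagged(EVENTS, exec_assets=set()))  # empty asset set: never fires
    print(flagged(EVENTS, exec_users=set()))   # empty user set: executives flagged
```

In this model, an empty "UBA : Executive Assets" set means nothing is ever flagged, and a populated asset set with an empty "UBA : Executive Users" set flags executives as well, which is why the sets are filled in before the rule is enabled.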