UBA : Executive only asset accessed by non-executive user from internal network
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
UBA : Executive only asset accessed by non-executive user from internal network (formerly called UBA : Executive Only Asset Accessed by Non-Executive User)
Enabled by default
False
Default senseValue
15
Description
Detects when a non-executive user logs on to an asset that is for executive use only. Two empty reference sets are imported with this rule: "UBA : Executive Users" and "UBA : Executive Assets". Edit the reference sets to add or remove any accounts and IP addresses from your environment that are flagged. Enable this rule after configuring the reference sets.
Support rules
BB:UBA : Common Event Filters
Required configuration
- Add the appropriate values to the following reference sets: "UBA : Executive Users" and "UBA : Executive Assets".
- Ensure the following custom property is defined: Logon Type
Log source types
Microsoft Windows Security Event Logs (EventID: 4624)
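
The following Python sketch is an added example, not IBM's rule logic or code from this page. It replays the condition described above over constructed logon events to show how the contents of the two reference sets change what is flagged, which is why the rule is enabled only after both sets are populated. The set contents, events, internal ranges, case-insensitive username match and function names are all assumptions.

```python
import ipaddress

# Constructed reference set contents; the rule imports both sets empty.
EXECUTIVE_USERS = {"ceo.alice", "cfo.bob"}
EXECUTIVE_ASSETS = {"10.20.0.5", "10.20.0.6"}

# Assumption: "internal network" is modelled as the RFC 1918 ranges; a real
# deployment uses its own network hierarchy.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed events: (event_id, username, src_ip, dst_ip, logon_type).
# logon_type is carried but not filtered on: the page requires the Logon Type
# property without stating which values the rule matches.
EVENTS = [
    (4624, "CEO.Alice", "10.1.1.10", "10.20.0.5", 10),  # executive user
    (4624, "jdoe", "10.1.1.44", "10.20.0.5", 10),       # non-executive, internal
    (4624, "jdoe", "203.0.113.9", "10.20.0.6", 10),     # source not internal
    (4624, "jdoe", "10.1.1.44", "10.30.0.9", 3),        # not an executive asset
    (4625, "jdoe", "10.1.1.44", "10.20.0.5", 3),        # not EventID 4624
]

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # missing or malformed source address
    return any(addr in net for net in INTERNAL_NETS)

def matches(event, exec_users, exec_assets):
    event_id, user, src_ip, dst_ip, _logon_type = event
    # Assumption: usernames compare case-insensitively; in QRadar this depends
    # on the element type chosen for the reference set.
    users = {u.lower() for u in exec_users}
    return (event_id == 4624 and dst_ip in exec_assets
            and user.lower() not in users and is_internal(src_ip))

def flagged(events, exec_users, exec_assets):
    """Return (username, src_ip, dst_ip) for every event the condition matches."""
    return [(e[1], e[2], e[3]) for e in events
            if matches(e, exec_users, exec_assets)]

if __name__ == "__main__":
    print("both sets populated:", flagged(EVENTS, EXECUTIVE_USERS, EXECUTIVE_ASSETS))
    print("empty assets set:   ", flagged(EVENTS, EXECUTIVE_USERS, set()))
    print("empty users set:    ", flagged(EVENTS, set(), EXECUTIVE_ASSETS))
```

With an empty "UBA : Executive Assets" set nothing matches, and with an empty "UBA : Executive Users" set every internal logon to an executive asset matches, including the executives' own.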