UBA : Detected Activity from a Locked Machine

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default

False

Default senseValue

10

Description

Detects activity from a locked machine.

Support rules

BB:UBA : Common Event Filters

BB:UBA : Windows Process Created

BB:UBA : Workstation Locked

BB:UBA : Workstation Unlocked

Log source types

Microsoft Windows Security Event Log (EventID: 4688, 4800, 4801)
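
The three event IDs above imply a per-host correlation: 4800 (workstation locked) opens a window, 4801 (workstation unlocked) closes it, and any 4688 (process created) inside the window is reported. The Python sketch below is an added example of that correlation, not QRadar's rule logic; the event field names, the machine-account filter and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime

LOCKED, UNLOCKED, PROCESS_CREATED = 4800, 4801, 4688

def find_locked_activity(events, ignore_machine_accounts=True):
    """Return 4688 events logged while the same host is between a 4800 and a 4801."""
    locked_since = {}  # host -> time of the latest 4800 not yet followed by a 4801
    hits = []
    # Collectors can deliver events out of order, so sort by event time first.
    for ev in sorted(events, key=lambda e: e["time"]):
        host = ev["host"].lower()  # host names are case-insensitive
        if ev["event_id"] == LOCKED:
            locked_since[host] = ev["time"]
        elif ev["event_id"] == UNLOCKED:
            locked_since.pop(host, None)
        elif ev["event_id"] == PROCESS_CREATED and host in locked_since:
            # Tuning assumption: processes started by the computer account
            # (name ends in "$") are background system activity, not user activity.
            if ignore_machine_accounts and ev["user"].endswith("$"):
                continue
            hits.append({**ev, "locked_since": locked_since[host]})
    return hits

def make_event(ts, host, event_id, user, process=None):
    """Build one event record in the (assumed) normalized shape used above."""
    return {"time": datetime.fromisoformat(ts), "host": host,
            "event_id": event_id, "user": user, "process": process}

# Constructed sample events, deliberately not in time order.
SAMPLE_EVENTS = [
    make_event("2024-05-01T12:10:00", "WS-01", 4688, "alice", "powershell.exe"),
    make_event("2024-05-01T09:00:00", "WS-01", 4688, "alice", "outlook.exe"),
    make_event("2024-05-01T12:00:00", "WS-01", 4800, "alice"),
    make_event("2024-05-01T12:12:00", "WS-01", 4688, "WS-01$", "svchost.exe"),
    make_event("2024-05-01T12:15:00", "WS-02", 4688, "bob", "excel.exe"),
    make_event("2024-05-01T13:00:00", "WS-01", 4801, "alice"),
    make_event("2024-05-01T13:05:00", "ws-01", 4688, "alice", "chrome.exe"),
]

if __name__ == "__main__":
    for hit in find_locked_activity(SAMPLE_EVENTS):
        print(f'{hit["time"].isoformat()} {hit["host"]} {hit["user"]} '
              f'{hit["process"]} (locked since {hit["locked_since"].isoformat()})')
```

Process creation is only logged as 4688, and lock and unlock as 4800 and 4801, when the corresponding Windows audit policies are enabled on the endpoint; without all three the window cannot be built.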