UBA : Process Executed Outside Gold Disk Allowlist (Windows)
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
Enabled by default: False
Default senseValue: 15
Description: Detects processes that are created on a Windows system and alerts when the created process is outside the gold disk process allowlist.
Note: The rule is disabled by default. Enable the rule only after you populate or modify the process names to be allowlisted in the reference set 'UBA : Gold Disk Process Allowlist - Windows'.
Required configuration: Add the appropriate values to the reference set "UBA : Gold Disk Process Allowlist - Windows".
Log source types: Microsoft Windows Security Event Logs (EventID: 4688)
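The following is an added example, not IBM's rule logic or UBA app code, that replays constructed Windows EventID 4688 records against a gold disk allowlist the way the rule above does: every process creation whose process name is not in the set is reported. It assumes the events arrive as tab-separated key=value records using the 4688 field names (EventID, Computer, SubjectUserName, NewProcessName), that the reference set holds bare process names, and that matching is done on the lower-cased file name because 4688 reports a full path whose case varies between events. The users, hosts and paths are made up.

```python
# Added example: simulate the "Process Executed Outside Gold Disk Allowlist"
# check over constructed Windows 4688 events. Not QRadar or UBA code.
import re
from typing import Dict, Iterable, List, Set

# Constructed 4688 events captured from a clean gold disk image; these are
# the source of the names that would be loaded into the reference set.
GOLD_DISK_EVENTS = [
    "EventID=4688\tComputer=GOLD01\tSubjectUserName=SYSTEM\tNewProcessName=C:\\Windows\\System32\\svchost.exe",
    "EventID=4688\tComputer=GOLD01\tSubjectUserName=builder\tNewProcessName=C:\\Windows\\explorer.exe",
    "EventID=4688\tComputer=GOLD01\tSubjectUserName=SYSTEM\tNewProcessName=C:\\Windows\\System32\\lsass.exe",
]

# Constructed events from production hosts; includes one non-4688 event
# (a 4624 logon) to show that the rule only looks at process creation.
SAMPLE_EVENTS = [
    "EventID=4688\tComputer=WS01\tSubjectUserName=jsmith\tNewProcessName=C:\\Windows\\System32\\svchost.exe",
    "EventID=4688\tComputer=WS01\tSubjectUserName=jsmith\tNewProcessName=C:\\Windows\\explorer.exe",
    "EventID=4688\tComputer=WS01\tSubjectUserName=jsmith\tNewProcessName=c:\\windows\\EXPLORER.EXE",
    "EventID=4688\tComputer=WS01\tSubjectUserName=jsmith\tNewProcessName=C:\\Users\\jsmith\\Downloads\\invoice.pdf.exe",
    "EventID=4688\tComputer=WS02\tSubjectUserName=svc_backup\tNewProcessName=C:\\Temp\\updater.exe",
    "EventID=4624\tComputer=WS02\tSubjectUserName=svc_backup\tLogonType=3",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one tab-separated key=value record into a field dictionary."""
    fields: Dict[str, str] = {}
    for pair in line.split("\t"):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def normalize_process_name(new_process_name: str) -> str:
    """Reduce the 4688 'New Process Name' (a full path) to a lower-case file name.

    Assumption: the reference set stores bare process names, so the path has to
    be stripped and case-folded before lookup; Windows paths are case-insensitive,
    so the same binary appears with different casing across events.
    """
    return re.split(r"[\\/]", new_process_name)[-1].lower()


def build_allowlist(gold_disk_events: Iterable[str]) -> Set[str]:
    """Derive allowlist entries from 4688 events recorded on a clean gold disk.

    This is the population step the rule note requires before the rule is enabled.
    """
    names: Set[str] = set()
    for ev in map(parse_event, gold_disk_events):
        if ev.get("EventID") == "4688" and "NewProcessName" in ev:
            names.add(normalize_process_name(ev["NewProcessName"]))
    return names


def processes_outside_allowlist(events: Iterable[str], allowlist: Set[str]) -> List[Dict[str, str]]:
    """Rule body: for each 4688 event, alert when the created process is not in the set."""
    alerts: List[Dict[str, str]] = []
    for ev in map(parse_event, events):
        if ev.get("EventID") != "4688" or "NewProcessName" not in ev:
            continue  # only process-creation events are in scope
        name = normalize_process_name(ev["NewProcessName"])
        if name not in allowlist:
            alerts.append({
                "user": ev.get("SubjectUserName", ""),
                "host": ev.get("Computer", ""),
                "process": name,
                "path": ev["NewProcessName"],
            })
    return alerts


if __name__ == "__main__":
    allowlist = build_allowlist(GOLD_DISK_EVENTS)
    for alert in processes_outside_allowlist(SAMPLE_EVENTS, allowlist):
        print(f"{alert['host']} {alert['user']} ran {alert['path']} (outside gold disk allowlist)")
```

Run as written, the two Downloads and Temp executables are reported and the three gold disk processes are not, including the upper-cased EXPLORER.EXE. Passing an empty set as the allowlist reports every 4688 event, which is why the rule ships disabled and must not be enabled before the reference set is populated. The 4688 events themselves only exist if process creation auditing is enabled on the Windows hosts forwarding to QRadar.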