UBA : Process Executed Outside Gold Disk Allowlist (Windows)

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Rule name: UBA : Process Executed Outside Gold Disk Allowlist (Windows)

Enabled by default: False

Default senseValue: 15

Description

Detects processes that are created on a Windows system and alerts when the process is not in the gold disk process allowlist.
Note: The rule is disabled by default. Enable the rule only after you populate or modify the process names to be allowlisted in the reference set "UBA : Gold Disk Process Allowlist - Windows".

Required configuration

Add the appropriate values to the following reference set: "UBA : Gold Disk Process Allowlist - Windows".

Log source types

Microsoft Windows Security Event Logs (EventID: 4688)
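The rule logic above, re-created offline over constructed Windows 4688 events so that the allowlist matching can be checked before the rule is enabled. This is an added example, not IBM's or the UBA app's code; the key=value event format, the field names and the matching normalisation (case-insensitive image basename) are assumptions, not QRadar's exact behaviour.

```python
"""Offline re-creation of 'Process Executed Outside Gold Disk Allowlist'.

Added example, not QRadar code. Event format, field names and the
basename/case-insensitive matching are assumptions for illustration.
"""
import re
from dataclasses import dataclass

SENSE_VALUE = 15  # the rule's default senseValue from the page

# Constructed stand-in for the reference set
# 'UBA : Gold Disk Process Allowlist - Windows'.
GOLD_DISK_ALLOWLIST = {"svchost.exe", "explorer.exe", "lsass.exe", "outlook.exe"}

# Constructed sample events (key=value form; values may contain spaces).
SAMPLE_EVENTS = [
    'EventID=4688 SubjectUserName=alice NewProcessName=C:\\Windows\\System32\\svchost.exe',
    'EventID=4688 SubjectUserName=alice NewProcessName=C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe',
    'EventID=4624 SubjectUserName=bob LogonType=10',
    'EventID=4688 SubjectUserName=bob NewProcessName=C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE',
    'EventID=4688 SubjectUserName=bob NewProcessName=C:\\tools\\custom-tool.exe',
]

# A value runs until the next " key=" token or the end of the line, so
# paths containing spaces ("Program Files") survive parsing.
_FIELD = re.compile(r'(\w+)=(.*?)(?=\s\w+=|$)')


@dataclass
class Alert:
    user: str
    process: str
    sense_value: int


def parse_event(line: str) -> dict:
    """Split one key=value event line into a field dictionary."""
    return dict(_FIELD.findall(line))


def process_basename(path: str) -> str:
    """Normalise a full image path to its lower-case file name (assumption)."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def is_allowlisted(path: str, allowlist: set) -> bool:
    return process_basename(path) in {p.lower() for p in allowlist}


def evaluate(lines, allowlist=GOLD_DISK_ALLOWLIST):
    """Return one Alert per 4688 event whose process is not allowlisted."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get('EventID') != '4688':
            continue  # the rule only consumes process-creation events
        proc = ev.get('NewProcessName', '')
        if not is_allowlisted(proc, allowlist):
            alerts.append(Alert(ev.get('SubjectUserName', '?'), proc, SENSE_VALUE))
    return alerts
```

Running `evaluate(SAMPLE_EVENTS, set())` flags every 4688 event, which is why the page says to populate the reference set before enabling the rule.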