UBA : Volume Shadow Copy Created
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
UBA : Volume Shadow Copy Created
Enabled by default
False
Default senseValue
15
Description
Detects shadow copies that were created using vssadmin.exe or Windows Management Instrumentation Command-line (WMIC).
Support rule
BB:UBA : Common Event Filters
Log source types
Microsoft Windows Security Event Logs (EventID: 1 or 4688)
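The matching this rule describes, written out as an added example over constructed process-creation events. It is not the QRadar rule's own logic: the event field names, the command-line patterns, and adding the senseValue to a per-user score on each match are assumptions.

```python
import re
from collections import Counter

# Event IDs named on the page: Sysmon 1 and Windows Security 4688 (process creation).
PROCESS_CREATE_IDS = {1, 4688}
SENSE_VALUE = 15  # the page's default senseValue; assumed to be added once per match

# Assumed patterns (not taken from the QRadar rule): the image must be vssadmin.exe
# or wmic.exe, and its arguments must request creation of a shadow copy.
PATTERNS = {
    "vssadmin.exe": re.compile(r"\bcreate\s+shadow\b", re.I),
    "wmic.exe": re.compile(r"\bshadowcopy\b.*\bcreate\b", re.I),
}

def image_name(path):
    """Return the lower-cased file name from a Windows path, quoted or not."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_shadow_copy_creation(event):
    """True when a process-creation event shows vssadmin or WMIC creating a shadow copy."""
    if event.get("event_id") not in PROCESS_CREATE_IDS:
        return False
    pattern = PATTERNS.get(image_name(event.get("image", "")))
    return pattern is not None and bool(pattern.search(event.get("command_line", "")))

def risk_by_user(events):
    """Sum SENSE_VALUE per user over all matching events."""
    scores = Counter()
    for event in events:
        if is_shadow_copy_creation(event):
            scores[event["user"]] += SENSE_VALUE
    return dict(scores)

# Constructed sample events; the last two must not match (listing only, wrong event ID).
SAMPLE_EVENTS = [
    {"event_id": 4688, "user": "alice", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin create shadow /for=C:"},
    {"event_id": 1, "user": "alice", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r"wmic shadowcopy call create Volume='D:\'"},
    {"event_id": 1, "user": "bob", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r"WMIC.exe  SHADOWCOPY call Create Volume='C:\'"},
    {"event_id": 4688, "user": "carol", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin list shadows"},
    {"event_id": 4624, "user": "dave", "image": "",
     "command_line": "vssadmin create shadow /for=C:"},
]

if __name__ == "__main__":
    print(risk_by_user(SAMPLE_EVENTS))
```

Matching on the image name and the arguments together keeps read-only invocations such as `vssadmin list shadows` from raising the score.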