UBA : Volume Shadow Copy Created

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Volume Shadow Copy Created

Enabled by default

False

Default senseValue

15

Description

Detects shadow copies that were created using vssadmin.exe or Windows Management Instrumentation Command-line (WMIC).

Support rule

BB:UBA : Common Event Filters

Log source types

Microsoft Windows Security Event Logs (EventID: 1 or 4688)