QRadar User Behavior Analytics

The IBM® QRadar® User Behavior Analytics app helps you to determine the risk profiles of users inside your network and to take action when the app alerts you to threatening behavior.

The QRadar User Behavior Analytics (UBA) app is a tool for detecting insider threats in your organization. It is built on top of the app framework to use existing data in your QRadar to generate new insights around users and risk. UBA adds two major functions to QRadar: risk profiling and unified user identities.

Risk profiling is done by assigning risk to different security use cases. Examples might include simple rules and checks such as bad websites, or more advanced stateful analytics that use machine learning. Risk is assigned to each one depending on the severity and reliability of the incident detected. UBA uses existing event and flow data in your QRadar system to generate these insights and profile risks of users.

UBA consumes three types of log and flow traffic. Each type enriches the app and enables more use cases for profiling risk:
  1. Traffic around access, authentication, and account changes.
  2. User behavior on the network, from devices such as proxies, firewalls, IPS, and VPNs.
  3. Endpoint and application logs, such as those from Windows or Linux® hosts and from SaaS applications.

Unifying user identities is accomplished by combining the disparate accounts that belong to one user in QRadar. By importing data from an Active Directory server, an LDAP server, a reference table, or a CSV file, UBA can be taught which accounts belong to a single user identity. This lets UBA combine risk and traffic across the different user names that the same person uses.

Machine Learning (ML app) is an add-on tool that augments the UBA app. It enables richer and more in-depth use cases that perform time series profiling and clustering. It is installed from within the UBA app, on the Machine Learning settings page. The ML app adds visualizations to the existing UBA app that show learned behavior (models), current behavior, and alerts. The models can use more than four weeks of historical data in QRadar to build the predictive models and baselines of what is normal for a user.

For more information about using the ML app, see Machine Learning Analytics app.

Importing users and user data

You can import users and user data with the User import wizard. The wizard helps you to import users from an LDAP server, an Active Directory server, reference tables, and CSV files. You can also create custom attributes with the User import wizard.

For more information about importing user data with the User import wizard, see Configure user import.

Rules and tuning

Consider the following important information about rules and tuning in UBA.
  • UBA rule content is installed after the app is configured.
  • Edit rules in the QRadar Use Case Manager app.
  • Only rules that produce a risk score for users are added to the UBA : Rule Data table. Building blocks and rules that do not produce a risk score are not added.
  • A polling task adds any user-created rules that contain 'senseValue=#' in their event description.
  • Do not edit the existing UBA rules. Instead, make a copy of the rule and ensure that the event name of the copy is also changed.
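
As an added illustration (not UBA's own code and not a QRadar API), the following Python script models how the two mechanisms described above fit together: it extracts the 'senseValue=#' score from a rule's event description, keeps only rules that produce a score (mirroring what lands in the UBA : Rule Data table), merges disparate account names into one identity from a CSV import, and sums risk per unified identity. The CSV column names, the sample rules, the account names, and the events are all constructed assumptions for this example.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed rule definitions. Each event description follows the
# 'senseValue=#' convention that the UBA polling task looks for.
RULE_DEFINITIONS = [
    {"name": "UBA : Browsed to Malicious Website",
     "description": "senseValue=10 User visited a known bad site"},
    {"name": "UBA : Multiple Failed Logins",
     "description": "senseValue=5 Repeated authentication failures"},
    {"name": "BB : Helper Building Block",
     "description": "Building block only, no score"},
]

SENSE_VALUE_RE = re.compile(r"senseValue=(\d+)")


def extract_sense_value(description):
    """Return the integer senseValue embedded in an event description, or None."""
    match = SENSE_VALUE_RE.search(description)
    return int(match.group(1)) if match else None


def build_rule_table(rules):
    """Keep only rules that carry a senseValue; building blocks are dropped."""
    table = {}
    for rule in rules:
        score = extract_sense_value(rule["description"])
        if score is not None:
            table[rule["name"]] = score
    return table


# Constructed CSV (assumed columns 'identity' and 'account') mapping the
# different account names a person uses onto one unified identity.
IDENTITY_CSV = r"""identity,account
jdoe,jdoe
jdoe,CORP\jdoe
jdoe,john.doe@example.com
asmith,asmith
"""


def load_identity_map(csv_text):
    """Parse the identity CSV into {account_name: unified_identity}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["account"]: row["identity"] for row in reader}


# Constructed rule firings, each attributed to a raw account name.
EVENTS = [
    {"username": "jdoe", "rule": "UBA : Browsed to Malicious Website"},
    {"username": "CORP\\jdoe", "rule": "UBA : Multiple Failed Logins"},
    {"username": "john.doe@example.com", "rule": "UBA : Multiple Failed Logins"},
    {"username": "asmith", "rule": "BB : Helper Building Block"},
    {"username": "unknown_svc", "rule": "UBA : Multiple Failed Logins"},
]


def score_identities(events, rule_table, identity_map):
    """Sum the senseValue of every scoring rule firing per unified identity.

    Accounts that were never imported are scored under their raw name, so a
    missing import shows up as a separate, un-unified user rather than vanishing.
    """
    totals = defaultdict(int)
    for event in events:
        score = rule_table.get(event["rule"])
        if score is None:
            continue  # building block or non-scoring rule
        identity = identity_map.get(event["username"], event["username"])
        totals[identity] += score
    return dict(totals)


if __name__ == "__main__":
    rule_table = build_rule_table(RULE_DEFINITIONS)
    identity_map = load_identity_map(IDENTITY_CSV)
    for identity, risk in sorted(score_identities(EVENTS, rule_table, identity_map).items()):
        print(f"{identity}: {risk}")
```

The three firings for jdoe's domain, e-mail and plain account names collapse into a single score of 20, which is the point of unifying identities; the building-block firing contributes nothing, and the unimported service account is reported on its own so that a gap in the identity import is visible.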

For more information, see Rules and tuning for the UBA app.

Browser conformance

UBA is supported on Google Chrome and Mozilla Firefox.
Note: To maximize your experience with UBA, you should do one of the following:
  • Disable the pop-up blocker for your browser
  • Configure your browser to allow exceptions for pop-ups coming from the QRadar Console IP address