IBM Support

QRadar: User Behavior Analytics (UBA) Support Utility (Updated)

Question & Answer


Question

How do administrators resolve memory issues, enable the IBM Sense DSM, and troubleshoot User Behavior Analytics with Machine Learning?

Cause

Before you begin
Administrators who install User Behavior Analytics version 2.5.0 are not required to run the uba_support.py utility unless the application detects an installation issue. In previous UBA releases, such as upgrading from older versions of UBA to v2.1.1, administrators were advised to run this support utility; however, with the release of newer versions of the UBA app, running this utility is only required when the application detects an installation issue or when the administrator believes there is a problem or configuration issue. The utility attached to this technical note is typically the first step for administrators to check their UBA app installation for common issues before contacting QRadar Support; administrators can also ask questions about UBA in our forums.


The uba_support utility is compatible with QRadar 7.2.8, 7.3.0, and 7.3.1 software versions and is only intended to run on the QRadar Console. UBA installations on App Nodes will be updated when the utility is run on the QRadar Console. To complete the procedure below, the administrator must have root access to the QRadar Console.


Functionality provided by uba_support.py utility
Administrators can leverage the provided support utility for User Behavior Analytics in this technical note to resolve multiple issues:


  • Update the Machine Learning application after installing a new version of User Behavior Analytics
  • Update memory settings for QRadar 7.2.8
  • Enable the IBM Sense DSM to ensure UBA offenses are created
  • Resolve a reference table link in the UBA "User Geography Change" rule

About older versions of the Machine Learning Analytics application


The upgrade to a newer version of UBA also updates the Machine Learning app to the latest version, which is bundled with the UBA installation. If advised during installation that the uba_support.py utility is required, the application might have detected an old version of the Machine Learning app and directed you to these instructions. Depending on your Machine Learning version, the uba_support.py utility might require the administrator to rebuild their learned data from QRadar, which takes a few hours to complete. The rebuilding process is intended to improve performance when old Machine Learning Analytics data is detected by the utility. QRadar Support recommends that administrators rebuild their Machine Learning data if prompted by the support utility to prevent future issues.

NOTE: User Behavior Analytics is only supported on QRadar 7.2.8 and later.

Answer


How to Run the UBA Support Utility



QRadar administrators who update to the latest version of the User Behavior Analytics application might be advised to run this utility when an issue is detected with the upgrade of the Machine Learning Analytics application or the IBM Sense DSM, or when memory issues are detected.

NOTE: Administrators must install the UBA app on the QRadar Console appliance before they run the uba_support.py utility.



    Procedure
    1. Download the latest User_Behavior_Analytics application (.zip file) from the X-Force App Exchange to your local workstation or laptop: https://exchange.xforce.ibmcloud.com/hub/extension/IBMQRadar:UserBehaviorAnalytics
    2. Log in to the QRadar Console as an administrator.
    3. On the Admin tab, click the Extension Management icon.
    4. In the Extension Management window, click Add and select the User_Behavior_Analytics_v2.5.0.zip application.
    5. Select the Install immediately check box.
    6. At the prompt, select Overwrite. All of your existing UBA app data remains intact.

      IMPORTANT: The UBA app must be installed on your QRadar Console before you complete the next section of this procedure.

    7. On the Admin tab, click Advanced > Deploy Full Configuration.
    8. Download the uba_support.py that is attached to this technical note.

      The sha1sum for this file is: 012c6e1d1c51aaa324e7a1cd2cffcb0774a5040e
    9. SCP or secure copy the script to a directory on the Console.

      For QRadar 7.2.8: /tmp/
      For QRadar 7.3.0: /storetmp/
      For QRadar 7.3.1: /storetmp/

    10. Using SSH, log in to the QRadar Console as the root user.
    11. Navigate to the directory containing the uba_support.py utility.
    12. To set permissions on the file, type: chmod +x uba_support.py
    13. Type the following command to specify an authorized service token that has administrator user role: python uba_support.py -t admin_auth_token

      For example: python uba_support.py -t 0b453d06-xxx-xxxx-xxxx-xxxxxxxxxxxx

      NOTE:
      The steps below are only displayed when an old version of the Machine Learning application is detected by the utility. Steps 14 to 19 are only required by administrators where an old version of Machine Learning is installed.
    14. Optional. If an older version of the Machine Learning application is detected, the following message is displayed:

      An older version of the Machine Learning (ML) app was detected. The ML app installation and upgrade is now controlled by UBA. The old ML app must be removed to continue.

      After this script is finished, please use the 'Machine Learning Settings' icon from the Admin tab to complete the setup. The machine learning app will then re-build the user models from historical QRadar data which, can take a few hours.

      Not removing the old machine learning app will cause functional issues. Selecting 'yes' is recommended to finish the upgrade process.

      Continue: (YES/NO)?
    15. Type Yes to continue.
    16. Log in to the QRadar Console.
    17. Click the Admin tab.
    18. Click the Machine Learning Settings icon at the bottom of the Admin tab.
    19. Complete the procedure in the settings to rebuild your learned data from QRadar data.

      Results
      After the script displays its progress and the Machine Learning update for UBA is complete, no further action is necessary and the script can be removed from the Console. If you have questions, ask in our forums for assistance or contact QRadar Support to open a software ticket.
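Because the utility is copied to the Console and run as root (steps 8 to 13), it is worth checking the downloaded file against the sha1sum published in step 8 before making it executable. The following POSIX shell functions are an added example written for this note, not part of IBM's utility or the technote; the staging directory per QRadar version and the expected digest are taken from steps 8 and 9, and `run_uba_support` is an assumed wrapper name.

```shell
# Added example (not IBM code): verify uba_support.py against the checksum
# from step 8 of the technote before it is made executable and run as root.

# Published sha1sum of uba_support.py (technote, step 8).
EXPECTED_SHA1="012c6e1d1c51aaa324e7a1cd2cffcb0774a5040e"

# Staging directory by QRadar version (technote, step 9): 7.2.8 uses /tmp,
# 7.3.0 and 7.3.1 use /storetmp. Fails for versions the note does not cover.
staging_dir() {
    case "$1" in
        7.2.8) echo /tmp ;;
        7.3.0|7.3.1) echo /storetmp ;;
        *) echo "unsupported QRadar version: $1" >&2; return 1 ;;
    esac
}

# Compare the file's sha1sum with the expected digest (case-insensitive).
# Returns 0 on match, 1 on mismatch or when the file cannot be read.
verify_sha1() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    actual=$(sha1sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# Run the utility only when the checksum matches (steps 12 and 13).
# Usage: run_uba_support <qradar_version> <admin_auth_token>
run_uba_support() {
    dir=$(staging_dir "$1") || return 1
    script="$dir/uba_support.py"
    verify_sha1 "$script" "$EXPECTED_SHA1" || return 1
    chmod +x "$script"
    (cd "$dir" && python uba_support.py -t "$2")
}
```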





Where do you find more information?


Document Information

Modified date:
10 May 2019

UID

swg22005489