IBM Support

QRadar: User UBA recent risk score is 0

Troubleshooting


Problem

A user's User Behavior Analytics (UBA) Recent Risk score can be 0 even though the user has a high overall risk score. The discrepancy can lead you to believe the Recent Risk score is incorrect. This article provides troubleshooting steps to confirm whether 0 is the correct score or you are encountering an error.

Cause

Recent Risk is the amount of risk accrued since the last time the risk scores were calculated. If no new events came in for that user since the last polling interval, the score is set to 0. The time of the next refresh interval is displayed on the User Analytics Overview.
Note: The poll interval for the risk ingestion task is five minutes, but it might be delayed if other tasks have all threads blocked, resulting in a few intervals being skipped.

Resolving The Problem

Procedure
Identify a user with a Recent Risk score of 0 and determine whether they had any recent events within the poll interval.
  1. Log on to your QRadar console web UI.
  2. Open the User Analytics tab.
  3. Click the user you want to investigate. In this example, we investigate autouser.
  4. Click View user details.
  5. Look at the list of events under the Timeline.

    Result
    If no new events with an associated risk score came in during the last five minutes, the expected behavior is for Recent Risk to be 0. If there are such events, wait five minutes for the next polling interval to confirm you are still seeing the issue, then contact support. WinCollect users can follow the extra troubleshooting steps if they believe events are failing to reach the User Behavior Analytics app or failing to be associated with the user.
Extra Troubleshooting for WinCollect users
If you are monitoring Windows users by using WinCollect, you can create a test event to ensure events are reaching the User Behavior Analytics app.
  1. Log on to the Windows device associated with the user you want to test.
  2. Open the command prompt as an administrator.
  3. Create a test event by using the following command:
    eventcreate /l SYSTEM /u [username as seen in UBA] /t ERROR /d "uba test event" /id 1 /s [device name]
    If you have trouble finding the username and device name, look at one of the past events you received from this user in the User Behavior Analytics app. The Username field contains the username, and the Log Source field contains the device name after the "at" (@) symbol.

    If the eventcreate command asks for the user password, enter it. The successful output is the following:
    SUCCESS: An event of type 'ERROR' was created with 'system' as the log
  4. Return to the user Timeline in the User Analytics tab and select Events from the most recent entry in the timeline.
  5. Check for a System Error Event and select it.
  6. Confirm the payload message contains "uba test event".

    Result
    Finding the test event on the user's timeline confirms the User Behavior Analytics app is processing the events and associating them with the correct user.
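The following PowerShell script is an added example and is not part of the IBM article. It wraps step 3 of the procedure above and then confirms, from the Windows event log itself, that the test event was actually written before you go looking for it in UBA; if the event is missing locally, the problem is on the host rather than in WinCollect or the app. The values of $UbaUser and $DeviceName are placeholders you replace with the Username and Log Source values shown in UBA.

```powershell
# Added example (not IBM's code). Run in an elevated PowerShell session.
# Assumptions: eventcreate.exe is available (it ships with Windows), and the
# account has rights to write to the System log on $DeviceName.
param(
    [string]$UbaUser    = 'DOMAIN\autouser',   # placeholder: Username field in UBA
    [string]$DeviceName = 'WIN-HOST01',        # placeholder: Log Source after the "@"
    [string]$Marker     = 'uba test event'     # description the article tells you to look for
)

$start = Get-Date

# Step 3 of the article: write an ERROR event with ID 1 to the System log.
# /p is deliberately omitted so eventcreate prompts for the password, as the
# article describes, instead of taking it on the command line.
& eventcreate /s $DeviceName /u $UbaUser /l SYSTEM /t ERROR /id 1 /d $Marker
if ($LASTEXITCODE -ne 0) {
    throw "eventcreate failed with exit code $LASTEXITCODE"
}

# Local confirmation: events written by eventcreate carry the provider name
# 'EventCreate'. Look for one with our marker created since $start.
$found = Get-WinEvent -ComputerName $DeviceName -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'EventCreate'
            Id           = 1
            StartTime    = $start.AddMinutes(-1)   # tolerate small clock skew
         } -ErrorAction SilentlyContinue |
         Where-Object { $_.Message -like "*$Marker*" }

if (-not $found) {
    Write-Warning "Test event not found in the System log on $DeviceName; fix event creation on the host before troubleshooting UBA."
    return
}

Write-Output ("Test event written at {0}. Wait for the next UBA poll (about five minutes), then check the user's Timeline for a System Error Event containing '{1}'." -f $found[0].TimeCreated, $Marker)
```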

Document Location

Worldwide


Document Information

Modified date:
25 August 2022

UID

ibm16611075