User Behavior Analytics

IBM® QRadar® User Behavior Analytics is a tool for detecting insider threats in your organization. User Behavior Analytics, used in conjunction with the existing data in your QRadar system, can help you generate new insights around users and user risk.

Note: Your administrator must configure QRadar Proxy for your IBM Security QRadar Suite Software account and you need a valid authentication token so that you can connect to QRadar. For more information, see Setting up the connection to QRadar from QRadar Proxy.

On IBM Security QRadar Suite Software, the User Behavior Analytics page shows you the overall risk data for users in your network and details for the selected user.

You can view the following User Behavior Analytics dashboard widgets (My applications > Dashboard > User Behavior Analytics):

  • Risky Users
  • Most Frequent Offenders
  • User Cases
  • Active Investigations
Important:
  • Explicit permissions are no longer used for User Behavior Analytics. All users either have access or do not have access. After you upgrade, you should revisit user permissions.
  • The QRadar admin must configure User Behavior Analytics 4.0.0 or later including User Behavior Analytics settings, machine learning, rules, and user import in the QRadar system. There is no configuration for User Behavior Analytics in IBM Security QRadar Suite Software.
  • Links to QRadar (log activity, assets, offenses) from User Behavior Analytics will launch a new QRadar browser window or tab that opens QRadar. You must log in to QRadar if a session is not already active.
  • IBM Resilient® QRadar Integration app 4.0.0 and QRadar 7.4.2 are required for integration with Cases when UBA is displayed on IBM Security QRadar Suite Software. For more information, see IBM SOAR QRadar Plugin - QRadar v7.3.3FP6+/7.4.1FP2+.

For more information about downloading, installing, and using User Behavior Analytics, see User Behavior Analytics for QRadar documentation.