User Behavior Analytics

IBM® QRadar® User Behavior Analytics (UBA) is a tool for detecting insider threats in your organization. UBA, used in conjunction with the existing data in your QRadar system, can help you generate new insights around users and user risk.

Note: Your administrator must configure QRadar Proxy for your IBM Security QRadar Suite Software account and you need a valid authentication token so that you can connect to QRadar. For more information, see Setting up the connection to QRadar from QRadar Proxy.

On IBM Security QRadar Suite Software, the UBA Overview page shows you the overall risk data for users in your network and details for the selected user.

You can view the following UBA dashboard widgets (My applications > Dashboard > User Behavior Analytics):

  • Risky Users
  • Most Frequent Offenders
  • User Cases
  • Active Investigations
  • Explicit permissions are no longer used for UBA. All users either have access or do not have access. After you upgrade, you should revisit user permissions.
  • The QRadar admin must configure UBA 4.0.0 or later including UBA settings, machine learning, rules, and user import in the QRadar system. There is no configuration for User Behavior Analytics in IBM Security QRadar Suite Software.
  • Links to QRadar (log activity, assets, offenses) from UBA will launch a new QRadar browser window or tab that opens QRadar. You must log in to QRadar if a session is not already active.
  • IBM Resilient® QRadar Integration app 4.0.0 and QRadar 7.4.2 are required for integration with Cases when UBA is displayed on IBM Security QRadar Suite Software. For more information, see IBM SOAR QRadar Plugin - QRadar v7.3.3FP6+/7.4.1FP2+.

For more information about downloading, installing, and using User Behavior Analytics, see User Behavior Analytics for QRadar documentation.