UBA overview and user details
The IBM® QRadar® User Behavior Analytics (UBA) app shows you the overall risk data for users in your network.
Overview page
In the Viewing: All users field, you can create and select views to customize your dashboard view. For more information, see Managing the UBA dashboard views.
In the Search for User field, you can search for users by name, email address, or user name. As you type, the app shows you the top five matching results.
The Tenant label shows the domain name of the current tenant being viewed.
The risk level for each user is indicated by an icon, relative to the risk threshold that is configured in UBA Settings. The yellow square icon (low) shows when the user's risk is 25% or less of the risk threshold. The orange diamond icon (medium) shows when risk is at 50% of the risk threshold. The red pyramid icon (high) shows when risk is at 75% of the risk threshold. The red triangle icon (critical) shows when risk is at 100% of the risk threshold or more.
Dashboard settings | Description |
---|---|
Monitored Users | Displays the total number of users that the UBA app is actively monitoring. |
High Risk Users | Displays the number of users whose current risk score exceeds the risk threshold. The threshold is set in the Risk threshold to trigger offenses field in UBA Settings. |
Users Discovered from Events | Displays the number of users that were discovered from events, excluding imported users. |
Users Imported from Directory | Displays the number of users that were imported from reference tables. |
Active Analytics | |
Monitored users | Displays the top 10 riskiest users. Click a user name to view the available details on the User details panel. |
Recent offenses | Displays the five most recent offenses, sorted by the time each offense was last updated. |
[User] Watchlist | Watchlists that you created. You can create as many watchlists as you want, and each one is displayed on the Dashboard. You can view all the users that a custom watchlist tracks on the Search page. Tip: To add a user to a watchlist, click the Watchlist icon. The number on the icon indicates how many watchlists the user is a member of. |
System score | Overall accumulated risk score for all users at a specified point in time. Click the Calendar icon to specify a date range longer than one day. You can select a range of at most 30 days, anywhere within the last year. Note: If you are viewing a custom dashboard view, the System Score graph is not shown. |
Risk category breakdown | High-level risk categories over the last hour. Click the graph to see the subcategories, then click a subcategory to display its events. Click the Table view icon to view the same information in table format. Note: If you are viewing a custom dashboard view, the Risk category breakdown graph is not shown. |
Users with dormant accounts | Watchlist of users whose accounts are flagged as dormant. This watchlist is generated automatically. |
Active investigations | Users that are currently under investigation. Select the My investigations checkbox to show only the investigations that you started. |
Status of machine learning models | The status of the Machine Learning Analytics is visible only if the Machine Learning app is installed. For more information, see UBA dashboard with Machine Learning. |
User details page
You can click a user name from anywhere in the app to open the User details panel and see details for the selected user. To open the full User details page, click View user details on the panel.
You can learn more about the user's activities with the event viewer pane, which shows information about a selected activity or point in time. Clicking an event in the event viewer pane reveals more details, such as the syslog event and payload information. The event viewer pane is available for all donut and line graphs and for the activities in the Risky Activity Timeline on the User details page.
- Shows the name and aliases of the selected user and any additional details from attributes (including domain, manager, and peer information) that are imported from LDAP.
- Shows the status (dormant, active, never used) of all the accounts that are found to be associated with the user.
- If you have IBM QRadar Advisor with Watson 2.5.2 or later installed, you can search for information that is related to the user. You must have QRadar administrator privileges. Click the Search Watson icon.
- To initiate an investigation on the user, click the Start Investigation icon. When your investigation is complete, click the End Investigation icon.
- To add the user to a watchlist or create a watchlist, click the Watchlist icon.
Advanced actions | Description |
---|---|
Add custom alert | You can set a custom alert that is displayed by the user name. Click Add Custom Alert, enter an alert message, and then click Set. To remove the custom alert for the selected user, click Remove Custom Alert. |
Add to trusted users list | You must have QRadar administrator privileges. You can add the selected user to the trusted users list so that the user does not generate risk scores or offenses. To remove the selected user from the list, click Remove from trusted users list. To review the complete list of users who were added to the list, see Viewing the trusted users list. |
Generate GDPR compliant report for user | You can generate a General Data Protection Regulation (GDPR) compliance report for the user. Important: Generate the report before you click Delete and stop tracking user. |
Delete and stop tracking user | You must have QRadar administrator privileges. You can click Delete and stop tracking user to comply with the General Data Protection Regulation (GDPR). Select Yes to permanently delete and stop tracking the user. To begin tracking the user again, delete the user's aliases from the UBA : Users Not Tracked reference set. To view all the user's aliases, download the GDPR report before you delete the user. For more information about the UBA : Users Not Tracked reference set, see Reference sets. |
Always track with Machine Learning | You must have QRadar administrator privileges. You can click Always track with Machine Learning to add the user to the UBA: ML Always Tracked Watchlist reference set. Adding the user to the reference set provides the highest likelihood that the user is included in a machine learning model. For more information about reference sets in UBA, see Reference sets. To remove the selected user from the reference set, click Tracked with Machine Learning. |
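Re-enabling tracking for a deleted user means removing every alias from the UBA : Users Not Tracked reference set, and the aliases are only fully known from the GDPR report downloaded beforehand. The following script is an added example, not IBM's or the UBA app's code: it removes a list of aliases from that reference set through the QRadar REST API reference_data/sets endpoints instead of the Reference sets UI. The console host name, the token, the API version header value, and the fake_console() stand-in that lets it run offline are all assumptions for the example; point the client at a real console with a token that is allowed to modify reference data to use it for real.

```python
"""Re-enable UBA tracking for a deleted user by removing the user's aliases
from the 'UBA : Users Not Tracked' reference set through the QRadar REST
API (reference_data/sets endpoints). Added example; not IBM's code.

Assumptions (not stated on the page): the console host name, an API token
permitted to modify reference data, the API version header value, and the
fake_console() stand-in used for the offline demonstration."""
import json
import urllib.error
import urllib.parse
import urllib.request

NOT_TRACKED_SET = "UBA : Users Not Tracked"  # reference set named on the page
API_VERSION = "12.0"  # assumption: use a version your console supports


def urllib_http(method, url, headers):
    """Real transport: returns (status, body); HTTP errors become their status code."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class ReferenceSets:
    """Minimal client for /api/reference_data/sets with a pluggable transport."""

    def __init__(self, console, token, http=urllib_http):
        self.base = f"https://{console}/api/reference_data/sets/"
        self.headers = {"SEC": token, "Version": API_VERSION, "Accept": "application/json"}
        self.http = http

    def url(self, set_name, value=None):
        # The set name contains spaces and a colon, and aliases may contain '@' or '\';
        # every path segment is percent-encoded with no characters left 'safe'.
        parts = [set_name] if value is None else [set_name, value]
        return self.base + "/".join(urllib.parse.quote(p, safe="") for p in parts)

    def values(self, set_name):
        status, body = self.http("GET", self.url(set_name), self.headers)
        if status != 200:
            raise RuntimeError(f"GET {set_name!r} failed with HTTP {status}")
        return {item["value"] for item in json.loads(body).get("data", [])}

    def remove(self, set_name, value):
        status, _ = self.http("DELETE", self.url(set_name, value), self.headers)
        if status not in (200, 204):
            raise RuntimeError(f"DELETE {value!r} from {set_name!r} failed with HTTP {status}")


def retrack_user(api, aliases):
    """Remove every alias in `aliases` from the not-tracked set.

    Take the aliases from the GDPR report downloaded before the user was
    deleted; it is the only complete list of them. Returns (removed,
    not_present) so the caller sees aliases that were never in the set
    (a typo, or an alias the report did not contain) and can check them."""
    present = api.values(NOT_TRACKED_SET)
    removed, not_present = [], []
    for alias in aliases:
        if alias in present:
            api.remove(NOT_TRACKED_SET, alias)
            removed.append(alias)
        else:
            not_present.append(alias)
    return removed, not_present


def fake_console(initial_values):
    """Constructed offline stand-in for a console: an in-memory reference set
    behind the same (method, url, headers) transport interface."""
    state = set(initial_values)
    set_prefix = "/api/reference_data/sets/"

    def http(method, url, headers):
        if headers.get("SEC") != "token":  # the fake accepts one fixed token
            return 401, b'{"message":"unauthorized"}'
        segments = [urllib.parse.unquote(s) for s in url.split(set_prefix, 1)[1].split("/")]
        if segments[0] != NOT_TRACKED_SET:
            return 404, b'{"message":"no such set"}'
        if method == "GET":
            data = [{"value": v} for v in sorted(state)]
            return 200, json.dumps({"name": NOT_TRACKED_SET, "data": data}).encode()
        if method == "DELETE" and len(segments) == 2:
            state.discard(segments[1])
            return 200, b"{}"
        return 405, b""

    http.state = state  # exposed so a caller can inspect the fake's contents
    return http


if __name__ == "__main__":
    # Offline demonstration against the fake; the sample aliases are constructed.
    transport = fake_console(["jsmith", "jsmith@example.com", "someone.else"])
    api = ReferenceSets("qradar.example", "token", http=transport)
    print(retrack_user(api, ["jsmith", "jsmith@example.com", "nobody"]))
    # → (['jsmith', 'jsmith@example.com'], ['nobody'])
```

The client reads the set once and only issues DELETE calls for aliases that are actually present, so a mistyped alias is reported back rather than silently producing a 404; anything that is not a 200 raises, so a revoked token or a renamed reference set stops the run instead of leaving the user half re-enabled.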

User details | Description |
---|---|
Overall Risk Score | The overall risk score shows the risk trends for the user. |
Timeline | The timeline graph shows Use cases and User events. Use cases are the events that contribute to the risk score; User events are all events triggered by the user. The Y-axis is the event count and the X-axis is time. You can click any activity in the timeline to open the event viewer pane, which lists the supporting log events that are associated with the user's activity. Click an event to view more details, such as the syslog event and payload information. |
Recent Offenses | Shows offenses of the User type in which the offense's user name matches any of the selected user's aliases. The last five offenses are displayed. Click an offense to open the Offenses tab in QRadar. |
Risk Category Breakdown | Shows the risk categories of the selected user during the last hour. |
Notes | Type a note in the New note section to add a note for the selected user. Notes are automatically deleted after the 30-day retention period. Note: To keep a note indefinitely, click the Keep forever icon. |
You can configure some machine learning graphs to display on the User Details page if the Machine Learning Analytics app is installed and the specified model is enabled. For more information, see UBA dashboard with Machine Learning.
To return to the main UBA Overview page, click Overview.