Earlier versions

In case you missed a release, review a list of features from previous versions.

What's new in 4.0.1 (Released 15 December 2020)

Versions 4.0.1 and earlier require 7.3.3 or later.

  • Fixed issues with the Search Watson icon.
  • Fixed user limits for machine learning peer group models.

What's new in 4.0.0 (Released 03 December 2020)

Note: If you customized your dashboard layout in previous releases, the UI will reset to the default layout when you upgrade to 4.0.0.
  • Integrated UBA with IBM Cloud Pak for Security 1.5.0 via the IBM QRadar Proxy. You can view the User Behavior Analytics dashboards (Overview and User details) on IBM Cloud Pak for Security. Important: You must upgrade UBA to 4.0.0 and configure all of the UBA settings to be able to view the dashboards on Cloud Pak for Security.
  • Integrated UBA with IBM Security QRadar Analyst Workflow 1.3.0. You must install QRadar Analyst Workflow 1.3.0 or later for this feature to work. See the IBM Security App Exchange IBM Security QRadar Analyst Workflow.
  • Updated the Activity distribution machine learning model to use grouping from user import data. For more information, see Activity Distribution.
  • IBM Resilient QRadar Integration app 4.0.0 and QRadar 7.4.2 are required to integrate with cases when UBA is displayed on IBM Cloud Pak for Security. For more information about the Resilient Integration app, see IBM Resilient QRadar Integration.

What's new in 3.8.0 (Released 29 September 2020)

  • Added machine learning user and peer group models.
  • Updated the Machine Learning settings page to show the model type and the users in each model.
  • Added the ability to synchronize to a reference table and to create a map of sets for CSV user import and for LDAP/AD user import.
  • Increased the potential size of Machine Learning (40 GB that monitors 220 K users).
  • Reduced the time that it takes to build and train machine learning models.
  • Restricted the installation of all new machine learning containers greater than 5 GB to an App Host.
  • Added MITRE ATT&CK tactics and kill chain groupings to the Rules and Tuning page.
  • Updated all rules and events to make the event name match the rule name.
  • Added the following use case: UBA : Potential Lateral Movement.
  • Removed the UBA : User Running New Process use case and replaced it with a machine learning user model.
  • Changed Add to Whitelist to Added to trusted users list on the Advanced Settings list on the User Details page.
  • Changed the following custom property names:
    • "ProcessName" is now "Process Name"
    • "ObjectName_FileName" is now "ObjectName" and "FileName"
    • "ProcessCMD" is now "Process Commandline"

What's new in 3.7.0 (Released 29 June 2020)

  • Increased peer group model capacity to 10,000 monitored users from previous 1,000 monitored users.
  • Improved dashboard graphs for Machine Learning peer group models. For more information, see UBA dashboard with Machine Learning.
  • Added the following IBM QRadar Cloud Apps configuration options: 1000 users, 10,000 users, 20,000 users and 40,000 users.
  • Added watchlist groupings and lists for top anomalies to Dashboard tooltips.
  • Added use case UBA : User Attempt to Use Disabled Account. For more information, see UBA : User Attempt to Use Disabled Account.
  • Updated use case UBA : User Attempt to Use a Suspended Account to focus on suspended account events only (disabled account event monitored by new rule). For more information, see UBA : User Attempt to Use a Suspended Account.
  • Updated use case UBA : Expired Account Used to include Kerberos events. For more information, see UBA : Expired Account Used.

What's new in 3.6.0 (Released 17 April 2020)

Starting with the 3.6.0 version of the UBA app, the Reference Data Import - LDAP (LDAP) app is no longer included with the UBA app. However, you can still use the LDAP app and download it from the IBM App Exchange.

In 3.6.0, all of the rules are disabled by default except for the following 3 rules: UBA : Unauthorized Access, UBA : Dormant Account Used, and UBA : New Account Use Detected. If you made modifications to rules in 3.5.0 or earlier (such as enabling or disabling a rule), they are not changed to the new default value in 3.6.0 after you upgrade.
Attention: Rules that were not modified in 3.5.0 or earlier will be disabled by default after you upgrade.

What's new in 3.5.0 (Released 04 December 2019)

Note: When you upgrade to 3.5.0, a one-time task runs that disables all unsupported UBA rules (use cases) found on the system. If any of the rules are enabled at a later time, they will not be disabled again by the application. For the complete list of rules that are no longer supported, see Changed implementation for rules.
  • Added the ability to set and reset risk scores from the UBA Rules and Tuning page. For more information, see Rules and tuning for the UBA app.
  • Added the ability to manage any QRadar rules that dispatch Sense events from the UBA Rules and Tuning page.
  • Rule editing privileges are required to enable and disable rules from the UBA Rules and Tuning page.
  • Added the ability to configure whether to monitor only imported users and ignore users that are discovered in events. For more information, see Configuring application settings.
  • Fixed an issue where users were being added to UBA for any action, whether a potential threat or not, by a rule that monitored every event for a user that was never seen before. These users were added to the "UBA : User Accounts, Successful, Observed" reference set and had to remain so they would not be counted as new again. When you upgrade to V3.5.0, the rules that were populating the "UBA : User Accounts, Successful, Observed" reference set are disabled. On a new installation of 3.5.0, these rules and reference sets have been removed.
  • Removed ADE and flow rules status from the UBA Dashboard.
  • Added use case UBA : User Added to a Group on SharePoint or OneDrive by Site Admin. For more information, see UBA : User Added to a Group on SharePoint or OneDrive by Site Admin.
  • Added use case UBA : Sharing Link Sent to Guest. For more information, see UBA : Sharing Link Sent to Guest.
  • Added use case UBA : User Potentially Phished. For more information, see UBA : User Potentially Phished.
  • Added use case UBA : Initial Access Followed by Suspicious Activity. For more information, see UBA : Initial Access Followed by Suspicious Activity.
  • Added use case UBA : Suspicious Activity Followed by Exfiltration. For more information, see UBA : Suspicious Activity Followed by Exfiltration.
  • Added use case UBA : Potentially Compromised Account. For more information, see UBA : Potentially Compromised Account.
  • Added use case UBA : Detected Activity from a Locked Machine. For more information, see UBA : Detected Activity from a Locked Machine.
  • Added use case UBA : Multiple Sessions to Monitored Log Sources (NIS Directive). For more information, see UBA : Multiple Sessions to Monitored Log Sources (NIS Directive).

What's new in 3.4.0 (Released 16 October 2019)

Attention: Memory requirements have increased from 1 GB to 1.2 GB.
Important: UBA 3.4.0 introduces the User Import wizard. The User Import wizard allows you to import users and user data directly from the UBA app. You can use the new wizard or you can continue to import user data with the Reference Data Import - LDAP app. To import users from a CSV file, you must use the Reference Data Import - LDAP app.
  • Added the User Import wizard so that you can configure LDAP and Active Directory data retrieval and import LDAP/AD data directly into the UBA app.
  • Added the ability to configure LDAP/AD imports using APIs.
  • Added the ability to view domain, manager, and peer information for user profiles on the User Details page.
  • Added use case UBA : Anonymous User Accessed a Resource.
  • Added use case UBA : Browsed to Social Networking Website.
  • Added use case UBA : External User Failed Mailbox Login.
  • Added use case UBA : Inbox Set to Forward to External Inbox.
  • Added use case UBA : Internal User Failed Mailbox Login Followed by Success.
  • Added use case UBA : Mailbox Permission Added and Deleted in a Short Period of Time.
  • Added use case UBA : Terminated User Activity.

What's new in 3.3.0 (Released 25 June 2019)

  • Increased the number of users supported by Machine Learning by 15 times.
  • Added Machine Learning use cases for Access, Authentication, and Suspicious Activity to replace the High Level Category use case.
  • Redesigned the Machine Learning settings page.
  • Added the ability to create custom machine learning models to support your unique use cases.
  • Added use case UBA : Browsed to Government Website.
  • Added use case UBA : Browsed to Religious Website.
  • Added use case UBA : Browsed to Education Website.
  • Added use case UBA : Data Exfiltration by Print.
  • Added use case UBA : Data Exfiltration by Cloud Services.
  • Added use case UBA : Data Exfiltration by Removable Media.
  • Added use case UBA : Data Loss Possible.

What's new in 3.2.0 (Released 27 March 2019)

  • Identify users with dormant accounts on the dashboard and on user profile pages.
  • Create watchlists of services accounts based on a missing user property.
  • Improved the LDAP app so that you can select the LDAP attributes to use in UBA. Note: When you configure LDAP, you must now select an outer key in the Attribute Mapping section.
  • Added the ability to import user information from a CSV file.
  • Added use case UBA : User Access from Multiple Hosts.
  • Added use case UBA : Possible Directory Services Enumeration.
  • Added use case UBA : Possible SMB Session Enumeration on a Domain Controller.
  • Added use case UBA : Suspicious Access Followed by Data Exfiltration.
  • Added use case UBA : Dormant Account Use Attempted.

What's new in 3.1.0 (Released 04 December 2018)

  • You can now customize the display of metrics in the user timeline and view the data that comprises the metrics.
  • Added the ability to set a dynamic risk threshold.
  • Added two new use case categories to the Rules and Tuning page: Cloud and Domain Controller.
  • Added use case UBA : Non-Standard User Accessing AWS Resources.
  • Added use case UBA : AWS Console Accessed by Unauthorized User.
  • Added use case UBA : Replication Request from a Non-Domain Controller.
  • Added use case UBA : Kerberos Account Enumeration Detected.
  • Added use case UBA : Possible TGT PAC Forgery.
  • Added use case UBA : DPAPI Backup Master Key Recovery Attempted.
  • Added use case UBA : DoS Attack by Account Deletion.
  • Added use case UBA : Multiple Blocked File Transfers Followed by a File Transfer.

What's new in 3.0.1 (Released 10 October 2018)

  • Added a use case to support DNS Tunneling detection by the IBM QRadar DNS Analyzer app.
  • Fixed an issue that might prevent the ability to ingest users from a reference table.

What's new in 3.0.0 (Released 27 September 2018)

  • You can now create and manage watchlists so that you can monitor custom groups of users.
  • You can now view, filter, and tune UBA use cases with the new Rules and Tuning page.
  • You can now view risky events and metrics in the user activity timeline by sessions of activity.
  • Added a machine learning analytic that detects abnormal volume of data to external domains.
  • Added use case UBA : Large Outbound Transfer by High Risk User.
  • Added use case UBA : Honeytoken Activity.
  • Added use case UBA : Bruteforce Authentication Attempts.
  • Added use case UBA : User Account Created and Deleted in a Short Period of Time.
  • Added use case UBA : High Risk User Access to Critical Asset.
  • Added use case UBA : Anomalous Account Created From New Location.
  • Added use case UBA : Anomalous Cloud Account Created From New Location.

What's new in 2.8.0 (Released 13 July 2018)

  • You can now filter by AQL queries with the Advanced Search Filter field when you configure machine learning analytics settings.
  • You can now view dashboard statistics for Users Discovered from Events and Users Imported from Directory.
  • You can now specify users that you want to track with machine learning.
  • You can now configure whether to display graphs for each machine learning analytic.
  • You can now configure whether to install or upgrade UBA content packages (QRadar rules, custom properties, and reference data for use cases).
  • Added a machine learning analytic that you can enable to detect abnormal outbound transfer attempts.
  • Added machine learning memory configurations to support more users when you run UBA with Machine Learning on an app node.
  • Added a reference set to identify High Risk Users.
  • Added use cases for the following Browsed to Website categories: Business/Service, LifeStyle, and Uncategorized.
  • Added use case UBA : Network Share Accessed.
  • Added use case UBA : Non-Admin Access to Domain Controller.
  • Added use case UBA : User Access from Prohibited Location.
  • Added use case UBA : User Access from Restricted Location.
  • Added use case UBA : Multiple Kerberos Authentication Failures from Same User.
  • Added use case UBA : TGT Ticket Used by Multiple Hosts.

What's new in 2.7.0 (Released 24 May 2018)

  • You can now investigate users in the QRadar Advisor with Watson app. Note: You must have QRadar Advisor with Watson V1.13.0 installed.
  • You can now generate a General Data Protection Regulation (GDPR) compliance report for a user and stop a user from being tracked.
  • You can now mark a user's investigation status and view all users that are under investigation from the User Analytics dashboard.
  • You can now configure whether you want to display country and region flags for IP addresses.
  • Added support for domain access events that are generated by the IBM QRadar DNS Analyzer app.
  • Added 19 new unusual scanning use cases.
  • Added 3 new suspicious application use cases.
  • Added 10 new risky browsing use cases.
  • Added 13 new system monitoring (Sysmon) use cases.

What's new in 2.6.0

2.6.0 of the User Behavior Analytics app includes the following new features:
  • Extended the Machine Learning Analytics (ML) app to analyze anomalies based on defined peer groups in LDAP and Active Directory.
  • The Peer Group analytic for the ML app was renamed to Learned Peer Group.
  • Added use case: UBA : Process Executed Outside Gold Disk Whitelist (Windows / Linux)
  • Added use case: UBA : Ransomware Behavior Detected
  • Added use case: UBA : Netcat Process Detection (Windows / Linux)
  • Added use case: UBA : Multiple VPN Accounts Failed Login from Single IP
  • Added use case: UBA : Volume Shadow Copy Created
  • Added use case: UBA : Detect Insecure Or Non-Standard Protocol
  • Added use case: UBA : Malware Activity - Registry Modified In Bulk
  • Added use case: UBA : Internet Settings Modified
  • Added use case: UBA : Multiple VPN Accounts Logged In from Single IP
  • Added use case: UBA : Suspicious PowerShell Activity (Asset)
  • Added use case: UBA : Suspicious PowerShell Activity
  • Added use case: UBA : Suspicious Command shell Activity
  • Added use case: UBA : Malicious Process Detected

What's new in 2.5.0

  • Added the ability to quickly investigate a user's risky behavior with the inline contextual event viewer.
  • Added a help and support page that provides links to documentation, tutorials, and support information and also provides administrative functions.
  • Increased the accuracy and scalability for Machine Learning and improved the messaging on the Status of Machine Learning Models section of the dashboard.
  • Added use case: UBA : User Running New Process.
  • Added use case: UBA : User Installing Suspicious Application.
  • Added use case: UBA : Unix/Linux System Accessed With Service or Machine Account.
  • Added use case: UBA : User Access to Internal Server From Jump Server.
  • Added use case: UBA : Executive Only Asset Accessed by Non-Executive User.

What's new in 2.4.0

  • Display LDAP retrieval status in LDAP app.
  • Import up to 400,000 users by the LDAP app.
  • Streamlined and simplified integration and mapping of LDAP/AD data.
  • Ability to map an unlimited number of aliases to a primary user ID.
  • Added memory configuration settings in Machine Learning Settings to support more users when you run Machine Learning on an App Node.
  • Added feedback survey.
  • Added use case UBA: Windows access with Service or Machine Account.
  • Added use case UBA: D/DoS Attack Detected.
  • Added use case UBA: Detect Persistent SSH session.
  • Added use case UBA: Abnormal data volume to external domain.
  • Added use case UBA: Abnormal Outbound Attempts.

What's new in 2.2.0

  • Added two Machine Learning analytics:
    • Activity Distribution: Detects deviations in activity distributions for users.
    • Peer Group: Detects peer groups and deviations from peer groups. The Peer Group analytic is compute-intensive; therefore, the UBA app must be installed on a QRadar App node to enable.
  • Added use case: VPN Access By Service or Machine Account.

What's new in 2.1.1

  • Disabled UBA QNI rules by default. These rules must be re-enabled to gather information from existing QNI events for UBA.
  • Updated UBA ADE rules to use a shorter time interval for comparisons in order to improve rule performance.
  • Updated rule "UBA : User Geography Change" to not trigger prior to the first geography change.
  • Fixed an issue where the LDAP app might return a 404 error.

What's new and changed in 2.1.0

  • The Risky Activity Timeline in the dashboard can now be grouped by activity or by hour.
  • The Machine Learning Analytics (ML) app is integrated with the UBA app and can now be installed from within the UBA app. The Machine Learning Analytics app no longer needs to be downloaded separately.
  • Added 64 GB console support for the Machine Learning Analytics app.
  • Added use case: UBA: VPN Certificate Sharing. Note: If you plan to use the UBA : VPN Certificate Sharing rule, you must update the Cisco Firewall DSM to the following:
    • For 7.2.7 and 7.2.8: DSM-CiscoFirewallDevices-7.2-20170619124928.noarch.rpm
    • For 7.3.0 and later: DSM-CiscoFirewallDevices-7.3-20170619132427.noarch.rpm
  • Added 10 use cases that correspond to Blue Coat URL categories.
  • Updated UBA rules to decrease the response frequency. This might result in lower user risk scores.
  • Added CRE rules to support ADE use cases.
  • Updated the time to live of user reference data so alerts are not sent when user activity is consistent.
  • Performance improvements.
Note: Uninstalling and installing the Machine Learning Analytics App from the Extension Manager is no longer supported by 2.1.0. If you have the ML App 2.0.0 installed, consider uninstalling the ML app from the Extension Manager before you upgrade to 2.1.0.

What's new in 2.0.2

  • Improved QRadar version detection by the UBA app.

What's new in 2.0.1

  • Scenario 1: For QRadar deployments that do not have internet access, fixed an app installation and upgrade issue. For more information and upgrade instructions, see the following technote: http://www.ibm.com/support/docview.wss?uid=swg22002994.
  • Scenario 2: For QRadar deployments that have internet access, fixed an app installation and upgrade issue.

What's new in 2.0.0

  • Added support for the IBM QRadar Machine Learning Analytics app.
  • Added eight use cases that allow UBA to monitor flow-based anomalies by using QRadar Network Insights. Requires QRadar Network Insights (QNI) and QRadar version 7.2.8 or higher.
  • Performance improvements.
  • Defect fixes.

What's new in 1.4.0

1.4.0 of the User Behavior Analytics app includes the following items:
  • The user ID is automatically retrieved from asset profiling when it is not available in the event or flow record.
  • Fixed an issue where User Details data retrieval might stall.
  • Username searches are no longer case sensitive.
  • Added globalization support for the following languages: Brazilian Portuguese, French, German, Italian, Japanese, Korean, Spanish, Simplified Chinese, Russian, and Turkish.
  • Extended use case support to take advantage of Microsoft ISA traffic throughput records.
  • Added the following use case: UBA : User Access - Failed Access to Critical Assets.

What's new in 1.3.1

  • Added support for QRadar 7.2.6 Patch 4.
    Note: Anomaly detection (ADE) rules are not supported on QRadar 7.2.6.
  • Clicking a time in the user event timeline or risk score graph shows all events for a 1-hour interval (plus or minus 30 minutes). Previously, only sense events were displayed.
  • Fixed an issue that prevented the UBA app from working with QRadar 7.2.8 Patch 1.

What's new in 1.3.0

  • User details page lists the risky activity in a timeline based on use case.
  • Private certificate authority (Private CA) support for LDAP imports.
  • The overall risk score graph and the risk score graph show granularity by hour instead of by day.
  • User risk score can be calculated dynamically from right-clicking a user name.

What's new in 1.2.0

1.2.0 of the User Behavior Analytics app includes the following items:
  • Administrators can set access permissions for non-administrator users to access the app.
  • Ability to add trusted users to a whitelist so that the users do not generate risk scores or offenses.
  • Ability to add trusted log sources to specify log sources that are not tracked by UBA.
  • Ability to view all, instead of only the top 10, users on the dashboard.
  • A default configuration for Active Directory that eliminates the need to enter values for LDAP and UBA configurations.
  • Improved navigation for easier return to the main Quick Insights dashboard.
  • Modified default values for the User Analytics settings.
  • List only the most recent events instead of all the events from the last hour on the User Details page.

What's new in 1.1.0

With 1.1.0 of the User Behavior Analytics app, you can do the following things:
  • Refresh the Quick Insights dashboard to see up-to-date information. A timer shows you when the dashboard will automatically refresh.
  • Select the time duration for viewing the system score on the Quick Insights dashboard and for viewing the risk score on the User Details page.
  • Create new LDAP fields by combining attributes on the LDAP Attribute Mapping tab in the LDAP app.