UBA dashboard with Machine Learning

The IBM® QRadar® User Behavior Analytics (UBA) app with Machine Learning Analytics includes the Machine Learning model status and additional details for the selected user.

Dashboard

After you enable the Machine Learning models, click the User Analytics tab to open the main UBA Overview (Dashboard) page.

The Status of Machine Learning Models section shows you the ingestion and the building progress for each model you have enabled.
  • The purple progress bar indicates that the model is ingesting data.
  • The blue progress bar indicates that the model is building.
  • The green progress bar indicates that the model is training. Note: If the model is not receiving data, then it remains in training until enough data is received.
  • The green check mark indicates that the model is enabled.
  • The yellow warning icon indicates a problem was encountered during the model building phase. See Machine Learning app status shows warning on dashboard.
Click the ML Settings configuration icon to open the Machine Learning Analytics page and edit the configuration for the machine learning models.
Note: If you edit the configuration after it has been saved, a new model will be built and the time to wait for the ingestion and model building is reset.
The following image shows an example of a Machine Learning models status widget in the UBA 4.0.0 light theme UI.
Status of Machine Learning models widget

User details page

You can click a user name from anywhere in the app to see details for the selected user.

You can learn more about the user's activities with the event viewer pane. The event viewer pane shows information about a selected activity or point in time. Clicking an event in the event viewer pane reveals more details such as syslog events and payload information. The event viewer pane is available for all donut and line graphs on the User details page.

The following tables describe the Machine Learning Analytics graphs available on the User Details page.

Table 1. Names and descriptions of time series ML graphs
Time series graphs:
  • Access activity
  • Aggregated activity
  • Authentication activity
  • Data uploaded to remote networks
  • Data downloaded
  • DML events
  • DDL events
  • Large HTTP transfers
  • Outbound transfer attempts
  • Risk posture
  • Suspicious activity
  • Successful access and authentication activity
Note: All custom models use this graph type.

Description: Shows actual and expected user activity behavior patterns. The actual values are the number of events for that user during the selected time period. The expected values are the predicted number of events for that user during the selected time period. A red circle indicates that an anomaly was detected and a sense event was generated by machine learning.

On the time series graph, you can:
  • Click a node and get a query listing of the events.
  • Click the Calendar icon to specify a time and date.
The following image shows an example of a time series graph in the UBA 4.0.0 light theme UI.
Risk posture graph
Table 2. Name and description of ML distribution graph
Distribution graph: Activity distribution

Description: Shows dynamic behavior clusters for all users that are monitored by machine learning. The clusters are inferred from the activity categories of all users that are monitored by machine learning. The actual values are the percent match to that cluster. The expected values are the predicted percent match to that cluster. Each color in the graph represents a unique dynamic behavior cluster for all users monitored by machine learning. The color used to denote a particular cluster is the same for all users. A red vertical line indicates that an anomaly was detected and a sense event was generated by machine learning.

On the graph, you can:
  • Hover over each cluster to view the actual and predicted activity percentiles and the top 3 contributing categories.
  • Click the Calendar icon to specify a date range.
The following image shows an example of an activity distribution graph in the UBA 4.0.0 light theme UI.
Activity distribution graph
Table 3. Names and descriptions of peer group ML graphs
Peer group graphs:
  • Defined peer group
  • Learned peer group

Description: Shows how much a user's event activity deviates from that of their peer group. A red circle indicates that an anomaly was detected and a sense event was generated by machine learning. Defined group is the LDAP group chosen in the model settings. Behavior detected as lists the groups whose behavior the user's activity resembled during the day. Deviation from peer group is the percentage by which the user's activity deviated from that of their defined peer group. Confidence reflects how much data from users in the group was available to build the model and make accurate predictions. An alert is triggered only if the deviation and the confidence both exceed their thresholds.

To view the peer group analytic, you must configure user imports to gather user grouping properties to meet minimum requirements. Select the grouping property on the configuration page that represents the groups to be modeled. See Tuning user import configurations for details on configuring the custom group.

On the graph, you can:
  • Click a data point to view the Peers in "your peer group" table.
  • Click the Calendar icon to specify a date range.
The Peers in "your peer group" table shows you the riskiest users in the current user's group. You can:
  • Click a user name to open the User Details page
  • Click the drop-down list to select the user attributes to display
  • Search to filter the user names
The following image shows an example of a defined peer group graph with custom groupings in the UBA 4.0.0 light theme UI.
Defined peer group graph
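The alert rule above (deviation and confidence must both exceed their thresholds) is easy to misread as "high deviation alone alerts". The following added example, which is not QRadar UBA code, models that rule on constructed sample data. The deviation metric (total variation distance between a user's activity-category distribution and the average distribution of their peers), the confidence formula (peer event volume capped at an assumed 200 events), the threshold values and the user and category names are all assumptions chosen for the illustration.

```python
"""Toy model of the peer-group alert rule: alert only when BOTH the
deviation from the defined peer group AND the model confidence exceed
their thresholds.  Added illustration, not QRadar UBA's implementation;
metric, confidence formula, thresholds and sample data are assumptions."""
from collections import Counter

# Constructed sample: one day of event counts per activity category per user.
SAMPLE_EVENTS = {
    "alice": {"auth": 40, "access": 30, "dml": 5},
    "bob":   {"auth": 35, "access": 35, "dml": 4},
    "carol": {"auth": 38, "access": 28, "dml": 6},
    "dave":  {"auth": 2,  "access": 3,  "ddl": 60},   # unlike the rest of the group
}
# Stand-in for the LDAP group chosen in the model settings (assumed).
DEFINED_GROUP = {"alice", "bob", "carol", "dave"}

DEVIATION_THRESHOLD = 50.0          # percent; assumed value
CONFIDENCE_THRESHOLD = 0.7          # 0..1; assumed value
EVENTS_FOR_FULL_CONFIDENCE = 200    # peer events needed for confidence 1.0; assumed


def normalize(counts):
    """Turn raw category counts into a probability distribution."""
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()} if total else {}


def peer_profile(events, group, exclude):
    """Average category distribution of the user's peers (group minus the user)."""
    agg, n = Counter(), 0
    for user in group:
        if user == exclude or user not in events:
            continue
        for category, share in normalize(events[user]).items():
            agg[category] += share
        n += 1
    return {k: v / n for k, v in agg.items()} if n else {}


def deviation_percent(user_dist, peer_dist):
    """Total variation distance between two distributions, scaled to 0..100."""
    categories = set(user_dist) | set(peer_dist)
    return 100.0 * 0.5 * sum(
        abs(user_dist.get(c, 0.0) - peer_dist.get(c, 0.0)) for c in categories
    )


def confidence(events, group, exclude):
    """Grows with the amount of peer data behind the profile, capped at 1.0."""
    peer_events = sum(
        sum(events[u].values()) for u in group if u != exclude and u in events
    )
    return min(1.0, peer_events / EVENTS_FOR_FULL_CONFIDENCE)


def evaluate_user(user, events=SAMPLE_EVENTS, group=DEFINED_GROUP):
    """Score one user against their defined peer group and apply the AND rule."""
    dev = deviation_percent(normalize(events[user]), peer_profile(events, group, user))
    conf = confidence(events, group, user)
    return {
        "user": user,
        "deviation": round(dev, 1),
        "confidence": round(conf, 2),
        "alert": dev > DEVIATION_THRESHOLD and conf > CONFIDENCE_THRESHOLD,
    }


if __name__ == "__main__":
    for name in sorted(DEFINED_GROUP):
        print(evaluate_user(name))
    # Same outlier, but a group with too little peer data: no alert despite
    # the large deviation, because confidence stays below its threshold.
    print(evaluate_user("dave", group={"dave", "alice"}))
```

Two things the run makes visible that the description alone does not: a single outlier inflates every peer's deviation a little (alice lands near 31 percent because dave is in her peer set), which is why the deviation threshold is needed, and a user scored against a group with too little data keeps a high deviation but a low confidence, so the AND rule suppresses the alert, matching the note that the model stays in training until enough data is received.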
The following Machine Learning user models are not represented by a graph:
  • Lateral Movement: Internal Destination Port Activity
  • Lateral Movement: Network Zone Access
  • Lateral Movement: Internal Asset Usage
  • Process Usage