User Behavior Analytics rules can help you identify potential insider threats inside your network. After the user analytics rules from IBM® QRadar® User Behavior Analytics 4.1.0 or later are integrated in IBM QRadar Use Case Manager 3.2.0 or later, you can manage and tune them to best suit your organization's needs. The data then automatically displays in the QRadar User Behavior Analytics dashboards so that you can visualize the risks to your network.
About this task

For a rule to be considered relevant to QRadar User Behavior Analytics, the Dispatch new event option must be selected in the Rule Response. You can also associate any other rules to work with QRadar User Behavior Analytics by editing them in the rule wizard in QRadar Use Case Manager.

Important: In QRadar User Behavior Analytics, the dashboard rule count is based on the total number of rules that QRadar User Behavior Analytics detects, regardless of whether the rules are installed or not. In QRadar Use Case Manager, filtering is based on which rules are installed.
Procedure

- On the Use Case Explorer page, click the list icon, and pick one of the following templates to use:
  - All User Behavior Analytics rules: Shows the risk score for all the installed and non-installed User Behavior Analytics rules.
  - Installed User Behavior Analytics rules: Shows the risk score for installed User Behavior Analytics rules.
    Tip: To use filters that are similar to the Rules and Tuning page in QRadar User Behavior Analytics, select this template. To view category information, add the Content category column. QRadar Use Case Manager does not contain kill chain information.
  - Non-installed User Behavior Analytics rules: For non-installed content extensions, this template shows the User Behavior Analytics rules that become available when the extensions are installed.
- To modify the risk score for a predefined QRadar User Behavior Analytics rule, click the name of the rule, expand the User Behavior Analytics risk score section, and adjust the number. The user risk score in QRadar User Behavior Analytics updates automatically.
  A risk score is the sum of all risk events that QRadar User Behavior Analytics rules detect for a user. The higher the risk score, the more likely an internal user is to be a security risk, and the more that user's network activity warrants further review. The risk score decreases over time if no new events occur. Rules that are integrated from the QRadar User Behavior Analytics app typically have a risk score in the range of 5 - 25. You can display the risk score in any report by adding the Rule attributes: User Behavior Analytics risk column to your current template. For more information, see Configuring application settings.
- To add a risk score to a rule and associate it with QRadar User Behavior Analytics, follow these steps:
  - Open the selected rule in the rule wizard and expand the User Behavior Analytics risk score section.
  - If the Dispatch New Event option isn't selected in the Rule response section, click Edit in rule wizard and complete that step now.
  - Assign a risk score to the rule.
  The QRadar User Behavior Analytics app tracks any events that the rule generates and considers the risk score in its analysis.
- If you no longer want a rule to be associated with QRadar User Behavior Analytics, follow these steps:
  - Open the selected rule in the rule wizard and expand the User Behavior Analytics risk score section.
  - Follow the instructions in the tooltip to disconnect the rule from QRadar User Behavior Analytics.
  When you remove the references to the rule from the reference table in QRadar User Behavior Analytics, any events that are triggered by the rule stop contributing to the user's risk score.
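To make concrete how a per-user risk score builds up from rule events, why tuning a rule's risk score changes it, and why disconnecting a rule from the reference table removes that rule's contribution, the following Python model is an added example and is not QRadar's own code or algorithm. It assumes a simplified scoring model: each event adds its rule's risk score, contributions decay exponentially with a fixed half-life (the page only says the score reduces over time; the decay shape and the 24-hour half-life are assumptions), and only rules that are present in the reference table with Dispatch new event selected are relevant. The rule names, users, and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class RuleConfig:
    """Per-rule settings as edited in the rule wizard (hypothetical model)."""
    risk_score: int            # the "User Behavior Analytics risk score" value
    dispatch_new_event: bool   # whether the "Dispatch new event" response is selected


@dataclass
class RuleEvent:
    """One event dispatched by a rule for a user at a point in time (constructed)."""
    rule: str
    user: str
    time: datetime


class RiskScorer:
    """Aggregates per-user risk from rule events.

    Assumptions (not documented QRadar behaviour): each event contributes the
    rule's current risk score, contributions decay exponentially with a fixed
    half-life, and only rules present in the reference table AND dispatching
    a new event are considered relevant.
    """

    def __init__(self, rules: Dict[str, RuleConfig], half_life_hours: float = 24.0):
        self.rules: Dict[str, RuleConfig] = dict(rules)  # stands in for the reference table
        self.half_life = timedelta(hours=half_life_hours)
        self.events: List[RuleEvent] = []

    def is_relevant(self, rule: str) -> bool:
        cfg = self.rules.get(rule)
        return cfg is not None and cfg.dispatch_new_event

    def ingest(self, ev: RuleEvent) -> None:
        self.events.append(ev)

    def set_risk_score(self, rule: str, score: int) -> None:
        """Tune a rule's risk score; existing events are re-weighted on the next query."""
        if score < 0:
            raise ValueError("risk score must be non-negative")
        self.rules[rule].risk_score = score

    def disconnect_rule(self, rule: str) -> None:
        """Remove the rule from the reference table: its events stop contributing."""
        self.rules.pop(rule, None)

    def user_score(self, user: str, now: datetime) -> float:
        total = 0.0
        for ev in self.events:
            if ev.user != user or not self.is_relevant(ev.rule):
                continue
            age = now - ev.time
            if age < timedelta(0):
                continue  # ignore events stamped in the future (clock skew)
            decay = 0.5 ** (age / self.half_life)
            total += self.rules[ev.rule].risk_score * decay
        return round(total, 2)


def run_scenario() -> Dict[str, float]:
    """Constructed scenario: three rules, two users, then tune and disconnect."""
    t0 = datetime(2024, 1, 1, 12, 0)
    scorer = RiskScorer({
        "Example rule A": RuleConfig(risk_score=10, dispatch_new_event=True),
        "Example rule B": RuleConfig(risk_score=20, dispatch_new_event=True),
        "Example rule C": RuleConfig(risk_score=25, dispatch_new_event=False),  # not relevant
    })
    scorer.ingest(RuleEvent("Example rule A", "alice", t0))
    scorer.ingest(RuleEvent("Example rule B", "alice", t0 - timedelta(hours=24)))
    scorer.ingest(RuleEvent("Example rule C", "alice", t0))  # ignored: no Dispatch new event
    scorer.ingest(RuleEvent("Example rule A", "bob", t0))

    out: Dict[str, float] = {}
    out["alice_now"] = scorer.user_score("alice", t0)                              # 10 + 20*0.5 = 20.0
    out["bob_now"] = scorer.user_score("bob", t0)                                  # 10.0
    out["alice_plus_24h"] = scorer.user_score("alice", t0 + timedelta(hours=24))   # 5 + 5 = 10.0
    scorer.disconnect_rule("Example rule B")
    out["alice_after_disconnect"] = scorer.user_score("alice", t0)                 # 10.0
    scorer.set_risk_score("Example rule A", 25)
    out["alice_after_retune"] = scorer.user_score("alice", t0)                     # 25.0
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Two points the model makes visible: a rule that dispatches no new event never reaches the score even when it has a risk value, and disconnecting a rule affects events already ingested, not just future ones, because the score is recomputed from the reference table at query time.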
What to do next

Review the relevant reports that include the User Behavior Analytics rules. The rules also contribute to the tactic counts in the MITRE ATT&CK reports. You can also visualize rules on the dashboards in the QRadar User Behavior Analytics app.