What's new in the QRadar User Behavior Analytics app

Learn about the new features and enhancements in the latest QRadar® User Behavior Analytics (UBA) app releases.

What's new in 4.1.16 (Released May 2024)

What's new in 4.1.15 (Released March 2024)

  • Fixed an issue so that the app works with QRadar 7.5.0 Update Package 8.

What's new in 4.1.14 (Released November 2023)

  • Improved UBA to use correct IP address when encrypted App Host is used in NAT environment
  • Enhanced Machine Learning to use correct IP address when the encrypted App Host is used in NAT environment.
  • Machine Learning model now recovers itself when model build fails with the "lost user Id lookup object" error.
  • Added the ability to gather additional files when using Machine Learning download logs function on the Help and Support page.
  • Fixed an issue that caused an unexpected error when viewing user details in the QRadar Suite SOAR App.
  • Fixed an issue that caused querying on custom machine learning model to fail validation when using with the character sequence $'.
  • Fixed an issue that caused UBAController process to fail when saving a configuration that already existed in zookeeper.
  • You can now select and delete multiple users at once on the Search Results page.
  • You can now see the tenant name in the UBA Overview page header when using multitenant configuration.
    Tenant name

What's new in 4.1.13 (Released August 2023)

What's new in 4.1.12 (Released June 2023)

What's new in 4.1.11 (Released March 2023)

What's new in 4.1.10 (Released February 2023)

  • Upgraded the LDAPv3 Python library to address parsing issue in UBA.
  • Upgraded jQuery UI to address a vulnerability in UBA.
  • Updated user imports to fix an issue that caused automatic reruns.
  • Increased the character limit for the LDAP filter to 1000.
  • Updated Machine Learning to fix an issue that caused models to be stuck in the building phase.
  • Fixed a security vulnerability. For more information, see the following security bulletin: CVE-2022-23491

What's new in 4.1.9 (Released September 2022)

What's new in 4.1.8 (Released August 2022)

Attention: Starting with UBA 4.1.8, support is limited to QRadar versions 7.4.3+.
  • Fixed an issue with dashboard views showing counts that also included deleted users.
  • Improved upgrade process for UBA and Machine Learning
  • Added Time to Live element to UBA : Dormant Account ref set.
  • Updated machine learning models to use the Bytes Sent and Bytes Received.
  • Updated API calls to support the newer versions of QRadar.
  • Fixed name display for HTTP Data model on the User profile page.
  • Fixed name display for Username on the UBA Dashboard page.
  • Because of a limitation with QRadar APIs, the following will no longer be monitored in UBA:
    • Usernames that have a leading . or $
    • Usernames that contain any of the following special characters: <>?*=+,|;:[]
  • Fixed some security vulnerabilities. For more information, see the following security bulletins:

What's new in 4.1.7 (Released March 2022)

  • Fixed an issue that caused incorrect navigation to QRadar from UBA on IBM Cloud Pack for Security.
  • Fixed a deadlocking issue that caused user import failures.
  • Fixed an issue that was preventing user imports from writing data to the reference table.
  • Fixed an issue that caused database migration failures when upgrading.
  • Fixed an issue with Machine Learning that showed the space available status as 0.
Known issue: Because of the changes implemented to fix issues with user imports in UBA 4.1.7, performance during coalescing might be slow. Consider decreasing the number of aliases to reduce performance impact.

What's new in 4.1.6 (Released 7 January 2022)

  • Updated the ncurses library to version 6.1.9.
  • Fixed a security vulnerability. For more information, see the following security bulletin: CVE-2021-45105.

What's new in 4.1.5 (Released 17 December 2021)

UBA 4.1.5 includes the following updates:
  • Addressed an issue with migrating an older version of PostgreSQL database during some upgrade scenarios.
  • Fixed some security vulnerabilities. For more information, see the following security bulletins:

What's new in 4.1.3 (Released 09 December 2021)

UBA 4.1.3 includes the following updates:
  • Improved User imports so that you can use more special characters for Custom attributes.
  • Improved the navigation with QRadar Analyst Workflow integration if QRadar Analyst Workflow is installed.

What's new in 4.1.2 (Released 30 July 2021)

UBA 4.1.2 includes the following updates:

What's new in 4.1.1 (Released 10 May 2021)

UBA 4.1.1 includes the following updates:
  • For QRadar on Cloud deployments, you can now install Machine Learning in application dense environments as the installation is no longer restricted to 10% of memory.
  • For QRadar on Cloud deployments, the Learned peer group model no longer requires an App Host.
  • Fixed an issue with User imports that caused duplicate users in UBA.
  • Fixed an issue that prevented PSQL migration when UBA data had been cleared. For more information, see QRadar: Upgrading to UBA 4.1.0 can lead to aspects of the app not functioning properly.
  • Fixed an issue where Ariel Searches were not deleted and the User Details Event Viewer showed “No results found for AQL query”.
  • Fixed issues where rule name and event name changes were breaking the Rules and Tuning page.
  • Added public API documentation. For more information, see Public API documentation for UBA.
  • Integration with QRadar Use Case Manager 3.2.0. UBA rules are now managed in QRadar Use Case Manager 3.2.0 and later. For more information, see Integration with Use Case Manager 3.2.0 and later.
  • Fixed some security vulnerabilities. For more information, see the following security bulletins:

What's new in 4.1.0 (Released 10 March 2021)

Attention: For the best experience, you should install 4.1.0 on the following QRadar versions:
  • 7.3.3 Fix Pack 6 or later
  • 7.4.2 Fix Pack 3 or later
  • 7.4.3 or later

For multitenancy, UBA version 4.1.0 is supported only on the following QRadar versions: 7.4.2 Fix Pack 3 or later and 7.4.3 or later.

Upgrade note: You should upgrade to UBA 4.0.1 (QRadar 7.3.3 or later) before you upgrade to UBA 4.1.0.

User details panel

You can click a username to open the User details panel that shows you details about the user including overall risk, display name, top 3 anomalies, watchlists, and aliases. To open the full User details page, click View user details.
Overview page with user details panel

Custom attributes in the User imports wizard

You can create custom attributes when you tune your user imports with the User imports wizard. For more information, see Tuning user import configurations.
Custom attributes screen for 4.1.0

Deleting a user from the user import configuration

When you delete a User import configuration, you now can choose to delete only an import configuration or you can choose to delete the users (and their data) who are associated with the selected user import configuration.

Note: If you selected the Synchronize reference table option when you configured the import, you will have the option to Delete the configuration, users, reference table, and map of sets.
Confirm delete action dialog box

Removing an alias when you tune a user import

On the User imports > Tuning page, you can click Edit to open the Edit: Aliases page in the User coalescing section. You can select the "x" to remove an alias to uncoalescence (separate combined users) that you have previously coalesced. When you remove an alias it then recoalesces. Note that when you delete an alias it takes effect only when the value of that alias is not shared with the deleted imports.

Edit: Aliases page

Remove users discovered from events

In the Administrative functions section on the Help and support page, you can remove only users that were discovered from events. You can click to see the users that were discovered from events and that will be removed. After confirming the user removal, the count on the overview page under Users discovered from events should decrease to zero.

Tip: You should enable the Monitor imported users only option on the UBA Settings page before removing event users if you don't want to discover users from events again.

Selecting Remove event users does not remove users that you imported.

Remove event users option

Integration with Use Case Manager 3.2.0 and later

When you upgrade to UBA 4.1.0 (and later) and Use Case Manager 3.2.0 and later, you manage rules in Use Case Manager and no longer manage rules in the UBA Rules and Tuning page. For more information, see QRadar Use Case Manager.

Updated Help and support page

The following image shows an example of the updated Help and Support page for 4.1.0.

Help and Support page for 4.1.0