What's new in the QRadar User Behavior Analytics app
Learn about the new features and enhancements in the latest QRadar® User Behavior Analytics (UBA) app releases.
What's new in 4.1.15 (Released March 2024)
- Fixed an issue so that the app works with QRadar 7.5.0 Update Package 8.
What's new in 4.1.14 (Released November 2023)
- Improved UBA to use correct IP address when encrypted App Host is used in NAT environment
- Enhanced Machine Learning to use correct IP address when the encrypted App Host is used in NAT environment.
- Machine Learning model now recovers itself when model build fails with the "lost user Id lookup object" error.
- Added the ability to gather additional files when using Machine Learning download logs function on the Help and Support page.
- Fixed an issue that caused an unexpected error when viewing user details in the QRadar Suite SOAR App.
- Fixed an issue that caused querying on custom machine learning model to fail validation when using with the character sequence $'.
- Fixed an issue that caused UBAController process to fail when saving a configuration that already existed in zookeeper.
- You can now select and delete multiple users at once on the Search Results page.
- You can now see the tenant name in the UBA Overview page header when using multitenant
configuration.
What's new in 4.1.13 (Released August 2023)
- Added the ability to disable risk score decay by setting the "Decay risk by this factor per hour" option to "0" on the application settings page. For more information, see Configuring application settings.
- Error messages that relate to installing or uninstalling Machine Learning are now displayed for 30 seconds on the installer page.
- Fixed an issue that prevented proper redirection to QRadar Use Case Manager when you view a tenant instance of QRadar User Behavior Analytics while you're logged in as an administrator.
- Fixed an issue where using the ‘View User Details’ link from QRadar to QRadar User Behavior Analytics caused the wildcard search to use ‘NULL’ as the username and incorrectly match users to the original QRadar log activity or offenses record.
- Fixed an issue that prevented failed Machine Learning models to self-correct after receiving corrupted data.
- Fixed security vulnerabilities. For more information, see the following security bulletin: CVE-2023-32697, CVE-2021-3803, CVE-2022-25883, CVE-2020-28498, CVE-2022-3517, CVE-2023-34104, CVE-2023-26920, CVE-2022-25858, CVE-2022-38900, CVE-2021-43803, CVE-2021-37699, CVE-2022-46175, CVE-2023-37920, CVE-2021-23440.
What's new in 4.1.12 (Released June 2023)
- Enhanced the machine learning installation process to allow for different size installations on QRadar 7.5.0 in multitenant deployments. For more information, see Installing and configuring Machine Learning in Multitenancy.
- Fixed an issue with viewing events from the graph of Machine Learning models "Data uploaded to remote networks and Data downloaded".
- Fixed an issue where the custom event property "UploadRatio" was undefined in QRadar 7.5.0.
- Adjusted right-click action on "View user details" to perform case-insensitive match for username.
- Fixed security vulnerabilities. For more information, see the following security bulletin: CVE-2022-3171, CVE-2022-41881, CVE-2022-40152, CVE-2022-31160, CVE-2017-7525, CVE-2022-25168, CVE-2022-3509, CVE-2022-41854, CVE-2022-38752, CVE-2022-1471, CVE-2021-37533, CVE-2022-42004, CVE-2022-42003
What's new in 4.1.11 (Released March 2023)
- Fixed an issue that caused TLS connection failures when using secure LDAP.
- Fixed security vulnerabilities. For more information, see the following security bulletin: CVE-2019-6283, CVE-2018-20821, CVE-2018-11698, CVE-2020-24025, CVE-2018-19838, CVE-2018-11694, CVE-2018-19827, CVE-2018-20190. CVE-2019-6286, CVE-2019-6284, CVE-2018-19839, CVE-2018-19797, CVE-2022-37601, CVE-2022-37603, CVE-2022-37598, CVE-2021-42581, CVE-2021-39227, CVE-2021-3765, CVE-2022-31129, CVE-2022-24785, CVE-2021-23343, CVE-2020-15366, CVE-2021-23382, CVE-2022-25927, CVE-2022-37599, CVE-2022-24999, CVE-2021-32803, CVE-2021-37712, CVE-2021-37701, CVE-2021-37713, CVE-2021-32804, CVE-2020-7764, CVE-2021-23364, CVE-2022-25758, CVE-2021-23362, CVE-2021-23368, CVE-2021-3918, CVE-2021-29060, CVE-2022-25901, CVE-2021-42740, CVE-2021-3807
What's new in 4.1.10 (Released February 2023)
- Upgraded the LDAPv3 Python library to address parsing issue in UBA.
- Upgraded jQuery UI to address a vulnerability in UBA.
- Updated user imports to fix an issue that caused automatic reruns.
- Increased the character limit for the LDAP filter to 1000.
- Updated Machine Learning to fix an issue that caused models to be stuck in the building phase.
- Fixed a security vulnerability. For more information, see the following security bulletin: CVE-2022-23491
What's new in 4.1.9 (Released September 2022)
- Updates to Ariel Query Language (AQL) to use new recommended constructs.
- Fixed security vulnerabilities. For more information, see the following security bulletins:
- CVE-2012-5783, CVE-2021-22569, CVE-2019-10202, CVE-2019-10172, CVE-2011-4969, CVE-2015-9251, CVE-2012-6708, CVE-2020-7656, CVE-2021-29425, CVE-2020-9492, CVE-2021-34538, CVE-2019-0205, CVE-2022-25647, CVE-2020-13936
- CVE-2022-36771
- CVE-2022-24785
- CVE-2022-2191, CVE-2022-2047, CVE-2022-2048, CVE-2022-24823, CVE-2020-36518
- Updated the Rules and tuning for the UBA app topic and added a new topic for Machine learning analytic requirements.
What's new in 4.1.8 (Released August 2022)
Attention: Starting with UBA 4.1.8, support is limited to
QRadar versions
7.4.3+.
- Fixed an issue with dashboard views showing counts that also included deleted users.
- Improved upgrade process for UBA and Machine Learning
- Added Time to Live element to UBA : Dormant Account ref set.
- Updated machine learning models to use the Bytes Sent and Bytes Received.
- Updated API calls to support the newer versions of QRadar.
- Fixed name display for HTTP Data model on the User profile page.
- Fixed name display for Username on the UBA Dashboard page.
- Because of a limitation with QRadar APIs, the following will
no longer be monitored in UBA:
- Usernames that have a leading . or $
- Usernames that contain any of the following special characters: <>?*=+,|;:[]
- Fixed some security vulnerabilities. For more information, see the following security bulletins:
What's new in 4.1.7 (Released March 2022)
- Fixed an issue that caused incorrect navigation to QRadar from UBA on IBM Cloud Pack for Security.
- Fixed a deadlocking issue that caused user import failures.
- Fixed an issue that was preventing user imports from writing data to the reference table.
- Fixed an issue that caused database migration failures when upgrading.
- Fixed an issue with Machine Learning that showed the space available status as 0.
Known issue: Because of the changes implemented to fix issues with
user imports in UBA 4.1.7, performance during coalescing might be slow. Consider decreasing the
number of aliases to reduce performance impact.
What's new in 4.1.6 (Released 7 January 2022)
- Updated the ncurses library to version 6.1.9.
- Fixed a security vulnerability. For more information, see the following security bulletin: CVE-2021-45105.
What's new in 4.1.5 (Released 17 December 2021)
UBA 4.1.5 includes the
following updates:
- Addressed an issue with migrating an older version of PostgreSQL database during some upgrade scenarios.
- Fixed some security vulnerabilities. For more information, see the following security bulletins:
What's new in 4.1.3 (Released 09 December 2021)
UBA 4.1.3 includes the
following updates:
- Improved User imports so that you can use more special characters for Custom attributes.
- Improved the navigation with QRadar Analyst Workflow integration if QRadar Analyst Workflow is installed.
What's new in 4.1.2 (Released 30 July 2021)
UBA 4.1.2 includes the following updates:
- Improvements to coalescing
- Improvements to AQL filtering operations
- Updates to QRadar Use Case Manager integration
- Fixed a security vulnerability. For more information, see the following security bulletin: CVE-2021-29757.
- Added the following MaaS360 use cases:
- UBA : MaaS360 malicious URL accessed. For more information, see UBA : MaaS360 malicious URL accessed.
- UBA : MaaS360 malware application installed. For more information, see UBA : MaaS360 malware application installed.
- UBA : MaaS360 URL access blocked. For more information, see UBA : MaaS360 URL access blocked.
- UBA : MaaS360 malicious email received. For more information, see UBA : MaaS360 malicious email received.
- UBA : MaaS360 malicious SMS received. For more information, see UBA : MaaS360 malicious SMS received.
- UBA : MaaS360 device out of compliance due to OS version. For more information, see UBA : MaaS360 device out of compliance due to OS version.
- UBA : MaaS360 device out of compliance due to encryption level. For more information, seeUBA : MaaS360 device out of compliance due to encryption level.
- UBA : MaaS360 device out of compliance due to device being rooted. For more information, see UBA : MaaS360 device out of compliance due to device being rooted.
- UBA : Potential Access to Blocklist Domain. For more information, see UBA : Potential Access to Blocklist Domain.
- UBA : MaaS360 detected device with low encryption level. For more information, see UBA : MaaS360 detected device with low encryption level.
What's new in 4.1.1 (Released 10 May 2021)
UBA 4.1.1 includes the following updates:
- For QRadar on Cloud deployments, you can now install Machine Learning in application dense environments as the installation is no longer restricted to 10% of memory.
- For QRadar on Cloud deployments, the Learned peer group model no longer requires an App Host.
- Fixed an issue with User imports that caused duplicate users in UBA.
- Fixed an issue that prevented PSQL migration when UBA data had been cleared. For more information, see QRadar: Upgrading to UBA 4.1.0 can lead to aspects of the app not functioning properly.
- Fixed an issue where Ariel Searches were not deleted and the User Details Event Viewer showed “No results found for AQL query”.
- Fixed issues where rule name and event name changes were breaking the Rules and Tuning page.
- Added public API documentation. For more information, see Public API documentation for UBA.
- Integration with QRadar Use Case Manager 3.2.0. UBA rules are now managed in QRadar Use Case Manager 3.2.0 and later. For more information, see Integration with Use Case Manager 3.2.0 and later.
- Fixed some security vulnerabilities. For more information, see the following security bulletins:
What's new in 4.1.0 (Released 10 March 2021)
Attention: For the best experience, you should install 4.1.0 on the following QRadar versions:
- 7.3.3 Fix Pack 6 or later
- 7.4.2 Fix Pack 3 or later
- 7.4.3 or later
For multitenancy, UBA version 4.1.0 is supported only on the following QRadar versions: 7.4.2 Fix Pack 3 or later and 7.4.3 or later.
Upgrade note: You should upgrade to UBA 4.0.1 (QRadar 7.3.3 or later) before
you upgrade to UBA 4.1.0.
- Starting with 4.1.0, the Reference Data Import - LDAP (LDAP) app is no longer supported. You can import users with the User Imports wizard.
- Improved the Username display (under Monitored users) on the UBA Overview page and removed tooltips. You can now click a username and open the user details panel that contains the information that was previously in a tooltip. For more information, see User details panel.
- Added the ability to create custom attributes with the User Imports wizard. For more information, see Custom attributes in the User imports wizard.
- Added the ability to delete a user from the user import and not just the user import configuration. For more information, see Deleting a user from the user import configuration.
- Added the ability to remove users that were discovered from events. For more information, see Remove users discovered from events.
- Added the ability to remove an alias and then recoalesce in the . For more information, see Removing an alias when you tune a user import.
- Updated the Help and Support page. For more information, see Updated Help and support page.
- Added the following use cases:
- UBA : Executive only asset accessed by non-executive user from external network. For more information, see UBA : Executive only asset accessed by non-executive user from external network.
- UBA : Executive only asset accessed by non-executive user from internal network. (formerly called UBA : Executive Only Asset Accessed by Non-Executive User). For more information, see UBA : Executive only asset accessed by non-executive user from internal network.
- UBA : Multiple blocked file uploads followed by a successful upload. For more information, see UBA : Multiple blocked file uploads followed by a successful upload.
- UBA : Large number of denied access events towards external domain. For more information, see UBA : Large number of denied access events towards external domain.
- UBA : Remote access hole in corporate firewall. For more information, see UBA : Remote access hole in corporate firewall.
User details panel
You can click a username to open the User details panel that shows you details about the user
including overall risk, display name, top 3 anomalies, watchlists, and aliases. To open the full
User details page, click View user details.
Custom attributes in the User imports wizard
You can create custom attributes when you tune your user imports with the User imports wizard.
For more information, see Tuning user import configurations.
Deleting a user from the user import configuration
When you delete a User import configuration, you now can choose to delete only an import configuration or you can choose to delete the users (and their data) who are associated with the selected user import configuration.
Note: If you selected the Synchronize reference table option when you
configured the import, you will have the option to Delete the configuration, users,
reference table, and map of sets.
Removing an alias when you tune a user import
On the page, you can click Edit to open the Edit: Aliases page in the User coalescing section. You can select the "x" to remove an alias to uncoalescence (separate combined users) that you have previously coalesced. When you remove an alias it then recoalesces. Note that when you delete an alias it takes effect only when the value of that alias is not shared with the deleted imports.
Remove users discovered from events
In the Administrative functions section on the Help and support page, you can remove only users that were discovered from events. You can click to see the users that were discovered from events and that will be removed. After confirming the user removal, the count on the overview page under Users discovered from events should decrease to zero.
Tip: You should enable the Monitor imported users only option on the UBA Settings page before removing event users if you don't want to discover users from events again.
Selecting Remove event users does not remove users that you imported.
Integration with Use Case Manager 3.2.0 and later
When you upgrade to UBA 4.1.0 (and later) and Use Case Manager 3.2.0 and later, you manage rules in Use Case Manager and no longer manage rules in the UBA Rules and Tuning page. For more information, see QRadar Use Case Manager.
Updated Help and support page
The following image shows an example of the updated Help and Support page for 4.1.0.
