Configuring application settings
To view information in the IBM® QRadar® User Behavior Analytics (UBA) app, you must configure UBA application settings.
- On the navigation menu ( ), click Admin.
- Click the UBA Settings icon. ( ).
In the Application Settings section, configure the following settings:
Option Description Monitor imported users only
By selecting the Monitor imported users only setting, the UBA app will not monitor new users that are discovered from events. UBA will monitor only users that you imported.
Indicates how high a user's risk score should get before an offense is triggered against that user. A risk score is the summation of all risk events that UBA rules detect.Select one of the following options:
Tip: Consider setting up UBA and leaving the default value. Allow the settings to run for at least a day to see the type of scores that are returned. After a few days, review the results on the dashboard to determine a pattern. You can then adjust the threshold. For example, if you see one or two people with scores in the 500s but most are in the 100s then consider setting the threshold to 200 or 300. So "normal" for your environment might be 100 or so, and any score above that might require your attention.
- Dynamic: The default value is 4.0. The higher the value is, the higher
the dynamic threshold will be, resulting in fewer offenses. Turn off Generate an offense
for high risk users until the settings have run for at least a day. The dynamic
threshold value is updated hourly based on risk score distribution in the system. You can determine
whether you want to enable the setting based on the number of offenses that might be triggered. See
the Tip for more information.
Note: If there is not enough variety in their scores, the risk score is set to +10 of the highest risk user. It stays that way to prevent many offenses from being generated unnecessarily.
- Static: The default value is 100,000. The value is set to a high value by default to avoid triggering offenses before the environment is analyzed. You can turn on Generate an offense for high risk users to open an offense with a username type for users above the risk threshold. You can determine whether you want to enable the setting based on the number of offenses that might be triggered.
Decay risk by this factor per hourRisk decay is the percentage that the risk score is reduced by every hour. The default value is 0.5.Tip: The higher the number, the faster the risk score decays; the lower the number, the slower the risk score decays. A value of zero will disable the feature.
Date range for user detail graphs
The date range that is displayed for the user details graphs on the User Details page. The default value is 1.
Duration of investigation status
The number of hours (1 - 10,000) that is assigned for an investigation to be completed.
User inactivity interval
The User Details page shows a timeline with activity grouped by sessions. If a user is inactive for the amount of time entered in the User inactivity interval field, the session ends. The default value is 15 minutes.
Dormant account threshold
The number of days that users are inactive before they are considered dormant. The default value is 14 days. For more information, see Dormant accounts.
Maximum risk score
Enter a value to set the limit for the maximum risk score on the Rules and Tuning page. Current risk scores are not affected by changes to this setting. Note: Rules that are delivered with the UBA app typically have a risk score in the range of 5 - 25.
Search assets for username, when username is not available for event or flow dataSelect the checkbox to search for user names in the asset table. The UBA app uses assets to lookup a user for an IP address when no user is listed in an event.Important: This feature might cause performance issues in the UBA app and your QRadar system.Important: Enabling the Search assets for username, when username is not available for event or flow data checkbox on the UBA Settings page can cause the User Details page to not load. Review the Rules pages to determine whether the enabled rules require this setting. It should be disabled if it is not needed.Tip: If the query timeout threshold is exceeded, the app does not return any data. If you receive an error message on the UBA Dashboard, clear the checkbox and click Refresh.
Display country/region flags for IP addresses
Clear the checkbox if you do not want to display country and region flags for IP addresses.
- Dynamic: The default value is 4.0. The higher the value is, the higher the dynamic threshold will be, resulting in fewer offenses. Turn off Generate an offense for high risk users until the settings have run for at least a day. The dynamic threshold value is updated hourly based on risk score distribution in the system. You can determine whether you want to enable the setting based on the number of offenses that might be triggered. See the Tip for more information.
What to do next
You can import users from the User import wizard. For more information, see Importing users.