Installing the User Behavior Analytics app

Use the IBM® QRadar® Extension Management tool to upload and install your app archive directly to your QRadar Console.

Before you begin

Complete the Prerequisites for installing the User Behavior Analytics app.

Before you install the app, ensure that IBM QRadar meets the minimum memory (RAM) requirements. The UBA app requires 1 GB of free memory from the application pool of memory. The UBA app will fail to install if the application pool does not have enough free memory.

If UBA fails to install, then your application pool does not have enough free memory to run the IBM QRadar UBA app. Consider adding an app host to your QRadar deployment. Because of the size of UBA with Machine Learning, you should install or upgrade to a medium deployment environment at a minimum.

QRadar uses an App Host, which is a managed host, that is dedicated to running apps. App Hosts provide extra storage, memory, and CPU resources for your apps without impacting the processing capacity of your QRadar Console. For more information, see App Host.

Important:

If you are having performance issues on any of your Event Processors, fix the issues before you install UBA as installing UBA could add additional processing load.

About this task

UBA-specific content packages, which contain rules for triggering offenses, are now installed as separate extensions. Content packages are installed by default. If you choose to create your own custom rules to trigger offenses in UBA, you can change the Install and upgrade content packages setting when you configure UBA Settings.
Attention: After the app is installed, you must:
  • Enable indexes
  • Deploy the full configuration.
  • Clear your browser cache and refresh the browser window.
  • Set up permissions for users that require access to view the User Analytics tab. The following permissions must be assigned to each user role that requires access to the app:
    • User Analytics
    • Offenses
    • Log Activity

Procedure

  1. Choose one of the following methods to download your app:
    • If the IBM QRadar Assistant app is configured on QRadar, use the following instructions to install User Behavior Analytics: QRadar Assistant app (https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.apps.doc/t_qradar_adm_assistant_download.html).
    • If the QRadar Assistant app is not configured, download the User Behavior Analytics app archive from the IBM Security App Exchange (https://apps.xforce.ibmcloud.com/) onto your local computer. You must have an IBM ID to access the App Exchange.
  2. If you downloaded the app from the App Exchange, complete the following steps:
    1. On the QRadar Console, click Admin > Extensions Management.
    2. In the Extension Management window, click Add and select the UBA app archive that you want to upload to the console.
    3. Select the Install immediately checkbox.
      Important: You might have to wait several minutes before your app becomes active.
    4. To preview the contents of an app after it is added and before it is installed, select it from the list of extensions, and click More Details. Expand the folders to view the individual content items in each group.
    If the app installed successfully, you see it listed as 'Installed' on the Extensions Management page of the Admin tab. If the app didn't install correctly, see QRadar apps troubleshooting.
  3. From the Admin settings, click System Configuration > Index Management and then enable the following indexes:
    • High Level Category
    • Low Level Category
    • Username
    • senseValue
  4. From the Admin settings, click Advanced > Deploy Full Configuration.
    Note: Content packages are installed after the UBA installation completes and UBA is configured. For more information, see UBA content pack summary.

What to do next

  • When the installation is complete, clear your browser cache and refresh the browser window before you use the app.
  • Manage permissions for UBA app user roles.