Process overview

The UBA app works with your QRadar® system to collect data about the users inside your network.

Process overview diagram

How UBA works

  1. Logs send data to QRadar.
  2. UBA specific rules look for certain events (depending on which UBA rules are enabled) and trigger a new sense event that is read by the UBA app.
  3. The UBA rules require the events to carry a username and to pass the rule's other tests (review each rule to see what it looks for).
  4. UBA pulls the senseValue from a reference table and the username from the sense event and then increases that user's risk score by the senseValue amount.
  5. When a user's risk score exceeds the threshold that you set on the UBA Settings page, UBA sends an event that triggers the "UBA : Create Offense" rule, and an offense is created for that user.

Risk score

A risk score is the sum of all risk events that UBA rules detect for a user. The higher the risk score, the more likely an internal user is to be a security risk, and the more that user's network activity warrants further review. The risk score decreases over time if no new events occur. The amount of the reduction is controlled by the Decay risk by this factor per hour value on the UBA Settings page.
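The scoring flow described in the steps above and the hourly decay described in this section, as an added Python example (not code from the UBA app): sense events are read, the senseValue is looked up in a reference table, the user's score is increased, and an offense is raised once the threshold is exceeded. The rule names, senseValues, sample events, and the assumption that the decay factor is a fraction removed from the score each hour are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed reference table mapping sense-event names to senseValues.
# The names and values are made up for this example, not the app's real table.
SENSE_VALUES = {
    "UBA : Example Failed Login Rule": 10,
    "UBA : Example Unusual Access Rule": 25,
}

@dataclass
class UbaScorer:
    threshold: float                  # Risk threshold from the UBA Settings page
    decay_per_hour: float             # Assumed: fraction of the score removed each hour
    scores: dict = field(default_factory=dict)
    offenses: list = field(default_factory=list)

    def ingest(self, event: dict) -> Optional[float]:
        """Apply one sense event. Returns the user's new score, or None when the
        event is dropped because it has no username or no mapped senseValue."""
        user = event.get("username")
        value = SENSE_VALUES.get(event.get("sense_event"))
        if not user or value is None:
            return None               # the rule tests require a username and a known value
        self.scores[user] = self.scores.get(user, 0.0) + value
        if self.scores[user] > self.threshold and user not in self.offenses:
            self.offenses.append(user)  # where "UBA : Create Offense" would fire
        return self.scores[user]

    def decay(self, hours: int = 1) -> None:
        """Reduce every user's risk score for each elapsed hour without new events."""
        for user in self.scores:
            self.scores[user] *= (1.0 - self.decay_per_hour) ** hours

# Constructed sense events, in the shape the app would read them from QRadar.
SAMPLE_EVENTS = [
    {"username": "alice", "sense_event": "UBA : Example Failed Login Rule"},
    {"username": "alice", "sense_event": "UBA : Example Failed Login Rule"},
    {"username": "", "sense_event": "UBA : Example Failed Login Rule"},  # no username: ignored
    {"username": "bob", "sense_event": "UBA : Example Unusual Access Rule"},
    {"username": "alice", "sense_event": "UBA : Example Unusual Access Rule"},
]

def run_example(threshold: float = 40.0, decay: float = 0.5):
    """Score the sample events, then apply one hour of decay."""
    scorer = UbaScorer(threshold, decay)
    for ev in SAMPLE_EVENTS:
        scorer.ingest(ev)
    before = dict(scorer.scores)
    scorer.decay(hours=1)
    return before, dict(scorer.scores), list(scorer.offenses)
```

With the sample events, alice reaches 45 and crosses the threshold of 40, so only alice gets an offense; after one hour at a decay of 0.5 the scores halve.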

How senseValues are used to create user risk scores

Each rule and analytic has a value assigned to it that indicates the severity of the issue found. Each time a user's actions cause a rule to trigger, this value is added to the user's score. The more often the user "violates" a rule, the higher the score becomes.

Rules and sense events

Rules, when triggered, generate sense events that are used to determine the user's risk score.

You can update existing rules in QRadar to produce sense events. For more information, see Integrating new or existing QRadar content with the UBA app.

Machine Learning Analytics and sense events

You can install the Machine Learning Analytics app and enable machine learning analytics to identify anomalous user behavior. The analytics, when triggered, will generate sense events that also raise a user's risk score.