Integrating new or existing QRadar content with the UBA app
To meet your specific needs, you can use the capabilities that are built into QRadar® by integrating your existing QRadar rules with the UBA app.
Before you begin
The following lists the three types of content that work with UBA:
- Content that is created by UBA and installed with a risk score.
- Content that is not created by UBA but has a risk score and works with UBA by default. For more information, see Supported QRadar content.
- All other content in QRadar that can be modified to work with UBA.
UBA uses a QRadar reference table ("UBA: Rule Data") to determine the score to give the events that are sent by the rules that work with UBA. When UBA is installed, the table is initially populated with all content that works with UBA by default. A task runs every hour that pulls any rules that have been modified to include a sense value in the description into the Rule Data table.
Restriction: The sense value in the event description should not be modified. The risk score should be modified in either the UBA Rules and Tuning page or the QRadar Use Case Manager.
Note: When rules are added to the reference table, they cannot be removed. To stop the rules from sending a risk score to UBA, you can either disable the rule or set the risk score to zero. For more information, see Rules and tuning for the UBA app.
About this task
Restriction: Do not customize your rules to use the UBA and Machine Learning reference sets. Attempting to use the reference sets in custom rules can lead to failures within the UBA app.
If the rule works on flow data, you must enable the Search assets for username, when username is not available for event or flow data option so that events with no usernames can attempt a lookup for user mapping.
The risk score maximum limit is configured in the Application Settings section on the UBA Settings page. For more information, Configuring application settings.
Integrating content without QRadar Use Case Manager (or QRadar Use Case Manager 3.1.0 or earlier)
Complete the procedure if any one of the scenarios applies:
About this task
- You are not using any version of QRadar Use Case Manager.
- You are using an older version of QRadar Use Case Manager (3.1.0 or earlier).
- You are on an unsupported version of UBA (more than two versions back from the current released version).
- Create a copy of the existing rule. Making a copy of an existing rule prevents updates to the base rule from affecting the edits that are made to the new rule.
- Open the rule in the Rule Wizard and then go to the Rule Response section.
- Enable or edit the Dispatch New Event option by making sure that the Event Description text is formatted in the following way: senseValue=#
- Click Finish to save the changes.
Integrating content with Use Case Manager 3.2.0 or later
Complete the procedure if both of the following conditions apply:
About this task
- You are using QRadar Use Case Manager 3.2.0 or later.
- You are using a supported version of UBA.
Attention: When you upgrade to UBA 4.1.0 or later and QRadar Use Case Manager 3.2.0 or later, you manage rules in QRadar Use Case Manager, and no longer manage rules in the UBA Rules and Tuning page. For more information, see QRadar Use Case Manager.
- Create a duplicate of the existing rule. Making a duplicate of an existing rule prevents updates to the base rule from affecting the edits that are made to the new rule.
- Select the rule to open the details page and then select User Behavior Analytics risk score.
- Enter the score and wait for it to save.