Connecting to User Behavior Analytics

Edit online

IBM® QRadar® User Behavior Analytics is a tool for detecting insider threats in your organization. User Behavior Analytics, used in conjunction with the existing data in your QRadar system, can help you generate new insights around users and user risk.

Important: Your administrator must configure QRadar Proxy for your account and you need a valid authentication token so that you can connect to the QRadar Console. For more information, see Setting up the connection to QRadar from QRadar Proxy.

The User Behavior Analytics dashboard shows you the overall risk data for users in your network and details for the selected user.

You can view the following User Behavior Analytics dashboard widgets (My applications > Dashboard > User Behavior Analytics):

  • Monitored users
  • Recent offenses
  • System score
  • Risk category breakdown
  • Active investigations
Important:
  • Explicit permissions are no longer used for User Behavior Analytics. All users either have access or do not have access. After you upgrade, you should revisit user permissions.
  • The QRadar admin must configure User Behavior Analytics 4.0.0 or later including User Behavior Analytics settings, machine learning, rules, and user import in the QRadar Console. There is no configuration for User Behavior Analytics in the IBM Security QRadar Suite product.
  • Links to the QRadar Console (log activity, assets, offenses) from User Behavior Analytics will launch a new QRadar browser window or tab that opens QRadar. You must log in to QRadar if a session is not already active.
  • IBM Resilient® QRadar Integration app 4.0.0 and QRadar 7.4.3 or later are required for integration with Cases when User Behavior Analytics is displayed in the dashboards. For more information, see IBM SOAR QRadar Plugin.
To view User Behavior Analytics dashboards in QRadar Suite, you must complete the following steps.
  • Ensure that an administrator has setup and configured QRadar and the User Behavior Analytics app 4.0.0 or later. For more information, see User Behavior Analytics for QRadar.
  • Configure the QRadar Proxy app. For more information, see Setting up the connection to QRadar from QRadar Proxy.
  • Install IBM Resilient QRadar Integration app 4.0.0 or later and QRadar 7.4.3 or later to integrate with Cases when User Behavior Analytics is displayed in QRadar Suite. For more information, see IBM Resilient QRadar Integration.
  • In IBM QRadar on Cloud environments, a separate tab or browser will open outside of the QRadar Suite environment.
    Note: Usernames and passwords are not required for the QRadar Proxy in a QRadar on Cloud environment.

For more information about downloading, installing, and using User Behavior Analytics, see User Behavior Analytics for QRadar documentation.