Overview

These IBM Security QRadar add-ons enhance the capabilities of your Security Information and Event Management (SIEM) solution by giving you greater insight and a more proactive role in your organization's IT security.

IBM QRadar User Behavior Analytics

IBM QRadar Advisor with Watson

IBM QRadar Incident Forensics

IBM QRadar Data Store

IBM QRadar Data Synchronization App

Frequently asked questions

How is Data Store configured to separate data for storage from data for analysis?

Data Store is configured using a simple collection filter in QRadar. By selecting the data source or the event criteria from the data source, you can easily define which data is sent directly to Data Store. This filter can be changed at any time and immediately pushed into production.

Do the apps I install from the App Exchange use Data Store data?

Some do and some do not. Because Data Store data does not go through analysis or correlation, analytics-driven apps may not be able to fully use data collected using Data Store. All other capabilities, such as reporting, parsing, custom properties and dashboards, should work as expected.

What version of QRadar is necessary to use Data Store?

Customers must be using QRadar 7.3.1 or higher.

What types of appliances support the Data Store capability?

Data Store is a QRadar licensing overlay that uses existing storage and processing capacity on event processors and data nodes to collect, process and store data identified for Data Store. No new appliances are required, but additional data nodes may be purchased to support data storage needs.

What capabilities of QRadar will work with Data Store collected data?

Data Store is primarily used for log management, so its data is excluded from correlation and advanced security analytics capabilities. However, Data Store data can be used by most other capabilities, such as searching, reporting and visualization, as well as with custom applications built using the QRadar App Framework.

Can data collected using Data Store be converted and used later for security use cases?

Data Store data cannot be used for historical correlation. However, the filtering policy that separates Data Store data from SIEM data can easily be changed. As soon as the policy is updated, all future data collected will be included in all analytics and correlation processes within QRadar.

Are there prerequisites to installing User Behavior Analytics (UBA)?

Yes. If running on a QRadar console, the UBA app requires a minimum of 64 GB or up to 128 GB of memory. Additionally, consider the deployment of an app host to access the full benefits of running the UBA app with the machine learning app enabled.

How do I get my organization's data into UBA?

UBA integrates directly into the QRadar Security Analytics solution, leveraging the existing QRadar user interface and database. All enterprise-wide security data can remain in one central location and analysts can tune rules, generate reports and connect data without having to learn a new system.

Does UBA integrate with my other tools?

Since UBA shares the same underlying database as QRadar, any data source that is ingested in QRadar can be surfaced and leveraged for UBA.

What is the UBA architecture?

UBA is packaged as a collection of 3 apps: an LDAP app that ingests and coalesces users' identity information, a UBA app that visualizes data and analytics, and a machine learning app that provides a library of machine learning algorithms used to build behavioral models of users' activities.

What is anomaly detection?

Anomaly detection is a technique used to identify unusual patterns that do not conform to expected behavior and differ significantly from the majority of the data.

What is a risk score?

A risk score is the numeric measure of the potential harmfulness of a user's activity. Each anomalous behavior that is detected by UBA impacts an individual user's risk score.

How long does it take for the machine learning models to train?

Machine learning algorithms ingest the past 4 weeks of data from the shared QRadar database and typically take anywhere from 3 to 24 hours to build the models of normal behavior.

Can UBA be deployed in QRadar on cloud?

The UBA app can be deployed in on-premises QRadar, in QRadar on cloud, or in any IaaS or hybrid deployment.

How much does the UBA app cost?

The UBA app is offered to QRadar clients at no additional cost.

Where can I go for help with UBA?

IBM Support has dedicated resources who can help with high priority issues. The UBA app includes a help and support section for using the LDAP, UBA and machine learning analytics apps.

How does IBM secure user information in UBA?

As with all QRadar applications and modules, the data is encrypted at rest.