Cybercrime is everywhere — and increasingly, the attacks are coming from within your own organization. In fact, insiders were responsible for 60 percent of all attacks in 2015, up from 55 percent in 2014.¹ Although many people associate insider threats with disgruntled employees or dishonest contractors, unintentional mistakes by privileged users can also wreak havoc.

Meanwhile, the detection of these insider threats — from fraud, theft and data exfiltration, to the use of compromised credentials or access anomalies — is a struggle for organizations worldwide. Many security operations center (SOC) analysts are limited by manual, error-prone processes and disparate point solutions. They lack a comprehensive way to monitor user activity across different systems and devices so that they can intelligently identify risks, quantify them and take corrective action.

The IBM® QRadar® UBA app addresses this problem. It installs quickly and easily within QRadar, providing SOC analysts with a new behavioral analysis dashboard and investigative workflow for mitigating insider threats. The solution helps reduce risks and eliminate threats by aggregating security data and suspect incidents with ongoing user behaviors. With a few clicks, this analysis capability can recall all supporting log events, network flows, threat intelligence input, and associated asset vulnerabilities.

IBM QRadar UBA helps make security teams more productive. A new dashboard quickly pinpoints suspicious insider behaviors and potentially fraudulent activities that might be less prominent within the daily list of offense conditions. IBM QRadar UBA provides at-a-glance views of both the top all-time suspicious users and a rolling list of the highest scoring recent activities. Security teams can add free-form notes and comments to these records explaining known circumstances, add or remove users from a watchlist, or take action by sending details to an incident response solution such as IBM Resilient Incident Response Platform.


Detect insider threats faster, easier and more efficiently using IBM QRadar Security Intelligence Platform with the IBM QRadar User Behavior Analytics (UBA) app.

Leverage a user-centric view to identify at-risk users, create watchlists and calculate user risk scores — all from a dedicated dashboard.

Monitor privileged users and high-priority assets to detect unusual or anomalous behavior that can indicate an insider threat.

Enhance IBM QRadar security data using new behavioral rules and user information pulled from enterprise directories.Enhance IBM QRadar security data using new behavioral rules and user information pulled from enterprise directories.

Download the app from the IBM Security App Exchange and obtain insights within hours

Stay ahead of insider threats

With insider threats on the rise, security teams need to monitor users and quickly investigate suspicious activity — wherever it occurs. IBM QRadar Security Intelligence Platform, the only security solution powered by IBM Sense Analytics Engine™, provides this part of the security puzzle. Sense Analytics can find clear signals within the noise to detect abnormal behavior and correlate it with logs, network flows, application usage and data activity — to help with remediation efforts to minimize any potential damage.

And now, security teams can strengthen their defenses even further with the IBM QRadar UBA app. Developed by IBM and available from the IBM Security App Exchange, this app provides a comprehensive way to monitor all user activity across heterogeneous systems and devices to intelligently identify risks. Deployed with IBM QRadar Security Intelligence Platform, it adds new out-of-the-box rules and user behavior analytics, so SOC analysts can become more productive and quickly detect and prevent insider threats — whether from rogue insiders, cybercriminals using compromised credentials, machine/malware control or employees unintentionally engaged in risky behavior.

New dashboard for user behavior analytics

The IBM QRadar UBA app is designed to help security teams quickly:

  • Discover risky user behaviors (sense events) and fraudulent activity
  • Identify at-risk users, calculate user risk scores and place users on a watchlist
  • Monitor and manage privileged user activities
  • Monitor intellectual property access and usage
  • Understand the risk profile of the environment and the total of all user scores (system score) as a particular time
  • Drill down into potential threats and gain insights for taking corrective action

IBM QRadar UBA deploys quickly and easily within IBM QRadar SIEM v7.2.6 or later — outside official product release cycles. The app helps improve the productivity and effectiveness of SOC analysts by providing them with a new IBM QRadar dashboard tab with views by user, workflows focused on user behavior, and a user model to store context and risk data. Security executives can use the app for a high-level view of risk profiles and trends to help keep the focus on the highest priority threats.

Analyze abnormal behavior

The IBM QRadar UBA app helps analyze threats by correlating alerts from across the environment with new behavioral rules. It supports on-premises, cloud and hybrid deployments. And it can scale to support a wide range of data sources, including security information and event management (SIEM) systems, Lightweight Directory Access Protocol (LDAP) directories and internal company directories, as well as system logs, network flows and social media, among others. Once installed, the easy-to-use analytics engine can be extended with new data sources and analytics models.

Let’s say an organization wants to get a handle on its privileged user activities. IBM QRadar UBA can monitor for anomalous access by privileged users — such as the first time they access a high-value system; access during unusual times or from unusual locations; or access from a canceled, suspended or closed account. The app can prioritize the alert on the dashboard and notify the SOC analyst assigned for remediation.

Security teams can also use new, out-of-the-box behavioral rules to assign point values to user actions defined to be risky, such as when someone visits a malicious website. These points are then combined into a composite risk score. The IBM QRadar dashboard also reveals details such as the top five highest scoring users and a scrolling list of the most recent suspicious activities. By clicking on these elements, SOC analysts can drill down to get more information — such as a time-series graph of all activity — so they can substantiate their observations or add the person to a specific watchlist.

Prioritize users and assets

The IBM QRadar UBA app can prioritize both users and assets with a higher risk profile, so security teams can respond quickly to the most critical issues. Risk scores are assigned based on customized parameters. The app supports behavioral rules based on human-defined policies, such as segregation-of-duties and user access. It can also identify unknown threats by using machine-learning rules and probability models.

For example, organizations need to be able to detect and prevent the use of stolen credentials, particularly the credentials of privileged users. IBM QRadar UBA can monitor for abnormal changes in account usage — such as multiple login failures; access using rarely used privileges; time-space disagreements (logging in from two different locations at the same time, for example); or account usage deviating from peer group behavior (such as making large data transfers during off-business hours, for example). In these cases, the app can prioritize the alert on the dashboard and notify a SOC analyst for remediation.

Respond quickly against threats

The IBM QRadar UBA app empowers security teams to respond quickly against insider threats with detailed insights about users, entities and assets. The app streamlines the volume of high-priority alerts, helping reduce the time (and staff) needed to investigate incidents. From the customizable user interface, SOC analysts can access user-level, event-level and asset-level information. They can drill down into the associated logs for potential threats, and learn in granular detail about the associated risks.

IBM QRadar UBA leverages the data collection resources and power of the QRadar platform. It can provide security teams with insights into user behaviors in as little as a day adding a new view into the existing data specifically for monitoring behavior by user, detecting anomalies and managing insider threats. IBM QRadar can detect incidents in a matter of seconds after they occur—not hours, day or weeks. It also helps security teams forward all the related data to IBM Resilient Incident Response Platform as part of an integrated workflow.

Integrated approach to stop insider threats


IBM QRadar User Behavior

Analytics app


Risk users


At-risk assets


IBM Resilient Incident

Response Platform


IBM QRadar User Behavior Analytics app

• Detects and records notable user behavior event

• Uses correlation rules engine anomaly detection engine and reference data

• New tab and dashboard item to research "users"

• New user model to hold context and risk data about users

• Rink engine calculates user risk score from notable user behavior events

IBM Resilient Incident Response Platform
People > Process > Technology

• External communication       • Custom portal
• SIEM                                           • Email
• Sandbox                                     • Ticketing
• Asset database                        • Intelligence feeds
• Configuration management                           
• Forensics

What's more, QRadar integrates with multiple IBM and many hundreds of third-party solutions to improve visibility and lead to faster remediation. The app adds another layer of protection against insider threats, and improves the speed, efficiency and productivity of SOC analyzing user behavior with QRadar.

Why IBM?

IBM Security solutions help detect, address and prevent security breaches through integrated hardware and software solutions. Powered by deep analytics and trusted IBM Security expertise, the robust IBM portfolio of comprehensive, scalable, industry-leading tools delivers unparalleled security intelligence with reduced complexity and lower maintenance costs.

In fact, IBM QRadar Security Intelligence Platform deploys rapidly regardless of a network’s scale and begins delivering results in mere hours. Its Sense Analytics capabilities and stored intelligence can associate related attacks emanating from the same source or corresponding to the same targeted data. QRadar delivers these actionable insights to meet both current and future needs — from advanced threat detection to insider threat monitoring, fraud detection, risk and vulnerability management, forensics investigations, compliance reporting and incident response.

In addition, IBM QRadar Security Intelligence Platform has an open framework that enables easy integration with solutions posted on the IBM Security App Exchange (which is where the IBM QRadar UBA app is available for download). The IBM Security App Exchange allows partners to share apps, security app extensions and enhancements to IBM Security products. All code is reviewed by IBM against set criteria before it appears on the site. Security teams can download and install the solutions at their own convenience. This way, they can apply new security use cases without adding unnecessary solution complexity.

For more information

To learn more about IBM QRadar, please contact your IBM representative or IBM Business Partner, or visit:

To download the IBM QRadar User Behavior Analytics app from the IBM Security App Exchange, visit:

About IBM Security Solutions

IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force® research and development, provides security intelligence to help organizations hollistically protect their people, infrastructures, data and applications, offering solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. These solutions enable organizations to effectively manage risk and implement integrated security for mobile, cloud, social media and other enterprise business architectures. IBM operates one of the world's broadest security research, development and delivery organizations, monitors 20 billion security events per day in more than 130 countires, and holds more than 3,000 security patents.

Additionally, IBM Global Financing provides numerous payment options to help you acquire the technology you need to grow your business. We provide full lifecycle management of IT products and services, from aqcuisition to disposition.

© Copyright IBM Corporation 2016 
IBM Security Route 100 Somers, NY 10589 
Produced in the United States of America June 2016 

IBM, the IBM logo,, QRadar, Sense Analytics Engine, and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at 
This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. 
The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation. 
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

1. “Reviewing a year of serious data breaches, major attacks and new vulnerabilities,” IBM X-Force Research: 2016 Cyber Security Intelligence Index, April 2016.