IBM Support

Integration between the QRadar User Behavior Analytics (UBA) app and IBM Security Verify Governance



Abstract

The IBM Security QRadar User Behavior Analytics (UBA) app provides an efficient means for detecting anomalous or malicious behaviors that occur on your network. This document provides information about integrating UBA with IBM Security Verify Governance.

Content

Integration overview

The IBM Security Verify Governance integration with the QRadar User Behavior Analytics app enables organizations to suspend user accounts in IGI to neutralize a network threat. An IGI account qualifies whenever the user's email and AccountID match a UserName and email in UBA. Once a match is identified, the IGI user is suspended.

The integration is initiated by Verify Governance. A task that runs in Verify Governance reads the events captured in UBA. The task schedule and the UBA events history timeline are configured in Verify Governance.

This integration supports the following UBA events:
  • UBA : Orphaned or Revoked or Suspended Account Used
  • UBA : Login Anomaly
  • UBA : User Anomalous Geography
  • UBA : High Risk Geography
  • UBA : User Attempt to Use a Suspended Account

Prerequisites

This integration is supported with the following software versions:
  • IBM Security Verify Governance V10.0 and later
  • QRadar User Behavior Analytics App V4.0.1 and later

Configuration steps
    1. Download the QRadar certificate.
    2. Import the QRadar certificate into Verify Governance.
    3. Generate the QRadar authentication token (or use an existing token).
    4. Set up the Verify Governance Job communication to UBA.
    5. Set up the Verify Governance scheduler, and start the UBA integration task.

Download the QRadar certificate

Note: The steps below are executed using a Firefox browser. If you use a different browser, the steps might vary.
  • From the QRadar console login page, click the "lock" icon in the address bar.
  • Click More Information.
  • Click View Certificate.
  • Select the Details tab, and then click PEM cert.
  • Select the type as PEM, and save the certificate file with the .pem extension (for example, QRadar-cert.pem).

Import the QRadar certificate into Verify Governance
  • Log in to the Verify Governance VA console.
  • Navigate to Configure > Certificates > Select IBM Security Verify Governance key store > Edit > Signer > Upload.
  • Upload the certificate by specifying the downloaded QRadar certificate location and label (for example, QRadar-cert.pem).
  • From the Verify Governance VA Home page, restart the IBM Security Verify Governance server.

Generate the QRadar authentication token (or use an existing token)
  • Log in to the QRadar console, and navigate to Admin > User Management > Authorized Services.
 
  • Copy the Authentication Token from any existing Service Name, or create a new Service.
  • To create a new Service, click Add Authorization Service.
  • Specify the Service Name, Admin User Role, and Admin Security Profile. Click Create Service.
  • Use the Authentication Token from an existing service or the newly created service.
 
  • Save the Authentication Token value. It will be needed to configure the Verify Governance Job.


Set up the Verify Governance Job communication to UBA

The IGI-to-UBA integration is performed by the SuspendAccount job that is defined in the Verify Governance Task Planner. To set up the communication to UBA, complete these steps:
  • Log in to the Verify Governance Administration Console.
  • From the Task Planner, navigate to Manage > Jobs.
  • Select the SuspendAccount job.
  • Enter the mandatory job parameters:
    • Data Capture Interval: A value in minutes. The job looks at the QRadar events that occurred within the last number of minutes specified (see the Known Issues section).
    • QRadar Console IO: QRadar console IP address
    • QRadar Authentication Token: The Authentication token
  • Click Save.


Set up the Verify Governance scheduler and start the UBA integration task

Note: Before you perform this step, you must complete "Set up the Verify Governance Job communication to UBA" as described above.
  • Log in to the Verify Governance Administration Console.
  • From the Task Planner, navigate to Manage > Tasks.
  • Select the SuspendAccountJob task.
  • On the right pane, select the Scheduling tab.
  • Set up the task schedule to meet your business need. An ideal setting is to have the task run at the same time interval as the Data Capture Interval that is defined in the SuspendAccount job.
  • Set up the schedule, and click Save.
  • You must start the task after saving the schedule.
  • Select the SuspendAccountJob task.
  • From the Action menu, select Start.

Troubleshooting

You can view the log files from the IBM Security Verify Governance Virtual Appliance Dashboard. See "Retrieving logs" in the Identity Governance and Intelligence Knowledge Center:
https://www.ibm.com/support/knowledgecenter/SSGHJR_10.0.0/com.ibm.igi.doc/installing/tsk/t_retrieving_logs.html

Known Issues
  • The default value of the Data Capture Interval parameter in the SuspendAccount job configuration is 15 (minutes). Changing this value has no effect. The SuspendAccount job continues to use the 15-minute default value.
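
The following is an added example, not IBM code: it models how the task schedule interacts with the fixed 15-minute lookback described in this known issue, and reports which supported UBA events no task run would read. The function names, the sample events and the assumption that a run started at time T reads events in (T - 15 minutes, T] are illustrative.

```python
from datetime import datetime, timedelta

# Known Issues: the job always uses the 15-minute default lookback.
EFFECTIVE_LOOKBACK = timedelta(minutes=15)

# Event names this integration supports (from the list on this page).
SUPPORTED_EVENTS = {
    "UBA : Orphaned or Revoked or Suspended Account Used",
    "UBA : Login Anomaly",
    "UBA : User Anomalous Geography",
    "UBA : High Risk Geography",
    "UBA : User Attempt to Use a Suspended Account",
}

def run_times(first_run, period, count):
    """Start times of `count` task runs spaced `period` apart."""
    return [first_run + i * period for i in range(count)]

def classify(events, runs, lookback=EFFECTIVE_LOOKBACK):
    """Count, per supported event, how many run windows contain it.
    Assumption: a run started at T reads events in (T - lookback, T].
    0 = never read by any run; 2 or more = read by several runs.
    """
    seen = {}
    for name, ts, user in events:
        if name not in SUPPORTED_EVENTS:
            continue  # not read by this integration
        seen[(user, ts)] = sum(1 for t in runs if t - lookback < ts <= t)
    return seen

def missed(events, runs):
    """Users with a supported event that no run window covers."""
    return sorted({u for (u, _), n in classify(events, runs).items() if n == 0})

def hourly_runs(period_minutes, start):
    period = timedelta(minutes=period_minutes)
    return run_times(start + period, period, 60 // period_minutes)

# Constructed sample data (not real QRadar output): three events in one hour.
T0 = datetime(2021, 3, 18, 9, 0)
SAMPLE_EVENTS = [
    ("UBA : Login Anomaly", T0 + timedelta(minutes=5), "alice"),
    ("UBA : High Risk Geography", T0 + timedelta(minutes=20), "bob"),
    ("UBA : User Anomalous Geography", T0 + timedelta(minutes=50), "carol"),
]

if __name__ == "__main__":
    for minutes in (5, 15, 30):
        print(minutes, "min schedule, missed:", missed(SAMPLE_EVENTS, hourly_runs(minutes, T0)))
```

Under that assumption, a 30-minute schedule never reads the 09:05 event, a 15-minute schedule reads every event once, and a 5-minute schedule reads each event three times.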

Limitations
None


Document Information

Modified date: 18 March 2021

UID: ibm16426821