IBM Support

UBA: Common Event Filters building block requires an update to filter for trusted log sources

Troubleshooting


Problem

The User Behavior Analytics app building block BB:UBA: Common Event Filters is intended to bypass events from trusted UBA log sources, but it does not do so until it is updated. A user or an administrator can update BB:UBA: Common Event Filters to include 'and NOT when events were detected by one or more of UBA: Trusted Log Source Group'. After the building block is updated, trusted UBA log sources no longer contribute to rules that contain BB:UBA: Common Event Filters.

Resolving The Problem

To resolve this issue, a user or an administrator can manually update the UBA: Common Event Filters building block. Users who want to edit a rule must have the Maintain Custom Rules permission enabled for their QRadar user account.

Procedure

  1. Log in to the QRadar Console.
  2. Click the Log Activity tab.
  3. From the Rules menu, select Rules to open the Rule Wizard.
  4. From the Display list, select Building Blocks.
  5. From the Group list, select User Behavior Analytics.
  6. In the search bar, type Common and click the search icon.
  7. Double-click on BB:UBA: Common Event Filters to edit this building block.
  8. Review the building block. If it states User Behavior Analytics as the final rule test, then a change to the building block is required.
    [Image: example of the incorrect building block, ending with the User Behavior Analytics log source group test]
  9. Click the filter for User Behavior Analytics.
  10. Select User Behavior Analytics and click Remove (-).
  11. From the Log Source Group list, select UBA: Trusted Log Source Group.
  12. Click Add (+).
  13. Click Submit.
  14. Click Finish.

    Results
    The building block is updated to filter out events from the UBA: Trusted Log Source Group. This ensures that rules and risk scores are not adjusted for log sources that are trusted by the User Behavior Analytics app.
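To show what the change in the final rule test does, the following added example (not IBM code) models the building-block test "NOT when the events were detected by one or more of <log source group>" and compares the incorrect and corrected filters. The log source names, group memberships and events are constructed for the example; real group membership comes from the QRadar log source configuration.

```python
from dataclasses import dataclass

# Constructed log source groups (group name -> set of log source names).
LOG_SOURCE_GROUPS = {
    "User Behavior Analytics": {"UBA App Log Source"},
    "UBA: Trusted Log Source Group": {"vuln-scanner-01", "backup-server-01"},
}

# Final rule test of BB:UBA: Common Event Filters before and after the fix.
INCORRECT_GROUP = "User Behavior Analytics"
CORRECTED_GROUP = "UBA: Trusted Log Source Group"


@dataclass
class Event:
    log_source: str
    username: str


def not_detected_by_group(event: Event, group: str) -> bool:
    """Rule test: NOT when the events were detected by one or more of <group>."""
    return event.log_source not in LOG_SOURCE_GROUPS.get(group, set())


def common_event_filters(event: Event, excluded_group: str) -> bool:
    """The building block reduced to its final test: True when the event
    passes the filter and may therefore feed UBA rules and risk scores."""
    return not_detected_by_group(event, excluded_group)


# Constructed sample events: two from trusted (noisy by design) sources,
# one ordinary domain controller event.
SAMPLE_EVENTS = [
    Event("vuln-scanner-01", "svc_scanner"),
    Event("backup-server-01", "svc_backup"),
    Event("dc-01", "alice"),
]


def risk_contributors(excluded_group: str) -> list:
    """Log sources whose events still contribute to rules under a given filter."""
    return [e.log_source for e in SAMPLE_EVENTS
            if common_event_filters(e, excluded_group)]


if __name__ == "__main__":
    print("before fix:", risk_contributors(INCORRECT_GROUP))
    print("after fix: ", risk_contributors(CORRECTED_GROUP))
```

With the incorrect test the trusted scanner and backup sources still pass the filter and inflate risk scores; with the corrected test only the domain controller event contributes.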


Document Information

Modified date:
31 March 2020

UID

ibm10718353