Feature spotlights

Detects insider threats based on user behavioral anomalies

User behavior analysis and fine-grained machine learning algorithms can detect when users deviate from normal activity patterns or behave differently from their peers. QRadar UBA creates a baseline of normal activity and detects significant deviations to expose both malicious insiders and users whose credentials have been compromised by cyber criminals.

Integrate seamlessly with IBM QRadar

QRadar UBA integrates directly into the QRadar Security Intelligence Platform, leveraging the existing QRadar user interface and database. All enterprise-wide security data can remain in one central location, and analysts can tune rules, generate reports and integrate with complementary Identity and Access Management (IAM) solutions – all without having to learn a new system or build a new integration.

Generates detailed risk scores for individual users

Risk scores dynamically change based on user activity, and high-risk users can be added to a watch list. Security analysts can easily drill down to view the actions, offenses, logs and flow data that contributed to a person’s risk score. This helps shorten the investigation and response times associated with insider threats.

Available from the IBM Security App Exchange

QRadar UBA is packaged as a downloadable app that is independent of the platform’s formal release cycles. All current QRadar clients can add this app to QRadar version 7.2.8 or higher to begin seeing a user-centric view of activity within their networks.

IDC Lab Validation Brief: IBM QRadar with UBA

Customer case studies

Preview image of ATEA Sverige AB case study

IBM QRadar SIEM helps to meet heightened EU security regulations

ATEA Sverige AB

How customers use it

  • Gain visibility into insider threats


    Detecting cyberattacks, prioritizing security incidents, and effectively responding to insider threats.


    Uncover anomalous behaviors to more quickly and effectively identify rogue insiders and cyber criminals using compromised credentials.

  • Watson Investigations screenshot

    Extend QRadar platform capabilities


    Monitoring potentially malicious activity for individual users is manual and requires many disconnected tools.


    The UBA dashboard is an integrated part of the QRadar console and helps extend existing capabilities to better identify high-risk users. Investigate any user's anomalous behavior from the individual user details page of the UBA app.

  • Screenshot of dashboard displaying recent offenses

    Monitor user risk across the enterprise


    Determining the overall health of your environment and the risks that user pose in it.


    Apply machine learning to generate users’ risk scores, identify high-risk users and only raise alerts on the riskiest activities to provide early warning of a threat without overwhelming analysts.

Technical details

Software requirements

For the best experience, upgrade your QRadar system to QRadar 7.2.8 Patch 13 (or later) or QRadar 7.3.1 Patch 6 (or later).

  • QRadar version 7.2.8 or higher
  • Mozilla Firefox 45.2 Extended Support Release
  • Google Chrome (Latest)

Hardware requirements

  • The UBA app requires 1.2 GB of free memory from the application pool of memory.
  • The maximum number of monitored users by any ML model is 40,000 per 5 GB up to 160,000 users total.

You may also be interested in


IBM QRadar SIEM consolidates log events and network flow data from thousands of devices, endpoints and applications distributed throughout a network.

IBM QRadar Advisor with Watson

Applies AI to investigate IOCs and provide context into threats.

IBM QRadar Network Insights

Inspects network traffic in real-time to expose hidden threats.

IBM QRadar on Cloud

Provides a SaaS version of QRadar SIEM, hosted in the IBM Cloud.