User Behavior Analytics (UBA)
Getting Started with QRadar User Behavior Analytics
The total time required to complete this roadmap is 4h 29m.
Overview
Setup
Investigation
Insider threats account for 60 percent of cyber attacks, and they are incredibly difficult to detect. In fact, most cases go unnoticed for months or years. Regardless of whether the insider is a malicious employee or a contractor whose credentials have been compromised, security teams need the ability to quickly and accurately detect, investigate and respond to these potentially damaging attacks.
QRadar User Behavior Analytics (UBA) analyzes user activity to detect malicious insiders and determine if a user’s credentials have been compromised. Security analysts can see risky users, view their anomalous activities, and drill down into the underlying log and flow data that contributed to a user’s risk score. As an integrated component of the QRadar Security Intelligence Platform, UBA leverages out-of-the-box behavioral rules and machine learning (ML) models to add user context to network, log, vulnerability and threat data, so that attacks are detected more quickly and accurately.
In this lab, you learn how to use the User Behavior Analytics for QRadar (UBA) application to detect anomalous or malicious behavior. The lab comes with UBA already installed and configured. You learn to use the QRadar UBA Dashboard and how the application can help you detect malicious user behavior. The lab also walks you through the investigation process and demonstrates the integration with QRadar Advisor with Watson. The QRadar Advisor with Watson app is also already installed and configured in the lab. To learn more about QRadar Advisor with Watson, visit the dedicated section in the Security Learning Academy, where you can run the lab that is focused on QRadar Advisor with Watson. Finally, the lab walks you through tuning the rules for user risky behavior by configuring the senseValue parameter.
Based on real-world best practice experience, Jose Bravo explains several tuning approaches to IBM Security QRadar User Behavior Analytics deployments, covering the following aspects:
- Importing users the right way
- Indexing properly
- What log sources to use
- Utilizing asset information
- Risk threshold and other app settings
- Enabling and tuning rules
This video series explains the installation and configuration of IBM Security QRadar User Behavior Analytics (UBA), as well as the User Import tool and Machine Learning apps. The last video covers the TLS setup between the User Import tool and the LDAP Directory Server.
In this QRadar Open Mic you learn about the User Behavior Analytics (UBA) application. This Open Mic covers the following topics:
- About insider threats and suspicious behavior
- What does UBA do?
- Setting up UBA
- Importing LDAP/AD data
- Installing Machine Learning
- Advanced tuning
- Watchlists
- New Timeline
- Watson Advisor with UBA
The User Behavior Analytics (UBA) app, starting with version 3.6.0, supports multitenant environments in IBM Security QRadar 7.4.0 Fix Pack 1 and later. Multitenant environments allow Managed Security Service Providers (MSSPs) and multidivisional organizations to provide security services to multiple client organizations from a single, shared QRadar deployment. You don't need to deploy a unique QRadar instance for each customer. With QRadar 7.4.0 Fix Pack 1 or later and UBA 3.6.0, you can create multiple tenants from a single deployment instead of managing multiple deployments. The course walks you through all concepts that are needed to set up the UBA app in a multitenant environment, such as log sources, tenants, domains, security profiles, UBA users, and roles.
The General Data Protection Regulation requires organizations to provide transparency about stored user data and to adhere to requests to remove all user data from their IT systems.
This video shows how QRadar UBA version 2.7 and later addresses these GDPR compliance requirements. We examine what user data is collected, and we demonstrate how to remove individual user data from UBA and stop tracking that user.
In this video, you will learn to tune the User Behavior Analytics (UBA) settings to improve the UBA application behavior and performance.
This video explains how to customize UBA rules when integrating an additional log source.
This video series depicts the following specific UBA use cases:
- QRadar Custom Offenses contributing to UBA Risk Score
- UBA discovers the launching of restricted programs
This course provides an overview of the IBM Security QRadar UBA application architecture. You learn about UBA concepts, such as the senseValue variable, risk scores, and the IBM Sense DSM. The video also shows how QRadar rules are connected to UBA, its support of multitenancy, and how to access the UBA docker container and application logs.