User Behavior Analytics (UBA)


Getting Started with QRadar User Behavior Analytics

The total time required to complete this roadmap is 4h 29m.

This roadmap outlines fundamental courses intended for someone who works with IBM QRadar User Behavior Analytics (UBA). These courses describe UBA architecture, review installation, and help you to deploy and use the UBA application.


Review the following courses to learn about UBA concepts and architecture, and become familiar with the user interface.


Study the following courses to become familiar with the UBA installation and how to start using the application.


In the following courses, you learn about various use cases and how a Security Analyst can use UBA for user behavior investigations.

Investigating user behavior with QRadar Security Intelligence

In this lab, you learn how to use the User Behavior Analytics for QRadar (UBA) application to detect anomalous or malicious behavior. The lab comes with UBA already installed and configured. You learn to use the QRadar UBA Dashboard and how the application can help you detect malicious user behavior. The lab also walks you through the investigation process and demonstrates the integration with QRadar Advisor with Watson. The QRadar Advisor with Watson app is also already installed and configured in the lab. To learn more about QRadar Advisor with Watson, visit the dedicated section in the Security Learning Academy, where you can run the lab that is focused on QRadar Advisor with Watson. Finally, the lab walks you through tuning the rules for risky user behavior by configuring the senseValue parameter.

QRadar UBA - multitenant environment setup lab

The IBM Security User Behavior Analytics (UBA) app 3.6.0 supports multi-tenant environments in IBM Security QRadar 7.4.0 Fix Pack 1 and later. 

Multi-tenant environments allow Managed Security Service Providers (MSSPs) and multidivisional organizations to provide security services to multiple client organizations from a single, shared QRadar deployment. You don't need to deploy a unique QRadar instance for each customer. 

With QRadar 7.4.0 Fix Pack 1 or later and UBA 3.6.0, you can create multiple tenants from a single deployment instead of managing multiple deployments. 

This virtual lab walks you through all the concepts that are needed to set up the UBA app in a multi-tenant environment, such as log sources, tenants, domains, security profiles, UBA users, and roles.