User Guide: Ibm Qradar User Behavior Analytics (Uba) App

IBM QRadar User Behavior Analytics (UBA)
app
Version 3.7.0
User Guide
IBM
Note
Before you use this information and the product that it supports, read the information in “Notices” on
page 281.
Product information
This document applies to IBM® QRadar® Security Intelligence Platform V7.3.2 and subsequent releases unless
superseded by an updated version of this document.
© Copyright International Business Machines Corporation 2016, 2020.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with
IBM Corp.
Contents
Chapter 1. User Behavior Analytics for QRadar....................................................... 1

What's new in the User Behavior Analytics app..........................................................................................2
Known issues............................................................................................................................................... 4
Process overview......................................................................................................................................... 5
Video demonstrations and tutorials............................................................................................................ 6
UBA dashboard and user details................................................................................................................. 6
Managing the UBA dashboard views.........................................................................................................11
Investigating users in QRadar Advisor with Watson.................................................................................12
Prerequisites for installing the User Behavior Analytics app................................................................... 12
Log source types relevant to the UBA app................................................................................................ 13
Chapter 2. Installing and uninstalling...................................................................15

Installing the User Behavior Analytics app............................................................................................... 15
Uninstalling the UBA app...........................................................................................................................16
Chapter 3. Upgrading the User Behavior Analytics app..........................................19
Chapter 4. Configuring the User Behavior Analytics app........................................21

Configuring the Reference Data Import LDAP app................................................................................... 21
Configuring UBA settings........................................................................................................................... 25
Configuring the authorization token in QRadar settings..................................................................... 25
Configuring content package settings................................................................................................. 26
Configuring application settings.......................................................................................................... 27
Configure user import................................................................................................................................ 29
Importing users.................................................................................................................................... 30
Importing users with LDAP or Active Directory...................................................................................32
Importing users from a reference table.............................................................................................. 34
Importing users from a CSV file........................................................................................................... 36
Tuning user import configurations.......................................................................................................37
Chapter 5. Administering..................................................................................... 41
Assigning user capabilities for the QRadar UBA app................................................................................ 41
Creating watchlists.................................................................................................................................... 41
Viewing the allowlist for trusted users......................................................................................................43
Managing network monitoring tools..........................................................................................................43
Managing restricted programs.................................................................................................................. 44
Adding log sources to the trusted log source group................................................................................. 44
New accounts.............................................................................................................................................44
Dormant accounts......................................................................................................................................45
Chapter 6. Tuning................................................................................................ 49
Enabling indexes to improve performance............................................................................................... 49
Integrating new or existing QRadar content with the UBA app............................................................... 50
Integrate dynamic content in V3.5.0 and later................................................................................... 50
Integrate content into UBA V3.4.0 and earlier....................................................................................51
Reference sets........................................................................................................................................... 52
Chapter 7. Multitenancy in UBA............................................................................55

QRadar configurations for setting up multitenancy in UBA......................................................................57
iii
Installing and configuring UBA instances to support multitenancy.........................................................60
Installing and configuring Machine Learning in Multitenancy.................................................................. 61
UBA user roles for multitenancy............................................................................................................... 62
Rules and tuning for multitenancy in UBA................................................................................................ 64
Chapter 8. Rules and tuning for the UBA app........................................................ 67

UBA content pack summary...................................................................................................................... 68
Access and authentication........................................................................................................................ 68
UBA : Bruteforce Authentication Attempts......................................................................................... 68
UBA : Detected Activity from a Locked Machine................................................................................. 70
UBA : Executive Only Asset Accessed by Non-Executive User...........................................................70
UBA : High Risk User Access to Critical Asset..................................................................................... 72
UBA : Multiple VPN Accounts Failed Login From Single IP................................................................. 73
UBA : Multiple VPN Accounts Logged In From Single IP.................................................................... 74
UBA : Repeat Unauthorized Access..................................................................................................... 74
UBA : Terminated User Activity............................................................................................................75
UBA : Unauthorized Access..................................................................................................................76
UBA : Unix/Linux System Accessed With Service or Machine Account.............................................. 77
UBA : User Access - Failed Access to Critical Assets..........................................................................78
UBA : User Access - First Access to Critical Assets............................................................................ 79
UBA : User Access from Multiple Hosts...............................................................................................81
UBA : User Access to Internal Server From Jump Server .................................................................. 82
UBA : User Access Login Anomaly....................................................................................................... 83
UBA : User Accessing Account from Anonymous Source................................................................... 84
UBA : User Time, Access at Unusual Times.........................................................................................85
UBA : VPN Access By Service or Machine Account............................................................................. 87
UBA : VPN Certificate Sharing.............................................................................................................. 87
UBA : Windows Access with Service or Machine Account.................................................................. 88
Accounts and privileges.............................................................................................................................89
UBA : Account or Group or Privileges Added.......................................................................................89
UBA : Account or Group or Privileges Modified................................................................................... 91
UBA : DoS Attack by Account Deletion................................................................................................ 92
UBA : User Account Created and Deleted in a Short Period of Time.................................................. 96
UBA : Dormant Account Used.............................................................................................................. 97
UBA : Dormant Account Use Attempted..............................................................................................98
UBA : Expired Account Used..............................................................................................................100
UBA : First Privilege Escalation..........................................................................................................102
UBA : New Account Use Detected..................................................................................................... 104
UBA : Suspicious Privileged Activity (First Observed Privilege Use)................................................ 105
UBA : Suspicious Privileged Activity (Rarely Used Privilege)............................................................107
UBA : User Attempt to Use Disabled Account...................................................................................109
UBA : User Attempt to Use a Suspended Account............................................................................ 111
Browsing behavior................................................................................................................................... 112
UBA : Browsed to Business/Service Website....................................................................................112
UBA : Browsed to Communications Website.................................................................................... 113
UBA : Browsed to Education Website................................................................................................115
UBA : Browsed to Entertainment Website........................................................................................ 116
UBA : Browsed to Gambling Website................................................................................................ 118
UBA : Browsed to Government Website............................................................................................119
UBA : Browsed to Information Technology Website........................................................................ 121
UBA : Browsed to Job Search Website..............................................................................................122
UBA : Browsed to LifeStyle Website..................................................................................................124
UBA : Browsed to Malicious Website.................................................................................................125
UBA : Browsed to Mixed Content/Potentially Adult Website........................................................... 127
UBA : Browsed to Phishing Website.................................................................................................. 128
UBA : Browsed to Pornography Website........................................................................................... 130
UBA : Browsed to Religious Website................................................................................................. 131
iv
UBA : Browsed to Scam/Questionable/Illegal Website....................................................................133
UBA : Browsed to Social Networking Website.................................................................................. 134
UBA : Browsed to Uncategorized Website........................................................................................ 136
UBA: User Accessing Risky URL.........................................................................................................137
Cloud........................................................................................................................................................ 139
UBA : Anonymous User Accessed a Resource.................................................................................. 139
UBA : AWS Console Accessed by Unauthorized User....................................................................... 139
UBA : External User Failed Mailbox Login..........................................................................................140
UBA : Failed to Set Mailbox Audit Logging Bypass............................................................................140
UBA : Inbox Set to Forward to External Inbox.................................................................................. 141
UBA : Internal User Failed Mailbox Login Followed by Success.......................................................141
UBA : Mailbox Permission Added and Deleted in a Short Period of Time........................................ 142
UBA : Non-Standard User Accessing AWS Resources...................................................................... 142
UBA : Sharing Link Sent to Guest.......................................................................................................143
UBA : Sharing Policy Changed or Shared External (SharePoint/OneDrive)...................................... 143
UBA : User Added to a Group on SharePoint or OneDrive by Site Admin.........................................144
UBA : User Failed to be Added to Role.............................................................................................. 144
Domain controller.................................................................................................................................... 144
UBA : DPAPI Backup Master Key Recovery Attempted.................................................................... 144
UBA : Kerberos Account Enumeration Detected...............................................................................145
UBA : Multiple Kerberos Authentication Failures from Same User.................................................. 145
UBA : Non-Admin Access to Domain Controller............................................................................... 146
UBA : Pass the Hash...........................................................................................................................147
UBA : Possible Directory Services Enumeration............................................................................... 148
UBA : Possible SMB Session Enumeration on a Domain Controller................................................. 148
UBA : Possible TGT Forgery............................................................................................................... 149
UBA : Possible TGT PAC Forgery........................................................................................................149
UBA : Replication Request from a Non-Domain Controller.............................................................. 150
UBA : TGT Ticket Used by Multiple Hosts......................................................................................... 150
Endpoint...................................................................................................................................................151
UBA : Detect Insecure Or Non-Standard Protocol............................................................................ 151
UBA : Detect Persistent SSH session................................................................................................ 152
UBA : Internet Settings Modified....................................................................................................... 154
UBA : Malware Activity - Registry Modified In Bulk.......................................................................... 156
UBA : Netcat Process Detection (Linux)............................................................................................ 157
UBA : Netcat Process Detection (Windows)......................................................................................158
UBA : Process Executed Outside Gold Disk Whitelist (Linux)........................................................... 159
UBA : Process Executed Outside Gold Disk Whitelist (Windows).....................................................161
UBA : Ransomware Behavior Detected............................................................................................. 162
UBA : Restricted Program Usage....................................................................................................... 163
UBA : User Installing Suspicious Application....................................................................................164
UBA : User Running New Process......................................................................................................166
UBA : Volume Shadow Copy Created................................................................................................ 167
Exfiltration................................................................................................................................................168
UBA : Data Exfiltration by Cloud Services......................................................................................... 168
UBA : Data Exfiltration by Print.......................................................................................................... 169
UBA : Data Exfiltration by Removable Media.................................................................................... 169
UBA : Data Loss Possible................................................................................................................... 170
UBA : Initial Access Followed by Suspicious Activity....................................................................... 171
UBA : Large Outbound Transfer by High Risk User........................................................................... 172
UBA : Multiple Blocked File Transfers Followed by a File Transfer..................................................172
UBA : Potentially Compromised Account.......................................................................................... 174
UBA : Suspicious Access Followed by Data Exfiltration....................................................................174
UBA : Suspicious Activity Followed by Exfiltration........................................................................... 175
UBA : User Potentially Phished..........................................................................................................176
Geography................................................................................................................................................177
UBA : Anomalous Account Created From New Location.................................................................. 177
UBA : Anomalous Cloud Account Created From New Location........................................................ 180
v
UBA : User Access from Multiple Locations...................................................................................... 181
UBA : User Access from Prohibited Location.................................................................................... 183
UBA : User Access from Restricted Location.................................................................................... 185
UBA : User Geography Change.......................................................................................................... 186
UBA : User Geography, Access from Unusual Locations.................................................................. 188
Network traffic and attacks..................................................................................................................... 190
UBA : D/DoS Attack Detected............................................................................................................ 190
UBA : Honeytoken Activity................................................................................................................. 191
UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage..................................... 192
QRadar DNS Analyzer.............................................................................................................................. 193
UBA : Potential Access to Blacklist Domain...................................................................................... 193
UBA : Potential Access to DGA Domain.............................................................................................193
UBA : Potential Access to Squatting Domain.................................................................................... 194
UBA : Potential Access to Tunneling Domain....................................................................................195
Threat intelligence...................................................................................................................................195
UBA : Detect IOCs For Locky............................................................................................................. 195
UBA : Detect IOCs for WannaCry....................................................................................................... 196
UBA : Multiple Sessions to Monitored Log Sources (NIS Directive)................................................. 196
UBA : ShellBags Modified By Ransomware....................................................................................... 197
UBA : User Accessing Risky IP, Anonymization.................................................................................197
UBA : User Accessing Risky IP, Botnet.............................................................................................. 198
UBA : User Accessing Risky IP, Dynamic...........................................................................................198
UBA : User Accessing Risky IP, Malware........................................................................................... 199
UBA : User Accessing Risky IP, Spam................................................................................................199
Supported QRadar content......................................................................................................................200
Unsupported UBA rules...........................................................................................................................202
Rules enabled by default in 3.5.0........................................................................................................... 204
Chapter 9. Machine Learning Analytics app........................................................ 207

Known issues for Machine Learning Analytics........................................................................................207
Prerequisites for installing the Machine Learning Analytics app........................................................... 207
Installing the Machine Learning Analytics app....................................................................................... 208
UBA dashboard with Machine Learning.................................................................................................. 209
Enabling user models.............................................................................................................................. 214
Access Activity.................................................................................................................................... 215
Activity Distribution............................................................................................................................ 219
Aggregated Activity.............................................................................................................................222
Authentication Activity....................................................................................................................... 225
Data Downloaded............................................................................................................................... 229
Data Uploaded to Remote Networks.................................................................................................. 232
Defined Peer Group.............................................................................................................................235
Learned Peer Group............................................................................................................................ 238
Outbound Transfer Attempts.............................................................................................................. 241
Risk Posture........................................................................................................................................ 244
Suspicious Activity..............................................................................................................................247
Creating a custom model....................................................................................................................251
Uninstalling the Machine Learning Analytics app................................................................................... 257
Chapter 10. Reference Data Import - LDAP app.................................................. 259

Known issues for the LDAP app.............................................................................................................. 259
Importing user data from a CSV file........................................................................................................260
Creating an authorized service token..................................................................................................... 260
Adding a private root certificate authority ............................................................................................. 261
Adding an LDAP configuration.................................................................................................................261
Selecting attributes................................................................................................................................. 262
Adding LDAP attribute mappings............................................................................................................ 262
Adding a reference data configuration....................................................................................................263
vi
Configuring polling...................................................................................................................................264
Checking that data is added to the reference data collection................................................................265
Creating a rule that responds to LDAP data updates............................................................................. 265
Chapter 11. Troubleshooting and support...........................................................269

Help and support page for UBA...............................................................................................................269
Service requests...................................................................................................................................... 269
Machine Learning app status shows warning on dashboard..................................................................270
Machine Learning app status shows no progress for data ingestion..................................................... 270
ML app status is in an error state............................................................................................................ 270
Extracting UBA and Machine Learning logs............................................................................................ 272
Chapter 12. APIs for UBA...................................................................................275

User import.............................................................................................................................................. 275
Notices..............................................................................................................281
Trademarks..............................................................................................................................................282
Terms and conditions for product documentation................................................................................. 282
IBM Online Privacy Statement................................................................................................................ 283
General Data Protection Regulation........................................................................................................283
vii
viii
Chapter 1. User Behavior Analytics for QRadar
The User Behavior Analytics for QRadar app helps you to determine the risk profiles of users inside your
network and to take action when the app alerts you to threatening behavior.
Attention: You must install IBM QRadar 7.3.2 Fix Pack 1 or later before you install QRadar UBA
3.6.0 or later.
The User Behavior Analytics for QRadar (UBA) app is a tool for detecting insider threats in your
organization. It is built on top of the app framework to use existing data in your QRadar to generate new
insights around users and risk. UBA adds two major functions to QRadar: risk profiling and unified user
identities.
Risk profiling is done by assigning risk to different security use cases. Examples might include simple
rules and checks such as bad websites, or more advanced stateful analytics that use machine learning.
Risk is assigned to each one depending on the severity and reliability of the incident detected. UBA uses
existing event and flow data in your QRadar system to generate these insights and profile risks of users.
UBA uses three types of traffic that enrich UBA and enable more use cases to profile risk. The three types
are as follows:
1. Traffic around access, authentication, and account changes.
2. User behavior on the network, so devices such as: proxies, firewalls, IPS, and VPNs.
3. Endpoint and application logs, such as from Windows or Linux®, and SaaS applications.
Unifying user identities is accomplished by combining disparate accounts for a user in QRadar. By
importing data from an Active Directory, an LDAP server, Reference table, or CSV file, UBA can be taught
what accounts belong to a user identity. This helps combine risk and traffic across the different user
names in UBA.
Machine Learning (ML) is an add-on tool that augments the UBA app. It enables more rich and in-depth
use cases that perform time series profiling and clustering. It is installed from within the UBA app, on the
Machine Learning settings page. ML adds visualizations to the existing UBA app that show learned
behavior (models), current behavior, and alerts. With 3.3.0 and later, the models can use more than four
weeks of historical data in QRadar to make the predictive models and baselines of what is normal for a
user.
For more information about using the ML app, see Chapter 9, “Machine Learning Analytics app,” on page
207.
Importing users and user data

In 3.6.0 and later, you can import users and user data with the User import wizard. The User import
wizard helps you to import users from an LDAP server, an Active Directory server, from reference tables,
and CSV files.
Important: The User import wizard allows you to import users and user data directly from the UBA app.
You can use the wizard or you can continue to import user data with the separate Reference Data Import -
LDAP app. In 3.5.0 or earlier, you must use the Reference Data Import - LDAP app to import users from a
CSV file.
For more information about importing user data with the User import wizard, see “Configure user import”
on page 29.
Multitenancy support
UBA 3.6.0 (and later) and QRadar 7.4.0 Fix Pack 1 (and later) support multitenancy. For more information,
see Chapter 7, “Multitenancy in UBA,” on page 55.
© Copyright IBM Corp. 2016, 2020 1

Browser conformance
UBA is supported on Google Chrome and Mozilla Firefox.
Note: To maximize your experience with UBA, you should do one of the following:
• Disable the pop-up blocker for your browser
• Configure your browser to allow exceptions for pop-ups coming from the QRadar Console IP address
Related concepts
“Rules and tuning for the UBA app” on page 67
The IBM QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain
behavioral anomalies.
“Configuring the User Behavior Analytics app” on page 21
Before you can use the IBM QRadar User Behavior Analytics (UBA) app, you must configure additional
settings.
“Machine Learning Analytics app” on page 207
The Machine Learning Analytics (ML) app extends the capabilities of your QRadar system and the QRadar
User Behavior Analytics (UBA) app by adding use cases for machine learning analytics. With the Machine
Learning Analytics models, you can gain additional insight into user behavior with predictive modeling.
The ML app helps your system to learn the expected behavior of the users in your network.
Related tasks
“Installing the User Behavior Analytics app” on page 15
Use the IBM QRadar Extension Management tool to upload and install your app archive directly to your
QRadar Console.
“Upgrading the User Behavior Analytics app” on page 19
To take advantage of new capabilities, defect fixes, and updated workflows, upgrade to new versions of
UBA. Use the Extensions Management tool in IBM QRadar to upgrade your app, or use the QRadar
Assistant app to upgrade. You must be an administrator to upgrade to new versions of the app.
What's new in the User Behavior Analytics app

Learn about the new features in each User Behavior Analytics (UBA) app release.
What's new in 3.7.0

• Increased peer group model capacity to 10,000 monitored users from previous 1,000 monitored users.
• Improved dashboard graphs for Machine Learning peer group models. For more information, see “UBA
dashboard with Machine Learning” on page 209.
• Added the following IBM QRadar Cloud Apps configuration options: 1000 users, 10,000 users, 20,000
users and 40,000 users.
• Added watchlist groupings and lists for top anomalies to Dashboard tooltips.
• Added use case UBA : User Attempt to Use Disabled Account. For more information, see “UBA : User
Attempt to Use Disabled Account” on page 109.
• Updated use case UBA : User Attempt to Use a Suspended Account to focus on suspended account
events only (disabled account event monitored by new rule). For more information, see “UBA : User
Attempt to Use a Suspended Account” on page 111.
• Updated use case UBA : Expired Account Used to include Kerberos events. For more information, see
“UBA : Expired Account Used” on page 100.
What's new in 3.6.0

Starting with the 3.6.0 version of the UBA app, the Reference Data Import - LDAP (LDAP) app is no longer
included with the UBA app. However, you can still use the LDAP app and download it from the IBM App
Exchange.
2 IBM QRadar User Behavior Analytics (UBA) app: UBA app User Guide
In 3.6.0, all of the rules are disabled by default except for the following 3 rules: UBA : Unauthorized
Access, UBA : Dormant Account Used, and UBA : New Account Use Detected. For the list of rules that
were previously enabled by default in 3.5.0 or earlier, see “Rules enabled by default in 3.5.0” on page
204. If you made modifications to rules in 3.5.0 or earlier (such as enabling or disabling a rule), they are
not changed to the new default value in 3.6.0 after you upgrade.
Attention: Rules that were not modified in 3.5.0 or earlier, will be disabled by default after
upgrading.
• Added support for QRadar (7.4.0FP1 or later) multitenancy. For more information, see Chapter 7,
“Multitenancy in UBA,” on page 55.
• Added the ability to import users from a CSV file with the User import wizard. With 3.6.0 and later, you
no longer have to use the separate LDAP app to import users from a CSV file. For more information, see
“Importing users from a CSV file” on page 36.
• Added the ability to customize UBA Dashboard views (by domain or geography). For more information,
see “Managing the UBA dashboard views” on page 11.
• Added use case UBA : Failed to Set Mailbox Audit Logging Bypass. For more information, see “UBA :
Failed to Set Mailbox Audit Logging Bypass” on page 140.
• Added use case UBA : User Failed to be Added to Role. For more information, see “UBA : User Failed to
be Added to Role” on page 144.
• Added use case UBA : Sharing Policy Changed or Shared External (SharePoint/OneDrive). For more
information, see “UBA : Sharing Policy Changed or Shared External (SharePoint/OneDrive)” on page
143.
What's new in 3.5.0

Note: When you upgrade to 3.5.0, a one-time task runs that disables all unsupported UBA rules (use
cases) found on the system. If any of the rules are enabled at a later time, they will not be disabled again
by the application. For the complete list of rules that are no longer supported, see “Unsupported UBA
rules” on page 202.
• Added the ability to set and reset risk scores from the UBA Rules and Tuning page. For more
information, see Chapter 8, “Rules and tuning for the UBA app,” on page 67.
• Added the ability to manage any QRadar rules that dispatch Sense events from the UBA Rules and
Tuning page.
• Rule editing privileges are required to enable and disable rules from the UBA Rules and Tuning page.
• Added the ability to configure whether to monitor only imported users and ignore users that are
discovered in events. For more information, see “Configuring application settings” on page 27.
• Fixed an issue where users were being added to UBA for any action, whether a potential threat or not,
by a rule that monitored every event for a user that was never seen before. These users were added to
the "UBA : User Accounts, Successful, Observed" reference set and had to remain so they would not be
counted as new again. When you upgrade to V3.5.0, the rules that were populating the "UBA : User
Accounts, Successful, Observed" reference set are disabled. On a new installation of 3.5.0, these rules
and reference sets have been removed.
• Removed ADE and flow rules status from the UBA Dashboard.
• Added use case UBA : User Added to a Group on SharePoint or OneDrive by Site Admin. For more
information, see “UBA : User Added to a Group on SharePoint or OneDrive by Site Admin” on page 144.
• Added use case UBA : Sharing Link Sent to Guest. For more information, see “UBA : Sharing Link Sent to
Guest” on page 143.
• Added use case UBA : User Potentially Phished. For more information, see “UBA : User Potentially
Phished” on page 176.
• Added use case UBA : Initial Access Followed by Suspicious Activity. For more information, see “UBA :
Initial Access Followed by Suspicious Activity” on page 171.
Chapter 1. User Behavior Analytics for QRadar 3

• Added use case UBA : Suspicious Activity Followed by Exfiltration. For more information, see “UBA :
Suspicious Activity Followed by Exfiltration” on page 175.
• Added use case UBA : Potentially Compromised Account. For more information, see “UBA : Potentially
Compromised Account” on page 174.
• Added use case UBA : Detected Activity from a Locked Machine. For more information, see “UBA :
Detected Activity from a Locked Machine” on page 70.
• Added use case UBA : Multiple Sessions to Monitored Log Sources (NIS Directive). For more
information, see “UBA : Multiple Sessions to Monitored Log Sources (NIS Directive)” on page 196.
What's new in 3.4.0

Attention: Memory requirements have increased from 1 GB to 1.2 GB.
Important: UBA 3.4.0 introduces the User Import wizard. The User Import wizard allows you to import
users and user data directly from the UBA app. You can use the new wizard or you can continue to import
user data with the Reference Data Import - LDAP app. To import users from a CSV file, you must use the
Reference Data Import - LDAP app.
• Added the User Import wizard so that you can configure LDAP and Active Directory data retrieval and
import LDAP/AD data directly into the UBA app. For more information, see “Importing users” on page
30.
• Added the ability to configure LDAP/AD imports using APIs. For more information, see “User import” on
page 275.
• Added the ability to view domain, manager, and peer information for user profiles on the User Details
page. For more information, see “UBA dashboard and user details” on page 6.
• Added use case UBA : Anonymous User Accessed a Resource. For more information, see “UBA :
Anonymous User Accessed a Resource” on page 139.
• Added use case UBA : Browsed to Social Networking Website “UBA : Browsed to Social Networking
Website” on page 134.
• Added use case UBA : External User Failed Mailbox Login. For more information, see “UBA : External
User Failed Mailbox Login” on page 140.
• Added use case UBA : Inbox Set to Forward to External Inbox. For more information, see “UBA : Inbox
Set to Forward to External Inbox” on page 141.
• Added use case UBA : Internal User Failed Mailbox Login Followed by Success. For more information,
see “UBA : Internal User Failed Mailbox Login Followed by Success” on page 141.
• Added use case UBA : Mailbox Permission Added and Deleted in a Short Period of Time. For more
information, see “UBA : Mailbox Permission Added and Deleted in a Short Period of Time” on page 142.
• Added use case UBA : Terminated User Activity. For more information, see “UBA : Terminated User
Activity” on page 75.
Known issues
The User Behavior Analytics app has required information for upgrading and known issues.
Known issues for 3.7.0

The User Behavior Analytics app has the following known issues:
• Enabling Search assets for username, when username is not available for event or flow data on the
UBA Settings page can cause the User Details page to not load. Review the Rules pages to determine if
the enabled rules require this setting. It should be disabled if it is not needed.
• In previous releases, new users were designated to UBA in a way that used the "UBA : User Accounts,
Successful, Observed" reference set. This reference set is no longer used. If you are experiencing
performance issues because of the reference set after upgrading to V3.5.0 or later, you should consider
deleting the data from the reference set. Also, if you previously edited the "UBA : New Account Use
Detected" rule, you should consider reverting it back to the default setting to get the newer version.
• If you updated and saved a value for the Advanced Search Filter field on the ML Configuration page,
when the page loads the value displays as 0 and the ML Configuration page does not save. To save the
ML Configuration page, you can clear the field or enter the previously saved value. To see the previously
saved value, you can change the uri path of the ML Configuration path from /console/plugins/<app
id>/app_proxy/ml/config_page to console/plugins/<app id>/app_proxy/ml/
analytics. The values is at the key dataset importer > parameters > userfilter.
• If you are upgrading the UBA app and you receive a QRadar Notification exception error stating that a
rule set has failed to load, you can ignore it and continue. If the error persists, contact IBM Customer
Support.
• After you upgrade UBA, the Machine Learning Activity Distribution graph on the User Details page can
take up to one day to display.
Process overview
The User Behavior Analytics app works with your QRadar system to collect data about the users inside
your network.
How UBA works
1. Logs send data to QRadar.

2. UBA specific rules look for certain events (depending on which UBA rules are enabled) and trigger a
new sense event that is read by the UBA app.
3. The UBA rules require the events to have a username and other tests (review the rules to see what
they are looking for).
4. UBA pulls the senseValue and username from the sense event and then increases that user's risk score
by the senseValue amount.
5. When a user's risk score exceeds the threshold that you set in the UBA Settings page, UBA sends an
event which triggers the "UBA : Create Offense" rule and an offense is created for that user.

Risk score
A risk score is the summation of all risk events that are detected by UBA rules. The higher the risk score,
the more likely an internal user is to be a security risk and warrants further review of the user's network
activity. The risk score reduces over time if no new events occur. The amount of the reduction is
controlled from the value in Decay risk by this factor per hour on the UBA Settings page.
How senseValues are used to create user risk scores

Each rule and analytic has a value assigned to it that indicates the severity of the issue found. Each time a
user's actions causes a rule to trigger, the user gets this value added to the score. The more the user
"violates" a rule, the higher the score will be.
Rules and sense events

Rules, when triggered, generate sense events that are used to determine the user's risk score.
You can update existing rules in QRadar to produce sense events. For more information, see “Integrating
new or existing QRadar content with the UBA app” on page 50.
Machine Learning Analytics and sense events

You can install the Machine Learning Analytics app and enable machine learning analytics to identify
anomalous user behavior. The analytics, when triggered, will generate sense events that also raise a
user's risk score.
Video demonstrations and tutorials

Learn more about the IBM QRadar User Behavior Analytics (UBA) app, the Reference Data Import - LDAP
app, and the Machine Learning Analytics (ML) app.
IBM Security Learning Academy

Enroll in the User Behavior Analytics (UBA) courses on the IBM Security Learning Academy website.
Tip: You must have an IBM ID account to enroll and watch the videos.
Video tutorials on YouTube

Demonstration of the User Behavior Analytics app with Machine Learning V2.0.0: https://
www.youtube.com/watch?v=RgF1RztR1yg.
Demonstration for configuring the Reference Data Import - LDAP app: https://www.youtube.com/watch?
v=ER-wYxS6wFk.
General overview of the User Behavior Analytics app:
• https://www.youtube.com/watch?v=bf_DODl8Ehs
• https://www.youtube.com/watch?v=ARVsuQaSF9E
UBA dashboard and user details

The IBM QRadar User Behavior Analytics (UBA) app shows you the overall risk data for users in your
network.
Dashboard
After you install and configure the UBA app, click the User Analytics tab to open the Dashboard.
Note: The supported number of users that the UBA app can monitor is 400,000 users.
In the Viewing: All users field (3.6.0 and later), you can create and select views to customize your
Dashboard view. For more information, see “Managing the UBA dashboard views” on page 11.
In the Search for User field, you can search for users by name, email address, user name. As you enter a
name, the app shows you the top five results.
The Dashboard is automatically refreshed every minute and shows you the following risk data:
Monitored Users Displays the total number of users that the UBA app is actively monitoring.
High Risk Users Displays the number of users who are currently exceeding the risk score. The
value for determining the risk score is set in the "Risk threshold to trigger
offenses" in UBA Settings.
Users Discovered from Displays the number of users that are discovered from events, excluding
Events imported users.
Users Imported from Displays the number of users that were imported from reference tables.
Directory
Active Analytics • Rules: Indicates the status of the rules content and how many rules are
active. A green status indicates that the rules are installed and active. Gray
indicates that the rules are disabled. Yellow indicates that the installation
is in progress. Click to open the Rules and Tuning page. Note: In a
multitenant environment, only an Admin user can see the rules installation
status for either admin or tenant UBA. Tenant admin and tenant user
always see a green status of rules on the dashboard.
• Machine Learning: Indicates the status of Machine Learning and how many
models are active. A green status indicates that the Machine Learning
Analytics app is installed. Gray indicates that the Machine Learning
Analytics app is not installed. Click to install or configure Machine Learning.
Note: In a multitenant environment, the status is always Green.
Monitored Users Displays the top 10 riskiest users. The first column lists the display name and
the job title and city if available.
• Recent risk: Shows the accumulated risk for the respective user for the last
5 minutes.
• Risk score: Shows a graph that illustrates the user's overall risk score trend
for the last hour and the current risk score. The color of the graph indicates
the overall riskiness.
• Watchlist icon: Add the user to a watchlist or create a watchlist. The
number indicates how many watchlists the user is a member of.
• You can view all the tracked users on the Search page.
Recent Offenses Displays last five most recent offenses that are sorted by the time the
offense was last updated.
[User] Watchlist Watchlists that you created. You can create as many watchlists as you want
and they display on the Dashboard. You can view all the tracked users in the
custom watchlist that you created on the Search page.
Tip: To add a user to a watchlist, click the Watchlist icon.

The number indicates how many watchlists the user is a member of.
System Score Overall accumulated risk score for all users at a specified point in time. Click
the Calendar icon to specify a date range for longer than one day. The
maximum duration that you can select is 30 days any time during the last
year. Note: If you are viewing a custom dashboard view, the System Score
graph is not shown.

Risk Category High-level risk categories over the last hour. Click the graph to see
Breakdown subcategories and then click to see a display of events. Note: If you are
viewing a custom dashboard view, the Risk Category Breakdown graph is not
shown.
Users with Dormant Watchlist of users that are flagged as having dormant accounts. The Users
Accounts with Dormant Accounts is automatically generated. Available in V3.2.0 and
later.
Active Investigations Users that are currently under investigation. Select the My investigations
checkbox to show only those investigations that you started.
Status of Machine Status of the Machine Learning Analytics is visible if the Machine Learning
Learning Models app is installed. For more information, see “UBA dashboard with Machine
Learning” on page 209.
User details page

You can click a user name from anywhere in the app to see details for the selected user.
You can learn more about the user's activities with the event viewer pane. The event viewer pane shows
information about a selected activity or point in time. Clicking an event in the event viewer pane reveals
more details such as syslog events and payload information. The event viewer pane is available for all
donut and line graphs and activities in the Risky Activity Timeline on the User details page.
The User Details page includes the following user information:
• Shows the name and aliases of the selected user and any additional details from attributes (including
domain, manager, and peer information) that are imported from LDAP.
• Shows the status (dormant, active, never used) of all the accounts that are found to be associated with
the user.
• If you have QRadar Advisor with Watson V1.13.0 or later installed, you can search for information that is
related to the user. You must have QRadar administrator privileges. Click the Search Watson icon.
• To initiate an investigation on the user, click the Start Investigation icon. When your investigation
is complete, click the End Investigation icon.
• To add the user to a watchlist or create a watchlist, click the Watchlist icon.
The Advanced Actions list includes the following actions:
Add Custom Alert You can set a custom alert that is displayed by the user name. Click Add
Custom Alert, enter an alert message, and then click Set. To remove the
custom alert for the selected user, click Remove Custom Alert.
Add to Whitelist You must have QRadar administrator privileges. You can add the selected
user to the allowlist so that the user does not generate risk scores and
offenses. To remove the selected user from the list, click Whitelisted. To
review the complete list of users who were added to the whitelist, see
“Viewing the allowlist for trusted users” on page 43.
Generate GDPR You can generate a General Data Protection Regulation (GDPR) compliance
compliant report for report for the user.
user
Important: Generate the report before you click Delete and stop tracking
user.
Delete and stop You must have QRadar administrator privileges. You can click Delete and
tracking user stop tracking user to comply with General Data Protection Regulation
(GDPR). Select Yes to permanently delete and stop tracking the user. To
begin tracking the user again, delete the user's aliases from the UBA : Users
Not Tracked reference set. To view all the user's aliases, download the GDPR
report before you delete the user.
For more information about the UBA : Users Not Tracked reference set, see
“Reference sets” on page 52.
Always track with You must have QRadar administrator privileges. You can click Always track
Machine Learning with Machine Learning to add the user to the UBA: ML Always Tracked
Watchlist reference set. Adding the user to the reference set provides the
highest likelihood that the user is included in a machine learning model. For
more information about reference sets in UBA, see “Reference sets” on page
52. To remove the selected user from the reference set, click Tracked with
Machine Learning.
Note: Available in V2.8.0 or later and only if Machine Learning is installed and
you have QRadar Admin privileges.
You can view the following information about the selected user:
Overall Risk Score The overall risk score shows the risk trends for the user.
Timeline The timeline graph shows Risky Events and User Events. Risky events are risk
events that contribute to risk score. User events are non-risk events. The Y-
axis is event count and X-axis is time. You can click any activity in the
timeline to open the event viewer pane that lists supporting log events that
are associated with the user's activity. Click an event to view more details
such as syslog events and payload information.
• In V3.0.0 and later, timeline activity is grouped by sessions and days.
Sessions are defined in the Application Settings section of the UBA
Settings page. The colors represent the overall riskiness of a session. Click
the Calendar icon to specify the date range (1 - 14 days).
• In 3.1.0 and later, you can customize the metric settings that display for
the timeline by clicking the Metric Settings icon. You can add and remove
the categories that you want to see. The data shown in the Example
metrics section of the Metric Settings screen does not represent real
values.
Note: “Risky Events” and “Use cases” will show the same data where
“Risky Events” is the total number of events for the given use cases. “URL
Categories” and “URLs” will show the same data where “URLs” is the total
number of events for the given “URL Categories”. “Event IDs” and “Events”

will show the same data where “Events” is the total number of events for
the given Event IDs.
Recent Offenses Shows any user type offense, where the user name matched any of the
selected user's aliases. The last five offenses are displayed. Click an offense
to open the Offenses tab in QRadar.
Risk Category Shows the risk categories of the selected user during the last hour.
Breakdown
Add Notes
Click the Add icon to add notes for the selected user. The notes are
automatically deleted after the 30-day retention period.
Tip: To save the note indefinitely, mark the note as important by clicking the
Flag icon.
The following graphs are displayed on the User Details page if the Machine Learning app is installed and
the specified model is enabled. For more information, see “UBA dashboard with Machine Learning” on
page 209.
• Access Activity
• Activity Distribution
• Aggregated Activity
• Authentication Activity
• Data Downloaded
• Data Uploaded to Remote Networks
• Defined Peer Group
• Learned Peer Group
• Outbound Transfer Attempts
• Risk Posture
• Suspicious Activity
• Custom Models (User-defined custom models)
To return to the main Dashboard, click Dashboard.
Related concepts
“UBA dashboard with Machine Learning” on page 209
The IBM QRadar User Behavior Analytics (UBA) app with Machine Learning Analytics includes the
Machine Learning model status and additional details for the selected user.
“Dormant accounts” on page 45
You can see users in your system that have dormant accounts, active accounts, or accounts that have
never been used.
Related tasks
“Creating watchlists” on page 41
You can add a user to a new watchlist or an existing watchlist.
“Viewing the allowlist for trusted users” on page 43
You can view the list of trusted users in the reference set management list.
“Adding log sources to the trusted log source group” on page 44
If you do not want the UBA app to monitor and report certain log sources, you can add them to the UBA :
Trusted Log Source Group. Adding log sources to the group stops the UBA app from monitoring them.
“Installing the Machine Learning Analytics app” on page 208
As a QRadar Admin, you can install the Machine Learning Analytics (ML) app after you have installed the
UBA app from the Extension Manager.
“Investigating users in QRadar Advisor with Watson” on page 12
You can select users from the User Behavior Analytics (UBA) app to send to QRadar Advisor with Watson
for investigation.
Managing the UBA dashboard views

With 3.6.0, you can customize UBA dashboard views and filter on attributes that include domain, city,
country, or state from a user Import.
Before you begin

You must install, configure, and import users into the UBA app that contain location or domain data.
About this task

You must have Admin permissions to manage the dashboard views. The dashboard views are not
available if there are no imported users that contain location or domain data.
Procedure
1. Select the User Analytics tab.
2. On the Dashboard, from the filter box, click Viewing: All users
3. Click Manage dashboard views.
4. On the Manage dashboard views screen, create or edit views to filter the users that are displayed on
the Dashboard.
5. For each view you want to create, enter the following information:
• View name: Enter a descriptive name for each view. For example, "US employees".
• Attribute: Select from domain, state, country, or city.
• Value: Select one or multiple values based on the attribute selection.
6. Click Save.
7. To create another view, click Create new view. Note that you can create up to 30 views.
The views that you create are available from the Dashboard filter box in step 2.

Investigating users in QRadar Advisor with Watson
You can select users from the User Behavior Analytics (UBA) app to send to QRadar Advisor with Watson
for investigation.
Before you begin

• You must have User Behavior Analytics (UBA) app 2.7.0 or later installed and configured with user data.
• You must have Admin privileges.
• You must have QRadar Advisor with Watson 1.13.0 or later installed.
Note: In a multitenant environment, you must install QRadar Advisor with Watson 2.5.2 and later.
For more information, see https://developer.ibm.com/qradar/advisor.
Procedure
1. Click the User Analytics tab to open the UBA Dashboard.
2. Select a user or search for a user to open the User Details page.
3. Click the Search Watson icon.
When the icon stops spinning, you can review your results in the QRadar Advisor with Watson app.
4. From the Watson tab, on the Incident Overview page, select the user investigation. User
investigations are indicated with the Investigation initiated from UBA icon.
Prerequisites for installing the User Behavior Analytics app

Before you install the User Behavior Analytics (UBA) app, ensure that you meet the requirements.
• Verify that you have IBM Security QRadar 7.3.2 or later installed.
• Add the IBM Sense DSM for the User Behavior Analytics (UBA) app.
Installing the IBM Sense DSM manually

The User Behavior Analytics (UBA) app uses the IBM Sense DSM to add user risk scores and offenses into
QRadar. You can install the DSM through auto-updates or you can upload to QRadar and install it
manually.
Note: If your system is disconnected from the internet, you might need to install the DSM RPM manually.
Restriction: Uninstalling a Device Support Module (DSM) is not supported in QRadar.
1. Download the DSM RPM file from the IBM support website:
• For QRadar 7.3.2 and later: DSM-IBMSense-7.3-20190423195729.noarch.rpm
2. Copy the RPM file to your QRadar Console.
3. Use SSH to log in to the QRadar host as the root user.
4. Go to the directory that includes the downloaded file.
5. Type the following command:
rpm -Uvh <rpm_filename>
6. From the Admin settings, click Deploy Changes.
7. From the Admin settings, select Advanced > Restart Web Services.
Log source types relevant to the UBA app
The User Behavior Analytics (UBA) app and the ML app can accept and analyze events from certain log
sources.
In general, the UBA app and the ML app require log sources that supply a username. For UBA, if there is
no username, enable the Search assets for username, when username is not available for event or
flow data checkbox in UBA Settings so that UBA can attempt to look up the user from the asset table. If
no user can be determined, UBA does not process the event.
For more details about specific use cases and the corresponding log source types, see Chapter 8, “Rules
and tuning for the UBA app,” on page 67.
Related tasks
“Configuring UBA settings” on page 25
To view information in the IBM QRadar User Behavior Analytics (UBA) app, you must configure UBA
application settings.

Chapter 2. Installing and uninstalling
Installing the User Behavior Analytics app

QRadar Console.
Before you begin

Complete the “Prerequisites for installing the User Behavior Analytics app” on page 12.
Before you install the app, ensure that IBM QRadar meets the minimum memory (RAM) requirements.
The UBA app requires 1 GB of free memory from the application pool of memory. The UBA app will fail to
install if the application pool does not have enough free memory.
If UBA fails to install, then your application pool does not have enough free memory to run the IBM
QRadar UBA app. Consider adding an app node or an app host to your QRadar deployment.
QRadar V7.3.2 and later uses an App Host, which is a managed host, that is dedicated to running apps.
App Hosts provide extra storage, memory, and CPU resources for your apps without impacting the
processing capacity of your QRadar Console. For more information, see App Host.
Important:
If you are having performance issues on any of your Event Processors, fix the issues before you install
UBA as installing UBA could add additional processing load.
About this task

UBA-specific content packages, which contain rules for triggering offenses, are now installed as separate
extensions. Content packages are installed by default. If you choose to create your own custom rules to
trigger offenses in UBA, you can change the Install and upgrade content packages setting when you
configure UBA Settings.
Attention: After the app is installed, you must:
• Enable indexes
• Deploy the full configuration.
• Clear your browser cache and refresh the browser window.
• Set up permissions for users that require access to view the User Analytics tab. The following
permissions must be assigned to each user role that requires access to the app:
– User Analytics
– Offenses
– Log Activity
Procedure
1. Choose one of the following methods to download your app:
• If the IBM QRadar Assistant app is configured on QRadar, use the following instructions to install
User Behavior Analytics: QRadar Assistant app (https://www.ibm.com/support/knowledgecenter/
SS42VS_latest/com.ibm.apps.doc/c_qradar_adm_assist_app.html).
• If the QRadar Assistant app is not configured, download the User Behavior Analytics app archive
from the IBM Security App Exchange (https://apps.xforce.ibmcloud.com/) onto your local
computer. You must have an IBM ID to access the App Exchange.
2. If you downloaded the app from the App Exchange, complete the following steps:

a) On the QRadar Console, click Admin > Extensions Management.
b) In the Extension Management window, click Add and select the UBA app archive that you want to
upload to the console.
c) Select the Install immediately checkbox.
Important: You might have to wait several minutes before your app becomes active.
d) To preview the contents of an app after it is added and before it is installed, select it from the list of
extensions, and click More Details. Expand the folders to view the individual content items in each
group.
3. From the Admin settings, click System Configuration > Index Management and then enable the
following indexes:
• High Level Category
• Low Level Category
• Username
• senseValue
4. From the Admin settings, click Advanced > Deploy Full Configuration.
Note: Content packages are installed after the UBA installation completes and UBA is configured. For
more information, see “UBA content pack summary” on page 68.
What to do next
• When the installation is complete, clear your browser cache and refresh the browser window before you
use the app.
• Manage permissions for UBA app user roles.
Related tasks
“Enabling indexes to improve performance” on page 49
To improve the performance of your IBM QRadar User Behavior Analytics (UBA) app, enable indexes in
IBM QRadar.
“Assigning user capabilities for the QRadar UBA app” on page 41
Administrators use the User Role Management feature in IBM QRadar to configure and manage user
accounts. As an administrator, you must enable the User Analytics, Offenses, and Log Activity
permissions for each user role that is permitted to use the QRadar UBA app.
Uninstalling the UBA app

Use the IBM QRadar Extension Management tool to uninstall your application from your QRadar Console.
Before you begin

If you have the Machine Learning Analytics (ML) app installed, you must uninstall the ML app from the
Machine Learning Settings page before uninstalling the UBA app from the Extension Management
window.
If you do not remove the ML app before you uninstall UBA, you must remove it using the interactive API
documentation interface.
Procedure
1. On the QRadar Console, click Admin > Extensions Management.
2. On the INSTALLED tab of the Extension Management window, select User Behavior Analytics app
and click Uninstall.
When you uninstall an app, it is removed from the system.
3. The following content packages are installed when you configure the UBA app. You must uninstall
each content package to completely remove the app.
• User Behavior Analytics Access and Authentication Content
• User Behavior Analytics Accounts and Privileges Content
• User Behavior Analytics Browsing Behavior Content
• User Behavior Analytics Cloud Content
• User Behavior Analytics DNS Analyzer Content
• User Behavior Analytics Domain Controller Content
• User Behavior Analytics Endpoint Content
• User Behavior Analytics Exfiltration Content
• User Behavior Analytics Geography Content
• User Behavior Analytics Network Traffic and Attacks Content
• User Behavior Analytics Threat Intelligence Content
Chapter 2. Installing and uninstalling 17

Chapter 3. Upgrading the User Behavior Analytics
app
To take advantage of new capabilities, defect fixes, and updated workflows, upgrade to new versions of
UBA. Use the Extensions Management tool in IBM QRadar to upgrade your app, or use the QRadar
Assistant app to upgrade. You must be an administrator to upgrade to new versions of the app.
Before you begin

Important: Before you upgrade the app, ensure that IBM QRadar meets the minimum memory (RAM)
requirements. The UBA app requires 1 GB of free memory from the application pool of memory. The UBA
app will fail to upgrade if the application pool does not have enough free memory.
If you modified a rule (for example, enabled or disabled a rule) in 3.5.0 or an earlier version, and then
upgrade to 3.6.0, the rule maintains the previous state and will not take the new default state. For the list
of rules that were previously enabled by default in 3.5.0, see “Rules enabled by default in 3.5.0” on page
204.
Procedure
1. Choose one of the following methods to download your app:
User Behavior Analytics: QRadar Assistant app.
• If the QRadar Assistant app is not configured, download the User Behavior Analytics app archive
from the IBM Security App Exchange (https://apps.xforce.ibmcloud.com/) onto your local
computer. You must have an IBM ID to access the App Exchange.
2. If you downloaded the app from the App Exchange, complete the following steps:
a) On the QRadar Console, click Admin > Extensions Management.
b) In the Extension Management window, click Add and select the app archive that you want to
upload to the console.
c) Select the Install immediately checkbox.
Important: You might have to wait several minutes before your app becomes active.
d) To preview the contents of an app after it is added and before it is installed, select it from the list of
extensions, and click More Details. Expand the folders to view the individual content items in each
group.
3. Upgrade the UBA app.
the UBA app: QRadar Assistant app.
• If the QRadar Assistant app is not configured, download the UBA app archive from the IBM Security
App Exchange onto your local computer. You must have an IBM ID to access the App Exchange.
4. In the window that prompts you to update the current app version, leave the Replace existing items
option selected and click Install. All of your existing app data remains intact.
Important: You might have to wait several minutes before your app becomes active. After the UBA
app is upgraded, the content packages are upgraded in the background. The content might not be
visible in QRadar immediately after the app is upgraded.
Note: After the UBA upgrade completes, content packages are upgraded automatically if the Install
and upgrade UBA content packages setting is enabled on the “Configuring content package settings”
on page 26 page. For more information about content packages, see “UBA content pack summary”
on page 68.
5. If Machine Learning is installed, the UBA app automatically upgrades the ML version.

What to do next
When the upgrade is complete, clear your browser cache and refresh the browser window before you use
the app.
Related concepts
“What's new in the User Behavior Analytics app” on page 2
Learn about the new features in each User Behavior Analytics (UBA) app release.
Chapter 4. Configuring the User Behavior Analytics
app
Before you can use the IBM QRadar User Behavior Analytics (UBA) app, you must configure additional
settings.
With 3.6.0 and later, you can import users directly into the UBA app from an LDAP server, Active Directory
server, CSV file, and reference table with the User import wizard.
In 3.5.0 or earlier, you can import user data from a CSV file with the CSV import feature available in the
Reference Data Import LDAP (LDAP) app that is also installed. If you choose to use the LDAP app, you
must configure the LDAP app before you set up the UBA app. The data that the UBA app uses comes from
an LDAP query. The LDAP query retrieves the list of users that is used to populates the UBA app.
Both the UBA app and the LDAP app require separate authorization tokens. You can create the
authorization tokens when you configure each app.
Complete the following setup procedures:
• If you are using LDAP, configure the Reference Data Import LDAP app. Note: Starting with UBA 3.6.0,
the LDAP app is no longer included with the UBA app.
• Configure UBA settings for the UBA app
• Configure user imports
Related tasks
“Importing user data from a CSV file” on page 260
You can upload a CSV file that contains user data with the Reference Data Import - LDAP app
Configuring the Reference Data Import LDAP app

When you install the IBM® QRadar® User Behavior Analytics (UBA) app, the Reference Data Import LDAP
app is also installed (3.5.0 or earlier). You can use the LDAP app to import user data from an LDAP/AD
server or CSV file into a QRadar reference table. The reference table is then consumed by the UBA app or
can be used for QRadar searches or rules.
Before you begin

Attention:
Starting with 3.6.0, the Reference Data Import - LDAP app is no longer installed with the UBA app.
However, you can still use the LDAP app.
About this task

Note: Make sure that you note the reference table name and if you give a custom alias to any of the
attributes. When you set up the UBA app, select the reference table that you created in the Reference
Data Import LDAP app.
For more information about the Reference Data Import LDAP app, see the following section of the IBM
Knowledge Center: http://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.apps.doc/
c_Qapps_LDAP_intro.html
Procedure
1. On the navigation menu ( ), click Admin to open the admin tab.

2. Click the Reference Data Import - LDAP icon. (Apps > Reference Data Import - LDAP > Reference
Data Import - LDAP).

3. Click Configure to create an authorized service token for LDAP. The Configure Authorized Service
Token box opens.
a) Click the Manage Authorized Services link and then click Add Authorized Service.
b) In the Service Name field, type LDAP. This is the user that API requests from the LDAP app are
executed as.
c) From the User Role list, select the Admin user role.
d) From the Security Profile list, select the security profile that you want to assign to this authorized
service. The security profile determines the networks and log sources that this service can access
on the QRadar user interface.
e) In the Expiry Date list, type or select a date for this service to expire. If an expiry date is not
necessary, select No Expiry.
f) Click Create Service.
g) Click the row that contains the LDAP service you created and then select and copy the token string
from the Selected Token field in the menu bar.
h) In the Configure Authorized Service Token box, paste the authorized service token string into
the Token field.
4. Optional: To add a private root certificate authority file, click Browse files, open a supported file,
click Open and then click Upload. The following file type is supported: .pem.
5. Click OK.
6. On the Reference Data Import (LDAP) app main window, click Add Import. The Add a New LDAP
Configuration dialog box opens.
7. On the LDAP Configuration tab, add connection information for the LDAP server. The Filter field is
automatically populated from your Active Directory attributes.
a) Enter a URL that begins with ldap:// or ldaps:// (for TLS) in the LDAP URL field.
b) Enter the point in the LDAP directory tree from where the server must search for users in the Base
DN field. For example, if your LDAP server was on the domain example.com, you might use:
dc=example,dc=com.
c) Enter the attribute or attributes you want to use to sort the data that is imported into the
reference table in the Filter field. For example, cn=*; uid=*; sn=*. The following default
values work with Active Directory: (&(sAMAccountName=*)(samAccountType=805306368)).
d) Enter the user name that is used to authenticate the LDAP server in the Username field.
e) Enter the password for the LDAP server in the Password field.
8. Click Test Connection or Next to confirm that IBM QRadar can connect to the LDAP server. If your
connection attempt is successful, information from your LDAP server is displayed on the LDAP
Configuration tab.
9. On the Select Attributes tab, select the attributes you want to extract from the LDAP server. The
following default values will work with Active Directory:
userPrincipalName,cn,sn,telephoneNumber,l,co,department,displayName,mail,ti
tle.
10. On the Attribute Mapping tab, set the key for the reference table.
Tip: You can create new LDAP fields by clicking Add and combining two attributes. For example, you
can use the following syntax: "Last: {ln}, First: {fn}".
Chapter 4. Configuring the User Behavior Analytics app 23

Tip: If you want to merge LDAP data from multiple sources in the same reference table, you can use
custom aliases to differentiate LDAP attributes with the same name in different sources.
11. On the Reference Configuration tab, create a new reference map of maps or designate an existing
reference map of maps to which you want to add LDAP data.
a) In the Reference table field, enter the name for a new reference table. Alternatively, add the
name of an existing reference table to which you want to append the LDAP data from the list.
b) The Generate map of sets checkbox is disabled by default. If you enable the checkbox, it sends
data to a reference set format to improve QRadar searching, however, it might impact
performance.
c) In the Time to live section, define how long you want the data to persist in the reference map of
maps. By default, the data you add never expires. When the time-to-live period is exceeded, a
ReferenceDataExpiry event is triggered.
Note: If you append data to an existing reference map of maps, the app uses the original time-to-
live parameters. These parameters cannot be overridden on the Reference Configuration tab.
12. On the Polling tab, define how often you want the app to poll your LDAP server for data.
a) In the Polling interval in minutes field, define in minutes how often you want the app to poll your
LDAP server for data.
Note: The minimum polling interval value is 120. You can also enter a polling interval of zero. If
you enter a polling interval of zero, you must poll the app manually with the poll option that is
displayed in the feed.
b) In the Record retrieval limit field, enter a value for the number of records you want the poll to
return.
By default, 100,000 records are returned. The maximum number of records that can be returned
is 200,000.
c) Optional: The Paged results checkbox is selected by default to avoid limiting the number of
records the LDAP server returns for each poll.
Note: Paged results are not supported by all LDAP servers.
13. Click Save.
Configuring UBA settings

Configuring the authorization token in QRadar settings

To view information in the IBM QRadar User Behavior Analytics (UBA) app, you must configure a UBA
authorization token in UBA Settings.
About this task

QRadar on Cloud administrators can learn how to add and manage authorized service tokens by reading
https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/
c_qrocss_manageauthservices.html.
You must complete the following steps to create an authorization token. Do not save the configuration
until have you configured all of the UBA Settings.
Procedure

2. Click the UBA Settings icon. (Apps > User Analytics > UBA Settings).
3. In the QRadar Settings section, click the Manage Authorized Services link.

4. Click Add Authorized Service
5. In the Service Name field, type UBA.
6. From the User Role list, select the Admin user role.
7. From the Security Profile list, select the security profile that you want to assign to this authorized
service. The security profile determines the networks and log sources that this service can access on
the QRadar user interface.
8. In the Expiry Date list, type or select a date for this service to expire. If an expiry date is not
9. Click Create Service.
10. Click the row that contains the UBA service you created and then select and copy the token string
from the Selected Token field in the menu bar.
11. Return to the QRadar Settings section and paste the authorized service token string into the Token
field.
What to do next
“Configuring content package settings” on page 26
Configuring content package settings

To view information in the IBM QRadar User Behavior Analytics (UBA) app, you must configure content
package settings.
Procedure

3. In the Content Package Settings section, the Install and upgrade UBA content packages checkbox is
enabled by default. If you do not want to install the UBA content packages, clear the checkbox and
save the configuration. If you decide not to install UBA content packages, you must create your own
rules to trigger sense events that send events to UBA.
Note: If you clear the Install and upgrade UBA content packages checkbox and save the
configuration and then return to the UBA Settings page and decide to select the checkbox and save
the configuration, the content will be installed and upgraded.
What to do next
“Configuring application settings” on page 27
Configuring application settings
Procedure

3. In the Application Settings section, configure the following settings:
Option Description
Monitor By selecting the Monitor imported users only setting, the UBA app will not monitor
imported new users that are discovered from events. UBA will only monitor users that you
users only imported.
Risk threshold Indicates how high a user's risk score should get before an offense is triggered
against that user. A risk score is the summation of all risk events that are detected
by UBA rules.
Select one of the following options:
• Dynamic: The default value is 4.0. The higher the value is, the higher the dynamic
threshold will be, resulting in less offenses. You should turn off Generate an
offense for high risk users until the settings have run for at least a day. The
dynamic threshold value is updated hourly based on risk score distribution in the
system. You can determine if you want to enable the setting based on the number
of offenses that could be triggered. See the Tip for more information.
Note: If there is not enough variety in their scores, the risk score is set to +10 of
the highest risk user. it stays that way to prevent a large number of offenses from
being generated unnecessarily.
• Static: The default value is 100,000. The value is set to a high value by default to
avoid triggering offenses before the environment is analyzed. You can turn on
Generate an offense for high risk users to open an offense with a username type
for users above the risk threshold. You can determine if you want to enable the
setting based on the number of offenses that could be triggered.
Tip: Consider setting up UBA and leaving the default value. Allow the settings to run
for at least a day to see the type of scores that are returned. After a few days,
review the results on the dashboard to determine a pattern. You can then adjust the
threshold. For example, if you see one or two people with scores in the 500s but
most are in the 100s then consider setting the threshold to 200 or 300. So "normal"
for your environment might be 100 or so, and any score above that might require
your attention.
Decay risk by Risk decay is the percentage that the risk score is reduced by every hour. The
this factor per default value is 0.5.
hour
Note: The higher the number, the faster the risk score decays; the lower the
number, the slower the risk score decays.
Date range for The date range that is displayed for the user details graphs on the User Details
user detail page. The default value is 1.
graphs
Duration of The number of hours (1 - 10,000) that is assigned for an investigation to be

investigation completed.
status

Option Description
User inactivity The User Details page shows a timeline with activity grouped by sessions. If a user
interval is inactive for the amount of time entered in the User inactivity interval field, the
session ends. The default value is 15 minutes.
Dormant The number of days that users are inactive before they are considered dormant. The
account default value is 14 days. For more information, see “Dormant accounts” on page
threshold 45.
(Available in V3.2.0 and later.)
Maximum risk Enter a value to set the limit for the maximum risk score on the Rules and Tuning
score page. Current risk scores are not affected by changes to this setting. Note: Rules
that are delivered with the UBA app typically have a risk score in the range of 5 - 25.
Search assets Select the checkbox to search for user names in the asset table. The UBA app uses
for username, assets to lookup a user for an IP address when no user is listed in an event.
when
Important: This feature might cause performance issues in the UBA app and your
username is
QRadar system.
not available
for event or Important: Enabling the Search assets for username, when username is not
flow data available for event or flow data check box on the UBA Settings page can cause
the User Details page to not load. Review the Rules pages to determine if the
enabled rules require this setting. It should be disabled if it is not needed.
Tip: If the query timeout threshold is exceeded, the app does not return any data. If
you receive an error message on the UBA Dashboard, clear the checkbox and click
Refresh.
Display Clear the checkbox if you do not want to display country and region flags for IP
country/ addresses.
region flags
for IP
addresses
What to do next
For UBA V3.4.0 or later, you can import users from the User import wizard. For more information, see
“Importing users” on page 30.
Configure user import

You can import users with the User Import wizard. The User Import wizard helps you to import users from
an LDAP server, an Active Directory server, from reference tables, and CSV files (3.6.0 and later) directly
into UBA.
Tip: With the User Import wizard, you can import users and user data directly from within the UBA app.
You can use the wizard or you can continue to import user data with the separate Reference Data Import -
LDAP app.
• With 3.6.0 and later, you can import users from a CSV file with the User Import wizard. For more
information, see “Importing users from a CSV file” on page 36.

• If you are using UBA 3.5.0 or earlier, you must use the Reference Data Import - LDAP app to import
users from a CSV file. For more information, see “Importing user data from a CSV file” on page 260.
• In 3.4.0 and later, you can import both LDAP and reference table data into the UBA app. Unlike previous
releases where only external data could be imported from a reference table in QRadar.
Importing users
You can import users from within the UBA app. The User Import wizard helps you to import users from an
LDAP server, an Active Directory server, from reference tables, and CSV files.
Before you begin

You must configure the UBA authorization token and admin permissions before adding import
configurations. For more information, see “Configuring the authorization token in QRadar settings” on
page 25.
Important: The User Import wizard allows you to import users and user data directly from the UBA app.
You can use the wizard or you can continue to import user data with the Reference Data Import - LDAP
app.
• With 3.6.0 and later, you can import users from a CSV file with the User Import wizard. For more
information, see “Importing users from a CSV file” on page 36.
• If you are using UBA 3.5.0 or earlier, you must use the Reference Data Import - LDAP app to import
users from a CSV file. For more information, see “Importing user data from a CSV file” on page 260.
About this task

Note: The key names should always be in English. That means the attributes in reference tables and LDAP
servers should also be in English.
In 3.4.0 and later, you can access the User imports wizard from the following locations:
• The Admin Settings page (Admin Settings > User Analytics > User Import).
• The User Import icon in the top menu bar on the UBA dashboard.
• The Import User Data section on the UBA Settings page.
Procedure
1. On the User Imports window, click Add.
2. From the following options, select the source that you want to use to import user data:
• LDAP/AD
• Reference Table
• CSV file
The following example shows User Import wizard for 3.6.0 and later:
3. After you add an import, you can view the status information for each configuration.
• Retrieval limit: The maximum number of users to poll per poll.
• Polling interval: The time in hours after the last successful poll.
• Last edited: The last time the configured changed.
• Users extracted: The total number of users in the current import configuration.
Note: The number of users extracted in each poll might be limited by a particular LDAP server. For
example, when Paged results is not selected, an Active Director Server could only return up to
1000 records.
• Last poll date: The last time a poll was attempted.
• Last poll status: The status of the last poll (Failed, Idle, Warning, Running, Coalescing, Succeeded).
You can edit or delete the configuration. Clicking the Delete icon removes the entry but does not
remove the users from UBA. You can also select the Import data now icon to poll the server for data
at any time.
Tip: To improve performance, you should delete import configurations that you no longer use.
What to do next
Configure the import from your LDAP/AD server or a reference table.

Related tasks
Importing users with LDAP or Active Directory
You can import user data, directly into the UBA app, from an LDAP or Active Directory server.
Importing users from a reference table
You can import user data, directly into the UBA app, from a reference table.
Importing users from a CSV file
You can import user data, directly into the UBA app, from a CSV file.
Tuning user import configurations
After completing the import configurations, you can tune the configurations by selecting attributes to
define valid usernames that combine users and enrich data that is displayed in UBA by defining attributes
for display data.

Before you begin

You can import users with the User import wizard. For more information, see “Importing users” on page
30
About this task

This feature is available in 3.4.0 and later.
Tip:
After an import is configured and the task has run to completion at least once, you should go to the Tuning
page and make any necessary adjustments to the attributes.
Procedure
1. On the User Imports window, click Add and then click LDAP/AD.
2. In the Protocol field, select ldap:// or ldaps:// for TLS.
3. In the LDAP Server Host field, enter an IP address or hostname. For example, 10.10.10.10 or
sample.ldap.server.
4. In the Port field, enter the port for the LDAP server.
5. In the Username (Bind DN) field, enter the user name that is used to authenticate the LDAP server
and enter the password in the Password field.
6. Click Advanced Settings. Note: You can change the Base DN; otherwise, when you click Test
Connection the system determines the default values that are most applicable and populates the
Base DN.
7. In the Base DN field, the field is auto-populated or you can enter the point in the LDAP directory tree
from where the server must search for users. For example, if your LDAP server was on the domain
example.com, you might use: dc=example,dc=com.
8. In the Filter field, enter the attribute or attributes you want to use to identify the users in a search
request. For example: cn=*; uid=*; sn=*. The following default values will work with Active
Directory: (&(sAMAccountName=*)(samAccountType=805306368)). For more information, see
https://ldap.com/ldap-filters/.
9. In the Certificate field, click the Upload icon to add a root certificate authority (PEM) file.
10. The Paged results checkbox is selected by default to avoid limiting the number of records the LDAP
server returns for each poll. Paged results are not supported by all LDAP servers.
11. Click Test Connection to confirm that UBA can connect to the LDAP server.
12. Click Next.
13. On the Other import settings screen, in the Configuration name field, enter a name to represent the
configuration.
14. In the Polling interval field, define how often you want the app to poll your LDAP server for data. You
can enter a polling interval of zero to manually poll. If you enter a polling interval of zero, you must
poll the app manually with the poll option that is displayed in the feed.
15. In the Retrieval limit field, enter a value for the number of records you want the poll to return.
The maximum number of records that can be returned is 500,000.

16. Click Next to review the summary of the configuration and then click Save.
What to do next
You can add more import configurations or continue tuning your existing import configurations.
Related tasks
Importing users
for display data.

Before you begin

You can access the User import wizard. For more information, see “Importing users” on page 30
About this task

You can import user data, directly into the UBA app, from a reference table. For more information about
reference data in QRadar, see Using reference data in QRadar.
Procedure
1. On the User Imports window, click Add and then click Reference table.
2. From the Reference table name list, select a reference table.
Note: The fields will populate based on the information in the selected reference table.
3. Click Next.
4. In the Polling interval field, define how often you want the app to poll for data from the reference
table. You can enter a polling interval of zero to manually poll. If you enter a polling interval of zero,
you must poll the app manually with the poll option that is displayed in the feed.
5. In the Retrieval limit field, enter a value for the number of records you want the poll to return.
The maximum number of records that can be returned is 500,000.
What to do next
Related tasks
Importing users

for display data.

Before you begin

You can access the User import wizard. For more information, see “Importing users” on page 30
About this task

This feature is available in 3.6.0 and later. Note: If you are using UBA 3.5.0 or earlier, you must use the
Reference Data Import - LDAP app to import users from a CSV file.
You can import user data, directly into the UBA app, from a CSV file. The data is automatically loaded after
you upload the file. You cannot reimport the same file and you cannot edit or repoll. If you delete the file,
the data remains.
Procedure
1. On the User Imports window, click Add and then click CSV File.
2. Upload a CSV file. You can drag or click browse to open the file.
Important: The CSV file must be in UTF-8 format must not be greater than 10 MB. It must contain a
header that has column names, use commas to delimit, and must contain at least one column with
unique data.
What to do next
Related tasks
Importing users
for display data.

for display data.
Before you begin

You can access the User import wizard. For more information, see “Importing users” on page 30.
Note: If you are connecting to an Active Directory, you do not have to configure the Tuning page. The
default values for the tuning are optimized for Microsoft Active Directory.
About this task

Note: With 3.4.0 and later, all LDAP attributes on the remote LDAP server are saved. By saving the LDAP
attributes, it is possible to use all the values in the LDAP schema, even in the case of attributes that are
not uniform to every LDAP record.
Note: In 3.5.0 and later, when you remove aliases or display fields they are removed from your import
configurations and future import tasks. You must manually add them back if you removed them.
Procedure
1. On the User Imports window, click Tuning.
2. In the User Coalescing section, click Edit.
3. On the Edit: User Coalescing pane, select at least one attribute from the current imports, which UBA
can use to identify and combine activity from the different user names of each user.
Note:
Attributes added in the user coalesing section should be unique to an individual. Attributes that
contain usernames for various accounts used throughout the enterprise should be selected, such as
'samaccountname' or 'distinguished name'. Selecting values that are shared among many users,

results in UBA combining the users together. Values such as "department" and "country" should not be
selected.
4. In the Display Fields section, click Edit to customize the attributes that you want to display on the
User Details page. You can also click Add to select attributes for the selected display field.
Note:
The order that the attributes are shown, determines the order that UBA gets the value for the
attributes to be displayed on the User Details page. For example, if the order of the attributes is
“displayname” followed by “cn”, then when user coalescing, if “displayname” has a value for that
user, that value is used, and will not find the value of “cn”. If “displayname” has no value, it will go to
find the next attributes for “cn”. If “cn” has no value, it will go to find the next attribute and so on.
Important: The Custom group display attribute is a special attribute that is used to define a grouping
attribute that can be selected as the grouping mechanism for the Defined Peer Group Machine
Learning analytic. This attribute is not displayed on the user profile page like the other display
attributes. An attribute from the configured LDAP, reference table, or CSV file user import can be
selected. The selected attribute should be one that allows for clustering of the user population.
Examples of Active Directory attributes that might be useful for such grouping are
"physicalDeliveryOfficeName", "memberOf " and "divison". Attributes that are unique per individual
should not be selected. Do not use Custom group for any other purposes.
5. Click Save.
Note: After you click Save, the data that is imported from all sources is reprocessed based on the new
selections of coalescing aliases and display keys.
Results
Tip:
If you chose the wrong attribute for user coalescing and encounter issues, you can make adjustments on
the Tuning page and then clear UBA data from the Help and Support page.
Related tasks
Importing users

Chapter 5. Administering
Assigning user capabilities for the QRadar UBA app

Administrators use the User Role Management feature in IBM QRadar to configure and manage user
accounts. As an administrator, you must enable the User Analytics, Offenses, and Log Activity
permissions for each user role that is permitted to use the QRadar UBA app.
About this task

After you install UBA, it is displayed as a capability in User Roles on the Admin tab. To use the app, a
QRadar administrator must assign the app, and any other capabilities that it requires, to a user role.
Security profiles are different than user roles. Security profiles define which networks, log sources, and
domains that a user can access. For more information, see the Security Profiles section in the IBM QRadar
Administration Guide. Security profiles or user roles that are overly restrictive can result in data not
appearing.
Note: If you are deploying UBA for use in a multitenant environment, see “UBA user roles for
multitenancy” on page 62.
Procedure

2. In the System Configuration section, click User Management, and then click the User Roles icon.
3. Select an existing user role or create a new role.
4. Select the following checkboxes to add the permissions to the role.
• User Analytics
• Offenses
• Log Activity
5. Click Save.
Creating watchlists
About this task

You can add a user to a new watchlist or an existing watchlist from the UBA Dashboard, the User Details
page, or the Search Results page. A single user can be a member of multiple watchlists.
Procedure
1. From the UBA Dashboard or the User Details page, click the Watchlist icon.
2. From the menu, select Create new watchlist. To add a user to an existing watchlist, click Add to
your watchlist.
3. On the General Settings tab, enter a watchlist name.
4. You can artificially increase or decrease the user's risk score by changing the value in the Scale risk
by factor field. The default factor of '1' leaves the risk score unchanged.
Note: If a user is in more than one watchlist, the largest scale factor is applied.
5. In the Machine Learning tracking priority section, select the priority for how users are tracked by
the Machine Learning analytics.

• High - Users are always tracked up to the maximum users per Machine Learning analytic.
• Normal - Users are tracked by highest risk after all the high users are included.
• Never - Users are not tracked by Machine Learning.
6. Click Next.
7. On the Membership Settings tab, you can automatically populate the watchlist with users from a
reference set, a regular expression, or both.
8. In the Import from QRadar reference set field, search for a reference set or click to select a
reference set from the list to import all entries from the reference set. Note: The list might contain
reference sets that do not have user names. After you select a reference set, click the link to review.
9. In the Add from Monitored Users with regex filter field, you can select a user property and enter a
valid Python regular expression to select users who are already found in the UBA database.
10. In the Refresh interval field, enter the number of hours for how often you want the user list to be
updated.
For example, if you enter 10, the user list is updated every 10 hours.
If the Refresh interval is set to a value of 0 (zero), you can manually update the watchlist by clicking
Refresh.
11. Click Save.
Viewing the allowlist for trusted users
You can view the list of trusted users in the reference set management list.
Procedure

2. In the System Configuration section, click Reference Set Management.
3. On the Reference Set Management window, select the UBA : Trusted Usernames reference set.
4. Click View Contents.
Managing network monitoring tools

You can manage network monitoring tools for the IBM QRadar User Behavior Analytics (UBA) app.
About this task

If you want to monitor the use of network capture, monitoring or analysis program usage, make sure the
programs are listed in the UBA : Network Capture, Monitoring and Analysis Program Filenames reference
set. You must then enable the UBA : Network Capture, Monitoring and Analysis Program Filenames
rule.
Procedure
Chapter 5. Administering 43
3. On the Reference Set Management window, select the UBA : Network Capture, Monitoring and
Analysis Program Filenames reference set.
5. To add an application to manage, click Add and enter the values in the box.
6. To remove an application, select an application and click Delete.
What to do next
Enable the UBA : Network Capture, Monitoring and Analysis Program Filenames rule.
Managing restricted programs

You can manage restricted programs for the IBM QRadar User Behavior Analytics (UBA) app.
About this task

If there are any applications that you want to monitor for usage, go to the UBA : Restricted Program
Filenames reference set and enter the applications that you want to monitor. You must then enable the
UBA : Restricted Program Filenames rule.
Procedure

3. On the Reference Set Management window, select the UBA : Restricted Program Filenames
reference set.
5. To add an application to manage, click Add and enter the values in the box.
6. To remove an application, select an application and click Delete.
What to do next
Enable the UBA : Restricted Program Filenames rule.
Adding log sources to the trusted log source group

If you do not want the UBA app to monitor and report certain log sources, you can add them to the UBA :
Trusted Log Source Group. Adding log sources to the group stops the UBA app from monitoring them.
Procedure

2. Click the Log Sources icon.
3. Click Add.
4. Configure the common parameters for your log source.
5. Configure the protocol-specific parameters for your log source.
6. Select the UBA : Trusted Log Source Group checkbox.
7. Click Save.
8. On the Admin tab, click Deploy Changes.
New accounts
A user can have several accounts (aliases) associated to them. This association is achieved by configuring
coalescing when you tune your Import Configurations for User Imports. Accounts that are owned by a
user are added to UBA by using three methods:
• Importing attributes from an LDAP source.
• Adding users from a QRadar reference set from a watchlist that is created within UBA. 3
• Discovering users from a sense event. This can be limited to the first two methods by setting the
Monitor imported users only in the Application settings section on UBA Settings page.
An account added to UBA from LDAP or watchlist will not have a score until they are seen on any event
consumed by QRadar. An account added from a sense event will have a score, immediately, from the
sense event that detected it.
Responses to new accounts

New accounts are set to active after being seen on an event. For more information on account status, see
Dormant Accounts. The "UBA : New Account Use Detected" rule is also triggered by the one-time event
sent by the app. Custom responses can be created by using the event: "New Account Use Detected (QID
104000014)".
Related concepts
“Configure user import” on page 29
You can import users with the User Import wizard. The User Import wizard helps you to import users from
an LDAP server, an Active Directory server, from reference tables, and CSV files (3.6.0 and later) directly
into UBA.
Related tasks
“Tuning user import configurations” on page 37
for display data.
Dormant accounts
You can see users in your system that have dormant accounts, active accounts, or accounts that have
never been used.
Viewing dormant accounts on the User Details page

You can see the status of the accounts that are associated with the selected user on the User Details
page.
User Account Status Description

Active An account that UBA has seen events from a QRadar log source within the
configured dormant account threshold time period.
Dormant An account that UBA has seen at least one event from in the past but has not
seen any new events during the dormant account threshold time period.
Never Used An account for which UBA has never seen an event with that user name in a
QRadar log source.
Accounts identified as "Never Used" can be caused by the following activities:
• Accounts that have never been logged by a QRadar log source for the
associated user name account.
• The event occurred before UBA V3.2.0 was installed. Note: When you first
install the UBA app, only events that occurred in the last hour are analyzed to
User Account Status Description
determine when an account was last accessed. After the initial analysis, the
UBA app queries events that occurred between executions of the background
task that watches for account usage.
Note: Accounts that are categorized as "Never Used" were likely imported from
the LDAP app.
Users with Dormant Accounts watchlist

The Users with Dormant Accounts watchlist is automatically generated as the UBA app pulls in user data.
You can view the Users with Dormant Accounts watchlist on the UBA Dashboard.
If you delete the watchlist, it is not automatically re-created. If you need to create it again, select the
UBA : Dormant Accounts reference set on the Membership Settings tab on the Create a watchlist
screen.
Configuring the dormant accounts threshold

The default value for the dormant accounts threshold is 14 days. You can change the number of days that
users are inactive before they are considered dormant in the Application Settings section on the UBA
Settings page (Admin Settings > User Analytics > UBA Settings).
Responses to dormant accounts or users

You can generate responses for dormant accounts from the provided rules. You can also create custom
responses by using the events that are triggered from the app.
To use the provided rules so that a user's score is increased when an account that was dormant is used or
is attempted to be used, make sure that the following rules are enabled:
• “UBA : Dormant Account Use Attempted” on page 98
• “UBA : Dormant Account Used” on page 97
To create custom responses, you can use the following generated events in a rule or query:
• Dormant Account Found (QID 104000012)
• Dormant Account Used (QID 104000013)
Related concepts
“UBA dashboard and user details” on page 6
The IBM QRadar User Behavior Analytics (UBA) app shows you the overall risk data for users in your
network.
Related tasks
“Creating watchlists” on page 41
Chapter 6. Tuning
Enabling indexes to improve performance

To improve the performance of your IBM QRadar User Behavior Analytics (UBA) app, enable indexes in
IBM QRadar.
About this task

To improve the speed of searches in IBM QRadar and the UBA app, narrow the overall data by adding the
following indexed fields to your search query:
• High Level Category
• Low Level Category
• senseValue
• senseOverallScore
• Username
For more information about indexing, see Index management.
Procedure

2. In the System Configuration section, click the Index Management icon.
3. On the Index Management page, in the search box, enter High Level Category.
4. Select High Level Category and then click Enable Index.
5. Click Save.
6. Select Low Level Category and then click Enable Index.
7. Click Save.
8. On the Index Management page, in the search box, enter sense.

9. Select senseValue and senseOverallScore and then click Enable Index.
10. Click Save.

11. On the Index Management page, in the search box, enter username.
12. Select Username and then click Enable Index.
13. Click Save.
Integrating new or existing QRadar content with the UBA app
About this task

To meet your specific needs, you can use the capabilities built into QRadar by integrating your existing
QRadar rules with the UBA app.
Restriction: Do not customize your rules to use the UBA and Machine Learning reference sets. Attempting
to use the reference sets in custom rules can lead to failures within the UBA app.
Integrate dynamic content in V3.5.0 and later

Integrate non-UBA content so that you can manage it on the UBA Rules and Tuning page.
About this task

Starting with V3.5.0, QRadar content, other than UBA provided content, can now be managed on the
Rules and Tuning page. Other content is configured to work with UBA by default and is shown on the page
after UBA is installed. For more information, see “Prerequisites for installing the User Behavior Analytics
app” on page 12. User-specified content can be added by appending the details to the "UBA : Rule Data"
reference table by using an API call.
Note: When rules are added to the reference table, they cannot be removed. To stop the rules from
sending a risk score to UBA, you can either disable the rule or set the risk score to zero. For more
information, see Chapter 8, “Rules and tuning for the UBA app,” on page 67.
On QRadar V7.3.2 and later, a task runs every hour that pulls any rules that have been edited to include a
sense value in the description into the Rule Data table to be managed in the Rules and Tuning page. For
more information, see “Integrate content into UBA V3.4.0 and earlier” on page 51.
Restriction: When you start managing the rules from the Rules and Tuning page, the risk score can be
changed only from the Rules and Tuning page.
Procedure
Add eventname and details to the reference table by using the API doc or command line.
data schema: {"eventName": {"ruleName": "string", "risk": integer, "category":
"string", "desc": "string"}, "eventName": {...}}
Option Description
eventName (required) The exact string that appears in the new event section of the Rule Wizard
ruleName (required) The exact string that appears in the Rule Wizard
risk (required) An integer >= 0
category (optional) An existing UBA category or custom category name. If omitted, rules will
appear in the "Custom Rule Integration" category.
desc (optional) A short description of the event/rule
API Doc Method example:

API: POST - /reference_data/tables/bulk_load/{name}
Parameters
name UBA : Rule Data

data {"Event Name 1":{"ruleName":"Test Rule Name 1","risk":5,"category":"Exfiltration","desc":"Event
1 Description"}, "Event Name 2":{"ruleName":"Test Rule Name 2","risk":5,"category":"My
Company Rules","desc":"Event 2 Description"}, "Event Name 3":{"ruleName":"Test Rule Name
3","risk":5,"desc":"Event 3 Description"}}
'https://your_qradar_console/api/reference_data/tables/bulk_load/UBA%2520%253A
%2520Rule%2520Data’
Commandline Method example:

curl -s -X POST -u admin –H 'Content-Type: application/json' -H 'Accept:
application/json' --data-binary '{"Event Name 1":{"ruleName":"Test Rule Name
1","risk":5,"category":"Exfiltration","desc":"Event 1 Description"}, "Event
Name 2":{"ruleName":"Test Rule Name 2","risk":5,"category":"My Company
Rules","desc":"Event 2 Description"}, "Event Name 3":{"ruleName":"Test Rule
Name 3","risk":5,"desc":"Event 3 Description"}}' 'https://
your_qradar_console/api/reference_data/tables/bulk_load/UBA%2520%253A%2520Rule
%2520Data’
Integrate content into UBA V3.4.0 and earlier
About this task

Use the Rules Wizard in QRadar to integrate existing or custom QRadar rules with the UBA app V3.4.0 and
earlier.
Chapter 6. Tuning 51
Procedure
1. Create a copy of the existing rule. This prevents updates to the base rule from affecting the edits made
to the new rule.
2. Open the rule in the Rule Wizard and then navigate to the Rule Response section.
3. Enable or edit the Dispatch New Event option by making sure the Event Description text is formatted
in the following way: senseValue=#
4. Click Finish to save the changes.
Note: If the rule works on flow data, you must enable the Search assets for username, when
username is not available for event or flow data option so that events with no usernames can
attempt a lookup for user mapping.
Reference sets
The User Behavior Analytics app and the Machine Learning app use reference sets for storing user
information. Some reference sets are reserved for app use only and you should not modify them or use
them in creating custom rules.
Reference sets you can customize
Reference set Description

UBA : High Risk Users The UBA : High Risk Users reference set is built from the Risk threshold to
trigger offenses value on the UBA Settings page. The maximum number of
users is 10,000 and the reference set is rebuilt every 5 minutes
UBA : Trusted You can add user names to the UBA : Trusted Usernames reference set but do
Usernames not use for rules or reports. No offenses are generated for the users in the
UBA : Trusted Usernames reference set.
UBA : Users Not The purpose of the UBA : Users Not Tracked reference set is to store the list of
Tracked user's aliases that no longer require tracking because of GDPR regulations.
When you choose to stop tracking users and click Delete and Stop Tracking
User on the user details page, the user name or alias is added to this reference
set.
Important: Do not manually add users to or modify the UBA : Users Not
Tracked reference set.
Note: If you need to start tracking a user after the name has been added to the
reference set, you can delete the user's aliases from the reference set. Use the
Reference Set Management page to delete users. For more information, see
Deleting elements from a reference set.
UBA : ML Always The UBA : ML Always Tracked Watchlist reference set is built from the users
Tracked Watchlist you select to Track with Machine Learning in the Advanced Settings section
on the User Details page. You can add user names to the UBA : ML Always
Tracked Watchlist reference set but do not use for rules or reports.
Reference sets you cannot customize

Restriction: Do not modify or use the following reference sets for custom rule creation.
• UBA - Current ML Tracked Users
• UBA - Previous ML Tracked Users
• UBA - Current Abridged ML Tracked Users
• UBA - Previous Abridged ML Tracked Users
• UBA - Current Peer Group ML Tracked Users
• UBA - Previous Peer Group ML Tracked Users
Chapter 6. Tuning 53
Chapter 7. Multitenancy in UBA
The User Behavior Analytics (UBA) app 3.6.0 and later supports multitenant environments in QRadar
7.4.0 Fix Pack 1 and later.
Multitenant environments allow Managed Security Service Providers (MSSPs) and multi-divisional
organizations to provide security services to multiple client organizations from a single, shared IBM®
QRadar® deployment. You don't have to deploy a unique QRadar instance for each customer.
With QRadar 7.4.0 Fix Pack 1 or later and UBA 3.6.0 and later, you can create multiple tenants from a
single deployment instead of managing multiple deployments. For example, as an MSSP partner, you
could host 20 clients on a single instance of QRadar with each client managing approximately 1000
employees.
Overview
Multitenancy in UBA requires the QRadar Administrator or an MSSP Administrator (QRadar Admin) to
complete several setup procedures that include specific configuration tasks in QRadar 7.4.0 Fix Pack 1.
The QRadar Admin must use the QRadar Assistant app 3.0 or later to install and configure the first or
"admin" UBA instance and the additional non-admin or tenant instances. After the non-admin instances
are established, the QRadar Admin must also assign user roles and specific permissions. The user roles
for the non-admin instances include "UBA tenant admin" and "UBA tenant" users.
Deployment guidance
The number of UBA instances supported is directly related to the QRadar environment. In general,
tenants should be added one at a time and after each addition, you should verify that QRadar is healthy
and the remaining apps are also performing as expected.
QRadar system performance was confirmed on 3 different environments differing in number of users and
Events Per Second (EPS). Each environment contained a QRadar Console with 128 GB RAM and 56 Cores,
Event Processor with 128 GB RAM and 56 Cores, and an App Host with 372 GB RAM and 72 Cores.

• The first system successfully ran 30 instances of UBA with 5000 users on each instance with an EPS of
800.
• The second system successfully ran 8 instances of UBA with 40000 users on each instance with an EPS
of 1500.
• The third system successfully ran 6 instances of UBA with 100000 users on each instance with an EPS
of 2500.
These guidelines ensure the proper functioning of your QRadar system and UBA. If errors are
encountered within your QR environment, consider increasing RAM or adding an Event Processor.
QRadar Admin or MSSP Admin role

Important: The QRadar Admin must set up the first or "admin" instance of UBA. After the admin instance
of UBA is established with an admin token, more UBA instances can then be created. When running
multiple instances of UBA, the admin instance is used solely to upgrade ML and install content but it does
not process data or perform any other functions.
Security profiles
UBA 3.6.0 and later does not support multiple domains under one security profile. A security profile can
only have one domain assigned to it for UBA to work as expected.
Dashboard
On the Dashboard, only the QRadar Admin can see the rules installation status for the UBA tenant admin
user and the UBA tenant user. The UBA tenant admin user and the UBA tenant user always see a green
status of rules on the dashboard.
If you have Machine Learning installed, the status for Machine Learning on the Dashboard is always
shown as green. If you do not have ML installed, the status that is shown is always gray.
Integration with QRadar Advisor with Watson

QRadar Advisor with Watson 2.5.2 and later is required to work with UBA in a multitenant environment.
Reference Data Import - LDAP app

You should not use the LDAP app in a multitenant environment because the LDAP app is not multi-domain
or multitenant aware so any user will see any import.
Upgrading
If you are upgrading from a previous version of UBA, you will not be able to keep using the existing UBA
instance and also run multitenancy. As soon as a second instance of UBA is seen in QRadar, the upgraded
UBA instance will change into a limited-functionality instance. Note that the data is not removed but it no
longer gets updated.
For the best experience with MT, do not upgrade from 3.4 or 3.5. Instead, consider installing 3.6.0 (or
later) and not upgrading. You do not need to uninstall UBA but you need to uninstall ML.
Warnings
You must set up your multitenant environment as specified or you could experience problems with UBA
and Machine Learning. Consider the following warnings:
• Ensure any edits to reference sets in QRadar are domain specific, otherwise users might show up in
unintended tenant instances.
• The admin instance of UBA is only responsible for upgrading ML and Rules.
• The admin instance of UBA will not ingest user data.
• Each instance can only have a single tenant and each tenant can only have a single domain.
• Tenants cannot be provided an admin authorized service token.
• Do not install Machine Learning on the admin instance of UBA.
• The QRadar Admin should not allowlist or remove users because it will also allowlist and remove users
for all tenant instances.
QRadar configurations for setting up multitenancy in UBA

You must configure your QRadar system to support UBA 3.6.0 and later in a multitenant environment.
You must have QRadar administrator privileges to set up your multitenant environment. For more
information, see QRadar administration.
For more information about multitenancy in QRadar, see Multitenant management.
Table 1. QRadar configurations to support UBA multitenancy. The following table outlines the process
that is required to complete before you begin to configure your UBA instances.
Step More information
1 Define IBM Sense log source for each Each domain requires it's own IBM Sense log source for
domain. each UBA instance to function properly. When the log
source is defined, take note of each unique identifier for
use when configuring the tenant UBA instance.
Domains and log sources in multitenant environments
2 Determine data provisioning. You can assign specific log sources, log source groups,
or event collectors to provide data for each domain. You
can create the log source groups. Assign the IBM Sense
from step one to the specific group if one is created.
3 Define a set of tenants in the Tenant Provisioning a new tenant

Management
4 Define a set of domains in Domain Associate the IBM Sense log source from step 1 (if log
Management source groups are not used), and log source groups, logs
sources, or event collectors from step 2. Add a tenant
from step 3. Each domain must have a unique tenant
and log source or log source group.
Creating domains
5 Optional: Define networks in Network Note: This is only necessary if you want each tenant to
Hierarchy have specific network hierarchy
Network hierarchy updates in a multitenant deployment
6 Create a profile for each domain in Associate the previously defined domain, log source, or
Security Profiles log source group, and network.
Security profiles
Chapter 7. Multitenancy in UBA 57

Table 1. QRadar configurations to support UBA multitenancy. The following table outlines the process
that is required to complete before you begin to configure your UBA instances. (continued)
Step More information
7 Create roles in User Roles QRadar admin/MSSP admin: Install and configure each
UBA and Machine Learning instance. See “QRadar
admin/MSSP admin” on page 62 for details.
Tenant admin: UBA Admin role for administering a UBA
and Machine Learning instance. See “UBA tenant
admin” on page 62 for details.
Tenant user: UBA Analyst role for reviewing data in UBA.
See “UBA tenant user” on page 63 for details.
Note: User Analytics, Machine Learning, and QRadar
Advisor with Watson might not be available at this point.
User roles
8 Create service tokens in Authorized Associate to profile from step 5 and role from step 6.
Services Each tenant admin requires an authorization service
token.
Configure the authorization token in QRadar settings
9 Create users in Users Create tenant admin and tenant users. Associate each
to the specific role, profile, and tenant.
Creating a user account
10 Deploy changes. On the Admin tab, click Deploy changes.
The following diagram illustrates the configuration steps:
Related concepts
UBA user roles for multitenancy
7.4.0 Fix Pack 1 or later.
Rules and tuning for multitenancy in UBA
The rules are enabled or disabled by default for every UBA instance to support multitenancy in User
Behavior Analytics (UBA) app 3.6.0 and later. If you require changes to rules for a subsets of instances,
you need to manually change the rule behavior.
Related tasks
Installing and configuring UBA instances to support multitenancy
With 3.6.0 and later, you can set up UBA to work in a multitenant environment in QRadar 7.4.0 Fix Pack 1
or later.
Installing and configuring Machine Learning in Multitenancy

With 3.6.0 and later, you can install and configure Machine Learning to work in a multitenant environment
in QRadar 7.4.0 Fix Pack 1 or later.

or later.
Before you begin

You must complete the steps that are outlined in the table on the “QRadar configurations for setting up
multitenancy in UBA” on page 57 page on a system with QRadar 7.4.0 Fix Pack 1 or later.
Before you attempt to configure any UBA instance, make sure you have an Admin instance of UBA
installed by completing the following steps Installing the UBA app.
Note: Installing instances requires QRadar Assistant app 3.0.0 or later. For more information, see QRadar
Assistant app.
About this task

The following procedure must be completed by the QRadar Admin or the MSSP admin.
Procedure
1. Find the User Behavior Analytics extension in the QRadar Assistant app.
2. Select Options > Create new instance.

3. Choose the security profile for the instance and click Next.
Note: If there are no instances created, create an Admin instance first. If there is an Admin or Shared
instance, create the first tenant instance. If the tenant security profile is not listed, ensure that you
have created a security profile and deployed changes.
4. Associate the app to any other roles that are listed and click Next.
5. Review the summary and click Confirm and Create.
6. After the instance is created, select the instance and then click Options > Configure Instance > UBA
Settings.
7. On the UBA Settings page, add the service token for the tenant admin that is responsible for the
instance of UBA. Note: Make sure to choose the correct token.
8. Enter the identifier set for the IBM Sense log source for this instance's domain. For more information,
see step 1 of QRadar configurations for setting up multitenancy in UBA.
9. Save the configuration.
10. Optional: If this instance of UBA will also host Machine Learning, see the following topic “Installing
and configuring Machine Learning in Multitenancy” on page 61.
What to do next
Repeat these steps for all instances of UBA that you want.
Related concepts
Related tasks

Before you begin

You must complete the steps outlined in the table on the “QRadar configurations for setting up
multitenancy in UBA” on page 57 page on a system with QRadar 7.4.0 Fix Pack 1 or later.
Before attempting to install and configure any Machine Learning instance be sure you have an Admin
instance of UBA installed by completing the following steps Installing the UBA app.
About this task

Important: The container size and the amount of memory you select for the first Machine Learning
instance that you configure will apply to all tenant instances. To change the container size, you would
need to remove all running ML instances and install again to be able to configure a different container
size.
Procedure
1. Find the User Behavior Analytics extension in the QRadar Assistant app.
2. Select the UBA instance that you want to install Machine Learning on.
3. Select Option > Configure Instance > Machine Learning Settings.
4. Configure the appropriate size for the Machine Learning instance. Note: The size of the Machine
Learning instance must be the same for every instance. For example, if instance A uses a 5 GB
Machine Learning instance, instances B and C must either use no Machine Learning or 5 GB.
5. Select Install ML App.
The instance is now ready for the tenant admin and tenant users to access.
What to do next
Repeat these steps for instances of UBA that you want to install Machine Learning on.
Related concepts

Related tasks
or later.

In a multitenant deployment, you ensure that customers see only their data by creating domains that are
based on their QRadar input sources. By creating security profiles and user roles, you can manage
privileges for large groups of users within the domain. User roles ensure that users have access to only
the information that they are authorized to see.
Note: UBA 3.6.0 (and later) does not support multiple domains under one security profile. A security
profile can only have one domain assigned to it in order for UBA to work as expected.
For UBA to work with QRadar, the QRadar Admin can create user roles that designate a "UBA tenant
admin" and any non-admin users or "UBA tenant". Each role has distinct responsibilities and associated
activities.
QRadar admin/MSSP admin

The QRadar Admin/MSSP admin owns and manages the first or "admin" instance of UBA. The QRadar
admin is responsible for completing the following tasks:
• Setting up the first "admin" instance and the other non-admin UBA instances.
• Configuring non-admin instances with the appropriate tenant_admin token and instance identifiers
• Determining the size and installing Machine Learning for any instance that requires it. Note: The size of
the Machine Learning instance must be the same for every instance. For example: If instance A uses a 5
GB Machine Learning instance, instances B and C must either use no Machine Learning or also 5 GB.
• Upgrading all apps or systems.
• Managing all system settings and rule configurations. Note: Rules are shared for every instance.
UBA tenant admin

The UBA tenant admin is responsible for the following tasks:
• Configuring UBA Settings (specifically Application Settings)
• Configuring Machine Learning settings.
• Allowlisting and deleting users.
• Setting the Machine Learning priority.
• Investigating users with QRadar Advisor with Watson.
• Configuring user imports.
• Creating domain filters.
• Creating and enabling custom machine learning models.
• Creating GDPR reports.
Complete the following procedure to create a role for the tenant admin user.

3. Create a new role for the tenant admin user. For example, tenantAdmin.
4. Select the checkboxes as indicated in the following screen shot to add the permissions to the role.
5. Click Save.
UBA tenant user

The UBA tenant user has limited ability to manage the UBA instance but can do the following:
• View and analyze user data in UBA.
• Add notes.
• Create custom alerts.
• Create watchlists.
• Internally investigate users.
Complete the following procedure to create a role for the UBA tenant user.

3. Create a new role for a tenant user. For example, tenant_user.
4. Select the checkboxes as indicated in the following screen shot to add the permissions to the role.
5. Click Save.

Related concepts
Related tasks
or later.

By default, all rules are either enabled or disabled for every instance of UBA. If you have a need to make
any rule function for a subset of the instances, you will need to edit the rule as follows:
1. Make a copy of the rule and rename the rule and event to fit the situation. For example, if Domain1
wants the rule "UBA : Terminated User Activity" enabled while the others do not, copy the rule and
rename it "UBA : Terminated User Activity Domain1". Rename the event the same.
2. In the new rule, add the test "when the domain is one of the following" and select the domains it
should apply to. Move the test to the top of the list.
3. If the rule is one that writes out to some reference data, change the setting from Shared Data to
Domain Specific.
4. Make sure the new rule is enabled.
5. Save the rule.
6. Make sure the original rule is disabled.
Known issue
In QRadar 7.4.0 Fix Pack 1, there is no way to make the rule limiter domain aware. Each rule that applies
to more than a single domain will be limited across domains. For example, if Domain1 and Domain2 both
have a "John Doe" that triggers the same rule within the limitation time frame, only one of the users will
be flagged by the rule.
Related concepts
Related tasks
or later.

Chapter 8. Rules and tuning for the UBA app
The IBM QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain
behavioral anomalies.
The User Behavior Analytics (UBA) app includes use cases that are based on custom rules. These rules
are used to generate data for the UBA app dashboard. You can view, filter, and tune rules within the UBA
app.
Notes:
• In 3.6.0 and later, all of the rules are disabled by default except for the following 3 rules: UBA :
Unauthorized Access, UBA : Dormant Account Used, and UBA : New Account Use Detected.
• One or more of the log sources should provide information for the specific UBA rule. The log sources are
not prioritized in any particular order.
• 3.5.0 and later supports standard QRadar rules.
Restriction: Do not customize your rules to use the UBA and Machine Learning reference sets. Attempting
to use the reference sets in custom rules can lead to failures within the UBA app. For more information,
see “Reference sets” on page 52.
For more information about working with rules in QRadar, see Rules.
For more information about enabling Machine Learning user models, see “Enabling user models” on page
214.
Rules and tuning page

The Rules and Tuning page (Admin Settings > User Analytics > Rules and Tuning) includes a list of all
the rules that are included with the installed version of the UBA app. The Rules and Tuning page also
shows the current enabled status and the corresponding reference sets.
On the Rules and Tuning page, you can:
• Enable or disable UBA rules and other QRadar rules. Note: To enable and disable rules from the UBA
Rules and Tuning page, you must have rule editing privileges.
• Set the risk score and reset the risk score to default values. (3.5.0 and later)
• Quickly access the QRadar Rules Wizard to review or edit rules.
• Quickly access reference sets to review or edit their content.
• Filter the rules table by category, status, default risk score, reference sets required, and content
dependencies.
• Sort the rules table by rule name, reference set, or status.
• Search items in the table or words that are found in the rule description tooltip.
• Access the help documentation for individual rules.
Setting the risk score

In 3.5.0 and later, you can set and modify the risk score for UBA and other non-UBA QRadar rules on the
Rules and Tuning page.
Important: When you start managing the rules from the Rules and Tuning page, the risk score can be
changed only from the Rules and Tuning page. Setting the score to 0 (zero) will stop the event from
increasing the user's score without the need to disable the rule.
Note: The risk score maximum limit is configured in the Application Settings section on the UBA Settings
page. For more information, “Configuring application settings” on page 27.

Note: During the upgrade to 3.5.0, a risk score mapping for the System Monitoring, Reconnaissance, and
QRadar Network Insight rules occurs. If the score has been edited on the UBA version of these rules, that
score will be set on the corresponding rules that are now monitored directly by UBA.
UBA content pack summary

When you install the UBA app, content packages that contain UBA-specific rules are also installed. The
content packages and the count details are listed.
UBA-specific content packages, which contain rules for sending sense events, are installed as separate
extensions. Content packages are installed by default. If you choose to create your own custom rules that
send sense events to UBA, you can change the Install and upgrade content packages setting when you
configure UBA Settings.
Note: Not all content in each package is unique. The counts for custom rules will not match the number of
rules seen on the Rules and Tuning page. These counts include building blocks and other helper rules.
Content Pack Custom Rules Reference Custom Property QID Records

Data Properties Expressions
Access and 37 15 4 9 22
Authentication
Accounts and 32 5 2 9 12
Privileges
Browsing 20 0 2 14 19
Behavior
Cloud 16 2 5 6 12
DNS Analyzer 5 0 0 0 4
Domain 15 5 13 26 11
Controller
Endpoint 24 7 10 17 13
Exfiltration 24 1 3 17 11
Geography 12 4 0 0 7
Network Traffic 3 2 1 3 3
Threat 19 6 7 17 14
Intelligence
Access and authentication

UBA : Bruteforce Authentication Attempts
The QRadar User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral
anomalies.
UBA : Bruteforce Authentication Attempts
Enabled by default
False
Default senseValue
5
Description
Detects authentication failure brute force attack (Horizontal and Vertical).
Support rules
• BB:UBA : Common Event Filters
• BB:CategoryDefinition: Authentication Failures
• BB:UBA : Detecting Authentication Bruteforce Attempts (Horizontal)
• BB:UBA : Detecting Authentication Bruteforce Attempts (Vertical)
Log source types

3Com 8800 Series Switch, APC UPS, AhnLab Policy Center APC, Application Security DbProtect, Arpeggio
SIFT-IT,Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility
Controller, Avaya VPN Gateway, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security
Platform,Bluemix Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA
ACF2, CA SiteMinder, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server
Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco
Aironet,Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco FireSIGHT Management Center,
Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion
Prevention System (IPS), Cisco IronPort,Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN
3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix
Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter,
CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, CyberGuard
TSP Firewall/VPN, DCN DCS/DCRS Series, DG Technology MEAS, EMC VMWare, ESET Remote
Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-
Security.com SF-Sherlock, Epic SIEM,Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon
Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating
System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-
IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate
Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP
Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust
CloudControl, IBM AIX Audit, IBM AIX Server, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM
Guardium, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar
Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for
Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance,
IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business,
IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, ISC BIND, Illumio Adaptive
Security Platform, Imperva SecureSphere, Infoblox NIOS, Itron Smart Meter, Juniper Junos OS Platform,
Juniper Junos WebApp Secure, Juniper Networks Firewall and VPN, Juniper Networks Intrusion
Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted
Radius, Juniper WirelessLAN, Lieberman Random Password Manager, LightCyber Magna, Linux OS, Mac
OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS
Appliance, McAfee ePolicy Orchestrator, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft
Office 365, Microsoft SCOM, Microsoft SQL Server, Microsoft SharePoint, Microsoft Windows Security
Event Log, Motorola SymbolAP, Netskope Active, Nortel Application Switch, Nortel Contivity VPN
Switch,Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel
Ethernet Routing Switch 8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch
(SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, Okta,
Open LDAP Software, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic,
Oracle Database Listener, Oracle Enterprise Manager,Oracle RDBMS Audit Record, Oracle RDBMS OS
Audit Record, PGP Universal Server, Palo Alto PA Series,Pirean Access: One, ProFTPD Server, Proofpoint
Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure,RSA Authentication
Manager, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler Audit, SSH
CryptoAuditor, STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security
Monitoring, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM, Solaris
Operating System Authentication Messages, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid
Chapter 8. Rules and tuning for the UBA app 69

Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec
Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances,
Top Layer IPS, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security,Tripwire Enterprise,
Tropos Control, Universal DSM, VMware vCloud Director, Venustech Venusense Security Platform,
Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI
UBA : Detected Activity from a Locked Machine

anomalies.
UBA : Detected Activity from a Locked Machine
Enabled by default
False
Default senseValue
10
Description
Detects activity from a locked machine.
Support rules
BB:UBA : Common Event Filters
BB:UBA : Windows Process Created
BB:UBA : Workstation Locked
BB:UBA : Workstation Unlocked
Log source types

Microsoft Windows Security Event Log (EventID: 4688, 4800, 4801)
UBA : Executive Only Asset Accessed by Non-Executive User

anomalies.
UBA : Executive Only Asset Accessed by Non-Executive User
Enabled by default
False
Default senseValue
15
Description
Detects when a non-executive user logs on to an asset that is for executive use only. Two empty reference
sets will be imported with this rule : "UBA : Executive Users" and "UBA : Executive Assets". Edit the
reference sets to add or remove any accounts and IP addresses that are flagged from your environment.
Enable this rule after you configure the reference sets.
Support rules
• BB:CategoryDefinition: Authentication Success
• BB:CategoryDefinition: Firewall or ACL Accept
Required configuration
Add the appropriate values to the following reference set: "UBA : Executive Users" and "UBA : Executive
Assets".
Log source types

APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Apache HTTP Server, Application Security
DbProtect, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy
Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda
Web Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA
Service Controller,Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard
CRYPTOShield, Carbon Black Protection, Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco
ACS, Cisco Adaptive Security Appliance (ASA),Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS
for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine,
Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX
Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services
Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication
message filter, CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark
Vault, DCN DCS/DCRS Series, EMC VMWare, ESET Remote Administrator, Enterasys Matrix K/N/S Series
Switch, Enterasys XSR Security Routers, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE
Injected, Extreme 800-Series Switch,Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1
Switch, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and Standalone
Switches, F5 Networks BIG-IP APM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification
Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C
Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem, Huawei AR Series
Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM BigFix, IBM
DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino,IBM Proventia Network
Intrusion Prevention System (IPS), IBM QRadar Network Security XGS, IBM Resource Access Control
Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager
for Mobile, IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud
Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM
z/OS, IBM zSecure Alert, Illumio Adaptive Security Platform, Imperva SecureSphere, Itron Smart Meter,
Juniper Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and
VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security
Manager,Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman
Random Password Manager, Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall
Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Metainfo MetaIP,
Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server, Microsoft IIS, Microsoft ISA,
Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server,Microsoft
Windows Security Event Log, Motorola SymbolAP, NCC Group DDos Secure, Netskope Active, Niara, Nortel
Application Switch, Nortel Contivity VPN Switch, Nortel Contivity VPN Switch (obsolete), Nortel Ethernet
Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol
Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell
eDirectory, OS Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS, Oracle Acme Packet SBC, Oracle
Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS
Audit Record, Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security
Manager, Palo Alto PA Series,Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/
Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall,
Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit,SSH
Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform,
Snort Open Source IDS, Solaris BSM,Solaris Operating System Authentication Messages, Solaris
Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid Web
Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sybase ASE, Symantec

Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos
Control, Universal DSMVMware vCloud Director, VMware vShield, Venustech Venusense Security
Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate,
iT-CUBE agileSI
UBA : High Risk User Access to Critical Asset

anomalies.
UBA : High Risk User Access to Critical Asset
Enabled by default
False
Default senseValue
15
Description
Detects when a user involved in incidents (offenses) access to critical asset.
Support rules
Add the appropriate values to the following reference set: "Critical Assets".
Log source types

iT-CUBE agileSI
UBA : Multiple VPN Accounts Failed Login From Single IP

anomalies.
UBA : Multiple VPN Accounts Failed Login From Single IP
Enabled by default
False
Default senseValue
5
Description
Detects any VPN account login failures from the "UBA : Multiple VPN Accounts Failed Login From Single
IP" reference set.
Support rules
• UBA : Populate Multiple VPN Accounts Failed Login From Single IP
• BB:UBA : VPN Login Failed
Enable the following rule: "UBA : Populate Multiple VPN Accounts Failed Login From Single IP"

Log source types
Cisco Adaptive Security Appliance (ASA)
UBA : Multiple VPN Accounts Logged In From Single IP

anomalies.
UBA : Multiple VPN Accounts Logged In From Single IP
Enabled by default
False
Default senseValue
5
Description
Maps multiple VPN users that are coming from the same IP address and then raises the risk score. When
the rule detects VPN users coming from the same IP address, the IP address is added to the "UBA :
Multiple VPN Accounts Logged In From Single IP". Before enabling this rule, make sure the rule "UBA :
Populate Multiple VPN Accounts Logged In From Single IP" is enabled and the "UBA : Multiple VPN
Accounts Logged In From Single IP" reference set has data.
Support rules
• UBA : Populate Multiple VPN Accounts Logged In from Single IP
• BB:UBA : VPN Login Successful
Enable the following rule: "UBA : Populate Multiple VPN Accounts Logged In from Single IP"
Log source types

UBA : Repeat Unauthorized Access

anomalies.
UBA : Repeat Unauthorized Access
Enabled by default
False
Default senseValue
10
Description
Indicates that repeat unauthorized access activities were found.
Support rule
UBA : Unauthorized Access
Enable the following rule: "UBA : Unauthorized Access"
Log source types

Akamai KONA, Amazon AWS CloudTrail, Application Security DbProtect, Arbor Networks Pravail, Arpeggio
SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba Mobility Controller, Avaya VPN Gateway,
Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9
Security Platform, Blue Coat Web Security Service, BlueCat Networks Adonis, Bridgewater Systems AAA
Service Controller, Brocade FabricOS, CA ACF2,CA SiteMinder, CRE System, Carbon Black Protection,
Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance
(ASA), Cisco CSA,Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco Firewall Services Module
(FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco
IronPort, Cisco Nexus,Cisco PIX Firewall, Cisco Wireless Services Module (WiSM), Citrix NetScaler,
Configurable Firewall Filter, CorreLog Agent for IBM zOS, Custom Rule Engine, DCN DCS/DCRS Series, DG
Technology MEAS, EMC VMWare, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers,
Epic SIEM, Event CRE Injected, Extreme Dragon Network IPS, Extreme Stackable and Standalone
Switches, F5 Networks BIG-IP AFM, F5 Networks BIG-IP ASM, Fidelis XPS, Flow Classification Engine,
Forcepoint V Series, Fortinet FortiGate Security Gateway, Foundry Fastiron, H3C Comware Platform, HP
Network Automation, HP Tandem, Honeycomb Lexicon File Integrity Monitor, Huawei S Series Switch,
HyTrust CloudControl, IBM AIX Server, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM
Guardium, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM
Resource Access Control Facility (RACF), IBM Security Access Manager for Mobile, IBM Security Identity
Manager, IBM Security Network IPS (GX), IBM Tivoli Access Manager for e-business, IBM WebSphere
Application Server, IBM i, IBM z/OS, IBM zSecure Alert, ISC BIND, Illumio Adaptive Security Platform,
Imperva Incapsula, Imperva SecureSphere, Juniper Junos OS Platform, Juniper Networks Firewall and
Manager, Juniper WirelessLAN, Juniper vGW, Kaspersky Security Center, Kisco Information Systems
SafeNet/i, Lieberman Random Password Manager, Linux DHCP Server, Linux OS, Linux iptables Firewall,
Mac OS X, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee Web Gateway,
McAfee ePolicy Orchestrator, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft IAS Server,
Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SQL Server,
Microsoft Windows Security Event Log, NCC Group DDos Secure, Nortel Contivity VPN Switch, Nortel
Multiprotocol Router, Nortel VPN Gateway, OS Services Qidmap, OSSEC, Okta, Open LDAP Software,
OpenBSD OS, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Database Listener, Palo Alto PA Series,
PostFix MailTransferAgent, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse
Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro,
Riverbed SteelCentral NetProfiler Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT, Solaris
Operating System Authentication Messages, Solaris Operating System DHCP Logs, SonicWALL SonicOS,
Sophos Astaro Security Gateway, Sophos Enterprise Console, Sophos Web Security Appliance, Squid Web
Proxy, Stonesoft Management Center, Sun ONE LDAP, Symantec Critical System Protection, Symantec
Endpoint Protection, Symantec Gateway Security (SGS) Appliance, Symantec System Center, Symark
Power Broker, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series Appliances, Top
Layer IPS, Trend InterScan VirusWall, Trend Micro Deep Security, Universal DSM, Venustech Venusense
Security Platform,Vormetric Data Security, WatchGuard Fireware OS, Zscaler Nss, genua genugate, iT-
CUBE agileSI
UBA : Terminated User Activity

anomalies.
UBA : Terminated User Activity
Enabled by default
False

Default senseValue
25
Description
Detects activity from any user that is listed as terminated or resigned.
Add the appropriate values to the following reference sets: "UBA : Terminated Users".
Note: This rule does not ignore any log sources.
Log source types

Any log source that provides a username.

anomalies.
Enabled by default
True
Default senseValue
10
Description
Indicates that unauthorized access activities were found.
Support rules
• BB:UBA : Access Denies
• BB:UBA : Application Denies
Log source types

Service Controller, Brocade FabricOS, CA ACF2,CA SiteMinder, CRE System, Carbon Black Protection,
Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance
IronPort, Cisco Nexus,Cisco PIX Firewall, Cisco Wireless Services Module (WiSM), Citrix NetScaler,
Mac OS X, McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee Web Gateway,
Security Platform,Vormetric Data Security, WatchGuard Fireware OS, Zscaler Nss, genua genugate, iT-
CUBE agileSI
UBA : Unix/Linux System Accessed With Service or Machine Account

anomalies.
UBA : Unix/Linux System Accessed With Service or Machine Account
Enabled by default
False
Default senseValue
15
Description
Detects any interactive session (through GUI and CLI, both local and remote login) that is initiated by a
service or machine account in UNIX and Linux servers. Accounts and allowed interactive sessions are
listed in the UBA : Service, Machine Account and the UBA : Allowed Interaction Session reference sets.
Edit the reference sets to add or remove any interactive session that you want to flag from your
environment.
Support rules
• BB:CategoryDefinition: Firewall or ACL Accept
Add the appropriate values to the following reference sets: "UBA : Service, Machine Account" and "UBA :
Allowed Interactive Session".

Log source types
Linux OS
UBA : User Access - Failed Access to Critical Assets

anomalies.
UBA : User Access - Failed Access to Critical Assets
Enabled by default
False
Default senseValue
5
Description
This rule detects authentication failures for systems located in the Critical Assets reference set.
Support Rules
Log source types

SIFT-IT,Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility
Controller, Avaya VPN Gateway, Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security
Platform,Bluemix Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA
ACF2, CA SiteMinder, CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Server
Suite, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco
Aironet,Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco FireSIGHT Management Center,
Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion
Prevention System (IPS), Cisco IronPort,Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN
3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix
Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable Authentication message filter,
CorreLog Agent for IBM zOS, CrowdStrike Falcon Host, Custom Rule Engine, Cyber-Ark Vault, CyberGuard
TSP Firewall/VPN, DCN DCS/DCRS Series, DG Technology MEAS, EMC VMWare, ESET Remote
Administrator, Enterasys Matrix K/N/S Series Switch, Enterasys XSR Security Routers, Enterprise-IT-
Security.com SF-Sherlock, Epic SIEM,Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon
Network IPS, Extreme HiPath, Extreme Matrix E1 Switch, Extreme Networks ExtremeWare Operating
System (OS), Extreme Stackable and Standalone Switches, F5 Networks BIG-IP APM, F5 Networks BIG-
IP LTM, F5 Networks FirePass, Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate
Security Gateway, Foundry Fastiron, FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP
Network Automation, HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust
CloudControl, IBM AIX Audit, IBM AIX Server, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM
Guardium, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar
Network Security XGS, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for
Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Identity Governance,
IBM Security Identity Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business,
IBM WebSphere Application Server, IBM i, IBM z/OS, IBM zSecure Alert, ISC BIND, Illumio Adaptive
Security Platform, Imperva SecureSphere, Infoblox NIOS, Itron Smart Meter, Juniper Junos OS Platform,
Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Juniper Steel-Belted
Radius, Juniper WirelessLAN, Lieberman Random Password Manager, LightCyber Magna, Linux OS, Mac
OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield Network IPS
Appliance, McAfee ePolicy Orchestrator, Microsoft IAS Server, Microsoft IIS, Microsoft ISA, Microsoft
Office 365, Microsoft SCOM, Microsoft SQL Server, Microsoft SharePoint, Microsoft Windows Security
Event Log, Motorola SymbolAP, Netskope Active, Nortel Application Switch, Nortel Contivity VPN
Switch,Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel
(SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, Okta,
Open LDAP Software, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault, Oracle BEA WebLogic,
Oracle Database Listener, Oracle Enterprise Manager,Oracle RDBMS Audit Record, Oracle RDBMS OS
Audit Record, PGP Universal Server, Palo Alto PA Series,Pirean Access: One, ProFTPD Server, Proofpoint
Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure,RSA Authentication
Top Layer IPS, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security,Tripwire Enterprise,
UBA : User Access - First Access to Critical Assets

anomalies.
Supports:
• UBA : User Access First Access to Critical Assets
• UBA : Critical Systems Users Seen Update
Enabled by default
False
Default senseValue
10
Description
UBA : User Access First Access to Critical Assets: Indicates that this is the first time the user accessed
a critical asset. The "Critical Systems Users Seen" reference collection governs the time-to-live of an
observation. By default this rule detects the first access in three months.
UBA : Critical Systems Users Seen Update: Updates the last seen value in the "Critical Systems Users
Seen" reference collection for Destination IP/Username matches that already exist.
Support rules

Log source types
iT-CUBE agileSI
UBA : User Access from Multiple Hosts
anomalies.
UBA : UBA : User Access from Multiple Hosts
Enabled by default
False
Default senseValue
5
Description
Detects when a single user logs in from more than an allowed number of devices.
Support rule
Log source types

Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System, CRYPTOCard
ACS, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS
Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1
DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM IMS, IBM Lotus Domino, IBM Proventia Network
Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN, Kaspersky Security Center, Lieberman
Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft

Manager, Palo Alto PA Series, Pirean Access: One, ProFTPD Server, Proofpoint Enterprise Protection/
Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH
Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages, Solaris
Control, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense Security
iT-CUBE agileSI
UBA : User Access to Internal Server From Jump Server

anomalies.
UBA : User Access to Internal Server From Jump Server
Enabled by default
False
Default senseValue
10
Description
Detects when a user uses a jump server to access the VPN or internal servers.
Support Rules
Add the appropriate values to the following reference sets: "UBA : Jump Servers" and "UBA : Internal
Servers".
Log source types

iT-CUBE agileSI
UBA : User Access Login Anomaly

anomalies.
UBA : User Access Login Anomaly
Enabled by default
False
Default senseValue
5

Description
Indicates a sequence of login failures on a local asset. The rule might also indicate an account
compromise or lateral movement activity. Ensure that the Multiple Login Failures for Single Username rule
is enabled. Adjust the match and time duration parameters for this rule to tune the responsiveness.
Support rules
• Multiple Login Failures for Single Username
Enable the following rule: "Multiple Login Failures for Single Username"
Log source types

All supported log sources.
UBA : User Accessing Account from Anonymous Source

anomalies.
UBA : User Accessing Account from Anonymous Source
Enabled by default
False
Default senseValue
15
Description
Indicates that a user is accessing internal resources from an anonymous source such as TOR or a VPN.
Support Rules
Required Configuration
Set "Enable X-Force Threat Intelligence Feed" to Yes in Admin Settings > System Settings.
Log source types

CRYPTOShield, Carbon Black Protection,Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS,
Cisco Adaptive Security Appliance (ASA),Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for
Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine,
Cisco Intrusion Prevention System (IPS), Cisco IronPort,Cisco NAC Appliance, Cisco Nexus, Cisco PIX
Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo,Configurable Authentication
for Mobile,IBM Security Identity Governance, IBM Security Identity Manager, IBM SmartCloud
Enterprise, McAfee IntruShield Network IPS Appliance,McAfee ePolicy Orchestrator, Metainfo MetaIP,
Routing Switch 2500/4500/5500,Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol
iT-CUBE agileSI
UBA : User Time, Access at Unusual Times

anomalies.
UBA : User Time, Access at Unusual Times
Enabled by default
False
Default senseValue
5

Description
Indicates that users are successfully authenticating at times that are unusual for your network, as defined
by "UBA: Unusual Times, %" building blocks.
Support rules
• BB:UBA : Unusual Times, Evening
• BB:UBA : Unusual Times, Overnight
Log source types

iT-CUBE agileSI
UBA : VPN Access By Service or Machine Account

anomalies.
UBA : VPN Access By Service or Machine Account
Enabled by default
False
Default senseValue
10
Description
Detects when a Cisco VPN is accessed by a service or machine account. Accounts are listed in the 'UBA :
Service, Machine Account' reference set. Edit this list to add or remove any accounts to flag from your
environment.
Support rule
BB:UBA : VPN Mapping (logic)
Add the appropriate values to the following reference sets: "UBA : Service, Machine Account".
Log source types

UBA : VPN Certificate Sharing

anomalies.
UBA : VPN Certificate Sharing
Enabled by default
False
Note: If you plan to use the UBA : VPN Certificate Sharing rule, you must update the Cisco Firewall DSM to
the following:
• For V7.3.1 and later: DSM-CiscoFirewallDevices-7.3-20170619132427.noarch.rpm
Default senseValue
15

Description
This rule detects when a VPN event's Username is not equal to 'VPNSubjectcn'. This could indicate that
there is VPN certificate sharing occurring. Certificate sharing or other authentication token sharing can
make it difficult to identify who's done what. This can complicate taking next steps in the event of a
compromise.
Support rules
• BB:UBA : VPN Mapping (logic)
• UBA : Subject_CN and Username Map Update
• UBA : Subject_CN and Username Mapping
These rules update the associated reference sets with the required data.
Enable the following rules:
• UBA : Subject_CN and Username Map Update
• UBA : Subject_CN and Username Mapping
Log source types

UBA : Windows Access with Service or Machine Account

anomalies.
UBA : Windows Access with Service or Machine Account
Enabled by default
False
Default senseValue
15
Description
Detects any interactive session (RDP, local login) that is initiated by a service or machine account in
Windows Server. Accounts are listed in the UBA : Service, Machine Account reference set. Edit the list to
add or remove any accounts to flag from your environment.
Support rules
Add the appropriate values to the following reference sets: "UBA : Service, Machine Account".
Log source types

Microsoft Windows Security Event Log (EventID: 4776)
Accounts and privileges
UBA : Account or Group or Privileges Added
anomalies.
UBA : Account or Group or Privileges Added (formerly called UBA : Account, Group or Privileges Added or
Modified)
Enabled by default
False
Default senseValue
5
Description
Detects events that a user performs and that fit into one of the following categories. The rule dispatches
an IBM Sense event to increment the originating user's risk score.
• Authentication.Group Added
• Authentication.Group Changed
• Authentication.Group Member Added
• Authentication.Computer Account Added
• Authentication.Computer Account Changed
• Authentication.Policy Added
• Authentication.Policy Change
• Authentication.Trusted Domain Added
• Authentication.User Account Added
• Authentication.User Account Changed
• Authentication.User Right Assigned
Note: To tune the impact of this rule on users' overall risk scores, consider modifying the building block
rule "CategoryDefinition: Authentication User or Group Added or Changed" by adding event categories of
interest to your organization.
Support rules
• BB:UBA : Authentication User or Group or Policy Added
Log source types

Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CRE System,Carbon Black Protection,
Centrify Server Suite, Check Point, Cilasoft QJRN/400,Cisco ACS, Cisco Adaptive Security Appliance
IronPort, Cisco Nexus, Cisco PIX Firewall, Cisco Wireless Services Module (WiSM), Citrix NetScaler,

Mac OS X,McAfee Firewall Enterprise, McAfee IntruShield Network IPS Appliance, McAfee Web Gateway,
Security Platform, Vormetric Data Security, WatchGuard Fireware OS, Zscaler Nss,genua genugate, iT-
CUBE agileSI
Related concepts
UBA : Account or Group or Privileges Modified
anomalies.
UBA : DoS Attack by Account Deletion
anomalies.
UBA : User Account Created and Deleted in a Short Period of Time
anomalies.
UBA : Dormant Account Used
anomalies.
UBA : Dormant Account Use Attempted
anomalies.
UBA : Expired Account Used
anomalies.
UBA : First Privilege Escalation
anomalies.
UBA : New Account Use Detected
anomalies.
UBA : Suspicious Privileged Activity (First Observed Privilege Use)
anomalies.
UBA : Suspicious Privileged Activity (Rarely Used Privilege)
anomalies.
UBA : User Attempt to Use Disabled Account
anomalies.
UBA : User Attempt to Use a Suspended Account
anomalies.

anomalies.
UBA : Account or Group or Privileges Modified (formerly called UBA : User Account Change)
Enabled by default
False
Default senseValue
10
Description
Indicates when a user account was affected by an action which changes the user’s effective privileges,
either up or down.
False positive note: This event might misattribute modifications to an account name to the user making
the changes. If you want to reduce this false positive possibility you can add the test 'and when Username
equals AccountName'.
False negative note: This event might not detect all cases of account modifications for a user.
Support rules
• BB:UBA : Authentication User or Group or Policy Changed
Log source types

Microsoft Windows Security Event Log (EventID: 626, 642, 644, 1300, 1317, 625, 629, 4672, 4722,
4725, 4738, 4765, 4767, 4781, 4737, 4755)
Related concepts
anomalies.

anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
10
Description
Detects DoS attack by checking the number of account deletion events against a fixed threshold within
fixed time span.
Support rules
• BB:UBA : User Account Deleted
Log source types

Amazon AWS CloudTrail (EventID: DeleteUser)
Application Security DbProtect (EventID: Login revoked - Windows, Login dropped - standard, Database
role - dropped, Database user revoked)
Aruba Mobility Controller (EventID: authmgr_user_del)
Box (EventID: DELETE_USER)
Brocade FabricOS (EventID: SEC-1181, SEC-3028)
CA ACF2 (EventID: ACF2-L)
Check Point (EventID: user_deleted, device_deleted, User Deleted)
Cilasoft QJRN/400 (EventID: C20020)
Cisco Adaptive Security Appliance (ASA) (EventID: %PIX|ASA-5-502102, %ASA-5-502102)
Cisco FireSIGHT Management Center (EventID: USER_REMOVED_CHANGE_EVENT)
Cisco Firewall Services Module (FWSM) (EventID: 502102)
Cisco Identity Services Engine (EventID: 86008, 86028)
Cisco NAC Appliance (EventID: CCA-1453, CCA-1502)
Cisco Nexus (EventID: SECURITYD-6-DELETE_STALE_USER_ACCOUNT)
Cisco Wireless LAN Controllers (EventID: 1.3.6.1.4.1.9.9.515.0.1)
CloudPassage Halo (EventID: Halo user deleted, Local account deleted (linux only))
CorreLog Agent for IBM zOS (EventID: RACF DELUSER: No Violations)
Custom Rule Engine (EventID: 3035, 3043)
Cyber-Ark Vault (EventID: 276)
EMC VMWare (EventID: AccountRemovedEvent)
Extreme Dragon Network IPS (EventID: HOST:LINUX:USER-DELETED, HOST:WIN:ACCOUNT-DELETED)
Extreme Matrix K/N/S Series Switch (EventID: User Deleted Event, has been deleted)
Extreme NAC (EventID: Deleted registered user)
Extreme NetsightASM (EventID: UserRemove)
Flow Classification Engine (EventID: 3035, 3043)
Forcepoint Sidewinder (EventID: passport deletion, all passports revoked)
HBGary Active Defense (EventID: DeleteUser)
HP Network Automation (EventID: User Deleted)
Huawei S Series Switch (EventID: SSH/6/DELUSER_SUCCESS)
IBM AIX Audit (EventID: USER_Remove SUCCEEDED)
IBM AIX Server (EventID: USER_Remove)
IBM DB2 (EventID: DROP_USER SUCCESS)
IBM DataPower (EventID: 0x81000136)

IBM IMS (EventID: USER DELETED)
IBM Proventia Network Intrusion Prevention System (IPS) (EventID: Delete User)
IBM QRadar Packet Capture (EventID: UserDeleted)
IBM Resource Access Control Facility (RACF) (EventID: 80 17.2, DELUSER_SUCCESS, 80 17.0)
IBM Security Access Manager for Enterprise Single Sign-On (EventID: REVOKE_IMS_ID, DELETE_IMS_ID)
IBM Security Directory Server (EventID: SDS Audit)
IBM Security Identity Governance (EventID: 50, 43, 70005)
IBM Security Identity Manager (EventID: Delete SUCCESS, Delete SUBMITTED, Delete Success)
IBM SmartCloud Orchestrator (EventID: user)
IBM Tivoli Access Manager for e-business (EventID: 13408 - Succeeded, 13408 Command Succeeded)
IBM i (EventID: GSL2502, M250100, DO_USRPRF, GSL2602, GSL2601, M260100, MC@0400, GSL2501)
IBM z/OS (EventID: 80 1.35)
Juniper Networks Network and Security Manager (EventID: adm24473)
Linux OS (EventID: userDel, Account Deleted, DEL_USER)
McAfee Application/Change Control (EventID: USER_ACCOUNT_DELETED)
McAfee ePolicy Orchestrator (EventID: 20793)
Microsoft ISA (EventID: user removed)
Microsoft Office 365 (EventID: Delete User-PartiallySucceded, Delete user-success, Delete User-success,
Delete user-PartiallySucceded)
Microsoft SQL Server (EventID: 24129, DR - US, DR - SL, DR - LX, DR - AR,DR - SU, 24076, 24123, 38)
Microsoft Windows Security Event Log (EventID: 4743, 630, 1327, 647, 4726)
Netskope Active (EventID: Delete Admin, Deleted admin)
Nortel Application Switch (EventID: User Deleted)
Novell eDirectory (EventID: DELETE_ACCOUNT)
OS Services Qidmap (EventID: Account Deleted, User Deleted)
OSSEC (EventID: 18112)
Okta (EventID: core.user_group_member.user_remove, app.generic.import.details.delete_user)
Oracle Enterprise Manager (EventID: Computer Delete (successful), User Delete (successful))
Oracle RDBMS Audit Record (EventID: DROP USER-Standard:1, 53:1, 53:0,DROP USER-Standard:0, 53)
PGP Universal Server (EventID: ADMIN_DELETED_USER)
Palo Alto Endpoint Security Manager (EventID: User Deleted)
Pulse Secure Pulse Connect Secure (EventID: SYN24849, ADM20722, ADM24473, SYN24745,
SYN24850)
RSA Authentication Manager (EventID: unknown, Deleted user, REMOVE_ORPHANED_PRINCIPALS,
REMOTE_PRINCIPAL_DELETE, DELETE_PRINCIPAL)
SIM Audit (EventID: Configuration-UserAccount-AccountDeleted)
STEALTHbits StealthINTERCEPT (EventID: Active DirectorycomputerObject DeletedTrueFalse, Active
DirectoryuserObject DeletedTrueFalse, Console user/group deleted, Console user/group deleted)
SafeNet DataSecure/KeySecure (EventID: Removed user)
Skyhigh Networks Cloud Security Platform (EventID: 10017)
Solaris BSM (EventID: delete user)
SonicWALL SonicOS (EventID: 559, 1157, 1158)
Trend Micro Deep Security (EventID: 651)
Universal DSM (EventID: Computer Account Removed, User Account Removed)
VMware vCloud Director (EventID: com/vmware/vcloud/event/user/remove, com/vmware/vcloud/event/
user/delete)
Vormetric Data Security (EventID: DAO0090I)
iT-CUBE agileSI (EventID: AU8, U0)
Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.

anomalies.
Enabled by default
False
Default senseValue
15
Description
Detects when an user account is created and deleted in a short period of time.
Support rules
• BB:UBA : User Account Created
• BB:UBA : User Account Deleted
Log source types

Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
True
Default senseValue
10
Description
Detects the successful log in from an account that has been determined to be dormant.
For details on how accounts are determined to be dormant, see “Dormant accounts” on page 45.
Support rule
Log source types

Any supported log source that provides a username in the event.
Related concepts
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
5
Description
Detects the failed log in attempt from an account that has been determined to be dormant.
For details on how accounts are determined to be dormant, see “Dormant accounts” on page 45.
Support rule
Log source types

SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility
Controller, Avaya VPN Gateway,Barracuda Web Application Firewall, Barracuda Web Filter, Bit9 Security
Platform, Box, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder,
CRE System, CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Identity Platform, Centrify
Infrastructure Services, Check Point,Cilasoft QJRN/400, Cisco ACS,Cisco Adaptive Security Appliance
(ASA), Cisco Aironet, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco FireSIGHT
Management Center,Cisco Firewall Services Module (FWSM),Cisco IOS,Cisco Identity Services
Engine,Cisco Intrusion Prevention System (IPS),Cisco IronPort,Cisco NAC Appliance, Cisco Nexus, Cisco
PIX Firewall, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless
Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Configurable
Authentication message filter, CorreLog Agent for IBM zOS,CrowdStrike Falcon Host,Custom Rule Engine,
Cyber-Ark Vault, CyberGuard TSP Firewall/VPN, DCN DCS/DCRS Series, DG Technology MEAS, EMC
VMWare, ESET Remote Administrator, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM,Event CRE
Injected,Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme Matrix E1
Switch,Extreme Matrix K/N/S Series Switch,Extreme Networks ExtremeWare Operating System (OS),
Extreme Stackable and Standalone Switches, Extreme XSR Security Routers, F5 Networks BIG-IP APM,
F5 Networks BIG-IP LTM, F5 Networks FirePass, Flow Classification Engine, Forcepoint Sidewinder,
ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron, FreeRADIUS, H3C
Comware Platform, HBGary Active Defense, HP Network Automation, HP Tandem,Huawei AR Series
Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM Bluemix
Platform, IBM DB2, IBM DataPower,IBM Fiberlink MaaS360, IBM Guardium, IBM Lotus Domino, IBM
Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS,IBM Resource
Access Control Facility (RACF),IBM Security Access Manager for Enterprise Single Sign-On, IBM Security
Access Manager for Mobile, IBM Security Identity Governance, IBM Security Identity Manager,IBM
SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business,IBM WebSphere Application
Server,IBM i,IBM z/OS,IBM zSecure Alert, ISC BIND, Illumio Adaptive Security Platform, Imperva
SecureSphere, Infoblox NIOS, Itron Smart Meter, Juniper Junos OS Platform, Juniper Junos WebApp
Secure, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP),
Juniper Networks Network and Security Manager, Juniper Steel-Belted Radius, Juniper WirelessLAN,
Lieberman Random Password Manager, LightCyber Magna, Linux OS, Mac OS X, McAfee Application/
Change Control,McAfee Network Security Platform,McAfee ePolicy Orchestrator, Microsoft IAS Server,
Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft SCOM, Microsoft SQL Server, Microsoft
SharePoint, Microsoft Windows Security Event Log, Motorola SymbolAP, Netskope Active, Nortel
eDirectory, OS Services Qidmap, OSSEC, Okta,OpenBSD OS, Open LDAP Software, Oracle Acme Packet
SBC, Oracle Audit Vault, Oracle BEA WebLogic, Oracle Enterprise Manager, Oracle RDBMS Audit Record,
Palo Alto PA Series, Pirean Access: One, PostFix MailTransferAgent, ProFTPD Server, Proofpoint
Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication
Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center, Sun ONE LDAP, Sybase
ASE,Symantec Encryption Management Server, Symantec Endpoint Protection, TippingPoint Intrusion
Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend Micro Deep Discovery
Email Inspector, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Tripwire Enterprise,
Related concepts
anomalies.
anomalies.

anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
UBA : Expired Account Used. (formerly called UBA : Orphaned or Revoked or Suspended Account Used)
Enabled by default
False
Default senseValue
10
Description
Indicates that a user attempted to log in to a disabled or an expired account on a local system. This rule
might also suggest that an account was compromised.
Although not required, you can enable Search assets for username, when username is not available for
event or flow data in Admin Settings > UBA Settings.
Support rules
• BB:CategoryDefinition: Authentication to Expired Account
• BB:UBA : Expired Accounts (Kerberos)
Log source types

Extreme Dragon Network IPS (EventID: HOST:WIN:532-ACCOUNT-EXPIRED, HOST:WIN:535-PWD-
EXPIRED)
Microsoft Windows Security Event Log (EventID: 532, 535, 4768, 4771, 4772, 4625, 4776)
IBM Proventia Network Intrusion Prevention System (IPS) (EventID: Failed_login-account_expired,
Failed_login-password_expired, NovellEdirectoryExpiredAccounts, SolarisUseraddExpiredAccounts)
Cisco CatOS for Catalyst Switches (EventID: HA_POLICY_TIMER_EXPIRED)
Juniper Junos OS Platform (EventID: LOGIN_PASSWORD_EXPIRED)
Microsoft IAS Server (EventID: IAS_ACCOUNT_EXPIRED)
Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.

anomalies.
Enabled by default
False
Default senseValue
10
Description
Indicates that a user executed privileged access for the first time. This reporting rule can be disabled to
allow the tracking of user behaviors for baselining purposes.
Support rule
BB:UBA : Privileged User, First Time Privilege Use (logic)
Log source types

APC UPS, AhnLab Policy Center APC, Amazon AWS CloudTrail, Application Security DbProtect, Arbor
Networks Pravail, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy
Manager, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Web Application Firewall, Bit9
Security Platform, Bluemix Platform, Box, Bridgewater Systems AAA Service Controller, Brocade
FabricOS, CA ACF2,CA Top Secret, CRE System, Carbon Black Protection, Centrify Server Suite, Check
Point, Cilasoft QJRN/400, Cisco ACSCisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA,
Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco FireSIGHT Management Center, Cisco
Firewall Services Module (FWSM), Cisco IOS,Cisco Identity Services Engine, Cisco Intrusion Prevention
System (IPS), Cisco IronPort, Cisco NAC Appliance, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000
Series Concentrator, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Citrix
Access Gateway, Citrix NetScaler, CloudPassage Halo, Cloudera Navigator, CorreLog Agent for IBM zOS,
Custom Rule Engine, Cyber-Ark Vault, DCN DCS/DCRS Series, DG Technology MEAS, EMC VMWare,
Enterasys Matrix K/N/S Series Switch, Enterprise-IT-Security.com SF-Sherlock, Epic SIEM, Event CRE
Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiPath, Extreme NAC,
Extreme NetsightASM, F5 Networks BIG-IP APM, F5 Networks BIG-IP ASM, F5 Networks BIG-IP LTM,
Flow Classification Engine, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron,
H3C Comware Platform, HBGary Active Defense, HP Network Automation, Honeycomb Lexicon File
Integrity Monitor, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX
Audit, IBM AIX Server, IBM BigFix, IBM DB2, IBM DataPower,IBM Fiberlink MaaS360, IBM Guardium,
IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar
Packet Capture, IBM Resource Access Control Facility (RACF), IBM Security Access Manager for
Enterprise Single Sign-On, IBM Security Directory Server, IBM Security Identity Governance, IBM Security
Identity Manager, IBM Security Trusteer Apex Advanced Malware Protection, IBM SmartCloud
z/OS, IBM zSecure Alert, ISC BIND, Imperva SecureSphere, Itron Smart Meter, Juniper Junos OS
Platform,Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN, Juniper
Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager,
Juniper WirelessLAN, Juniper vGW, Kaspersky Security Center, Lieberman Random Password Manager,
Linux OS, Mac OS X, McAfee Application/Change Control, McAfee Firewall Enterprise, McAfee IntruShield
Network IPS Appliance,McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft DHCP Server, Microsoft
Endpoint Protection, Microsoft Hyper-V, Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft
Operations Manager, Microsoft SCOM, Microsoft SQL Server, Microsoft SharePoint, Microsoft Windows
Security Event Log, NCC Group DDos Secure, Netskope Active, Niara, Nortel Application Switch, Nortel
Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch 8300/8600, Nortel Secure
Network Access Switch (SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS
Services Qidmap, OSSEC, ObserveIT, Okta, OpenBSD OS,Oracle Acme Packet SBC, Oracle Audit Vault,
Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit Record,
Oracle RDBMS OS Audit Record, PGP Universal Server, Palo Alto Endpoint Security Manager, Palo Alto PA
SeriesPirean Access: One, PostFix MailTransferAgent, Proofpoint Enterprise Protection/Enterprise
Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware
DefensePro, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH CryptoAuditor, STEALTHbits
StealthINTERCEPT, SafeNet DataSecure/KeySecure, Salesforce Security Auditing, Samhain HIDS,
Sentrigo Hedgehog, Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, Solaris BSM,
Solaris Operating System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL
SonicOS, Squid Web Proxy, Starent Networks Home Agent (HA), Stonesoft Management Center,Sybase
ASE, Symantec Critical System Protection, Symantec Endpoint Protection, Symantec System Center,
System Notification, ThreatGRID Malware Threat Intelligence Platform, TippingPoint Intrusion Prevention
System (IPS),TippingPoint X Series Appliances, Top Layer IPS, Trend Micro Control Manager, Trend Micro
Deep Discovery Email Inspector, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security,
Tripwire Enterprise, Universal DSM, VMware vCloud Director, VMware vShield, Venustech Venusense
Security Platform, Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua
genugate, iT-CUBE agileSI
Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
anomalies.

anomalies.
Enabled by default
True
Default senseValue
5
Description
Provides reporting functions that indicate an account successfully used for the first time. Accounts are
tracked and monitored by the UBA app.
Note: Prior to UBA V3.5.0 this rule monitored every event coming into QRadar and added any new user
account seen on an event to UBA. It populated a reference set that stored all of the user accounts and
compared every event to this reference set. Starting in V3.5.0 this rule now triggers when the app sends
in an event indicating the account is new. All accounts are stored in the UBA database instead of a
reference table. For more information on how new accounts are detected, see “New accounts” on page
44.
Log source types

IBM Sense (EventID: new account use detected)
Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
5
Description
Indicates that a user executed a privileged action that the user never executed before. Observations are
kept in "UBA : Observed Activities by Low Level Category and Username" map-of-sets.
Support rules
• BB:UBA : Privileged Activity
Log source types


Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
10
Description
Indicates that a user executed a privileged action that the user has not executed recently. Observations
are kept in "UBA : Recent Activities by Low Level Category and Username" map-of-sets. The sensitivity of
this event can be modified by changing the TTL (time-to-live) of the Reference Map-of-Sets for "UBA :
Recent Activities by Low Level Category and Username". Increasing the TTL reduces the sensitivity.
Decreasing the TTL increases the sensitivity.
Support rules
• BB:UBA : Privileged Activity
Log source types


Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
10
Description
Detects when a user tries to access the organization resources by using a disabled account.
Support rules
• BB:CategoryDefinition: Authentication to Disabled Account
• BB:UBA : Disabled Accounts (Kerberos)
• BB:UBA : Common Log Source Filters

Log source types
Extreme Dragon Network IPS (EventID: HOST:TACACS:REJECTED-USER, HOST:TACACS:REJECTED-
USER2, HOST:WIN:530-FAILED-RESTRICTED, HOST:WIN:531-ACCOUNT-DISABLED, HOST:WIN:533-
FAILED-NOT-ALLOWED, HOST:WIN:539-ACCOUNT-LOCKED, HOST:WIN:DIAL-IN-LOCKOUT, HOST:WU-
FTP:DISABLED-ACCOUNT)
Microsoft Windows Security Event Log (EventID: 530, 531, 533, 534, 644, 1327, 644, 4769, 4771, 4773,
4625 Account Disabled, 4625 Account Expired, 4625 Logon Outside Normal Time, 4625 User Locked
Out)
IBM Proventia Network Intrusion Prevention System (IPS) (EventID: Disabled Account Blank Pwd,
Disabled Account User Pwd, Failed_login-account_disabled, Failed_login-account_locked_out,
Failed_login-not_authorized_for_console_login, Failed_login-time_restriction_violation, Guessed
Disabled Account Pwd, User_account_disabled, User_account_locked_out)
Cisco Intrusion Prevention System (IPS) (EventID: 3343)
Microsoft IAS Server (EventID: IAS_ACCOUNT_DISABLED, IAS_ACCOUNT_LOCKED_OUT,
IAS_DIALIN_DISABLED, IAS_DIALIN_LOCKED_OUT)
Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
10
Description
Detects when a user tries to access the organization resources by using suspended or blocked privileges.
Although not required, you can enable Search assets for username, when username is not available for
event or flow data in Admin Settings > UBA Settings.
Log source types

Cisco Intrusion Prevention System (IPS), Extreme Dragon Network IPS, IBM Proventia Network Intrusion
Prevention System (IPS), Microsoft ISA, Microsoft Windows Security Event Log (EventID:
4656,4661,4673)
Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
anomalies.
anomalies.
anomalies.
Browsing behavior
UBA : Browsed to Business/Service Website
anomalies.
Enabled by default
False
Default senseValue
5
Description
A user has accessed a URL that might indicate an elevated security or legal risk.
Support rule
BB:UBA : URL Category Filter
Log source types

Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Palo Alto PA Series,
Forcepoint V Series, Fortinet FortiGate Security Gateway
Related concepts
UBA : Browsed to Communications Website
anomalies.
UBA : Browsed to Education Website
anomalies.
UBA : Browsed to Entertainment Website
anomalies.
UBA : Browsed to Gambling Website
anomalies.
UBA : Browsed to Government Website
anomalies.
UBA : Browsed to Information Technology Website
anomalies.
UBA : Browsed to Job Search Website
anomalies.
UBA : Browsed to LifeStyle Website
anomalies.
UBA : Browsed to Malicious Website
anomalies.
UBA : Browsed to Mixed Content/Potentially Adult Website
anomalies.
UBA : Browsed to Phishing Website
anomalies.
UBA : Browsed to Pornography Website
anomalies.
UBA : Browsed to Religious Website
anomalies.
UBA : Browsed to Scam/Questionable/Illegal Website
anomalies.
UBA : Browsed to Social Networking Website
anomalies.
UBA : Browsed to Uncategorized Website
anomalies.
UBA: User Accessing Risky URL
anomalies.

anomalies.
Enabled by default
False
Default senseValue
5

Description
A user has accessed a URL which may indicate elevated security or legal risk.
Support rule
Log source types

Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
5
Description
Detected user browsing a website associated with education content.
Support rule
Log source types

Related concepts
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
5
Description
A user accessed a URL that might indicate elevated security or legal risk.
Support rule
Log source types

Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
5
Description
Support rule
Log source types

Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
5

Description
Detected user browsing a website associated with government content.
Support rule
Log source types

Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
5
Description
Support rule
Log source types

Related concepts
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
15
Description
Support rule
Log source types

Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
5
Description
A user has accessed a URL that might indicate an elevated security or legal risk.
Support rule
Log source types

Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
15

Description
Support rule
Log source types

Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
10
Description
Support rule
Log source types

Related concepts
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
15
Description
Support rule
Log source types

Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
10
Description
Support rule
Log source types

Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
5

Description
A user accessed a URL that is associated with religious content.
Support rule
Log source types

Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
5
Description
Support rule
Log source types

Related concepts
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
15
Description
A user accessed a website that is categorized as Social Networking.
Support rules
Log source types

Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
5
Description
A user accessed a URL that might indicate an elevated security or legal risk.
Support rule
Log source types

Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
UBA: User Accessing Risky URL (previously called X-Force Risky URL)
Enabled by default
False
Description
This rule detects when a local user is accessing questionable online content.

Support rules
• X-Force Risky URL
• Set Enable X-Force Threat Intelligence Feed to Yes in Admin Settings > System Settings.
• Enable the following rule: X-Force Risky URL.
Log source types

Juniper SRX Series Services Gateway, Microsoft ISA, Pulse Secure Pulse Connect Secure
Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
Cloud
UBA : Anonymous User Accessed a Resource
anomalies.
UBA : Anonymous User Accessed a Resource
Enabled by default
False
Default senseValue
15
Description
Detects an anonymous user accessing a resource.
Support rules
Log source types

Microsoft Office 365 (EventID: AnonymousLinkUsed)
UBA : AWS Console Accessed by Unauthorized User

anomalies.
UBA : AWS Console Accessed by Unauthorized User
Enabled by default
False
Default senseValue
10

Description
Detects an unauthorized attempt to access the Amazon Web Services (AWS) console by a user that is
outside the authorized list in the 'AWS - Standard Users' reference set.
Support rules
• Install the following package from the IBM Security App Exchange: IBM QRadar Content Extension for
Monitoring Amazon AWS.
• Add the appropriate values to the following reference set: "AWS - Standard Users"
• Configure the following log source: Amazon AWS CloudTrail
Log source types

Amazon AWS CloudTrail (EventID: ConsoleLogin)
UBA : External User Failed Mailbox Login

anomalies.
UBA : External User Failed Mailbox Login
Enabled by default
False
Default senseValue
10
Description
Detects repeated failures to log in to mailbox from an external user.
Support rules
Log source types

Microsoft Office 365 (EventID: MailboxLogin-false)
UBA : Failed to Set Mailbox Audit Logging Bypass

anomalies.
UBA : Failed to Set Mailbox Audit Logging Bypass
Enabled by default
False
Default senseValue
10
Description
Detects when a user failed to correctly set mailbox audit logging bypass.
Support rules
Log source types

Microsoft Office 365 (EventID: Set-MailboxAuditBypassAssociation-false)
UBA : Inbox Set to Forward to External Inbox

anomalies.
UBA : Inbox Set to Forward to External Inbox
Enabled by default
False
Default senseValue
15
Description
Detects if a mailbox is set to forward to a domain that is not listed in the Trust Domains reference set.
Support rules
Add the appropriate values to the following reference sets: "UBA : Trusted Domains".
Log source types

Microsoft Office 365 (EventID: Set-Mailbox-true)
UBA : Internal User Failed Mailbox Login Followed by Success

anomalies.
UBA : Internal User Failed Mailbox Login Followed by Success
Enabled by default
False
Default senseValue
5
Description
Detects several mailbox login failures before a successful login from an internal user.

Support rules
• BB:UBA : Mailbox Login Success
• BB:UBA : Multiple Mailbox Login Failed in a Short Period of Time
Log source types

Microsoft Office 365 (EventID: MailboxLogin-false & EventID: MailboxLogin-true)
UBA : Mailbox Permission Added and Deleted in a Short Period of Time

anomalies.
UBA : Mailbox Permission Added and Deleted in a Short Period of Time
Enabled by default
False
Default senseValue
10
Description
Detects mailbox permissions that are added and deleted within an hour.
Support rules
• BB:UBA : Remove Mailbox Permission Succeeded
• BB:UBA : Add Mailbox Permission Succeeded
Log source types

Microsoft Office 365 (EventID: Add-MailboxPermission-true & Remove-MailboxPermission-true)
UBA : Non-Standard User Accessing AWS Resources

anomalies.
UBA : Non-Standard User Accessing AWS Resources
Enabled by default
False
Default senseValue
10
Description
Detects a non-standard user who is attempting to access Amazon Web Services (AWS) resources.
Support rules
• AWS Cloud: S3 Bucket accessed by Non-Standard User
Log source types

Amazon Web Services Extension
UBA : Sharing Link Sent to Guest

anomalies.
UBA : Sharing Link Sent to Guest
Enabled by default
False
Default senseValue
10
Description
Detects a sharing invitation being sent to a guest.
Support rule
Log source types

Microsoft Office 365 (EventID: SharingInvitationCreated)
UBA : Sharing Policy Changed or Shared External (SharePoint/OneDrive)

anomalies.
UBA : Sharing Policy Changed or Shared External (SharePoint/OneDrive)
Enabled by default
False
Default senseValue
15
Description
Detects when an item's sharing policy is changed to share with a guest user.
Support rule
Log source types

Microsoft Office 365 (EventID: ExternalSharingSet, SharingPolicyChanged)

UBA : User Added to a Group on SharePoint or OneDrive by Site Admin
anomalies.
UBA : User Added to a Group on SharePoint or OneDrive by Site Admin
Enabled by default
False
Default senseValue
10
Description
Detects a user being added to a group in Sharepoint or OneDrive by a System Admin.
Support rule
Log source types

Microsoft Office 365 (EventID: Add member to group-success)
UBA : User Failed to be Added to Role

anomalies.
UBA : User Failed to be Added to Role
Enabled by default
False
Default senseValue
10
Description
Detects when an attempt to add a user to a role fails.
Support rule
Log source types

Microsoft Office 365 (EventID: Add-RoleGroupMember-false, Update-RoleGroupMember-false)
Domain controller
UBA : DPAPI Backup Master Key Recovery Attempted
anomalies.
UBA : DPAPI Backup Master Key Recovery Attempted
Enabled by default
False
Default senseValue
10
Description
Detects when recovery is attempted for a DPAPI Master Key.
Support rule
Log source types

UBA : Kerberos Account Enumeration Detected

anomalies.
UBA : Kerberos Account Enumeration Detected
Enabled by default
False
Default senseValue
10
Description
Detects Kerberos account enumeration by detecting high number of user names being used to make
Kerberos requests from same source IP.
Support rule
Log source types

UBA : Multiple Kerberos Authentication Failures from Same User

anomalies.
UBA : Multiple Kerberos Authentication Failures from Same User
Enabled by default
False
Default senseValue
15

Description
Detects multiple Kerberos authentication ticket rejections or failures.
Support rules
• BB:UBA : Kerberos Authentication Failures
Enable Search assets for username, when username is not available for event or flow data in Admin
Settings > UBA Settings.
Log source types

Microsoft Windows Security Event Log (EventID: 4768, 4771)
UBA : Non-Admin Access to Domain Controller

anomalies.
UBA : Non-Admin Access to Domain Controller
Enabled by default
False
Default senseValue
5
Description
Detects non-admin account access attempts to domain controller.
Support rule
Add the appropriate values to the following reference sets: "UBA : Domain Controllers" and "UBA :
Domain Controller Administrators"
Log source types

iT-CUBE agileSI
UBA : Pass the Hash

anomalies.
UBA : Pass the Hash
Enabled by default
False
Default senseValue
15

Description
Detects Windows logon events that are possibly generated during pass the hash exploits.
Support rule
Required configuration:
Add the appropriate values to the following reference set: UBA : Trusted Domains.
Log source types

Microsoft Windows Security Event Logs (EventID: 4624)
UBA : Possible Directory Services Enumeration

anomalies.
UBA : Possible Directory Services Enumeration
Enabled by default
False
Default senseValue
5
Description
Detects reconnaissance attempts to Directory Service Enumeration.
Support rule
Add the appropriate values to the following reference set: "UBA : Domain Controller Administrators"
Log source types

UBA : Possible SMB Session Enumeration on a Domain Controller

anomalies.
UBA : Possible SMB Session Enumeration on a Domain Controller
Enabled by default
False
Default senseValue
10
Description
Detects attempts at SMB enumeration against a domain controller.
Support rule
Add the appropriate values to the following reference sets:
• UBA : Domain Controllers
• UBA : Domain Controller Administrators
Log source types

UBA : Possible TGT Forgery

anomalies.
UBA : Possible TGT Forgery
Enabled by default
False
Default senseValue
15
Description
Detects Kerberos TGTs that contain Domain Name anomalies. These possibly indicate tickets that are
generated by using pass the ticket exploits.
Support rule
Add the appropriate values to the following reference sets: UBA : Trusted Domains.
Log source types

UBA : Possible TGT PAC Forgery

anomalies.
UBA : Possible TGT PAC Forgery
Enabled by default
False

Default senseValue
10
Description
Detects use of Forged PAC certificate to get a Service Ticket from Kerberos TGS.
Support rules
• BB:UBA : TCT PAC Forgery Patched Server
• BB:UBA : TCT PAC Forgery Unpatched Server
Add the appropriate values to the following reference set: "UBA : Domain Controller Administrators".
Log source types

Microsoft Windows Security Event Log (EventID: 4672, 4769)
UBA : Replication Request from a Non-Domain Controller

anomalies.
UBA : Replication Request from a Non-Domain Controller
Enabled by default
False
Default senseValue
5
Description
Detects replication requests from an illegitimate Domain Controller
Support rules
Add the appropriate values to the following reference set: "UBA : Domain Controller Administrators".
Log source types

UBA : TGT Ticket Used by Multiple Hosts

anomalies.
UBA : TGT Ticket Used by Multiple Hosts
Enabled by default
False
Default senseValue
15
Description
Detects Kerberos TGT ticket being used on two (or more) different computers.
Support rule
UBA : Kerberos Account Mapping
This rule updates the associated reference sets with the required data.
Enable the following rules: "UBA : Kerberos Account Mapping"
Log source types

Endpoint
UBA : Detect Insecure Or Non-Standard Protocol
anomalies.
Enabled by default
False
Default senseValue
5
Description
Detects any user that is communicating over unauthorized protocols that are regarded as insecure or non-
standard protocols. Authorized protocols are listed in the UBA : Ports of Authorized Protocols reference
set with default value 0, which is the port of QRadar events. Edit the UBA : Ports of Authorized Protocols
reference set to flag from your environment before you enable this rule.
Support rules
• BB:UBA : Insecure Ports
•
Add the appropriate values to the following reference set: UBA : Ports Of Authorized Protocols.

Log source types
Related concepts
UBA : Detect Persistent SSH session
anomalies.
UBA : Internet Settings Modified
anomalies.
UBA : Malware Activity - Registry Modified In Bulk
anomalies.
UBA : Netcat Process Detection (Linux)
anomalies.
UBA : Netcat Process Detection (Windows)
anomalies.
UBA : Process Executed Outside Gold Disk Whitelist (Linux)
anomalies.
UBA : Process Executed Outside Gold Disk Whitelist (Windows)
anomalies.
UBA : Ransomware Behavior Detected
anomalies.
UBA : Restricted Program Usage
anomalies.
UBA : User Installing Suspicious Application
anomalies.
UBA : User Running New Process
anomalies.
UBA : Volume Shadow Copy Created
anomalies.

anomalies.
Enabled by default
False
Default senseValue
10
Description
Detects SSH sessions that are active for more than 10 hours.
Support rules
• BB:UBA : SSH Session Closed
• BB:UBA : SSH Session Opened
This rule requires both SSH Opened and SSH Closed events to occur for an accurate detection. If the log
source that is used does not have an eventID for both events, you might receive inaccurate results. See
the Data sources to determine eventIDs for the log source in use.
Log source types (SSH Opened)

Centrify Infrastructure Services (EventID: 27100, 27104)
Cisco IOS (EventID: %SSH-5-SSH2_SESSION, %SSH-SW2-5-SSH2_SESSION)
Custom Rule Engine (EventID: 18037, 3071)
Cyber-Ark Vault (EventID: 378)
Extreme XSR Security Routers (EventID: NEW_SSH_CONNECTION)
Huawei S Series Switch (EventID: SSH/4/SFTP_REQ_RECORD)
HyTrust CloudControl (EventID: AUN0120, unknown)
IBM AIX Server (EventID: sshd2 connection established, ssh-server connect, ssh-server session open)
IBM DataPower (EventID: 0x8100011e, 0x810001e4, 0x810001e5)
Juniper MX Series Ethernet Services Router (EventID: SSH)
Juniper Networks AVT (EventID: SSH)
Mac OS X (EventID: OSX ssh session started)
OS Services Qidmap (EventID: Connection from, pam_open_session, pam_sm_open_session)
Solaris Operating System Authentication Messages (EventID: ssh session opened)
Universal DSM (EventID: SSH Opened, SSH Session Started)
Log source types (SSH Closed)

Aruba Mobility Controller (EventID: sshd_disconnect)
Centrify Infrastructure Services (EventID: 27102)
Cisco IOS (EventID: %SSH-5-SSH_CLOSE, %SSH-SW2-5-SSH2_CLOSE, %SSH-5-SSH2_CLOSE)
Custom Rule Engine (EventID: 3072, 18038, 18040)
Cyber-Ark Vault (EventID: 380, 381)
Flow Classification Engine (EventID: 3072, 18038, 18040)
Huawei S Series Switch (EventID: SSH/6/RECV_DISCONNECT)

IBM AIX Server (EventID: ssh-server disconnect, sshd2 connection lost, SSH Disconnect, sshd2 local
disconnect, ssh-server session close)
OS Services Qidmap (EventID: Done with connection, pam_sm_close_session, pam_close_session, Did
not receive identification string, Connection timed out, Received disconnect from IP, Connection closed)
Pulse Secure Pulse Connect Secure (EventID: GWE24572)
Universal DSM (EventID: SSH Terminated, SSH Session Finished, SSH Closed)
Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
15
Description
Detects modifications of internet settings on the system.
Support rule
Log source types

Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.

anomalies.
Enabled by default
False
Default senseValue
15
Description
Detects processes that modify multiple registry values in bulk within a shorter interval.
Support rule
Log source types

Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
15
Description
Detects netcat process on a Linux system.
Support rule
BB:UBA : Common Log Source Filters
Log source types

Linux OS (EventID: SYSCALL)
Related concepts
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
15
Description
Detects Netcat process on a Windows system.
Support rule
Log source types

Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
15
Description
Detects processes that are created on a Linux system and alerts when the process is outside of the
golden disk process whitelist.
Note: The rule is disabled by default. Enable the rule only after you populate or modify the process names
to be whitelisted in the reference set 'UBA : Gold Disk Process Whitelist - Linux'.

• Add the appropriate values to the following reference set: "UBA : Gold Disk Process Whitelist - Linux".
• Enable Search assets for username, when username is not available for event or flow data in Admin
Support rule
BB:UBA : Common Log Source Filters
Log source types

Linux OS (EventID: SYSCALL)
Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
15
Description
Detects processes that are created on a Windows system and alerts when the process is outside the
golden disk process whitelist.
Note: The rule is disabled by default. Enable the rule only after you populate or modify the process names
to be whitelisted in the reference set 'UBA : Gold Disk Process Whitelist - Windows'.
Add the appropriate values to the following reference set: "UBA : Gold Disk Process Whitelist - Windows".
Log source types

Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
15
Description
Detects behavior that is typically seen during a ransomware infection.
Support rule
Add the appropriate values to the following reference set: "UBA : Windows Common Processes".
Log source types

Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
5
Description
Indicates that a process is created and the process name matches one of the binary names listed in the
reference set "UBA : Restricted Program Filenames". This reference set is blank by default so that you can
customize it. You can populate the reference set with file names that you want to monitor for risk
management.
For more information about adding or removing programs for monitoring, see Managing restricted
programs.
Support rule

Add the appropriate values to the following reference set: "UBA : Restricted Program Filenames".
Log source types

Microsoft Windows Security Event Log
Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Supports the following rules:
• UBA : User Installing Suspicious Application
• UBA : Populate Authorized Applications
Enabled by default
False
Default senseValue
15
Description
Detects application installation events and then alerts when suspicious applications are seen. Note:
Populate the reference set "UBA : Authorized Applications" with the application names that are
authorized in the organization. Rule "UBA : Populate Authorized Applications" can be enabled for a short
duration to populate this reference set.
Rule "UBA : Populate Authorized Applications" populates the reference set "UBA : Authorized
Applications" with the names of applications that are installed while this rule is enabled. Note: The rule is
disabled by default. Enable for a shorter duration to populate the names while users are installing
applications.
Log source types

Microsoft Windows Security Event Logs
Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
anomalies.
anomalies.

anomalies.
Supports the following rules:
• UBA : User Running New Process
• UBA : Populate Process Filenames
Enabled by default
False
Default senseValue
15
Description
Detects processes that are created by the user and then alerts when a user runs a new process.
Rule "UBA: Populate Process Filenames" populates the reference set "UBA : Process Filenames" used as
a utility rule for "UBA : User Running New Process." Note: The rule is disabled by default. Enable the rule
for a shorter duration to populate the filenames.
Support rule
BB:UBA : Common Event Filters, UBA : Populate Process Filenames
Add the appropriate values to the following reference set: "UBA : Process Filenames".
Log source types

Microsoft Windows System Event Logs (EventID:4688)
Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
15
Description
Detects shadow copies that were created using vssadmin.exe or Windows Management Instrumentation
Command-line (WMIC).
Support rule
Log source types

Microsoft Windows Security Event Logs (EventID: 1 or 4688)
Related concepts

anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
Exfiltration
UBA : Data Exfiltration by Cloud Services
anomalies.
UBA : Data Exfiltration by Cloud Services
Enabled by default
False
Default senseValue
5
Description
Detects users that are uploading files to personal cloud services.
Support rules
• BB:UBA : File Transfer to Cloud services
Log source types

Aruba Introspect (EventID: Cloud Exfiltration)
Fortinet FortiGate Security Gateway (EventID: 16064, 35599, 35977, 35984, 36076, 36115, 36300,
36343, 36350, 36353, 36413, 38668, 38902, 38994, 39287, 39297, 39356, 39474, 39806)
UBA : Data Exfiltration by Print

anomalies.
UBA : Data Exfiltration by Print
Enabled by default
False
Default senseValue
5
Description
Detects users that are sending files to print or that are using screen capture tools such as Print Screen
and Snipping Tool.
Support rules
• BB:UBA : File Transfer to Print
Log source types

Universal DSM (EventID: File Print)
Verdasys Digital Guardian (EventID: Print, ADE Print Screen)
UBA : Data Exfiltration by Removable Media

anomalies.
UBA : Data Exfiltration by Removable Media
Enabled by default
False
Default senseValue
5

Description
Detects users that are transferring files to removable media such as USB and CD.
Support rules
• BB:UBA : File Transfer to CD
• BB:UBA : File Transfer to USB
Log source types

Symantec Endpoint Protection (EventID: Log writing to USB drives_File_Write, Log writing to USB
drives_Write File)
Verdasys Digital Guardian (EventID: CD Burn)
UBA : Data Loss Possible

anomalies.
UBA : Data Loss Possible
Enabled by default
False
Default senseValue
15
Description
Detects possible data loss determined by either the data source, event category or specific events related
to data loss detection and prevention.
Support rules
• BB:UBA : Data Loss Categories
• BB:UBA : Data Loss Devices
• BB:UBA : Data Loss Events
Log source types

Check Point (EventID: Detect)
Cisco Stealthwatch (EventID: 40, 45)
Forcepoint V Series (EventID: BLOCKED_BY_WEB_DLP)
Fortinet FortiGate Security Gateway (EventID: dlp passthrough, 43720)
IBM Proventia Network Intrusion Prevention System (IPS) (EventID: BsdlprSymlink,FreebsdLpdBo,
HummingbirdLpdBo, MozillaSenduidlPop3Bo, BsdLpdBo)
McAfee Network Security Platform (EventID: 0x4517f400)
Netskope Active (EventID: dlp)
Pulse Secure Pulse Connect Secure (EventID: SYS24815, SYS24843, SYS24844)
Skyhigh Networks Cloud Security Platform (EventID: Anomaly, Incident, 10003, 10004, 10005, 10036)
Symantec DLP (EventID: all ids)
TippingPoint Intrusion Prevention System (IPS) (EventID: 26335,26334, 26336,27318, 27494, 27515)
Universal DSM (EventID: Data Loss Possible, Data Loss Prevention Policy Violation)
Verdasys Digital Guardian (EventID: ADE Screen Capture, Application Data Exchange, Attach Mail, CD
Burn, File Archive, File Copy, File Delete, File Move, File Recycle, File Rename, File Save As, Network
Transfer Download, Network Transfer Upload, Print, Print Screen, ADE Print Process)
WatchGuard Fireware OS (EventID: 1CFF0011, 1AFF002F, 1AFF0030, 1AFF0031, 1BFF0024, 1BFF0025,
1BFF0026, 1BFF0027, 1CFF0012, 1CFF0013, 1CFF0014)
UBA : Initial Access Followed by Suspicious Activity

anomalies.
Enabled by default
False
Default senseValue
15
Description
Detects the scenario of phishing or malware activity followed by suspicious access activity within 24
hours. Note: Edit the supported building blocks to monitor any rules that are appropriate for the
environment.
Support rules
BB:UBA : Compromised Account - Initial Access
• UBA : Browsed to Malicious Website
• UBA : Browsed to Phishing Website
• UBA : Browsed to Scam/Questionable/Illegal Website
• UBA : User Accessing Risky IP, Botnet
• UBA : User Accessing Risky IP, Malware
BB:UBA : Compromised Account - Execution
• UBA : User Geography Change
• UBA : Unauthorized Access
• UBA : User Access - Failed Access to Critical Assets
• UBA : User Access Login Anomaly
• UBA : User Accessing Account from Anonymous Source
• UBA : Account or Group or Privileges Added
• UBA : Account or Group or Privileges Modified
• UBA : User Account Created and Deleted in a Short Period of Time
• UBA : Dormant Account Use Attempted
• UBA : Dormant Account Used
• UBA : User Time, Access at Unusual Times
• “UBA : Suspicious Privileged Activity (Rarely Used Privilege)” on page 107

See supported rules
Log source types

See supported rules
UBA : Large Outbound Transfer by High Risk User

anomalies.
UBA : Large Outbound Transfer by High Risk User
Enabled by default
False
Default senseValue
15
Description
Detects an outbound transfer of 200,000 bytes or more by a high risk user.
Support rules
Log source types

Log sources that have the CEP BytesSent defined.
UBA : Multiple Blocked File Transfers Followed by a File Transfer

anomalies.
UBA : Multiple Blocked File Transfers Followed by a File Transfer
Enabled by default
False
Default senseValue
10
Description
Detects exfiltration by checking for file uploads that were initially blocked but were followed by a
successful upload within a span of 5 minutes.
Support rules
• BB:UBA : Blocked File Transfer
• BB:UBA : Successful File Transfer
This rule requires both Blocked file transfers and Successful file transfers events to occur for an accurate
detection. If the log source that is used does not have an eventID for both events, you might receive
inaccurate results. See the Data sources to determine eventIDs for the log source in use.
Log source types (Blocked file transfers)

Cisco Call Manager (EventID: %UC_DRF-3-DRFSftpFailure)
Cisco IOS (EventID: %UPDATE-3-SFTP_TRANSFER_FAIL)
Custom Rule Engine (EventID: 18014, 18071, 18187, 4032)
Extreme Stackable and Standalone Switches (EventID: FFTP request failed)
Flow Classification Engine (EventID: 4032, 18187, 18014, 18071)
Forcepoint Sidewinder (EventID: FTP Permits, denied ftp command)
IBM i (EventID: UNR0907, UNR0908, UNR2302, GSL0118, GSL0119, GSL0318, GSL0319, GSL3718,
GSL3719, GSL0618,UNR0701, UNR0707, UNR0901, UNR0910, UNR2301, UNR0705, UNR0706,
UNR0708, UNR0710, UNR0801, UNR0802, UNR0905, UNR0906, GSL0619)
Juniper Networks Intrusion Detection and Prevention (IDP) (EventID: TFTP:AUDIT:READ-FAILED)
Microsoft IIS (EventID: 530)
Microsoft Operations Manager (EventID: 22095)
OSSEC (EventID: 11504, 11512)
Universal DSM (EventID: FTP Action Denied, TFTP Session Denied,FTP Denied,FileTransfer Denied)
WatchGuard Fireware OS (EventID: 1CFF0002,1CFF0006,1CFF0007,1CFF0009, 1CFF0001,1CFF0019,
1CFF0000, 1CFF0003)
Log source types (Successful file transfers)

Cisco FireSIGHT Management Center (EventID: FILE_EVENT, FILE_EVENT_0)
Cisco IOS (EventID: %FTPSERVER-6-NEWCONN)
Cisco IronPort (EventID: FTP_connection)
Custom Rule Engine (EventID: 18010, 4031,18431, 18183)
DG Technology MEAS (EventID: 119-003, 119-070)
Flow Classification Engine (EventID: 18010, 4031,18431, 18183)
Flow Device Type (EventID: 21984, 21879, 51337, 51336, 35159, 21910)
Huawei S Series Switch (EventID: FTPS/5/REQUEST)
IBM Proventia Network Intrusion Prevention System (IPS) (EventID: FTP, TFTP)
IBM i (EventID: MLD1200, MLD2100, MO10300,MO10400, MO11800, MO12100, MO12400, MO20200,
MO20300. MO21300, MO21800, MO21900, GSL0101, GSL0102, GSL0301, GSL0302,
GSL3701,GSL3702, M090100, UNA0705, UNA0706, UNA0708, UNA0710, UNA0801, UNA0802,
UNA0905, UNA0906, UNA0907,UNA0908, UNA2302,UNA0601, UNA0604, UNA0605, UNA0607,
UNA0701, UNA0707, UNA0901, UNA0902, UNA0910, UNA2301, M030100, MLD1100)
Juniper MX Series Ethernet Services Router (EventID: TFTP, FTP)
Juniper Networks AVT (EventID: TFTP, FTP)
Microsoft IIS (EventID: 150, 125, 225)

ProFTPD Server (EventID: FTP session opened)
Solaris Operating System Authentication Messages (EventID: ftp connection)
SonicWALL SonicOS (EventID: 1112, 1113)
Squid Web Proxy (EventID: 3C0002_ALLOWED)
Trend InterScan VirusWall (EventID: Trend ftpconnect)
Universal DSM (EventID: File Transfer, FTP Opened, FTP Action Allowed, TFTP Session Opened)
Verdasys Digital Guardian (EventID: Network Transfer Upload, Network Transfer Download)
WatchGuard Fireware OS (EventID: 2AFF0004, 1CFF0019)
UBA : Potentially Compromised Account

anomalies.
UBA : Potentially Compromised Account
Enabled by default
False
Default senseValue
25
Description
Detects scenario of suspicious activity followed by exfiltration within 24 hours.
Support rules
UBA : Suspicious Activity Followed by Exfiltration
See supported rules
Log source types

See supported rules
UBA : Suspicious Access Followed by Data Exfiltration

anomalies.
UBA : Suspicious Access Followed by Data Exfiltration
Enabled by default
False
Default senseValue
15
Description
Detects access from unusual, restricted, or prohibited locations followed by a data exfiltration attempt.
Support rule
• BB:UBA : Data Exfiltration
• UBA : User Access from Restricted Location
• UBA : User Access from Prohibited Location
• UBA : User Geography, Access from Unusual Locations
Enable the following rules:
• UBA : User Access from Restricted Location
• UBA : User Access from Prohibited Location
Log source types

Cisco Stealthwatch (EventID: 45)
IBM Security Trusteer Apex Advanced Malware Protection (EventID: ConnectionCreate.Connection_Test,
CerberusNG.ent_create_remote_thread, ConnectionCreate.in_suspend_state,
ConnectionCreate.orphant_thread_connect, close.file_inspection, processcreate.file_inspection)
Skyhigh Networks Cloud Security Platform (EventID: 10003, 10004)

anomalies.
Enabled by default
False
Default senseValue
15
Description
Detects scenario of suspicious activity followed by exfiltration within 24 hours.
Support rules
BB:UBA : Compromised Account - Execution
• “UBA : User Geography Change” on page 186
• “UBA : Unauthorized Access” on page 76
• “UBA : User Access - Failed Access to Critical Assets” on page 78
• “UBA : User Access Login Anomaly” on page 83
• “UBA : User Accessing Account from Anonymous Source” on page 84

• “UBA : Suspicious Privileged Activity (Rarely Used Privilege)” on page 107
BB:UBA : Compromised Account - Exfiltration
• “UBA : Large Outbound Transfer by High Risk User” on page 172
• “UBA : Suspicious Access Followed by Data Exfiltration” on page 174
• “UBA : Potential Access to DGA Domain” on page 193
See supported rules
Log source types

See supported rules
UBA : User Potentially Phished

anomalies.
UBA : User Potentially Phished
Enabled by default
False
Default senseValue
10
Description
Detects 3 or more instances of potential phishing attacks on a single user within an hour. Note: Edit the
supported building block to monitor any rules that are appropriate for the environment.
Support rules
BB:UBA : Compromised Account - Initial Access
See supported rules
Log source types

See supported rules
Geography
UBA : Anomalous Account Created From New Location
anomalies.
Enabled by default
False
Default senseValue
5
Description
Detects anomalous account creation activity from new location.
Support rules
• BB:UBA : Cloud Endpoints
Enable the following rule: "UBA : User Geography Change".
Log source types

AhnLab Policy Center APC (EventID: Administrator Account Add:Succeeded,
ADD_ADMIN_ACCOUNT_SUCCESS)
Application Security DbProtect (EventID: Database user created, Login created - standard, Login added -
Windows, Database role - created)
Aruba Mobility Controller (EventID: authmgr_user_add)
Bit9 Security Platform (EventID: User_group_created, User_group_modified, User_group_deleted,
Console_user_created, Console_user_modified, Console_user_deleted)
Box (EventID: NEW_USER)
Brocade FabricOS (EventID: SEC-1180,SEC-3025, SEC-1182)
CA ACF2 (EventID: ACF2-L)
Check Point (EventID: User Added, device_added)
Cilasoft QJRN/400 (EventID: C20010, C20011)
Cisco Adaptive Security Appliance (ASA) (EventID: %PIX|ASA-5-502101, %ASA-5-502101)
Cisco Firewall Services Module (FWSM) (EventID: 502101, 504001)
Cisco IOS (EventID: %APF-6-USER_NAME_CREATED)
Cisco Identity Services Engine (EventID: 86006)
Cisco NAC Appliance (EventID: CCA-1500)

Cisco PIX Firewall (EventID: %PIX-0-502101, %PIX-1-502101, %PIX-2-502101, %PIX-3-502101,
%PIX-4-502101, %PIX-5-502101, %PIX-6-502101, %PIX-7-502101)
Cisco PIX Firewall (EventID: 502101)
Cisco Wireless LAN Controllers (EventID: %APF-6-USER_NAME_CREATED, 1.3.6.1.4.1.9.9.515.0.2)
Cisco Wireless Services Module (WiSM) (EventID: %AAA-6-GUEST_ACCOUNT_CREATE, %APF-6-
USER_NAME_CREATED)
CloudPassage Halo (EventID: Halo user added, Halo user re-added, Local account created (linux only))
CorreLog Agent for IBM zOS (EventID: RACF ADDUSER: No Violations)
Cyber-Ark Vault (EventID: 180, 2)
EMC VMWare (EventID: AccountCreatedEvent)
Extreme Dragon Network IPS (EventID: HOST:WIN:ACCOUNT-CREATED)
Extreme Matrix K/N/S Series Switch (EventID: created with, User Created Event)
Extreme NAC (EventID: Added registered user, Add Registered User)
Forcepoint Sidewinder (EventID: passport addition)
Fortinet FortiGate Security Gateway (EventID: add, auth-logon)
Foundry Fastiron (EventID: SNMP_USER_ADDED)
HBGary Active Defense (EventID: CreateUser)
HP Network Automation (EventID: User Added)
IBM AIX Audit (EventID: USER_Create SUCCEEDED)
IBM AIX Server (EventID: USER_Create)
IBM DB2 (EventID: ADD_USER SUCCESS)
IBM IMS (EventID: USER CREATED)
IBM QRadar Packet Capture (EventID: UserAdded)
IBM Resource Access Control Facility (RACF) (EventID: 80 10.0, 80 10.2)
IBM Security Access Manager for Enterprise Single Sign-On (EventID: PRE_PROVISION_IMS_USER,
AA_SCR_REGISTRATION, REGISTER_MAC_IDENTITY, REGISTER_IDENTITY)
IBM Security Directory Server (EventID: SDS Audit)
IBM Security Identity Governance (EventID: 49, 70004, 42)
IBM Security Identity Manager (EventID: Add Success, Add SUBMITTED, Add SUCCESS)
IBM SmartCloud Orchestrator (EventID: user)
IBM Tivoli Access Manager for e-business (EventID: 13402 - Succeeded, 13401 - Succeeded, 13402
Command Succeeded, 13401 Command Succeeded)
IBM i (EventID: GSL2401,MC@0300, GSL2402, M240100, CP_CRT)
Imperva SecureSphere (EventID: NEW_USERS_ACCOUNT, SOX_NEW_USERS, SOX - New users, New
Users Account)
Itron Smart Meter (EventID: CEUI-AUDIT-27, CEUI.AUDIT.26)
Juniper Networks Network and Security Manager (EventID: adm23303, aut20167, adm30407, aut20168,
adm20716, adm20717)
Linux OS (EventID: ADD_USER)
McAfee Application/Change Control (EventID: USER_ACCOUNT_CREATED)
McAfee ePolicy Orchestrator (EventID: 20792)
Microsoft ISA (EventID: user added)
Microsoft SQL Server (EventID: CR - SU, CR - US, CR - SL, CR - LX, CR - AR, CR - WU, 24127, 24121,
24075)
Microsoft SharePoint (EventID: 37)
Microsoft Windows Security Event Log (EventID: 624, 645, 1318, 4720, 4741)
NCC Group DDos Secure (EventID: 1003)
Netskope Active (EventID: Create Admin, Created new admin)
Novell eDirectory (EventID: CREATE_ACCOUNT)
OS Services Qidmap (EventID: User Account Added)
OSSEC (EventID: 5902, 18110)
Okta (EventID: app.user_management.push_new_user_success, app.generic.import.details.add_user,
app.generic.import.new_user, app.user_management.provision_user,
app.user_management.push_new_user, app.user_management.push_profile_success,
core.user.config.user_creation.success, core.user_group_member.user_add,
cvd.user_profile_bootstrapped, cvd.appuser_profile_bootstrapped)
OpenBSD OS (EventID: add user)
Oracle Enterprise Manager (EventID: User Create (successful), Computer Create (successful))
Oracle RDBMS Audit Record (EventID: 51:1, 51:0, CREATE USER-Standard:1, CREATE USER-Standard:0)
Oracle RDBMS OS Audit Record (EventID: 51)
Pirean Access: One (EventID: IsimUserRegistration;*;1)
Pulse Secure Pulse Connect Secure (EventID: ADM23303, ADM20265, AUT20167, ADM30407,
AUT20168)
RSA Authentication Manager (EventID: Added user, unknown, REMOTE_PRINCIPAL_CREATE,
CREATE_PRINCIPAL, CREATE_AM_PRINCIPAL)
SIM Audit (EventID: Configuration-UserAccount-AccountAdded)
STEALTHbits StealthINTERCEPT (EventID: Active DirectorycomputerObject AddedTrueFalse, Console ?
user/group added, Console � user/group added, Active DirectoryuserObject AddedTrueFalse, Console -
user/group added)
SafeNet DataSecure/KeySecure (EventID: Added user)
Salesforce Security Auditing (EventID: Created new Customer User, Created new user)
Skyhigh Networks Cloud Security Platform (EventID: 10016)
Solaris BSM (EventID: create user)
SonicWALL SonicOS (EventID: 558)
Symantec Encryption Management Server (EventID: ADMIN_IMPORTED_USER)
ThreatGRID Malware Threat Intelligence Platform (EventID: user-account-creation)
Trend Micro Deep Discovery Email Inspector (EventID: SYSTEM_EVENT_ACCOUNT_CREATED)
Trend Micro Deep Security (EventID: 650)
Universal DSM (EventID: Computer Account Added, User Account Added)
VMware vCloud Director (EventID: com/vmware/vcloud/event/user/create, com/vmware/vcloud/event/
user/import)
Vormetric Data Security (EventID: DAO0089I)

iT-CUBE agileSI (EventID: U0, AU7)
Related concepts
UBA : Anomalous Cloud Account Created From New Location
anomalies.
UBA : User Access from Multiple Locations
anomalies.
UBA : User Access from Prohibited Location
anomalies.
UBA : User Access from Restricted Location
anomalies.
UBA : User Geography Change
anomalies.
UBA : User Geography, Access from Unusual Locations
anomalies.

anomalies.
Enabled by default
False
Default senseValue
10
Description
Detects cloud account creation activities from a new location.
Support rules
• BB:UBA : Cloud Endpoints
Enable the following rule: "UBA : User Geography Change".
Log source types

Amazon AWS CloudTrail (EventID: CreateUser)
Microsoft Office 365 (EventID: Add User-success, Add user-PartiallySucceded)
Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
5
Description
Indicates that multiple locations or sources are using the same user account simultaneously. Adjust the
match and duration parameters to tune responsiveness.
Support rule
Log source types


iT-CUBE agileSI
Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
15
Description
Detects user access from a location not in the "UBA : Allowed Location List."
Support rules:
•
Add the appropriate values to the following reference set: UBA : Allowed Location List
Log source types


iT-CUBE agileSI
Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
15
Description
Detects user access from a location on the "UBA : Restricted Location List." You can add countries from
"geographic location" to the "UBA : Restricted Location List."
Support rules
•
Add the appropriate values to the following reference set: UBA : Restricted Location List
Log source types


iT-CUBE agileSI
Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
5
Description
A match indicates that a user logged in remotely from a country that is different from the country of the
user's last remote login. This rule might also indicate an account compromise, particularly if the rule
matches occurred closely in time.
Support rules
• UBA : User Geography Map
Enable the following rule: UBA : User Geography Map
Log source types


iT-CUBE agileSI
Support rule
User Geography Map
This rule updates the associated reference sets with the required data.
Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
15
Description
Indicates that users were able to authenticate in countries that are unusual for your network, as defined
by the building block rule "UBA : BB : Unusual Source Locations".
Support rules
• BB:UBA : Unusual Source Locations
Log source types

CRYPTOShield, Carbon Black Protection,Centrify Server Suite, Check Point, Cilasoft QJRN/400, Cisco ACS,
Cisco Adaptive Security Appliance (ASA),Cisco Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for
Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine,
Cisco Intrusion Prevention System (IPS), Cisco IronPort,Cisco NAC Appliance, Cisco Nexus, Cisco PIX
Routing Switch 2500/4500/5500,Nortel Ethernet Routing Switch 8300/8600, Nortel Multiprotocol

iT-CUBE agileSI
Related concepts
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
anomalies.
Network traffic and attacks

UBA : D/DoS Attack Detected
anomalies.
Enabled by default
False
Default senseValue
15
Description
Detects network Denial of Service (DoS) attacks by a user.
Note: Before you can use this rule, complete the following steps:
1. From the Admin tab, click UBA Settings.
2. Select the Search assets for username, when username is not available for event or flow data
checkbox to search for user names in the asset table. The UBA app uses assets to look up a user for an
IP address when no user is listed in an event.
3. The event rule needs "Snort Open Source IDS" log source to work.
Support rules
• BB:CategoryDefinition: DDoS Attack Events
• BB:CategoryDefinition: Network DoS Attack
• BB:CategoryDefinition: Service DoS
Log source types

Akamai KONA, Application Security DbProtect, Aruba Mobility Controller, Barracuda Web Application
Firewall, Brocade FabricOS, CRE System, Check Point, Cisco Adaptive Security Appliance (ASA), Cisco
Firewall Services Module (FWSM), Cisco IOS, Cisco Intrusion Prevention System (IPS), Cisco PIX Firewall,
Cisco Stealthwatch, Cisco Wireless LAN Controllers, Cisco Wireless Services Module (WiSM), Custom Rule
Engine, CyberGuard TSP Firewall/VPN, Enterprise-IT-Security.com SF-Sherlock, Event CRE Injected,
Extreme Dragon Network IPS, Extreme HiPath, F5 Networks BIG-IP AFM, F5 Networks BIG-IP ASM, F5
Networks BIG-IP LTM, Fair Warning, FireEye, Flow Classification Engine, ForeScout CounterACT, Fortinet
FortiGate Security Gateway, Foundry Fastiron, Huawei AR Series Router, IBM Proventia Network Intrusion
Prevention System (IPS), IBM Security Network IPS (GX), Imperva Incapsula, Juniper Junos OS Platform,
Detection and Prevention (IDP), Juniper Networks Network and Security Manager, McAfee Firewall
Enterprise, McAfee IntruShield Network IPS Appliance, McAfee ePolicy Orchestrator, Motorola SymbolAP,
NCC Group DDos Secure, Niksun 2005 v3.5, Nortel Application Switch, OS Services Qidmap, OSSEC, Palo
Alto PA Series, Radware AppWall, Radware DefensePro, Riverbed SteelCentral NetProfiler, STEALTHbits
StealthINTERCEPT, SafeNet DataSecure/KeySecure, Sentrigo Hedgehog, Skyhigh Networks Cloud
Security Platform, Snort Open Source IDS, SonicWALL SonicOS, Squid Web Proxy, Stonesoft Management
Center, Symantec Endpoint Protection, TippingPoint Intrusion Prevention System (IPS), Top Layer IPS,
Trend Micro Deep Security, Universal DSM, Vectra Networks Vectra, Venustech Venusense Security
Platform, WatchGuard Fireware OS
Related concepts
UBA : Honeytoken Activity
anomalies.
UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage
anomalies.

anomalies.
Enabled by default
False

Default senseValue
10
Description
Detects activity using a Honeytoken account.
Support rules
Add the appropriate values to the following reference sets: UBA : Honeytoken Accounts
Add the appropriate log sources to the following log source groups: UBA : Systems with Honeytoken
Accounts.
Log source types

All log sources added to the UBA : Systems with Honeytoken Accounts log source group.
Related concepts
anomalies.
anomalies.

anomalies.
Enabled by default
False
Default senseValue
15
Description
Indicates that a process is created and the process name matches one of the binary names that are listed
in the reference set "UBA : Network Capture, Monitoring and Analysis Program Filenames". This reference
set lists the binary names of network packet capturing software. The reference set is pre-populated with
the names of some common network protocol analysis software filenames.
For more information about adding or removing programs for monitoring, see Managing network
monitoring tools.
Support rule
Add the appropriate values to the following reference set: UBA : Network Capture, Monitoring and
Analysis Program Filenames.
Log source types

Microsoft Windows Security Event Log
Related concepts
anomalies.
anomalies.
QRadar DNS Analyzer

For more information, see IBM QRadar DNS Analyzer.
UBA : Potential Access to Blacklist Domain

anomalies.
UBA : Potential Access to Blacklist Domain
Enabled by default
False
Default senseValue
5
Description
Detects events that indicate the user potentially accessed a blacklist domain. Requires the IBM QRadar
DNS Analyzer app.
Before enabling this rule, you must install the IBM QRadar DNS Analyzer app. For more information, see
IBM QRadar DNS Analyzer.
Support rule
BB:UBA : DNS Common Filter
Log source types

IBM QRadar DNS Analyzer
UBA : Potential Access to DGA Domain

anomalies.
UBA : Potential Access to DGA Domain

Enabled by default
False
Default senseValue
5
Description
Detects events that indicate the user potentially accessed a DGA (Domain Generated by Algorithm)
domain. Requires the IBM QRadar DNS Analyzer app.
Support rule
Log source types

UBA : Potential Access to Squatting Domain

anomalies.
UBA : Potential Access to Squatting Domain
Enabled by default
False
Default senseValue
5
Description
Detects events that indicate the user potentially accessed a squatting domain. Requires the IBM QRadar
DNS Analyzer app.
Support rule
Log source types

UBA : Potential Access to Tunneling Domain
anomalies.
UBA : Potential Access to Tunneling Domain
Enabled by default
False
Default senseValue
5
Description
Detects events that indicate the user potentially accessed a tunneling domain. Requires the IBM DNS
Analyzer app.
Support rule
Log source types

Threat intelligence
UBA : Detect IOCs For Locky
anomalies.
UBA : Detect IOCs For Locky
Enabled by default
False
Default senseValue
10
Description
Detects user computers that show Indicators of Compromise (IOCs) for Locky by using URLs or IPs that
are populated from X-Force campaign feeds.
Support rules
• BB:UBA : Detect Locky Using IP
• BB:UBA : Detect Locky Using URL

• Add the appropriate values to the following reference sets: UBA : IOCs-Locky IP and UBA : IOCs-Locky
URL.
Log source types

UBA : Detect IOCs for WannaCry

anomalies.
UBA : Detect IOCs For WannaCry
Enabled by default
False
Default senseValue
10
Description
Detects user computers that show Indicators of Compromise (IOCs) for WannaCry by using URLs, IPs, or
hashes that are populated from X-Force campaign feeds.
Support rules
• BB:UBA : Detect WannaCry Using Hashes
• BB:UBA : Detect WannaCry Using IP
• BB:UBA : Detect WannaCry Using URL
• Add the appropriate values to the following reference sets: UBA : Malware Activity WannaCry - Hash,
UBA : Malware Activity WannaCry - IP, and UBA : Malware Activity WannaCry - URL.
Log source types

UBA : Multiple Sessions to Monitored Log Sources (NIS Directive)

anomalies.
UBA : Multiple Sessions to Monitored Log Sources (NIS Directive)
Enabled by default
False
Default senseValue
15
Description
Detects more than 2 connections to the same QRadar log source system within 5 minutes from a single
user.
Support rules
BB:CategoryDefinition: Authentication Success
Add the appropriate values to the following reference sets: "UBA : Monitored Log Sources (NIS
Directive)".
Log source types

Linux OS (EventID: CRYPTO_LOGIN, ANOM_ROOT_TRANS, Accepted Password, GRP_AUTH, session
opened, Privilege escalation, CRED_ACQ, Accepted password, USER_LOGIN, Successful Login, password
changed, LOGIN)
Microsoft Windows Security Event Log (EventID: Login succeeded for user, 18454, 193, 18455, 627,
4648, 1202, 680, 18453, 628, 621, 4624, 552, 672, 673_Attempt, 4672, 169, 10015, 10014, 678, 671,
6280, 4717, 4723, 4724, 540, 528, 673_Request, 673_Granted, 4776, 405, 5823, 1200, 682)
UBA : ShellBags Modified By Ransomware

anomalies.
UBA : ShellBags Modified By Ransomware
Enabled by default
False
Default senseValue
10
Description
Detects ShellBag registry modifications that indicate typical malware or ransomware behavior.
Support rules
Log source types

UBA : User Accessing Risky IP, Anonymization

anomalies.
UBA : User Accessing Risky IP, Anonymization (previously called X-Force Risky IP, Anonymization)

Enabled by default
False
Description
This rule detect when a local user or host is connecting to an external anonymization service.
Support rules
• X-Force Risky IP, Anonymization
• Set "Enable X-Force Threat Intelligence Feed" to Yes in Admin Settings > System Settings.
• Enable the following rule: X-Force Risky IP, Anonymization.
Log source types

UBA : User Accessing Risky IP, Botnet

anomalies.
UBA : User Accessing Risky IP, Botnet (previously called X-Force Risky IP, Botnet)
Enabled by default
False
Description
This rule detects when a local user or host is connecting to a botnet command and control server.
Support rules
• X-Force Risky IP, Botnet
• Enable the following rule: X-Force Risky IP, Botnet.
Log source types

UBA : User Accessing Risky IP, Dynamic

anomalies.
UBA : User Accessing Risky IP, Dynamic (previously called X-Force Risky IP, Dynamic)
Enabled by default
False
Description
This rule detects when a local user or host is connecting to a dynamically assigned IP address.
Support rules
• X-Force Risky IP, Dynamic
• Enable the following rule: X-Force Risky IP, Dynamic.
Log source types

UBA : User Accessing Risky IP, Malware

anomalies.
UBA : User Accessing Risky IP, Malware (previously called X-Force Risky IP, Malware)
Enabled by default
False
Description
This rule detects when a local user or host is connecting to a malware host.
Support rules
• X-Force Risky IP, Malware
• Enable the following rule: X-Force Risky IP, Malware.
Log source types

UBA : User Accessing Risky IP, Spam

anomalies.
UBA : User Accessing Risky IP, Spam (previously called X-Force Risky IP, Spam)
Enabled by default
False
Description
This rule detects when a local user or host is connecting to a spam-sending host.

Support rules
• X-Force Risky IP, Spam
• Enable the following rule: X-Force Risky IP, Spam.
Log source types

Supported QRadar content

Several rules were designed to feed events to UBA from other apps. These rules require you to install the
content for the other apps.
Content dependencies
For more information about other supported QRadar content and required apps, see the following table.
Required Apps Supported Rules

IBM QRadar DNS Analyzer “QRadar DNS Analyzer” on page 193
• QNI : Confidential Content Being Transferred to

QRadar Network Insights Content for V7.3.0+ Foreign Geography
• QNI : Access to Improperly Secured Service -
Certificate Expired
Certificate Invalid
• QNI : Potential Spam/Phishing Subject Detected
from Multiple Sending ServersQNI : Observed
File Hash Seen Across Multiple Hosts
• QNI : Observed File Hash Associated with
Malware Threat
• QNI : Potential Spam/Phishing Attempt Detected
on Rejected Email Recipient
Self Signed Certificate
Weak Public Key Length
IBM Security Reconnaissance Content • Local L2L TCP Scanner

• Local L2L Windows Server Scanner
• Local L2L Game Server Scanner
• Local L2L DNS Scanner
• Local L2L Mail Server Scanner
• Local L2L Proxy Server Scanner
• Local L2L IM Server Scanner
• Local L2L Web Server Scanner
• Local L2L P2P Server Scanner

• Local L2L SNMP Scanner
• Local L2L RPC Server Scanner
• Local L2L UDP Scanner
• Local L2L DHCP Scanner
• Local L2L ICMP Scanner
IBM QRadar Content for Sysmon • Detected a Possible Keylogger

• Detected a New Unseen Process Started with a
System User Privileges
• Detected a Remotely Executed Process over
Multiple Hosts
• Process Started from Unusual Directories
(Recycle.bin, ..)
• A Hidden Network Share Has Been Added
• Powershell Malicious Usage Detected
• Powershell Malicious Usage Detected with
Encoded Command
• Unusual Process (ex: word, iexplore, AcroRd..)
• Launched a Command Shell
• Command Shell Started With a System Privileges
• Detected a Successful Login From a
Compromised Host Into Other Hosts
• Detected a Possible Credential Dumping Tool
• Childless Process Launched/Spawned a Process
• Process Launched From Temp Directory
• Abnormal Parent for a System Process
• Detected a Suspicious Svchost Process
• A Network Share Has Been Accessed From a
Compromised Host
• An Administrative share Has Been Accessed
• An Administrative share Has Been Accessed
From a Compromised Machine
• Process Launched From a Shared Folder and
Created Thread into Another Process
• Detected Excessive Usage of System Tools From
a Single Machine
• Excessive Failed Attempts to Access a Network
Shared Resource From a Compromised Host
• Excessive Failed Attempts to Access an
Administrative Share From a Single source
• Powershell Has Been Launched in a
Compromised Host
• PsExec Has Been Launched From a
Compromised Host

• Detected SMB Traffic From a Compromised Host

Into Other Hosts
• A Command Shell or Powershell Has been
Launched From a Remote System
• A Scheduled Task Has Been Created in a
Compromised Host
• A Malicious Service Has Been Installed in a
System
• Detected a Service Configured to Use Powershell
• Detected a Service Configured to Use a Pipe
IBM QRadar Content Extension for Amazon AWS • AWS Cloud: Cloud activity by root user
• AWS Cloud: Critical EC2 Instance Has Been
Stopped OR Terminated
• AWS Cloud: Detected A Successful Login To AWS
Console From Different Geographies
• AWS Cloud: Logs Have Been Deleted / Disabled
or Stopped
• AWS Cloud: Multiple Console Login Failures From
Different Source IPs
• AWS Cloud: Multiple Console Login Failures from
Same Source IP
• AWS Cloud: Multiple Failed API Requests From
Different Source IPs
Same Source IP
The Same Username
Unsupported UBA rules

The User Behavior Analytics (UBA) app no longer supports some rules. The functions that the rules
provided are now integrated into the app, available in separate content packs, or implemented with
machine learning models.
With UBA V3.5.0 and later, during the upgrade, a one-time task runs to disable all unsupported UBA rules
found on the system. If any of the rules are enabled at a later time, they will not be disabled again by the
application.
Although the following lists of UBA rules and building blocks are no longer supported by the UBA app, the
rules or the functions that the rules provided are still available.
The following rules, and the functionality they provided, are now managed by Machine Learning:
• UBA : Abnormal Outbound Transfer Attempts
UBA : Abnormal Outbound Transfer Attempts Found

• UBA : Abnormal data volume to external domain
UBA : Abnormal data volume to external domain Found

• UBA : Abnormal visits to Risky Resources
UBA : Abnormal visits to Risky Resources Found
UBA : User Accessing Risky Resources
UBA : Risky Resources

• UBA : User Behavior, Session Anomaly by Destination
UBA : User Behavior, Session Anomaly by Destination Found

• UBA : User Event Frequency Anomaly - Categories
UBA : User Event Frequency Anomaly - Categories Found

• UBA : User Volume Activity Anomaly - Traffic to External Domains
UBA : User Volume Activity Anomaly - Traffic to External Domains Found

• UBA : User Volume Activity Anomaly - Traffic to Internal Domains
UBA : User Volume Activity Anomaly - Traffic to Internal Domains Found

• UBA : User Volume of Activity Anomaly - Traffic
UBA : User Volume of Activity Anomaly - Traffic Found

The following rules and building blocks, and the functionality they provided, are now managed within the
UBA application:
• UBA : User Has Gone Dormant (no activity anomaly rule)
BB:UBA : Dormant User First Login (logic)

BB:UBA : Dormant User Subsequent Login (logic)
UBA : Username to User Accounts, Successful, Dormant
• New Account
UBA : Username to User Accounts, Successful, Observed

UBA : Username to User Accounts, Successful, Recent
UBA : Username to User Accounts, Successful, Recent Update
BB:UBA : User First Time Access (logic)
The following rules and building blocks, and the functionality they provided, are now handled by allowing
non-UBA rules to work with UBA:
• QNI
UBA : QNI - Access to Improperly Secured Service - Certificate Expired

UBA : QNI - Access to Improperly Secured Service - Certificate Invalid
UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate
UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length
UBA : QNI - Observed File Hash Associated with Malware Threat
UBA : QNI - Observed File Hash Seen Across Multiple Hosts
UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Email Recipient
UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers
UBA : QNI - Confidential Content Being Transferred to Foreign Geography
• SYSMON
UBA : Suspicious PowerShell Activity

UBA : Suspicious PowerShell Activity (Asset)
UBA : Suspicious Command Prompt Activity
UBA : User Access Control Bypass Detected (Asset)
UBA : Suspicious Scheduled Task Activities
UBA : Suspicious Service Activities
UBA : Suspicious Service Activities (Asset)
UBA : Suspicious Entries in System Registry (Asset)
UBA : Suspicious Image Load Detected (Asset)
UBA : Suspicious Pipe Activities (Asset)
UBA : Suspicious Activities on Compromised Hosts

UBA : Suspicious Activities on Compromised Hosts (Asset)
UBA : Suspicious Administrative Activities Detected
UBA : Process Creating Suspicious Remote Threads Detected (Asset)
UBA : Common Exploit Tools Detected
UBA : Common Exploit Tools Detected (Asset)
UBA : Malicious Process Detected
UBA : Network Share Accessed
• Recon
UBA : Unusual Scanning of DHCP Servers Detected

UBA : Unusual Scanning of DNS Servers Detected
UBA : Unusual Scanning of Database Servers Detected
UBA : Unusual Scanning of FTP Servers Detected
UBA : Unusual Scanning of Game Servers Detected
UBA : Unusual Scanning of Generic ICMP Detected
UBA : Unusual Scanning of Generic TCP Detected
UBA : Unusual Scanning of Generic UDP Detected
UBA : Unusual Scanning of IRC Servers Detected
UBA : Unusual Scanning of LDAP Servers Detected
UBA : Unusual Scanning of Mail Servers Detected
UBA : Unusual Scanning of Messaging Servers Detected
UBA : Unusual Scanning of P2P Servers Detected
UBA : Unusual Scanning of Proxy Servers Detected
UBA : Unusual Scanning of RPC Servers Detected
UBA : Unusual Scanning of SNMP Servers Detected
UBA : Unusual Scanning of SSH Servers Detected
UBA : Unusual Scanning of Web Servers Detected
UBA : Unusual Scanning of Windows Servers Detected
Rules enabled by default in 3.5.0

The IBM QRadar User Behavior Analytics (UBA) app enabled certain rules by default in 3.5.0.
In UBA 3.5.0 or earlier, the rules were either enabled or disabled by default. In 3.6.0, all of the rules are
disabled by default except for the following 3 rules: UBA : Unauthorized Access, UBA : Dormant Account
Used, and UBA : New Account Use Detected.
Important: If you modified a rule (for example, enabled or disabled a rule or made a change in the tests
or response of any rule) in UBA 3.5.0 or earlier, it is seen as modified in your QRadar system. When you
upgrade to 3.6.0, the rule maintains the previous state and will not take the new default state.
The following list of rules were enabled by default in 3.5.0:
• UBA : Anomalous Account Created From New Location
• UBA : Anomalous Cloud Account Created From New Location
• UBA : Browsed to Business/Service Website
• UBA : Browsed to Communications Website
• UBA : Browsed to Education Website
• UBA : Browsed to Entertainment Website
• UBA : Browsed to Gambling Website
• UBA : Browsed to Government Website
• UBA : Browsed to Information Technology Website
• UBA : Browsed to Job Search Website
• UBA : Browsed to LifeStyle Website
• UBA : Browsed to Mixed Content/Potentially Adult Website
• UBA : Browsed to Pornography Website
• UBA : Browsed to Religious Website
• UBA : Browsed to Social Networking Website
• UBA : Browsed to Uncategorized Website
• UBA : Bruteforce Authentication Attempts
• UBA : Data Loss Possible
• UBA : Detect Persistent SSH session
• UBA : Expired Account Used
• UBA : First Privilege Escalation
• UBA : Internet Settings Modified
• UBA : Kerberos Account Enumeration Detected
• UBA : Malware Activity - Registry Modified In Bulk
• UBA : Multiple Blocked File Transfers Followed by a File Transfer
• UBA : Multiple VPN Accounts Failed Login from Single IP
• UBA : Multiple VPN Accounts Logged In from Single IP
• UBA : Netcat Process Detection (Linux)
• UBA : Netcat Process Detection (Windows)
• UBA : New Account Use Detected
• UBA : Populate Multiple VPN Accounts Failed Login from Single IP
• UBA : Populate Multiple VPN Accounts Logged In from Single IP
• UBA : Repeat Unauthorized Access
• UBA : Replication Request from a Non-Domain Controller
• UBA : ShellBags Modified By Ransomware
• UBA : Suspicious Privileged Activity (First Observed Privilege Use)
• UBA : Suspicious Privileged Activity (Rarely Used Privilege)
• UBA : Terminated User Activity
• UBA : Unauthorized Access
• UBA : UNIX/Linux System Accessed With Service or Machine Account
• UBA : User Access - Failed Access to Critical Assets
• UBA : User Access - First Access to Critical Assets
• UBA : User Access from Multiple Locations
• UBA : User Access Login Anomaly
• UBA : User Accessing Account from Anonymous Source
• UBA : User Accessing Risky IP, Anonymization
• UBA : User Accessing Risky IP, Dynamic

• UBA : User Accessing Risky IP, Spam
• UBA : User Accessing Risky URL
• UBA : User Attempt to Use a Suspended Account
• UBA : Volume Shadow Copy Created
• UBA : VPN Access By Service or Machine Account
• UBA : VPN Certificate Sharing
• UBA : Windows Access with Service or Machine Account
Chapter 9. Machine Learning Analytics app
The Machine Learning Analytics (ML) app extends the capabilities of your QRadar system and the QRadar
User Behavior Analytics (UBA) app by adding use cases for machine learning analytics. With the Machine
Learning Analytics models, you can gain additional insight into user behavior with predictive modeling.
The ML app helps your system to learn the expected behavior of the users in your network.
Attention: You must install IBM QRadar 7.3.2 or later before you install the UBA app and the ML
app. You must also have admin permissions.
Note: For the best experience with Machine Learning, you should consider running the UBA app and the
ML app on an App Host. For more information, see App Host.
Important:
• It is best to enable Machine Learning Analytics Settings one day after you initially configure the UBA
app. This waiting period ensures that the UBA app has sufficient time to create risk profiles for users.
• The QRadar console limits the amount of memory that can be used by apps. The ML app installation size
options are based on how much memory QRadar currently has for applications.
– The minimum amount of free memory required to install the ML app is 2 GB. However, 5 GB or higher
is recommended.
– The number of users monitored by the ML app depends on the ML app installation size and the
specific Machine Learning analytic. Starting at 5 GB the maximum number of monitored users by any
Machine Learning model is 40,000 per 5 GB up to 160,000 users total. For example, 5 GB would be
up to 40,000 users and 15 GB would be up to 120,000 users.
• The installation might fail due to a lack of available memory. This situation can occur if the amount of
memory available for applications is decreased because other applications are installed.
Known issues for Machine Learning Analytics

The Machine Learning Analytics app has required information for installation and known issues.
The Machine Learning Analytics app has the following known issues:
• The Machine Learning app might show warning messages in the Status of Machine Learning section. For
more information, see “Machine Learning app status shows warning on dashboard” on page 270.
• The installation might fail due to a lack of available memory. This situation can occur on 128 GB
consoles if several other apps are already installed and less than 10 GB remains for the ML app to use.
If the installation fails, the error message "FAILED" is displayed. To remedy this situation, uninstall
some of the other apps and then try again.
Prerequisites for installing the Machine Learning Analytics app

Before you install the Machine Learning Analytics app, ensure that you meet the requirements.
You must meet the following system requirements and fully install and configure the User Behavior
Analytics (UBA) app before you can install the Machine Learning Analytics app.
Component Minimum requirements

System memory 2 GB of free memory from the QRadar application pool of
memory
IBM QRadar version 7.3.2 or later
Sense DSM Install the DSM RPM file.
UBA app • Install the UBA 3.7.0 app.

Component Minimum requirements
• Configure the UBA Settings.

• Click the User Analytics tab and confirm that the UBA
Dashboard contains user data.
Installing the IBM Sense DSM manually

The UBA app and the Machine Learning Analytics app use the following IBM Sense DSM files to add user
risk scores and offenses into QRadar.
Restriction: Uninstalling a Device Support Module (DSM) is not supported in QRadar.
1. Copy the DSM RPM file to your QRadar Console.
2. Use SSH to log in to the QRadar host as the root user.
3. Go to the directory that includes the downloaded file.
4. Type the following command:
rpm -Uvh <rpm_filename>
5. From the Admin settings, click Advanced > Deploy Full Configuration.
Note: Instructions for installing and configuring the UBA app are on the IBM Knowledge Center.
Related tasks
“Installing the User Behavior Analytics app” on page 15
QRadar Console.
“Configuring UBA settings” on page 25
Installing the Machine Learning Analytics app

As a QRadar Admin, you can install the Machine Learning Analytics (ML) app after you have installed the
UBA app from the Extension Manager.
Before you begin

Make sure you have completed all of the Prerequisites for installing the Machine Learning Analytics app.
For the best experience with Machine Learning, you should consider running the UBA app and the ML app
on an App Host. For more information, see App Host.
About this task

After you install the User Behavior Analytics (UBA) app, you can install the ML app from the Machine
Learning Settings page.
You must have admin permissions to view Machine Learning Settings.
Procedure

2. Click the Machine Learning Settings icon.
• In QRadar 7.3.2 or later, click Apps > User Analytics > Machine Learning Settings.
3. On the Machine Learning Settings page, click Install ML App.
4. At the prompt, click Yes to install the app. The ML app takes several minutes to install.
What to do next
When the installation is complete, you can enable ML use cases and then click Save Configuration.
UBA dashboard with Machine Learning

The IBM QRadar User Behavior Analytics (UBA) app with Machine Learning Analytics includes the
Machine Learning model status and additional details for the selected user.
Dashboard
After you enable the Machine Learning models, click the User Analytics tab to open the dashboard.
The Status of Machine Learning Models section shows you the ingestion and the building progress for
each model you have enabled.
• The light blue progress bar indicates that the model is ingesting data.
• The blue progress bar indicates that the model is building.
Chapter 9. Machine Learning Analytics app 209

• The green progress bar indicates that the model is training. Note: If the model is not receiving data,
then it remains in training until enough data is received.
• The green check mark indicates that the model is enabled.
• The yellow warning icon indicates a problem was encountered during the model building phase. See
“Machine Learning app status shows warning on dashboard” on page 270.
Click the ML Settings icon to open the Machine Learning Analytics page and edit the configuration
for the Machine Learning Analytics models.
Note: If you edit the configuration after it has been saved, a new model will be built and the time to wait
for the ingestion and model building is reset.
User details page

You can click a user name from anywhere in the app to see details for the selected user.
You can learn more about the user's activities with the event viewer pane. The event viewer pane shows
information about a selected activity or point in time. Clicking an event in the event viewer pane reveals
more details such as syslog events and payload information. The event viewer pane is available for all
donut and line graphs on the User details page.
The following table describes the Machine Learning Analytics graphs available on the User Details page.
Access Activity Shows actual and expected user activity behavior patterns by Access high-level
category. The actual values are the number of events per high-level category for that
user during the selected time period. The expected values are the predicted number
of events per high-level category for that user during the selected time period. A red
circle indicates that an anomaly was detected and a sense event was generated by
machine learning.
On the Access Activity graph, you can:
• Click the Calendar icon to specify a time and date.
• Click a category to open the timeline graph for the selected category.
On the timeline graph for the selected category, you can:
• Click a data node and get a query listing of the events that represent that node.
• Click the Calendar icon to specify a custom date range.
Activity Shows dynamic behavior clusters for all users that are monitored by machine
Distribution learning. The clusters are inferred by the low-level activity categories for all users
that are monitored by machine learning. The actual values are the percent match to
that cluster. The expected values are the predicted percent match to that cluster.
Each color in the graph represents a unique dynamic behavior cluster for all users
monitored by machine learning. A color used to denote a particular group is the
same for all users. A red vertical line indicates that an anomaly was detected and a
sense event was generated by machine learning.
On the Activity Distribution graph, you can:
• Hover over each cluster to view the actual and predicted activity percentiles and
the top 3 contributing low-level categories.
• Click the Calendar icon to specify a date range.
Aggregated Shows the actual and expected (learned) amount of activity of users throughout the
Activity day. The actual values are the number of events for that user during the selected
time period. The expected values are the number of events predicted for that user
during the selected time period. A red circle indicates that an anomaly was detected
and a sense event was generated by machine learning.
On the Aggregated Activity graph, you can:
• Click a data node and get a query listing of the events that make up the anomaly.
Authentication Shows actual and expected user activity behavior patterns by Authentication high-
Activity level category. The actual values are the number of events per high-level category
for that user during the selected time period. The expected values are the predicted
number of events per high-level category for that user during the selected time
period. A red circle indicates that an anomaly was detected and a sense event was
generated by machine learning.
On the Authentication Activity graph, you can:
Data Downloaded Shows if a user's inbound traffic usage has deviated from their expected behavior.
The actual values are the volume of data received during the selected time period.

The learned values are the model's predicted volume of data received. A red circle
indicates that an anomaly was detected and a sense event was generated by
machine learning.
Data Uploaded to Shows if a user's outbound traffic volume has deviated from their expected behavior.
Remote The actual values are the volume of data that is sent for that user during the selected
Networks time period. The learned values are the model's predicted volume of data that is
sent. A red circle indicates that an anomaly was detected and a sense event was
generated by machine learning.
Defined peer Shows how much a user's event activity deviates from that of their defined peer
group group. The analytic uses the low-level activity categories of the users' events to
determine the users' deviation from their defined peer group.
A red circle indicates that an anomaly was detected and a sense event was
generated by machine learning. Defined group is the LDAP group name. Behavior
detected as are the groups the user behavior was similar to during the day.
Deviation from peer group signifies the percentage a user has deviated from their
defined peer group. Confidence is based on the amount of data gathered to build
the model from users in the group to make accurate predictions. An alert is triggered
if the deviation and the confidence both exceed their thresholds.
To view the Defined peer group analytic, you must configure user imports to gather
user grouping properties to meet minimum requirements. Select the grouping
property on the configuration page that represents the groups to be modeled. See
“Tuning user import configurations” on page 37 for details on configuring the custom
group.
On the Defined Peer Group graph, you can:
• Click a data point to view the Peers in "your defined peer group" table.
The Peers in "your defined peer group" table shows you the riskiest users in the
current user's group. You can:
• Click a user name to open the User Details page
• Click the drop-down list to select the user attributes to display
• Search to filter the user names
Learned Peer Shows how much the user deviated from the inferred peer group they were expected
Group to be in. The Learned Peer Group is inferred by the low-level activity categories for
the user.
A red circle indicates that an anomaly was detected and a sense event was
generated by machine learning. Anomaly triggered by lists the low-level category
that is detected by the algorithm that caused the deviation. Deviation from peer
group signifies the percentage a user has deviated from their inferred peer group.
Confidence is based on the amount of data gathered to build the model from users
in the group to make accurate predictions. An alert is triggered if the deviation and
the confidence both exceed their thresholds.
On the Learned Peer Group graph, you can:
• Click a data point to view the Peers in Group table.
The Peers in Group table shows you all the users that are expected and that are
actually in the group. You can:
• Click a user name to open the User Details page
• Expected match shows how confident the analytic is for that user to be in the
group
• Click the drop-down list to select the user attributes to display
• Search to filter the user names
Outbound Shows if a user's outbound traffic usage has deviated from their expected behavior.
Transfer The actual values are the number of transfer attempts for that user during the
Attempts selected time period. The learned values are the model's predicted number of
transfer attempts. A red circle indicates that an anomaly was detected and a sense
event was generated by machine learning.
On the Abnormal Outbound Transfer Attempts graph, you can:
• Click a node and get a query listing of the events.
Risk Posture Shows if a user's risk score deviates from their expected risk score pattern. The
actual values are the sum of the sense values for the sense events for that user
during the selected time period. The expected values are the predicted sum of the
sense values for the sense events for that user during the selected time period. A red
machine learning.
On the Risk Posture graph, you can:
• Click a node and get a query listing of the events.

Suspicious Shows actual and expected user activity behavior patterns by Suspicious high-level
Activity category. The actual values are the number of events per high-level category for that
user during the selected time period. The expected values are the predicted number
of events per high-level category for that user during the selected time period. A red
machine learning.
On the Suspicious Activity graph, you can:
Related tasks
“Enabling user models” on page 214
To view information in the Machine Learning Analytics app, you must configure Machine Learning settings
for User Models.
Enabling user models

To view information in the Machine Learning Analytics app, you must configure Machine Learning settings
for User Models.
About this task

With 3.3.0 and later of the UBA app, the Machine Learning Settings page has a new look and feel. You can
enable models or select a model to edit the default settings. You can also create your own custom models
with the included templates. You can enable up to 17 models.
Example
Access Activity
Enable the Access Activity machine learning model to display the user’s activity in the Access high-level
category on the User Details page.
Before you begin

Review the following model details.
• Event Name: UBA : Abnormal increase in Access activity
• sensevalue: 5
• Required configuration: System is monitoring events that have QRadar high-level category of Access.
• Log source types: Akamai KONA, Amazon AWS CloudTrail, Apache HTTP Server, Application Security
DbProtect, Arbor Networks Pravail, Arpeggio SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba
Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web Application
Firewall, Barracuda Web Filter, BeyondTrust PowerBroker, Bit9 Security Platform, Blue Coat Web
Security Service, Bridgewater Systems AAA Service Controller, Brocade FabricOS, CA ACF2, CA
SiteMinder, CA Top Secret, CRE System, Carbon Black Protection, Centrify Identity Platform, Check
Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco CSA, Cisco Call
Manager, Cisco CatOS for Catalyst Switches, Cisco Cloud Web Security, Cisco FireSIGHT Management
Center, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine, Cisco
Intrusion Prevention System (IPS), Cisco IronPort, Cisco Nexus, Cisco PIX Firewall, Cisco VPN 3000
Series Concentrator, Cisco Wireless Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler,
CloudPassage Halo, Configurable Firewall Filter, CorreLog Agent for IBM zOS, Custom Rule Engine, DCN
DCS/DCRS Series, EMC VMWare, Epic SIEM, Event CRE Injected, Extreme Dragon Network IPS, Extreme
HiPath, Extreme Matrix K/N/S Series Switch, Extreme NAC, Extreme Stackable and Standalone
Switches, Extreme XSR Security Routers, F5 Networks BIG-IP AFM, F5 Networks BIG-IP ASM, F5
Networks BIG-IP LTM, F5 Networks FirePass, Fidelis XPS, Flow Classification Engine, Forcepoint
Sidewinder, Forcepoint V Series, Fortinet FortiGate Security Gateway, Foundry Fastiron, H3C Comware

Platform, HP Network Automation, HP ProCurve, HP Tandem, Honeycomb Lexicon File Integrity
Monitor, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Server, IBM Bluemix Platform, IBM
DB2, IBM DataPower, IBM Fiberlink MaaS360, IBM Guardium, IBM IMS, IBM Informix Audit, IBM Lotus
Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM QRadar Network Security XGS,
IBM Resource Access Control Facility (RACF), IBM Security Access Manager for Enterprise Single Sign-
On, IBM Security Access Manager for Mobile, IBM Security Identity Manager, IBM Security Network IPS
(GX), IBM Tivoli Access Manager for e-business, IBM WebSphere Application Server, IBM i, IBM z/OS,
IBM zSecure Alert, ISC BIND, Illumio Adaptive Security Platform, Imperva Incapsula, Imperva
SecureSphere, Infoblox NIOS, Itron Smart Meter, Juniper DX Application Acceleration Platform, Juniper
Junos OS Platform, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN,
Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security
SafeNet/i, Lieberman Random Password Manager, Linux OS, Linux iptables Firewall, Mac OS X, McAfee
Application/Change Control, McAfee Network Security Platform, McAfee ePolicy Orchestrator, Microsoft
Azure, Microsoft Exchange Server, Microsoft Hyper-V, Microsoft IAS Server, Microsoft IIS, Microsoft ISA,
Microsoft Office 365, Microsoft Operations Manager, Microsoft SQL Server, Microsoft Windows Security
Event Log, Motorola SymbolAP, NCC Group DDos Secure, NGINX HTTP Server, Netskope Active, Nortel
Contivity VPN Switch, Nortel Ethernet Routing Switch 2500/4500/5500, Nortel Ethernet Routing Switch
8300/8600, Nortel Multiprotocol Router, Nortel Secure Network Access Switch (SNAS), Nortel Secure
Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC, Okta, Open LDAP
Software, OpenBSD OS, Oracle Audit Vault, Oracle BEA WebLogic, Oracle RDBMS OS Audit Record, Palo
Alto PA Series, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse
Connect Secure, RSA Authentication Manager, Radware AppWall, Radware DefensePro, Redback ASE,
Riverbed SteelCentral NetProfiler Audit, SSH CryptoAuditor, STEALTHbits StealthINTERCEPT,
Salesforce Security Auditing, Snort Open Source IDS, Solaris Operating System Authentication
Messages, Solaris Operating System DHCP Logs, Solaris Operating System Sendmail Logs, SonicWALL
SonicOS, Sophos Astaro Security Gateway, Sophos Enterprise Console, Squid Web Proxy, Starent
Networks Home Agent (HA), Stonesoft Management Center, Sun ONE LDAP, Sybase ASE, Symantec
Critical System Protection, Symantec Encryption Management Server, Symantec Endpoint Protection,
Symantec Gateway Security (SGS) Appliance, Symantec System Center, TippingPoint Intrusion
Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend InterScan VirusWall,
Trend Micro Deep Security, Universal DSM, Venustech Venusense Security Platform, Verdasys Digital
Guardian, Vormetric Data Security, WatchGuard Fireware OS, Zscaler Nss, genua genugate, iT-CUBE
agileSI
About this task

Enable the Access Activity model to track a user’s activity in the Access high-level category and create a
learned behavioral model for each hour of the day. If the user’s Access activity deviates from the learned
behavior, it is deemed suspicious and a Sense Event is generated to increase the user’s risk score.
Attention: After you configure or modify your settings, it takes a minimum of 1 hour to ingest data,
build an initial model, and see initial results for users.
Active users are monitored continuously. If a user has no activity for 28 days, the user and the user's data
are removed from the model. If the user is active again, they will return as a new user.
Procedure

2. In QRadar 7.3.2 or later, click Apps > User Analytics > Machine Learning Settings.
3. On the Machine Learning Settings page, click Enabled to turn on the Access Activity
model.
4. Click Access Activity if you want to edit the default settings.
5. In the Risk value of sense event field, enter the amount to increase the user's risk score when a
sense event is triggered. The default value is 5.
6. Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor
(range 1 - 10). This factor is determined by how much the user deviates from their expected behavior
and not just that they deviated.
7. In the Confidence interval to trigger anomaly field, enter the percentage for how confident the
machine learning algorithm should be before it triggers an anomalous event. The default value is
0.95.
8. In the Data Retention Period field, set the number of days you want to save the model data. The
default value is 30.
9. The Show graph on User Details page toggle is enabled by default to display the Access Activity
graph on the User Details page. If you do not want to display the Access Activity graph on the User
Details page, click the toggle.
10. In the AQL Search Filter field, you can add an AQL filter to narrow the data that the analytic queries
for in QRadar. By filtering with an AQL query, you can reduce the number of users or the types of data
the analytic is analyzing. Before you save your settings, click Validate Query to launch a full AQL
query in QRadar so that you can review the query and verify the results.
Important: If you modify the AQL filter, the existing model is marked invalid and is then rebuilt. The
length of time the rebuild takes depends on the amount of data that is returned by the modified filter.
You can filter on specific log sources, network names, or reference sets that contain specific users.
See the following examples:
• REFERENCESETCONTAINS('Important People', username)
• LOGSOURCETYPENAME(devicetype) in ('Linux OS', 'Blue Coat SG Appliance',
'Microsoft Windows Security Event Log')
• INCIDR('172.16.0.0/12', sourceip) or INCIDR('10.0.0.0/8', sourceip) or
INCIDR('192.168.0.0/16', sourceip)
For more information, see Ariel Query Language.
11. Click Save.

Results
It can take a minimum of 1 hour for the app to ingest data and build an initial model.
Related tasks
Activity Distribution
Configure the Activity Distribution machine learning model to display dynamic behavior clusters for all
users that are monitored by machine learning on the User Details page.
Aggregated Activity
Enable the Aggregated Activity machine learning model to display the user’s general activity by time on
the User Details page.
Authentication Activity
Enable the Authentication Activity machine learning model to display the user’s activity in the
Authentication high-level category on the User Details page.
Data Downloaded
Enable the Data Downloaded machine learning model to display data that is downloaded for each user on
Data Uploaded to Remote Networks
Enable the Data Uploaded to Remote Networks machine learning model to display the actual and
expected (learned) amount of local to remote upload volume for each user on the User Details page.
Defined Peer Group
Configure the Defined Peer Group machine learning model to display how much a user's event activity
deviates from the event activity of their defined peer group on the User Details page.
Learned Peer Group
Enable the Learned Peer Group machine learning model to display how much the user deviated from the
inferred peer group they were expected to be in on the User Details page.
Outbound Transfer Attempts
Enable the Outbound Transfer Attempts machine learning model to display outbound traffic usage for
each user on the User Details page.
Risk Posture
Enable the Risk Posture machine learning model to display the user's risk score deviation on the User
Details page.
Suspicious Activity
Enable the Suspicious Activity machine learning model to display the actual and expected (learned)
amount of Suspicious Activity high-level category on the User Details page.
Creating a custom model
Create a custom model to measure and baseline a numeric feature for a person per hour.
Before you begin

• Event Name: UBA : Deviation from normal activity patterns
• sensevalue: 5
• To enable the Activity Distribution model for installations greater than 10 GB, you must install an App
Host. For more information, see App Hosts.
• Log source types: Any log source with events that provide a username.
About this task

Enable the Activity Distribution model so that the model can learn behavior clusters that represent groups
of similar activity (similar low-level categories of QRadar). Search for deviations from the normal
distribution of these clusters over time. Malicious behavior can manifest as changes in the distribution of
a user’s behavior cluster; that is, the user’s activities begin to deviate from his customary activities.
Similar activities are represented by the same colors for all users.
Attention: After you configure or modify your settings, it takes a minimum of 2 days to ingest data,
Procedure


3. On the Machine Learning Settings page, click Enabled to turn on the Activity Distribution
model.
Important: You must have 7 days of data available for the analytic to generate a model.
4. Click Activity Distribution if you want to edit the default settings.
0.99.
9. The Show graph on User Details page toggle is enabled by default to display the Activity Distribution
graph on the User Details page. If you do not want to display the Activity Distribution graph on the
User Details page, click the toggle.
11. Click Save.
Results
Related tasks
Access Activity
Aggregated Activity
Data Downloaded

Defined Peer Group
Learned Peer Group
Risk Posture
Details page.
Suspicious Activity
Aggregated Activity
Before you begin

• Event Name: UBA : Abnormal increase in User activity
• sensevalue: 5
About this task

Enable the Aggregated Activity model to track a user’s general activity by time and create a model for the
predicted weekly behavior patterns. If the user’s activity deviates from the learned behavior, it is deemed
suspicious and a Sense Event is generated to increase the user’s risk score.
Procedure

3. On the Machine Learning Settings page, click Enabled to turn on the Aggregated Activity
model.
4. Click Aggregated Activity if you want to edit the default settings.
0.95.
9. The Show graph on User Details page toggle is enabled by default to display the Aggregated Activity
graph on the User Details page. If you do not want to display the Aggregated Activity graph on the
11. Click Save.

Results
Related tasks
Access Activity
Data Downloaded
Defined Peer Group
Learned Peer Group
Risk Posture
Details page.
Suspicious Activity
Before you begin

• Event Name: UBA : Abnormal increase in Authentication activity
• sensevalue: 5
• Required configuration: System is monitoring events that have QRadar high-level category of
Authentication.
• Log source types: 3Com 8800 Series Switch, APC UPS, AhnLab Policy Center APC, Amazon AWS
CloudTrail, Apache HTTP Server, Application Security DbProtect, Arbor Networks Pravail, Arpeggio
SIFT-IT, Array Networks SSL VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Introspect,
Aruba Mobility Controller, Avaya VPN Gateway, Barracuda Spam & Virus Firewall, Barracuda Web
Application Firewall, Barracuda Web Filter, Bit9 Security Platform, Box, Bridgewater Systems AAA
Service Controller, Brocade FabricOS, CA ACF2, CA SiteMinder, CA Top Secret, CRE System,
CRYPTOCard CRYPTOShield, Carbon Black Protection, Centrify Identity Platform, Centrify Infrastructure
Services, Check Point, Cilasoft QJRN/400, Cisco ACS, Cisco Adaptive Security Appliance (ASA), Cisco
Aironet, Cisco CSA, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco FireSIGHT
Management Center, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Identity Services Engine,
Module (WiSM), Citrix Access Gateway, Citrix NetScaler, CloudPassage Halo, Cloudera Navigator,
Configurable Authentication message filter, CorreLog Agent for IBM zOS, CrowdStrike Falcon Host,
Custom Rule Engine, Cyber-Ark Vault, CyberGuard TSP Firewall/VPN, DCN DCS/DCRS Series, DG
Technology MEAS, EMC VMWare, ESET Remote Administrator, Enterprise-IT-Security.com SF-Sherlock,
Epic SIEM, Event CRE Injected, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme
HiPath, Extreme Matrix E1 Switch, Extreme Matrix K/N/S Series Switch, Extreme NAC, Extreme
NetsightASM, Extreme Networks ExtremeWare Operating System (OS), Extreme Stackable and

Standalone Switches, Extreme XSR Security Routers, F5 Networks BIG-IP APM, F5 Networks BIG-IP
ASM, F5 Networks BIG-IP LTM, F5 Networks FirePass, FireEye, Flow Classification Engine, Forcepoint
Sidewinder, ForeScout CounterACT, Fortinet FortiGate Security Gateway, Foundry Fastiron,
FreeRADIUS, H3C Comware Platform, HBGary Active Defense, HP Network Automation, HP ProCurve,
HP Tandem, Huawei AR Series Router, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit,
IBM AIX Server, IBM BigFix, IBM Bluemix Platform, IBM DB2, IBM DataPower, IBM Fiberlink MaaS360,
IBM Guardium, IBM IMS, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS),
IBM QRadar Network Security XGS, IBM QRadar Packet Capture, IBM Resource Access Control Facility
(RACF), IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for
Mobile, IBM Security Directory Server, IBM Security Identity Governance, IBM Security Identity
Manager, IBM SmartCloud Orchestrator, IBM Tivoli Access Manager for e-business, IBM WebSphere
Imperva SecureSphere, Infoblox NIOS, Itron Smart Meter, Juniper Junos OS Platform, Juniper Junos
WebApp Secure, Juniper MX Series Ethernet Services Router, Juniper Networks Firewall and VPN,
Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security
Random Password Manager, LightCyber Magna, Linux OS, Mac OS X, McAfee Application/Change
Control, McAfee Network Security Platform, McAfee ePolicy Orchestrator, Metainfo MetaIP, Microsoft
Azure, Microsoft DHCP Server, Microsoft Exchange Server, Microsoft Hyper-V, Microsoft IAS Server,
Microsoft IIS, Microsoft ISA, Microsoft Office 365, Microsoft Operations Manager, Microsoft SCOM,
Microsoft SQL Server, Microsoft SharePoint, Microsoft Windows Security Event Log, Motorola SymbolAP,
NCC Group DDos Secure, Netskope Active, Nortel Application Switch, Nortel Contivity VPN Switch,
Nortel Contivity VPN Switch (obsolete), Nortel Ethernet Routing Switch 2500/4500/5500, Nortel
(SNAS), Nortel Secure Router, Nortel VPN Gateway, Novell eDirectory, OS Services Qidmap, OSSEC,
ObserveIT, Okta, Open LDAP Software, OpenBSD OS, Oracle Acme Packet SBC, Oracle Audit Vault,
Oracle BEA WebLogic, Oracle Database Listener, Oracle Enterprise Manager, Oracle RDBMS Audit
Record, Oracle RDBMS OS Audit Record, Palo Alto Endpoint Security Manager, Palo Alto PA Series,
Pirean Access: One, PostFix MailTransferAgent, ProFTPD Server, Proofpoint Enterprise Protection/
Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware
AppWall, Radware DefensePro, Redback ASE, Riverbed SteelCentral NetProfiler Audit, SIM Audit, SSH
Auditing, Salesforce Security Monitoring, Sentrigo Hedgehog, Skyhigh Networks Cloud Security
Platform, Snort Open Source IDS, Solaris BSM, Solaris Operating System Authentication Messages,
Solaris Operating System Sendmail Logs, SonicWALL SonicOS, Sophos Astaro Security Gateway, Squid
Encryption Management Server, Symantec Endpoint Protection, ThreatGRID Malware Threat
Intelligence Platform, TippingPoint Intrusion Prevention System (IPS), TippingPoint X Series
Appliances, Top Layer IPS, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Discovery
Inspector, Trend Micro Deep Security, Tripwire Enterprise, Tropos Control, Universal DSM, VMware
vCloud Director, VMware vShield, Vectra Networks Vectra, Venustech Venusense Security Platform,
Verdasys Digital Guardian, Vormetric Data Security, WatchGuard Fireware OS, genua genugate, iT-CUBE
agileSI
About this task

Enable the Authentication Activity model to track a user’s activity in the Authentication high-level category
and create a learned behavioral model for each hour of day. If the user’s Authentication activity deviates
from the learned behavior, it is deemed suspicious and a Sense Event is generated to increase the user’s
risk score.
Procedure

3. On the Machine Learning Settings page, click Enabled to turn on the Authentication
Activity model.
4. Click Authentication Activity if you want to edit the default settings.
0.95.
9. The Show graph on User Details page toggle is enabled by default to display the Authentication
Activity graph on the User Details page. If you do not want to display the Authentication Activity
graph on the User Details page, click the toggle.
11. Click Save.

Results
Related tasks
Access Activity
Aggregated Activity
Data Downloaded
Defined Peer Group
Learned Peer Group
Risk Posture
Details page.
Suspicious Activity
Data Downloaded
Before you begin

• Event Name : UBA : Abnormal Data Downloaded
• sensevalue: 5
• Required configuration Custom event property "BytesReceived" must exist for the desired log source
type.
• Log source types: Pulse Secure Pulse Connect Secure, Fortinet FortiGate Security Gateway, Blue Coat
SG Appliance, Juniper SRX Series Services Gateway, Microsoft ISA, Citrix NetScaler
About this task

Enable the Data Downloaded model to monitor data that is downloaded for each user and then alerts on
abnormal behavior. When the actual volume of data that is downloaded exceeds the model’s predicted
number, a Sense Event is generated to increase the user’s risk score.
Procedure


3. On the Machine Learning Settings page, click Enabled to turn on the Data Downloaded
model.
4. Click Data Downloaded if you want to edit the default settings.
0.95.
9. The Show graph on User Details page toggle is enabled by default to display the Data Downloaded
graph on the User Details page. If you do not want to display the Data Downloaded graph on the User
Details page, click the toggle.
11. Click Save.
Results
Related tasks
Access Activity
Aggregated Activity

Defined Peer Group
Learned Peer Group
Risk Posture
Details page.
Suspicious Activity

Before you begin

• Event Name: UBA : Abnormal Volume of Data to External Domains
• sensevalue: 5
• Required configuration: Custom event property "BytesSent" must exist for the desired log source type.
About this task

Enable the Data Uploaded to Remote Networks model to monitor external domain data usage for each
user and alerts on abnormal behavior. When the actual number of external domain data usage exceeds
the model’s predicted number, a Sense Event is generated to increase the user’s risk score.
Procedure

3. On the Machine Learning Settings page, click Enabled to turn on the Data Uploaded to
Remote Networks model.
4. Click Data Uploaded to Remote Networks if you want to edit the default settings.
0.95.
9. The Show graph on User Details page toggle is enabled by default to display the Data Uploaded to
Remote Networks graph on the User Details page. If you do not want to display the Data Uploaded to
Remote Networks graph on the User Details page, click the toggle.
11. Click Save.

Results
Related tasks
Access Activity
Aggregated Activity
Data Downloaded
Defined Peer Group
Learned Peer Group
Risk Posture
Details page.
Suspicious Activity
Defined Peer Group

Before you begin

• Event Name: UBA : Deviation from define peer group
• sensevalue: 5
• Required configuration: Configure user import to gather user grouping properties to meet minimum
requirements. Select the grouping property on the configuration page that represents the groups to be
modeled. See “Tuning user import configurations” on page 37 for details on configuring the custom
group.
• You must have 7 days of event data available for the analytic to generate a model.
About this task

Enable the Defined Peer Group model to show users grouped and analyzed based on the Group by field. If
a user’s current behavior is significantly different from the user’s defined group, it is deemed suspicious
and a Sense Event is generated to increase the user’s risk score. Note: You must have a minimum of two
defined groups that each contains 5 or more users. If you change the group selection, a new model needs
to be constructed. A significant amount of time and computer resources are required to complete the
model creation. It is not recommended to change this value frequently.
Attention: After you configure or modify your settings, it takes a minimum of 1 day to ingest data,

Procedure

3. On the Machine Learning Settings page, click Enabled to turn on the Defined Peer Group
model.
4. Click Defined Peer Group if you want to edit the default settings.
0.99.
9. The Show graph on User Details page toggle is enabled by default to display the Defined Peer Group
graph on the User Details page. If you do not want to display the Defined Peer Group graph on the
10. In the Group By field, select the group that you want the Defined Peer Group analytic to use.
For more information, see Overview of Ariel Query Language.
12. Click Save.
Results
Related tasks
Access Activity
Aggregated Activity

Data Downloaded
Learned Peer Group
Risk Posture
Details page.
Suspicious Activity
Learned Peer Group

Before you begin

• Event Name: UBA :Deviation from learned peer group
• sensevalue: 5
• To enable the Learned Peer Group model on QRadar V7.3.2 and later, you must install an App Host. For
more information, see App Hosts.
• You must have 7 days of event data available for the Learned Peer Group analytic to generate a model.
About this task

Enable the Learned Peer Group model to identifies users who engage in similar activities and then places
them into peer groups. If a user’s current peer group is significantly different from former groups, then a
Sense Event is generated to increase the user’s risk score.
Attention: After you configure or modify your settings, it takes a minimum of 1 day to ingest data,
Procedure

3. On the Machine Learning Settings page, click Enabled to turn on the Learned Peer Group
model.
4. Click Learned Peer Group if you want to edit the default settings.
0.99.
9. The Show graph on User Details page toggle is enabled by default to display the Learned Peer Group
graph on the User Details page. If you do not want to display the Learned Peer Group graph on the
11. Click Save.

Results
Related tasks
Access Activity
Aggregated Activity
Data Downloaded
Defined Peer Group
Risk Posture
Details page.
Suspicious Activity

Before you begin

• Event Name : UBA : Abnormal Outbound Transfer Attempts
• sensevalue: 5
• Required configuration : Custom event property 'BytesSent' must exist for the desired log source type.
About this task

Enable the Outbound Transfer Attempts to monitor outbound traffic usage for each user and alert on
abnormal behavior. When the actual number of transfer attempts exceeds the model’s predicted number,
a Sense Event is generated to increase the user’s risk score.
Procedure


3. On the Machine Learning Settings page, click Enabled to turn on the Outbound Transfer
Attempts model.
4. Click Outbound Transfer Attempts if you want to edit the default settings.
0.95.
9. The Show graph on User Details page toggle is enabled by default to display the Outbound Transfer
Attempts graph on the User Details page. If you do not want to display the Outbound Transfer
Attempts graph on the User Details page, click the toggle.
11. Click Save.
Results
Related tasks
Access Activity
Aggregated Activity

Data Downloaded
Defined Peer Group
Learned Peer Group
Risk Posture
Details page.
Suspicious Activity
Risk Posture
Details page.
Before you begin

• Event Name: UBA : Deviation from normal Risk posture
• sensevalue: 5
• Required configuration: UBA is configured and sense events are being created.
• Log source types: Any log sources with events that trigger sense events.
About this task

Enable the Risk Posture model to track a user’s risky activity by the rate of sense events generated and
create a baseline model. If the user’s risky activity deviates from the baseline, it is deemed suspicious
and a sense event is generated to increase the user’s overall risk score.
Procedure
3. On the Machine Learning Settings page, click Enabled to turn on the Risk Posture model.
4. Click Risk Posture if you want to edit the default settings.
0.95.
9. The Show graph on User Details page toggle is enabled by default to display the Risk Posture graph
on the User Details page. If you do not want to display the Risk Posture graph on the User Details
page, click the toggle.
11. Click Save.

Results
Related tasks
Access Activity
Aggregated Activity
Data Downloaded
Defined Peer Group
Learned Peer Group
Suspicious Activity
Suspicious Activity
Before you begin

• Event Name: UBA : Abnormal increase in Suspicious activity
• sensevalue: 5
• Required configuration: System is monitoring events that have QRadar high level category of Suspicious
Activity.
• Log source types: 3Com 8800 Series Switch, Akamai KONA, Application Security DbProtect, Arbor
Networks Peakflow SP, Aruba Introspect, Aruba Mobility Controller, Avaya VPN Gateway, Barracuda
Spam & Virus Firewall, Barracuda Web Application Firewall, Barracuda Web Filter, Bridgewater Systems
AAA Service Controller, Brocade FabricOS, CRE System, Carbon Black, Carbon Black Protection, Check
Point, Cilasoft QJRN/400, Cisco Adaptive Security Appliance (ASA), Cisco Aironet, Cisco CSA, Cisco
CatOS for Catalyst Switches, Cisco Firewall Services Module (FWSM), Cisco IOS, Cisco Intrusion
Prevention System (IPS), Cisco IronPort, Cisco Meraki, Cisco NAC Appliance, Cisco PIX Firewall, Cisco
Stealthwatch, Cisco Umbrella, Cisco VPN 3000 Series Concentrator, Cisco Wireless LAN Controllers,
Cisco Wireless Services Module (WiSM), CloudLock Cloud Security Fabric, CrowdStrike Falcon Host,
Custom Rule Engine, CyberArk Privileged Threat Analytics, CyberGuard TSP Firewall/VPN, Damballa
Failsafe, EMC VMWare, ESET Remote Administrator, Enterprise-IT-Security.com SF-Sherlock, Event
CRE Injected, Exabeam, Extreme 800-Series Switch, Extreme Dragon Network IPS, Extreme HiGuard,
Extreme HiPath, Extreme Matrix K/N/S Series Switch, Extreme Networks ExtremeWare Operating
System (OS), Extreme XSR Security Routers, F5 Networks BIG-IP AFM, F5 Networks BIG-IP ASM, F5
Networks BIG-IP LTM, F5 Networks FirePass, Fair Warning, Fidelis XPS, FireEye, Flow Classification
Engine, Forcepoint Sidewinder, ForeScout CounterACT, Fortinet FortiGate Security Gateway,
FreeRADIUS, H3C Comware Platform, Huawei AR Series Router, Huawei S Series Switch, IBM AIX
Server, IBM BigFix Detect, IBM Guardium, IBM Lotus Domino, IBM Proventia Network Intrusion
Prevention System (IPS), IBM Resource Access Control Facility (RACF), IBM Security Network IPS (GX),

IBM Security Trusteer Apex Advanced Malware Protection, IBM WebSphere Application Server, IBM i,
IBM z/OS, ISC BIND, Imperva SecureSphere, Juniper Junos OS Platform, Juniper Junos WebApp
Secure, Juniper Networks Firewall and VPN, Juniper Networks Intrusion Detection and Prevention
(IDP), Juniper Networks Network and Security Manager, Juniper WirelessLAN, Kaspersky CyberTrace,
Kaspersky Security Center, Kisco Information Systems SafeNet/i, Lastline Enterprise, LightCyber
Magna, Linux DHCP Server, Linux OS, McAfee Application/Change Control, McAfee Network Security
Platform, McAfee ePolicy Orchestrator, Microsoft DHCP Server, Microsoft DNS Debug, Microsoft
Endpoint Protection, Microsoft Hyper-V, Microsoft Operations Manager, Microsoft Windows Security
Event Log, Motorola SymbolAP, NCC Group DDos Secure, Netskope Active, Niksun 2005 v3.5, Nortel
Contivity VPN Switch, Nortel Secure Router, Nortel VPN Gateway, OS Services Qidmap, OSSEC,
ObserveIT, Onapsis Inc Onapsis Security Platform, Palo Alto Endpoint Security Manager, Palo Alto PA
Series, PostFix MailTransferAgent, ProFTPD Server, Proofpoint Enterprise Protection/Enterprise Privacy,
Pulse Secure Pulse Connect Secure, RSA Authentication Manager, Radware AppWall, Radware
DefensePro, Riverbed SteelCentral NetProfiler, SAP Enterprise Threat Detection, SSH CryptoAuditor,
STEALTHbits StealthINTERCEPT, SafeNet DataSecure/KeySecure, Samhain HIDS, Sentrigo Hedgehog,
Skyhigh Networks Cloud Security Platform, Snort Open Source IDS, SolarWinds Orion, Solaris Operating
System Authentication Messages, Solaris Operating System Sendmail Logs, SonicWALL SonicOS,
Sophos Astaro Security Gateway, Sophos Enterprise Console, Sophos PureMessage, Squid Web Proxy,
Starent Networks Home Agent (HA), Stonesoft Management Center, Symantec Endpoint Protection,
Symantec System Center, ThreatGRID Malware Threat Intelligence Platform, TippingPoint Intrusion
Prevention System (IPS), TippingPoint X Series Appliances, Top Layer IPS, Trend Micro Deep Discovery
Email Inspector, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Universal DSM,
Vectra Networks Vectra, Verdasys Digital Guardian, WatchGuard Fireware OS, Zscaler Nss, genua
About this task

Enable the Suspicious Activity model to track a user’s activity in the Suspicious Activity high-level
category and create a learned behavioral model for each hour of the day. If the user’s Suspicious Activity
deviates from the learned behavior, it is deemed suspicious and a Sense Event is generated to increase
the user’s risk score.
Procedure

3. On the Machine Learning Settings page, click Enabled to turn on the Suspicious Activity
model.
4. Click Suspicious Activity if you want to edit the default settings.
0.95.
9. The Show graph on User Details page toggle is enabled by default to display the Suspicious Activity
graph on the User Details page. If you do not want to display the Suspicious Activity graph on the
11. Click Save.

Results
Related tasks
Access Activity
Aggregated Activity
Data Downloaded
Defined Peer Group
Learned Peer Group
Risk Posture
Details page.

Before you begin

Review the following model details for each model template:
• Application Events
• Source IP
• Destination Port
• Office File Access
• AWS Access
• Process
• Website
• Risky IP
About this task

You can create a custom model so that you can review the learned behavior and the actual data for users.
If significant changes from the baseline behavior are detected, you will receive alerts that the user's risk
score is raised. Examples of models you can create include: showing how much data a user downloads,
how many applications a user runs, or how many emails a user send per hour.

Procedure

3. On the Machine Learning Settings page, click Create Model.
4. On the Model Definition tab, you can select a template to populate the AQL field or you can create a
custom AQL query.
5. Click Next.
6. On the General Settings tab, enter a name and description.

0.95.
11. The Show graph on User Details page toggle is enabled by default to display the custom model
graph on the User Details page. If you do not want to display the graph on the User Details page,
click the toggle.
13. Click Save.

Related tasks
Access Activity
Aggregated Activity
Data Downloaded
Defined Peer Group
Learned Peer Group
Risk Posture
Details page.
Suspicious Activity
Application Events
Procedure
• Event Name : UBA : Custom Analytic Anomaly
• senseValue = 5
• Required configuration: System is monitoring events that have QRadar high level category of
Application.
• Log source types: APC UPS, Apache HTTP Server, Application Security DbProtect, Array Networks SSL
VPN Access Gateways, Aruba ClearPass Policy Manager, Aruba Mobility Controller, Avaya VPN
Gateway, Barracuda Web Application Firewall, Barracuda Web Filter, Blue Coat Web Security Service,
BlueCat Networks Adonis, CRE System, Centrify Infrastructure Services, Check Point, Cilasoft QJRN/
400, Cisco Call Manager, Cisco CatOS for Catalyst Switches, Cisco FireSIGHT Management Center,
Cisco IOS, Cisco Identity Services Engine, Cisco Intrusion Prevention System (IPS), Cisco IronPort,
Cisco Meraki, Cisco Nexus, Cisco PIX Firewall, Cisco Stealthwatch, Cisco Umbrella, Cisco Wireless
Services Module (WiSM), Citrix Access Gateway, Citrix NetScaler, Custom Rule Engine, Cyber-Ark
Vault, DG Technology MEAS, EMC VMWare, Event CRE Injected, Extreme Matrix K/N/S Series Switch,
Extreme Stackable and Standalone Switches, F5 Networks BIG-IP AFM, F5 Networks BIG-IP ASM, F5
Networks BIG-IP LTM, Fidelis XPS, FireEye, Flow Classification Engine, Flow Device Type, Forcepoint
Sidewinder, Forcepoint V Series, Fortinet FortiGate Security Gateway, FreeRADIUS, H3C Comware
Platform, Huawei S Series Switch, HyTrust CloudControl, IBM AIX Audit, IBM AIX Server, IBM DB2,
IBM DataPower, IBM Lotus Domino, IBM Proventia Network Intrusion Prevention System (IPS), IBM
Resource Access Control Facility (RACF), IBM Security Directory Server, IBM Tivoli Access Manager for
e-business, IBM i, IBM z/OS, ISC BIND, Imperva SecureSphere, Infoblox NIOS, Juniper Junos OS
Platform, Juniper MX Series Ethernet Services Router, Juniper Networks AVT, Juniper Networks
Firewall and VPN, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper WirelessLAN,
Kisco Information Systems SafeNet/i, Linux DHCP Server, McAfee Network Security Platform, McAfee
Web Gateway, Metainfo MetaIP, Microsoft DHCP Server, Microsoft DNS Debug, Microsoft Exchange
Server, Microsoft IIS, Microsoft Office 365, Microsoft Operations Manager, Microsoft Windows Security
Event Log, Motorola SymbolAP, NGINX HTTP Server, Nortel Contivity VPN Switch, Nortel VPN Gateway,

OS Services Qidmap, OSSEC, ObserveIT, Okta, Open LDAP Software, OpenBSD OS, Oracle BEA
WebLogic, Oracle Database Listener, PostFix MailTransferAgent, ProFTPD Server, Proofpoint
Enterprise Protection/Enterprise Privacy, Pulse Secure Pulse Connect Secure, RSA Authentication
Manager, Radware DefensePro, SSH CryptoAuditor, Skyhigh Networks Cloud Security Platform, Solaris
Operating System Authentication Messages, Solaris Operating System DHCP Logs, SonicWALL
SonicOS, Sophos Astaro Security Gateway, Sophos Web Security Appliance, Squid Web Proxy, Starent
Networks Home Agent (HA), Stonesoft Management Center, Sun ONE LDAP, Symantec Critical System
Protection, Symantec Encryption Management Server, Symantec Endpoint Protection, TippingPoint
Intrusion Prevention System (IPS), Top Layer IPS, Trend InterScan VirusWall, Trend Micro Deep
Security, Universal DSM, Venustech Venusense Security Platform, Verdasys Digital Guardian,
WatchGuard Fireware OS, genua genugate, iT-CUBE agileSI
SourceIP
Procedure
• sensevalue: 5
• Log source types: Any log source that contains username and source ip in the events.
Destination Port
Procedure
• sensevalue: 5
• Log source types: Any log source that contains username and destination port in the events
Office File Access
Procedure
• sensevalue: 5
• Required configuration : System is monitoring event that have QRadar event names that include the
word "file".
• Log source type: Microsoft Office 365
AWS Access
Procedure
• sensevalue: 5
• Required configuration: System is monitoring events that contain QRadar event names that include the
word "bucket".
• Log source types: Amazon AWS Cloudtrail
Process
Procedure
• sensevalue: 5
• Required configuration: Custom event property 'Process' must exist for the desired log source type.
• Log source types: Microsoft Windows Security Event Log; Linux OS
Website
Procedure
• sensevalue: 5
• Support rules: 'UBA : Browsed to Entertainment Website', 'UBA : Browsed to LifeStyle Website', 'UBA :
Browsed to Business/Service Website', 'UBA : Browsed to Communications Website'
• Required configuration: Custom event property 'Web Category' must exist for the desired log source
type.
• Log source types: Blue Coat SG Appliance, Cisco IronPort, McAfee Web Gateway, Check Point, Squid
Web Proxy, Palo Alto PA Series; Forcepoint V Series, Fortinet FortiGate Security Gateway
Risky IP
Procedure
• sensevalue: 5
• Required configuration: Set "Enable X-Force Threat Intelligence Feed" to Yes in Admin Settings >
System Settings.
• Log source types: Any log source with events that have a user name.
Uninstalling the Machine Learning Analytics app

Uninstall the Machine Learning Analytics app from the Machine Learning Settings page.
About this task

Before you uninstall the UBA app, you must complete the following procedure for uninstalling the ML app.
If you do not uninstall the ML app before you uninstall UBA, you must remove it from the interactive API
documentation interface.
Procedure

3. On the Machine Learning Settings screen, click Uninstall ML App.

4. At the uninstall prompt, click Yes.
What to do next
You must clear your browser cache before logging back in to the QRadar Console.

Chapter 10. Reference Data Import - LDAP app
Use the Reference Data Import - LDAP app to gather contextual identity information from multiple LDAP
sources into your QRadar Console.
Attention: With UBA 3.6.0 and later, the Reference Data Import - LDAP app is no longer bundled
with the UBA app or required for importing user data. However, you can still use the previously
installed version of the bundled LDAP app or the standalone Reference Data Import - LDAP app
that is available from the IBM Security App Exchange.
In 3.5.0 or earlier, when you install the IBM® QRadar® User Behavior Analytics (UBA) app, the Reference
Data Import - LDAP (LDAP) app is also installed. You can use the LDAP app to import user data from an
LDAP/AD server or CSV file into a QRadar reference table. The reference table is then consumed by the
UBA app or can be used for QRadar searches or rules.
Using the LDAP data in QRadar

Every time the reference table is updated, a ReferenceDataUpdated event is triggered. You can set a
time-to-live value for the LDAP data in the reference table. When the time-to-live period is exceeded, a
ReferenceDataExpiry event is triggered. You can create rules that respond to these events, or create
searches to query the payloads of these events on the QRadar Log Activity tab.
Accessing the Reference Data Import - LDAP app

In 3.5.0 or earlier, access the QRadar Reference Data Import - LDAP app by clicking the Reference Data
Import LDAP icon from the Admin settings.
For more information on reference data collections in QRadar, see IBM QRadar SIEM Administration
Guide.
Known issues for the LDAP app

The Reference Data Import - LDAP app has known issues.
The Reference Data Import - LDAP app has the following known issues:
• There is an issue with the LDAP Configuration when saving passwords. If you need to edit an existing
LDAP Configuration, you must clear the password text and then re-enter the password.
• There are issues with certain versions of Firefox when adding a new LDAP import or modifying an
existing import. To avoid any potential issues, use Mozilla Firefox version 55 and later.
• Importing more than 100,000 users into LDAP for UBA can severely affect your QRadar system and your
UBA app installation. The issue is caused due to a known issue in APAR IV98655. Importing more than
200,000 users is not recommended unless you use QRadar 7.3.0 or later on a 128 GB console.

Importing user data from a CSV file
You can upload a CSV file that contains user data with the Reference Data Import - LDAP app
About this task

If you have user data in a standard CSV format, you can import the data from a CSV file into the UBA app.
Procedure

2. In UBA 3.5.0 or earlier, click Apps > Reference Data Import - LDAP > Reference Data Import - File.
3. On the Reference Data Import (File) window, click Configure to create an authorized service token.
4. On the Reference Data Import (File) window, click Import.
5. On the Add user data screen, browse for a CSV file that contains user data.
Note:
The file must be 5 MB or less, contain a header row with the column names, and must have at least
one column that contains unique data.
6. Click Next and select whether you want to merge data with an existing reference table or to create a
reference table.
• If you choose to merger into an existing reference table, click Next and select an existing reference
table.
• If you choose to create a reference table, click Next and create a reference table.
7. Click Next.
8. On the Attribute Mapping screen, set the attribute names and the key for the reference table and click
Import.
Creating an authorized service token

Before you can configure your LDAP server to add data to a reference table, you must create an
authorized service token.
Before you begin

QRadar on Cloud administrators can learn how to add and manage authorized service tokens by reading
https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/
c_qrocss_manageauthservices.html.
About this task

Note: After you submit the authorized service token, you must deploy changes for the new authorized
service token to take effect.
IBM QRadar requires that you use an authentication token to authenticate the API calls that the
Reference Data Import - LDAP app makes. You use the Manage Authorized Services window in the
Admin settings to create authorized service token.
Procedure
1. On the Reference Data Import - LDAP app window, click Configure.
2. In the Configure Authorized Service Token dialog box, click Manage Authorized Services.
3. In the Manage Authorized Services window, click Add Authorized Service.
4. Add the relevant information in the following fields and click Create Service:
a) In the Service Name field, type a name for this authorized service. The name can be up to 255
characters in length.
b) From the User Role list, select Admin.
c) From the Security Profile list, select the security profile that you want to assign to this authorized
service. The security profile determines the networks and log sources that this service can access
on the QRadar user interface.
d) In the Expiry Date list, type or select a date for this service to expire. If an expiry date is not
5. Click the row that contains the service you created, select and copy the token string in the Selected
Token field on the menu bar, and close the Manage Authorized Services window.
6. In the Configure Authorized Service Token dialog box, paste the token string into the Token field,
and click OK.
7. Deploy changes for the new authorized service token to take effect.
What to do next
“Adding an LDAP configuration” on page 261
Adding a private root certificate authority

You can upload a private root certificate authority (CA) bundle to IBM QRadar for use with the LDAP app.
Procedure

2. Click the Reference Data Import LDAP icon.
3. On the Reference Data Import LDAP app main window, click Configure.
4. Click Choose File and then click Upload. Only the .pem file type is supported.
5. Click OK.
Adding an LDAP configuration

Add LDAP server information that you use to insert user data into a reference map of maps.
Before you begin

You must create and add an authentication token to the Reference Data Import - LDAP app before you
can add an LDAP configuration.
Procedure
1. On the Reference Data Import - LDAP app window, click Add Import.
2. Enter the following information on the LDAP Configuration tab:
a) Enter a URL that begins with ldap:// or ldaps:// (for TLS) in the LDAP URL field.
b) Enter the point in the LDAP directory tree from where the server must search for users in the Base
DN field.
For example, if your LDAP server was on the domain example.com, you might use:
dc=example,dc=com
Chapter 10. Reference Data Import - LDAP app 261

c) Enter the attribute or attributes you want to use to sort the data that is imported into the reference
table in the Filter field.
For example:
cn=*; uid=*; sn=*
The following default values will work with Active Directory: (&(sAMAccountName=*)
(samAccountType=805306368)).
d) Enter the user name that is used to authenticate the LDAP server in the Username field.
e) Enter the password for the LDAP server in the Password field.
3. Click Test Connection or Next to confirm that IBM QRadar can connect to the LDAP server. If your
connection attempt is successful, information from your LDAP server is displayed on the LDAP
Configuration tab.
What to do next
“Selecting attributes” on page 262.
Related tasks
Creating an authorized service token
Before you can configure your LDAP server to add data to a reference table, you must create an
authorized service token.
Adding LDAP attribute mappings
You can add aliases and set the key for the reference table.
“Adding a private root certificate authority ” on page 261
You can upload a private root certificate authority (CA) bundle to IBM QRadar for use with the LDAP app.
Selecting attributes
Select the attributes to extract from your LDAP server.
Procedure
1. On the Select Attributes tab, search for specific attributes and select the attributes that you want to
extract from your LDAP server.
2. Click Next.
What to do next
Add LDAP attribute mappings.

About this task

If you want to merge LDAP data from multiple sources into the same reference table, you can use custom
aliases to differentiate LDAP attributes with the same name in different sources.
Procedure
1. On the Attribute Mapping tab, set the key for the reference table.
Tip: You can create new LDAP Attribute fields by clicking Add and combining two attributes. For
example, you can use the following syntax: "Last: {ln}, First: {fn}".
2. Click Next.
What to do next
Configure a reference data table to store LDAP data..
Related tasks
Adding a reference data configuration
Use the Reference Configuration tab to set up a reference data table to store LDAP data.
Creating a rule that responds to LDAP data updates
After you have configured the IBM QRadar Reference Data Import - LDAP app to store data from your
LDAP server in a reference table in QRadar, you can use the data to create event rules.

Before you begin

After you configure your LDAP server information, you must set up a reference table to store the LDAP
data that is passed to the app. You can then use the stored data to construct rules in QRadar or create
searches and reports.
Procedure
1. Use the Reference Configuration tab to enter a new reference table or designate an existing reference
table to which you want to add LDAP data.
a) Enter a name for the reference data collection in the Reference Data field or select an existing
reference data collection from the list.
b) The Generate map of sets checkbox is disabled by default. If you enable the checkbox, it sends
data to a reference set format to improve QRadar searching and might impact performance.
c) Use the Time to live fields to define how long you want the data to persist in the reference table. By
default, the data you add never expires. When the time-to-live period is exceeded, a
ReferenceDataExpiry event is triggered.
Note: If you append data to an existing reference map of maps, the app uses the original time-to-
live parameters. These parameters cannot be overridden on the Reference Configuration tab.
2. Click Next.
What to do next
Set the polling interval.
Related tasks
Configuring polling

Use the Polling Interval tab to configure how often the app polls your LDAP server for new information.
Configuring polling
Use the Polling Interval tab to configure how often the app polls your LDAP server for new information.
Before you begin

After you configure your LDAP server information and reference data collection, you configure how often
you want the app to draw down data from the LDAP server.
Procedure
1. Use the Polling Interval in minutes field to define in minutes how often you want the app to poll your
LDAP server for data.
The minimum permissible polling interval value is 120.
2. Enter a value for the number of records you want the poll to return in the Record retrieval limit field.
By default, 100,000 records are returned. The maximum number of records that can be returned is
200,000.
3. The Paged results checkbox is selected by default to avoid limiting the number of records the LDAP
server returns for each poll.
Note: Paged results are not supported by all LDAP servers.
4. Click Save.
Results
Data from your LDAP server is added to the reference data collection you selected at the interval you
configured. You can use the API page on your IBM QRadar console to check that data was added to the
reference data collection.
Related tasks
Checking that data is added to the reference data collection
You can use the IBM QRadar API documentation page to test if data was added to the reference data
collection you created.
Checking that data is added to the reference data collection

You can use the IBM QRadar API documentation page to test if data was added to the reference data
collection you created.
About this task

The API Documentation page on your QRadar Console can show the data that is stored in the reference
table that you created in the Reference Data Import - LDAP app. You can use the API Documentation
page to check that LDAP information was updated by the app.
Procedure
1. Log in to the QRadar API Documentation page.
https://<Console_IP>/api_doc
2. In the navigation tree, open the most recent API.
3. Go to /reference_data > /table > /name > GET
4. In the Value field of the Name parameter, enter the name of the reference data collection you created
to store LDAP information, and click Try it out!.
The data added by the app is returned in the Response Body field.
Creating a rule that responds to LDAP data updates

After you have configured the IBM QRadar Reference Data Import - LDAP app to store data from your
LDAP server in a reference table in QRadar, you can use the data to create event rules.
About this task

When you poll your LDAP server and data are added to the reference table, ReferenceDataUpdated
events are triggered. When the time-to-live period you configured on the Reference Configuration tab is
exceeded, a ReferenceDataExpiry event is triggered. You can create rules that respond to content
within a ReferenceDataUpdated or ReferenceDataExpiry event payloads.
LDAP data stored by the app in a reference data collection is available to rules you can configure by using
the QRadar Rules Wizard. The Rules Wizard can be accessed from the Offenses, Log Activity, or
Network Activity tabs.
Procedure
1. Click Log Activity > Rules > Actions > New Event Rule.
2. On the Rule Wizard introduction page, click Next.
3. Ensure that the Events radio button is selected, and click Next.
4. Enter a name for the rule in the field provided.
5. Select a test from the Test Group list, and click the + icon beside the test you want to use:
The rule test you select depends on the information you want to retrieve from the reference data
collection that holds your LDAP data.
The following reference maps of maps event property test is designed to test events that triggered
when the Reference Data Import - LDAP app reference table is updated:
when any of these event properties is the key of the first map
and any of these event properties is the key of the second map
and any of these event properties is the value
in any of these reference map of maps.

A rule is configured to test the ReferenceDataExpiry event payload if the LDAP attribute
PasswordIsExpired is updated to true for any UID in a the LDAPtest1 reference data collection.
To use this event property test, you must create custom event properties for the outer key (the key
of the first map), inner key (the key of the second map) and value fields. In the following example,
the Reference Data Import - LDAP app was configured to import information on users whose password
is expired from an LDAP server at example.com.
The outer key
This property contains the data entered in the LDAP fields specified in the Base DN and Filter
fields in the app LDAP configuration tab. The regex for the custom event property might look like
this:
(uid=(.*?),dc=example,dc=com)
The inner key
This property contains the data entered in the LDAP fields specified in the Attribute field in the
app LDAP configuration tab. You can use attribute aliases in this field. The regex for the custom
event property might look like this:
(passwordIsExpired)
The value field
This property contains the data retrieved for passwordIsExpired LDAP attribute for each user.
The regex for the custom event property might look like this:
(\['true'\])
For more information about custom event properties, see the IBM QRadar SIEM Users Guide.
6. Click Next.
7. Select the rule action, rule response and rule limiter you want to apply to the rule and click Finish.
For more information on custom event rules, see the IBM QRadar SIEM Users Guide.
Results
The next time you poll your LDAP server and the reference data collection you created is updated, your
rule is triggered.
Related tasks

Chapter 11. Troubleshooting and support
To isolate and resolve problems with your IBM product, you can use the troubleshooting and support
information.
For answers to common support questions about the User Behavior Analytics app and the Machine
Learning Analytics app, see https://developer.ibm.com/answers/topics/uba/
Help and support page for UBA

The UBA app includes a Help and Support section for using the UBA app, the LDAP app, and the Machine
Learning Analytics app.
Accessing the Help and Support page for UBA

The Help and Support page provides links to documentation, troubleshooting and support, video
tutorials, log files, and administrative functions. You must have QRadar® administrator privileges to view
log files and complete administrative functions from the Help and support page.
After you install the UBA app, you can access the Help and Support page from the following locations:
• From the Admin Settings, in QRadar 7.3.2 or later, click Apps > User Analytics > Help and Support.
• From the User Analytics tab, click the Help and Support icon.
Administrative functions
You must have QRadar® administrator privileges to view log files and complete administrative functions.
Administrative functions include the ability to complete the following actions:
• Click Clear UBA Data to remove all UBA user data but maintain all of your current UBA configuration
settings. Clearing UBA data makes the UBA app behave as if you just installed and configured the UBA
Settings. If the Machine Learning app is installed, the Clear UBA Data button also resets the ML app.
• Click Reset ML Setting if the Machine Learning app is installed and you want to reset all of your Machine
Learning settings and disable all of the analytics that are enabled.
Service requests
Service requests are also known as Problem Management Records (PMRs).
Several methods exist to submit diagnostic information to IBM Software Technical Support. To open a
service request, or to exchange information with technical support, view the IBM Software Support
Exchanging information with Technical Support page (http://www.ibm.com/software/support/

exchangeinfo.html). Service requests can also be submitted directly by using the Service requests (PMRs)
tool (http://www.ibm.com/support/entry/portal/Open_service_request).
Machine Learning app status shows warning on dashboard

If the Status of Machine Learning Models on the UBA dashboard shows warning messages, review the
procedures to resolve the issue.
If the Status of Machine Learning Models shows Model failed to build for an analytic, you can try the
following suggestions to resolve the issue:
• See the error logs for the ML App.
• Check the disk space on the system that is running the Machine Learning app.
• Verify that the UBA app has users with events.
• Contact IBM Customer Support.
Related concepts
“Extracting UBA and Machine Learning logs” on page 272
Use the UBA and Machine Learning log files to help troubleshoot problems.
Machine Learning app status shows no progress for data ingestion

If the Status of Machine Learning Models on the UBA dashboard appears to be stuck during the data
ingestion phase, review the procedure to resolve the issue.
If the Status of Machine Learning Models shows no progress for data ingestion for an analytic, you can try
the following suggestions to resolve the issue:
• Restart the Ariel Server Service
• Check the disk space on the system running the Machine Learning app.
• Check inside the ML container to see if the UBAController process is running.
• Contact IBM Customer Support.
ML app status is in an error state

If the Machine Learning Analytics (ML) app fails to install and the Machine Learning Settings shows an
Error status, you can use the cURL command line tool and the API Documentation settings to uninstall
the ML app.
Procedure
If the ML App Status in the Machine Learning Settings page shows Error, complete the procedure to
uninstall the failed app.
Note: You must have a valid authentication token. You can see the list of configured authentication
tokens in the Authorized Services section in the Admin settings of the QRadar Console.
1. Using SSH, log in to the QRadar Console.
2. Run the following command:
# psql -U qradar -c 'select id,name,status from installed_application'
Example output:
id | name | status
-----+---------------------------------+---------
1356 | User Analytics | RUNNING
1358 | Machine Learning Analytics | ERROR
1357 | dataimport.ldap.applicationname | RUNNING
3. Locate and record the id value for Machine Learning Analytics from the output of the command.
4. Using a valid authentication token in the place of <valid token> and the recorded id value in place of
<id>, run the following command to uninstall the failed Machine Learning app: # curl -X DELETE -
k -H 'SEC:<valid token>' https://127.0.0.1/api/gui_app_framework/
applications/<id>
Removing the Machine Learning app

To remove the Machine Learning app using the gui_app_framework API, complete the following steps:
1. Open the QRadar Console and navigate to the API doc page at the following location: https://
<host_address_port>/api_doc
2. Open the folder for the highest API version number (the number is different based on the QRadar
version; for example, 7.0 on QR 7.2.8).
3. Open the /gui_app_framework folder and then select /applications.
4. At this point, you should be at the GET API. Click the "Try It Out!" button to get the list of installed
applications.
Chapter 11. Troubleshooting and support 271

5. Search for Machine Learning Analytics in the results from step 4 and get the application_id
attribute value.
6. Expand the /applications menu in the API docs (same location as step 3), select the /
application_id API and click the DELETE tab.
7. Enter the application ID value from step 5 and then click the "Try It Out!" button to remove the
application.
8. The API should return an HTTP 204 status code to indicate the application was successfully removed.
Extracting UBA and Machine Learning logs

Use the UBA and Machine Learning log files to help troubleshoot problems.
Downloading app log files

You can easily download log files for the UBA app and the Machine Learning app from “Help and support
page for UBA” on page 269.
UBA app log files

Follow these steps to manually extract the UBA app log files from the docker container.
1. On the QRadar host running UBA, navigate to a directory that has enough space to create a zip file that
includes all of the app's log files.
find /store/docker/v* -name uba.db

3. Copy the directory path that precedes uba.db
For example, in the following directory path

/store/docker/volumes/qapp-1001/uba.db
you would copy
/store/docker/volumes/qapp-1001/
4. Run the following command substituting the directory path from step 1:
zip -qr uba_logs.zip <your_path_here>log*
For example:
zip -qr uba_logs.zip /store/docker/volumes/qapp-1001/log*
Machine Learning app log files

Follow these steps to manually extract the Machine Learning app log files from the docker container.
1. On the QRadar host running UBA, navigate to a directory that has enough space to create a zip file that
includes all of the app's log files.
find /store/docker/v* -name itproot

3. Copy the directory path that precedes itproot.
For example, in the following directory path:

/store/docker/volumes/qapp-1003/itproot
you would copy
/store/docker/volumes/qapp-1003/
4. Run the following command substituting the directory path from step 1:
zip -qr ml_logs.zip <your_path_here>log*
For example:
zip -qr ml_logs.zip /store/docker/volumes/qapp-1003/log*
Chapter 11. Troubleshooting and support 273

Chapter 12. APIs for UBA
Use the APIs for UBA.
User import
Use the APIs to add directory server or reference table imports to the UBA User Import feature.
Entry point
https://<<Qradar ip>>/console/plugins/<UBA app id>/app_proxy/user_import
Endpoints
HTTP Method Endpoint Media Type

POST /cert multipart/form-data
POST /imports application/json

Chapter 12. APIs for UBA 277
Importing from an LDAP server with a certificate file
To import from an LDAP server with a certificate authority, complete the following steps.
1. Get the application UBA app id by either going to UBA Settings in the browser and looking at the URL in
the address bar (between "plugins" and "app_proxy") or opening an SSH connection to the QRadar
console machine and issuing the following: psql -U qradar -c "select id from
installed_application where name = 'User Analytics';"
Note: You will use the application id when creating the URL used in the cURL commands.
2. If you want to create a new directory server import that uses a certificate, use the Cert API to upload
the certificate file: curl -X POST -F 'importId=0' -F 'file=@<PATH/TO/CERT/FILE>' -H
"Content-Type: multipart/form-data" -H "SEC: <AUTHORIZED_SERVICE_TOKEN>"
https://<QR_IP_ADDRESS>/console/plugins/<APP_ID>/app_proxy/user_import/cert
Note: You will use the output of the cURL command in the body of the POST request that creates the
new import.
3. Use the Imports API to create the new import
4. Enter the following command: curl -X POST -H "Content-Type: application/json" -H
"SEC: <AUTHORIZED_SERVICE_TOKEN>" -d '{"pollingInterval": 24,"configName":
"<CONFIG_NAME>", "retrievalLimit": 500000, "dataSource":"LDAP",
"configLdap": {"filter": "(objectClass=person)", "ssl": false,"host":
"<SERVER_IP_OR_HOSTNAME>", "password": "", "username": "", "paged":
true,"baseDN": "<BASE_DN>", "ca": {"expiryTime": "<FROM_CERT_API>",
"filename":"<FROM_CERT_API>"}, "port": 389}}' https://<QRADAR_IP_ADDRESS>/
console/plugins/<APP_ID>/app_proxy/user_import/imports
Importing from an LDAP server without a certificate file

To import from an LDAP server without a certificate file, complete the following steps.
console machine and issuing the following: psql -U qradar -c "select id from
2. Use the Imports API to create the new import
3. Enter the following command: curl -X POST -H "Content-Type: application/json" -H
"SEC: <AUTHORIZED_SERVICE_TOKEN>" -d '{"pollingInterval": 24,"configName":
"<CONFIG_NAME>", "retrievalLimit": 500000, "dataSource":"LDAP",
"configLdap": {"filter": "(objectClass=person)", "ssl": false,"host":
"<SERVER_IP_OR_HOSTNAME>", "password": "", "username": "", "paged":
true,"baseDN": "<BASE_DN>", "ca": {"expiryTime": "", "filename":""}, "port":
389}}' https://<QRADAR_IP_ADDRESS>/console/plugins/<APP_ID>/app_proxy/
user_import/imports
Importing from a reference table

To import from a reference table, complete the following steps
console machine and entering the following command: psql -U qradar -c "select id from
2. Most users choose to use the web interface to create a new reference table import. However, the
Imports API is also supported.
Note: The reference table must already exist on the QRadar system and must be used as the
CONFIG_NAME
3. Enter the following command: curl -X POST -d '{"pollingInterval": 24,
"configName": "<CONFIG_NAME>","retrievalLimit": 500000, "dataSource":
"REF"}' -H "Content-Type:application/json" -H "SEC:
<AUTHORIZED_SERVICE_TOKEN>" https://<QRADAR_IP_ADDRESS>/console/plugins/
<APP_ID>/app_proxy/user_import/imports
Chapter 12. APIs for UBA 279

Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries.
Consult your local IBM representative for information on the products and services currently available in
your area. Any reference to an IBM product, program, or service is not intended to state or imply that only
that IBM product, program, or service may be used. Any functionally equivalent product, program, or
service that does not infringe any IBM intellectual property right may be used instead. However, it is the
user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this
document. The furnishing of this document does not grant you any license to these patents. You can send
license inquiries, in writing, to:
IBM Director of Licensing

IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual
Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing

Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS"

WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in
certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically
made to the information herein; these changes will be incorporated in new editions of the publication.
IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in
any manner serve as an endorsement of those websites. The materials at those websites are not part of
the materials for this IBM product and use of those websites is at your own risk.
IBM may use or distribute any of the information you provide in any way it believes appropriate without
incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the
exchange of information between independently created programs and other programs (including this
one) and (ii) the mutual use of the information which has been exchanged, should contact:
IBM Director of Licensing

IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
US
Such information may be available, subject to appropriate terms and conditions, including in some cases,
payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by
IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any
equivalent agreement between us.
The performance data and client examples cited are presented for illustrative purposes only. Actual
performance results may vary depending on specific configurations and operating conditions..
Information concerning non-IBM products was obtained from the suppliers of those products, their
published announcements or other publicly available sources. IBM has not tested those products and
cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of
those products.
Statements regarding IBM's future direction or intent are subject to change or withdrawal without notice,
and represent goals and objectives only.
All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without
notice. Dealer prices may vary.
This information contains examples of data and reports used in daily business operations. To illustrate
them as completely as possible, the examples include the names of individuals, companies, brands, and
products. All of these names are fictitious and any similarity to actual people or business enterprises is
entirely coincidental.
Trademarks
IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be
trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at
"Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or
trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or
its affiliates.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the
United States, other countries, or both.
Terms and conditions for product documentation

Permissions for the use of these publications are granted subject to the following terms and conditions.
Applicability
These terms and conditions are in addition to any terms of use for the IBM website.
Personal use
You may reproduce these publications for your personal, noncommercial use provided that all proprietary
notices are preserved. You may not distribute, display or make derivative work of these publications, or
any portion thereof, without the express consent of IBM.
Commercial use
You may reproduce, distribute and display these publications solely within your enterprise provided that
all proprietary notices are preserved. You may not make derivative works of these publications, or
282 Notices
reproduce, distribute or display these publications or any portion thereof outside your enterprise, without
the express consent of IBM.
Rights
Except as expressly granted in this permission, no other permissions, licenses or rights are granted, either
express or implied, to the publications or any information, data, software or other intellectual property
contained therein.
IBM reserves the right to withdraw the permissions granted herein whenever, in its discretion, the use of
the publications is detrimental to its interest or, as determined by IBM, the above instructions are not
being properly followed.
You may not download, export or re-export this information except in full compliance with all applicable
laws and regulations, including all United States export laws and regulations.
IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS. THE PUBLICATIONS ARE
PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, NON-
INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.
IBM Online Privacy Statement

IBM Software products, including software as a service solutions, (“Software Offerings”) may use cookies
or other technologies to collect product usage information, to help improve the end user experience, to
tailor interactions with the end user or for other purposes. In many cases no personally identifiable
information is collected by the Software Offerings. Some of our Software Offerings can help enable you to
collect personally identifiable information. If this Software Offering uses cookies to collect personally
identifiable information, specific information about this offering’s use of cookies is set forth below.
Depending upon the configurations deployed, this Software Offering may use session cookies that collect
each user’s session id for purposes of session management and authentication. These cookies can be
disabled, but disabling them will also eliminate the functionality they enable.
If the configurations deployed for this Software Offering provide you as customer the ability to collect
personally identifiable information from end users via cookies and other technologies, you should seek
your own legal advice about any laws applicable to such data collection, including any requirements for
notice and consent.
For more information about the use of various technologies, including cookies, for these purposes, see
IBM’s Privacy Policy at http://www.ibm.com/privacy and IBM's Online Privacy Statement at https://
www.ibm.com/privacy/details/us/en/ in the section entitled “Cookies, Web Beacons and Other
Technologies”.
General Data Protection Regulation

Clients are responsible for ensuring their own compliance with various laws and regulations, including the
European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of
competent legal counsel as to the identification and interpretation of any relevant laws and regulations
that may affect the clients’ business and any actions the clients may need to take to comply with such
laws and regulations. The products, services, and other capabilities described herein are not suitable for
all client situations and may have restricted availability. IBM does not provide legal, accounting or
auditing advice or represent or warrant that its services or products will ensure that clients are in
compliance with any law or regulation.
To learn more about IBM's own GDPR readiness journey and our GDPR capabilities and offerings, see the
following information: https://ibm.com/gdpr.
Notices 283
IBM®

User Guide: Ibm Qradar User Behavior Analytics (Uba) App

Uploaded by

Copyright:

Available Formats

User Guide: Ibm Qradar User Behavior Analytics (Uba) App

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

User Guide: Ibm Qradar User Behavior Analytics (Uba) App

Uploaded by

Copyright:

Available Formats

IBM QRadar User Behavior Analytics (UBA)

© Copyright International Business Machines Corporation 2016, 2020.

Chapter 1. User Behavior Analytics for QRadar....................................................... 1

Chapter 2. Installing and uninstalling...................................................................15

Chapter 3. Upgrading the User Behavior Analytics app..........................................19

Chapter 4. Configuring the User Behavior Analytics app........................................21

Chapter 7. Multitenancy in UBA............................................................................55

Chapter 8. Rules and tuning for the UBA app........................................................ 67

Chapter 9. Machine Learning Analytics app........................................................ 207

Chapter 10. Reference Data Import - LDAP app.................................................. 259

Chapter 11. Troubleshooting and support...........................................................269

Chapter 12. APIs for UBA...................................................................................275

Importing users and user data

© Copyright IBM Corp. 2016, 2020 1

What's new in the User Behavior Analytics app

What's new in 3.7.0

What's new in 3.6.0

What's new in 3.5.0

Chapter 1. User Behavior Analytics for QRadar 3

What's new in 3.4.0

Known issues for 3.7.0

How UBA works

1. Logs send data to QRadar.

Chapter 1. User Behavior Analytics for QRadar 5

How senseValues are used to create user risk scores

Rules and sense events

Machine Learning Analytics and sense events

Video demonstrations and tutorials

IBM Security Learning Academy

Video tutorials on YouTube

UBA dashboard and user details

Tip: To add a user to a watchlist, click the Watchlist icon.

Chapter 1. User Behavior Analytics for QRadar 7

User details page

The Advanced Actions list includes the following actions:

Chapter 1. User Behavior Analytics for QRadar 9

Managing the UBA dashboard views

Before you begin

About this task

Chapter 1. User Behavior Analytics for QRadar 11

Before you begin

Prerequisites for installing the User Behavior Analytics app

Installing the IBM Sense DSM manually

Chapter 1. User Behavior Analytics for QRadar 13

Installing the User Behavior Analytics app

Before you begin

About this task

© Copyright IBM Corp. 2016, 2020 15

Uninstalling the UBA app

Before you begin

Chapter 2. Installing and uninstalling 17

Before you begin

© Copyright IBM Corp. 2016, 2020 19

Configuring the Reference Data Import LDAP app

Before you begin

About this task

1. On the navigation menu ( ), click Admin to open the admin tab.

© Copyright IBM Corp. 2016, 2020 21

Chapter 4. Configuring the User Behavior Analytics app 23