Investigating User Behavior Analytics Rules

User Behavior Analytics rules can help you identify potential insider threats inside your network. After the user analytics rules from QRadar User Behavior Analytics 4.1.0 or later are integrated in QRadar Use Case Manager 3.2.0 or later, you can manage and tune them to best suit your organization's needs. Then, the data automatically displays in the QRadar User Behavior Analytics dashboards so that you can visualize the risks to your network.

For a rule to be considered relevant to QRadar User Behavior Analytics, the Dispatch new event option must be selected in the Rule Response. You can also associate any other rules to work with QRadar User Behavior Analytics by editing them in the rule wizard in QRadar Use Case Manager.

Note:

In QRadar User Behavior Analytics, the dashboard rule count is based on the total number of rules that QRadar User Behavior Analytics detects, regardless of whether the rules are installed or not. In QRadar Use Case Manager, filtering is based on what rules are installed.

  1. On the Use Case Explorer page, click the list icon, and pick one of the following templates to use:

    All User Behavior Analytics rules

    Shows the risk score for all the installed and non-installed User Behavior Analytics rules.

    Installed User Behavior Analytics rules

    Shows the risk score for installed User Behavior Analytics rules.

    Tip:

    To use filters that are similar to the Rules and Tuning page in QRadar User Behavior Analytics, select this template. To view category information, add the Content category column. QRadar Use Case Manager does not contain kill chain information.

    Non-installed User Behavior Analytics rules

    For non-installed content extensions, this template shows the User Behavior Analytics rules that are available when the extensions are installed.

  2. To modify the risk score for a predefined QRadar User Behavior Analytics rule, click the name of the rule, expand the User Behavior Analytics risk score section, and adjust the number. The user risk score in QRadar User Behavior Analytics automatically updates.

    A user's risk score is the sum of the risk scores of all risk events that QRadar User Behavior Analytics rules detect for that user. The higher the risk score, the more likely the user is an insider risk, and the more that user's network activity warrants review. The risk score decreases over time if no new events occur. Rules that are integrated from the QRadar User Behavior Analytics app typically have a risk score in the range of 5 - 25. To display the risk score in any report, add the Rule attributes: User Behavior Analytics risk column to your current template. For more information, see Configuring application settings.

  3. To add a risk score to a rule and associate it with QRadar User Behavior Analytics, follow these steps:
    1. Open the selected rule in the rule wizard and expand the User Behavior Analytics risk score section.
    2. If the Dispatch New Event option isn't selected in the Rule response section, click Edit in rule wizard and complete that step now.
    3. Assign a risk score to the rule.

    The QRadar User Behavior Analytics app tracks any events that the rule generates, and considers the risk score in its analysis.

  4. If you no longer want a rule to be associated with QRadar User Behavior Analytics, follow these steps:
    1. Open the selected rule in the rule wizard and expand the User Behavior Analytics risk score section.
    2. Follow the instructions in the tooltip to disconnect the rule from QRadar User Behavior Analytics.
    When you remove the references to the rule from the reference table in QRadar User Behavior Analytics, any events that are triggered by the rule stop contributing to the user's risk score.
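The following Python model illustrates steps 2 to 4 above: rules carry a User Behavior Analytics risk score, only rules whose response dispatches a new event contribute, a user's score is the sum of the contributing events, and disconnecting a rule stops its events from counting. It is an added example, not code from QRadar, the User Behavior Analytics app, or Use Case Manager. The rule names and events are constructed sample data, and the exponential decay with a 7-day half-life is an assumption standing in for the app's own reduction of the score over time, which this page does not specify.

```python
"""Model of how User Behavior Analytics (UBA) rule events become a per-user
risk score. Added illustration, not QRadar code; the decay model is an
assumption (the page only says the score reduces over time without new events)."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Rule:
    name: str
    risk_score: int           # integrated UBA rules typically carry 5 - 25
    dispatch_new_event: bool  # the Rule Response option that makes a rule relevant to UBA
    uba_associated: bool = True  # False after the rule is disconnected (step 4)

    def contributes(self) -> bool:
        """Only rules that dispatch a new event and are still associated count."""
        return self.dispatch_new_event and self.uba_associated


@dataclass(frozen=True)
class RiskEvent:
    user: str
    rule: str        # name of the rule that dispatched the event
    when: datetime


# Constructed sample rules; the names are illustrative, not shipped QRadar content.
RULES = {
    "Login Outside Normal Hours": Rule("Login Outside Normal Hours", 10, True),
    "Excessive Failed Logins": Rule("Excessive Failed Logins", 20, True),
    "Audit-Only Rule": Rule("Audit-Only Rule", 15, False),  # no dispatch: never counted
}

NOW = datetime(2024, 6, 8, 12, 0, 0)

# Constructed sample events, as the rules above would dispatch them.
EVENTS = [
    RiskEvent("alice", "Login Outside Normal Hours", NOW),
    RiskEvent("alice", "Excessive Failed Logins", NOW - timedelta(days=7)),
    RiskEvent("alice", "Audit-Only Rule", NOW),
    RiskEvent("bob", "Excessive Failed Logins", NOW - timedelta(days=14)),
]

# ASSUMPTION: exponential decay with a 7-day half-life stands in for UBA's own
# reduction of the score over time, which the documentation does not specify.
HALF_LIFE = timedelta(days=7)


def decayed(score: int, elapsed: timedelta) -> float:
    """Risk contributed now by an event that was worth `score` when it fired."""
    return score * 0.5 ** (elapsed / HALF_LIFE)


def user_risk_scores(events: list[RiskEvent], rules: dict[str, Rule], now: datetime) -> dict[str, float]:
    """Sum the decayed risk of every contributing event, per user."""
    scores: dict[str, float] = {}
    for ev in events:
        rule = rules.get(ev.rule)
        if rule is None or not rule.contributes():
            continue  # unknown, non-dispatching or disconnected rule: no contribution
        scores[ev.user] = scores.get(ev.user, 0.0) + decayed(rule.risk_score, now - ev.when)
    return scores


def disconnect_rule(rules: dict[str, Rule], name: str) -> dict[str, Rule]:
    """Return a copy of `rules` with `name` disconnected from UBA (step 4).
    Events the rule already triggered stop contributing to user scores."""
    return {**rules, name: replace(rules[name], uba_associated=False)}


if __name__ == "__main__":
    before = user_risk_scores(EVENTS, RULES, NOW)
    after = user_risk_scores(EVENTS, disconnect_rule(RULES, "Excessive Failed Logins"), NOW)
    for user in sorted(before):
        print(f"{user}: {before[user]:.1f} -> {after.get(user, 0.0):.1f}")
```

Running the script shows alice at 20.0 (a fresh 10-point event plus a week-old 20-point event at half weight; the audit-only rule adds nothing because it never dispatches an event) and bob at 5.0, then alice dropping to 10.0 and bob to 0.0 once the failed-logins rule is disconnected.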

Review the relevant reports that include the User Behavior Analytics rules. The rules also contribute to the tactic counts in the MITRE ATT&CK reports. You can also visualize rules on the dashboards in the QRadar User Behavior Analytics app.