IBM Security QRadar User Behavior Analytics

IBM® QRadar® User Behavior Analytics (UBA) analyzes user activity to detect malicious insiders and determine if a user’s credentials have been compromised. Security analysts can easily see risky users, view their anomalous activities and drill down into the underlying log and flow data that contributed to a user’s risk score.

As an integrated component of the QRadar Security Intelligence Platform, UBA uses out-of-the-box behavioral rules and machine learning (ML) models to add user context to network, log, vulnerability and threat data, so attacks can be detected more quickly and accurately.


 Gain visibility into insider threats

Guard against rogue insiders and cyber criminals using compromised credentials. Uncover anomalous behaviors, lateral movement, threats and data exfiltration, with a user focus.

 Improve analyst productivity

Easily identify risky users by applying machine learning (ML) and behavioral analytics to QRadar security data, calculate users’ risk scores and only raise alerts on high risk incidents.

 Accelerate time to value

Generate meaningful insights within 24 hours. QRadar clients can download and install the UBA app quickly and easily from the IBM Security App Exchange.

 Extend QRadar security features

The UBA dashboard is an integrated part of the QRadar console and helps extend capabilities of the QRadar Security Intelligence Platform.

Detects insider threats based on user behavioral anomalies 

User behavior analysis and fine-grained machine learning algorithms can detect when users deviate from normal activity patterns or behave differently from their peers. QRadar UBA creates a baseline of normal activity and detects significant deviations to expose both malicious insiders and users whose credentials have been compromised by cyber criminals.


Integrate seamlessly with IBM QRadar  

QRadar UBA integrates directly into the QRadar Security Intelligence Platform, leveraging the existing QRadar user interface and database. All enterprise-wide security data can remain in one central location, and analysts can tune rules, generate reports and integrate with complementary Identity and Access Management (IAM) solutions – all without having to learn a new system or build a new integration.


Generates detailed risk scores for individual users

Risk scores dynamically change based on user activity, and high-risk users can be added to a watch list. Security analysts can easily drill down to view the actions, offenses, logs and flow data that contributed to a person’s risk score. This helps shorten the investigation and response times associated with insider threats.
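The two paragraphs above (baseline-and-deviation detection, and dynamic per-user risk scores with a watch list) describe a mechanism without showing it. The following is an added illustration written for this page; it is not IBM QRadar UBA code and does not claim to reproduce UBA's models. It builds a per-user baseline from constructed sample counts, scores a later day against the user's own baseline and against same-department peers, rolls the deviations into a decaying risk score, and keeps the per-category contributions so an analyst can see why a user landed on the watch list. The category names, weights, thresholds, decay factor and sigma floor are all assumptions chosen for the example.

```python
"""Baseline-and-deviation user risk scoring over constructed events.

Added illustration, not IBM QRadar UBA code. It models three ideas from
the page: a per-user baseline, deviation from that baseline, and deviation
from peers, rolled into a per-user risk score with a watch list threshold.
Category names, weights, thresholds, decay and the sigma floor are assumed.
"""
from statistics import mean, pstdev

# Constructed sample data. Each row is (user, department, day, category, value);
# days 1-5 form the baseline window, day 6 is the day being scored.
BASELINE_DAYS = range(1, 6)
SCORED_DAY = 6


def _rows(user, dept, logins, mb_out):
    days = range(1, 7)
    return ([(user, dept, d, "logins", v) for d, v in zip(days, logins)]
            + [(user, dept, d, "mb_out", v) for d, v in zip(days, mb_out)])


EVENTS = (
    _rows("alice", "finance", [4, 4, 4, 4, 4, 4], [100, 100, 100, 100, 100, 2100])  # data spike
    + _rows("bob", "finance", [3, 5, 4, 3, 5, 44], [80, 120, 100, 90, 110, 100])   # login spike
    + _rows("carol", "finance", [4, 4, 4, 4, 4, 4], [100, 100, 100, 100, 100, 100])
    + _rows("dave", "eng", [6, 6, 6, 6, 6, 6], [500, 500, 500, 500, 500, 500])
)

WEIGHTS = {"logins": 1.0, "mb_out": 2.0}  # assumed severity per category
Z_CAP = 10.0                 # cap so one wild value cannot dominate the score
WATCHLIST_THRESHOLD = 15.0   # assumed cut-off for the watch list
DECAY = 0.5                  # share of yesterday's score carried into today


def sigma_floor(values):
    """Std. dev. with a floor (5% of the mean or 1.0, whichever is larger) so a
    perfectly constant baseline still yields finite, meaningful z-scores."""
    return max(pstdev(values), 0.05 * mean(values), 1.0)


def positive_z(x, values):
    """Capped, positive-side z-score of x against values. Drops below the
    baseline are ignored: the behaviours of interest here (extra logins,
    extra data out) only show up as increases."""
    return min(max((x - mean(values)) / sigma_floor(values), 0.0), Z_CAP)


def build_baselines(events):
    """Return ({(user, category): [baseline values]}, {user: department})."""
    hist, dept = {}, {}
    for user, d, day, cat, val in events:
        dept[user] = d
        if day in BASELINE_DAYS:
            hist.setdefault((user, cat), []).append(val)
    return hist, dept


def score_day(events, day=SCORED_DAY):
    """Return {user: [(category, comparison, z)]} for the given day; the list
    is the drill-down an analyst would look at to see why a score rose."""
    hist, dept = build_baselines(events)
    today = {(u, c): v for u, _, d, c, v in events if d == day}
    contributions = {}
    for (user, cat), value in today.items():
        contributions.setdefault(user, [])
        # 1. deviation from the user's own baseline
        z_self = positive_z(value, hist[(user, cat)])
        if z_self > 0:
            contributions[user].append((cat, "self", z_self))
        # 2. deviation from same-department peers on the same day
        peers = [v for (u, c), v in today.items()
                 if c == cat and u != user and dept[u] == dept[user]]
        if len(peers) >= 2:
            z_peer = positive_z(value, peers)
            if z_peer > 0:
                contributions[user].append((cat, "peer", z_peer))
    return contributions


def update_risk(prior, contributions):
    """Decay yesterday's scores and add today's weighted contributions, so a
    user's score rises with new anomalies and falls back during quiet days."""
    users = set(prior) | set(contributions)
    return {u: prior.get(u, 0.0) * DECAY
            + sum(WEIGHTS[c] * z for c, _, z in contributions.get(u, []))
            for u in users}


def watchlist(risk):
    return sorted(u for u, r in risk.items() if r >= WATCHLIST_THRESHOLD)


if __name__ == "__main__":
    contrib = score_day(EVENTS)
    risk = update_risk({}, contrib)
    for user in watchlist(risk):
        print(f"{user}: risk {risk[user]:.1f}")
        for cat, kind, z in contrib[user]:
            print(f"    {cat} vs {kind} baseline: z={z:.1f}")
```

Two design points worth noting. The sigma floor matters in practice: a user whose baseline is perfectly regular would otherwise produce an infinite z-score on the first small change, which is noise rather than signal. And keeping the per-category contributions alongside the aggregate score is what makes the score investigable; a bare number tells the analyst nothing about whether to look at authentication logs or at flow data.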


Available from the IBM Security App Exchange

QRadar UBA is packaged as a downloadable app that is independent of the platform’s formal release cycles. All current QRadar clients can add this app to QRadar version 7.2.8 or higher to begin seeing a user-centric view of activity within their networks.

How Customers Use it

Gain visibility into insider threats:

Problem

Detecting cyberattacks, prioritizing security incidents and responding effectively to insider threats.

Solution

Uncover anomalous behaviors to more quickly and effectively identify rogue insiders and cyber criminals using compromised credentials.

Extend QRadar platform capabilities:

Problem

Monitoring potentially malicious activity for individual users is manual and requires many disconnected tools.

Solution

The UBA dashboard is an integrated part of the QRadar console and helps extend existing capabilities to better identify high-risk users. Investigate any user's anomalous behavior from the individual user details page of the UBA app.

Monitor user risk across the enterprise:

Problem

Determining the overall health of your environment and the risks that users pose in it.

Solution

Apply machine learning to generate users’ risk scores, identify high-risk users and only raise alerts on the riskiest activities to provide early warning of a threat without overwhelming analysts.