Understanding the UBA Risk Score

Posted on Updated on

The Use Behaviour Analytics (UBA) app is one of the most interesting QRadar apps. It allows you to detect internal threats, such as rouge employees and compromised accounts. The UBA works by observing the behaviour of each user and attributing a risk score for each person. For each UBA rule triggered, the risk score for the user is incremented. In this way you can track which users are performing risky (or abnormal) actions. Once a user surpass the company risk threshold, an offence is generated for the user. If a user stays a long period of time without having any risky action, then the risk is gradually decreased, which is called risk decay.

UBA Risk Score Example
UBA Risk Score – Example

To exemplify the risk score concept, take a look on the figure above. Let’s imagine that John access a suspicious website. This triggers an UBA rule that increase his user risk by 10 points. Then, John logs into a server and escalate his privileges to root for the first time. Again, an UBA rule is triggered and his risk is increased. After that, he does not present any risky behaviour for 8 hours, so his score slowly starts to decay. Eight hours later, John dumps an entire SQL database, increasing his risk again. After that, he SSH into a server in Russia, which also increases his score. At this point, his risk is higher than the company threshold risk, so an offence is generated for John. After that, even if John’s risk decay, his offence will still be open.

This example shows the real value of the UBA app, since each small action is not enough for a traditional rule-based offence. However the combined actions are indeed suspicious and the UBA app was able to detect it.

If you want to learn more about the UBA and other QRadar apps, check this online course in which the main QRadar apps are presented.