IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

View Only

Back to discussions

Expand all | Collapse all

One of users in UBA recognize like more other users.

1. One of users in UBA recognize like more other users.

Like
Vadim Novikov
Posted Wed September 11, 2019 05:31 AM

Reply
Hello.

I need your help for resolving this problem:
In Qradar UBA we have one user with great score. This user recognize by UBA like many other users. Detailed information is on screen.

Thank you.

------------------------------
Vadim Novikov
SOC Engineer
IT-Specialist
Kiev
+380972970792
------------------------------
2. RE: One of users in UBA recognize like more other users.

Like
Chinmay Kulkarni
Posted Fri October 25, 2019 08:19 AM

Reply
Hi @Vadim Novikov,
The first thing I can think of is the coalescing os users. Normally when users are coalesced on an identity which is duplicate. For example Employee A and Employee B have different employee id, email address etc but same department. When you import information from LDAP you need to coalesce them on employee id and email address and not department. If you do on department all users in the department will be shown as one.

So do this:
In the UBA configuration, under coalescing, see if you are coalescing on an identity which can be duplicate. The UBA app will normally tell you (with an exclamation mark inside a triangle with yellow) to show that you have duplicates.
Hope this helps.

------------------------------
Chinmay Kulkarni
------------------------------

Original Message
3. RE: One of users in UBA recognize like more other users.

Like
PATEL MILAN
Posted Thu November 07, 2019 03:18 PM

Reply
Vadim:

This is due to the coalescing field/fields chosen has over lapping entry i.e. one field has multiple values that points to different users.
an example of that will be dept. code...if you pick the dept code as a field to coalesce users by, then ALL the people working in that dept. will be coalesced into a single user.

Goto the UBA Setting page in the user coalesce section (about half way down that page) see the fields that you have chosen (checkmark) to coalesce users... the field that has this multiple overlapping value will be identified by an "!" mark next to it..uncheck that field and save and exit. In about 24 hours this problem should correct itself. hope it helps. Milan

------------------------------
PATEL MILAN
IBM
------------------------------

Original Message

IBM QRadar

IBM QRadar

One of users in UBA recognize like more other users.

Vadim NovikovWed September 11, 2019 05:31 AM

Chinmay KulkarniFri October 25, 2019 08:19 AM

PATEL MILANThu November 07, 2019 03:18 PM

1. One of users in UBA recognize like more other users.

2. RE: One of users in UBA recognize like more other users.

3. RE: One of users in UBA recognize like more other users.

Additional
Resources

Office

Quick Links

IBM QRadar

IBM QRadar

One of users in UBA recognize like more other users.

Vadim NovikovWed September 11, 2019 05:31 AM

Chinmay KulkarniFri October 25, 2019 08:19 AM

PATEL MILANThu November 07, 2019 03:18 PM

1. One of users in UBA recognize like more other users.

2. RE: One of users in UBA recognize like more other users.

3. RE: One of users in UBA recognize like more other users.

Related Content

UBA user coalescing unique attributes

Event coalescing

Import Identities from Multiple Sources and Systems into QRadar UBA

3 Elements of Successful User Behavior Analytics Deployments

Log Source Event Coalescing

Additional Resources

Office

Quick Links

Additional
Resources