IBM QRadar


Tune QRadar User Behavior Analytics rules in Use Case Manager v3.2

By Lidija Grahek posted Fri May 14, 2021 01:45 PM

  

Starting with version 3.2 of Use Case Manager, you can tune your QRadar User Behavior Analytics (UBA) rules with the full feature set of Use Case Manager. You can view or update the MITRE ATT&CK mappings of the internal UBA rules, because those mappings are now ported into Use Case Manager and counted toward your MITRE ATT&CK coverage alongside all other rule mappings. Finally, you can integrate any custom QRadar rule with the UBA app through the rule wizard UI in the Use Case Manager app.

You can now distinguish rules related to the UBA app from those that are not, and tune them using a report similar to the one that existed in the UBA app under the Rule Tuning option. You can also see which content extension each rule comes from; when the Content extension field is blank, the rule was installed along with the UBA app itself. When needed, you can also use the filter to exclude all UBA rules from the report. We built three pre-defined report templates for you. The one shown in the screenshot below is All User Behavior Analytics rules, but like all other reports in Use Case Manager, these templates are highly customizable as well.


Besides reviewing whether UBA rules are enabled and whether they reference an empty reference set (depending on the test, a rule that references an empty reference set either never fires or fires on every event, so it is a tuning priority), you can use all other Use Case Manager features to tune and manage these rules: investigate further tuning options in the rule wizard, check rule activity, update MITRE ATT&CK mappings, and more.

Finally, you can integrate any existing or custom QRadar rule with the UBA app. The rule details page now has a User Behavior Analytics risk score section. If a risk score was previously defined, you can update it or remove any references to UBA; if no risk score was defined, you can simply set one. Note that the UBA integration depends on the rule's response dispatching a new event, so if the rule's response does not yet include the Dispatch New Event option, you must set that first.


For the full list of what’s new in Use Case Manager v3.2, check out IBM App Exchange.