When monitoring their SOC environments for insider threats, security analysts often monitor users’ activity and risk posture by grouping of users based on a common criteria. For example, analysts identifying people in similar roles, in the same department or people working on the same project.
Figure 1 below shows two user watchlists on the QRadar UBA dashboard — one for the company’s executives and a second for the sales team:
Figure 1: Multiple user watchlists in UBA
The QRadar User Behavior Analytics (UBA) app allows analysts to easily create multiple watchlists to group of users by a specified criteria. They can then easily and quickly see a change in an individual users’ risk scores, as well as the compare it to behavior of the user’s peers in the same watchlist.
Creating a simple watchlist and adding a user can be done easily from the UBA dashboard, as shown in Figure 2. For more advanced watchlist criteria, analysts can use additional filters in the watchlist membership settings tab, shown in Figure 3.
Membership of a watchlist can be specified with:
(a) Import from a refererence set, and/or
(b) Regex filter against any field of LDAP import, and/or
(c) by the absence of data in any field in the LDAP import ex – a Watchlist of Service Accounts that do not have email IDs i.e. the email field is empty in the imported users/accounts data from AD/LDAP
In addition, analysts can scale the risk score of all the users on a watchlist (up or down) by specifying the scaling factor.
Figure 2: Drop menu to create new watchlists
Figure 3: Membership settings