
IBM QRadar UBA & ML App — Risk Scoring & Anomaly Detection

QRadar's User Behavior Analytics and Machine Learning apps turn raw event logs into ranked insider-threat signals. The UBA app builds risk scores for every user; the ML app adds behavioural models, peer-group clustering, and statistical anomaly detection so analysts spend time on real threats — not false positives.

📅 2026-06-20 · ⏱ 17 min · 4 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Interactive 2026 guide to IBM QRadar UBA and Machine Learning app: risk scoring, Sense analytics, anomaly detection, peer-group profiling, and insider-threat workflows.

🎯 Lesson path

1. What UBA is: risk scores, use cases, and the offense link.
2. ML add-on: behavioural models, peer groups, Sense analytics.
3. Log sources: AD, VPN, DLP, Windows feeds that power UBA.
4. Tuning & ops: thresholds, weighting, reducing noise.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does QRadar UBA score the whole network or individual users?

Answered in What UBA is.

2. What does the Machine Learning app add on top of UBA?

Answered in ML add-on.

3. What triggers a QRadar offense from UBA?

Answered in What UBA is.

Most engineers think…

Most people treat UBA as 'a SIEM rule that fires when someone logs in at 3 a.m.' That one-alert mental model fails both in interviews and in production.

QRadar UBA is a cumulative risk engine: dozens of weighted use cases add points to a user's score over time — a single late login might score only 5 points, but combine it with a VPN from a new country plus a bulk download and the score climbs past your offense threshold. The Machine Learning app then adds a why: it builds a behavioural baseline per user from weeks of history, clusters each user into a peer group, and measures how many standard deviations today's behaviour sits outside the expected range. That combination — score + statistical deviation + peer context — is what makes QRadar UBA a genuine insider-threat platform, not just another rule set.

① What QRadar UBA actually is — a cumulative risk engine

The QRadar UBA app monitors every user that appears in your incoming log data. It matches activity against a library of built-in use cases — each use case has a risk-point weight — and accumulates those points into a per-user risk score. When that score crosses the offense threshold you configure, QRadar raises an offense in the main SIEM console, linking all the contributing events so analysts can triage immediately.

This cumulative model is the key insight. A single off-hours login might score low. But the same user also accessing a sensitive share, copying files, and connecting from a new VPN endpoint pushes the score high. Each use case adds points; the threshold is your dial between sensitivity and noise. You can also set a score threshold for entities (servers, devices) in addition to users.
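The cumulative model is easiest to see in code. The following is an added illustration, not code from the page or from IBM's UBA app: a small scorer with a constructed use-case catalogue and made-up point weights (IBM's shipped defaults are not on this page), a threshold of 100, and sample events in which one user logs in late once while another fires five use cases in a row.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed use-case catalogue: name -> risk-point weight. The values are
# illustrative, not IBM's shipped defaults.
USE_CASE_WEIGHTS = {
    "off_hours_login": 4,
    "vpn_new_country": 25,
    "sensitive_share_access": 15,
    "bulk_file_download": 40,
    "first_time_usb": 30,
}

OFFENSE_THRESHOLD = 100  # the dial between sensitivity and noise


@dataclass
class UserRisk:
    score: int = 0
    # every contributing event is kept so an offense can link them all
    contributing: list = field(default_factory=list)


def score_events(events, weights=USE_CASE_WEIGHTS, threshold=OFFENSE_THRESHOLD):
    """Accumulate weighted use-case matches per user.

    Returns (risk table, offenses). An offense is raised the moment a user's
    running score reaches the threshold (>= is this example's choice), and it
    links every event that contributed up to that point. One offense per user.
    """
    risk = defaultdict(UserRisk)
    offenses = {}
    for ev in events:
        uc = ev["use_case"]
        if uc not in weights:
            continue  # matched no enabled use case: no points
        entry = risk[ev["user"]]
        entry.score += weights[uc]
        entry.contributing.append(ev)
        if entry.score >= threshold and ev["user"] not in offenses:
            offenses[ev["user"]] = {
                "score": entry.score,
                "linked_events": list(entry.contributing),
            }
    return risk, offenses


# Constructed sample events (not real log data): alice logs in late once;
# bob chains five use cases inside ninety minutes.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2026-06-01T02:10", "use_case": "off_hours_login"},
    {"user": "bob", "ts": "2026-06-01T02:15", "use_case": "off_hours_login"},
    {"user": "bob", "ts": "2026-06-01T02:20", "use_case": "vpn_new_country"},
    {"user": "bob", "ts": "2026-06-01T02:40", "use_case": "sensitive_share_access"},
    {"user": "bob", "ts": "2026-06-01T03:05", "use_case": "bulk_file_download"},
    {"user": "bob", "ts": "2026-06-01T03:30", "use_case": "first_time_usb"},
]

if __name__ == "__main__":
    risk, offenses = score_events(SAMPLE_EVENTS)
    for user, r in risk.items():
        print(f"{user}: score {r.score}")
    for user, off in offenses.items():
        print(f"OFFENSE {user}: score {off['score']}, "
              f"{len(off['linked_events'])} linked events")
```

Alice ends at 4 points and never becomes an offense; bob's fifth event takes him from 84 to 114, and the offense carries all five events for triage. Swap in your own weights and threshold to see how the dial moves.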

Figure 1 — How UBA turns logs into an offense
Log ingest (AD, VPN, Windows, DLP) → Use-case match (weighted rule fires) → Risk score (points accumulate) → Threshold hit (score exceeds limit) → Offense raised (linked to QRadar)
Events feed use cases, use cases add to the risk score, and crossing the threshold raises a QRadar offense.
Quick check · Q1 of 10 · Understand

A user logs in at 2 a.m. once. Their UBA risk score is 4 points, threshold is 100. What happens?

Correct: a. UBA is cumulative. A single low-scoring event does not breach the offense threshold. The points accumulate over time as more use cases fire; only crossing the threshold triggers an offense.
👉 So far: UBA = cumulative risk score per user. Use-case matches add weighted points; crossing the offense threshold raises a QRadar offense with all contributing events linked.

② The Machine Learning add-on — models, peer groups, and Sense analytics

The Machine Learning (ML) app is an optional add-on that extends UBA with statistical anomaly detection. On installation, it ingests the previous four to six weeks of log data from the QRadar database and uses over a dozen algorithms to build a behavioural model for each user — typically ready within hours to a week depending on data volume. These models capture normal working hours, typical data volumes, usual endpoints, and standard application access patterns.

Peer-group clustering and Sense analytics

The ML app then groups users into peer clusters using Gaussian mixture and Jaccard similarity algorithms. When a user's activity deviates from their peer group, the divergence is measured using Kullback-Leibler divergence. Risk points are scaled by standard deviation: a 1-sigma deviation earns fewer points than a 2-sigma deviation. Sense analytics underlies this layer, providing the time-series profiling and contextual signals that make peer-group comparison possible.
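To make the peer-group mechanics concrete, here is an added example that is not IBM's code and does not reproduce the ML app's actual models. It uses a constructed six-week baseline (each user's set of applications and daily file-access counts), groups users by Jaccard similarity of their application sets (the Gaussian-mixture step is omitted), expresses today's file volume as standard deviations from the peer group, scales risk points by whole sigmas with a made-up rate, and computes Kullback-Leibler divergence between today's activity mix and the usual one.

```python
import math
from statistics import mean, pstdev

# Constructed baseline window (not real QRadar data): for each user, the set of
# applications touched over the window and the daily file-access counts.
BASELINE = {
    "alice": {"apps": {"sharepoint", "jira", "outlook"},
              "daily_files": [30, 28, 35, 31, 29, 33, 30]},
    "bob":   {"apps": {"sharepoint", "jira", "outlook", "git"},
              "daily_files": [40, 38, 42, 39, 41, 40, 40]},
    "carol": {"apps": {"sharepoint", "jira", "outlook"},
              "daily_files": [25, 27, 26, 24, 28, 26, 25]},
    "dave":  {"apps": {"sap", "payroll", "outlook"},
              "daily_files": [200, 210, 190, 205, 195, 200, 200]},
    "erin":  {"apps": {"sap", "payroll"},
              "daily_files": [220, 215, 225, 210, 230, 220, 220]},
}


def jaccard(a, b):
    """Jaccard similarity of two sets: |A ∩ B| / |A ∪ B|."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def peer_groups(baseline, min_similarity=0.5):
    """Greedy single-link grouping on Jaccard similarity of app sets.
    Stands in for the ML app's Gaussian-mixture + Jaccard clustering."""
    groups = []
    for user, data in baseline.items():
        for g in groups:
            if any(jaccard(data["apps"], baseline[m]["apps"]) >= min_similarity
                   for m in g):
                g.append(user)
                break
        else:
            groups.append([user])
    return groups


def sigma_deviation(user, today_value, baseline, groups):
    """Standard deviations between today's value and the peer group's baseline
    daily volume (population std dev over every member's history)."""
    group = next(g for g in groups if user in g)
    samples = [v for m in group for v in baseline[m]["daily_files"]]
    mu, sd = mean(samples), pstdev(samples)
    if sd == 0:  # flat baseline: any change at all is infinitely unusual
        return 0.0 if today_value == mu else math.inf
    return (today_value - mu) / sd


def sigma_to_points(sigma, points_per_sigma=10):
    """Risk points scaled by deviation: nothing under 1 sigma, then
    points_per_sigma per whole sigma, so 2 sigma earns more than 1 sigma
    (constructed scaling, not IBM's)."""
    s = abs(sigma)
    return 0 if s < 1 else int(s) * points_per_sigma


def kl_divergence(p, q, eps=1e-9):
    """KL(P || Q) for two categorical activity distributions given as count
    dicts (e.g. actions per app today vs. over the baseline). eps smooths
    categories absent from q so the result stays finite."""
    keys = set(p) | set(q)
    p_total, q_total = sum(p.values()), sum(q.values())
    total = 0.0
    for k in keys:
        pk = p.get(k, 0) / p_total
        qk = (q.get(k, 0) + eps) / (q_total + eps * len(keys))
        if pk > 0:
            total += pk * math.log(pk / qk)
    return total


if __name__ == "__main__":
    groups = peer_groups(BASELINE)
    print("peer groups:", groups)
    s = sigma_deviation("bob", 50, BASELINE, groups)
    print(f"bob today=50 files -> {s:.2f} sigma -> +{sigma_to_points(s)} points")
    today = {"sharepoint": 5, "git": 1, "usb_copy": 30}
    usual = {"sharepoint": 200, "git": 60, "outlook": 300}
    print(f"KL(today || usual) = {kl_divergence(today, usual):.2f}")
```

With this data the five users split into two cohorts (the SharePoint/Jira trio and the SAP/payroll pair). Bob's 50 files sit about 2.9 sigma above his cohort's baseline and earn the 2-sigma tier of points, while dave's 200 files are well within his own cohort's norm even though the raw number is four times higher. The KL step shows why a distribution comparison is needed at all: a category that never appears in the baseline (here a constructed `usb_copy` action) dominates the divergence regardless of total volume.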

Figure 2 — UBA + ML app layers
ML anomaly layer (Sense, peer clusters, sigma deviation)
sits above the UBA risk engine (use cases, cumulative score, offense)
sits above the QRadar SIEM core (log ingest, flows, correlation rules)
The ML app sits above the base UBA app, adding statistical context to every risk score.

Key terms

Risk Score
A cumulative per-user number built from weighted use-case matches. Crosses the offense threshold? QRadar opens an offense linking all contributing events.

ML Behavioural Model
Built from 4-6 weeks of historical log data per user. Captures normal hours, volumes, endpoints and apps so deviations are statistically meaningful.

Peer-Group Cluster
Users with similar activity patterns are grouped using Gaussian mixture and Jaccard similarity. Divergence from the group (Kullback-Leibler) drives the sigma score.

Sense Analytics
The QRadar analytics engine providing time-series profiling, contextual behavioural signals, and statistical alerting that underlie the ML app's anomaly detection.

ML model takes up to a week to mature

On installation, the ML app ingests 4-6 weeks of historical data and can take up to a week to build stable behavioural models. Do not judge anomaly scores in the first few days — wait for the model to stabilise before tuning thresholds based on ML signals.

Quick check · Q2 of 10 · Remember

Which pair of algorithms does the QRadar ML app use to cluster users into peer groups?

Correct: c. The ML app uses Gaussian mixture modelling and Jaccard similarity to group users with similar behaviour patterns into peer clusters, then Kullback-Leibler divergence to detect deviations from the cluster.
👉 So far: ML add-on builds a behavioural model per user from 4-6 weeks of history, clusters peers (Gaussian mixture + Jaccard), and measures deviation in standard deviations via Sense analytics.

③ Log sources — what data feeds UBA

UBA is only as good as the log sources feeding it. The most important are Active Directory / LDAP (user identity, group memberships, account changes), VPN and remote-access logs (login times, source IPs, session durations), Windows Security Event logs (logons, privilege use, object access), and DLP event feeds (data movement and policy violations). Cloud access logs — Office 365, AWS CloudTrail, Google Workspace — extend UBA into hybrid environments.

QRadar automatically discovers user entities from these incoming logs; you do not manually enrol each account. The richer the log coverage, the more use cases can fire. A deployment missing VPN logs, for example, will not detect impossible-travel anomalies. The interview line: map your log sources to UBA use cases before tuning thresholds — a high false-positive rate is almost always a sign of missing or noisy log data rather than a broken rule.

Figure 3 — Log sources feeding UBA
Active Directory · VPN / remote · Windows Events · DLP feeds · Cloud logs · Proxy / web → UBA Engine (risk scoring)
Every supported log source contributes user-activity signals to the UBA risk engine.
Enabling UBA without checking log-source coverage

Enabling every UBA use case before verifying log-source coverage creates use cases that never fire (missing data) or fire constantly on noise (partial data). Map each use case to its required log sources first — AD, VPN, Windows events, DLP — and confirm data is flowing before enabling the rule.
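A coverage check of the kind described above, as an added example (not IBM's code, and not the app's real use-case-to-source mapping, which is constructed here for illustration). It takes a map of use cases to the log-source types they need and the event counts seen per source over a check window, classifies each use case as fully covered, partially covered (the noisy case) or blind (can never fire), and returns the list that is safe to enable.

```python
# Constructed mapping of UBA use cases to the log-source types each one needs.
# Real deployments should take this from the use case's documented requirements.
USE_CASE_SOURCES = {
    "impossible_travel": {"vpn"},
    "off_hours_login": {"windows_security"},
    "bulk_file_download": {"windows_security", "dlp"},
    "account_group_change": {"active_directory"},
    "first_time_usb": {"dlp"},
    "cloud_mass_download": {"office365"},
}


def coverage_report(required, active_sources, min_events=100):
    """Classify each use case before enabling it.

    active_sources maps source type -> events received in the check window.
    A source below min_events counts as unhealthy (assumed cut-off), because
    a trickle of data fires use cases on noise rather than on behaviour.
      'ok'      every required source is healthy
      'partial' some required sources present: risk of constant noisy firing
      'blind'   no required source present: the use case can never fire
    """
    healthy = {s for s, n in active_sources.items() if n >= min_events}
    report = {}
    for uc, needs in required.items():
        have, missing = needs & healthy, needs - healthy
        if not missing:
            state = "ok"
        elif have:
            state = "partial"
        else:
            state = "blind"
        report[uc] = {"state": state, "missing": sorted(missing)}
    return report


def enable_list(report):
    """Only use cases whose data is fully present should be switched on."""
    return sorted(uc for uc, r in report.items() if r["state"] == "ok")


# Constructed source inventory: no VPN feed at all, a DLP feed that is barely
# trickling, and an Office 365 source that is configured but silent.
SAMPLE_SOURCES = {
    "windows_security": 12000,
    "active_directory": 800,
    "dlp": 40,
    "office365": 0,
}

if __name__ == "__main__":
    report = coverage_report(USE_CASE_SOURCES, SAMPLE_SOURCES)
    for uc, r in report.items():
        print(f"{uc:24} {r['state']:8} missing={r['missing']}")
    print("safe to enable:", enable_list(report))
```

Run against a real inventory, the `blind` rows are exactly the use cases that will sit silent (impossible travel with no VPN feed), and the `partial` rows are the ones that will produce the noisy offenses the pitfall above warns about.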

▶ Walkthrough — a bulk-download insider threat surfacing through UBA

How a resigning employee's activity escalates from a low score to a QRadar offense:

① Events arrive: Windows Event logs and DLP feeds show the user downloading 500 files from the sensitive share — a pattern the UBA ingest layer picks up.
② Use cases fire: Three UBA use cases match: bulk download, off-hours access, and first-time external USB. Each adds weighted risk points to the user's cumulative score.
③ ML flags anomaly: The ML app compares today's file-access volume to the user's 6-week baseline — a 3.2-sigma deviation from the peer group. The Sense engine raises an anomaly alert.
④ Offense raised: The cumulative score crosses the offense threshold. QRadar raises an offense linking the DLP events, the ML anomaly, and the UBA use-case timeline for the analyst.
Quick check · Q3 of 10 · Apply

UBA is not detecting impossible-travel anomalies even though the use case is enabled. The most likely cause is:

Correct: b. Impossible-travel detection depends on source-IP and session data from VPN or remote-access logs. If those log sources are absent, the use case has no data to evaluate — not a threshold or ML issue.
👉 So far: Log-source coverage determines which use cases can fire. AD, VPN, Windows events, and DLP are the core feeds; missing VPN logs means no impossible-travel detection.

④ Tuning UBA — thresholds, weights, and reducing noise

Two controls matter most for tuning. First, the offense threshold: the cumulative risk score at which QRadar promotes a user's activity to a full SIEM offense. Set it too low and every late login becomes an offense; set it too high and real insider threats go unnoticed. Start with the IBM-recommended default, baseline a month of production data, then adjust. Second, use-case weighting: each UBA use case carries a configurable point value. Down-weight common benign events (e.g. after-hours access from executives who travel) and up-weight high-confidence indicators (e.g. mass file download immediately after a resignation event from HR).

Reading ML anomaly context

When the ML app flags a user, the UBA dashboard shows the deviation magnitude (standard deviations from the peer group) alongside the contributing use cases. A user at 3 sigma is more urgent than one at 1.2 sigma even if their raw risk scores are similar. Correlate the ML anomaly signal with the offense timeline in the main QRadar console to confirm whether the deviation maps to a real event — a new project, a business trip, or a genuine insider threat.

Figure 4 — UBA only vs UBA + ML app
UBA alone: cumulative risk scores · configurable thresholds · use-case point weights · offense linked to events
UBA + ML app: per-user behavioural model · peer-group clustering · sigma-based deviation score · Sense analytics time-series
The ML app adds statistical context; without it you have scores but no peer benchmark.

Priya, a SOC analyst at a Mumbai fintech firm, faces this

UBA is raising 40+ offenses per day, almost all involving finance team members accessing shared drives after 6 p.m.

Likely cause

The after-hours access use case is weighted at its default value, but the entire finance team routinely works late during quarter-close.

Diagnosis

Pull the UBA dashboard — every offense is the same use case, same department, same time window. The ML app shows this pattern is normal for this cohort.

QRadar UBA ▸ Dashboard ▸ Use Case Manager ▸ After-Hours Access
Fix

Down-weight the after-hours use case for the finance user group, or create a watchlist exemption for the quarter-close window. Raise the weights on higher-confidence indicators like bulk-download plus new-external-destination.

Verify

After one week, offense volume drops to 2-3 per day — each backed by the ML app showing a genuine 2+ sigma deviation alongside a data-exfiltration use case.
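The tuning moves from section ④ and from Priya's fix, as an added example that is not IBM's code and does not use the UBA app's configuration format. Weights, threshold, the quarter-close window and the events are all constructed: a group-specific down-weight for the finance cohort's after-hours access, an outright exemption window for quarter-close, and global up-weights for the bulk-download and new-external-destination indicators. It then counts offenses before and after the policy is applied.

```python
from collections import defaultdict
from datetime import date

# Constructed default use-case weights and threshold (not IBM's shipped values).
DEFAULT_WEIGHTS = {"after_hours_access": 20, "bulk_file_download": 40,
                   "new_external_destination": 30}
OFFENSE_THRESHOLD = 100

# Tuning policy, constructed to mirror the scenario: finance is down-weighted
# for after-hours access, exempted outright during quarter-close, and the
# high-confidence exfiltration indicators are up-weighted for everyone.
TUNING = {
    "group_overrides": {"finance": {"after_hours_access": 2}},
    "exemptions": [  # (group, use_case, first_day, last_day), inclusive
        ("finance", "after_hours_access", date(2026, 6, 25), date(2026, 7, 5)),
    ],
    "global_overrides": {"bulk_file_download": 50,
                         "new_external_destination": 40},
}


def default_weight(event, weights=DEFAULT_WEIGHTS):
    return weights.get(event["use_case"], 0)


def tuned_weight(event, groups, tuning=TUNING, weights=DEFAULT_WEIGHTS):
    """Resolve the points an event earns: exemption window first, then the
    user's group override, then the global override, then the default."""
    uc, group = event["use_case"], groups.get(event["user"])
    for g, u, first, last in tuning["exemptions"]:
        if g == group and u == uc and first <= event["day"] <= last:
            return 0
    group_rules = tuning["group_overrides"].get(group, {})
    if uc in group_rules:
        return group_rules[uc]
    return tuning["global_overrides"].get(uc, weights.get(uc, 0))


def offenses(events, weight_fn, threshold=OFFENSE_THRESHOLD):
    """Accumulate per user and day; return the (user, day) pairs that crossed."""
    scores = defaultdict(int)
    crossed = set()
    for ev in events:
        key = (ev["user"], ev["day"])
        scores[key] += weight_fn(ev)
        if scores[key] >= threshold:
            crossed.add(key)
    return crossed


# Constructed events: five finance users each generate five after-hours events
# on an ordinary day and five during quarter-close; one engineer shows the
# bulk-download-plus-new-destination pattern the tuning is meant to surface.
GROUPS = {f"fin{i}": "finance" for i in range(1, 6)}
GROUPS["mallory"] = "engineering"
EVENTS = []
for u in [f"fin{i}" for i in range(1, 6)]:
    for day in (date(2026, 6, 15), date(2026, 6, 30)):
        EVENTS += [{"user": u, "day": day, "use_case": "after_hours_access"}
                   for _ in range(5)]
EVENTS += [{"user": "mallory", "day": date(2026, 6, 30), "use_case": uc}
           for uc in ("bulk_file_download", "new_external_destination",
                      "after_hours_access")]


def before_and_after(events=EVENTS, groups=GROUPS):
    before = offenses(events, default_weight)
    after = offenses(events, lambda ev: tuned_weight(ev, groups))
    return before, after


if __name__ == "__main__":
    before, after = before_and_after()
    print(f"offenses before tuning: {len(before)}, after: {len(after)}")
    print("remaining:", sorted(after))
```

Under the defaults the ten finance user-days all cross the threshold and the engineer's 90 points do not, so the queue is pure noise. After tuning, finance drops to 10 points on a normal evening and 0 during the exemption window, while the up-weighted exfiltration pair lifts the engineer to 110 and the single remaining offense is the one worth reading.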

Always check the ML sigma alongside the raw score

A raw risk score tells you a threshold was crossed; the ML sigma score tells you whether the behaviour is actually unusual for this user and their peers. An offense at 1.0 sigma is much lower priority than one at 3.0 sigma. Never close or escalate a UBA offense without checking both dimensions.
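The two-dimensional read described here, as an added example (not IBM's code; the priority cut-offs of 3.0 and 1.5 sigma are assumptions for illustration). It labels each user from score and sigma together, then orders a work queue so that at equal score the larger deviation comes first, which is the ordering Q4 and Q7 below depend on.

```python
def triage(score, sigma, threshold=100, high_sigma=3.0, low_sigma=1.5):
    """Priority label from raw score and ML sigma together.
    Cut-offs are constructed for illustration, not IBM's."""
    if score >= threshold and sigma >= high_sigma:
        return "P1 escalate"       # threshold crossed and far outside peer norm
    if sigma >= high_sigma:
        return "P2 investigate"    # strong outlier even below the threshold
    if score >= threshold and sigma < low_sigma:
        return "P3 validate"       # threshold crossed but normal for the cohort
    if score >= threshold:
        return "P2 investigate"
    return "P4 monitor"


def rank(queue):
    """Order a work queue: higher sigma first, raw score breaks ties."""
    return sorted(queue, key=lambda r: (-r["sigma"], -r["score"]))


# Constructed queue: A and B mirror Q4 below, D mirrors Q7, C is a threshold
# crossing that is ordinary for its cohort, E is the clear-cut case.
SAMPLE_QUEUE = [
    {"user": "A", "score": 80, "sigma": 1.2},
    {"user": "B", "score": 80, "sigma": 3.1},
    {"user": "C", "score": 120, "sigma": 1.0},
    {"user": "D", "score": 60, "sigma": 3.0},
    {"user": "E", "score": 130, "sigma": 3.4},
]


def prioritised(queue=SAMPLE_QUEUE):
    """Queue in working order, each entry labelled."""
    return [(r["user"], triage(r["score"], r["sigma"])) for r in rank(queue)]


if __name__ == "__main__":
    for user, label in prioritised():
        print(user, label)
```

Note that C, the only entry above the threshold apart from E, lands behind three sub-threshold users: a crossed threshold at 1.0 sigma is a prompt to look for the benign explanation (new project, business trip) before spending analyst time.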

Quick check · Q4 of 10 · Analyze

Two users each have a risk score of 80 (threshold 100). User A deviates 1.2 sigma from peers; User B deviates 3.1 sigma. Who is higher priority?

Correct: d. Standard deviation from the peer group is the ML app's contextual signal. A 3.1-sigma deviation means User B's behaviour is far outside what their peer group does, making it a stronger indicator of a genuine anomaly despite the same raw score.
👉 So far: Tune by adjusting the offense threshold and use-case weights. Always read the ML sigma alongside the raw score — high sigma + high score = genuine priority, not just a noisy rule.

📝 Wrap-up assessment

Q5 · Remember

What causes QRadar UBA to raise an offense?

Correct: b. UBA is cumulative. An offense is raised only when the user's total risk score — built from multiple use-case matches — crosses the configured threshold. A single event rarely triggers an offense on its own.

Q6 · Understand

Sense analytics is best described as:

Correct: a. Sense analytics is the analytics engine inside QRadar that provides time-series profiling, behavioural clustering, and contextual statistical signals — the foundation the ML app uses to build models and detect deviations.

Q7 · Apply

A user's ML app shows a 3.0-sigma deviation but their risk score is only 60 (threshold 100). What should the analyst do?

Correct: c. A 3-sigma deviation is a strong statistical outlier — far outside normal peer-group behaviour. Even below the offense threshold, this warrants proactive investigation. The two signals (score and sigma) should be read together.

Q8 · Analyze

Why do UBA impossible-travel use cases fail to fire even when enabled?

Correct: c. Impossible-travel detection requires source-IP and session data from VPN or remote-access logs. Without those log sources flowing into QRadar, the use case has no data to evaluate and will never fire regardless of threshold or ML status.

Q9 · Evaluate

Which approach best reduces false positives for a team that always works late?

Correct: b. Down-weighting the after-hours access use case for the known late-working group (or creating a time-window exemption) preserves detection for other users while eliminating benign noise for this cohort — without disabling UBA or losing visibility.

Q10 · Evaluate

An interviewer asks how QRadar UBA differs from a standard SIEM correlation rule. Best answer?

Correct: d. The key distinction: SIEM rules fire on single-event pattern matches (high precision, low recall for multi-stage threats). UBA accumulates weak signals cumulatively into a risk score and, with the ML app, adds statistical peer-group context — catching threats that no single rule would trigger on.

🧠 In your own words

In one sentence, explain why QRadar UBA is called a cumulative risk engine rather than a rule engine.

Expert version: Because instead of firing on any single matching event, UBA adds weighted risk points from every matching use case to a running per-user score, and only acts when that accumulated score crosses the offense threshold — so a single late login is noise, but late login plus bulk download plus new VPN country together become an offense, capturing multi-stage insider threats that a single correlation rule would miss entirely.


📖 Glossary

UBA (User Behavior Analytics)
QRadar app that discovers users from log data, matches activity against use cases, and accumulates a risk score that triggers a SIEM offense when it crosses a configured threshold.
Risk Score
A cumulative per-user number built from weighted use-case matches. When it exceeds the offense threshold, QRadar raises an offense linking all contributing events.
Use Case
A pre-built or custom detection rule in UBA (e.g. bulk file download, off-hours VPN, impossible travel) with a configurable point weight that contributes to the risk score.
ML App (Machine Learning app)
Optional QRadar add-on that builds per-user behavioural models from 4-6 weeks of log history, clusters peers, and scores anomalies in standard deviations via Sense analytics.
Sense Analytics
The IBM QRadar statistical analytics engine that provides time-series profiling, peer-group clustering, and contextual anomaly signals underlying the ML app.
Peer-Group Cluster
A group of users with similar behavioural patterns, identified by Gaussian mixture and Jaccard similarity algorithms, used as the comparison baseline for ML anomaly scoring.
Sigma Deviation
The number of standard deviations a user's behaviour sits outside their peer-group baseline. Higher sigma = more anomalous; used by the ML app to prioritise risk scores.
Offense Threshold
The cumulative risk score level at which QRadar UBA promotes a user's activity to a full SIEM offense visible in the main QRadar console.


What's next?

Got UBA and ML down? Next, explore QRadar Network Threat Analytics (NTA) — flow-based anomaly detection at the network layer — and see how it complements UBA's user-centric view.