Grouping users and objects for outliers detection

Find out how to add groups, for example user or object groups, to the default outlier detection algorithm.

About this task

By default, two groups of users and objects are weighted or scored more heavily by the Guardium® machine-learning algorithm: Admin Users and Sensitive Objects. However, you may already have established additional groups that would also be useful for outlier detection. For example, you may have a group of Suspicious Users, or several different groups of sensitive objects that are aligned with different applications.

Procedure

  1. This task requires the internal group ID that grdapi uses for the group. To get it, run grdapi list_group_by_desc desc=[group name]. For example, if you have a group named BadGuys, enter the following command to get its internal group ID:
    grdapi list_group_by_desc desc="BadGuys"
  2. Once you know the ID, add it as a privileged user group so that its members receive a boosted score. The command sets the whole list, so include the default group ID 1 (Admin Users) as well if you want its scores to stay boosted. To add a group with the ID 1234:
    grdapi set_outliers_detection_parameter parameter_name="privUsersGroupIds" parameter_value=1,1234
  3. In the same way, to add sensitive object groups with the IDs 333 and 156 while keeping the default group ID 5 in the list:
    grdapi set_outliers_detection_parameter parameter_name="sensitiveObjectGroupIds" parameter_value=5,333,156
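The following script is an added example, not IBM documentation or Guardium code. It wraps the procedure above so that the default group IDs are never dropped when the list is replaced, duplicate or non-numeric IDs are rejected, and the exact grdapi commands are printed for pasting into the Guardium CLI. The default IDs 1 and 5 are taken from the examples above; verify them on your appliance with grdapi list_group_by_desc. The GRDAPI_CMD variable is an assumption about your environment: set it to whatever command reaches grdapi from the host running the script, or leave it unset to only print the commands.

```shell
#!/bin/sh
# Added example (not IBM or Guardium code). Composes, and optionally runs, the
# grdapi calls that add groups to Guardium outlier detection.

# Default group IDs kept in the lists (from the page's examples; verify on
# your appliance with grdapi list_group_by_desc). Assumption: 1 = Admin Users,
# 5 = Sensitive Objects.
DEFAULT_PRIV_GROUPS="1"
DEFAULT_SENSITIVE_GROUPS="5"

# build_param_value DEFAULTS ID...
# Prints a comma-separated list of numeric group IDs, defaults first, with
# duplicates removed and order preserved. Fails on a non-numeric ID so a typo
# does not silently overwrite the parameter with a bad value.
build_param_value() {
  defaults=$1; shift
  out=""
  for id in $(printf '%s' "$defaults" | tr ',' ' ') "$@"; do
    case $id in
      ''|*[!0-9]*) printf 'invalid group id: %s\n' "$id" >&2; return 1 ;;
    esac
    case ",$out," in
      *",$id,"*) ;;                      # already in the list
      *) out="${out:+$out,}$id" ;;
    esac
  done
  printf '%s\n' "$out"
}

# set_outlier_groups PARAMETER_NAME DEFAULTS ID...
# set_outliers_detection_parameter replaces the whole list, so the defaults are
# always prepended. With GRDAPI_CMD unset the command is printed; otherwise it
# is executed through $GRDAPI_CMD (assumed to invoke grdapi on the appliance).
set_outlier_groups() {
  name=$1; defaults=$2; shift 2
  value=$(build_param_value "$defaults" "$@") || return 1
  if [ -z "${GRDAPI_CMD:-}" ]; then
    printf 'grdapi set_outliers_detection_parameter parameter_name="%s" parameter_value=%s\n' \
      "$name" "$value"
  else
    $GRDAPI_CMD set_outliers_detection_parameter parameter_name="$name" parameter_value="$value"
  fi
}

# Usage, after looking up the IDs with: grdapi list_group_by_desc desc="BadGuys"
# set_outlier_groups privUsersGroupIds "$DEFAULT_PRIV_GROUPS" 1234
# set_outlier_groups sensitiveObjectGroupIds "$DEFAULT_SENSITIVE_GROUPS" 333 156
```

Because each set call overwrites the previous list, always pass the complete set of IDs you want boosted, not just the new one; the helper makes that the default behaviour rather than something to remember.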

Results

The specified user groups and sensitive object groups are included in outlier detection and are given additional weight by the algorithm.