Switching DB and OS users
Outlier mining, by default, tracks two types of sources: databases and database users. For each source, the hourly activity is compared against the behavior baseline. If your system typically has a high number of users per application, then tracking activity by DB user might not be specific enough. In this case, you can switch the outliers detection user mode to evaluate by OS user. In this scenario, the sources are databases and OS users. User mode is configured on the central manager for the entire system.
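The following added example (not IBM code, and not the product's actual statistical model) shows why DB user sources can be too coarse when many people share one application account. It assumes a simple z-score of hourly statement counts against a per-source baseline; the database, account and OS user names and all counts are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 20 OS users share one application account (DB user APPUSER).
OS_USERS = [f"os{i:02d}" for i in range(20)]

def make_records():
    """Return (hour, database, db_user, os_user, statements) tuples.
    Hours 0-9 form the baseline; hour 10 is the hour being evaluated."""
    recs = [(h, "SALESDB", "APPUSER", u, 80 + 10 * (h % 5))
            for h in range(10) for u in OS_USERS]
    # In hour 10 every user runs 100 statements except os07, who runs 400.
    recs += [(10, "SALESDB", "APPUSER", u, 400 if u == "os07" else 100)
             for u in OS_USERS]
    return recs

def source_key(rec, mode):
    """A source is (database, DB user) in 'db' mode, (database, OS user) in 'os' mode."""
    _, db, db_user, os_user, _ = rec
    return (db, db_user if mode == "db" else os_user)

def outliers(records, mode, current_hour=10, threshold=3.0):
    """Flag sources whose current-hour total exceeds the baseline by > threshold sigma.
    The z-score test is an assumption made for illustration only."""
    hourly = defaultdict(lambda: defaultdict(int))
    for rec in records:
        hourly[source_key(rec, mode)][rec[0]] += rec[4]
    flagged = []
    for src, by_hour in hourly.items():
        base = [v for h, v in by_hour.items() if h != current_hour]
        sd = pstdev(base) or 1.0  # avoid dividing by zero on a flat baseline
        z = (by_hour.get(current_hour, 0) - mean(base)) / sd
        if z > threshold:
            flagged.append((src, round(z, 1)))
    return sorted(flagged)

if __name__ == "__main__":
    records = make_records()
    print("DB user mode:", outliers(records, "db"))
    print("OS user mode:", outliers(records, "os"))
```

In DB user mode the extra 300 statements are absorbed into the shared account's normal hourly swing, while in OS user mode the same activity stands out against that one user's baseline.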
About this task
All managed units that report to one central manager use the same mode.
You usually switch user mode only once on your system, preferably before you enable outliers detection. When you switch user mode, all the statistical modeling on the DB users is discarded, and the system starts over again, collecting details on the OS user.
In a cross-CM environment, you need to switch the mode on both central managers (or all central managers that share a collector-aggregator link).
If you have managed units that are running a version earlier than V11.2, they continue to accumulate data for DB users. They are identified in the Active Threat Analytics Setup page by the text "User Mode change requires V11.2+".
- The value of each ignored field is maintained when you switch between DB and OS user.
- The ignored field is now the OS user and not the DB user.