Switching DB and OS users

Outlier mining, by default, tracks two types of sources: databases and database users. The behavior baseline and hourly activities are compared for each source. If your system typically has a high number of users per application, then tracking activity by DB user might not be specific enough. In this case, you can switch outliers detection user mode to evaluate by OS user. In this scenario, sources are databases and OS users. User mode is configured on the central manager for the entire system.

About this task

All managed units that report to one central manager use the same mode.

You usually switch user mode only once on your system, preferably before you enable outliers detection. When you switch user mode, all the statistical modeling on the DB users is discarded, and the system starts over again, collecting details on the OS user.

In a cross-CM environment, you need to switch the mode on both central managers (or all central managers that share a collector-aggregator link).

If you have managed units that are running a version earlier than V11.2, they continue to accumulate data for DB users. They are identified in the Active Threat Analytics Setup page by the text User Mode change requires V11.2+.

If you are already running outliers detection, and specific events are excluded from the outliers detection algorithm (the Ignore option in the investigation dashboard), then:
  • The value of each ignored field is maintained when you switch between DB and OS user.
  • The ignored field is now the OS user and not the DB user.
You must evaluate each Ignore statement and decide whether you want to keep it or not. Since DB users and OS users rarely, if ever, have the same names, excluded events are usually deleted, and new ones defined. In the Analytic User Feedback, rows that have a value for DB user now show a value for OS user.


  1. Evaluate each Ignore statement and decide whether it's relevant for an OS user.
    1. Open the Analytic User Feedback report to view ignored events.
    2. To delete an ignored event, double-click the event, and select Invoke > delete_analytic_user_feedback.
  2. On the central manager, switch to OS users by running the API command set_outliers_user_detection_mode mode=OS
    This command disables outlier mining on all units in the system, switches the user mode, and enables outlier mining on all units that were running outliers mining before the switch. The mode is listed in the Active Threat Analytics Setup page.
  3. If a managed unit was unavailable when you switched users, as seen in the Active Threat Analytics Setup page, disable outlier mining on that unit, and then enable outlier mining. The mode switches.