Switching DB and OS users
Outlier mining, by default, tracks two types of sources: databases and database users. The behavior baseline and hourly activities are compared for each source. If your system typically has a high number of users per application, then tracking activity by DB user might not be specific enough. In this case, you can switch outliers detection user mode to evaluate by OS user. In this scenario, sources are databases and OS users. User mode is configured on the central manager for the entire system.
About this task
All managed units that report to one central manager use the same mode.
You usually switch user mode only once on your system, preferably before you enable outliers detection. When you switch user mode, all the statistical modeling on the DB users is discarded, and the system starts over again, collecting details on the OS user.
In a cross-CM environment, you need to switch the mode on both central managers (or all central managers that share a collector-aggregator link).
If you have managed units that are running a version earlier than V11.2, they continue to accumulate data for DB users. They are identified in the Active Threat Analytics Setup page by the text User Mode change requires V11.2+.
- The value of each ignored field is maintained when you switch between DB and OS user.
- The ignored field is now the OS user and not the DB user.
- Evaluate each Ignore statement and decide whether it's relevant for an OS user.
- Open the Analytic User Feedback report to view ignored events.
- To delete an ignored event, double-click the event, and select Invoke > delete_analytic_user_feedback.
On the central manager, switch to OS users by running the API command
set_outliers_user_detection_mode mode=OS This command disables outlier mining on all units in the system, switches the user mode, and enables outlier mining on all units that were running outliers mining before the switch. The mode is listed in the Active Threat Analytics Setup page.
- If a managed unit was unavailable when you switched users, as seen in the Active Threat Analytics Setup page, disable outlier mining on that unit, and then enable outlier mining. The mode switches.