Administrative functions

The QRadar® User Entity Behavior Analytics (UEBA) app includes administrative functions for clearing UEBA data, removing event users, and resetting ML settings from the Help and Support page.

You must have QRadar administrator privileges to complete administrative functions.

You can access the Help and Support page from the following locations:

From the Admin Settings, click Apps > User Entity Analytics > Help and Support.
From the User Entity Analytics tab, click the Help and Support icon.

Clear UEBA Data

Click Clear UBA Data to remove all UEBA user data but maintain all of your current UEBA configuration settings. Clearing UEBA data makes the UEBA app behave as if you just installed and configured the UBA Settings. If the Machine Learning app is installed, the Clear UBA Data button also resets the ML app.

Remove event users

Click Remove event users to remove users that were discovered through events. You can click the number link to go to the search page that shows the list of users that will be deleted. After confirming the user removal, the count on the overview page under Users discovered from events should decrease to zero. Users that were imported are not affected and will not be removed. Tip: You should enable the Monitor imported users only option on the UEBA Settings page before removing event users if you don't want to discover users from events again. Note: If there are no event users, this option will be hidden.

Reset ML Settings

Click Reset ML Settings if the Machine Learning app is installed and you want to reset all of your Machine Learning settings and disable all of the analytics that are enabled.