Process Execution by Peer Group
The Process Execution by Peer Group model determines if a user's process usage is significantly different from the user's defined group.
Enable the Process Execution by Peer Group model to determine if a user's process usage is significantly different from the user's defined group. If a user's process usage is significantly different from the user's defined group, it is deemed suspicious and a Sense Event is generated to increase the user's risk score. Users are grouped and analyzed based on the Group by field.
Important: You must have a minimum of two defined groups that each contain 5 or more users. If you change the group selection, a new model needs to be constructed. Model creation requires a significant amount of time and computer resources, so it is not recommended to change this value frequently.
Event name
UBA : Abnormal process execution for peer group
sensevalue
5
Required configuration
To enable the model, select a group from the Group by field, such as job title, department, or custom group. Groups are defined in the user import tuning configuration, which originates from the user import data. For more information, see Tuning user import configurations.
You must define the Process Name property.
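Because changing the group selection forces a costly model rebuild, it helps to confirm beforehand which attribute meets the two-groups-of-five prerequisite. The following is an added example, not IBM's code and not part of the product: it checks candidate attributes against a constructed sample of user import data. The column names (username, department, job_title) and the case-insensitive handling of usernames are assumptions.

```python
import csv
import io
from collections import defaultdict

MIN_GROUPS = 2           # page: a minimum of two defined groups
MIN_USERS_PER_GROUP = 5  # page: each group contains 5 or more users

# Constructed sample of user import data; column names are hypothetical.
SAMPLE = """username,department,job_title
u01,Finance,Analyst
u02,Finance,Analyst
u03,Finance,Analyst
u04,Finance,Analyst
u05,Finance,Analyst
u06,Engineering,Engineer
u07,Engineering,Engineer
u08,Engineering,Engineer
u09,Engineering,Engineer
u10,Engineering,Manager
U10,Engineering,Manager
u11,Legal,Counsel
u12,Legal,
"""

def load_rows(text=SAMPLE):
    return list(csv.DictReader(io.StringIO(text)))

def qualifying_groups(rows, field, user_field="username"):
    """Map each group with enough distinct users to its user count."""
    members = defaultdict(set)
    for row in rows:
        # Assumption: usernames are case-insensitive, so U10 and u10 are one user.
        user = (row.get(user_field) or "").strip().lower()
        group = (row.get(field) or "").strip()
        if user and group:  # a user with no value for the field joins no group
            members[group].add(user)
    return {g: len(u) for g, u in members.items() if len(u) >= MIN_USERS_PER_GROUP}

def usable_group_by_fields(rows, candidates):
    """Return the candidate fields that give at least MIN_GROUPS qualifying groups."""
    return [f for f in candidates if len(qualifying_groups(rows, f)) >= MIN_GROUPS]

if __name__ == "__main__":
    rows = load_rows()
    for field in ("department", "job_title"):
        print(field, qualifying_groups(rows, field))
    print("usable:", usable_group_by_fields(rows, ["department", "job_title"]))
```

In this sample, department qualifies with two groups of five users, while job_title yields only one group of sufficient size and would not satisfy the prerequisite.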
Log source types
Looks at events that have the Process Name property defined.