Reference sets

The User Entity Behavior Analytics (UEBA) app and the Machine Learning app use reference sets for storing user information. Some reference sets are reserved for app use only and you should not modify them or use them in creating custom rules.

Reference sets you can customize

UBA : High Risk Users

The UBA : High Risk Users reference set is built from the Risk threshold to trigger offenses value on the UBA Settings page. The maximum number of users is 10,000 and the reference set is rebuilt every 5 minutes.

UBA : Trusted Usernames

You can add user names to the UBA : Trusted Usernames reference set, but do not use it for rules or reports. No offenses are generated for the users in the UBA : Trusted Usernames reference set.

UBA : Users Not Tracked

The purpose of the UBA : Users Not Tracked reference set is to store the list of user aliases that no longer require tracking because of General Data Protection Regulation (GDPR) regulations. When you choose to stop tracking users and click Delete and Stop Tracking User on the user details page, the user name or alias is added to this reference set.

Important: Do not manually add users to or modify the UBA : Users Not Tracked reference set.
Note: If you need to start tracking a user after the name has been added to the reference set, you can delete the user's aliases from the reference set.

Use the Reference Set Management page to delete users. For more information, see Deleting elements from a reference set.

UBA : ML Always Tracked Watchlist

The UBA : ML Always Tracked Watchlist reference set is built from the users you select to Track with Machine Learning in the Advanced Settings section on the User Details page. You can add user names to the UBA : ML Always Tracked Watchlist reference set, but do not use it for rules or reports.

UEBA: Entities Not Tracked

The purpose of the UEBA: Entities Not Tracked reference set is to store the list of asset IDs that no longer require tracking because of GDPR regulations. When you choose to stop tracking users and click Delete and Stop Tracking User on the user details page, the user name or alias is added to this reference set.

Important: Do not manually add asset IDs to or modify the UEBA: Entities Not Tracked reference set.
Note: If you need to start tracking an entity after the name is added to the reference set, you can delete the asset ID of the entity from the reference set.

To get the asset ID of an entity, search for the asset's IP address, MAC address, or hostname in the Assets module of QRadar. Use the Reference Set Management page to delete entities. For more information, see Deleting elements from a reference set.

Reference sets you cannot customize

Restriction: Do not modify or use the following reference sets for custom rule creation.
  • UBA - Current ML Tracked Users
  • UBA - Previous ML Tracked Users
  • UBA - Current Abridged ML Tracked Users
  • UBA - Previous Abridged ML Tracked Users
  • UBA - Current Peer Group ML Tracked Users
  • UBA - Previous Peer Group ML Tracked Users