Creating watchlists

You can add a user to a new watchlist or an existing watchlist.

About this task

You can add a user to a new watchlist or an existing watchlist from the main UBA Overview (Dashboard) page, the User Details page, or the Search Results page. A single user can be a member of multiple watchlists.

To add the user to a watchlist or create a watchlist, click the Watchlist icon.

Procedure

  1. From the main UBA Overview (Dashboard) page or the User Details page, click the Watchlist icon.
  2. From the menu, select Create new watchlist. To add a user to an existing watchlist, click Add to your watchlist.
  3. On the General Settings tab, enter a watchlist name.
  4. You can artificially increase or decrease the user's risk score by changing the value in the Scale risk by factor field. The default factor of '1' leaves the risk score unchanged.
    Note: If a user is in more than one watchlist, the largest scale factor is applied.
  5. In the Machine Learning tracking priority section, select the priority for how users are tracked by the Machine Learning analytics.
    • High - Users are always tracked up to the maximum users per Machine Learning analytic.
    • Normal - Users are tracked by highest risk after all the High priority users are included.
    • Never - Users are not tracked by Machine Learning.
  6. Click Next.
    The following example shows 4.0.0 with light theme UI.
    General settings screen
  7. On the Membership settings tab, you can automatically populate the watchlist with users from a reference set, a regular expression, or both.
  8. Optional: In the Import from QRadar® reference set field, search for a reference set or click to select a reference set from the list to import all entries from the reference set.
    Note: The list might contain reference sets that do not have user names. After you select a reference set, click the link to review.
  9. Optional: In the Add from monitored users with regex filter field, you can select a user property and enter a valid Python regular expression to select users who are already found in the UBA database.
  10. In the Refresh interval field, enter how often, in hours, you want the user list to be updated.
    For example, if you enter 10, the user list is updated every 10 hours.
    If the Refresh interval is set to a value of 0 (zero), you can manually update the watchlist by clicking Refresh.
  11. Click Save.
    The following example shows 4.0.0 with light theme UI.
    Membership settings screen
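
The following added example (not IBM's code) previews offline which users a candidate Python regular expression would select before you enter it in step 9. It also computes the scale factor that applies under the note in step 4 when a user belongs to several watchlists. The user records, property names, watchlist names, and function names are constructed for illustration. Because this page does not state whether UBA matches the pattern anywhere in the value or against the whole value, the example reports both.

```python
import re

# Constructed sample records; the property names are assumptions for this example.
USERS = [
    {"username": "admin", "department": "IT"},
    {"username": "svc_admin_backup", "department": "IT"},
    {"username": "jsmith", "department": "Finance"},
    {"username": "adm-kwong", "department": "IT"},
    {"username": "sysadmin2", "department": "Operations"},
]

def preview_members(pattern, prop, users=USERS):
    """Return (anywhere, whole_value) username lists for a candidate pattern.

    anywhere    -> pattern found somewhere in the property (re.search)
    whole_value -> pattern covers the entire property value (re.fullmatch)
    A large gap between the two means the pattern needs anchoring.
    """
    try:
        rx = re.compile(pattern)
    except re.error as exc:
        raise ValueError(f"invalid Python regex {pattern!r}: {exc}") from exc
    anywhere, whole_value = [], []
    for user in users:
        value = user.get(prop, "")
        if rx.search(value):
            anywhere.append(user["username"])
        if rx.fullmatch(value):
            whole_value.append(user["username"])
    return anywhere, whole_value

def effective_scale_factor(username, watchlists):
    """Largest scale factor among the user's watchlists; 1 (the default) if none."""
    factors = [w["scale"] for w in watchlists if username in w["members"]]
    return max(factors, default=1)

if __name__ == "__main__":
    loose, strict = preview_members(r"adm-.*|admin", "username")
    print("matches anywhere:   ", loose)
    print("matches whole value:", strict)
    watchlists = [  # constructed watchlists with hypothetical names and factors
        {"name": "Privileged admins", "scale": 2, "members": set(strict)},
        {"name": "IT department", "scale": 1.5,
         "members": set(preview_members(r"IT", "department")[1])},
    ]
    for name in ("admin", "svc_admin_backup", "jsmith"):
        print(name, effective_scale_factor(name, watchlists))
```

If the two lists differ, the pattern selects service or look-alike accounts only when matched anywhere in the value, so anchor it explicitly before saving the watchlist.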