Machine Learning user models

To view information in the Machine Learning Analytics app, you must configure Machine Learning settings for User Models.

About this task

You can see the type of model and the number of users in each model. You can also view the list of users in the model by clicking on the count.

On the User Models page, you can take the following actions:
  • Enable up to 17 models
  • Select a model to edit the default settings.
  • Create your own custom models with the included templates.
Attention: After you configure or modify your settings, it takes a minimum of 1 hour to ingest data, build an initial model, and see initial results for users. For more information, see Machine learning analytic requirements.

Active users are monitored continuously. If a user has no activity for 28 days, the user and the user's data are removed from the model. If the user is active again, they will return as a new user.

Procedure

  1. On the navigation menu ( Navigation menu icon ), click Admin.
  2. Click Apps > User Analytics > Machine Learning Settings.
  3. On the Machine Learning Settings page, click Enabled to turn on the selected model.
  4. Click the model name if you want to edit the default settings.
  5. In the Risk value of sense event field, enter the amount to increase the user's risk score when a sense event is triggered. The default value is 5.
  6. Enable the toggle to scale the risk value. When enabled, the base risk value is multiplied by a factor (range 1 - 10). This factor is determined by how much the user deviates from their expected behavior and not just that they deviated.
  7. In the Confidence interval to trigger anomaly field, enter the percentage for how confident the machine learning algorithm should be before it triggers an anomalous event. The default value is 0.95.
  8. In the Data Retention Period field, set the number of days you want to save the model data. The default value is 30.
  9. The Show graph on User Details page toggle is enabled by default to display the selected graph on the User Details page. If you do not want to display a graph on the User Details page, click the toggle.
  10. For Peer Group and Activity Distribution models, in the Group By field, select the group that you want the selected peer group analytic to use.
  11. Optional: In the AQL Search Filter field, you can add an AQL filter to narrow the data that the analytic queries for in QRadar. By filtering with an AQL query, you can reduce the number of users or the types of data the analytic is analyzing. Before you save your settings, click Validate Query to launch a full AQL query in QRadar so that you can review the query and verify the results.
    Important: If you modify the AQL filter, the existing model is marked invalid and is then rebuilt. The length of time the rebuild takes depends on the amount of data that is returned by the modified filter.
    You can filter on specific log sources, network names, or reference sets that contain specific users. See the following examples:
    • REFERENCESETCONTAINS('Important People', username)
    • LOGSOURCETYPENAME(devicetype) in ('Linux OS', 'Blue Coat SG Appliance', 'Microsoft Windows Security Event Log')
    • INCIDR('172.16.0.0/12', sourceip) or INCIDR('10.0.0.0/8', sourceip) or INCIDR('192.168.0.0/16', sourceip)
    For more information, see Ariel Query Language.
  12. Click Save.

Results

It can take a minimum of 1 hour for the app to ingest data and build an initial model.