Activity Distribution

The Activity Distribution model learns behavior clusters based on LDAP group definition and searches for deviations from the normal distribution of these clusters over time.

Enable the Activity Distribution machine learning model to display dynamic behavior clusters for all users that are monitored by machine learning on the User Details page. Malicious behavior can manifest as changes in the distribution of a user’s behavior cluster; that is, the user’s activities begin to deviate from his customary activities. Similar activities are represented by the same colors for all users. Starting with 4.0.0, users are grouped and analyzed based on the Group by field.

Important: You must have a minimum of two defined groups that each contains 5 or more users. If you change the group selection, a new model needs to be constructed. A significant amount of time and computer resources are required to complete the model creation. It is not recommended to change this value frequently.

Event name

UBA : Deviation from normal activity patterns



Required configuration

Select a group from the group by field, such as job title, department, or custom group in order to enable the model. Groups are defined in the user import tuning configuration originating from the user import data. For more information, see Tuning user import configurations.

Log source types

Any log source with events that provide a username.