The Activity Distribution model learns behavior clusters based on LDAP group definition and searches for deviations from the normal distribution of these clusters over time.
Enable the Activity Distribution machine learning model to display dynamic behavior clusters on the User Details page for all users that are monitored by machine learning. Malicious behavior can manifest as a change in the distribution of a user's behavior clusters; that is, the user's activities begin to deviate from their customary activities. Similar activities are represented by the same colors for all users. Starting with 4.0.0, users are grouped and analyzed based on the Group by field.
UBA : Deviation from normal activity patterns
To enable the model, select a group from the Group by field, such as job title, department, or a custom group. Groups are defined in the user import tuning configuration and originate from the user import data. For more information, see Tuning user import configurations.
Log source types
Any log source with events that provide a username.
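The following sketch illustrates the idea of scoring a user's activity mix against the learned mix for their group. It is an added example, not the product's own algorithm or code: the Jensen-Shannon divergence, the 0.3 threshold, the function names, the activity category labels, and the sample users and events are all assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

def distribution(categories, vocab):
    """Share of events per activity category, in vocab order."""
    counts = Counter(categories)
    return [counts[c] / len(categories) for c in vocab]

def js_divergence(p, q):
    """Jensen-Shannon divergence, base 2: 0.0 = same mix, 1.0 = disjoint."""
    m = [(a + b) / 2 for a, b in zip(p, q)]
    def kl(x):
        return sum(a * math.log2(a / b) for a, b in zip(x, m) if a > 0)
    return (kl(p) + kl(q)) / 2

def deviating_users(baseline, current, groups, threshold=0.3):
    """Score each user's current activity mix against the group baseline."""
    vocab = sorted({cat for _, cat in baseline + current})
    group_hist, user_now = defaultdict(list), defaultdict(list)
    for user, cat in baseline:
        if user in groups:
            group_hist[groups[user]].append(cat)
    for user, cat in current:
        user_now[user].append(cat)
    flagged = {}
    for user, cats in user_now.items():
        hist = group_hist.get(groups.get(user))
        if not hist:  # user not imported, or group has no learned baseline
            continue
        score = js_divergence(distribution(cats, vocab), distribution(hist, vocab))
        if score > threshold:
            flagged[user] = round(score, 3)
    return flagged

# Constructed sample data: (username, activity category) pairs and a
# username -> group map standing in for the chosen "Group by" value.
GROUPS = {"alice": "Finance", "bob": "Finance", "carol": "Engineering"}
BASELINE = ([("alice", "authentication")] * 4 + [("alice", "file_access")] * 4
            + [("bob", "authentication")] * 4 + [("bob", "file_access")] * 4
            + [("carol", "authentication")] * 2 + [("carol", "code_repo")] * 6)
CURRENT = ([("alice", "authentication")] * 2 + [("alice", "file_access")] * 2
           + [("bob", "authentication")] + [("bob", "data_export")] * 3
           + [("carol", "authentication")] + [("carol", "code_repo")] * 3
           + [("dave", "data_export")] * 5)

if __name__ == "__main__":
    print(deviating_users(BASELINE, CURRENT, GROUPS))
```

In this constructed data only bob is flagged: alice and carol keep the same mix as their group baseline, and dave is skipped because he has no group assignment to compare against.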