Internal Asset Access by Peer Group
The Internal Asset Access by Peer Group model determines if a user's internal asset access is significantly different from the user's defined group.
Enable the Internal Asset Access by Peer Group model to determine if a user's internal asset access is significantly different from the user's defined group. If the internal asset access is significantly different, it is deemed suspicious and a Sense Event is generated to increase the user's risk score. Users are grouped and analyzed based on the Group by field.
Important: You must have a minimum of two defined groups that each contains 5 or more users. If you change the group selection, a new model needs to be constructed. A significant amount of time and computer resources are required to complete the model creation. It is not recommended to change this value frequently.
UBA : Internal asset access deviation from peer group
Select a group from the group by field, such as job title, department, or custom group in order to enable the model. Groups are defined in the user import tuning configuration originating from the user import data. For more information, see Tuning user import configurations.
Configure the Network Hierarchy to help with the accuracy of determining internal destination addresses.
Log source types
All events that have a defined username and local destination IP.