Learned Peer Group

The Learned Peer Group model identifies users who engage in similar activities and then places them into peer groups.

When the Learned Peer Group model is enabled, the User Details page displays how much a user deviated from the inferred peer group that they were expected to be in. If a user's current peer group is significantly different from former groups, a Sense Event is generated to increase the user's risk score.

Event name

UBA : Deviation from learned peer group

sensevalue

5

Required configuration

To enable the model, select a group from the Group by field, such as job title, department, or custom group. Groups are defined in the user import tuning configuration and originate from the user import data. For more information, see Tuning user import configurations.

To enable the Learned Peer Group model on QRadar 7.4.3 and later, you must install an App Host. For more information, see App Hosts.

You must have 7 days of event data available for the Learned Peer Group analytic to generate a model.

Log source types

Any log source with events that provide a username.