Machine Learning Analytics app
The Machine Learning Analytics (ML) app extends the capabilities of your QRadar® system and the QRadar User Behavior Analytics (UBA) app by adding use cases for machine learning analytics. With the machine learning analytics models, you can gain additional insight into user behavior with predictive modeling. The ML app helps your system to learn the expected behavior of the users in your network.
Attention: You must have admin permissions to install the ML app.
Note: For the best experience with Machine Learning, you should consider running the UBA app and the ML app on an App Host. For more information, see App Host.
You should set up the machine learning container to be as large as possible. After you install the ML app, you cannot increase or decrease the container size.
Important:
- It is best to enable Machine Learning Analytics Settings one day after you initially configure the UBA app. This waiting period ensures that the UBA app has sufficient time to create risk profiles for users.
- The QRadar Console limits the amount of memory that can be used by apps. The ML app installation size options are based on how much memory QRadar currently has for applications.
- The minimum amount of free memory required to install the ML app is 2 GB. However, 5 GB or higher is recommended.
- The number of users monitored by the ML app depends on the ML app installation size and the specific Machine Learning analytic. For non-peer-group Machine Learning models, starting at 5 GB, the maximum number of monitored users is 40,000 per 5 GB, up to 220,000 users total. For example, 5 GB would be up to 40,000 users, 15 GB would be up to 120,000 users, and 40 GB would be up to 220,000 users. For peer group Machine Learning models, starting at 5 GB, the maximum number of monitored users is 2,500 per 5 GB, up to 12,500 users total. For example, 5 GB would be up to 2,500 users, 20 GB would be up to 10,000 users, and 25 GB would be up to 12,500 users.
- The installation might fail due to a lack of available memory. This situation can occur if the amount of memory available for applications is decreased because other applications are installed.