Reference data collections for user information

This topic provides information about how reference data collections store data collected from user information sources.

When IBM QRadar SIEM collects information from a user information source, it automatically creates a reference data collection to store the information. The name of the reference data collection is derived from the user information source group name. For example, a reference data collection that is collected from Microsoft Windows AD might be named Domain Admins.

The reference data collection type is a Map of Maps. In a Reference Map of Maps, data is stored in records that map one key to another key, which is then mapped to a single value.

For example:

• #
• # Domain Admins
• # key1,key2,data
• smith_j,Full Name,John Smith
• smith_j,account_is_disabled,0
• smith_j,account_is_locked,0
• smith_j,account_is_locked,1
• smith_j,password_does_not_expire,1

For more information about reference data collections, see the Reference Data Collections Technical Note.