Updated on October 5, 2023

ML Based Policies

ML Based Policies

To access the Machine Learning Based (ML Based) policy page, go to Policies > Behavior Analytics > ML Based tab. Machine learning models provide detections indicating suspicious insider behavior, suspicious network access, and suspicious device activity indicating a compromised device.

Important

Basic UBA or UBA standard includes UEBA 9 predefined sequential rules. Advanced UBA includes UEBA ML models, UEBA user scoring with user confidence index (UCI), UCI based inline policies, and Custom UBA sequence rules.

Contact Support to enable this feature in your account, additional licensing is required.

UEBA_ML_based_policies.jpg

Once your account is enabled with Advanced UBA, you can turn the ML based policy page on or off. Click (image above #7) to turn ML on or off.

Tip

All grayed out features or tabs means the feature is disabled by your admin or globally it’s disabled because you need additional licensing.

Filtering the Policy View

Use the left side panel to filter your policy view. The default view displays all policies and severity types.

  • Policy Type (image above #1) – select the All, Rule, or Machine tabs to view the particular policy type. For the Rule tab, you can further filter to view All rules, Predefined rules, or Custom rules.
  • Severity (image above #2) – select the severity type.
    • Critical: Score Impact 251 – 350
    • High: Score Impact 151 – 250
    • Medium: Score Impact 101 – 150
    • Low: Score Impact 51 – 100
    • Informational: Score Impact 1 – 50
  • Scenarios (image above #3) – select Malicious Insider, Compromised Device, or Compromised Credential checkboxes to view the specific policy type.
  • Tags (image above #4) – select from the predefined data sources: Machine Learning, Real-time Protection, API-enabled Protection, or IaaS Audit Logs. Each policy listed (image above #8) is tagged with a data source.
  • Reset (image above #5) – at any time you click reset to remove all filters and start with your default view. The default view displays all policies and severity types.
  • Search (image above #6) – type keywords to search for policy names.
  • Policy list view (image above #8) – this section lists the policies that match the filters you apply.
  • By severity (image above #10) – you can view the filtered policies by Ascending or Descending severity. The default view (Descending) displays the most critical policies first.

Editing Policies

To edit the policy, select the tile and click the pencil icon to open the Configure Policy window. Not all rules can be edited, deleted, or cloned.

UEBA_policy_edit.jpg

View Pending Changes

Click “View pending changes” to see what was changed, added, or deleted in the policy before applying the change.

ueba_pending_changes.jpg
Share this Doc

ML Based Policies

Or copy link

In this topic ...