ML Based Policies
To access the Machine Learning Based (ML Based) policy page, go to Policies > Behavior Analytics > ML Based tab. Machine learning models provide detections indicating suspicious insider behavior, suspicious network access, and suspicious device activity indicating a compromised device.
Important
Basic UBA (UBA Standard) includes nine predefined UEBA sequential rules. Advanced UBA includes UEBA ML models, UEBA user scoring with the user confidence index (UCI), UCI-based inline policies, and custom UBA sequence rules.
Contact Support to enable this feature in your account; additional licensing is required.

Once your account is enabled with Advanced UBA, you can turn the ML Based policy page on or off. Click the ML toggle (image above #7) to turn ML on or off.
Tip
A grayed-out feature or tab means that the feature has been disabled by your admin, or that it is disabled globally because additional licensing is required.
Filtering the Policy View
Use the left side panel to filter your policy view. The default view displays all policies and severity types.
- Policy Type (image above #1) – select the All, Rule, or Machine tabs to view the particular policy type. For the Rule tab, you can further filter to view All rules, Predefined rules, or Custom rules.
- Severity (image above #2) – select the severity type:
  - Critical: Score Impact 251 – 350
  - High: Score Impact 151 – 250
  - Medium: Score Impact 101 – 150
  - Low: Score Impact 51 – 100
  - Informational: Score Impact 1 – 50
- Scenarios (image above #3) – select the Insider Threat, Compromised Device, or Compromised Credential checkboxes to view the specific policy type. This helps admins identify compromised users whose credentials need to be reset, and devices that are compromised and need to be remediated. There are four additional default ‘Insider Threat’ policies available for all accounts:
  - Attempted from a Malicious IP – A malicious IP attempted to log in to a managed application.
  - Attempted login from a Tor node – A Tor node attempted to log in to a managed application.
  - Malicious IP match for a source IP – A malicious IP successfully interacted with a managed application.
  - Tor node match for a source IP – A Tor node successfully interacted with a managed application.
- Tags (image above #4) – select from the predefined data sources: Machine Learning, Real-time Protection, API-enabled Protection, or IaaS Audit Logs. Each policy listed (image above #8) is tagged with a data source.
- Reset (image above #5) – click Reset at any time to remove all filters and return to your default view. The default view displays all policies and severity types.
- Search (image above #6) – type keywords to search for policy names.
- Policy list view (image above #8) – this section lists the policies that match the filters you apply.
- By severity (image above #10) – you can sort the filtered policies by ascending or descending severity. The default view (descending) displays the most critical policies first.
Editing Policies
To edit a policy, select its tile and click the pencil icon to open the Configure Policy window. Not all rules can be edited, deleted, or cloned.

View Pending Changes
Click “View pending changes” to see what was changed, added, or deleted in the policy before applying the change.
