ML Based Policies
To access the Machine Learning Based (ML Based) policy page, go to Policies > Behavior Analytics > ML Based tab. Machine learning models provide detections indicating suspicious insider behavior, suspicious network access, and suspicious device activity indicating a compromised device.
Important
Basic UBA (UBA standard) includes 9 predefined UEBA sequential rules. Advanced UBA includes UEBA ML models, UEBA user scoring with user confidence index (UCI), UCI-based inline policies, and Custom UBA sequence rules.
Contact Support to enable this feature in your account; additional licensing is required.
Once your account is enabled with Advanced UBA, you can turn the ML based policy page on or off. Click (image above #7) to turn ML on or off.
Tip
A grayed-out feature or tab means the feature is disabled by your admin, or is disabled globally because you need additional licensing.
FILTERING THE POLICY VIEW
Use the left side panel to filter your policy view. The default view displays all policies and severity types.
Policy Type (image above #1) - select the All, Rule, or Machine tab to view the particular policy type. For the Rule tab, you can further filter to view All rules, Predefined rules, or Custom rules.
Severity (image above #2) - select the severity type.
Critical: Score Impact 251 - 350
High: Score Impact 151 - 250
Medium: Score Impact 101 - 150
Low: Score Impact 51 - 100
Informational: Score Impact 1 - 50
Scenarios (image above #3) - select Malicious Insider, Compromised Device, or Compromised Credential checkboxes to view the specific policy type.
Tags (image above #4) - select from the predefined data sources: Machine Learning, Real-time Protection, API-enabled Protection, or IaaS Audit Logs. Each policy listed (image above #8) is tagged with a data source.
Reset (image above #5) - click Reset at any time to remove all filters and return to your default view. The default view displays all policies and severity types.
Search (image above #6) - type keywords to search for policy names.
Policy list view (image above #8) - this section lists the policies that match the filters you apply.
By severity (image above #10) - you can view the filtered policies by Ascending or Descending severity. The default view (Descending) displays the most critical policies first.
EDITING POLICIES
To edit a policy, select its tile and click the pencil icon to open the Configure Policy window. Not all rules can be edited, deleted, or cloned.
VIEW PENDING CHANGES
Click "View pending changes" to see what was changed, added, or deleted in the policy before applying the change.