You can add and configure watchlists that include user‑based members, entity‑based
members, and hybrid watchlists that combine both user and entity memberships.
About this task
You can add users, entities, or both to a new watchlist or to an existing watchlist from the main
UEBA Overview (Dashboard) page, the User or Entity Details page, or the
Search Results page. A single user or entity can be a member of multiple
watchlists. A User watchlist contains only users, an Entity watchlist contains only entities,
and a Hybrid watchlist can contain both users and entities.
Procedure
- From the main UEBA Overview (Dashboard) page or the User Details page, click the Watchlist icon.
- From the menu, select Create new watchlist. To add the user or entity to an existing watchlist instead, click Add to your watchlist.
- On the General Settings tab, enter a watchlist name and select one of the Watchlist options:
  - User - Select this option to create a watchlist for users.
  - Entity - Select this option to create a watchlist for entities.
  - Hybrid - Select this option to create a combined watchlist for both users and entities.
  - To scale the risk score of every user on the watchlist, change the value in the User Scale risk by factor field. With the default factor of 1, the risk score is unchanged; for example, a factor of 2 doubles it.
  - To scale the risk score of every entity on the watchlist, change the value in the Entity Scale risk by factor field. With the default factor of 1, the risk score is unchanged.
- In the Machine Learning tracking priority section, select the priority that determines how the watchlist's users are tracked by the Machine Learning analytics:
  - High - Users are always tracked, up to the maximum number of users per Machine Learning analytic.
  - Normal - Users are tracked in order of highest risk after all the High users are included.
  - Never - Users are not tracked by Machine Learning.
- Set the Refresh interval (in hours) to control how often the watchlist membership is re-evaluated. A value of zero disables automatic refresh; the membership then updates only when you refresh it manually.
Note: A hybrid watchlist can simultaneously include users and entities.
The following example shows Watchlist settings.
- On the User Membership settings tab, configure how members are determined:
  - Optional: In the Import from QRadar® reference set field, search for a reference set, or click to select one from the list, to import all of its entries. After you select a reference set, click the link to review its contents.
  Note: The list might contain reference sets whose entries are not usernames.
  - Optional: In the Add from monitored users with regex filter field, select a user property and enter a valid POSIX regular expression to select users that already exist in the UEBA database. A count of matching users is displayed next to each regex filter so that administrators can see the scope of the filter in real time. Check this count before you save: an unanchored or overly broad expression can pull in far more users than intended, and with High tracking priority those users consume the per-analytic tracking maximum.
- On the Entity Membership settings tab, configure how members are determined:
  - Optional: In the Import from QRadar reference set field, search for a reference set, or click to select one from the list, to import all of its entries. After you select a reference set, click the link to review its contents.
  Note: The list might contain reference sets whose entries are not entity identifiers.
  - Optional: In the Add from monitored entities with regex filter field, select an entity property (for example, IP address, hostname, or Linked Users) and enter a regular expression to populate the watchlist dynamically. A count of matching entities is displayed next to each regex filter so that administrators can see the scope of the filter in real time. If you select IP Address (CIDR range), you choose from a list of CIDR ranges that are already defined in the system; any of these predefined IP ranges can be selected as needed.
- After you configure the membership settings, click Save.
- Go to the UEBA dashboard to view the users and entities that were added to the watchlist. The displayed members are refreshed automatically according to the Refresh interval configured in the watchlist settings.
Note: The UEBA dashboard displays only a limited number of members.
- To view all members of the watchlist, click View all entities on the dashboard. The system opens the Watchlist page, where the complete list is displayed.
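The following Python block is an added illustration, not part of this documentation or of the QRadar UEBA product, of how the membership rules described above combine: a regex filter over monitored users, a regex filter and a CIDR range over monitored entities, the User/Entity/Hybrid type deciding which rules apply, and the scale-by-factor fields multiplying each member's risk score. The user and entity tables, the `Watchlist` class and the `resolve` function are constructed for this example; the product's internal data model is not published here. Python's `re` is not a POSIX engine and the real filter's match semantics are an assumption, but the anchoring lesson carries over: an unanchored `admin` also matches `sysadmin_backup`.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample data: monitored names mapped to a current risk score.
# These are not real UEBA records.
MONITORED_USERS: dict[str, float] = {
    "admin": 35.0,
    "sysadmin_backup": 12.0,
    "jdoe": 8.0,
    "svc_sql": 20.0,
}
MONITORED_ENTITIES: dict[str, float] = {
    "10.0.1.15": 40.0,
    "10.0.2.200": 5.0,
    "192.168.50.7": 25.0,
    "db-prod-01": 30.0,
}


@dataclass
class Watchlist:
    """Hypothetical model of the General Settings and Membership tabs."""
    name: str
    kind: str                       # "User", "Entity" or "Hybrid"
    user_scale: float = 1.0         # User Scale risk by factor (1 = unchanged)
    entity_scale: float = 1.0       # Entity Scale risk by factor (1 = unchanged)
    user_regex: list[str] = field(default_factory=list)
    entity_regex: list[str] = field(default_factory=list)
    entity_cidrs: list[str] = field(default_factory=list)


def regex_members(candidates: dict[str, float], pattern: str) -> list[str]:
    """Names matching `pattern`. Assumed search (unanchored) semantics, so
    the caller must anchor with ^ and $ to match a whole name. The length
    of the result is the 'count of matching users' shown next to a filter."""
    rx = re.compile(pattern)
    return sorted(name for name in candidates if rx.search(name))


def cidr_members(candidates: dict[str, float], cidr: str) -> list[str]:
    """Entity names that are IP addresses inside `cidr`; hostnames and other
    non-address identifiers are skipped rather than treated as errors."""
    net = ipaddress.ip_network(cidr, strict=False)
    members = []
    for name in candidates:
        try:
            if ipaddress.ip_address(name) in net:
                members.append(name)
        except ValueError:
            continue  # not an IP address (e.g. a hostname)
    return sorted(members)


def resolve(wl: Watchlist) -> dict[str, dict[str, float]]:
    """Compute membership for one refresh and apply the scale factors.
    User rules only apply to User/Hybrid lists, entity rules only to
    Entity/Hybrid lists, mirroring the watchlist type restriction."""
    users: set[str] = set()
    entities: set[str] = set()
    if wl.kind in ("User", "Hybrid"):
        for pattern in wl.user_regex:
            users.update(regex_members(MONITORED_USERS, pattern))
    if wl.kind in ("Entity", "Hybrid"):
        for pattern in wl.entity_regex:
            entities.update(regex_members(MONITORED_ENTITIES, pattern))
        for cidr in wl.entity_cidrs:
            entities.update(cidr_members(MONITORED_ENTITIES, cidr))
    return {
        "users": {u: MONITORED_USERS[u] * wl.user_scale for u in sorted(users)},
        "entities": {e: MONITORED_ENTITIES[e] * wl.entity_scale for e in sorted(entities)},
    }


if __name__ == "__main__":
    # Unanchored vs anchored filter: check the count before saving.
    print("admin   ->", regex_members(MONITORED_USERS, "admin"))
    print("^admin$ ->", regex_members(MONITORED_USERS, "^admin$"))
    privileged = Watchlist(
        name="privileged",
        kind="Hybrid",
        user_scale=2.0,
        user_regex=[r"^(admin|svc_)"],
        entity_cidrs=["10.0.1.0/24"],
    )
    print(resolve(privileged))
```

Run it as a script to see the difference in scope between `admin` and `^admin$`, and how a Hybrid list with a user scale factor of 2 doubles its users' risk scores while leaving entity scores (factor 1) untouched.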