Reference sets
The User Behavior Analytics (UBA) app and the Machine Learning app use reference sets for storing user information. Some reference sets are reserved for app use only and you should not modify them or use them in creating custom rules.
Reference sets you can customize
| Reference set | Description |
|---|---|
| UBA : High Risk Users | The UBA : High Risk Users reference set is built from the Risk threshold to trigger offenses value on the UBA Settings page. The maximum number of users is 10,000 and the reference set is rebuilt every 5 minutes |
| UBA : Trusted Usernames | You can add user names to the UBA : Trusted Usernames reference set but do not use for rules or reports. No offenses are generated for the users in the UBA : Trusted Usernames reference set. |
| UBA : Users Not Tracked | The purpose of the UBA : Users Not Tracked reference set is to store the
list of user's aliases that no longer require tracking because of GDPR regulations. When you choose
to stop tracking users and click Delete and Stop Tracking User on the user
details page, the user name or alias is added to this reference set. Important: Do not manually add users to or modify the UBA : Users Not Tracked reference set. Note: If you need to start tracking a user after the name has been added to the reference set, you can delete the user's aliases from the reference set. Use the Reference Set Management page to delete users. For more information, see Deleting elements from a reference set. |
| UBA : ML Always Tracked Watchlist | The UBA : ML Always Tracked Watchlist reference set is built from the users you select to Track with Machine Learning in the Advanced Settings section on the User Details page. You can add user names to the UBA : ML Always Tracked Watchlist reference set but do not use for rules or reports. |
Reference sets you cannot customize
Restriction: Do not modify or use the following reference sets for custom rule creation.
- UBA - Current ML Tracked Users
- UBA - Previous ML Tracked Users
- UBA - Current Abridged ML Tracked Users
- UBA - Previous Abridged ML Tracked Users
- UBA - Current Peer Group ML Tracked Users
- UBA - Previous Peer Group ML Tracked Users