Hello,
I am trying to perform some analysis on the UBA ML analytics, specifically: Abnormal Outbound Transfer Attempts and Abnormal Volume of Data to External Domains.
I want to make sure our log source events are contributing to the ML baseline/model, but I cannot find any way to tell what events are building into the baseline/model. I know about the UBA use case list documentation on the IBM Support page, but those are for the rules, not the ML analytics. Are they one and the same? Or is there a method I can use to see which of my events are contributing to the ML baseline/model? Maybe an AQL query that will filter the events that are building into a specific ML baseline/model?
Thanks, Tim
Answer by Jerry Pan (1) | May 15 at 09:43 AM
These two models are basically looking at any traffic that has event direction from local to remote domains (eventdirection IN ('L2R')), one for counts and the other for the sum of bytes sent. These models replace the ADE rules, and the purpose and queries are the same or similar. We are making a slight adjustment to the query for the attempts one in the next release; please contact us for more information.
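As an added illustration (not from the original thread or from IBM), the L2R criterion in the answer can be turned into AQL that shows which log sources are actually producing local-to-remote events, and a per-user view mirroring the two baselines (attempt count and bytes sent). The custom event property name "bytes_sent" is an assumption; substitute whatever property your deployment populates for bytes sent.

```sql
SELECT LOGSOURCENAME(logsourceid) AS log_source, COUNT(*) AS l2r_events
FROM events
WHERE eventdirection IN ('L2R')
GROUP BY logsourceid
ORDER BY l2r_events DESC
LAST 24 HOURS

SELECT username, COUNT(*) AS outbound_attempts, SUM("bytes_sent") AS bytes_out
FROM events
WHERE eventdirection IN ('L2R') AND username IS NOT NULL
GROUP BY username
ORDER BY bytes_out DESC
LAST 7 DAYS
```

A log source missing from the first result set is not feeding either model; a user row whose bytes_out is null means the bytes property is not being parsed for that user's events.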