We are running QRadar 7.5.0.12 with the latest UBA installed.
If we create some custom ML models, it seems they are not trained, even though the default ML models are working fine.
Our target is to create the following models.
1.) Overall User Activity
Monitoring all events for users without any filter. If the machine learning model detects that there are more events from a specific user than usual (for example, during work hours it goes for user X from 100 in 1 hour to 5000 in 1 hour), this might be the first indicator of potentially malicious activity.
Analytics may analyze the composition in the next step and evaluate the situation or choose appropriate next steps.
2.) On how many devices is a user present
Monitoring how many devices a user is present on, using all events without any filter. If the machine learning model detects that a user is present on more devices than usual (for example, a user is normally present on 3 devices in 1 hour and it changes to 20 devices in 1 hour), this might be the first indicator of potentially malicious activity.
Analytics should then find out why the user is connecting to and present on more machines; it might be a compromised account used by a malicious actor in the network, ...
BR
Jan
------------------------------
Jan Luptak
------------------------------
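Both models described in the post reduce to the same check: compare a user's event count and distinct-device count in the current hour against that user's own baseline from earlier hours. The Python below is an added illustration of that shape (not QRadar UBA code and not from the original post); the event list is constructed and the "5x the baseline mean" threshold is a hypothetical stand-in for whatever the ML model learns.

```python
import statistics
from collections import defaultdict

def constructed_events():
    """Constructed sample events as (ISO timestamp, user, source host); not real QRadar data."""
    ev = []
    for h in (8, 9, 10):                       # alice baseline: 4 events/hour on 2 hosts
        for i in range(4):
            ev.append((f"2024-05-06T{h:02d}:{i*10:02d}:00", "alice", f"ws-{i % 2}"))
    for i in range(40):                        # alice at 11:00: 40 events across 12 hosts
        ev.append((f"2024-05-06T11:{i:02d}:00", "alice", f"ws-{i % 12}"))
    for h in (8, 9, 10, 11):                   # bob: steady 4 events/hour on one host
        for i in range(4):
            ev.append((f"2024-05-06T{h:02d}:{i*10:02d}:00", "bob", "ws-bob"))
    return ev

def build_hourly_profile(events):
    """Per (user, hour) bucket: total event count and the set of distinct hosts."""
    profile = defaultdict(lambda: {"events": 0, "devices": set()})
    for ts, user, host in events:
        bucket = profile[(user, ts[:13])]      # "YYYY-MM-DDTHH" is the hour key
        bucket["events"] += 1
        bucket["devices"].add(host)
    return profile

def detect_spikes(profile, user, hour, ratio=5.0):
    """Flag `hour` if its event count or distinct-device count exceeds `ratio` times
    the mean of the user's other observed hours (hypothetical threshold, not UBA's)."""
    history = [v for (u, h), v in profile.items() if u == user and h != hour]
    current = profile.get((user, hour))
    if current is None or not history:
        return {}                              # no baseline yet: nothing to compare against
    base_events = statistics.mean(v["events"] for v in history)
    base_devices = statistics.mean(len(v["devices"]) for v in history)
    findings = {}
    if current["events"] > ratio * base_events:            # model 1: overall activity
        findings["events"] = (current["events"], base_events)
    if len(current["devices"]) > ratio * base_devices:     # model 2: devices per user
        findings["devices"] = (len(current["devices"]), base_devices)
    return findings

def evaluate_hour(events, hour, ratio=5.0):
    """Run both checks for every user in `events`; returns only users with findings."""
    profile = build_hourly_profile(events)
    results = {}
    for user in {u for (u, _) in profile}:
        findings = detect_spikes(profile, user, hour, ratio)
        if findings:
            results[user] = findings
    return results

if __name__ == "__main__":
    for user, f in evaluate_hour(constructed_events(), "2024-05-06T11").items():
        print(user, f)                         # alice {'events': (40, 4), 'devices': (12, 2)}
```

On the constructed data only alice is flagged, on both counts, while bob's steady hour produces no finding; a user with no earlier hours yields nothing because there is no baseline to compare against.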