Dataset Management Overview
Datasets are the configured objects that classify your data. Datasets can be added, viewed, edited, duplicated, and deleted from the Object Management > Datasets tab.
Dataset Table Fields and Values
The datasets table displays the following fields:
| Field | Description | Severity Rating Values |
|---|---|---|
| Sensitivity | The dataset sensitivity defined in the dataset. You can sort, filter, and search in this column. | Critical: 8, High: 4, Moderate: 2, Low: 1, Unrestricted: 0 |
| Dataset Name | The dataset name. You can sort, filter, and search in this column. | N/A |
| Policies Applied | The policies applied to the dataset. Hovering over a number in this column will display the remaining policies. You can filter and search in this column. | N/A |
| Last Modified | Date and time the dataset was last modified. You can sort, filter, and search in this column. | N/A |
| Created At | Date and time the dataset was created. You can sort, filter, and search in this column. | N/A |
| Events | The number of events the dataset matched. | N/A |
| Events trend | Shows the changes to the number of event matches over the past 7 days. | N/A |
| Actions | Actions available for the dataset (view and edit, duplicate, delete). | N/A |
Actions
- View and edit: Opens the dataset page to display the current configuration and the performance details, such as the number of event matches, locations, users, and policies.
- Duplicate: Enter a name for the new dataset in the dialog box and click the Duplicate dataset button to create a new dataset using the settings of the selected dataset.
- Delete: Permanently removes the dataset so it no longer applies to new events.
Performance Panel Functionality
The Performance Panel shows the performance metrics for a dataset based on the events from the last 7 days.
In Edit dataset mode, the Performance panel dynamically updates to show how your changes would affect event matching, displaying a preview of which past events would match under the new conditions.
Note This is a preview only; actual application to historical events depends on the "Apply changes to past events" option in the Advanced settings.
The metrics displayed in the Performance Panel include:
- Events: The number of events that match the dataset.
- Locations: The number of locations that match the dataset. In Edit mode, the preview window displays "Added" or "Removed" tags to highlight changes.
- Users: The number of users that match the dataset. In Edit mode, the preview window displays "Added" or "Removed" tags.
- Policies: The policies applied to the dataset that have matching events.
Understanding the Impact of Updating Past Events
When managing datasets, you have the option to apply changes to past events using the Advanced settings. This functionality allows you to retroactively update how past events are classified and handled.
| Advanced Settings Option | Effect on Historical Events | Note |
|---|---|---|
| Enabled | Historical events are reprocessed with the updated dataset definition. | The update is performed during off-peak hours. Past incidents will remain unchanged. |
| Disabled | Historical events remain unchanged. | Only new events are matched against the updated dataset. |
Effects on Policies
If the Advanced settings are enabled on a dataset used in multiple policies:
- Past events that match the updated dataset definition will continue to be associated with the dataset and any policies that reference it.
- Past events that no longer match the updated dataset definition will have their association removed during reprocessing and will no longer be linked to the dataset or any dependent policies.
- Changes are not applied to historical events for policies that use lists or user risk groups.
Dynamic Configuration Update
This setting affects how soon you see the impact of changes in the Console UI.
- Enabled: The Console reflects updated event counts immediately, even if the reprocessing of events is still pending.
- Disabled (default): The Console continues to show the old event counts until the past events are reprocessed and rematched.
The Dynamic Configuration Update setting has no effect if the Advanced settings option ("Apply changes to past events") is disabled.