Threat Protection uses two different thresholds to identify anomalous behavior. These threshold types are normally used in sequence; first using Organizational Thresholds and when enough information about typical behavior has been collected switching to Behavioral Thresholds.
The Organizational threshold applies the same thresholds to all users in your organization. Each activity has its own organizational thresholds which are set with a MVISION Cloud provided baseline determined by observations from other organizations in our customer base such as a number of users, the domain of customer, etc. Organizational Thresholds are used by default while Threat Protection gathers enough information to successfully use Behavioral Thresholds to identify anomalous activity, typically after four weeks of use.
Organizational Thresholds appears in the Anomaly Cloud Card for a selected anomaly as a flat orange line.
Organizational Thresholds can be manually adjusted.
Once Threat Protection has collected enough information about your users' normal activity to identify unusual patterns and flag anomalies, Threat Protection switches to a Behavioral Thresholds model. Behavioral thresholds look at a user’s individual patterns with service to determine what constitutes anomalous behavior. These thresholds change over time to reflect changes in the baseline user behavior. Because people don’t interact with services exactly the same way 24/7, multiple thresholds exist for each user in each service for each activity: what’s normal download behavior at 10 AM on a Tuesday might be suspicious at 8 PM on a Saturday.
Behavioral Thresholds appears in the Anomaly Cloud Card for a selected anomaly as a curved orange line.
Behavioral Thresholds can be manually adjusted.