|Limited Availability: Custom Anomaly is a Limited Availability feature. To enable the Custom Anomaly category, contact Skyhigh Support.|
Anomalies are actions or behaviors that exceed set thresholds in Threat Protection. While anomalies do not always indicate malicious behavior, they should be investigated to determine their cause.
Anomalies come in many types, including Access Anomalies, Administration Anomalies, Custom Anomalies, and Data Anomalies. For more information, see Anomaly Types.
The Anomalies user interface is located at Incidents > Anomalies > Anomalies.
All Services anomalies are consolidated on this page, or you can choose to view the anomalies occurring in just one Service. You can view the anomalies incidents in a Table view or a Chart view. It also provides easy access to filters, Saved Views, and displays anomalies details with a single click.
You can also add the Anomaly card to your Dashboard. For details, see About My Dashboard.
Select a service using the Service Name filter to view and analyze incidents for that service. Only services with active Skyhigh CASB Secure licenses are available.
The default anomalies table displays information about specific clusters of anomalies that strongly suggest your cloud services may have been compromised. Your security response team will use this information to observe and respond to anomalies. The Anomalies page Table view is the default view.
IMPORTANT: The anomaly count as shown in-hero stats and in the table includes resolved, false positive, new, and open states - so you might see a slightly higher count than was shown in the older UI (as it filtered resolved and false +ve states). Suppressed anomalies are filtered by default, though you can search for them explicitly. This is the same behavior as on the Incidents page. You can filter (or create a Saved View) for the desired states if you wish.
The Anomalies table provides the following information and actions:
- Search. Use the search bar to search your anomaly with the terms listed in Threat Protection and Activity Monitoring Search Terms.
- Filters. Select options on the Filters tab to scope down your search.
- Date Picker. Use the Date Picker to specify a date range to display data.
- Views. Select Saved Views created by you or shared with you by another user to reuse specified search parameters from a previous search on current data.
- Executive Summary. The Executive Summary displays an at-a-glance view of the current anomaly count in the Anomaly and Anomaly Status category with a weekly count of anomalies.
- Severity. Each anomaly is ranked based on severity.
- Red. High.
- Orange. Medium.
- Yellow. Low.
- Anomaly Type. The name of the anomaly type is derived from the Anomaly Category.
- Anomaly Category. The name of the anomaly category and the specific anomaly triggered to understand what sort of anomaly you are looking at and why it may represent a risk to your cloud services. The three anomaly categories are Access Anomalies, Administration Anomalies, Data Anomalies, and Custom Anomalies.
- User Name. The user who triggered the anomaly.
- Anomaly Generated Time. The date and time that the anomaly was detected.
- Service Name. The service where the anomaly occurred.
- Instance Name. The instance where the anomaly occurred.
- Actions. Click Actions to:
- Change Owner. To change the owner of multiple incidents.
- Change Status. To change the status of multiple incidents.
- Download CSV. Click CSV to Export Anomalies to a CSV File. The download begins immediately. It is suitable to import CSV into a third-party software security system or to open in a spreadsheet program. The data in the spreadsheet may provide greater detail than the details displayed in the UI.
- Create an Exception
- Adjust Anomaly Thresholds. Administrators may want to manually adjust anomaly detection thresholds to control the generation of new anomalies.
- Create Report.
- Business Report (PDF). Create a PDF report and run it immediately, which then appears in the Report Manager.
- CSV. Create a CSV report and run it immediately, which then appears in the Report Manager.
- XLS. Create an XLS report and run it immediately, which then appears in the Report Manager.
- Schedule. Schedule a report to run later, which then appears in the Report Manager.
- Edit Table Columns. You can edit table columns and save your changes as a Saved View.
Click any anomalies in the table to see the Cloud Card for the specific anomaly. To learn more about the anomalies, click to view the Anomaly Cloud Card.
To display your Anomaly data in a chart, click the Chart icon under the Omnibar.
To display Anomaly data in a chart:
- Show. Select an item from the Show list to determine the X-axis of your chart.
- By. Select an item from the By list to determine the Y-axis of your chart.
- In a. From the In a list, select your chart type, if available:
- Trend. Line or vertical bar chart.
- Breakdown. Donut or horizontal bar chart.
Your data is displayed in the chart.
To edit an existing chart, click Edit.