Device ID Rules
IMPORTANT: Activity Count and Activity Type or Category are mandatory rules to complete your custom anomaly rule statement. The Incomplete Rule message will be displayed if these rules are not added.
The Device ID rule allows you to detect and monitor activity by the unique identification number of the device from which users perform activities on the service. You can combine the rule with other parameters such as Activity Type or Category, Activity Count, Source IP, Location, and more. Anomalies are triggered when a user performs activities exceeding the expected activity count on a service from a configured device ID.
The Device ID rule accepts one or more device IDs. Separate multiple device IDs with commas.
Use Case: Suppose you want to be notified when a user downloads more than 10 files or folders on Box from the device IDs IFX063 and SRUI123456 in a day.
To configure this rule:
- Go to Incidents > Anomalies > Anomaly Settings.
- Click Actions > Create a Custom Anomaly.
- On the Name & Scope page, enter a name, description, services, and users.
- On the Rules & Exceptions page, select Activity Type or Category from the list. For example, Data Downloads: File and Folder.
- Click AND to:
  - Enter a value for Activity Count is greater than or equal to. For example, 10.
  - Set the Duration for a custom anomaly detection. For example, Daily.
- Click AND to enter Device IDs. For example, IFX063, SRUI123456.
- Click THEN to create an Anomaly and select a Severity. For example, Critical.
- Click Next.
- Review the custom anomaly rule and click Save.
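To check what the saved rule should and should not fire on, the following added example (not the product's own code) evaluates the same conditions over constructed activity events. The event field names, the helper names, the exact-match comparison of device IDs, and the choice to sum a user's daily count across all listed device IDs are assumptions.

```python
from collections import Counter
from datetime import datetime

RULE = {  # values from the use case above
    "activity_type": "Data Downloads: File and Folder",
    "min_count": 10,                     # Activity Count is greater than or equal to
    "device_ids": "IFX063, SRUI123456",  # comma-separated, as entered in the rule
    "severity": "Critical",
}

def parse_device_ids(raw):
    """Split the comma-separated Device IDs field, ignoring blanks and whitespace."""
    return {d.strip() for d in raw.split(",") if d.strip()}

def evaluate_daily(events, rule):
    """Return one anomaly per (user, day) whose matching count reaches the threshold."""
    # Assumption: counts are per user per calendar day, summed across the listed devices.
    devices = parse_device_ids(rule["device_ids"])
    counts = Counter()
    for e in events:
        if e["activity_type"] == rule["activity_type"] and e["device_id"] in devices:
            day = datetime.fromisoformat(e["timestamp"]).date().isoformat()
            counts[(e["user"], day)] += 1
    return [
        {"user": u, "day": d, "count": n, "severity": rule["severity"]}
        for (u, d), n in sorted(counts.items())
        if n >= rule["min_count"]
    ]

def make_events(user, device_id, day, n, activity=RULE["activity_type"]):
    """Build n constructed sample events; the field names are hypothetical."""
    return [
        {"user": user, "device_id": device_id, "activity_type": activity,
         "timestamp": f"{day}T09:{i:02d}:00"} for i in range(n)
    ]

SAMPLE_EVENTS = (  # constructed sample data
    make_events("alice", "IFX063", "2024-01-15", 6)
    + make_events("alice", "SRUI123456", "2024-01-15", 4)  # 6 + 4 = 10, triggers
    + make_events("bob", "IFX063", "2024-01-15", 9)        # one below the threshold
    + make_events("carol", "ZZZ999", "2024-01-15", 25)     # device not in the rule
    + make_events("dave", "IFX063", "2024-01-15", 5)
    + make_events("dave", "IFX063", "2024-01-16", 5)       # split across two days
    + make_events("erin", "IFX063", "2024-01-15", 12, activity="Login")  # other activity
)

if __name__ == "__main__":
    for anomaly in evaluate_daily(SAMPLE_EVENTS, RULE):
        print(anomaly)
```

Only alice's activity produces an anomaly here; the other users show the cases a reviewer should expect the rule to ignore: a count below the threshold, an unlisted device, activity split across two daily windows, and a different activity type.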