IMPORTANT: Activity Type or Category and Activity Count are mandatory rules to complete your custom anomaly rule statement. The Incomplete Rule message will be displayed if these rules are not added.
The Location rule allows you to detect and monitor the location from which a user performs activities on the service. You can also combine it with other parameters such as Activity Type or Category, Activity Count, Source IP, Device, and more. An anomaly is triggered when a user's activities on the service from a configured location exceed the expected activity count.
To set the location for your rule, either type the location or search for it in the list. You can add multiple locations, and for each one you can select only a country or select all three parameters: country, region, and city (country: region: city).
Use Case: Suppose you want to be notified when a user performs more than one administration activity in a day on ServiceNow from India, Brazil: Sergipe: Indiaroba, and Guinea: Kindia.
To configure this rule:
- Go to Incidents > Anomalies > Anomaly Settings.
- Click Actions > Create a Custom Anomaly.
- On the Name & Scope page, enter a name, description, services, and users.
- On the Rules & Exceptions page, select Activity Type or Category from the list. For example, Administration.
- Click AND to:
  - Enter a value for Activity Count is greater than or equal to. For example, 1.
  - Set the Duration for a custom anomaly detection. For example, Daily.
- Click AND to add the required location. For example, India, Brazil: Sergipe: Indiaroba, and Guinea: Kindia.
- Click THEN to create an Anomaly and select a Severity. For example, Critical.
- Click Next.
- Review the custom anomaly rule and click Save.
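The rule configured above can be checked offline against exported activity records. The following is an added illustration, not the product's own code: the event field names are hypothetical, the sample events are constructed, and it assumes that a location entry matches any event location it is a prefix of (so India covers every region and city in India).

```python
from collections import Counter
from datetime import datetime

# Locations from the use case, written as country[: region[: city]].
RULE_LOCATIONS = ["India", "Brazil: Sergipe: Indiaroba", "Guinea: Kindia"]

def parse_location(spec):
    """Split 'country: region: city' into a tuple of normalized parts."""
    return tuple(p.strip().casefold() for p in spec.split(":") if p.strip())

def location_matches(event_loc, rule_specs):
    """Assumed semantics: a rule entry matches when it is a prefix of the
    event location. Empty rule entries never match."""
    loc = parse_location(event_loc)
    return any(r and loc[:len(r)] == r for r in map(parse_location, rule_specs))

def evaluate_rule(events, category, min_count, rule_specs, severity="Critical"):
    """Count matching activities per (user, service, day) and return an anomaly
    for each bucket whose count is greater than or equal to min_count."""
    counts = Counter()
    for e in events:
        if e["category"] != category:
            continue
        if not location_matches(e["location"], rule_specs):
            continue
        day = datetime.fromisoformat(e["time"]).date().isoformat()  # Daily duration
        counts[(e["user"], e["service"], day)] += 1
    return [
        {"user": u, "service": s, "day": d, "count": n, "severity": severity}
        for (u, s, d), n in sorted(counts.items()) if n >= min_count
    ]

# Constructed sample events (hypothetical field names, not a product schema).
SAMPLE_EVENTS = [
    {"user": "alice", "service": "ServiceNow", "category": "Administration",
     "time": "2024-05-01T09:00:00", "location": "India: Karnataka: Bengaluru"},
    {"user": "alice", "service": "ServiceNow", "category": "Administration",
     "time": "2024-05-01T17:30:00", "location": "India: Delhi: New Delhi"},
    {"user": "bob", "service": "ServiceNow", "category": "Administration",
     "time": "2024-05-01T10:00:00", "location": "Brazil: Sergipe: Aracaju"},
    {"user": "carol", "service": "ServiceNow", "category": "Administration",
     "time": "2024-05-01T11:00:00", "location": "Guinea: Kindia: Kindia"},
    {"user": "dave", "service": "ServiceNow", "category": "Download",
     "time": "2024-05-01T12:00:00", "location": "India: Goa: Panaji"},
]

if __name__ == "__main__":
    for anomaly in evaluate_rule(SAMPLE_EVENTS, "Administration", 1, RULE_LOCATIONS):
        print(anomaly)
```

With an Activity Count of 1, a single matching activity is enough to raise an anomaly; passing 2 as `min_count` raises one only from the second matching activity in a day.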