Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here

Skyhigh Security

Configure Source Rules

IMPORTANT: Activity Count and Activity Type or Category are mandatory rules to complete your custom anomaly rule statement. The Incomplete Rule message will be displayed if these rules are not added.

The Source rule allows you to detect and monitor the trusted and untrusted activities performed by users on the service. You can also define the rule with other parameters such as Activity Type or Category, Activity Count, Trust, Device, and more. Anomalies are triggered when a user performs any activities on a service that exceeds the expected activity count from a configured source type and network.

The Source rule allows you to select the source type for the rule. Source types are Trusted and Untrusted. You can also select or deselect a reason for the selected source type from the list.
clipboard_e9559b07c4de3ab736932422920080209.png

Use Case 1: Suppose you want to be notified when a user performs more than 10 untrusted administration activities on ServiceNow from a Suspicious network in a day. 

To configure this rule:

  1. Go to Incidents > Anomalies > Anomaly Settings.
  2. Click Actions > Create a Custom Anomaly.
  3. On the Name & Scope page, enter a name, description, services, and users. 
  4. On the Rules & Exceptions page, select Activity Type or Category from the list. For example, Administration.
    clipboard_e71de24179bf1d20d1f8be0bbccaa150c.png
  1. Click AND to:
    • Enter a value for Activity Count is greater than or equal to. For example, 10.
    • Set the Duration for a custom anomaly detection. For example, Daily.
  2. Click AND to add the source type. For example, Untrusted, and the reason for the selected source type. For example, Suspicious Network.
  3. Click THEN to create an Anomaly and select a Severity. For example, Critical.
  4. Click Next.
  5. Review the custom anomaly rule and click Save

Use Case 2: Suppose you want to be notified when a user modifies any data on Salesforce from a trusted network such as allowlisted city, or organization in a day.

To configure this rule:

  1. Go to Incidents > Anomalies > Anomaly Settings.
  2. Click Actions > Create a Custom Anomaly.
  3. On the Name & Scope page, enter a name, description, services, and users. 
  4. On the Rules & Exceptions page, select Activity Type or Category from the list. For example, Data Updates : Folder name, file restore, folder restore, etc.
    clipboard_ea53c1a788624f6f98842641a4031c877.png
  5. Click AND to:
    • Enter a value for Activity Count is greater than or equal to. For example, 1.
    • Set the Duration for a custom anomaly detection. For example, Daily.
  6. Click AND to add the source type. For example, Trusted, and the reason for the selected source type. For example, Allowlisted City and Organization.
  7. Click THEN to create an Anomaly and select a Severity. For example, Major.
  8. Click Next.
  9. Review the custom anomaly rule and click Save
  • Was this article helpful?