About the Sanctioned Services Anomaly Workflow
Anomalies are the foundation of the Skyhigh CASB Threat Protection platform. They alert you to potentially threatening behavior by recognizing when activity exceeds established thresholds. Understanding how anomalies are generated and how to respond to them is vital to success with Threat Protection.
- Threat Protection analyzes activity occurring within your sanctioned cloud services.
- This activity is compared to the threshold for that activity. This threshold is either based on the user's specific behavior or leveled out to the normal behavior of your entire organization.
- If the activity does not exceed the threshold, the activity is recorded to the Activities page and no further action is required.
- If the activity exceeds the threshold, an anomaly is generated.
- Your team should investigate each anomaly, determining if the anomaly represents a valid security concern that should be addressed and resolved or if the anomaly was generated incorrectly and should be marked as a false positive. Either way, once an anomaly is marked, it will be removed from the Anomalies page.
- If too many of one kind of anomaly are left unmarked, Threat Protection pauses generation of that anomaly until enough of those anomalies are resolved, marked false positive or suppressed.