Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here

Skyhigh Security

Configure Superhuman Anomaly Filters

Superhuman Anomalies are a specific type of Access anomalies that are detected when a user registers activity from multiple locations within a time period that would not allow for travel between those locations. This is usually caused by illegitimate use of credentials, hacker activity, or the use of shared credentials.

There are five filters that fine-tune Superhuman Anomalies. If you do not want to customize your workflow, your organization can leave some filters turned off. The goal is to promote zero anomalies by eliminating false anomalous events that are especially mission-critical.

Non-Anomalous Activities

When enabled, this filter identifies uncertain anomalies that are generated from digital information created by the activity of computers, mobile device networks, cloud service providers, and other networked devices.
clipboard_ec84bbfae79ee64ed495ea112de2e87e2.png

To update Non-Anamolous activities:

  1. Select the Machine-Generated Activities, Cloud Service Provider Activities, and Mobile Device Network Activities checkboxes.
    • Machine Generated Activities. If an authenticated user signs on to Office 365 using an ADFS (Active Directory Federation Services) federated token, then an anomaly is detected during machine-generated activity. These anomalies are filtered to tune out the non-anomalous activities.
    • Cloud Service Provider. The malicious activities generated from Cloud Service Providers such as Office 365, Box, and others are filtered.
    • Mobile Device Network Activities. Mobile networks have unpredictable routing behavior, which produces significant false positives. So the suspicious activities are identified and filtered in mobile networks.

Allowed Networks and Locations

When enabled, this filter identifies anomalies that are internally generated from a list of networks and locations to catch switching behavior caused by activities generated from enterprise edge services, proxies, and next-generation firewalls. Activity passing through Allow List IPs does not trigger anomalous events. But if an email is opened from an IP where there is no allowed egress point, an anomaly could be triggered.

The CSV used by Allowed Networks and Locations can be updated at any time, but filtering is not retroactive on changes to this file.
clipboard_eade34aa4bd90324412c96b2cdb1175cb.png

To update the Allow List IPs:

  1. Click Download CSV to get a list of the current IPs.
  2. Make any edits and save the CSV.
  3. Click Upload CSV and then provide the updated CSV file.

Organizations and Locations Trusted for the Enterprise

If you have vast global business, this filter identifies the non-anomalous activities performed by all users in the Skyhigh Security trusted Cloud Service Providers’ organizations and locations to reduce network traffic.

Based on your enterprise’s security posture, you can adjust the percentage of the total activity that is filtered. After each adjustment, downloading a CSV allows you to see exactly how the changes could affect filtering. A higher trust level means that more traffic must be attributed to an ISP before anomalies are triggered. A lower trust level means that less network traffic from an ISP triggers fewer anomalies.
clipboard_e09bf93efe77c916b36583acee5d9d875.png

To adjust the trust level:

  1. Enter a new percentage in the Trusted Organization, Trusted Cities, and Trusted Countries textboxes.
  2. Download the CSV to check which ISPs are affected by the adjustment. Repeat if necessary.

Organizations and Locations Trusted for the User

If you have a widely distributed workforce, this filter detects the individual user performing non-anomalous activities in the Skyhigh Security trusted organizations and locations using User and Entity Behavior Analytics (UEBA). Trust is measured by the percentage of network traffic. Network traffic can create a lot of noise.

Based on your enterprise’s security posture, you can adjust the percentage of the total activity that is filtered. After each adjustment, downloading a CSV allows you to see exactly how the changes could affect filtering. A higher trust level means that more traffic must be attributed to an ISP before anomalies are triggered. A lower trust level means that less network traffic from an ISP triggers fewer anomalies.
clipboard_ecbc12ead5adb57acba5366a9ab58d886.png

To adjust the trust level:

  1. Enter a new percentage in the Trusted Organization, Trusted Cities, and Trusted Countries textboxes.
  2. Download the CSV to check which ISPs are affected by the adjustment. Repeat if necessary.

Trusted VPN IP Addresses

Trusted VPN IP Addresses filters normal user activity while a user is traveling and using a VPN-based network switching pattern.

To filter out successful logins from Threat Protection and Anomalies, enable the Enable Login Success Filter Exception checkbox.
clipboard_e2d84d582799cf515ce9ec222bad02fb3.png

To get the trusted VPN IP Addresses:

  1. Select the required options from the Download CSV.
  2. To download the CSV file of trusted VPN IP addresses, click Trusted VPN IP Addresses.
  3. To download the CSV file of filterable non-anomalous activities, click Filterable Non-anomalous Activities.
  • Was this article helpful?