Threat Protection uses two different threshold types known as Organizational and Behavioral Thresholds to identify anomalous behavior. Initially, Threat Protection uses Organizational Thresholds to detect unusual activity. However, Threat Protection can seamlessly transition from Organizational Thresholds to Behavioral Thresholds once it has gathered sufficient information about typical behavior patterns. To switch from Organizational Thresholds to Behavioral Thresholds on your tenant, contact Skyhigh Support.
Organizational Thresholds apply the same thresholds to all users in your organization. Each activity has its own Organizational Thresholds, which are set from a baseline provided by Skyhigh CASB and determined by observations from other organizations in our customer base, such as the number of users, the domain of the customer, etc. Organizational Thresholds are used by default while Threat Protection gathers enough information to successfully use Behavioral Thresholds to identify anomalous activity, typically after four weeks of use.
Organizational Thresholds appear in the Anomaly Cloud Card for a selected anomaly as a flat orange line.
Organizational Thresholds can be manually adjusted.
Once Threat Protection has collected enough information about your users' normal activity to identify unusual patterns and flag anomalies, Threat Protection switches to a Behavioral Thresholds model. Behavioral Thresholds look at a user’s individual patterns with a service to determine what constitutes anomalous behavior. These thresholds change over time to reflect changes in the baseline user behavior. Because people don’t interact with services exactly the same way 24/7, multiple thresholds exist for each user in each service for each activity: what’s normal download behavior at 10 AM on a Tuesday might be suspicious at 8 PM on a Saturday.
Behavioral Thresholds appear in the Anomaly Cloud Card for a selected anomaly as a curved orange line.
NOTE: After activating Behavioral Thresholds with the help of Skyhigh Support, Threat Protection needs four weeks of data to baseline the Behavioral Thresholds.
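The sketch below is an added illustration of the two threshold models described above; it is not Skyhigh's implementation. The flat limit of 100, the mean-plus-K-standard-deviations rule, the spread floor, and all names and sample counts are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

ORG_THRESHOLD = 100  # constructed flat limit applied to every user
MIN_WEEKS = 4        # the page's four-week baselining period
K = 3.0              # assumed sensitivity: limit = mean + K * stddev


class Thresholds:
    def __init__(self):
        # (user, service, activity, weekday, hour) -> one count per observed week
        self.history = defaultdict(list)

    def observe(self, user, service, activity, when, count):
        key = (user, service, activity, when.weekday(), when.hour)
        self.history[key].append(count)

    def threshold(self, user, service, activity, when):
        key = (user, service, activity, when.weekday(), when.hour)
        samples = self.history.get(key, [])
        if len(samples) < MIN_WEEKS:
            # Not enough history for this slot: use the flat organizational limit.
            return ORG_THRESHOLD, "organizational"
        # Floor the spread at 1.0 (assumption) so quiet slots are not hair-trigger.
        return mean(samples) + K * max(pstdev(samples), 1.0), "behavioral"

    def is_anomalous(self, user, service, activity, when, count):
        limit, _ = self.threshold(user, service, activity, when)
        return count > limit


def build_demo():
    """Constructed history: four weeks of one user's download counts."""
    t = Thresholds()
    tuesday_10am = datetime(2024, 1, 2, 10)   # a Tuesday
    saturday_8pm = datetime(2024, 1, 6, 20)   # a Saturday
    for week, (busy, quiet) in enumerate([(40, 0), (44, 1), (38, 0), (42, 1)]):
        shift = timedelta(weeks=week)
        t.observe("alice", "storage", "download", tuesday_10am + shift, busy)
        t.observe("alice", "storage", "download", saturday_8pm + shift, quiet)
    return t


if __name__ == "__main__":
    t = build_demo()
    for user, when in [("alice", datetime(2024, 1, 30, 10)),
                       ("alice", datetime(2024, 2, 3, 20)),
                       ("bob", datetime(2024, 2, 3, 20))]:
        limit, model = t.threshold(user, "storage", "download", when)
        flagged = t.is_anomalous(user, "storage", "download", when, 30)
        print(f"{user} {when:%a %H:%M} 30 downloads: {model} limit {limit:.1f}, anomalous={flagged}")
```

The same 30 downloads pass under the flat limit and in the user's busy Tuesday slot, but are flagged in the Saturday evening slot where that user's history is near zero.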