
Behavior Threats

The Behavior Threats feature uses a machine-learning model and user history to detect potential threats based on anomalous user behavior.
The Behavior Threats feature of SaaS Security helps you identify potential threats to your organization from compromised accounts, malicious insiders, and data breaches. Specifically, Behavior Threats examines how your organization’s users are interacting with sanctioned SaaS applications to identify suspicious user activities that might indicate attempts to steal or corrupt data.
Behavior Threats obtains information about user activities from the Data Security component of SaaS Security, and examines the data to identify suspicious user activities. Suspicious user activities include actions such as a user uploading or downloading a large number of files within a short period of time, or a user logging on to a SaaS application outside of their normal working hours.
Because every organization is different, we designed Behavior Threats to tailor itself to your particular organization. Behavior Threats uses machine learning to analyze and model user behavior in your organization. Behavior Threats provides a set of policies for detecting suspicious user actions, but these policies are not based on predefined or manually configured thresholds. Instead, these policies compare new user actions against past actions to detect unusual activities. The policies are enabled by default, so no configuration is necessary. All you require is a tenant with Data Security and the Cloud Identity Engine.
Depending on when you first activated and configured Data Security, up to 90 days of historical user data is available to Behavior Threats. Behavior Threats examines this historical user data to determine a baseline for each user in your organization. This baseline is derived from the user’s past actions and also from the actions of other users in your organization. Using data-driven machine learning models, Behavior Threats assigns a risk score to each user based on anomalous behavior.
Behavior Threats displays the most anomalous user actions as threat incidents, and assigns a Severity level to each threat incident. Behavior Threats is designed to minimize the number of false positives by only reporting a very small percentage of user actions as threat incidents.
Each day, Behavior Threats collects data on the most recent user actions to identify the most risky users and new threats. Behavior Threats also uses this new data to recalculate user baselines.
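The following added example (not part of the product or its documentation) illustrates why comparing actions against a per-user baseline behaves differently from a fixed threshold. It is not the Behavior Threats model: the median/MAD scoring, the peer-derived spread floor, the function names, the cutoffs, and the sample data are all assumptions made for illustration.

```python
from statistics import median

def mad(samples, center):
    """Median absolute deviation of samples around center."""
    return median(abs(s - center) for s in samples)

def risk_scores(history, today):
    """Score today's count per user against a baseline built from history."""
    pooled = [c for counts in history.values() for c in counts]
    # Peer-derived floor on spread, so a flat personal history (MAD 0)
    # does not turn a one-file change into an extreme score.
    floor = median(mad(c, median(c)) for c in history.values() if c) or 1.0
    scores = {}
    for user, count in today.items():
        own = history.get(user)
        if own:   # baseline from the user's own past, spread floored by peers
            center = median(own)
            spread = max(mad(own, center), floor)
        else:     # no history yet: fall back to the organization-wide baseline
            center = median(pooled)
            spread = max(mad(pooled, center), floor)
        # 1.4826 scales MAD to a standard deviation for normal data;
        # only unusually high counts score above zero.
        scores[user] = max(0.0, (count - center) / (1.4826 * spread))
    return scores

def incidents(scores, top_fraction=0.2, min_score=3.0):
    """Report only the highest-scoring share of users, and only if anomalous."""
    limit = max(1, int(len(scores) * top_fraction))
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    return [user for user, s in ranked[:limit] if s >= min_score]

def fixed_threshold(today, limit=200):
    """The manually configured alternative: one cutoff for every user."""
    return sorted(u for u, c in today.items() if c > limit)

# Constructed sample data: files downloaded per day, per user.
HISTORY = {
    "backup-svc": [480, 510, 495, 505, 490, 500, 515],
    "alice": [4, 6, 5, 7, 5, 6, 4],
    "bob": [10, 12, 9, 11, 10, 13, 12],
    "carol": [20, 18, 22, 19, 21, 20, 23],
}
TODAY = {"backup-svc": 505, "alice": 150, "bob": 11, "carol": 21, "dave": 14}

if __name__ == "__main__":
    print("fixed threshold:", fixed_threshold(TODAY))
    print("baseline-relative:", incidents(risk_scores(HISTORY, TODAY)))
```

On this data the fixed cutoff flags the service account doing its usual volume and misses the user whose downloads jumped thirtyfold, while the baseline-relative score does the opposite.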
The Behavior Threats page in the Cloud Management Console displays the threat incidents and risky users. From this page, you can complete the following tasks: