: Policies for Detecting Threats
Focus
Focus

Policies for Detecting Threats

Table of Contents

Policies for Detecting Threats

Learn about the policies in Behavior Threats for identifying potential threats.
Policies instruct Behavior Threats to detect anomalies in specific types of user activities. Behavior Threats separates these policies into the following behavioral situations:
  • Spike in Activity: Compared to historical data, a marked increase in a particular activity within a single hour.
  • Bulk Activity: Compared to historical data, a marked increase in a particular activity over a span of hours.
  • Time-Based Activity: Compared to historical data, an activity performed by a user at an unusual time.
  • Location-Based Activity: Compared to historical data, an activity performed by a user from an unusual location.
  • Sensitive Data-Transfer Activity: Compared to historical data, unusual user access to files containing Data Loss Prevention (DLP) data patterns.
By default, all policies are enabled. However, you can disable a policy if you do not want Behavior Threats to display incidents for that policy.
The historical data that Behavior Threats uses to detect anomalous user behavior is at most 90 days.
Policies to Detect a Spike in Activity
Policy NameDescription
Detect spike in Application Usage
Instructs Behavior Threats to display spikes in usage for an individual application within a single hour.
For this policy, Behavior Threats logs incidents based on the number of distinct actions that a particular user performs in a particular application. Behavior Threats identifies usage spikes based on how the user typically interacts with the application.
Behavior Threats logs a spike in application usage only if the spike is very unlikely compared to app usage across your organization.
Detect spike in Data Downloads or Uploads
Instructs Behavior Threats to show when a user uploads or downloads a large number of distinct files or folders within a single hour.
For this policy, Behavior Threats logs incidents base on the amount of data that the user downloaded or uploaded compared to how much data the user typically downloads or uploads.
Behavior Threats logs a spike in upload or download activity only if the spike is very unlikely compared to other download and upload actions across your organization.
Detect spike in Share, Delete, and Edit actions
Instructs Behavior Threats to show spikes in Share, Delete or Edit actions across all SaaS applications by a single user within a single hour.
For this policy, Behavior Threats logs incidents based on the number of files a user shared, deleted, or edited compared to the number of files the user typically shares, deletes, or edits.
Behavior Threats logs a spike in Share, Delete, or Edit actions only if it is very unlikely compared to actions taken by other users across your organization.
Detect spike in User Activity
Instructs Behavior Threats to show when a user performs excessive interactions with SaaS applications within a single hour.
For this policy, Behavior Threats logs incidents based on the number of user interactions with SaaS applications compared to the user's typical number of interactions.
Behavior Threats logs a spike in user activity only if it is very unlikely compared to user activity across your organization.
Policies to Detect Bulk Activity
Policy NameDescription
Detect bulk Data Downloads or Uploads
Instructs Behavior Threats to show when a user uploads or downloads a large number of files or folders within a span of hours.
For this policy, Behavior Threats logs incidents based on the amount of data that the user downloaded or uploaded compared to how much data the user typically downloads or uploads during the same number of hours.
Behavior Threats logs a bulk download or upload incident only if it is very unlikely compared to user download or upload activity across your organization.
Detect bulk User Activity
Instructs Behavior Threats to show when a user performs excessive interactions with a SaaS application within a span of hours.
For this policy, Behavior Threats logs incidents based on the number of user interactions with SaaS applications compared to the user's typical number of interactions within the same number of hours.
Behavior Threats logs a bulk user activity incident only if it is very unlikely compared to user activity across your organization.
Behavior Threats logs a bulk user activity incident only if it is very unlikely compared to user activity across your organization.
Policy to Detect Time-Based Activity
Policy NameDescription
Detect Abnormal User Activity Hours
Instructs Behavior Threats to show if users are active outside of the hours that they normally access the system
For this policy, Behavior Threats logs incidents by comparing the time a user is active with their typical hours of activity.
Behavior Threats logs an incident only if it estimates the probability of the user being active at a particular time is very low.
Policy to Detect Location-Based Activity
Policy NameDescription
Detect Abnormal Location Access
Instructs Behavior Threats to show if users access SaaS applications from an unusual location.
For this policy, Behavior Threats logs incidents by comparing the location from which a user accesses a SaaS application to typical access locations for the user and their peers.
Behavior Threats logs an incident only if the probability of the user accessing an application from the location is very low.
Policy to Detect Sensitive Data Transfer
Policy NameDescription
Detect Unusual Access to Sensitive Data
Instructs Behavior Threats to show unusual user access to files containing Data Loss Prevention (DLP) data patterns. Behavior Threats logs the following unusual behavior:
  • A user accessed many sensitive files containing DLP data patterns.
  • A user accessed files containing data patterns that are not normally in the files that they access.
For this policy, Behavior Threats logs incidents by comparing the number of files containing DLP data patterns and the data patterns to the user's past behavior.
Behavior Threats logs an incident only if it estimates the probability of the sensitive-data access is very low.