SaaS Security
Dynamic Policies to Detect Threats
Table of Contents
Expand All
|
Collapse All
SaaS Security Docs
Dynamic Policies to Detect Threats
Learn about the dynamic policies in Behavior Threats for identifying potential
threats.
Dynamic policies instruct Behavior Threats to detect anomalies in specific types of user
activities by using historical data and machine learning. Behavior Threats separates
these policies into the following behavioral situations:
- Spike in Activity: Compared to historical data, a marked increase in a particular activity within a single hour.
- Bulk Activity: Compared to historical data, a marked increase in a particular activity over a span of hours.
- Time-Based Activity: Compared to historical data, an activity performed by a user at an unusual time.
- Location-Based Activity: Compared to historical data, an activity performed by a user from an unusual location.
- Sensitive Data-Transfer Activity: Compared to historical data, unusual user access to files containing Enterprise Data Loss Prevention (E-DLP) data patterns.
The historical data that Behavior Threats uses to detect anomalous user behavior is at
most 90 days.
| Policy Name | Description |
|---|---|
|
Detect spike in Application Usage
|
Instructs Behavior Threats to display spikes in usage for an
individual app within a single hour.
For this policy, Behavior Threats logs incidents based on the
number of distinct actions that a particular user performs in a
particular app. Behavior Threats identifies usage spikes based
on how the user typically interacts with the app.
Behavior Threats logs a spike in app usage only if the spike is
very unlikely compared to app usage across your
organization.
|
|
Detect spike in Data Downloads or Uploads
|
Instructs Behavior Threats to show when a user uploads or
downloads a large number of distinct files or folders within a
single hour.
For this policy, Behavior Threats logs incidents based on the
amount of data that the user downloaded or uploaded compared to
how much data the user typically downloads or uploads.
Behavior Threats logs a spike in upload or download activity only
if the spike is very unlikely compared to other download and
upload actions across your organization.
|
|
Detect spike in Share, Delete, and Edit actions
|
Instructs Behavior Threats to show spikes in Share, Delete, or
Edit actions across all SaaS apps by a single user within a
single hour.
For this policy, Behavior Threats logs incidents based on the
number of files a user shared, deleted, or edited compared to
the number of files the user typically shares, deletes, or
edits.
Behavior Threats logs a spike in Share, Delete, or Edit actions
only if it's very unlikely compared to actions taken by other
users across your organization.
|
|
Detect spike in User Activity
|
Instructs Behavior Threats to show when a user performs excessive
interactions with SaaS apps within a single hour.
For this policy, Behavior Threats logs incidents based on the
number of user interactions with SaaS apps compared to the
user's typical number of interactions.
Behavior Threats logs a spike in user activity only if it's very
unlikely compared to user activity across your organization.
|
| Policy Name | Description |
|---|---|
|
Detect bulk Data Downloads or Uploads
|
Instructs Behavior Threats to show when a user uploads or
downloads a large number of files or folders within a span of
hours.
For this policy, Behavior Threats logs incidents based on the
amount of data that the user downloaded or uploaded compared to
how much data the user typically downloads or uploads during the
same number of hours.
Behavior Threats logs a bulk download or upload incident only if
it's very unlikely compared to user download or upload activity
across your organization.
|
|
Detect bulk User Activity
|
Instructs Behavior Threats to show when a user performs excessive
interactions with a SaaS app within a span of hours.
For this policy, Behavior Threats logs incidents based on the
number of user interactions with SaaS apps compared to the
user's typical number of interactions within the same number of
hours.
Behavior Threats logs a bulk user activity incident only if it's
very unlikely compared to user activity across your
organization.
Behavior Threats logs a bulk user activity incident only if it's
very unlikely compared to user activity across your
organization.
|
| Policy Name | Description |
|---|---|
| Detect Abnormal User Activity Hours |
Instructs Behavior Threats to show if users are active outside of
the hours that they normally access the system
For this policy, Behavior Threats logs incidents by comparing the
time a user is active with their typical hours of activity.
Behavior Threats logs an incident only if it estimates the
probability of the user being active at a particular time is
very low.
|
| Policy Name | Description |
|---|---|
| Detect Abnormal Location Access |
Instructs Behavior Threats to show if users access SaaS apps from
an unusual location.
For this policy, Behavior Threats logs incidents by comparing the
location from which a user accesses a SaaS app to typical access
locations for the user and their peers.
Behavior Threats logs an incident only if the probability of the
user accessing an app from the location is very low.
Behavior Threats excludes the Allowed list of IP
addresses from being detected for anomalies.
Historical data or machine learning do not consider these IP
addresses for training or inference. |
| Policy Name | Description |
|---|---|
| Detect Unusual Access to Sensitive Data |
Instructs Behavior Threats to show unusual user access to files
containing Enterprise DLP data patterns. Behavior Threats
logs the following unusual behavior:
For this policy, Behavior Threats logs incidents by comparing the
number of files containing Enterprise DLP data patterns and
the data patterns to the user's past behavior.
Behavior Threats logs an incident only if it estimates the
probability of the sensitive-data access is very low.
|