Legacy UEBA Policies Migration to Behavior Threats

The migration of legacy UEBA policies to Behavior Threats combines machine learning-based behavior threats with optimized rule-based policies to strengthen your security posture.
We are retiring the legacy User Activity Policies (rule-based UEBA) and transitioning to our new enhanced Behavior Threats capability. User Activity policies, specifically the predefined policies in Data Security, are now available as static policies in Behavior Threats.
Since January 2025, we have enabled Behavior Threats in your account, offering a more advanced and adaptive approach to detecting security risks. While the rule-based UEBA system has served well in identifying known patterns of suspicious activity, Behavior Threats enhances threat detection by using machine learning (ML) to recognize both known and emerging threats with greater accuracy and efficiency.
As part of this transition, we will be deprecating the following predefined user activity policies:
  • Bulk Deletion
  • Bulk Download
  • Bulk Sharing
  • Bulk Upload
  • Impossible Traveler
  • Login Failure
  • Malware
  • Risky IP
  • Unsafe Location
  • Unsafe VPN
All these policies have been migrated to the new static policies under Behavior Threats. In addition, the web interface elements related to these policies are also being removed. This includes the Risk Event Trend, Risky Events, and Risk Trends charts found under Data Security > User & Activities > Monitored Users in the detailed view for each individual user.
Behavior Threats builds on the foundation of rule-based policies by introducing smarter, more adaptive detection capabilities. With this transition, you will benefit from:
  • More accurate threat detection – Identify both known and evolving security threats with a combination of ML-based and optimized rule-based detection.
  • Unified threat management – View all security incidents in a single pane of glass for better visibility and management.
  • Improved efficiency – Reduce manual rule updates while ensuring policies remain effective against new attack patterns.
  • Enhanced customization – Configure key detections such as Impossible Traveler and Risky IP.
  • Scalability and future-proofing – A system that evolves with emerging threats and adapts to various data sources.
The predefined policies in Data Security won’t be available for newly provisioned tenants from May 30, 2025. By transitioning to the new policies, you ensure continued functionality and access to the latest features. See the LIVEcommunity blog for a detailed explanation of this transition.