Get Started with Behavior Threats
The Behavior Threats feature uses a machine-learning model and user history to detect
potential threats based on anomalous user behavior.
Where Can I Use This?
- NGFW (Managed by Strata Cloud Manager)
- Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
Or any of the following licenses that include the Data Security license:
- Data Security license
- CASB-X
- CASB-PA
The Behavior Threats feature of SaaS Security helps you identify potential threats to
your organization from compromised accounts, malicious insiders, and data breaches.
Specifically, Behavior Threats examines how your organization’s users are interacting
with sanctioned SaaS apps to identify suspicious user activities that might indicate
attempts to steal or corrupt data.
Behavior Threats obtains information about user activities from the Data Security component of SaaS Security, and examines the data to identify suspicious user
activities. Suspicious user activities include actions such as a user uploading or
downloading a large number of files within a short period of time, or a user logging on
to a SaaS app outside of their normal working hours.
Because every organization is different, we designed Behavior Threats to tailor its
dynamic policies to your particular organization. Behavior Threats uses machine learning
to analyze and model user behavior in your organization. Behavior Threats provides a set
of dynamic policies that are not based on predefined or manually configured thresholds.
Instead, these policies compare new user actions against past actions to detect unusual
activities. The policies are enabled by default, so no configuration is necessary. All
you require is a tenant with Data Security and the Cloud Identity Engine.
Depending on when you first activated and configured Data Security, up to 90
days of historical user data is available to Behavior Threats. Behavior Threats examines
this historical user data to determine a baseline for each user in your organization.
This baseline is derived from the user’s past actions and also from the actions of other
users in your organization. Using data-driven machine learning models, Behavior Threats
assigns a risk score to each user based on anomalous behavior.
Behavior Threats displays the most anomalous user actions as threat incidents, and
assigns a Severity level to each threat incident. Behavior Threats is designed to
minimize the number of false positives by only reporting a very small percentage of user
actions as threat incidents.
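The baseline comparison described above, as an added illustration; it is not Palo Alto Networks code and not the model Behavior Threats uses. The robust z-score (median and MAD), the 70/30 blend of own and peer baselines, the reporting fraction, the deviation floor and all sample data are assumptions constructed for this sketch.

```python
from statistics import median

# Constructed sample: files downloaded per day, per user, over 10 days of history.
HISTORY = {
    "alice": [12, 9, 14, 11, 10, 13, 12, 8, 11, 10],
    "bob":   [40, 55, 38, 47, 52, 44, 49, 41, 50, 46],
    "carol": [3, 2, 4, 3, 5, 2, 3, 4, 3, 2],
}
# Constructed sample: today's download counts to evaluate.
TODAY = {"alice": 13, "bob": 58, "carol": 45}

def robust_z(value, samples):
    """Distance from the median in units of scaled MAD (outlier-resistant)."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    scale = 1.4826 * mad or 1.0  # flat history gives MAD 0; avoid dividing by zero
    return (value - med) / scale

def risk_scores(history, today, self_weight=0.7):
    """Blend deviation from the user's own baseline with deviation from peers."""
    scores = {}
    for user, value in today.items():
        own = history.get(user, [])
        peers = [s for u, h in history.items() if u != user for s in h]
        z_peer = robust_z(value, peers) if peers else 0.0
        # A user with no history yet is judged against peers only.
        z_own = robust_z(value, own) if own else z_peer
        # In this sketch only unusually high activity raises the score.
        scores[user] = max(0.0, self_weight * z_own + (1 - self_weight) * z_peer)
    return scores

def incidents(scores, top_fraction=0.34, floor=3.0):
    """Report only the most anomalous users: top fraction and above a deviation floor.

    The floor is on the deviation score, not on raw file counts, so a quiet day
    produces no incidents instead of always reporting someone.
    """
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    keep = max(1, int(len(ranked) * top_fraction))
    return [(u, round(s, 1)) for u, s in ranked[:keep] if s >= floor]

if __name__ == "__main__":
    print(incidents(risk_scores(HISTORY, TODAY)))
```

Bob downloads far more files than Carol in absolute terms, but 58 is close to his own history, while 45 is far outside Carol's, so only Carol is reported.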
Each day, Behavior Threats collects data on the most recent user actions to identify the
most risky users and new threats. Behavior Threats also uses this new data to
recalculate user baselines.
The Behavior Threats page on Strata Cloud Manager displays the threat incidents and
risky users. From this page, you can complete the following tasks: