SaaS Security
What's Behavior Threats?
The Behavior Threats feature uses a machine-learning model and user history to detect
potential threats based on anomalous user behavior.
The Behavior Threats feature of SaaS Security helps you identify
potential threats to your organization from compromised accounts, malicious insiders,
and data breaches. Specifically, Behavior Threats examines how your organization’s users
are interacting with sanctioned SaaS apps to identify suspicious user activities that
might indicate attempts to steal or corrupt data.
Behavior Threats obtains information about user activities from the Data Security
component of SaaS Security, and examines the data to identify suspicious user
activities. Suspicious user activities include actions such as a user uploading or
downloading a large number of files within a short period of time, or a user logging on
to a SaaS app outside of their normal working hours.
Because every organization is different, we designed Behavior Threats to tailor itself to
your particular organization. Behavior Threats uses machine learning to analyze and
model user behavior in your organization. Behavior Threats provides a set of policy rules for detecting suspicious user
actions, but these policies are not based on predefined or manually
configured thresholds. Instead, these policies compare new user actions against past
actions to detect unusual activities. The policies are enabled by default, so no
configuration is necessary. All you require is a tenant with Data Security and
the Cloud Identity Engine.
Depending on when you first activated and configured Data Security, up to 90
days of historical user data is available to Behavior Threats. Behavior Threats examines
this historical user data to determine a baseline for each user in your organization.
This baseline is derived from the user’s past actions and also from the actions of other
users in your organization. Using data-driven machine learning models, Behavior Threats
assigns a risk score to each user based on anomalous behavior.
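The contrast between a fixed threshold and a per-user baseline can be seen in the following added example. It is not Palo Alto Networks code and does not reproduce the Behavior Threats model: it assumes a median/MAD score over constructed daily download counts, with a fallback to other users' history for a user who has little of their own. All names and values in it are hypothetical.

```python
from statistics import median

# Constructed sample data: files downloaded per day by each user.
HISTORY = {
    "alice": [12, 9, 15, 11, 14, 10, 13, 12, 16, 11],              # light user
    "bob": [310, 280, 350, 295, 330, 305, 290, 340, 315, 300],     # bulk-export role
    "carol": [8, 11],                                              # new user
}
TODAY = {"alice": 240, "bob": 320, "carol": 14}

FIXED_THRESHOLD = 250  # static rule, shown only for comparison
MIN_HISTORY = 5        # assumed minimum days before a user's own baseline is used
CUTOFF = 3.5           # assumed score above which an action counts as anomalous


def robust_score(value, samples):
    """Distance of value above the median, in units of scaled MAD."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    scale = 1.4826 * mad or 1.0  # flat history gives MAD 0; avoid dividing by it
    return (value - med) / scale


def baseline_for(user, history):
    """Return (samples, source): own history if long enough, else other users'."""
    own = history.get(user, [])
    if len(own) >= MIN_HISTORY:
        return own, "self"
    peers = [v for u, vals in history.items() if u != user for v in vals]
    return (peers or own or [0]), "peers"


def evaluate(today, history):
    """Compare the baseline verdict with the fixed-threshold verdict per user."""
    results = {}
    for user, count in today.items():
        samples, source = baseline_for(user, history)
        results[user] = {
            "baseline": source,
            "anomalous": robust_score(count, samples) > CUTOFF,
            "fixed_rule_hit": count > FIXED_THRESHOLD,
        }
    return results


if __name__ == "__main__":
    for user, verdict in evaluate(TODAY, HISTORY).items():
        print(user, verdict)
```

With this data the fixed rule misses alice's twentyfold jump and fires on bob's ordinary day, while the baseline comparison does the opposite.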
Behavior Threats displays the most anomalous user actions as threat incidents, and
assigns a Severity level to each threat incident. Behavior Threats is designed to
minimize the number of false positives by only reporting a very small percentage of user
actions as threat incidents.
Each day, Behavior Threats collects data on the most recent user actions to identify the
most risky users and new threats. Behavior Threats also uses this new data to
recalculate user baselines.
The Behavior Threats page on Strata Cloud Manager displays the threat incidents and
risky users. From this page, you can complete the following tasks:
- View the top 3 most risky users.
- View a list of all users organized by user risk score, and navigate to details about a particular user, including a list of the threat incidents associated with the user.
- Put users on a watchlist, so you can monitor future user activities. You can filter the list of all users to view only the users who are on the watchlist.
- View a list of the policy rules that Behavior Threats applies to user activities to identify threat incidents. All policies are enabled by default, but you can disable policy rules.
- View a list of all threat incidents. The list includes up to 90 days of incidents.