Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Export Anomalies to a CSV File

You can download a CSV file that includes the details of each anomaly. The data available depends on the type of anomalies present in the report.

Note that simple anomalies won't include as many fields as Superhuman Anomalies, which record the second set of locations and activities. 

NOTE: When you export Superhuman Anomalies to a CSV file, you will only get a sample of filtered anomalies. It will not be a complete list of anomalies, so counts in the user interface and the exported file will not match. This is the expected behavior. 

To download a CSV file that includes details of each anomaly:

  1. Go to Incidents > Anomalies > Anomalies
  2. Select the anomaly from the table you wish to export.
  3. Click Actions > Download CSV.

clipboard_e839e9c641ca96f31056f988e793980c2.png

 

The following information is captured in the CSV file.

Field Name Description
User The user who triggered the anomaly, threat, or activity.
Search Key Skyhigh CASB's internal key to look up the info indices where keys are stored.
Anomaly The specific name of the anomaly.
Anomaly Category The top-level category for the anomaly; the options are Access AnomalyAdministration Anomaly, or Data Anomaly.
Anomaly Created Time The time that the anomaly was detected and processed by Threat Protection.
Activity Name The specific name of more than 100 possible activities performed.
Anomaly Threshold The numeric value of the anomaly threshold at the time of the anomaly.
Threshold Duration The period of time where the threshold evaluated to determine if an anomaly has occurred (Hourly, Daily, Monthly, or Weekly).
Severity The risk posed by the event ranked based on severity (High, Medium, or Low).
Service Name The service where the event occurred.
Sub-Service Name This is used for O365 services, which have the Service Name of O365 and a sub-service of OneDrive or Sharepoint.
Anomaly Updated Time The time the anomaly was updated.
Source IP The IP address where the event occurred.
Source IP Owner The name of the organization associated with the IP address where the event occurred.
Source City City of origin for the activity, based on the IP address.
Source Country Country of origin for the activity, based on the IP address.
Source Action Name Name of the action of the first anomalous event (Superhuman Anomalies only).
Source Timestamp The timestamp of the first anomalous event (Superhuman Anomalies only).
Source IP Next The IP address where the second anomalous event occurred (Superhuman Anomalies only).
Source IP Owner Next The name of the organization associated with the IP address where the second anomalous event occurred (Superhuman Anomalies only).
Source City Next City of origin of the second anomalous event (Superhuman Anomalies only).
Source Country Next  Country of origin for the second activity, based on the IP address (Superhuman Anomalies only).
Source Action Name Next Name of the action of the second anomalous event (Superhuman Anomalies only).
Source Timestamp Next The timestamp of the second anomalous event (Superhuman Anomalies only).
Source Latitude  Map coordinate of the origin of the activity, based on the IP address.
Source Latitude Next  Map coordinate of the origin of the second anomalous activity, based on the IP address.
Source Longitude Map coordinate of the origin of the first anomalous activity, based on the IP address.
Source Longitude Next Map coordinate of the origin of the second anomalous activity, based on the IP address.
Distance in miles Distance between the first and second anomalous events for Superhuman Anomalies.
Time Differential Observed  Time elapsed between the first and second anomalous events for Superhuman Anomalies.
  • Was this article helpful?