Frequently Asked Questions About Anomalies
Q1. How is the baselining of a user calculated?
A: A user's baseline is built from the first 30 days of that user's activity data. No anomalies are generated for the user during this 30-day period.
Q2. How is baselining determined for new users and new CSPs?
A: New users require 30 days of activity data before they are baselined. For users who are already baselined, a new CSP requires seven days of data and 1000 activities on that CSP before it is baselined.
Q3. How often are the UEBA thresholds refreshed? How do we determine the start of each two-month cycle? And do we refresh the thresholds at the same time for all tenants?
A: UEBA thresholds are refreshed every two months, based on the latest inbound activities. The start of the cycle and the refresh time are tenant-specific, so thresholds are not refreshed for all tenants at the same time.
Q4. What is the impact of "false positive" and "resolved" anomaly statuses on the UEBA engine?
A: Currently, setting an anomaly's status to "false positive" or "resolved" has no effect on the UEBA engine. We are working on future enhancements to incorporate learning and auto-remediation from these actions.
Q5. How are non-baselined users calculated (as per the "Anomaly > Anomaly Setting" page)?
A: The non-baselined list contains new users whose first activity was within the past 30 days, that is, users who have not yet completed the 30-day baselining period.
Q6. If, during the 30-day baselining period, no activities of a certain activity type are received for a user, how are thresholds calculated for that activity type?
A: No threshold is created for such an activity type. If activities of that type start arriving later, the threshold is created in the next refresh cycle, so no anomaly based on that activity type can be raised before then.
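The rules in Q1, Q2, Q5 and Q6 can be combined into a single eligibility check: is a user baselined, is a given CSP baselined for that user, which activity types have thresholds, and therefore where can an anomaly be raised at all. The following Python is an added illustration written for this page, not the product's own code. The 30-day, seven-day and 1000-activity figures come from the answers above; the record layout, the function names, the evaluation date, the constructed sample activity data and the treatment of a CSP that has been present for a user's entire 30-day window are assumptions made for the example.

```python
from datetime import date, timedelta

USER_BASELINE_DAYS = 30        # Q1, Q2, Q5: a new user needs 30 days of data
NEW_CSP_MIN_DAYS = 7           # Q2: a new CSP for an already baselined user ...
NEW_CSP_MIN_ACTIVITIES = 1000  # Q2: ... needs seven days of data and 1000 activities

# Assumed data model: one (user, csp, activity_type, day) tuple per activity.
# Everything below is constructed sample data, not real telemetry.
def build_sample_records():
    recs = []
    start = date(2024, 1, 1)
    for d in range(45):  # alice: 45 days of Box activity
        day = start + timedelta(days=d)
        recs.append(("alice", "box", "upload", day))
        if d >= 20:      # downloads only start on day 20
            recs.append(("alice", "box", "download", day))
        if d < 6:        # shares only in the first six days, outside the current window
            recs.append(("alice", "box", "share", day))
    for d in range(10):  # alice starts using two new CSPs ten days before TODAY
        day = date(2024, 2, 5) + timedelta(days=d)
        recs.extend(("alice", "salesforce", "login", day) for _ in range(120))  # 1200 in total
        recs.extend(("alice", "dropbox", "upload", day) for _ in range(5))      # 50 in total
    for d in range(14):  # bob joined 14 days before TODAY
        recs.append(("bob", "box", "upload", date(2024, 2, 1) + timedelta(days=d)))
    return recs

TODAY = date(2024, 2, 15)   # assumed evaluation date
RECORDS = build_sample_records()


def first_seen(records, user, csp=None):
    """Earliest activity day for a user, optionally restricted to one CSP."""
    days = [r[3] for r in records if r[0] == user and (csp is None or r[1] == csp)]
    return min(days) if days else None


def user_is_baselined(records, user, today):
    """Q1/Q2: a user is baselined once 30 days of activity data exist."""
    fs = first_seen(records, user)
    return fs is not None and (today - fs).days >= USER_BASELINE_DAYS


def non_baselined_users(records, today):
    """Q5: users whose first activity is within the past 30 days."""
    return sorted(u for u in {r[0] for r in records} if not user_is_baselined(records, u, today))


def csp_is_baselined(records, user, csp, today):
    """Q2: per-user, per-CSP baseline status."""
    fs = first_seen(records, user, csp)
    if fs is None:
        return False
    if (today - fs).days >= USER_BASELINE_DAYS:
        return True  # assumption: the CSP was present for the whole 30-day window
    if not user_is_baselined(records, user, today):
        return False  # a new user waits the full 30 days regardless of CSP
    mine = [r for r in records if r[0] == user and r[1] == csp]
    distinct_days = {r[3] for r in mine}
    return len(distinct_days) >= NEW_CSP_MIN_DAYS and len(mine) >= NEW_CSP_MIN_ACTIVITIES


def activity_types_with_thresholds(records, user, csp, today):
    """Q6: a threshold exists only for activity types seen in the baselining window."""
    window_start = today - timedelta(days=USER_BASELINE_DAYS)
    return sorted({r[2] for r in records
                   if r[0] == user and r[1] == csp and window_start <= r[3] < today})


def can_generate_anomaly(records, user, csp, activity_type, today):
    """An anomaly needs a baselined user/CSP pair and a threshold for the activity type."""
    return (csp_is_baselined(records, user, csp, today)
            and activity_type in activity_types_with_thresholds(records, user, csp, today))


if __name__ == "__main__":
    print("non-baselined users:", non_baselined_users(RECORDS, TODAY))
    for user, csp in [("alice", "box"), ("alice", "salesforce"), ("alice", "dropbox"), ("bob", "box")]:
        print(user, csp, "baselined:", csp_is_baselined(RECORDS, user, csp, TODAY),
              "thresholds:", activity_types_with_thresholds(RECORDS, user, csp, TODAY))
```

In the sample data, alice is baselined for Box and for Salesforce (ten days and 1200 activities on a CSP she adopted after her 30-day period), but not for Dropbox (only 50 activities), and bob appears in the non-baselined list. The "share" activity type on Box gets no threshold because it was last seen before the current window, which is the Q6 case: an anomaly on that type cannot be raised until a later refresh cycle picks the type up again.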