Frequently Asked Questions about Anomalies
- ► How is the baselining of a user calculated?

User baselines are set after 30 days of activity data. Anomalies are not generated for a user during this period.
- ► How is baselining determined for new users and new CSPs?

New users require 30 days of activity data for baselining. For users who are already baselined, a new CSP requires seven days of data and 1000 activities.
- ► How often are the UEBA thresholds refreshed? How is the start of each two-month cycle determined? Are the thresholds refreshed at the same time for all tenants?

UEBA thresholds are refreshed every two months based on the latest inbound activities. The start of the cycle and the refresh time are tenant-specific.
- ► What is the impact of "false positive" and "resolved" anomaly statuses on the UEBA engine?

Currently, the "false positive" and "resolved" anomaly statuses do not affect the UEBA engine. Future enhancements are planned to incorporate learning and auto-remediation from these actions.
- ► How are non-baselined users calculated (as shown on the "Anomaly > Anomaly Setting" page)?

The non-baselined list includes new users who have joined within the past 30 days.
- ► During the 30-day baselining period, if no activities are received for a certain activity type, how are thresholds calculated for those missing activity types for a given user?

No thresholds are created for such activity types. If activities of that type start arriving, the threshold is created in the next refresh cycle.