Baseline Anomalous Access Locations
Anomalous Access Location anomalies are triggered when outliers from activity baselines are found. Before you can configure Anomalous Access Location filters, you'll need to baseline. This is a one-time automated process where your past network activities are analyzed by Skyhigh CASB.
Once the baseline has been identified, Anomalous Access Location filters use that information to prevent expected, non-anomalous events from creating false positives.
NOTE: If your tenant is not baselined, you will see a message on the Anomaly Settings page with details on how long it will take to baseline the tenant. If you have questions about your tenant, contact Skyhigh Security Support.
It is important to note that until a tenant is baselined, trust activity cannot be updated. Sometimes activities do come in delayed, meaning the processed time of the activity is later than the original time of the activity. When an activity has happened before the tenant is baselined, but gets processed after the baseline is complete, you might see results where some activities are updated as trusted while others are not updated as trusted on the same day. When calculating the trust computation (calculating whether a location or network is trusted or not), Skyhigh CASB excludes events that are not yet trusted.