Skyhigh Security

Configure Activity Count Rules

IMPORTANT: Activity Count and Activity Type or Category are mandatory rules; both must be present to complete your custom anomaly rule statement. The Incomplete Rule message is displayed if either rule is missing.

The Activity Count rule allows you to detect and monitor the number of user activities performed in a service within a specified duration. You can combine it with other parameters such as Activity Type or Category, Device ID, Source IP, Location, and more. An anomaly is triggered when a user's activity on a service meets or exceeds the configured activity count within the specified duration.

The Activity Count rule lets you set a threshold and an evaluation frequency.

  • Activity Count is greater than or equal to. Select the required count for the rule.
  • Duration. Set the frequency to evaluate the custom anomaly rule.
    • Daily. Evaluate a custom anomaly rule on a daily basis.
    • Weekly. Evaluate a custom anomaly rule for a calendar week (Sunday to Saturday).
    • Monthly. Evaluate a custom anomaly rule on a monthly basis (Start to end of the month).

NOTES:


  • Modifying a custom anomaly rule within its duration resets the count of anomalies generated for that rule; only anomalies generated after the modification are counted.
  • The rule starts to detect anomalies from the date of rule creation and not from the start of the rule’s duration.


Use Case: Suppose you want to be notified when a user performs a single administration activity in a day on AWS from China.

To configure this rule:

  1. Go to Incidents > Anomalies > Anomaly Settings.
  2. Click Actions > Create a Custom Anomaly.
  3. On the Name & Scope page, enter a name, description, services, and users.
  4. On the Rules & Exceptions page, select Activity Type or Category from the list. For example, Administration.
  5. Click AND to:
    • Enter a value for Activity Count is greater than or equal to. For example, 1.
    • Set the Duration for a custom anomaly detection. For example, Daily.
  6. Click AND to add a location. For example, China.
  7. Click THEN to create an Anomaly and select a Severity. For example, Major.
  8. Click Next.
  9. Review the custom anomaly rule and click Save.
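The evaluation that the steps above configure in the UI, as an added example that is not Skyhigh's own code: a small Python model of an Activity Count rule that filters activities by service, category and location, buckets them per user into daily, weekly (Sunday to Saturday) or monthly windows, ignores activities logged before the rule's creation date (as the note above describes), and reports each window whose count meets the threshold. The activity records, user names, service names and timestamps are constructed for illustration and do not come from the product.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta


@dataclass(frozen=True)
class Activity:
    user: str
    service: str
    category: str    # Activity Type or Category, e.g. "Administration"
    location: str    # country attributed to the activity's source IP
    timestamp: datetime


def window_start(ts: datetime, duration: str) -> date:
    """Return the first day of the window containing ts for the given Duration."""
    d = ts.date()
    if duration == "daily":
        return d
    if duration == "weekly":
        # The calendar week runs Sunday to Saturday; weekday() is Mon=0 .. Sun=6.
        return d - timedelta(days=(d.weekday() + 1) % 7)
    if duration == "monthly":
        return d.replace(day=1)   # start of the month to end of the month
    raise ValueError(f"unknown duration: {duration}")


def evaluate_rule(activities, *, service, category, location,
                  threshold, duration, rule_created):
    """Count matching activities per (user, window); return windows at or above threshold."""
    counts = defaultdict(int)
    for a in activities:
        # Detection starts at rule creation, not at the start of the window.
        if a.timestamp < rule_created:
            continue
        if (a.service, a.category, a.location) != (service, category, location):
            continue
        counts[(a.user, window_start(a.timestamp, duration))] += 1
    return [
        {"user": user, "window_start": start.isoformat(), "count": n}
        for (user, start), n in sorted(counts.items())
        if n >= threshold   # "Activity Count is greater than or equal to"
    ]


# Constructed sample activity log (hypothetical users, service names and times).
RULE_CREATED = datetime(2024, 3, 10)   # a Sunday
SAMPLE_ACTIVITIES = [
    Activity("alice", "Amazon Web Services", "Administration", "China", datetime(2024, 3, 9, 23, 0)),          # before rule creation: ignored
    Activity("alice", "Amazon Web Services", "Administration", "China", datetime(2024, 3, 11, 9, 0)),
    Activity("alice", "Amazon Web Services", "Administration", "United States", datetime(2024, 3, 11, 10, 0)), # wrong location
    Activity("bob", "Amazon Web Services", "Administration", "China", datetime(2024, 3, 12, 8, 0)),
    Activity("bob", "Amazon Web Services", "Administration", "China", datetime(2024, 3, 12, 8, 5)),
    Activity("bob", "Amazon Web Services", "Data Download", "China", datetime(2024, 3, 12, 8, 10)),            # wrong category
    Activity("carol", "Box", "Administration", "China", datetime(2024, 3, 12, 9, 0)),                          # wrong service
]


def use_case_daily():
    """The page's use case: at least one Administration activity per day on AWS from China."""
    return evaluate_rule(SAMPLE_ACTIVITIES, service="Amazon Web Services",
                         category="Administration", location="China",
                         threshold=1, duration="daily", rule_created=RULE_CREATED)


if __name__ == "__main__":
    for hit in use_case_daily():
        print(f"Anomaly (Major): {hit['user']} on {hit['window_start']} count={hit['count']}")
```

Running the use case yields two anomalies: alice on 2024-03-11 (her earlier activity predates the rule and is not counted) and bob on 2024-03-12 with a count of 2. Switching the duration to weekly with a threshold of 2 reports only bob for the week starting Sunday 2024-03-10, which is the behaviour to expect when you raise the threshold to cut noise from a single administrative action.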