Skyhigh Security

Configure Device Rules

IMPORTANT: Activity Type or Category and Activity Count are mandatory rules to complete your custom anomaly rule statement. The Incomplete Rule message will be displayed if these rules are not added.

The Device rule allows you to detect and monitor the device type from which users perform activities on the service. You can also define the rule with other parameters such as Activity Type or Category, Activity Count, Source IP, Location, and more. Anomalies are triggered when a user logs in from a configured device and performs activities on a service that exceed the expected activity count.

The Device rule allows you to select the device type for the rule. Device types are Managed and Unmanaged.

Use Case: Suppose you want to be notified when a user performs more than one admin action in a day on Salesforce from an unmanaged device. 

To configure this rule:

  1. Go to Incidents > Anomalies > Anomaly Settings.
  2. Click Actions > Create a Custom Anomaly.
  3. On the Name & Scope page, enter a name, description, services, and users. 
  4. On the Rules & Exceptions page, select Activity Type or Category from the list. For example, Administration.
  5. Click AND to:
    • Enter a value for Activity Count is greater than or equal to. For example, 1.
    • Set the Duration for a custom anomaly detection. For example, Daily.
  6. Click AND to add the device type. For example, Unmanaged.
  7. Click THEN to create an Anomaly and select a Severity. For example, Warning.
  8. Click Next.
  9. Review the custom anomaly rule and click Save.
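
The rule built in the steps above, sketched as evaluation logic over activity events. This is an added illustration, not Skyhigh Security's code; the field names, the event format, and the calendar-day reading of the Daily duration are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class DeviceRule:
    # Hypothetical field names mirroring the rule clauses described on this page.
    activity_category: Optional[str] = None  # e.g. "Administration"
    min_count: Optional[int] = None          # "Activity Count is greater than or equal to"
    device_type: Optional[str] = None        # "Managed" or "Unmanaged"
    severity: str = "Warning"

    def is_complete(self) -> bool:
        # Activity Type or Category and Activity Count are the mandatory clauses.
        return self.activity_category is not None and self.min_count is not None

def evaluate_daily(rule, events):
    """Return (user, service, day, count, severity) for each bucket that meets the rule."""
    if not rule.is_complete():
        raise ValueError("Incomplete Rule")
    counts = Counter()
    for e in events:
        if e["category"] != rule.activity_category:
            continue
        if rule.device_type is not None and e["device"] != rule.device_type:
            continue
        # Assumption: "Daily" means calendar-day buckets on the event timestamp.
        day = datetime.fromisoformat(e["time"]).date().isoformat()
        counts[(e["user"], e["service"], day)] += 1
    return [key + (n, rule.severity)
            for key, n in sorted(counts.items()) if n >= rule.min_count]

# Constructed sample activity events (not real product logs).
EVENTS = [
    {"user": "alice", "service": "Salesforce", "category": "Administration", "device": "Unmanaged", "time": "2024-05-01T09:10:00"},
    {"user": "alice", "service": "Salesforce", "category": "Administration", "device": "Unmanaged", "time": "2024-05-01T17:45:00"},
    {"user": "alice", "service": "Salesforce", "category": "Administration", "device": "Managed", "time": "2024-05-01T18:00:00"},
    {"user": "bob", "service": "Salesforce", "category": "Administration", "device": "Unmanaged", "time": "2024-05-01T11:00:00"},
    {"user": "bob", "service": "Salesforce", "category": "Administration", "device": "Unmanaged", "time": "2024-05-02T11:00:00"},
    {"user": "carol", "service": "Salesforce", "category": "Download", "device": "Unmanaged", "time": "2024-05-01T12:00:00"},
]

if __name__ == "__main__":
    rule = DeviceRule("Administration", 2, "Unmanaged")
    for hit in evaluate_daily(rule, EVENTS):
        print(hit)
```

Because the count clause is "greater than or equal to", a value of 1 matches on a user's first qualifying action of the day, while a value of 2 matches only from the second action onward.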