Abnormal Behavior Threat Details
The Threat Details page for abnormal behavior has a different layout and provides different information than the Threat Details page for other threat types. It displays information about user behaviors that deviate from the user's normal behavioral profile. Abnormal behavior detection begins when a user has been active for a minimum of 30 days, with up to 120 days of activity used to establish the baseline behavior for a user.
The top of the page shows the number of each of the following:
- Hosts
- Event Types
- Successful Events
- Failed Events
- Abnormalities
- Tagged Resources
The Abnormality Summary box gives a general description of the abnormal behavior and when it was detected. The Activity Timeline table displays the activity relating to the abnormality, as well as activity detected for the user before and after the abnormality occurred.
The page also displays the following:
- Top 5 Hosts By Activity – Displays the top 5 hosts by activity
- Top 5 Clients By Activity – Displays the top 5 clients by activity
- Event Types – Displays the event types detected for the abnormal behavior