Evidence: Anomaly sidebar
The Evidence sidebar is expanded by clicking an evidence link in the Evidence column of the Threats tab. Click the close icon to close the sidebar.
The evidence type of Anomaly is displayed at the top of the sidebar.
Click the link to access the Network event details page and the full details of the associated event.
A brief description of the evidence is provided.
Threat details
- Threat
-
Name of the detected security risk.
- Threat class
-
Name of the detected security risk class.
- First seen / Last seen
-
A graph marking the timestamps when the evidence was first and last seen.
The Duration is displayed below the graph.
Detector summary
A summary of the detector is displayed. For more details, click the link to view the Detector pop-up.
- Detector name
-
The name of the detector.
- Goal
-
Short description of the goal of the detector.
- ATT&CK categorization
-
If applicable, a link to the MITRE ATT&CK technique is provided. Otherwise, N/A is displayed.
Anomaly details
Details about the anomaly are provided:
- Description
-
A brief description of the anomaly detailing how it deviates from baseline behavior or why it should be considered suspicious.
- State type
-
The type of anomaly. For example, Outlier.
- Anomaly
-
The anomalous item seen on the host. For example, access to an unusual port.
- Baseline items
-
The items that are typically seen on this host.
- Profile created at
-
Timestamp for the creation of the baseline.
- Profile updated at
-
Timestamp for when the anomaly was detected.
- Outlier diagram
-
The diagram illustrates the normal data upload/download for the host for comparison with the data transfer that was flagged as anomalous. The following data are displayed:
- The upload/download size that caused the anomaly alert to be triggered.
- The maximum upload/download size before the anomaly alert was triggered.
- The average upload/download size for the host.
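To make the Anomaly details fields concrete, the following Python is an added illustration, not the product's code or its detection algorithm. It builds a per-host baseline profile (created/updated timestamps, baseline items, maximum and average transfer size) from constructed sample events, then evaluates later events for an item not in the baseline (access to an unusual port) and for an upload that outlies the baseline maximum and average, which are the three values the outlier diagram plots. The sample events, the threshold factor, the "New item" state type name and the field names are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample connection events for one host (illustrative, not real telemetry).
# Each tuple is (UTC timestamp, destination port, bytes uploaded).
EVENTS = [
    ("2024-03-01T09:00:00Z", 443, 120_000),
    ("2024-03-01T09:05:00Z", 443, 95_000),
    ("2024-03-01T10:00:00Z", 53, 2_000),
    ("2024-03-01T11:30:00Z", 443, 150_000),
    ("2024-03-02T09:10:00Z", 22, 40_000),
    ("2024-03-02T14:00:00Z", 443, 110_000),
    ("2024-03-03T09:00:00Z", 53, 1_500),
    ("2024-03-03T16:45:00Z", 443, 130_000),
    # Events after the profile cutoff: these are the ones to be evaluated.
    ("2024-03-04T02:13:00Z", 4444, 1_400_000),
    ("2024-03-04T09:00:00Z", 443, 125_000),
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Profile:
    """Per-host baseline, mirroring the sidebar's profile fields (field names are assumed)."""
    created_at: datetime        # Profile created at: first event in the baseline window
    updated_at: datetime        # Profile updated at: when the baseline was last (re)built
    baseline_ports: frozenset   # Baseline items: ports normally seen on this host
    baseline_max: int           # Maximum upload size in the baseline window
    baseline_avg: float         # Average upload size in the baseline window


def build_profile(events, cutoff: str) -> Profile:
    """Learn the baseline from every event strictly before `cutoff`."""
    cutoff_ts = parse_ts(cutoff)
    history = [(parse_ts(ts), port, size) for ts, port, size in events
               if parse_ts(ts) < cutoff_ts]
    if not history:
        raise ValueError("no events before cutoff; cannot build a baseline")
    sizes = [size for _, _, size in history]
    return Profile(
        created_at=min(ts for ts, _, _ in history),
        updated_at=cutoff_ts,
        baseline_ports=frozenset(port for _, port, _ in history),
        baseline_max=max(sizes),
        baseline_avg=sum(sizes) / len(sizes),
    )


def detect(profile: Profile, event, factor: float = 2.0) -> list:
    """Evaluate one event against the profile.

    Returns one dict per finding, keyed like the Anomaly details fields.
    `factor` (an assumed threshold) says how far above the baseline maximum
    an upload must be before it is treated as an outlier.
    """
    ts, port, size = event
    findings = []
    if port not in profile.baseline_ports:
        findings.append({
            "state_type": "New item",  # hypothetical state type name
            "anomaly": f"access to unusual port {port}",
            "baseline_items": sorted(profile.baseline_ports),
            "detected_at": parse_ts(ts),
        })
    if size > profile.baseline_max * factor:
        findings.append({
            "state_type": "Outlier",
            "anomaly": f"upload of {size} bytes",
            # The three values the outlier diagram plots:
            "anomaly_size": size,
            "baseline_max": profile.baseline_max,
            "baseline_avg": profile.baseline_avg,
            "detected_at": parse_ts(ts),
        })
    return findings


def run_demo(cutoff: str = "2024-03-04T00:00:00Z") -> list:
    """Build the profile and evaluate every post-cutoff event; returns all findings."""
    profile = build_profile(EVENTS, cutoff)
    results = []
    for event in EVENTS:
        if parse_ts(event[0]) >= profile.updated_at:
            results.extend(detect(profile, event))
    return results


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Running the block reports two findings for the 02:13 event (the never-before-seen port 4444, and a 1.4 MB upload against a baseline maximum of 150 kB and average of about 81 kB) and none for the routine 443 transfer. A real detector would keep separate baselines per direction and per peer, and would refresh "Profile updated at" on a schedule rather than at a fixed cutoff, but the fields the sidebar surfaces map onto exactly these quantities.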