Working with critical activity
The Critical Activity page displays a full list of security-related activity, including anomalies detected as unusual spikes in activity, that may indicate a threat to your organization.
By default, the activity is sorted by priority from high to low. You can sort and filter the list by priority, critical activity, and event count, and you can choose to hide or remove specific events from the display.
From this page, you can see tailored visualizations and metrics that provide more context about the activity and its related search, together with a high-level overview of the item.
This information helps you determine whether the activity is expected behavior or an actual issue. Anomaly detection gives you further insight into configuration issues that could affect user experience and service availability, and helps identify compromised devices or malicious activity.
- Detected anomalies are marked with an exclamation point in their icon.
As events are analyzed and the baselines are updated, the data in the charts updates accordingly. Because of this, some items may disappear from the critical activity pane if they are no longer part of an activity spike.
Anomaly detection depends on the user's time zone. As a result, users within the same organization may see a different set of anomalies.
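To see why the time zone matters, the following Python script is an added illustration, not On Demand Audit's own detection model: it assumes that events are counted per local calendar day and that a day is flagged when its count exceeds three times the median daily count. The sample events are constructed inline: a steady ten events per day for a week, plus two bursts that straddle UTC midnight on 2024-02-09/10. The same events produce a different set of flagged days for a user in UTC, Tokyo, and New York, because the bursts fall on different local days.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median
from zoneinfo import ZoneInfo


def build_sample_events():
    """Constructed sample data (not real audit events): ten events per day at
    12:00 UTC for a week, plus two bursts of 25 events just before and just
    after the 2024-02-09/10 UTC midnight. February avoids any DST transitions."""
    events = []
    for offset in range(7):  # 2024-02-05 .. 2024-02-11
        day = datetime(2024, 2, 5, 12, 0, tzinfo=timezone.utc) + timedelta(days=offset)
        events.extend(day + timedelta(minutes=i) for i in range(10))
    burst_a = datetime(2024, 2, 9, 23, 30, tzinfo=timezone.utc)
    burst_b = datetime(2024, 2, 10, 0, 30, tzinfo=timezone.utc)
    events.extend(burst_a + timedelta(seconds=i) for i in range(25))
    events.extend(burst_b + timedelta(seconds=i) for i in range(25))
    return events


SAMPLE_EVENTS = build_sample_events()


def bucket_by_local_day(events_utc, tz_name):
    """Count events per calendar day as seen in tz_name.
    Days with no events inside the observed range are filled with 0 so the
    baseline is not biased by missing days."""
    tz = ZoneInfo(tz_name)
    local_days = [ts.astimezone(tz).date() for ts in events_utc]
    counts = Counter(local_days)
    day, last = min(local_days), max(local_days)
    daily = {}
    while day <= last:
        daily[day] = counts.get(day, 0)
        day += timedelta(days=1)
    return daily


def detect_spikes(daily_counts, factor=3.0):
    """Assumed stand-in rule: baseline is the median daily count (robust to the
    spike itself); a day is anomalous when it exceeds factor * baseline."""
    baseline = median(daily_counts.values())
    return {day: n for day, n in daily_counts.items() if n > baseline * factor}


def flagged_days(tz_name, events=SAMPLE_EVENTS):
    """ISO dates that a user viewing the same events in tz_name would see flagged."""
    spikes = detect_spikes(bucket_by_local_day(events, tz_name))
    return sorted(day.isoformat() for day in spikes)


if __name__ == "__main__":
    for tz_name in ("UTC", "Asia/Tokyo", "America/New_York"):
        print(f"{tz_name:17} {flagged_days(tz_name)}")
```

Run stand-alone, the script shows two flagged days for a UTC viewer (the bursts split across 2024-02-09 and 2024-02-10, 35 events each), one flagged day of 60 events on 2024-02-10 for a viewer in Asia/Tokyo, and one flagged day of 60 events on 2024-02-09 for a viewer in America/New_York. When two analysts compare notes on an anomaly, confirm they are looking at the same local day boundaries before concluding that one of them is missing data.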
To view critical activity and configure the display:
- Select Critical Activity, and click the activity of interest. When you select an activity, a chart displays information by percentage of users, targets, or activities. For unusual spikes in activity, the resulting chart displays the baseline (predicted value), anomalies (unusual increases), and total amounts of activity.
- Click any section of the chart for specific search details, or select View All Events to see all related searches.
- If required, select Dismiss Activity to remove the reported results until the activity is next detected, or select the option to hide future occurrences of this event.
- If you have hidden events and want them added back to the display, select Edit Hidden Items, click the events that you want added back to the view, click Remove Selected Items, and then click Save.
- To filter the list of critical events, select Filter and choose whether to filter by priority (High, Medium, Low), by specific critical activity, or by number of events.
Working with searches
Working with private and shared searches
When you create a search, you have the option of selecting whether it will be private or shared.
- Private searches are only visible to the individual who created them.
- Shared searches are visible to all On Demand Audit users and allow for collaboration with multiple users from the same organization.
See Creating a custom search, Creating a search from an existing search, and Modifying a search.
Running a search
Once On Demand Audit captures an event, you can view all available event data through searches. You can use custom searches based on your own criteria or built-in searches that are configured to meet the most common requests. See Creating a custom search and Using built-in searches.
NOTE: Custom user-built searches are identified by a custom-search icon to the left of the search name.
To run a previously saved or built-in search
- Select the Searches tab.
- Locate the required search in the list of categories.
- To run the search, click it, or highlight it and click the run (arrow) icon.
From here you can: