Definition of DIM Normality


Article ID: 171219


Products

Information Centric Analytics Data Loss Prevention Core Package

Issue/Introduction

What is DIM Normality, and how does ICA determine Normality?

Resolution

Normality scoring is a two-phase approach. The first phase uses the available data to build a model of what normal behavior looks like for a user and their peers. Once that normality model has been constructed, each DIM event is analyzed to determine how close it is to the normality model for that user and their peers. Parameters of a DIM event such as when during the week it occurred, the domain, protocol, policy, channel and match count are compared with the historical parameters, and a normality score is then assigned to the DIM event based on that comparison. The comparison time frame can be configured from the Settings section of the platform and is typically configured to be 90 days from the current date.

How do we influence Normality (what is considered normal)?

There are three ways to influence the Normality scoring process.

  1. Classifying Events as Acceptable is the only classification that will have a direct impact on Normality scoring. This will “teach” ICA that any future incidents or events that are similar (i.e. User, Policy, Machine, behavior, etc.) should be considered Normal behavior.
     a. For a DIM incident:
        i) Associate a Classification with a Status
        ii) Associate a Classification with a Status Rule
        iii) Use the Classify button when reviewing and actioning incidents
     b. For all other Event Types (Endpoint, Authentication, Web Activity), use the Classify button when reviewing
  2. Adjust how far back incidents and events are evaluated when calculating Normality
     a. Change the Threshold in Days for Normality setting in the Normality Scoring section under General Settings. This setting specifies how far back ICA looks at events and incidents when going through the Normality Scoring process.
  3. (DIM Incidents Only) Change the Use In Normality option assigned to Policies
     a. Under Settings, go to the “More” settings option button and select Policy Settings
     b. Change the Use In Normality setting for the Policies that should and should not be used when reviewing DIM Incidents for Normality.
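As an added illustration of the two-phase approach and of the three levers listed above (this is not ICA's own code or scoring algorithm; the field names, the scoring rule and the sample events are assumptions constructed for this example):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed, simplified model of the two-phase approach; NOT ICA's algorithm.
# Field names and the scoring rule (share of parameters inside the profile) are assumptions.
FEATURES = ("domain", "protocol", "policy", "channel")  # compared by exact value

@dataclass
class DimEvent:
    user: str
    when: datetime
    domain: str
    protocol: str
    policy: str
    channel: str
    match_count: int

def add_to_profile(model, ev):
    """Fold one event into its user's profile (phase 1, and what classifying as 'Acceptable' does)."""
    p = model.setdefault(ev.user, {"weekday": set(), "max_matches": 0, **{f: set() for f in FEATURES}})
    p["weekday"].add(ev.when.weekday())
    for f in FEATURES:
        p[f].add(getattr(ev, f))
    p["max_matches"] = max(p["max_matches"], ev.match_count)

def build_model(history, now, threshold_days=90, use_in_normality=None):
    """Phase 1: profile each user from events inside the 'Threshold in Days' window,
    skipping policies whose 'Use In Normality' flag is off (default: on)."""
    flags = use_in_normality or {}
    cutoff = now - timedelta(days=threshold_days)
    model = {}
    for ev in history:
        if ev.when >= cutoff and flags.get(ev.policy, True):
            add_to_profile(model, ev)
    return model

def normality_score(model, ev):
    """Phase 2: share of the event's parameters that fall inside the user's profile (0.0 to 1.0)."""
    p = model.get(ev.user)
    if p is None:
        return 0.0  # no history for this user: nothing is known to be normal yet
    hits = [ev.when.weekday() in p["weekday"], ev.match_count <= p["max_matches"]]
    hits += [getattr(ev, f) in p[f] for f in FEATURES]
    return sum(hits) / len(hits)

# Constructed sample history: weekly HTTPS web uploads plus one old SMTP incident.
NOW = datetime(2024, 6, 3)  # a Monday
HISTORY = [DimEvent("alice", NOW - timedelta(days=d), "corp.example", "HTTPS", "PCI", "Web", 3)
           for d in (7, 14, 21)]
HISTORY.append(DimEvent("alice", NOW - timedelta(days=120), "mail.example", "SMTP", "PII", "Email", 50))
NEW_EVENT = DimEvent("alice", NOW, "mail.example", "SMTP", "PII", "Email", 50)
```

With a 90-day threshold the old SMTP incident falls outside the window and the new event scores low; widening the threshold, or classifying the new event as Acceptable, raises it, while turning Use In Normality off for the PII policy lowers it again.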

        
