What is DIM Normality and how does ICA determine Normality?
Normality scoring is a two-phase approach. In the first phase, the available historical data is used to build a model of what normal behavior looks like for a user and their peers. In the second phase, once that normality model has been constructed, each DIM event is analyzed to determine how close it is to the normality model for that user and their peers. Parameters of the DIM event such as the time of the week, the domain, protocol, policy, channel and match count are compared against the historical values, and a normality score is assigned to the DIM event based on that comparison. The comparison time frame can be configured in the Settings section of the platform and is typically set to 90 days before the current date.
How do we influence Normality (what is considered normal)?
There are three ways to influence the Normality scoring process.
    i) Associate a Classification with a Status
    ii) Associate a Classification with a Status Rule
    iii) Use the Classify button when reviewing and actioning incidents
  b. For all other Event Types (Endpoint, Authentication, Web Activity), use the Classify button when reviewing
2. Adjust how far back incidents and events are evaluated when calculating Normality
3. (DIM Incidents Only) Change the Use In Normality option assigned to Policies
  b. Change the Use In Normality setting for the Policies that should and should not be used when reviewing DIM Incidents for Normality.
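Added illustrative example, not ICA's own scoring algorithm: a minimal two-phase normality scorer that builds a 90-day baseline from a constructed DIM event history, honours a hypothetical per-policy Use In Normality flag, and scores new events on the parameters named above (time of week, domain, protocol, policy, channel, match count). The bucketing rules, the equal weighting of parameters and the USE_IN_NORMALITY dictionary are assumptions made for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical per-policy "Use In Normality" flag; False means the policy's
# events are left out of the baseline (they can still be scored).
USE_IN_NORMALITY = {"Source-Code": True, "PII": True, "Test-Policy": False}

def ev(ts, domain, protocol, policy, channel, match_count):
    return dict(ts=ts, domain=domain, protocol=protocol, policy=policy,
                channel=channel, match_count=match_count)

# Constructed DIM event history for one user (sample data, not product output).
HISTORY = [
    ev("2024-05-06T10:00", "corp.example", "HTTPS", "Source-Code", "Web", 2),
    ev("2024-05-07T11:30", "corp.example", "HTTPS", "Source-Code", "Web", 3),
    ev("2024-05-08T09:15", "mail.example", "SMTP", "PII", "Email", 1),
    ev("2024-05-09T23:00", "corp.example", "HTTPS", "Test-Policy", "Web", 50),
    ev("2024-01-10T10:00", "corp.example", "HTTPS", "Source-Code", "Web", 2),
]

def features(event):
    """Bucket the raw DIM parameters into the values the baseline compares."""
    ts = datetime.fromisoformat(event["ts"])
    when = ("weekend" if ts.weekday() >= 5 else "weekday") + (
        "/business" if 8 <= ts.hour < 18 else "/offhours")
    return {"when": when, "domain": event["domain"], "protocol": event["protocol"],
            "policy": event["policy"], "channel": event["channel"],
            "matches": "low" if event["match_count"] < 10 else "high"}

def build_model(history, now, window_days=90):
    """Phase 1: count each feature value seen inside the comparison window."""
    cutoff = datetime.fromisoformat(now) - timedelta(days=window_days)
    model = {"total": 0, "counts": defaultdict(Counter)}
    for e in history:
        if datetime.fromisoformat(e["ts"]) < cutoff:
            continue                       # outside the configured time frame
        if not USE_IN_NORMALITY.get(e["policy"], True):
            continue                       # policy's Use In Normality is off
        model["total"] += 1
        for name, value in features(e).items():
            model["counts"][name][value] += 1
    return model

def normality_score(model, event):
    """Phase 2: mean share of the baseline that matches each feature (0..1)."""
    if model["total"] == 0:
        return 0.0                         # no baseline yet: treat as unknown
    shares = [model["counts"][n][v] / model["total"]
              for n, v in features(event).items()]
    return round(sum(shares) / len(shares), 3)
```

A low score means the event shares little with the user's 90-day baseline; the Test-Policy event and the event older than the window never enter the baseline, which is the effect the Use In Normality setting and the look-back setting have on the model.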