The number of logs directly associated with an anomalous activity incident may not accurately reflect the amount of activity to the IP address, because logs may have been filtered.
To see the comprehensive logging levels associated with an IP address and the related anomalous incident, use the graphical representation. It is available either by opening the hyperlinked IP address in the incident or by going to the Reports tab and then to IP Addresses.
On the graph, the red line gives the average number of logs over the last 30 days.
An anomalous incident triggers when the number of logs to or from an IP address in the last 24 hours is greater than that IP address's 30-day average plus 4 standard deviations.
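The trigger rule above, worked through as an added example (this is not the product's own code). It assumes the 30-day baseline is held as 30 daily log counts per IP address, that the population standard deviation is used, and that an address with no baseline is not scored; the function names and sample counts are constructed for illustration.

```python
from statistics import mean, pstdev

SIGMA = 4            # multiplier stated on the page
BASELINE_DAYS = 30   # baseline window stated on the page

def threshold(daily_counts):
    """Per-IP trigger level: 30-day average + 4 standard deviations.
    Assumption: daily buckets and population standard deviation."""
    if len(daily_counts) != BASELINE_DAYS:
        raise ValueError("baseline needs exactly 30 daily counts")
    return mean(daily_counts) + SIGMA * pstdev(daily_counts)

def evaluate(baselines, last_24h):
    """Map each IP to (count, threshold, anomalous) using its own baseline."""
    results = {}
    for ip, count in last_24h.items():
        history = baselines.get(ip)
        if history is None:
            results[ip] = (count, None, False)   # assumption: no baseline, not scored
            continue
        limit = threshold(history)
        results[ip] = (count, limit, count > limit)  # strictly greater than
    return results

# Constructed sample data (documentation IP ranges), not real logs.
BASELINES = {
    "192.0.2.10":   [90] * 15 + [110] * 15,  # busy host: mean 100, sd 10
    "198.51.100.7": [0] * 29 + [30],         # mostly silent host
    "203.0.113.5":  [50] * 30,               # perfectly flat: sd 0
}
LAST_24H = {"192.0.2.10": 140, "198.51.100.7": 25, "203.0.113.5": 51, "192.0.2.99": 500}

if __name__ == "__main__":
    for ip, (count, limit, hit) in evaluate(BASELINES, LAST_24H).items():
        shown = "n/a" if limit is None else f"{limit:.1f}"
        print(f"{ip:14} last24h={count:4} threshold={shown:>6} anomalous={hit}")
```

Because each address is scored against its own history, 25 logs trigger for the mostly silent host while 140 do not for the busy one, and a perfectly flat baseline triggers on any increase at all.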