Merge pull request #189427 from Yvonne-deQ/patch-5

Update cloudknox-product-statistical-anomalies.md

Author: PMEds28

articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-statistical-anomalies.md

@@ -30,22 +30,18 @@ Statistical anomalies can detect outliers in an identity's behavior if recent ac
       - **Alert Name**: Lists the name of the alert.
       - **Anomaly Alert Rule**: Displays the name of the rule select when creating the alert. 
       - **# of Occurrences**: Displays how many times the alert trigger has occurred.
-      - **Task**: Displays how many tasks are affected by the alert.
-      - **Resources**: Displays how many resources are affected by the alert.
-      - **Identity**: Displays how many identities are affected by the alert.
       - **Authorization System**: Displays which authorization systems the alert applies to.
-      - **Date/Time**: Lists the date and time of the alert.
-      - **Date/Time (UTC)**: Lists the date and time of the alert in Coordinated Universal Time (UTC).
-      -  **Activity** section displays details about the **Identity Name**, **Resource Name**, **Task Name**, **Date**, and **IP Address**.
-      - **View Trigger**: Displays the current trigger settings and applicable authorization system details.
-
-1. To filter the alerts, select the appropriate alert name or choose **All** from the **Alert Name** dropdown menu. 
-1. From the **Date** dropdown menu, select **Last 24 Hours**, **Last 2 Days**, **Last Week**, or **Custom Range**, and select **Apply**.
-
-    - If you select **Custom Range**, also enter **From** and **To** duration settings.
-1. To view details that match the alert criteria, select the ellipses (...).
-
-    For example, **Authorization System Type**, **Authorization Systems**, **Resources**, **Tasks**, and **Identities**.
+      - **Date/Time**: Lists the day of the outlier occurring.
+      - **Date/Time (UTC)**: Lists the day of the outlier occurring in Coordinated Universal Time (UTC).
+      
+
+1. To filter the alerts based on name, select the appropriate alert name or choose **All** from the **Alert Name** dropdown menu, and select **Apply**.
+1. To filter the alerts based on alert time, select **Last 24 Hours**, **Last 2 Days**, **Last Week**, or **Custom Range** from the **Date** dropdown menu, and select **Apply**.
+1.  If you select the ellipses (**...**) and select:
+      - **Details**, this brings you to an Alert Summary view with **Authorization System**, **Statistical Model** and **Observance Period** displayed along with a table with a row per identity triggering this alert. From here you can click:
+       - **Details**: Displays graph(s) highlighting the anomaly with context, and up to the top 3 actions performed on the day of the anomaly
+       - **View Trigger**: Displays the current trigger settings and applicable authorization system details
+      - **View Trigger**: Displays the current trigger settings and applicable authorization system details 
 
 ## Create a statistical anomaly trigger
 
@@ -55,18 +51,18 @@ Statistical anomalies can detect outliers in an identity's behavior if recent ac
 1. Select the **Authorization system**, Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**).
 1. Select one of the following conditions:
 
-      - **Identity Performed High Number of Tasks**: The identity performs at a higher volume than usual. The typical performance is 25 tasks per day and they're now performing 100 tasks per day.
-      - **Identity Performed Low Number of Tasks**: The identity performs lower than their daily average. The typical performance is 100 tasks per day and they're now performing 25 tasks per day.
-      - **Identity Performed Tasks with Multiple Unusual Patterns**: The identity does many unusual tasks and at different times. This means that identities can execute actions outside their normally logged hours or performance hours, and at a higher than usual volume of tasks than normal.
+      - **Identity Performed High Number of Tasks**: The identity performs higher than their usual volume of tasks. For example, an identity typically performs 25 tasks per day, and now it is performing 100 tasks per day.
+      - **Identity Performed Low Number of Tasks**: The identity performs lower than their usual volume of tasks. For example, an identity typically performs 100 tasks per day, and now it is performing 25 tasks per day.
       - **Identity Performed Tasks with Unusual Results**: The identity performing an action gets a different result than usual, such as most tasks end in a successful result and are now ending in a failed result or vice versa.
-      - **Identity Performed Tasks with Unusual Timing**: The identity does tasks outside of their normal logged in time or performance hours determined by the UTC actions hours grouped as follows:
+      - **Identity Performed Tasks with Unusual Timing**: The identity does tasks at unusual times as established by their baseline in the observance period. Times are grouped by the following UTC 4 hour windows.
            - 12AM-4AM UTC
            - 4AM-8AM UTC
            - 8AM-12PM UTC
            - 12PM-4PM UTC
            - 4PM-8PM UTC
            - 8PM-12AM UTC
-      - **Identity Performed Tasks with Unusual Types**: The identity does unusual types of tasks from their normal tasking, for example, read, write, or delete tasks they wouldn't ordinarily perform.
+      - **Identity Performed Tasks with Unusual Types**: The identity performs unusual types of tasks as established by their baseline in the observance period. For example, an identity performs read, write, or delete tasks they wouldn't ordinarily perform.
+      - **Identity Performed Tasks with Multiple Unusual Patterns**: The identity has several unusual patterns in the tasks performed by the identity as established by their baseline in the observance period.
 1. Select **Next**.
 
 1. On the **Authorization systems** tab, select the appropriate systems, or, to select all systems, select **All**. 
@@ -93,16 +89,29 @@ Statistical anomalies can detect outliers in an identity's behavior if recent ac
       - **Created by**: Displays the email address of the user who created the alert.
       - **Last modified by**: Displays the email address of the user who last modified the alert.
       - **Last modified on**: Displays the date and time the trigger was last modified.
-      - **Subscription**: Toggle the button to **On** or **Off**.
+      - **Subscription**: Subscribes you to receive alert emails. Toggle the button to **On** or **Off**.
 
 1. To filter by **Activated** or **Deactivated**, in the **Status** section, select **All**, **Activated**, or **Deactivated**, and then select **Apply**.
 
-1. To view other options available to you, select the ellipses (**...**), and then make a selection from the available options:
-
-      - **Details**: Displays **Authorization System Type**, **Authorization Systems**, **Resources**, **Tasks**, and **Identities** that matched the alert criteria.
-      - To view the specific matches, select **Resources**, **Tasks**, or **Identities**.
-      - The **Activity** section displays details about the **Identity Name**, **Resource Name**, **Task Name**, **Date**, and **IP Address**.
-      - **View Trigger**: Displays the current trigger settings and applicable authorization system details.
+1. To view other options available to you, select the ellipses (**...**), and then select from the available options:
+
+     If the **Subscription** is **On**, the following options are available:
+     - **Edit**: Enables you to modify alert parameters 
+
+        > [!NOTE]
+          > Only the user who created the alert can perform the following actions: edit the trigger screen, rename an alert, deactivate an alert, and delete an alert. Changes made by other users aren't saved.
+     - **Duplicate**: Create a duplicate copy of the selected alert trigger.
+     - **Rename**: Enter the new name of the query, and then select **Save.**
+     - **Deactivate**: The alert will still be listed, but will no longer send emails to subscribed users.
+     - **Activate**: Activate the alert trigger and start sending emails to subscribed users.
+     - **Notification settings**: View the **Email** of users who are subscribed to the alert trigger.
+     - **Delete**: Delete the alert.
+     
+     If the **Subscription** is **Off**, the following options are available:
+     - **View**: View  details of the alert trigger.
+     - **Notification settings**: View the **Email** of users who are subscribed to the alert trigger.
+     - **Duplicate**: Create a duplicate copy of the selected alert trigger.
+     
 
 1. Select **Apply**.
 
@@ -113,4 +122,4 @@ Statistical anomalies can detect outliers in an identity's behavior if recent ac
 - For an overview on activity triggers, see [View information about activity triggers](cloudknox-ui-triggers.md).
 - For information on activity alerts and alert triggers, see [Create and view activity alerts and alert triggers](cloudknox-howto-create-alert-trigger.md). 
 - For information on rule-based anomalies and anomaly triggers, see [Create and view rule-based anomalies and anomaly triggers](cloudknox-product-rule-based-anomalies.md).
-- For information on permission analytics triggers, see [Create and view permission analytics triggers](cloudknox-product-permission-analytics.md).
+- For information on permission analytics triggers, see [Create and view permission analytics triggers](cloudknox-product-permission-analytics.md).