Indicators of behavior

Indicators of behavior (IoBs) are composed of one or more of the events detected by Neo that compromise business operations and that either indicate an anomaly or breach existing policy.

While an individual IoB does not necessarily indicate malicious intent, a combination of IoBs, or IoBs that fall outside normal behavior, indicates high-risk behavior.

The following engines are used to detect IoBs:
  • Policy engine
    • Based on the supported channels, Dynamic User Protection analyzes user activities against the policy engine, which detects indicators of behavior and triggers alerts.
  • Extensibility engine
    • The extensibility engine looks for correlations between multiple users' activities. This engine runs every 60 minutes and updates IoBs accordingly.
  • Anomaly detection engine
    • Counters are sets of event data that establish an individual’s baseline activities. The events are analyzed with the anomaly detection engine to identify outlier behaviors.
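
The counter-and-baseline idea behind the anomaly detection engine can be illustrated with the added example below. It is not Forcepoint code and does not reproduce the product's algorithm: the median/MAD scoring, the threshold, the minimum history length and the counter name `files_copied_to_usb` are all assumptions, and the events are constructed sample data.

```python
from collections import defaultdict
from statistics import median

MIN_HISTORY = 5      # assumed: days of history needed before scoring
THRESHOLD = 3.5      # assumed: robust z-score cut-off

def build_counters(events):
    """Aggregate (user, day, counter, amount) events into per-day totals."""
    counters = defaultdict(lambda: defaultdict(int))
    for user, day, name, amount in events:
        counters[(user, name)][day] += amount
    return counters

def robust_score(history, value):
    """Modified z-score of value against the user's own history (median/MAD)."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        # Flat baseline: any deviation is unusual, no deviation is not.
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad

def find_outliers(events, today):
    """Return (user, counter, value, score) where today's count exceeds baseline."""
    outliers = []
    for (user, name), per_day in build_counters(events).items():
        history = [v for d, v in per_day.items() if d < today]
        if today not in per_day or len(history) < MIN_HISTORY:
            continue  # no activity today, or baseline not yet established
        score = robust_score(history, per_day[today])
        if score > THRESHOLD:
            outliers.append((user, name, per_day[today], score))
    return outliers

# Constructed sample data: days 1-6 are history, day 7 is scored.
EVENTS = []
for day, n in enumerate([10, 12, 9, 11, 10, 13], start=1):
    EVENTS.append(("alice", day, "files_copied_to_usb", n))
for day, n in enumerate([200, 180, 220, 210, 190, 205], start=1):
    EVENTS.append(("bob", day, "files_copied_to_usb", n))
EVENTS += [("alice", 7, "files_copied_to_usb", 180),   # far above alice's baseline
           ("bob", 7, "files_copied_to_usb", 215),     # normal for bob
           ("carol", 7, "files_copied_to_usb", 500)]   # no baseline yet

if __name__ == "__main__":
    for user, name, value, score in find_outliers(EVENTS, today=7):
        print(f"{user}: {name}={value} robust z={score:.1f}")
```

Because each user is scored against their own history, a count of 180 is an outlier for alice while 215 is unremarkable for bob, and carol is skipped until enough history exists.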

A detailed list of supported IoBs can be found in the knowledge base article "Forcepoint Neo Indicators of behavior". A login to the Forcepoint support portal is required.