We want to inform you of an issue that occurred in Skyhigh Security CASB and affected some customer accounts. The details of the issue and its resolution are provided below; no action is required from you at this time.
We continually enrich our UEBA data store to ensure we have the most comprehensive set of parameters to detect anomalous usage. During this process, due to a cache configuration issue, certain trust parameters were temporarily not considered, causing the UEBA engine to generate false-positive superhuman anomalies for certain accounts. These anomalies were generated on February 22, between 7:00 PM and 11:00 PM EST.
We have identified and addressed the incorrectly generated anomalies. Impacted customer tenants may see discrepancies in anomaly counts, where some anomalies in the affected time period display the status “False Positive”. If you export these events into a SIEM or other third-party devices via APIs, the status of these anomalies should be correctly updated to “False Positive” on the latest sync.
We have already implemented multiple guardrails, including modifying cache configurations and setting additional anomaly count thresholds within the UEBA engine. We are working on updating our alert system to identify this kind of spike in anomalies so we can take corrective action more quickly in the future.