Anomaly Policies

An anomaly policy is a policy that triggers an alert when it detects anomalous behavior in the environment. Unlike, say, a compliance or vulnerability policy, which triggers when a new CVE or a new misconfiguration is found, an anomaly policy triggers when it discovers behavior that matches known bad data or that is unusual for the environment.

Cloning an anomaly policy works differently from cloning other types of policies. For an anomaly policy, a clone is effectively an extension of the original policy; a clone does not generate its own alerts. You use clones to define exceptions, or suppressions, to the original policy. Therefore, when you create a clone of an anomaly policy, you must leave the original policy enabled for alerts to be generated for that policy. Disabling the original policy disables all alerts for that policy and its clones.