What Changed

Simplified anomaly detection logic in two Network Session Essentials analytic rules by unifying EPS (events per second) thresholds and removing redundant code blocks.

Detection Logic

Primary data source: _Im_NetworkSession (ASIM Network Session schema)
Core logic: Changed from dual EPS thresholds (>1000 and 501-1000) to single unified threshold >500, maintaining anomaly detection while reducing complexity
Entity types: Network protocols, destination ports, applications, and device actions

Security Impact

Lowers the threshold for network anomaly detection from the 501-1000 EPS range to a single >500 EPS condition, potentially increasing detection sensitivity for moderate-volume network anomalies while simplifying rule maintenance.

Affected Files

Solutions/Network Session Essentials/Analytic Rules/AnomalyFoundInNetworkSessionTraffic.yaml
Solutions/Network Session Essentials/Analytic Rules/DetectPortMisuseByAnomalyBasedDetection.yaml
(packaging artefacts: mainTemplate.json, ReleaseNotes.md, solution package)