Configuring adaptive response settings
Adaptive response uses an identity risk engine to continuously monitor a user's network activity and build a usage model for the user. The model is used to detect unusual network events and block connections.
You can set the operating mode that adaptive response runs in to control whether the risk response action is applied.
Adaptive response has two operating modes:
- Passive: A training mode in which the identity risk engine monitors data and builds a risk model for each user. In passive mode, alerts are generated for anomalous events, but the actions that are configured in adaptive response policies are not executed.
- Active: The identity risk engine monitors data and builds a risk model for each user. When an unusual network event is detected, the actions that are configured in adaptive response policies are applied.
By default, when adaptive response is running in active mode and an anomalous network event is detected, the adaptive response policy that is assigned to a user or group overrides the network access control policy and connections are blocked. For example, if a user tries to connect to an Internet destination that is not typical for them in their day-to-day behavior, or if they try to connect to resources at a time that is not typical for them, the adaptive response policy overrides the user’s network access control policy and assigns one that blocks connections to your private network or SaaS services. When the user browses to safe locations that are typical for them, the identity risk engine detects the behavior and the policy override is reverted.
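The following simulation is an added example and not code from the product or its documentation; it models the behavior described above (a per-user baseline, passive versus active mode, a blocking policy override and its reversion) so that the difference between the two modes can be seen on concrete events. The class and field names, the choice of destination and hour of day as the only modeled features, and the sample events are all assumptions made for the illustration.

```python
"""Toy model of an adaptive-response identity risk engine (added illustration).

Assumed simplifications: a user's baseline is the set of destinations and
the set of hours of day seen during training; an event is anomalous when
either its destination or its hour is outside that baseline.
"""
from collections import defaultdict
from dataclasses import dataclass, field

PASSIVE = "passive"   # training mode: alert only, never block
ACTIVE = "active"     # enforcing mode: policy actions are applied


@dataclass
class Event:
    user: str
    destination: str
    hour: int  # 0-23, hour of day of the connection attempt


@dataclass
class UserModel:
    destinations: set = field(default_factory=set)
    hours: set = field(default_factory=set)

    def is_typical(self, event: Event) -> bool:
        return event.destination in self.destinations and event.hour in self.hours


class AdaptiveResponse:
    def __init__(self, mode: str = PASSIVE):
        self.mode = mode
        self.models = defaultdict(UserModel)
        self.overridden = set()  # users whose access policy is currently replaced by "block"
        self.alerts = []         # (user, destination, hour) for every anomalous event

    def train(self, events):
        """Build the usage model from observed (assumed benign) activity."""
        for e in events:
            self.models[e.user].destinations.add(e.destination)
            self.models[e.user].hours.add(e.hour)

    def evaluate(self, event: Event) -> str:
        """Return 'allow', 'alert' (passive mode) or 'block' (active mode).

        A user with no training data has an empty model, so every event is
        anomalous for them: train in passive mode before switching to active.
        """
        if self.models[event.user].is_typical(event):
            # Typical behavior: the override, if any, is reverted and the
            # user's normal network access control policy applies again.
            self.overridden.discard(event.user)
            return "allow"
        self.alerts.append((event.user, event.destination, event.hour))
        if self.mode == PASSIVE:
            return "alert"
        self.overridden.add(event.user)
        return "block"


def run_demo():
    """Constructed sample: train on alice's normal activity, then evaluate."""
    training = [Event("alice", "crm.example.internal", h) for h in (9, 10, 11, 14, 16)]
    training.append(Event("alice", "mail.example.com", 9))

    engine = AdaptiveResponse(PASSIVE)
    engine.train(training)
    decisions = [
        engine.evaluate(Event("alice", "crm.example.internal", 10)),  # typical
        engine.evaluate(Event("alice", "unknown.example.net", 10)),   # new destination
    ]
    engine.mode = ACTIVE
    decisions += [
        engine.evaluate(Event("alice", "unknown.example.net", 10)),   # new destination -> override
        engine.evaluate(Event("alice", "crm.example.internal", 3)),   # typical host, atypical hour
        engine.evaluate(Event("alice", "crm.example.internal", 10)),  # typical -> override reverted
    ]
    return decisions, sorted(engine.overridden), len(engine.alerts)


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows the same anomalous event producing only an alert in passive mode and a block in active mode, and the override being lifted as soon as the user returns to typical activity; the alert count grows in both modes, which is why passive mode is the place to tune the model before enforcing.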