Create an adaptive response policy
You create and assign adaptive response policies to specify the risk response actions that are applied to devices. You can specify whether to override the network access control policy when a user's network usage patterns do not match past behavior.
When the first user is added to an adaptive response policy, a training period for the adaptive response risk model starts and lasts until both of the following conditions are met: 1000 events are collected for the user’s tenant and 14 calendar days pass. Alerts are not generated during the training period.
By default, when adaptive response is running in active mode and an anomalous network event is detected, the assigned adaptive response policy overrides the network access control policy and connections are blocked. For example, if a user tries to connect to an Internet destination that is not typical for them in their day-to-day behavior, or if they try to connect to resources at a time that is not typical for them, the adaptive response policy overrides the user’s network access control policy and assigns one that blocks connections to your private network or SaaS services. When the user browses to safe locations that are typical for them, the identity risk engine detects the behavior and the policy override is reverted.
- On the menu bar, click Gateway > Policies.
- Click the Adaptive Response tab.
- Click Add policy.
- Type a name and description for the policy.
- Under Response actions, click .
- Click Override network access policy and select a policy from the drop-down list.