Trigger and Pattern detail page

Section – Trigger

Add an AAS Trigger
  • Name – assign a unique name for the entry.
  • Tenant – add tenants to allow tenancy access. See also Multitenancy feature.
  • Minimal Bit Count – the threshold for the minimal number of anomaly indicators that have to show anomalous behavior to activate the trigger. It can be combined with Patterns.
  • The Minimal Bit Count setting is a threshold that is evaluated on top of the anomaly indicator patterns. When patterns have been configured, a trigger is only activated if any of the configured indicator patterns match and the bit count threshold is reached.

Section – Patterns

Add AAS Patterns
  • Use the + button to add one or more patterns.
  • A pattern is formed by 6 different anomaly indicators. Each indicator can be configured by mouse click to be:
    • Grey dot – the pattern will match either normal or anomalous behavior of this indicator.
    • Red dot – the pattern will match if this indicator shows anomalous behavior.
    • Green dot – the pattern will match if this indicator shows normal behavior.

Name of the indicator bit – Short description
  • Connection Metrics – The number of different front source ports and TLS session IDs per request.
  • GraphMetricsCluster – The session clustering is based on various metrics on the request path sequence, e.g. how often the same path is repeated or the following path is a child, etc.
  • IsolationForest – A generic anomaly detection algorithm applied to session metrics from various categories.
  • MultipleCountries – This indicates whether requests come from different countries, with extra penalties for non-neighboring countries.
  • StatusCodeMeta – A majority vote on three different status code indicators.
  • Timing Cluster – The clustering is based on the distribution of the request timing deltas.
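
The following added example (not the product's own code) models how Minimal Bit Count and the grey/red/green patterns combine, and adds a configuration check for patterns that can never fire under a given threshold. The function names, the True-means-anomalous encoding, and the behavior with no patterns configured (threshold alone decides) are assumptions made for illustration.

```python
from enum import Enum

# Indicator bits in the order this page lists them.
INDICATORS = ("Connection Metrics", "GraphMetricsCluster", "IsolationForest",
              "MultipleCountries", "StatusCodeMeta", "Timing Cluster")

class Dot(Enum):
    GREY = 0   # matches normal or anomalous behavior
    RED = 1    # matches only anomalous behavior
    GREEN = 2  # matches only normal behavior

def pattern_matches(pattern, session):
    """pattern: {indicator: Dot}, missing entries count as GREY.
    session: {indicator: bool}, True meaning anomalous (assumed encoding)."""
    for name in INDICATORS:
        dot = pattern.get(name, Dot.GREY)
        anomalous = session.get(name, False)
        if (dot is Dot.RED and not anomalous) or (dot is Dot.GREEN and anomalous):
            return False
    return True

def trigger_fires(min_bit_count, patterns, session):
    """Threshold AND (any pattern matches); with no patterns configured the
    threshold alone decides (assumption, the page only covers the combined case)."""
    bit_count = sum(1 for name in INDICATORS if session.get(name, False))
    if bit_count < min_bit_count:
        return False
    return not patterns or any(pattern_matches(p, session) for p in patterns)

def pattern_reachable(min_bit_count, pattern):
    """Config check: every green dot forces one indicator to be normal, so a
    pattern with G green dots can never see more than 6 - G anomalous bits."""
    greens = sum(1 for name in INDICATORS if pattern.get(name) is Dot.GREEN)
    return len(INDICATORS) - greens >= min_bit_count

# Constructed sample data, not taken from a real deployment.
GEO_ONLY = {"MultipleCountries": Dot.RED, "StatusCodeMeta": Dot.GREEN}
SESSION_A = {"IsolationForest": True, "MultipleCountries": True}
SESSION_B = {**SESSION_A, "StatusCodeMeta": True}

if __name__ == "__main__":
    print(trigger_fires(2, [GEO_ONLY], SESSION_A))  # pattern and threshold met
    print(trigger_fires(3, [GEO_ONLY], SESSION_A))  # pattern met, threshold not
    print(trigger_fires(2, [GEO_ONLY], SESSION_B))  # threshold met, pattern not
```

Running `pattern_reachable` over every configured pattern before saving a trigger catches combinations of green dots and a high Minimal Bit Count that would silently never activate.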