The concept of using behaviors is the process of using machine learning to identify specific conditions or changes (such as a new IP address or user) that can indicate undesirable activities. Currently, behaviors can be defined with correlation rules for First Occurrence (the first time a condition is seen) and Aggregation (when a condition reaches a certain threshold). Behaviors themselves can be configured to only show when a correlation is triggered (narrow) or for every behavior match (broad and potentially noisy but informative).

Below are the major categories for behavior rules: