It's clearest to talk about Policy Types. Here's how I've written it up in the manual:
Data Exposure & Access Monitoring Securlet Policies – as above, policy types use the Securlet/API connection to work
Access Enforcement, File Sharing, and Data Exposure via Gatelets – these policies are managed by the CloudSOC Gateway
Shadow IT Discovery – Audit Policies are available that allow alerting the user, admin, or IT team when a cloud service/application is used which violates policy based on its BRR score, or which is simply outside the company’s policy. For instance, if you have an HR rule stating no use of Netflix during work hours, you can enforce this with a warning and notifications.
Detector Based Policies – These policies are based on four detector types:
- Threshold-based UBA with customizable thresholds for actions to identify when behavior exceeds normal use and indicates a potential threat. For example, a threshold for number of login attempts within a timeframe and if the number of login attempts exceeds this number, trigger a policy. Another example could be identifying login attempts from different locations in quick succession, which would indicate an attempt to compromise an account.
- Threats-based detectors are triggered when network users upload or download content containing viruses or malware.
- Sequence UBA detects risk based on a sequence of user actions. The sequence detection feature can identify a series of events that in concert signify high risk activity which individually would not be identifiable as a risk. For example, a rogue employee wants to share a sensitive file with an external accomplice. He does not want to be noticed doing any share, upload or download operation on the sensitive file. The following sequence accomplishes the exfiltration. He creates a new file F, then opens and views the sensitive file, selects all of the text from the sensitive file, copies and pastes it in file F, shares the file F with the accomplice, and then deletes the file F after the accomplice has downloaded it. (Advanced)
- Multi-user UBA correlates UBA data across multiple users to detect behavior patterns that are only abnormal when viewed as a multi-user trend. This is a good identifier for low and slow attacks such as when multiple malware infected machines are trying to log in to accounts by guessing common passwords.
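To make the three UBA detector types concrete, here is an added example (my own illustration, not CloudSOC's detection engine or any Symantec code) that runs a threshold detector, a sequence detector, and a multi-user correlation over a small constructed event log. The event schema, action names (`login_failed`, `create`, `view`, `edit`, `share_external`, `delete`), thresholds and windows are all assumptions chosen for the demo; the copy/paste step from the sequence example above is modelled as an `edit` of the staging file, since a CASB only sees the API-level file operations, not clipboard activity.

```python
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Hypothetical normalized event schema; not CloudSOC's real log format.
Event = namedtuple("Event", "ts user src_ip action target sensitive")


def ev(ts, user, ip, action, target=None, sensitive=False):
    return Event(datetime.fromisoformat(ts), user, ip, action, target, sensitive)


# Constructed sample log covering all three scenarios from the text.
EVENTS = [
    # alice: 6 failed logins in 5 minutes (trips the per-user threshold)
    *[ev(f"2024-05-01T09:0{i}:00", "alice", "203.0.113.5", "login_failed") for i in range(6)],
    # bob: staging-file exfiltration; each step alone looks benign
    ev("2024-05-01T10:00:00", "bob", "198.51.100.7", "create", "notes.docx"),
    ev("2024-05-01T10:01:00", "bob", "198.51.100.7", "view", "payroll.xlsx", sensitive=True),
    ev("2024-05-01T10:03:00", "bob", "198.51.100.7", "edit", "notes.docx"),
    ev("2024-05-01T10:05:00", "bob", "198.51.100.7", "share_external", "notes.docx"),
    ev("2024-05-01T11:00:00", "bob", "198.51.100.7", "delete", "notes.docx"),
    # low and slow: 6 accounts, 1 failed login each, from 3 source IPs over 5 hours
    *[ev(f"2024-05-01T{12 + i}:00:00", f"user{i}", f"192.0.2.{i % 3 + 1}", "login_failed")
      for i in range(6)],
]


def threshold_failed_logins(events, limit=5, window=timedelta(minutes=10)):
    """Threshold UBA: flag a user whose failed logins in any sliding window exceed `limit`."""
    recent = defaultdict(deque)  # user -> timestamps of failed logins still inside the window
    flagged = set()
    for e in sorted(events, key=lambda e: e.ts):
        if e.action != "login_failed":
            continue
        q = recent[e.user]
        q.append(e.ts)
        while q and e.ts - q[0] > window:
            q.popleft()
        if len(q) > limit:
            flagged.add(e.user)
    return sorted(flagged)


def sequence_exfil(events):
    """Sequence UBA: create F -> view a sensitive file -> edit F -> share F externally -> delete F.

    Per (user, file) state machine; the stage number is the next expected step.
    """
    stage = defaultdict(dict)  # user -> {file: next expected stage}
    alerts = []
    for e in sorted(events, key=lambda e: e.ts):
        files = stage[e.user]
        if e.action == "create":
            files[e.target] = 1                      # next: view of a sensitive file
        elif e.action == "view" and e.sensitive:
            for f in files:                          # advances every freshly created staging file
                if files[f] == 1:
                    files[f] = 2                     # next: edit of the staging file
        elif e.target in files:
            s = files[e.target]
            if s == 2 and e.action == "edit":
                files[e.target] = 3                  # next: external share
            elif s == 3 and e.action == "share_external":
                files[e.target] = 4                  # next: delete (cover the tracks)
            elif s == 4 and e.action == "delete":
                alerts.append((e.user, e.target))
                del files[e.target]
    return alerts


def multi_user_spray(events, min_accounts=5, min_sources=2, per_user_limit=5,
                     window=timedelta(hours=6)):
    """Multi-user UBA: many distinct accounts failing logins from several sources inside one
    window, while every one of those accounts stays under the per-user threshold.
    Returns (window end, accounts, sources) for the first trigger, or None."""
    fails = [e for e in sorted(events, key=lambda e: e.ts) if e.action == "login_failed"]
    start = 0
    for end, e in enumerate(fails):
        while e.ts - fails[start].ts > window:
            start += 1
        win = fails[start:end + 1]
        per_user = defaultdict(int)
        for w in win:
            per_user[w.user] += 1
        quiet = {u for u, n in per_user.items() if n <= per_user_limit}
        sources = {w.src_ip for w in win if w.user in quiet}
        if len(quiet) >= min_accounts and len(sources) >= min_sources:
            return (e.ts.isoformat(), len(quiet), len(sources))
    return None


if __name__ == "__main__":
    print("threshold:", threshold_failed_logins(EVENTS))   # ['alice']
    print("sequence:", sequence_exfil(EVENTS))             # [('bob', 'notes.docx')]
    print("multi-user:", multi_user_spray(EVENTS))         # ('2024-05-01T16:00:00', 5, 3)
```

Note how the three detectors are complementary on this input: the single-user threshold never fires for bob or for any of the sprayed accounts, and only the cross-user correlation catches the spray because no individual account exceeds `per_user_limit`. A production version would also bound the sequence detector in time so that an unrelated delete days later does not complete the chain.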