Threshold settings

The Threshold detection strategy uses granular file modification events to identify processes that constantly perform I/O-intensive operations. There are three categories of I/O intensity:

  • High - 8 or more writes per second

  • Medium - between 3 and 8 writes per second

  • Low - between 1 and 3 writes per second

Every 7 seconds (the default value of Threshold checks length), the process analyzes the file modifications made in the file system. A risk score is assigned to every identified record:

  • High - 25 risk points (RPs)

  • Medium - 15 RPs

  • Low - 5 RPs

This is repeated continuously, but after 12 iterations (Threshold checks) the oldest record is replaced with a fresh one. If the process/user collects over 100 risk points (Threshold risk level), an Alert/Notification is produced.
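The scoring window described above can be modelled as follows. This is an added sketch, not the product's own code, for estimating how quickly a given write rate reaches the alert level under the default settings. The class and function names are hypothetical, and three points are assumptions: a rate of exactly 3 writes per second counts as Medium, an interval below 1 write per second scores 0 but still occupies a slot in the window, and the rate is the write count divided by the check length.

```python
from collections import deque

CHECK_LENGTH_S = 7   # "Threshold checks length" default from the page
WINDOW_CHECKS = 12   # "Threshold checks": records kept before the oldest is replaced
RISK_LEVEL = 100     # "Threshold risk level": alert when the total is over this

def risk_points(writes_per_second):
    """Map an I/O rate to risk points (boundary handling is an assumption)."""
    if writes_per_second >= 8:
        return 25    # High
    if writes_per_second >= 3:
        return 15    # Medium
    if writes_per_second >= 1:
        return 5     # Low
    return 0         # assumed: below Low scores nothing

class ThresholdWindow:
    """Sliding window of per-check risk points for one process/user."""
    def __init__(self):
        self.records = deque(maxlen=WINDOW_CHECKS)

    def check(self, writes_in_interval):
        # Assumed: rate = writes seen in the interval / interval length.
        rate = writes_in_interval / CHECK_LENGTH_S
        self.records.append(risk_points(rate))   # oldest record drops out at 12
        total = sum(self.records)
        return total, total > RISK_LEVEL

def first_alert(write_counts):
    """Return the 1-based check at which the alert first fires, or None."""
    window = ThresholdWindow()
    for i, count in enumerate(write_counts, start=1):
        _, alert = window.check(count)
        if alert:
            return i
    return None

# Constructed write counts per 7-second check (not real telemetry).
BURST = [70] * 12                      # 10 writes/s, High on every check
MEDIUM = [35] * 12                     # 5 writes/s, Medium on every check
STEADY_LOW = [14] * 40                 # 2 writes/s, Low: window tops out at 60
SPIKE_THEN_IDLE = [70] * 4 + [0] * 20  # 4 x 25 = 100, which is not over 100

if __name__ == "__main__":
    for name in ("BURST", "MEDIUM", "STEADY_LOW", "SPIKE_THEN_IDLE"):
        print(name, first_alert(globals()[name]))
```

With the defaults, a sustained High rate alerts on the fifth check (about 35 seconds), a sustained Medium rate on the seventh, and a sustained Low rate never does, because twelve Low records total only 60 RPs.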
