You can also view a three-dimensional chart from which you can observe anomalous activity in relation to normal activity. In this view, activities are represented as data points (also called buckets) on three axes:

• X=hour of day
• Y=aggregated activity count or aggregated download size

• Z=day of the week

  The chart uses a clustering mechanism to illustrate activity patterns and reveal anomalies. These activity clusters can give you a better idea of what types of events are occurring most frequently at specific days and times. The clusters also enable anomalies to stand out visually.

  As activities are tracked hour by hour, data points are added to the chart. Clusters are created when relevant activities total at least 15 data points. Each cluster is represented by a different color for its data points. If a cluster has fewer than three data points (buckets), the events represented by those points are considered anomalous, and they appear in red.

  Each data point on the chart represents events that occurred on a specific hour of the day. You can get details about the date, the hour, and event count by clicking on any data point.

  In this example, the cluster at the lower right has 15 data points. It shows that several events took place during late afternoon and evening throughout the week. The access count was similar for all activities. On one day, the access count was much higher, and the point is shown in red, indicating an anomaly.

  The table below the graph lists the events represented in the graph.The list in this example outlines the date and time of the access, the name of the file accessed, the cloud from which the access took place, and the email address of the user who accessed the content.