Prevalence Model & Prevalence Incidents
To enhance security visibility across the organization, the TSFA system leverages a Prevalence Model that identifies rare device events. The Prevalence Model is particularly effective in detecting anomalies such as outlier firmware updates, BIOS password changes, or long-inactive devices—helping you pinpoint potential threats or devices requiring manual verification.
The Prevalence Model runs automatically every night. It analyzes all recorded device events from the previous day, calculates the frequency of each event across your device fleet, and determines which events are considered prevalent based on your organization’s thresholds.
Only low-frequency events (those that occurred on a small number of devices) are flagged and displayed in the Prevalent Incidents tab. Within this tab, you’ll find three sub-tabs:
- Last 24 Hours
- Last 7 Days
- Last 30 Days
Each sub-tab displays incidents that were flagged as low-frequency within the selected timeframe.
Prevalence Incident on Dashboard
For a quick summary, a dashboard widget is now available at the top of the page. This widget includes a dropdown menu that lets you select a time period: Last 24 Hours, Last 7 Days, or Last 30 Days. The default selection is Last 24 Hours.
If prevalence incidents are detected, up to five are displayed in a summary table. These incidents are sorted by key factors such as severity, incident type, and recency. For each incident, the table shows the following details: device name, serial number, device family, label, prevalent issue, and the detection timestamp.
Clicking on the total number of issues redirects you to the Prevalent Incidents tab, with the same time range automatically applied as a filter.
Prevalence Model Settings
The Org Admin can update the thresholds used in prevalence event calculations in the Org Settings > Prevalence Model tab.
Default thresholds:
- 24 hours: 10%
- 7 days: 5%
- 30 days: 2%
Values must be between 0.01% and 99.99%, with no more than two decimal places. If no decimal is entered, the value is treated as a whole number. Trailing zeros after the decimal (e.g., 4.00) are ignored. Values with more than two decimal places are not accepted.
Changes to these settings do not impact previously identified prevalent issues. Updates do not take effect immediately; instead, they are applied the next day around 1:00 AM, when the Prevalence Model is rerun.
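The following Python sketch is an added illustration, not TSFA's own code. It validates a threshold against the rules above and flags event types seen on a smaller share of the fleet than that threshold. It assumes that "frequency" means the percentage of distinct devices reporting an event and that an event is rare when strictly below the threshold; the function names, event names, device IDs, and the 200-device fleet are constructed for the example.

```python
from collections import defaultdict
from decimal import Decimal, InvalidOperation

def parse_threshold(text):
    """Validate a threshold (percent) against the rules stated in the article."""
    try:
        value = Decimal(str(text).strip())
    except InvalidOperation:
        raise ValueError(f"not a number: {text!r}") from None
    if not value.is_finite():
        raise ValueError(f"not a finite number: {text!r}")
    # Assumption: decimal places are counted as typed, so "4.000" is rejected.
    if value.as_tuple().exponent < -2:
        raise ValueError("no more than two decimal places allowed")
    if not Decimal("0.01") <= value <= Decimal("99.99"):
        raise ValueError("must be between 0.01 and 99.99")
    return value  # Decimal("4.00") == Decimal("4"): trailing zeros are ignored

def rare_events(events, fleet_size, threshold_pct):
    """Return {event_type: percent of fleet} for events below the threshold.

    events: iterable of (device_id, event_type) pairs from one time window.
    """
    if fleet_size <= 0:
        raise ValueError("fleet_size must be positive")
    limit = parse_threshold(threshold_pct)
    devices = defaultdict(set)
    for device_id, event_type in events:
        devices[event_type].add(device_id)  # a device counts once per event type
    flagged = {}
    for event_type, seen in devices.items():
        pct = Decimal(len(seen)) * 100 / Decimal(fleet_size)
        if pct < limit:  # assumption: strictly below the threshold is "rare"
            flagged[event_type] = pct
    return flagged

# Constructed sample: a 200-device fleet and three made-up event types.
SAMPLE = (
    [(f"dev{i:03d}", "firmware_update") for i in range(60)]         # 30%
    + [(f"dev{i:03d}", "boot_order_change") for i in range(12)]     # 6%
    + [(f"dev{i:03d}", "bios_password_change") for i in range(3)]   # 1.5%
    + [("dev000", "bios_password_change")]                          # repeat, same device
)

if __name__ == "__main__":
    for window, pct in {"24h": "10", "7d": "5", "30d": "2"}.items():
        print(window, sorted(rare_events(SAMPLE, 200, pct)))
```

Running the same sample against each default threshold shows how a lower percentage narrows the flagged set.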