I currently have several behavioral anomaly searches that report users exhibiting authentication behavior that is X number of standard deviations above their mean or just in the 9Xth percentile based on a baseline period of behavior. After reading George Starcher's blog entries on the subject of Extreme Search I am considering implementing those searches using that app, but I am concerned that I am losing precision because I can't say for certain that "anomalous" means three standard deviations above the mean. I would like to hear about other users' experiences doing the same and whether you think the migration is worth the effort.
