Using the Prevalence Model
To enhance security visibility, the TSFA system uses a Prevalence Model to identify rare device events. It effectively detects anomalies such as outlier firmware updates, BIOS password changes, or long-inactive devices—helping identify potential threats or devices requiring manual verification.
The Prevalence Model runs automatically each night, analyzing the previous day’s device events. It calculates event frequency across your device fleet and determines prevalence based on your organization’s thresholds.
Navigate to Device Insights > TSFA Security > Prevalence Incidents tab.
Only low-frequency events (those that occurred on a small number of devices) are flagged and displayed in the Prevalent Incidents tab. Within this tab, you’ll find three sub-tabs:
• Last 24 Hours
• Last 7 Days
• Last 30 Days
Each sub-tab displays incidents that were flagged as low frequency within the selected timeframe.
Navigate to the Dashboard. The Prevalence Model Summary widget at the top of the page provides a quick summary of prevalence incidents. It includes a dropdown to select the time range: Last 24 Hours (default), Last 7 Days, or Last 30 Days. For more information go to Using the Dashboard in LDO.
Prevalence Model Settings
Prevalence event thresholds can be updated by the Org Admin under Configuration & Settings > TSFA Settings > Prevalence Model tab.
Default thresholds:
- 24 hours: 10%
- 7 days: 5%
- 30 days: 2%
Values must be between 0.01% and 99.99%, with up to two decimal places. If no decimal is provided, the value is treated as a whole number. Trailing zeros (e.g., 4.00) are ignored, and values with more than two decimal places are not accepted.
Changes to these settings do not impact previously identified prevalent issues. Updates take effect the next day around 1:00 AM, when the Prevalence Model is rerun.
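The following is an added illustration, not code from the product: it validates a threshold using the rules stated above and flags event types seen on a small share of the fleet. The event names, device IDs, fleet size, and the exact rule (share of distinct devices at or below the threshold) are assumptions made for the sketch.

```python
import re
from collections import defaultdict
from decimal import Decimal

# Accepts 1-2 integer digits and, optionally, 1-2 decimal places (e.g. 4, 4.5, 4.00).
_THRESHOLD_RE = re.compile(r"[0-9]{1,2}(\.[0-9]{1,2})?")

def parse_threshold(text):
    """Return the threshold as a Decimal percent, or raise ValueError."""
    text = text.strip()
    if not _THRESHOLD_RE.fullmatch(text):
        raise ValueError(f"not a percentage with at most two decimals: {text!r}")
    value = Decimal(text)  # Decimal("4.00") == Decimal("4"): trailing zeros are ignored
    if not Decimal("0.01") <= value <= Decimal("99.99"):
        raise ValueError(f"outside 0.01-99.99: {text!r}")
    return value

def rare_events(events, fleet_size, threshold_pct):
    """Map each rare event type to the percent of the fleet it touched.

    events is an iterable of (device_id, event_type) pairs. Counting distinct
    devices and using <= for the comparison are assumptions of this sketch.
    """
    devices_by_event = defaultdict(set)
    for device_id, event_type in events:
        devices_by_event[event_type].add(device_id)
    flagged = {}
    for event_type, devices in devices_by_event.items():
        pct = Decimal(len(devices)) * 100 / Decimal(fleet_size)
        if pct <= threshold_pct:
            flagged[event_type] = pct
    return flagged

# Constructed sample data for a hypothetical 200-device fleet.
SAMPLE_EVENTS = (
    [(f"dev-{i:03d}", "firmware_update") for i in range(60)]               # 30% of fleet
    + [(f"dev-{i:03d}", "bios_password_change") for i in (7, 7, 81, 150)]  # 3 devices, 1.5%
    + [("dev-199", "reactivated_after_inactivity")]                        # 1 device, 0.5%
)

if __name__ == "__main__":
    threshold = parse_threshold("10")  # the default 24-hour threshold
    for name, pct in sorted(rare_events(SAMPLE_EVENTS, 200, threshold).items()):
        print(f"{name}: {pct}% of fleet")
```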