Issue
A user with the Technical Contact or Applications Manager role received an email notification from Red Canary with a message similar to the following:
The analytic for <PUP name> has been disabled due to high event volume.
On <date>, we detected that the event activity for <PUP name> exceeded our global thresholds.
It is now marked with a “High Volume Product” badge in the Red Canary Portal.
You can re-enable this analytic once the event activity drops back below our threshold.
Reviewing the named PUP on the Applications page shows the detector status set to Not Publishing Threats, flagged with a High Volume Product badge, and the status cannot be modified.
Environment
Red Canary Portal
Customizations > Applications
Resolution
The status of a High Volume Product cannot be changed directly. The overall volume of executions of the affected PUP in your environment must first be reduced (for example, uninstall unapproved instances of the PUP, or restrict its execution with an application control tool such as AppLocker) until Prevalence falls below the 100% threshold. Once event activity is back below the threshold, the analytic can be re-enabled. For details on how Prevalence is calculated, see How Is Prevalence Calculated for PUP Application Profiles?
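As an added illustration of the application-control approach mentioned above (this is not Red Canary's code and is not part of the original article), the following PowerShell script generates an AppLocker policy containing a publisher-based deny rule for a hypothetical PUP and, on request, merges it into the local policy. The publisher and product names, the output path and the `-Apply` switch are assumptions for the example; read the real signer values from `Get-AppLockerFileInformation` on a known instance of the PUP, and run this from an elevated session on a host that has the AppLocker cmdlets.

```powershell
# Added example, not Red Canary's code. Builds an AppLocker policy that denies a
# hypothetical PUP by publisher while keeping the default allow rules, so that
# enabling the Exe rule collection does not block every other executable.
param(
    # Hypothetical signer values. Obtain the real ones from a known PUP binary:
    #   (Get-AppLockerFileInformation -Path 'C:\Path\To\pup.exe').Publisher
    [string]$PupPublisher = 'O=EXAMPLE PUP VENDOR, L=SPRINGFIELD, S=ILLINOIS, C=US',
    [string]$PupProduct   = 'EXAMPLE TOOLBAR',
    # Start in AuditOnly; switch to Enabled once the audit log looks right.
    [ValidateSet('AuditOnly', 'Enabled')][string]$Mode = 'AuditOnly',
    [string]$OutFile = "$env:TEMP\pup-deny-policy.xml",
    # Only merge into the local policy when explicitly asked.
    [switch]$Apply
)

# Every AppLocker rule needs a unique Id.
$denyId  = [guid]::NewGuid().ToString()
$pfId    = [guid]::NewGuid().ToString()
$winId   = [guid]::NewGuid().ToString()
$adminId = [guid]::NewGuid().ToString()

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
    <!-- Deny rule for the PUP. In AppLocker an explicit Deny always wins over Allow. -->
    <FilePublisherRule Id="$denyId" Name="Deny PUP: $PupProduct" Description="Reduce PUP execution volume" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$PupPublisher" ProductName="$PupProduct" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <!-- Default allow rules. A rule collection that contains only a Deny rule
         blocks everything that is not explicitly allowed, so these must be present. -->
    <FilePathRule Id="$pfId" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$winId" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$adminId" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

Set-Content -Path $OutFile -Value $policyXml -Encoding UTF8
Write-Host "AppLocker policy written to $OutFile (EnforcementMode=$Mode)"

# Dry run against a specific file before applying anything, e.g.:
#   Test-AppLockerPolicy -XmlPolicy $OutFile -Path 'C:\Program Files\Example\pup.exe' -User Everyone

if ($Apply) {
    # Merge rather than replace, so existing local rules are preserved.
    # Enforcement also requires the Application Identity service (AppIDSvc) to be running.
    Set-AppLockerPolicy -XmlPolicy $OutFile -Merge
    Write-Host 'Policy merged into the local AppLocker policy.'
}
```

Run it once with the default AuditOnly mode and `-Apply`, then watch the Microsoft-Windows-AppLocker/EXE and DLL log: event ID 8003 records executions that would have been blocked under enforcement, 8004 records actual blocks. Only move to `-Mode Enabled` once the audit events match the PUP and nothing else. In a domain, the same XML can be imported into a GPO instead of the local policy. Note that blocking execution on endpoints reduces the execution count that feeds Prevalence; the High Volume Product badge itself is only cleared by re-enabling the analytic in the portal after activity has dropped below the threshold.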
Cause
This notification is sent automatically when software associated with one of our Potentially Unwanted Program profiles has been observed executing over the last 7 days at too high a volume for Red Canary to continue creating Events and publishing Threats for that PUP.
See Handling Potentially Unwanted Products for more details.
Tags
PUP, potentially unwanted software, potentially unwanted program, PUA, potentially unwanted application, high volume application, high volume analytic, applications page exclusions, prevalence threshold, global threshold for high volume product