How to configure and leverage the Velocity feature within the Questionable Location policy of Cisco Cloudlock.
Under the Questionable Locations policy, an incident is raised if the time between two activities is significantly less than the time needed to travel the distance between the two locations by any realistic means.
For example: with Velocity set to 100 mph and Distance set to 100 miles, the timeframe is 1 hour for traveling 100 miles (from the formula Velocity = Distance / Time).
Lowering the Distance threshold will tighten this formula and give a wider allowance for off-site activities without triggering an incident. However, while tightening the policy too much may reduce noise, it could also overlook legitimate risks. For this reason, it's best to find a balance between the policy settings and your need to allow false-positive IPs, based on your organization's specific needs.
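The check described above can be sketched as follows. This is an added example, not Cloudlock's own code. It assumes each activity already carries geolocated coordinates, that hops shorter than the Distance setting are ignored, and that a pair is flagged when the distance covered exceeds what the Velocity setting allows in the elapsed time. All names and sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8

@dataclass
class Activity:
    user: str
    when: datetime
    lat: float
    lon: float

def miles_between(a, b):
    """Great-circle (haversine) distance in miles between two activities."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(h))

def questionable_pairs(activities, velocity_mph=100.0, distance_miles=100.0):
    """Return (earlier, later, miles, hours) for each user's consecutive
    activities that lie too far apart for the time elapsed between them."""
    flagged, last_seen = [], {}
    for act in sorted(activities, key=lambda a: a.when):
        prev, last_seen[act.user] = last_seen.get(act.user), act
        if prev is None:
            continue
        miles = miles_between(prev, act)
        if miles < distance_miles:
            continue  # assumption: hops shorter than Distance are ignored
        hours = (act.when - prev.when).total_seconds() / 3600
        # Velocity = Distance / Time, rearranged as a product so that
        # simultaneous events (hours == 0) do not divide by zero.
        if miles > velocity_mph * hours:
            flagged.append((prev, act, round(miles), round(hours, 2)))
    return flagged

# Constructed sample events (not real log data).
SAMPLE = [
    Activity("alice", datetime(2024, 1, 8, 9, 0), 40.71, -74.01),   # New York
    Activity("alice", datetime(2024, 1, 8, 9, 45), 51.51, -0.13),   # London, 45 min later
    Activity("bob", datetime(2024, 1, 8, 9, 0), 40.71, -74.01),     # New York
    Activity("bob", datetime(2024, 1, 8, 9, 30), 40.74, -74.17),    # Newark, short hop
    Activity("carol", datetime(2024, 1, 8, 8, 0), 40.71, -74.01),   # New York
    Activity("carol", datetime(2024, 1, 9, 8, 0), 42.36, -71.06),   # Boston, next day
]

if __name__ == "__main__":
    for prev, act, miles, hours in questionable_pairs(SAMPLE):
        print(f"{act.user}: {miles} miles in {hours} h")
```

Re-running the function with different `velocity_mph` and `distance_miles` values against a sample of your own activity data shows how many pairs each setting would flag before you change the policy.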