What Cisco Cloudlock detects as "Suspicious Activity" and how these potential threats are detected.
Suspicious Activity, as displayed in the Behavioral Risk dashboard, is a set of potential threats surfaced from three categories of signal: Locations, IPs, and User Login Activity. A single activity, such as a login or platform access, may not be suspicious on its own. When it is correlated with other activities over time, however, a pattern may emerge that indicates a potential Account Compromise.
Locations
Activity is suspicious if successful logins for the same user originate from locations that could not both have been reached in the elapsed time. For example, a user cannot physically log in from Japan and from England within an hour of each other. Access from two locations within a window shorter than the travel time between them (often called impossible travel) may therefore indicate that someone other than the account owner is logging in with the user's credentials. VPN exit nodes, corporate proxies and mobile-carrier address ranges can place a legitimate user far from their true location, so such an alert should be checked against the user's known access patterns before it is acted on.
IPs
Suspicious Activity can also be high-frequency access from different IP addresses, i.e. an exceptionally high count of distinct source IP addresses associated with one user in a short period of time. Such activity may indicate that a malicious party is operating the account, for example to send spam through it.
User Login Activity
Login attempts, in particular login failures, that occur at an abnormally high frequency may indicate a password-guessing (brute-force) attack against the user account.
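The three heuristics above (impossible travel, source-IP churn, and failed-login bursts) can each be expressed as a simple rule over a user's login history. The following is an added example written for this article; it is not Cisco Cloudlock code and does not reproduce Cloudlock's thresholds or its internal model. The event fields, the threshold values and the sample login records are all assumptions made for illustration, and the geolocation is assumed to have already been resolved from the source IP.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


# Hypothetical login event as a platform audit log might record it.
# Fields are assumptions for this example, not a Cloudlock schema.
@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime
    ip: str
    lat: float      # geolocation already resolved from the source IP
    lon: float
    success: bool


# Illustrative thresholds (assumptions, not Cloudlock's tuning).
MAX_SPEED_KMH = 900.0          # roughly airliner cruise speed
IP_WINDOW = timedelta(hours=1)
MAX_DISTINCT_IPS = 5
FAIL_WINDOW = timedelta(minutes=10)
MAX_FAILURES = 10


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _by_user(events, keep):
    grouped = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if keep(e):
            grouped[e.user].append(e)
    return grouped


def impossible_travel(events):
    """Consecutive successful logins whose implied speed exceeds MAX_SPEED_KMH."""
    alerts = []
    for user, evs in _by_user(events, lambda e: e.success).items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist == 0:            # same place (e.g. same office): never suspicious
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            if hours == 0 or dist / hours > MAX_SPEED_KMH:
                alerts.append((user, prev.ip, cur.ip, dist, hours))
    return alerts


def ip_churn(events):
    """Users seen from more than MAX_DISTINCT_IPS addresses inside any IP_WINDOW."""
    alerts = set()
    for user, evs in _by_user(events, lambda e: True).items():
        start = 0
        for end, cur in enumerate(evs):        # sliding window over sorted events
            while cur.ts - evs[start].ts > IP_WINDOW:
                start += 1
            if len({x.ip for x in evs[start:end + 1]}) > MAX_DISTINCT_IPS:
                alerts.add(user)
    return alerts


def failure_burst(events):
    """Users with more than MAX_FAILURES failed logins inside any FAIL_WINDOW."""
    alerts = set()
    for user, evs in _by_user(events, lambda e: not e.success).items():
        start = 0
        for end, cur in enumerate(evs):
            while cur.ts - evs[start].ts > FAIL_WINDOW:
                start += 1
            if end - start + 1 > MAX_FAILURES:
                alerts.add(user)
    return alerts


def detect(events):
    """Run all three rules and return the flagged users per category."""
    return {
        "impossible_travel": sorted({a[0] for a in impossible_travel(events)}),
        "ip_churn": sorted(ip_churn(events)),
        "failure_burst": sorted(failure_burst(events)),
    }


# Constructed sample log: one user per scenario plus one benign user.
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    # alice: Tokyo at 09:00, London at 09:45 -> impossible travel
    LoginEvent("alice", T0, "203.0.113.10", 35.68, 139.69, True),
    LoginEvent("alice", T0 + timedelta(minutes=45), "198.51.100.7", 51.51, -0.13, True),
    # bob: six distinct IPs in 25 minutes from one city -> IP churn
    *[LoginEvent("bob", T0 + timedelta(minutes=5 * i), f"192.0.2.{i}", 40.71, -74.01, True)
      for i in range(6)],
    # carol: twelve failures in four minutes, then a success -> failure burst
    *[LoginEvent("carol", T0 + timedelta(seconds=20 * i), "203.0.113.50", 48.86, 2.35, False)
      for i in range(12)],
    LoginEvent("carol", T0 + timedelta(minutes=6), "203.0.113.50", 48.86, 2.35, True),
    # dave: benign, same office eight hours apart
    LoginEvent("dave", T0, "192.0.2.200", 37.77, -122.42, True),
    LoginEvent("dave", T0 + timedelta(hours=8), "192.0.2.200", 37.77, -122.42, True),
]

if __name__ == "__main__":
    for category, users in detect(SAMPLE_EVENTS).items():
        print(f"{category}: {users or 'none'}")
```

Running the script flags alice for impossible travel (about 9,560 km in 45 minutes), bob for IP churn and carol for the failure burst, while dave produces nothing. The impossible-travel rule skips pairs at identical coordinates on purpose, since repeated logins from one office are the normal case, and the two windowed rules use a sliding window so that a burst spanning a clock-hour boundary is still caught.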
Any threat identified from the above Suspicious Activities is displayed in Cisco Cloudlock's Threat Dashboard, specifically the Behavioral Risk tab. Further details on a reported threat can be found in the Activities feature.