Suspected Anomalies
First Time in New Country
This anomaly is triggered when a user logs in from a country they have never logged in from before.
If the user's title includes the name of a country, logins from that country are not flagged, because the title is taken as evidence that the user is expected to work from there.
Auto-forwarding to External Email Address
This anomaly is based on the Office 365 management events. It processes the specific events that are generated when a mailbox auto-forwarding rule is created.
The anomaly does these tasks:
- Inspects new auto-forwarding rules created in Office 365.
- Checks whether the forwarding target address is external to the organization. If the address is external, an anomaly is triggered.
The anomaly's severity depends on the rule's forwarding condition. If the rule has no condition (every incoming message is forwarded), the severity is set to High. Otherwise, the severity is set to Medium.
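The two checks above and the severity rule, as an added example in Python. This is not the product's own detection code; the event records are constructed to resemble simplified New-InboxRule entries from the Office 365 management activity log, and the field names, the INTERNAL_DOMAINS set and the list of parameters treated as "not a condition" are assumptions for the example.

```python
"""Added example (not product code): flag Office 365 inbox rules that
auto-forward mail to an external address and grade their severity."""

from typing import Optional

# Assumption: the organization's own mail domains, configured by the administrator.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

# Inbox-rule parameters that send a copy, or the message itself, somewhere else.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Parameters that do not restrict which messages the rule matches (assumption).
# Any other parameter (SubjectContainsWords, From, HasAttachment, ...) is a condition.
NON_CONDITION_PARAMS = {"Name", "Enabled", "Priority", "StopProcessingRules"} | FORWARD_PARAMS

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "sync"},
                    {"Name": "ForwardTo", "Value": "collector@mail.example.net"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "invoices"},
                    {"Name": "SubjectContainsWords", "Value": ["invoice", "payment"]},
                    {"Name": "ForwardAsAttachmentTo", "Value": "bob.home@mail.example.net"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@example.com",
     "Parameters": [{"Name": "Name", "Value": "to assistant"},
                    {"Name": "ForwardTo", "Value": "dave@corp.example.com"}]},
    {"Operation": "New-InboxRule", "UserId": "erin@example.com",
     "Parameters": [{"Name": "Name", "Value": "file newsletters"},
                    {"Name": "From", "Value": "news@example.org"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]


def is_external(address: str) -> bool:
    """True when the address's domain is not one the organization owns."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in INTERNAL_DOMAINS


def inspect_rule(event: dict) -> Optional[dict]:
    """Return an anomaly record for an external auto-forward rule, else None."""
    if event.get("Operation") != "New-InboxRule":
        return None
    params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
    targets = []
    for name in FORWARD_PARAMS:
        value = params.get(name)
        if value is None:
            continue
        # Exchange reports one address as a string and several as a list.
        targets.extend([value] if isinstance(value, str) else value)
    external = sorted(t for t in targets if is_external(t))
    if not external:
        return None
    # A rule with no matching condition forwards every message the mailbox
    # receives, which is the most damaging case, so it is graded High.
    has_condition = any(name not in NON_CONDITION_PARAMS for name in params)
    return {"user": event["UserId"], "targets": external,
            "severity": "medium" if has_condition else "high"}


def scan(events) -> list:
    """Run the check over a batch of management events, keeping only the hits."""
    return [hit for hit in map(inspect_rule, events) if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['severity'].upper():6} {hit['user']} -> {', '.join(hit['targets'])}")
```

Run against the sample batch, the rule created by alice (no condition, external target) is graded High, bob's rule (subject condition, external target) Medium, and the rules of carol (internal target) and erin (no forwarding at all) produce nothing. In a real deployment the internal-domain set must include every accepted domain of the tenant, otherwise legitimate forwards between the organization's own domains are flagged.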
Unusual Country Anomaly
This anomaly detects incoming email from countries associated with phishing attempts and other types of cyber attacks.
By default, these countries are Nigeria and China. Use the Allow-List to ignore events from either of these countries.
Suspicious Geo Anomaly (Impossible Travel)
This anomaly detects possible credential theft and use of the stolen credentials from another location. It looks for login and email events from different locations that occur too close together in time for one person to have travelled between them, and alerts the administrator about what is likely to be another person operating the account of a company employee.
It is possible to create an Allow-List rule for accounts (for example, employees who frequently use a VPN or similar tools, whose apparent location changes with the VPN exit point).
Suspicious MFA Login Failure
This anomaly detects login operations that failed during Multi-Factor Authentication (MFA), also called Second Factor Authentication (2FA). A failure at this stage means the first factor (the password) was accepted, so it can indicate that the password is already in an attacker's hands. To reduce the rate of false detections, the anomaly correlates the failed MFA with additional events or with a follow-up successful login.
Event text: A suspicious login failure for <email>, attempting to login from <geo location>, failing at the MFA stage.
The detection is not generated in real time because it correlates and analyzes past events and later successful logins. The alert may be generated a few hours after the failed login.
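The correlation step described above, as an added example in Python. It is not the product's own logic: the log lines are constructed, and the line layout, the 24-hour correlation window and the use of a later successful login as the confirming signal are assumptions made to match the description.

```python
"""Added example (not product code): raise an MFA-failure alert only when the
same account completes a successful login within a correlation window."""

from datetime import datetime, timedelta

# Assumption: how long after the MFA failure a successful login still counts as related.
CORRELATION_WINDOW = timedelta(hours=24)

# Constructed sample log (not real data): timestamp, account, outcome, geo location.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z alice@example.com MFA_FAILED Lagos, NG
2024-05-01T08:03:40Z alice@example.com MFA_FAILED Lagos, NG
2024-05-01T11:15:02Z alice@example.com LOGIN_SUCCESS Lagos, NG
2024-05-01T09:30:00Z bob@example.com MFA_FAILED Berlin, DE
2024-05-02T12:00:00Z bob@example.com LOGIN_SUCCESS Berlin, DE
2024-05-01T10:00:00Z carol@example.com MFA_FAILED Madrid, ES
"""


def parse_log(text: str) -> list:
    """Parse the constructed line format into (time, account, outcome, geo) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, account, outcome, geo = line.split(maxsplit=3)
        events.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), account, outcome, geo))
    events.sort()  # correlation works on time order, whatever order the lines arrived in
    return events


def event_text(account: str, geo: str) -> str:
    return (f"A suspicious login failure for {account}, attempting to login "
            f"from {geo}, failing at the MFA stage.")


def correlate_mfa_failures(events, window: timedelta = CORRELATION_WINDOW) -> list:
    """Return one alert per (account, geo) whose MFA failure was followed by a
    successful login for the same account within the window."""
    successes = {}
    for t, account, outcome, _geo in events:
        if outcome == "LOGIN_SUCCESS":
            successes.setdefault(account, []).append(t)

    alerts = {}
    for t, account, outcome, geo in events:
        if outcome != "MFA_FAILED":
            continue
        confirmed = any(t < s <= t + window for s in successes.get(account, []))
        # Repeated failures from the same place collapse into a single alert.
        if confirmed and (account, geo) not in alerts:
            alerts[(account, geo)] = event_text(account, geo)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in correlate_mfa_failures(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log only alice is alerted: her two MFA failures are followed by a successful login about three hours later. bob's successful login is 26.5 hours after his failure, outside the window, and carol never logs in successfully, so neither produces an alert. Because the confirming login can arrive hours after the failure, the check has to run over a trailing window of past events rather than on each event as it arrives, which is why the alert is delayed.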
Client is a vulnerable browser
This anomaly checks whether the client browser is vulnerable. It takes the browser version used by the end user performing the event (when the SaaS application reports it) and compares it to a list of old versions with known vulnerabilities.
Compromised accounts are anomalies (events) with a Critical severity level, while Suspected compromised accounts are anomalies with the lower severity levels: High, Medium and Low.