About Access Anomalies
The following Sanctioned Service anomalies (including CNAPP services) indicate potential unauthorized attempts to access a user’s account. They may also represent a user forgetting their password or an authorized user logging in from a new location. Access Anomalies contribute to threats that suggest compromised accounts.
Anomalous Access Location
- Anomalous access locations are indicative of potentially compromised accounts or insider threats.
- This anomaly is detected when a user registers activity from an IP address, geographic location, or organization that is suspicious, has been added to a block list, or belongs to a competitor.
- Anomalies are detected using Skyhigh CASB's block lists and UEBA. You can also add competitor names, known bad IP addresses, and geographic locations to the block list to provide supervised learning.
Superhuman
- Logins from two or more geographically distant locations (locations far enough apart that a person would need to fly between them and could not reach the second within a few minutes) within a short time period. This anomaly is triggered even if two different supported cloud services are accessed from the geographically distant locations.
- This may indicate that a third party is attempting to gain unauthorized access to your cloud service using an employee’s credentials from a distant location, as it would be physically impossible for the same individual to log in from both places in such a short amount of time.
- Use the Anomaly Exception feature in cases where the use of a VPN changes a user’s IP address and incorrectly triggers this anomaly.
Login Failure
- A user has an abnormally large number of login attempts that have failed in a specified duration (for example, hourly, daily, weekly, or monthly), exceeding the expected threshold for this user.
- This behavior is tracked across multiple services, so if a single user fails to sign in to Box and Salesforce a total number of times exceeding the corresponding threshold, this anomaly will be recorded.
- Login Failure frequently indicates user accounts that are at risk of losing their credentials. In such a case, having a password policy for the CSP is strongly encouraged.
Login Success
- A user has an abnormally large number of login attempts that have succeeded in a specified duration (for example, hourly, daily, weekly, or monthly), exceeding the expected threshold for this user.
- This behavior is tracked across multiple services, so if a single user signs in to Box and Salesforce a total number of times exceeding the corresponding threshold, this anomaly will be recorded.
- Login Success frequently indicates user accounts that are at risk of losing their credentials. In such a case, having a password policy for the CSP is strongly encouraged.
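As an added illustration, not Skyhigh CASB's own code, the following Python sketches how the Superhuman check and the cross-service Login Failure count described above could be evaluated over login events. The event fields, the 1000 km/h speed limit and the threshold of 10 failures per hour are assumptions, and the `vpn_exceptions` parameter stands in for the Anomaly Exception feature used for VPN egress addresses.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 1000.0  # assumed: faster than any commercial flight
FAIL_THRESHOLD = 10     # assumed per-user failed-login baseline for one hourly bucket

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def superhuman_anomalies(events, vpn_exceptions=frozenset()):
    """Flag consecutive successful logins by one user, across any services, whose implied
    travel speed is impossible; logins from IPs in vpn_exceptions (VPN egress) are skipped."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"] and e["ip"] not in vpn_exceptions:
            by_user[e["user"]].append(e)
    findings = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = max((cur["ts"] - prev["ts"]).total_seconds(), 60) / 3600  # sub-minute gap counts as a minute
            if km / hours > MAX_SPEED_KMH:
                findings.append((user, prev["service"], cur["service"], round(km)))
    return findings

def login_failure_anomalies(events):
    """Users whose failed logins, summed over all services, exceed FAIL_THRESHOLD in one hourly bucket."""
    counts = defaultdict(int)
    for e in events:
        if not e["ok"]:
            counts[(e["user"], e["ts"].replace(minute=0, second=0, microsecond=0))] += 1
    return sorted({user for (user, _), n in counts.items() if n > FAIL_THRESHOLD})

def _ev(user, service, ts, ok, ip, lat, lon):
    return dict(user=user, service=service, ts=datetime.fromisoformat(ts), ok=ok, ip=ip, lat=lat, lon=lon)

# Constructed sample, not real logs: alice logs into Box from London and 30 minutes later into
# Salesforce from Sydney; bob fails 11 logins across Box and Salesforce within 10 minutes.
SAMPLE_EVENTS = [
    _ev("alice", "Box", "2024-05-01T09:00:00", True, "203.0.113.5", 51.50, -0.12),
    _ev("alice", "Salesforce", "2024-05-01T09:30:00", True, "198.51.100.7", -33.87, 151.21),
] + [_ev("bob", ("Box", "Salesforce")[i % 2], f"2024-05-01T10:{i:02d}:00", False,
         "192.0.2.9", 40.71, -74.01) for i in range(11)]
```

Running `superhuman_anomalies(SAMPLE_EVENTS)` flags alice's London-to-Sydney pair, while passing the Sydney VPN address in `vpn_exceptions` suppresses it, and `login_failure_anomalies(SAMPLE_EVENTS)` returns bob.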