
Skyhigh Security

Configure Source IP Rules

IMPORTANT: Activity Type or Category and Activity Count are mandatory rules to complete your custom anomaly rule statement. The Incomplete Rule message will be displayed if these rules are not added.

The Source IP rule lets you detect and monitor the source IP address of the user performing activities on the service, and prevents unauthorized users from gaining access to your service through restricted IP ranges. You can also combine the rule with other parameters such as Activity Type or Category, Activity Count, Trust, Device, and more. An anomaly is triggered when a user performs activities that exceed the expected activity count on a service from a configured source IP.

NOTE: The Source IP rule allows you to add source IP addresses to the rule. You can add a comma-separated list of IP addresses.

Supported Source IP Address Format


Skyhigh CASB supports several source IP address formats. Use the IP address formats listed below in the Source IP rule when creating the Custom Anomaly. To add IP addresses to the rule, select the IP address format from the menu, type the IP addresses in Enter IPs, and then click Done.

IPv4 and IPv6 Address Format Examples

IPv4 Address

In Enter IPs, type the list of IPv4 addresses in the following format:

  • 192.168.1.1,10.0.0.1,172.16.0.1

IPv4 CIDR Block

In Enter IPs, type the IPv4 CIDR block in the following format:

  • 157.46.180.180/24

IPv4 Range

In Enter IPs, type the IPv4 range in the following format:

  • 172.12.100.108 To 172.12.100.110

IPv6 Address

In Enter IPs, type the list of IPv6 addresses in the following format:

  • 2001:0db8:85a3:0000:0000:8a2e:0370:7334,2001:0:9d38:6abd:4f90:81e5:a6c7:45d2

IPv6 CIDR Block

In Enter IPs, type the IPv6 CIDR block in the following format:

  • c22e:32ca:c4d9:4b1a:0000:0000:0000:0000/64

For example, you will be notified when a user logs in to a service from the source IP addresses 92.168.1.1, 10.0.0.1, and 172.16.0.1 in a day.

Add Exception

You can also bypass source IP addresses using the ADD EXCEPTION tab. The rule ignores the specified IP addresses, and you will not be notified if a user logs in to a service from them. To bypass IP addresses, click ADD EXCEPTION, select the IP address format from the menu, type the IP addresses in Enter IPs, and then click Done.
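Before pasting entries into the rule, it helps to confirm which addresses they actually cover. The following is an added example, not Skyhigh code: it parses the five formats listed above and applies the listed-but-not-excepted logic described on this page. The function names are hypothetical, and how the product handles a CIDR entry with host bits set (such as 157.46.180.180/24) is an assumption.

```python
import ipaddress

# Format names are the menu entries listed on this page; function names are hypothetical.
def parse_entry(fmt, text):
    """Turn one Enter IPs value into a list of (first, last) address pairs."""
    version = 4 if fmt.startswith("IPv4") else 6
    if fmt in ("IPv4 Address", "IPv6 Address"):
        addrs = [ipaddress.ip_address(item.strip()) for item in text.split(",")]
        spans = [(a, a) for a in addrs]
    elif fmt in ("IPv4 CIDR Block", "IPv6 CIDR Block"):
        # Assumption: host bits are tolerated, so 157.46.180.180/24 is read as
        # 157.46.180.0/24. The page does not say how the product treats them.
        net = ipaddress.ip_network(text.strip(), strict=False)
        spans = [(net.network_address, net.broadcast_address)]
    elif fmt == "IPv4 Range":
        low, high = (ipaddress.IPv4Address(p.strip()) for p in text.split(" To "))
        if low > high:
            raise ValueError(f"range start {low} is above range end {high}")
        spans = [(low, high)]
    else:
        raise ValueError(f"unknown format: {fmt}")
    for first, _ in spans:
        if first.version != version:
            raise ValueError(f"{first} is not valid for format {fmt}")
    return spans

def in_spans(ip, spans):
    # Compare only within the same IP version; mixed comparisons raise TypeError.
    return any(lo.version == ip.version and lo <= ip <= hi for lo, hi in spans)

def rule_matches(source_ip, rule_entries, exception_entries=()):
    """True if source_ip is listed in the rule and not listed as an exception."""
    ip = ipaddress.ip_address(source_ip)
    listed = [s for fmt, text in rule_entries for s in parse_entry(fmt, text)]
    skipped = [s for fmt, text in exception_entries for s in parse_entry(fmt, text)]
    return in_spans(ip, listed) and not in_spans(ip, skipped)

# Entries built from the format examples on this page; the exception is constructed.
RULE = [
    ("IPv4 Address", "192.168.1.1,10.0.0.1,172.16.0.1"),
    ("IPv4 CIDR Block", "157.46.180.180/24"),
    ("IPv4 Range", "172.12.100.108 To 172.12.100.110"),
    ("IPv6 CIDR Block", "c22e:32ca:c4d9:4b1a:0000:0000:0000:0000/64"),
]
EXCEPTION = [("IPv4 Address", "10.0.0.1")]

if __name__ == "__main__":
    for ip in ("157.46.180.7", "172.12.100.111", "10.0.0.1", "c22e:32ca:c4d9:4b1a::9"):
        print(ip, rule_matches(ip, RULE, EXCEPTION))
```
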


To configure this rule:

  1. Go to Incidents > Anomalies > Anomaly Settings.    
  2. Click Actions > Create a Custom Anomaly.
  3. On the Name & Scope page, enter a name, description, services, and users. 
  4. On the Rules & Exceptions page, select Activity Type or Category from the list. For example, Login Success: Login.
  5. Click AND to:
    • Enter a value for Activity Count is greater than or equal to. For example, 1.
    • Set the Duration for a custom anomaly detection. For example, Daily.
  6. Click AND to enter the Source IP addresses. For example, 192.158.1.38 and 112.181.2.44.
  7. Click THEN to create an Anomaly and select a Severity. For example, Critical.
  8. Click Next.
  9. Review the custom anomaly rule and click Save.