Security Engines - Compromised Account (Anomaly) Detection

The Anomaly Detection engine detects behaviors or actions that seem abnormal when observed in the context of an organization and a user's historical activity. The engine analyzes the behavior using a machine-learning algorithm that builds a profile based upon historical event information, including login locations and times, data-transfer behavior, and email message patterns. Anomalies are often a sign that an account is compromised.

When an anomaly is detected, a security event is generated providing the context and other information necessary for investigation. Depending on the Severity Level, the anomaly is categorized as Critical or Suspected.

  • Critical anomalies are events indicating a high probability for compromised accounts. These anomalies require investigation and validation from administrators and should be handled immediately.
  • Suspected anomalies are events that might indicate a compromised account and can be reviewed with a lesser sense of urgency.

By default, for critical anomalies, the Anomaly Detection engine sends email alerts to administrators. To configure the Anomaly Detection engine not to send email alerts for anomalies, or to receive email alerts for all anomalies, see Configuring Anomaly Detection.

To focus on high-probability account takeover, do one of these:

  • On the Events page, filter the events by Type (Anomaly) and Severity Level (Critical).
  • On the Overview page, under Security Events, click on Filter by Type and select Critical Anomalies.
  • On the Overview page, click on the Anomalies card main indicators.

Configuring Anomaly Detection

  1. Navigate to Configuration > Security Engines.
  2. Under Anomaly Detection, click Configure.
  3. To configure email alerts for anomalies, under Alert admin on detected anomalies, select one of these:
    • Critical anomalies only - Administrators receive email alerts only for high probability account takeover events (critical severity anomaly events).
    • All anomalies - Administrators receive email alerts on high probability account takeover and suspected account takeover events (high severity anomaly events and below).
    • Do not alert - Administrators will not receive email alerts on account takeover events.
  4. To stop creating a "massive sender" anomaly when an email is sent to an unusually large number of recipients through a distribution list, select the Allow distribution list massive emails checkbox.
  5. To also generate geo-suspicious events for logins from within the same country, select the Enable Intra-Country geo-suspicious events checkbox.
  6. Click Save.

Anomaly Exceptions

At times, to handle falsely flagged events, administrators may need to create exceptions for anomaly detections.

To create Anomaly exceptions:

  1. Go to the Events screen.
  2. Select the anomaly event for which you want to create an exception.
  3. Click on the vertical ellipsis icon (on the right side of the selected anomaly event), and select Add Exception.
    The Create allow-list for anomaly pop-up screen appears.
  4. Under Allow-List type, select the required exception from the drop-down.
    Note - The drop-down shows different options applicable for the anomaly event you selected.
  5. Under Apply for all past events, select Yes or No.
    • Yes - The exception gets applied to all the events in the past and to the future events.
    • No - The exception gets applied only to the event you selected and to all the future events.
  6. If required, enter a Comment for the anomaly exception.
  7. Click OK.

To see all the anomaly exceptions, go to Configuration > Anomaly Exceptions.

Supported Anomalies

Critical Anomalies

New delete-all-emails rule

This anomaly inspects new rules configured to delete all incoming emails. It detects a potentially malicious configuration that deletes all incoming emails. This behavior may indicate an account takeover.

This anomaly has the highest impact.

Users Sending Malicious Emails

This anomaly is triggered when an internal user sends a phishing or spam email to internal and/or external recipients.

Note - Using exceptions, administrators can disable this anomaly for a specific user or for all users.

Suspected Anomalies

First Time in New Country

This anomaly is triggered when a user logs in from a country they have never logged in from before.

Note - If the user's title includes the name of a country, logging in from that country will not be flagged.

Reset Password Anomaly

This anomaly detects successful account takeovers. This anomaly is triggered when a user has received three or more password reset emails (each from a different service) in a short amount of time.

It informs the administrator that a user has attempted to recover their password from three different services.

Example: If someone wants to take over Joe's GitHub account, they may first try to take over his Gmail account. Once they succeed in taking over his Gmail, they can use it to reset his password in the GitHub account - and take it over as well.

Massive senders

This anomaly detects users that start sending emails at an unusual rate.

It is based on a baseline that is built for every user during Learning Mode and over the span of 30 days after onboarding, measuring the amount of emails sent from the user per minute.

Event text - <user> has sent an unusual number of emails - at a rate of <rate> emails per minute.
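As an added example (not Check Point's code), the following simplified model shows how a per-user emails-per-minute baseline from Learning Mode can feed a "massive sender" check, and how the Allow distribution list massive emails option from Configuring Anomaly Detection changes the outcome. The Send record shape, the way distribution-list mail is discounted, and the "3x the learned peak" threshold are assumptions, not the product's actual algorithm.

```python
# Added example, not Check Point's code: a simplified per-user baseline and
# "massive sender" check modelled on the description above. The Send shape, the
# distribution-list discount and the 3x-peak threshold are assumptions.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

@dataclass
class Send:
    sender: str
    when: datetime
    recipients: int
    via_distribution_list: bool = False

def weight(s: Send, allow_dl_massive: bool) -> int:
    # A message to N recipients counts as N emails, unless the DL option is on and it went to a DL.
    return 1 if (allow_dl_massive and s.via_distribution_list) else s.recipients

def per_minute_rates(sends: List[Send], allow_dl_massive: bool) -> Dict[str, Counter]:
    """user -> Counter(minute -> emails sent in that minute)."""
    rates: Dict[str, Counter] = {}
    for s in sends:
        minute = s.when.replace(second=0, microsecond=0)
        rates.setdefault(s.sender, Counter())[minute] += weight(s, allow_dl_massive)
    return rates

def build_baseline(learning: List[Send], allow_dl_massive: bool) -> Dict[str, int]:
    """Peak emails-per-minute observed for each user during Learning Mode."""
    return {u: max(c.values())
            for u, c in per_minute_rates(learning, allow_dl_massive).items()}

def check_massive_sender(baseline: Dict[str, int], recent: List[Send],
                         allow_dl_massive: bool, factor: int = 3) -> List[str]:
    """Event text for each user whose current peak rate exceeds factor x baseline."""
    events = []
    for user, counter in per_minute_rates(recent, allow_dl_massive).items():
        rate = max(counter.values())
        if rate > factor * baseline.get(user, 1):
            events.append(f"{user} has sent an unusual number of emails - at a rate of {rate} emails per minute.")
    return events

# Constructed sample data: Joe's learned peak is 2 emails/minute; later one
# message goes to a 40-member distribution list.
D = datetime(2024, 1, 15)  # constructed date
LEARNING = [Send("joe@example.com", D.replace(hour=9), 1), Send("joe@example.com", D.replace(hour=9), 1),
            Send("joe@example.com", D.replace(hour=9, minute=5), 1)]
RECENT = [Send("joe@example.com", D.replace(hour=14), 40, via_distribution_list=True)]
```

With the option off, Joe's burst produces the event text shown above; with it on, the same send is counted as one email and no event is raised.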

Auto-forwarding to external email address

This anomaly is based on reading the Office 365 management events. It processes specific events triggered when a mailbox auto-forwarding rule is created.

The anomaly does these tasks:

  • Inspects new auto-forwarding rules created in Office 365
  • Checks if the target email is 'external' to the organization. If the email is external, then an anomaly is triggered.

Note - The anomaly's severity is decided based on the forwarding condition. If there is no condition, the severity is set to high. By default, the severity is set to medium.

Unusual Country Anomaly

This anomaly detects incoming emails from countries associated with phishing attempts and various types of cyber attacks.

By default, these countries are Nigeria and China. The Allow-List allows you to ignore events from either of these two countries.

Suspicious Geo Location

This anomaly detects possible credential theft and use from another location. It detects frequent login and email events from different locations, and alerts the administrator about what is likely to be another person operating from a company employee's account.

It is possible to create an Allow-List rule for accounts (for example, employees that use a VPN or similar tools on a frequent basis).

Suspicious MFA login failure

This anomaly detects login operations that failed during Multi Factor Authentication (MFA)/Second Factor Authentication (2FA). To reduce the rate of false detection, it correlates the failed MFA with additional events or follow-up successful login.

Event text - A suspicious login failure for <email>, attempting to login from <geo location>, failing at the MFA stage.

Note - The detection is not generated in real time, as it correlates and analyzes past events and successful logins. An alert may be generated a few hours after the failed login.

Client is a vulnerable browser

This anomaly checks whether the client browser is vulnerable. It checks the browser version used by the end user performing the event (when reported by the SaaS), and compares it to a list of old versions with known vulnerabilities.