Figure 1. Cloud App Security threat detection new alerts

You also want to have all the information possible, so you can triage the different alerts quickly and decide which ones need to be taken care of first. To do this, you’ll need the context around the alert, so you can see the bigger picture and understand whether something malicious is indeed happening. To help with this, we have made improvements to the alert investigation capabilities in the activity log with the newly added “User Insights.” This includes information such as the number of alerts, the user's activities, and where they have connected from, all of which is important in an investigation.
Figure 2. Cloud App Security Activity log, User Insights

Now you can easily understand the suspicious activities that the user was performing and gain deeper confidence as to whether the account was compromised. For example, an alert on multiple failed logins may indeed be suspicious and can indicate a potential brute force attack, but it can also be an application misconfiguration, making the alert a benign true positive. However, if you see a multiple failed logins alert together with additional suspicious activities, then there is a higher probability that the account is compromised. In the example below, you can see that the “Multiple failed login attempts” alert was followed by “Activity from a TOR IP address” and “Impossible travel activity,” both strong indicators of compromise (IOCs) by themselves. If this wasn’t suspicious enough, we can see that the same user then performed a “Mass download” activity, which is often an indicator of the attacker exfiltrating data.
Figure 3. Example user alerts
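The triage logic described above, correlating a user's alert chain rather than judging each alert in isolation, as an added example that is not Microsoft's code and not part of the original post. The alert names are the ones quoted in the post; the record layout, the alert weights, the 24-hour correlation window and the sample log entries are assumptions constructed for this example.

```python
"""Rank users for triage by correlating the chain of alerts in their activity log.

Added example (not Microsoft's code). A lone "Multiple failed login attempts"
alert may be a benign true positive (e.g. a misconfigured app), so it scores
low by itself; the same alert followed by a strong IOC (TOR IP, impossible
travel) within the window is treated as a compromise chain, and a "Mass
download" after that chain is flagged as possible exfiltration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Weights are assumptions for this example, not Cloud App Security's scoring.
ALERT_WEIGHTS = {
    "Multiple failed login attempts": 1,
    "Activity from a TOR IP address": 3,
    "Impossible travel activity": 3,
    "Mass download": 4,
}
STRONG_IOCS = {"Activity from a TOR IP address", "Impossible travel activity"}

# Constructed sample activity-log entries (not real data). Times are ISO 8601.
SAMPLE_ALERTS = [
    {"user": "alice@contoso.example", "time": "2020-03-10T08:02:00", "alert": "Multiple failed login attempts", "ip": "203.0.113.5"},
    {"user": "alice@contoso.example", "time": "2020-03-10T08:40:00", "alert": "Activity from a TOR IP address", "ip": "198.51.100.9"},
    {"user": "alice@contoso.example", "time": "2020-03-10T09:15:00", "alert": "Impossible travel activity", "ip": "192.0.2.77"},
    {"user": "alice@contoso.example", "time": "2020-03-10T09:50:00", "alert": "Mass download", "ip": "192.0.2.77"},
    {"user": "bob@contoso.example", "time": "2020-03-10T07:00:00", "alert": "Multiple failed login attempts", "ip": "203.0.113.20"},
    {"user": "bob@contoso.example", "time": "2020-03-10T07:05:00", "alert": "Multiple failed login attempts", "ip": "203.0.113.20"},
    {"user": "carol@contoso.example", "time": "2020-03-09T22:00:00", "alert": "Multiple failed login attempts", "ip": "203.0.113.44"},
    {"user": "carol@contoso.example", "time": "2020-03-10T20:00:00", "alert": "Impossible travel activity", "ip": "198.51.100.2"},
]


def user_insights(alerts):
    """Per-user summary in the spirit of 'User Insights': alert count, source IPs, timeline."""
    by_user = defaultdict(list)
    for a in alerts:
        by_user[a["user"]].append(a)
    insights = {}
    for user, items in by_user.items():
        items = sorted(items, key=lambda a: a["time"])
        insights[user] = {
            "alert_count": len(items),
            "source_ips": sorted({a["ip"] for a in items}),
            "timeline": [(a["time"], a["alert"]) for a in items],
        }
    return insights


def score_user(items, window=timedelta(hours=24)):
    """Score one user's time-sorted alerts. Returns (score, chain, exfil_flag).

    The chain starts at the first failed-login alert; strong IOCs inside the
    window extend it, and a mass download after a strong IOC sets exfil_flag.
    A chain that never grows past the failed logins is not doubled.
    """
    score, chain, chain_start, exfil = 0, [], None, False
    for a in items:
        t = datetime.fromisoformat(a["time"])
        name = a["alert"]
        score += ALERT_WEIGHTS.get(name, 0)
        if name == "Multiple failed login attempts" and chain_start is None:
            chain_start, chain = t, [name]
        elif chain_start is not None and t - chain_start <= window:
            if name in STRONG_IOCS and name not in chain:
                chain.append(name)
            elif name == "Mass download" and len(chain) > 1:
                chain.append(name)
                exfil = True
    if len(chain) > 1:  # failed logins corroborated by a strong IOC
        score *= 2
    return score, chain, exfil


def triage_queue(alerts, window=timedelta(hours=24)):
    """Return [(user, score, chain, exfil_flag), ...] sorted highest-risk first."""
    by_user = defaultdict(list)
    for a in alerts:
        by_user[a["user"]].append(a)
    queue = []
    for user, items in by_user.items():
        items = sorted(items, key=lambda a: a["time"])
        score, chain, exfil = score_user(items, window)
        queue.append((user, score, chain, exfil))
    queue.sort(key=lambda row: row[1], reverse=True)
    return queue


if __name__ == "__main__":
    for user, score, chain, exfil in triage_queue(SAMPLE_ALERTS):
        print(f"{score:>3}  exfil={exfil!s:5}  {user}: {' -> '.join(chain)}")
```

With the sample data, alice (failed logins, TOR, impossible travel, then mass download) ranks first with the exfiltration flag set, carol's failed logins plus impossible travel 22 hours later still correlate inside the window, and bob's two failed-login alerts with nothing after them stay at the bottom of the queue. Shrinking the window to 12 hours drops carol's chain back to the failed logins alone.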