Cloud Threat Analytics: Alert Types

Description

User Login Anomalies

Logins from Unapproved Location

Notification when an account is logged in to from outside an approved location.

Conditional Access Violation

Notification when an account has been successfully accessed from a region where access is intended to be restricted. The event indicates that the account name and password have been used successfully, possibly by a malicious party.


User Activity Anomalies

Email Forwarding Rules

Monitoring for rules that forward emails to addresses outside of the domain.

Multiple Login Connections from Different IP Addresses

Notification when the same account is logged in to from different IP addresses.

User Restriction Events

The default security policy has detected unusual activity on the account and has restricted email sending functionality.


Admin Activity Anomalies

Admin Role Changes

Notification when a user is added to an admin role.

Multi-Factor Authentication Changes

Notification when a user’s MFA is disabled, which may be due to a compromise; it also helps verify whether an admin is abusing their role.


Logged Events

  • Account Logins (Successful, Failed)
  • File Events (Download, Deleted, Emptied from Recycle Bin, Permanent Deletion, Modified, Upload, Opened)
  • File Event Anomalies
  • File Sharing (External, Internal)
  • Password Resets
  • SaaS Integrations
  • User Account Creation & Deletion
  • Policy Events (Security Group Change, Security Policy Change)
  • Unknown Actor Trying to Access the Domain
  • Multiple Password Resets
  • Singular Account Locks
