McAfee Enterprise MVISION Cloud

Access Anomalies

The following Sanctioned Service anomalies indicate potential unauthorized attempts to access a user’s account. They may also represent a user forgetting their password or an authorized user logging in from a new location. Access Anomalies contribute to threats that suggest compromised accounts.  

Anomalous Access Location

  • Anomalous access locations are indicative of potentially compromised accounts or insider threats.
  • This anomaly is detected when a user registers activity from an IP Address, Geographic Location, or an Organization that is suspicious, blacklisted, or a competitor.
  • Anomalies are detected using MVISION Cloud's blacklists and UEBA. You can also add competitor names, known bad IP addresses, and geographic locations to the blacklist to provide supervised learning.

Superhuman

  • Logins from two or more geographically distant locations (locations that a person would need to fly between to reach within a few minutes) within a short time period. This anomaly is triggered even if two different supported cloud services are accessed from geographically distant locations.
  • This may indicate that a third party is attempting to gain unauthorized access to your cloud service using an employee’s credentials from a distant location, as it would be physically impossible for the same individual to log in from both places in such a short amount of time.
  • Use the Anomaly Exception feature in cases where the use of a VPN changes a user’s IP address and incorrectly triggers this anomaly.
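
One way to express the Superhuman check described above, as an added example rather than MVISION Cloud's own detection logic: consecutive logins per user are compared across all services, and IP addresses on an exception list (such as a VPN egress) are skipped. The speed ceiling, distance floor, field names, and sample events are assumptions constructed for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import NamedTuple

MAX_KMH = 900.0  # assumed ceiling (roughly airliner cruise speed); not a product setting
MIN_KM = 500.0   # assumed "geographically distant" floor; ignores nearby geo-IP jitter

class Login(NamedTuple):
    user: str
    service: str
    when: datetime
    lat: float
    lon: float
    ip: str

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def superhuman(events, excepted_ips=frozenset()):
    """Return (user, earlier, later, km) for consecutive logins no traveller could make."""
    hits, last = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        if ev.ip in excepted_ips:      # e.g. corporate VPN egress: skip entirely
            continue
        prev = last.get(ev.user)       # keyed by user only, so services are compared together
        last[ev.user] = ev
        if prev is None:
            continue
        km = km_between(prev, ev)
        hours = (ev.when - prev.when).total_seconds() / 3600
        if km >= MIN_KM and km > MAX_KMH * hours:
            hits.append((ev.user, prev, ev, round(km)))
    return hits

# Constructed sample events (documentation-range IPs, approximate city coordinates).
SAMPLE = [
    Login("alice", "Box", datetime(2024, 5, 1, 9, 0), 40.71, -74.01, "192.0.2.10"),          # New York
    Login("alice", "Salesforce", datetime(2024, 5, 1, 9, 20), 51.51, -0.13, "198.51.100.7"), # London
    Login("bob", "Box", datetime(2024, 5, 1, 9, 0), 40.71, -74.01, "192.0.2.11"),            # New York
    Login("bob", "Box", datetime(2024, 5, 1, 17, 30), 51.51, -0.13, "198.51.100.8"),         # London
    Login("carol", "Box", datetime(2024, 5, 1, 9, 0), 37.77, -122.42, "192.0.2.12"),         # San Francisco
    Login("carol", "Box", datetime(2024, 5, 1, 9, 5), 50.11, 8.68, "203.0.113.5"),           # Frankfurt VPN
]

if __name__ == "__main__":
    for user, a, b, km in superhuman(SAMPLE, excepted_ips={"203.0.113.5"}):
        print(f"{user}: {a.service} -> {b.service}, {km} km in {b.when - a.when}")
```

In the sample, bob's two logins are 8.5 hours apart and therefore plausible travel, while carol's second login is only suppressed because its IP is on the exception list.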

Login Failure

  • A user has an abnormally large number of login attempts that have failed in a specified duration (for example, hourly, daily, weekly, or monthly), exceeding the expected threshold for this user.
  • This behavior is tracked over multiple services, so if a single user fails to sign into Box and Salesforce for a total number of times exceeding the corresponding threshold, this anomaly will be recorded.
  • Login Failure frequently indicates user accounts that are at risk of losing their credentials. In such a case, having a password policy for the CSP is strongly encouraged.

Login Success

  • A user has an abnormally large number of login attempts that have succeeded in a specified duration (for example, hourly, daily, weekly, or monthly), exceeding the expected threshold for this user.
  • This behavior is tracked over multiple services, so if a single user signs into Box and Salesforce for a total number of times exceeding the corresponding threshold, this anomaly will be recorded.
  • Login Success frequently indicates user accounts that are at risk of losing their credentials. In such a case, having a password policy for the CSP is strongly encouraged.