McAfee Enterprise MVISION Cloud

Administration Anomalies

Users who can add, delete, or modify existing users have unparalleled access to an organization's Sanctioned IT cloud services and often have the greatest opportunity to compromise valuable or sensitive data. Privileged Access anomalies identify when your administrative users engage in activity that exceeds established thresholds for normal behavior in a Sanctioned cloud service. This may indicate a malicious user creating new accounts to conceal unauthorized access, or benign activity such as an unusually large hiring spike or an unfortunate period of layoffs. Administration Anomalies are linked to specific threats involving privileged access misuse. These anomalies are based on Activity Thresholds and are mapped to specific service actions.

Administration

This anomaly is triggered when a user's total administration activities are abnormally high in the specified duration, exceeding the specified threshold. This represents an aggregate of administration activities, including account creation and deletion, where neither action on its own would trigger an anomaly.

User Account Creation

This anomaly indicates that an administrator has created an abnormally large number of user accounts in the specified duration, exceeding the expected threshold. Excessive creation and deletion of user accounts may indicate a compromised account is creating dummy accounts for the purpose of unauthorized access.

User Account Deletion

If an administrator deletes an abnormally large number of user accounts in the specified duration, exceeding the expected threshold, this anomaly is triggered. Excessive creation and deletion of user accounts may indicate a compromised account is creating dummy accounts for the purpose of unauthorized access.
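
The three threshold checks described above, sketched as an added example that is not MVISION Cloud's own code. The one-hour window, the threshold values, the action names and the sample audit events are all assumptions constructed for illustration; the point shown is that the aggregate Administration anomaly can fire when neither creation nor deletion exceeds its own threshold.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values: the page does not state any duration or threshold.
WINDOW = timedelta(hours=1)
THRESHOLDS = {"create_user": 5, "delete_user": 5, "administration": 8}

def detect(events, window=WINDOW, thresholds=THRESHOLDS):
    """Return {(admin, anomaly)} for every count that exceeds its threshold
    inside a sliding window. events: iterable of (iso_timestamp, admin, action)."""
    recent = defaultdict(deque)   # (admin, category) -> timestamps still in window
    alerts = set()
    for ts, admin, action in sorted(events):
        t = datetime.fromisoformat(ts)
        # Every action counts toward the aggregate; create/delete also count alone.
        for category in ("administration", action):
            if category not in thresholds:
                continue
            q = recent[(admin, category)]
            q.append(t)
            while t - q[0] > window:      # drop events older than the window
                q.popleft()
            if len(q) > thresholds[category]:
                alerts.add((admin, category))
    return alerts

def build_sample_events():
    """Constructed audit events for three hypothetical administrators."""
    base = datetime(2024, 1, 1, 9, 0)
    events = []
    def add(admin, action, minute):
        events.append(((base + timedelta(minutes=minute)).isoformat(), admin, action))
    for i in range(4):                    # alice: 4 creates + 4 deletes + 1 modify
        add("alice", "create_user", i * 5)
        add("alice", "delete_user", i * 5 + 2)
    add("alice", "modify_user", 30)
    for i in range(6):
        add("bob", "create_user", i * 5)        # bob: 6 creates in 25 minutes
        add("carol", "delete_user", i * 120)    # carol: 6 deletes, 2 hours apart
    return events

SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    for admin, anomaly in sorted(detect(SAMPLE_EVENTS)):
        print(f"{admin}: {anomaly} threshold exceeded")
```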
