Users who can add, delete, or modify existing users have unparalleled access to an organization's Sanctioned IT cloud services and often have the greatest opportunity to compromise valuable or sensitive data. Administration or Privileged Access anomalies identify when your administrative users engage in activity that exceeds established thresholds for normal behavior in a Sanctioned cloud service. This may indicate a malicious user creating new accounts to conceal unauthorized access, or it may be benign activity such as an unusually large hiring spike or an unfortunate period of layoffs.
Administration Anomalies are linked to specific threats involving privileged access misuse. These anomalies are based on Activity Thresholds and are mapped to specific service actions.
This anomaly is triggered when a user's total administration activities are abnormally high in the specified duration, exceeding the specified threshold. It represents an aggregate of administration activities, including account creation and deletion, so it can fire even when neither action on its own would trigger an anomaly.
User Account Creation
This anomaly indicates that an administrator has created an abnormally large number of user accounts in the specified duration, exceeding the expected threshold. Excessive creation and deletion of user accounts may indicate that a compromised account is creating dummy accounts for the purpose of unauthorized access.
User Account Deletion
If an administrator deletes an abnormally large number of user accounts in the specified duration, exceeding the expected threshold, this anomaly is triggered. Excessive creation and deletion of user accounts may indicate that a compromised account is creating dummy accounts for the purpose of unauthorized access.
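The threshold logic described above (per-action creation and deletion anomalies plus the aggregate administration anomaly that fires when neither action alone exceeds its threshold), as an added illustration that is not the product's own detection code. The audit events, action names, thresholds and window are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed audit events (admin, action, timestamp); not real tenant data.
# alice: 3 creates + 4 deletes, bob: 6 creates, carol: 1 delete,
# plus one bob event outside the window that must be ignored.
EVENTS = [
    ("alice", "user.create", "2024-03-01T09:00:00"),
    ("alice", "user.create", "2024-03-01T09:05:00"),
    ("alice", "user.create", "2024-03-01T09:10:00"),
    ("alice", "user.delete", "2024-03-01T10:00:00"),
    ("alice", "user.delete", "2024-03-01T10:05:00"),
    ("alice", "user.delete", "2024-03-01T10:10:00"),
    ("alice", "user.delete", "2024-03-01T10:15:00"),
    ("bob", "user.create", "2024-03-01T11:00:00"),
    ("bob", "user.create", "2024-03-01T11:01:00"),
    ("bob", "user.create", "2024-03-01T11:02:00"),
    ("bob", "user.create", "2024-03-01T11:03:00"),
    ("bob", "user.create", "2024-03-01T11:04:00"),
    ("bob", "user.create", "2024-03-01T11:05:00"),
    ("carol", "user.delete", "2024-03-01T12:00:00"),
    ("bob", "user.create", "2024-02-28T08:00:00"),  # before the window
]

# Assumed activity thresholds; an anomaly fires when a count EXCEEDS its threshold.
THRESHOLDS = {"user.create": 5, "user.delete": 5, "administration": 6}
ADMIN_ACTIONS = ("user.create", "user.delete", "user.modify")

def detect_admin_anomalies(events, window_start, window_hours, thresholds=THRESHOLDS):
    """Return sorted (admin, anomaly, count) tuples for one fixed window."""
    start = datetime.fromisoformat(window_start)
    end = start + timedelta(hours=window_hours)
    counts = Counter()
    for admin, action, ts in events:
        when = datetime.fromisoformat(ts)
        if action in ADMIN_ACTIONS and start <= when < end:
            counts[(admin, action)] += 1
    anomalies = []
    for admin in sorted({admin for admin, _ in counts}):
        total = 0
        for action in ADMIN_ACTIONS:
            n = counts[(admin, action)]
            total += n  # every admin action feeds the aggregate
            if n > thresholds.get(action, float("inf")):
                anomalies.append((admin, action, n))
        if total > thresholds["administration"]:
            anomalies.append((admin, "administration", total))
    return anomalies

if __name__ == "__main__":
    for row in detect_admin_anomalies(EVENTS, "2024-03-01T00:00:00", 24):
        print(row)
```

Here alice trips only the aggregate anomaly (3 creates and 4 deletes are each under 5, but 7 total exceeds 6), while bob trips the creation anomaly alone.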