The Source IP rule lets you detect and monitor the source IP address of a user performing activities on a service, and helps prevent unauthorized users from gaining access to your service through restricted IP ranges. You can combine it with other rule parameters such as Activity Type or Category, Activity Count, Trust, Device, and more. An anomaly is triggered when a user performs activities on a service from a configured Source IP that exceed the expected activity count.
The Source IP parameter lets you add source IP addresses to the rule. To add multiple IP addresses, separate them with commas.
Use Case: Suppose you want to be notified when a user logs in to Dropbox from Source IP addresses such as 188.8.131.52 and 184.108.40.206 in a day.
To configure this rule:
- Go to Incidents > Anomalies > Anomaly Settings.
- Click Actions > Create a Custom Anomaly.
- On the Name & Scope page, enter a name, description, services, and users.
- On the Rules & Exceptions page, select Activity Type or Category from the list. For example, Login Success: Signed In.
- Click AND to:
  - Enter a value for Activity Count is greater than or equal to. For example, 1.
  - Set the Duration for a custom anomaly detection. For example, Daily.
- Click AND to enter the Source IP address. For example, 220.127.116.11 and 18.104.22.168.
- Click THEN to create an Anomaly and select a Severity. For example, Critical.
- Click Next.
- Review the custom anomaly rule and click Save.
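The logic this rule expresses can be checked offline against exported activity logs. The following is an added Python example, not the product's own code; the event field names, the constructed sample events (using documentation IP ranges), and the choice of UTC as the daily boundary are assumptions.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timezone

def parse_source_ips(field):
    """Parse the comma-separated Source IP field; malformed entries raise ValueError."""
    return {ipaddress.ip_address(p.strip()) for p in field.split(",") if p.strip()}

def evaluate_rule(events, activity, source_ips, min_count=1, severity="Critical"):
    """Return one anomaly per (user, UTC day) whose count of `activity` events
    from the configured Source IPs is >= min_count (Duration: Daily)."""
    watched = parse_source_ips(source_ips)
    counts = Counter()
    for ev in events:
        if ev["activity"] != activity:
            continue
        try:
            ip = ipaddress.ip_address(ev["source_ip"])
        except ValueError:
            continue  # unparseable address in the log cannot match the rule
        if ip in watched:
            ts = datetime.fromisoformat(ev["ts"]).astimezone(timezone.utc)
            counts[(ev["user"], ts.date())] += 1
    return [
        {"user": u, "day": d.isoformat(), "count": n, "severity": severity}
        for (u, d), n in sorted(counts.items()) if n >= min_count
    ]

# Constructed sample events (hypothetical schema, RFC 5737 addresses).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "activity": "Login Success",
     "source_ip": "203.0.113.10", "ts": "2024-05-01T08:15:00+00:00"},
    {"user": "alice@example.com", "activity": "Login Success",
     "source_ip": "203.0.113.10", "ts": "2024-05-01T23:50:00+00:00"},
    {"user": "alice@example.com", "activity": "Login Success",
     "source_ip": "203.0.113.10", "ts": "2024-05-02T00:05:00+00:00"},
    {"user": "bob@example.com", "activity": "Login Success",    # IP not in rule
     "source_ip": "192.0.2.77", "ts": "2024-05-01T09:00:00+00:00"},
    {"user": "bob@example.com", "activity": "Login Failed",     # wrong activity
     "source_ip": "198.51.100.23", "ts": "2024-05-01T09:05:00+00:00"},
    {"user": "carol@example.com", "activity": "Login Success",  # 02:30 UTC, May 2
     "source_ip": "198.51.100.23", "ts": "2024-05-01T21:30:00-05:00"},
]
RULE_IPS = "203.0.113.10, 198.51.100.23"

if __name__ == "__main__":
    for anomaly in evaluate_rule(SAMPLE_EVENTS, "Login Success", RULE_IPS):
        print(anomaly)
```

Raising `min_count` above 1 shows how the Activity Count threshold interacts with the daily window: logins just before and just after midnight land in different buckets and are counted separately.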