Risks for Access IPs and Clients

Understand how to identify and analyze risks related to IP addresses and clients.

Oracle CASB Cloud Service monitors for several different types of risk for access IPs and clients.

Suspicious and Normal Access IP Addresses: The Dashboard Access Map

Understand how to interpret the IP address information displayed in the Access Map in the Dashboard.

Threat feeds and Oracle CASB Cloud Service administrators can flag IP addresses as suspicious. The Access Map on the Dashboard shows geographical locations with user activity from both trusted IP addresses and IP addresses that were flagged as suspicious.

  • Green pins or radial icons on the map indicate geographical locations with activity that appears to be normal.

  • Red pins on this map indicate geographical locations with events that are a threat or that an Oracle CASB Cloud Service administrator has tagged as suspicious. Red radial icons indicate a cluster in which at least one pin is red.

    Note:

    When Oracle CASB Cloud Service detects a threat, it doesn't automatically change the pin color in the Access Map to red. You can investigate threats and determine whether the IP addresses included in a threat should be flagged as suspicious by manually adding them to a blacklist. See Putting IP Addresses on Blacklists or Whitelists.
  • Radial icons indicate a cluster of access locations. If the icon is red, then this indicates at least one suspicious location is included in the cluster. Click these points to view the individual access points.

To investigate pins on the Access Map

  1. Select Dashboard from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

  2. In the Access Map, click a pin, or click a radial icon to expose its underlying pins.

  3. Click the link for the number of events in the pin location.

  4. A corresponding report appears in the Reports page.

  5. To sort the report, click the column header that you want to use as the sort key.

  6. To filter the report, ensure that the filters widget is exposed, set a filter (for example, select a date range), and then click Search.

  7. To save the report by exporting the data to a CSV file, continue with Exporting a report.

The IP Addresses Analyzed Card

Understand how to interpret the IP information displayed in the IP Addresses Analyzed card.

Oracle CASB Cloud Service ingests information about suspicious IP addresses from several third-party providers and lists normal and suspicious IP addresses in this card. You can also add blacklisted or whitelisted IP addresses to be monitored. To add blacklisted or whitelisted IP addresses for monitoring, see Putting IP Addresses on Blacklists or Whitelists.

To view details of the IP addresses analyzed, click the report icon (the grid).

Any IP addresses that are flagged as suspicious should be investigated. Copy and paste the IP address into the risk event viewer in the Risk Events section of the Oracle CASB Cloud Service console to see if the suspicious IP address is implicated in any policy alerts and threats that Oracle CASB Cloud Service detected.
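
A similar cross-check can be run offline on a report exported to CSV. The following is an added example, not part of the Oracle documentation: it matches each row's source IP against blacklist and whitelist entries (single addresses or CIDR ranges). The column names, the sample rows, and the rule that whitelist entries win are assumptions of this example.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample standing in for an exported report; the column names
# are assumptions, so rename them to match the header row of your export.
SAMPLE_CSV = """ip_address,user,client_type,event
203.0.113.7,alice@example.com,Browser,Login
198.51.100.23,bob@example.com,API Call,Download
203.0.113.200,carol@example.com,Other,Login
192.0.2.15,dave@example.com,Browser,Login
not-an-ip,erin@example.com,Other,Login
"""

def parse_networks(entries):
    """Turn single IPs or CIDR ranges into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def triage(csv_text, blacklist, whitelist=(), ip_col="ip_address"):
    """Group report rows by flagged source IP.

    Returns (hits, unparsed): hits maps each blacklisted IP to its rows,
    unparsed collects rows whose address could not be read. Whitelist
    entries take precedence here, which is this example's choice.
    """
    black, white = parse_networks(blacklist), parse_networks(whitelist)
    hits, unparsed = defaultdict(list), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            addr = ipaddress.ip_address(row[ip_col].strip())
        except ValueError:
            unparsed.append(row)  # keep for manual review, do not drop
            continue
        if any(addr in net for net in white):
            continue
        if any(addr in net for net in black):
            hits[str(addr)].append(row)
    return dict(hits), unparsed

if __name__ == "__main__":
    hits, unparsed = triage(SAMPLE_CSV, ["203.0.113.0/24", "198.51.100.23"],
                            whitelist=["203.0.113.200"])
    for ip, rows in sorted(hits.items()):
        print(ip, [(r["user"], r["client_type"], r["event"]) for r in rows])
    print("unparsed rows:", len(unparsed))
```

Rows with an unreadable address are returned separately so they can be reviewed by hand.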

The Client and Device Access Card

Understand how to interpret the information displayed in the Client and Device Access card.

The Client and Device Access card summarizes the device types and services that accessed your applications. The API Call label identifies access by a program or application. A device type of Other means the client type couldn't be identified.

Click the report icon (the grid) to see a detailed report about client and device access. Click a bar in the chart to see a detailed report about access from that client or device type.