User Risk Factors

Review summaries of each risk factor for users in different application types.

Select Users in the Oracle CASB Cloud Service console, then select the username to display a user profile page for the user's risk score. Depending on the application type, you see different risk factors.

General Risk Factors

Learn about risk factors that apply to all application types.

Login count per day. In the past 24 hours the account for a user had a large number of logins relative to his or her typical behavior.

If this is a legitimate user, determine whether network outages caused the need to log in multiple times. If you can't find an obvious reason for the login count, check whether the user is sharing their login credentials (this should be discouraged).

IP addresses per day. In the past 24 hours the account for a user had logins from a large number of IP addresses relative to past behavior. This can indicate an account hijacking attempt, sharing of account credentials, or other issues related to account access.

Check whether the user is traveling or has another legitimate reason for logging in from these locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

Geo locations per day. This user account had logins from a large number of locations in the past 24 hours, relative to past behavior. This can indicate an account hijacking attempt, sharing of account credentials, or other suspicious access.

Check whether the user is traveling or has another legitimate reason for logging in from these locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

Failed logins per day. The account for a user had a large number of failed logins in the past 24 hours, relative to past behavior. This can indicate an account hijacking attempt.

Check whether the user is having login issues and needs help with selecting a strong passphrase that can also be remembered. If the user associated with this account does not recall having issues with login, determine whether this was an attempt to compromise the account.

Failed login IP addresses per day. The account for a user had failed logins from a large number of IP addresses in the past 24 hours, relative to past behavior. This can indicate an account hijacking attempt, sharing of account credentials, or other suspicious access.

Check whether the user is traveling or has another legitimate reason for logging in from these locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat. You can also run a report in Oracle CASB Cloud Service to see if the IP address has been flagged as suspicious. If you find suspicious activity, block the IP addresses performing the failed logins.

Geo locations for failed logins per day. The account for a user had failed logins from a large number of geographical locations in the past 24 hours, relative to past behavior. This can indicate an account hijacking attempt, sharing of account credentials, or other suspicious access.

Check whether the user is traveling, or has another legitimate need to log in from varying locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, or the user shared his or her login credentials.

Distance traveled per day. In the past 24 hours, the account for a user had logins that spanned unusually large geographical distances between IP addresses. This can indicate an account hijacking attempt, sharing of account credentials, or other suspicious access.

Check whether the user is traveling, or has another need to log in from different (and distant) locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, or the user shared his or her login credentials.

After-hours access. The account for a user had activity at an unusual time of day relative to his or her normal behavior.

Check whether the user is traveling, working against a deadline, or has other operational or business needs. If more investigation is needed, determine whether the user account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

Failed logins after hours. The account for a user had failed logins at an unusual time of day relative to his or her normal behavior.

Check whether the user is traveling or needs assistance with password retrieval. If more investigation is needed, determine whether the user account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

Platforms per day. In the past 24 hours the account for a user had logins from a large number of operating systems relative to his or her normal behavior.

Check whether this user has been issued a new device or has brought in a new device of their own, whether the operating systems were upgraded or changed, and whether the devices and upgrades were authorized.

Browsers per day. In the past 24 hours the account for a user had logins from a large number of browsers relative to his or her normal behavior.

Check whether this user has been issued a new device or has brought in a new device of their own, whether the operating systems were upgraded or changed, and whether the devices and upgrades are authorized.

Suspicious IPs per day. In the past 24 hours the account for a user had logins from one or more IP addresses that a threat feed or an Oracle CASB Cloud Service administrator tagged as suspicious.

Because at least one source has flagged an IP address as suspicious, check the Oracle CASB Cloud Service console, Reports section, and search for additional information about the IP address. Also check the Configuration section, Manage IP addresses page to see if an Oracle CASB Cloud Service administrator is responsible for flagging this IP address. If you find suspicious activity, block the IP addresses performing the activity and initiate your incident response plan.

Proxy IP addresses per day. In the past 24 hours the account for a user had logins using a large number of proxy IP addresses relative to his or her normal behavior. A proxy substitutes (disguises) the real IP address being used to access a cloud service with a set of substitute (proxy) IP addresses.

Check whether the user is traveling or has another need to log in from different locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, or the user shared his or her login credentials.

Access IP addresses per day. In the past 24 hours the account for a user had activity from a large number of IP addresses relative to his or her normal behavior. This includes logins and additional activities.

Check whether the user is traveling, or has another need to log in from different locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, or the user shared his or her login credentials.

Network prefixes per day. In the past 24 hours, there has been a large change in the pattern of networks that this account has connected from.

Check whether the user is traveling, or has another need to log in from different locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, or the user shared his or her login credentials.

Activity and geo locations per day. In the past 24 hours the account for a user had activity from a large number of geographical locations relative to his or her normal behavior.

Check whether the user is traveling, or has another need to log in from different (and distant) locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, or the user shared his or her login credentials.

New access IP addresses per day. In the past 24 hours the account for a user had activity from an IP address that had not been used previously.

Check whether the user is traveling, or has another need to log in from different (and distant) locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, or the user shared his or her login credentials.

New subnet masks per day. In the past 24 hours the account for a user had activity from an IP address with a new subnet mask (the final three octets).

New network prefixes per day. In the past 24 hours the account for a user had activity from an IP address with a new network prefix (the final two octets).

New access countries per day. In the past 24 hours the account for a user had activity from a country that had not been used previously.

Check whether the user is traveling, or has another need to log in from different (and distant) locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, or the user shared his or her login credentials.

New browsers per day. In the past 24 hours the account for a user had activity using a browser that had not been used previously.

Check whether this user has been issued a new device or has brought in a new device of their own, whether the operating systems were upgraded or changed, whether additional web browsers were installed, and whether the devices and upgrades were authorized.

New operating systems per day. In the past 24 hours the account for a user had activity using an operating system that had not been used previously.

Check whether this user has been issued a new device or has brought in a new device of their own, whether the operating systems were upgraded or changed, and whether the devices and upgrades were authorized.

New devices per day. In the past 24 hours, the account for a user had activity using a device that had not been used previously.

Check whether this user has been issued a new device or has brought in a new device of their own, and whether the devices and upgrades were authorized.
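As an added example (not code from the Oracle CASB Cloud Service documentation or product), the Python below computes several of the general per-day factors above from constructed login records and flags those that exceed a simple baseline built from the previous days. The 14-day window, the 2x-baseline ratio, the consecutive-hop distance rule and the sample IP addresses and coordinates are assumptions made for the illustration, not the product's scoring logic.

```python
"""Per-user login risk factors: today's counts compared with a baseline window."""
from collections import Counter
from datetime import date, datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, NamedTuple


class Login(NamedTuple):
    ts: datetime
    ip: str
    lat: float
    lon: float
    ok: bool  # True for a successful login, False for a failed one


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    dp, dl = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def day_metrics(events: List[Login], day: date) -> Dict[str, float]:
    """Counts behind the per-day factors for one calendar day."""
    today = sorted(e for e in events if e.ts.date() == day)
    seen_before = {e.ip for e in events if e.ts.date() < day}
    ok = [e for e in today if e.ok]
    bad = [e for e in today if not e.ok]
    # Distance traveled: sum of hops between consecutive successful logins (assumption).
    dist = sum(haversine_km(a.lat, a.lon, b.lat, b.lon) for a, b in zip(ok, ok[1:]))
    return {
        "login_count": len(ok),
        "ip_addresses": len({e.ip for e in ok}),
        "geo_locations": len({(e.lat, e.lon) for e in ok}),
        "failed_logins": len(bad),
        "failed_login_ips": len({e.ip for e in bad}),
        "distance_km": dist,
        "new_access_ips": len({e.ip for e in today} - seen_before),
    }


def baseline(events: List[Login], day: date, window: int = 14) -> Dict[str, float]:
    """Mean of each metric over the `window` days before `day` (quiet days count as 0)."""
    totals: Counter = Counter()
    for back in range(1, window + 1):
        totals.update(day_metrics(events, day - timedelta(days=back)))
    return {k: v / window for k, v in totals.items()}


def risk_factors(events: List[Login], day: date, ratio: float = 2.0) -> List[str]:
    """Names of factors whose value on `day` exceeds `ratio` times the baseline.

    new_access_ips is flagged whenever it is non-zero: the factor is defined as
    activity from an address not used previously, not as a count relative to past.
    """
    today, past = day_metrics(events, day), baseline(events, day)
    flagged = []
    for name, value in today.items():
        if name == "new_access_ips":
            if value > 0:
                flagged.append(name)
        elif value > max(1.0, ratio * past.get(name, 0.0)):
            flagged.append(name)
    return flagged


# Constructed sample: 14 quiet days from one London address, then a noisy day
# with logins from New York and failed logins from Tokyo.
LONDON, NEW_YORK, TOKYO = (51.5074, -0.1278), (40.7128, -74.0060), (35.6762, 139.6503)
DAY = date(2024, 3, 10)  # constructed date under review
SAMPLE: List[Login] = [
    Login(datetime(2024, 3, 10, 9, 0) - timedelta(days=d), "203.0.113.5", *LONDON, True)
    for d in range(1, 15)
] + [
    Login(datetime(2024, 3, 10, 9, 0), "203.0.113.5", *LONDON, True),
    Login(datetime(2024, 3, 10, 11, 0), "198.51.100.7", *NEW_YORK, True),
    Login(datetime(2024, 3, 10, 11, 30), "198.51.100.8", *NEW_YORK, True),
    Login(datetime(2024, 3, 10, 12, 0), "192.0.2.9", *TOKYO, False),
    Login(datetime(2024, 3, 10, 12, 5), "192.0.2.9", *TOKYO, False),
    Login(datetime(2024, 3, 10, 12, 10), "192.0.2.9", *TOKYO, False),
]

if __name__ == "__main__":
    for factor in risk_factors(SAMPLE, DAY):
        print("flagged:", factor)
```

The same count-versus-baseline comparison carries over to the per-day action counts in the AWS and Office 365 sections; only the event source and the metric names change.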

AWS Risk Factors

Learn about risk factors that are specific to Amazon Web Services (AWS).

EC2 instance starts per day. In the past 24 hours, this administrative account has issued a large number of start or run EC2 instance commands relative to past behavior. EC2 instances are virtual servers that use a defined amount of CPU, memory, and so on as defined in an Amazon Machine Image (AMI). Each time you transition an instance from stopped to started, Amazon EC2 charges a full instance hour, even if transitions happen multiple times within a single hour.

Check whether this administrator is authorized to start these EC2 instances and recalls performing these actions.

Stop EC2 instance monitoring, occurrences per day. In the past 24 hours this administrative account stopped monitoring a large number of EC2 instances relative to past behavior. EC2 instances are virtual servers that use CPU, memory, and so on as defined in an Amazon Machine Image (AMI). They are a part of your critical infrastructure.

Check whether this administrator is authorized to stop monitoring of your EC2 instances and recalls performing these actions.

EC2 instance ACLs, actions per day. In the past 24 hours, this user performed a large number of actions on EC2 network ACLs or ACL entries relative to past behavior. EC2 instances are virtual servers that use CPU, memory, and so on as defined in an Amazon Machine Image (AMI). They are a part of your critical infrastructure. EC2 Access Control Lists (ACLs) determine which users can access and manage EC2 instances.

Check whether this administrator has configured sufficiently restrictive EC2 network ACLs and recalls performing these actions.

EC2 security groups, actions per day. In the past 24 hours this administrative account performed a large number of actions related to EC2 security groups or inbound/outbound traffic rules for these groups relative to past behavior. EC2 instances are virtual servers that use CPU, memory, and so on as defined in an Amazon Machine Image (AMI). They are a part of your critical infrastructure. Security groups determine the privileges for users who access and manage EC2 instances.

Check whether this administrator has added a large number of users to the security groups because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

EC2 key pairs, actions per day. In the past 24 hours this administrative account performed a large number of actions related to EC2 key pairs relative to past behavior. These key pairs permit access to an Elastic Compute Cloud (EC2) instance, which is part of your critical infrastructure.

Check whether these are authorized actions, and that these actions support a legitimate business need with an approved change control for your organization. Determine whether the administrative account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

IAM policies, actions per day. In the past 24 hours, this user performed a large number of actions related to IAM policies relative to past behavior. Policies grant permissions to IAM users and groups, defining the resources that the user or group can access, and the actions they can perform.

Check whether the administrator updated administrative or highly privileged user policies, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

IAM groups, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Identity and Access Management (IAM) groups or group policies relative to past behavior. IAM groups provide sets of permissions to IAM users. An IAM user is an account for a person or a service that can perform administrative actions in AWS. For a service or application running on an EC2 instance, the IAM user credentials permit the service to access S3 storage buckets and other important resources.

Check whether the administrator updated administrative or highly privileged user groups, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

IAM roles, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Identity and Access Management (IAM) roles or role policies relative to past behavior. Roles provide sets of permissions to IAM users. An IAM user is an account for a person or a service that can perform administrative actions in AWS. For a service or application running on an EC2 instance, the IAM user credentials permit the service to access S3 storage buckets and other important resources.

Check whether the administrator updated administrative or highly privileged user roles, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

IAM users, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Identity and Access Management (IAM) users or user policies relative to past behavior. An IAM user is an account for a person or a service that can perform administrative actions in AWS. For a service or application running on an EC2 instance, the IAM user credentials permit the service to access S3 storage buckets and other important resources.

Check whether the administrator updated administrative or highly privileged users, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

IAM certificates, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Identity and Access Management (IAM) signing certificates or server certificates relative to past behavior. An IAM signing certificate permits the user or agent who has the certificate to use the EC2 command line and AMI tools. Server certificates enable SSL between servers and the clients that access them. AWS uses SSL certificates for various types of servers, including Elastic Load Balancing servers.

Check whether the administrator is authorized to manage IAM user certificates or server certificates, whether the certificates use valid (not deprecated) ciphers with appropriate key lengths, and that you are tracking expiration dates for timely replacement.

OpenID, actions per day. AWS supports federated authentication based on OpenID Connect (OIDC). This allows users to sign in to AWS using their credentials from another service.

Check whether this administrator is authorized to establish cross-domain trust, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

IAM access keys, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Identity and Access Management (IAM) access keys relative to past behavior. AWS uses cryptographic keys to authenticate Identity and Access Management (IAM) users.

Check whether this administrator issued these IAM access keys to authorized users, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

IAM login profiles, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Identity and Access Management (IAM) login profiles relative to past behavior. Login profiles allow users to access the AWS Management Console.

Check whether this administrator is authorized to update login profiles, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

IAM instance profiles, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Identity and Access Management (IAM) instance profiles relative to past behavior. IAM instance profiles can pass a role (a set of permissions) to an EC2 instance.

Check whether the administrator is authorized to perform these actions, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

SAML providers, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Identity and Access Management (IAM) SAML providers relative to past behavior. SAML refers to the Security Assertion Markup Language. It provides federated access to your systems, which means it permits single sign-on across security domains.

Check whether the administrator is authorized to perform these actions, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

IAM password changes per day. In the past 24 hours this administrative account performed a large number of Identity and Access Management (IAM) password changes relative to past behavior.

Check whether the administrator is authorized to perform these actions, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

Password policy changes per day. In the past 24 hours this administrative account changed a large number of Identity and Access Management (IAM) password policies relative to past behavior.

Check whether the administrator is authorized to perform these actions, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

RDS DB snapshots per day. In the past 24 hours this administrative account performed a large number of actions related to Relational Database Service (RDS) DB snapshots in AWS relative to past behavior.

Check whether the administrator is authorized to take RDS database snapshots. Also check whether the administrator recalls performing these actions.

RDS cluster snapshots per day. In the past 24 hours this administrative account performed a large number of actions related to Relational Database Service (RDS) cluster snapshots in AWS relative to past behavior.

Check whether the administrator is authorized to take RDS cluster snapshots, and recalls performing these actions.

RDS clusters, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Relational Database Service (RDS) clusters in AWS relative to past behavior.

Check whether the administrator is authorized to update RDS cluster snapshots, and recalls performing these actions.

RDS security groups, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Relational Database Service (RDS) security groups in AWS relative to past behavior.

Check whether the administrator is authorized to perform these actions, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

RDS instances, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Relational Database Service (RDS) instances in AWS relative to past behavior.

Check whether the administrator is authorized to update RDS instances, and recalls performing these actions.

EC2 IP addresses, actions per day. In the past 24 hours this administrative account performed a large number of actions related to EC2 IP addresses in AWS relative to past behavior. AWS administrators work with both private (internal network) and public (public Domain Name System, or DNS) IP addresses. The administrators also configure routing among EC2 instances using their private IP addresses.

Check whether the administrator is authorized to manage EC2 IP addresses, and recalls performing these actions.

IAM IP addresses, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Identity and Access Management IP addresses relative to past behavior. These settings identify the IP addresses from which requests are allowed to come.

Check whether the administrator is authorized to manage IAM IP addresses, and recalls performing these actions.

RDS IP addresses, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Relational Database Service (RDS) IP addresses relative to past behavior.

Check whether the administrator is authorized to manage RDS IP addresses, and recalls performing these actions.

Office 365 Risk Factors

Learn about risk factors that are specific to Office 365.

Administrative actions per day. In the past 24 hours the account for a user performed a large number of administrative changes in Office 365 relative to past behavior.

Check whether the administrator is authorized to perform these actions, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

Downloads per day. In the past 24 hours the account for a user downloaded a large amount of data from Office 365 relative to past behavior.

Check whether the downloaded files contained sensitive information.

Deletes per day. In the past 24 hours the account for a user deleted a large amount of data from Office 365 relative to past behavior.

Check the quantity of information that the user deleted, whether this information still has value to the organization, and that these actions support a legitimate business need with an approved change control for your organization.

Files modified per day. In the past 24 hours the account for a user modified an unusual number of files in Office 365 relative to past behavior.

Check whether these files contain sensitive content.

Files shared externally per day. In the past 24 hours the account for a user shared a large number of files with users in external domains relative to past behavior.

Check whether this user has shared sensitive files, whether the external users are from sanctioned domains and business partners, and that these actions support a legitimate business need with appropriate approvals to do so.

Email sent externally per day. In the past 24 hours the account for a user sent a large amount of email to users in external domains relative to past behavior.

Check whether this user has sent sensitive files, whether the external users are from sanctioned domains and business partners, and that these actions support a legitimate business need with appropriate approvals to do so.

Emails received from external domains per day. In the past 24 hours the account for a user received a large amount of email from external domains relative to past behavior.

Check whether this activity was supporting a legitimate business need.

IP addresses used to access SharePoint/OneDrive per day. In the past 24 hours the account for a user accessed SharePoint and OneDrive from a large number of IP addresses relative to past behavior.

Check whether the user is traveling or has another legitimate reason for logging in from these locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

IP addresses used to access Azure AD per day. In the past 24 hours the account for a user accessed Azure AD using a large number of IP addresses relative to past behavior.

Check whether the user is traveling or has another legitimate reason for logging in from these locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.