Viewing Suspicious Activity Threats

View summaries of anomalous activity and cross-application activity in the Dashboard, and jump to details in Risk Events.

When you select a Threats link on the Summary tab of the Dashboard, you jump to the Risk Events page, with the events filtered to display open threats (either across the system or for a particular cloud service, depending on which link you selected). Oracle CASB Cloud Service detects anomalous or suspicious activity within a particular cloud service instance.

To view details for suspicious activity

  1. Select Risk Events from the Navigation menu. If the Navigation menu is not displayed, click the Navigation Menu icon to display it.

  2. Click the CATEGORY column header to sort the events by category.

  3. Click a row where CATEGORY is Anomalous activity or Cross-application activity to get more information on that threat.

    The row expands to show basic information for the threat.

  4. In the ACTION column, drop down the Action menu and select View threat.

    The threat details pop-up shows either an area chart with the threat triggers (for example, the number of logins, failed logins, and IP addresses for the user) or a map showing the user's access points.

    If the pop-up contains the area chart, you can click items in the key to show or hide them. To view other actions the user has taken during the threat reporting period, click the details icon (the bar chart) in the upper right corner of the pop-up.

    Click the chart switcher tool in the upper right corner to see another view. Here you can deselect the Show All checkbox and then check individual items to be displayed.

  5. If the threat contains a map, you can hover over different parts of the map.

    The events related to that point on the map appear below the map (between the map and the table).

  6. If the threat contains activity data, the threat details table contains an Issue Count column. Click any row of this column to view details of each occurrence of the event type. For example, if the Category column shows Failed Logins, and the issue count is 4, clicking this row displays a pop-up with details for all four failed logins.

  7. Click View log data to view any additional information that the cloud service's logs provided about this event.

  8. Diagnose the threat: do additional research (if needed) to determine whether any action is required and, if so, what the action should be, as described in Office 365 Risk Factors.

Remediating and Dismissing a Suspicious Activity Threat

To complete the processing of a suspicious activity threat, process the associated incident, resolve the threat, and then dismiss it.

Oracle CASB Cloud Service automatically generates an incident ticket for each detected anomaly marked as a threat. You can manually create incident tickets to track a user with a high risk score. See Finding and Analyzing Users at Risk.

  1. After you find a threat in the Risk Events page (see Finding Users at Risk), drop down the Action menu and select View incident.
  2. In the View incident page for this threat, you can manage and resolve the incident.
  3. Once resolved, the threat and its related risk event and incident ticket are dismissed.