Types of Alerts

The following table explains the types of alerts.

For each alert, the name is followed by a description and the detection logic.

Login on weekend

Description: User login during a weekend.

Logic: Trigger an alert if a user logs in on Saturday or Sunday. Filter out users who are active on two or more consecutive weekends.

User performed an activity from an abnormal location

Description: User performed an activity from a location where they are not normally found.

Logic: Based on the session IP, compare the session location to the user's previous locations (at least 10 days of baseline required) and alert if the location is new. IPs with unknown locations are ignored.

Irregular session

Description: A user session started before or after the user's usual activity hours, as determined from the user's timeline.

Logic: Baseline data is collected for at least 14 days of activity. From this baseline, determine the user's usual start time and end time, with the thresholds set one standard deviation from the baseline start and end times. Each session that starts outside those thresholds triggers an alert.

Abnormal spike in user activity

Description: The user performed more than five times their normal number of activities.

Logic: Determine whether a baseline of at least 14 days of platform usage exists for the user. If it does, calculate the baseline number of activities, excluding some actions such as login/MFA and secret view. Trigger an alert if the user's non-excluded platform actions exceed five times the average number of activities.

Brute force

Description: An attempt was made to brute force an account.

Logic: Detect any of these events:

  • Login burst: Excessive login attempts from the same account within an hour. You can configure the minimum number of attempts.

  • Low and slow: Authentication attempts are spread over days, weeks, and months. Detects multiple failed attempts to log in; for example, 10 failed attempts over a week.

  • Distributed: Login attempts are sent from multiple IP addresses to remain below the detection threshold. This can involve thousands of IPs, with as few as one or two attempts per IP.

    This method is detected by analyzing all attempts on each account, grouping them by IP and user agent, and finding a pattern of failed attempts from multiple sources over a short period of time. Multiple sources failing at the same time or within a short window, such as a single day, indicates a distributed attack.

Account under MFA bombing attack

Description: Detects MFA bombing events and repeated attempts to access an account that requires MFA authentication.

Logic: Detect MFA bombing by performing the following:

  1. Fetch recent MFA login activities, both accepted and rejected.

  2. Group events by the initiator IP address.

  3. For each unknown IP, create an incident if:

    • Authentication was denied more than it was approved, or

    • Denial attempts exceed a system-defined threshold.
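The three MFA bombing steps above, implemented over a constructed set of MFA events as an added illustration (this is not the product's own code). The known-IP set, the lookback window of 7 days and the denial threshold of 5 are assumptions standing in for the system-defined values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA events (invented for this example, not real data).
# Each tuple is (timestamp, initiator_ip, outcome); outcome is "approved" or "denied".
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_EVENTS = (
    # Unknown IP: 3 denials vs 1 approval -> "denied more than approved" rule fires.
    [(T0 + timedelta(minutes=i), "203.0.113.7", "denied") for i in range(3)]
    + [(T0 + timedelta(minutes=3), "203.0.113.7", "approved")]
    # Unknown IP: 6 denials vs 6 approvals -> first rule does not fire, threshold (6 > 5) does.
    + [(T0 + timedelta(minutes=10 + i), "198.51.100.9", "denied") for i in range(6)]
    + [(T0 + timedelta(minutes=20 + i), "198.51.100.9", "approved") for i in range(6)]
    # Known IP with more denials than approvals: unknown-IP rules do not apply.
    + [(T0 + timedelta(minutes=30), "192.0.2.44", "denied")] * 2
    + [(T0 + timedelta(minutes=32), "192.0.2.44", "approved")]
    # Unknown IP whose denials fall outside the lookback window: not "recent", so ignored.
    + [(T0 - timedelta(days=30), "203.0.113.99", "denied")] * 4
)
KNOWN_IPS = {"192.0.2.44"}     # assumption: IPs already associated with the account
DENIAL_THRESHOLD = 5           # assumption: stand-in for the system-defined threshold
LOOKBACK = timedelta(days=7)   # assumption: what "recent" means in step 1

def detect_mfa_bombing(events, known_ips, now, lookback=LOOKBACK,
                       denial_threshold=DENIAL_THRESHOLD):
    """Apply steps 1-3. Returns {ip: (approved_count, denied_count, reason)}."""
    # Step 1: keep only recent MFA events, both accepted and rejected.
    recent = [e for e in events if now - lookback <= e[0] <= now]
    # Step 2: group by initiator IP and count outcomes per IP.
    counts = defaultdict(lambda: {"approved": 0, "denied": 0})
    for _, ip, outcome in recent:
        counts[ip][outcome] += 1
    # Step 3: for each unknown IP, open an incident if either rule holds.
    incidents = {}
    for ip, c in counts.items():
        if ip in known_ips:
            continue
        if c["denied"] > c["approved"]:
            incidents[ip] = (c["approved"], c["denied"], "denied more than approved")
        elif c["denied"] > denial_threshold:
            incidents[ip] = (c["approved"], c["denied"], "denials exceed threshold")
    return incidents

def run_sample():
    """Evaluate the constructed events one hour after T0."""
    return detect_mfa_bombing(SAMPLE_EVENTS, KNOWN_IPS, now=T0 + timedelta(hours=1))

if __name__ == "__main__":
    for ip, (ok, bad, why) in run_sample().items():
        print(f"{ip}: approved={ok} denied={bad} ({why})")
```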

Inactive user performed an action

Description: Triggered if an account that has been dormant for at least 90 days performed an activity.

Logic: For each non-enabled account, search for actions that occurred after a period of 90 days or more of inactivity, meaning that during this period the system did not record any activity for the user.