Skip to content

Activity Insights

You can use Activity Insights to monitor activity in your cloud environments.

Click Activity Insights and choose from the following:

  • Anomalies.
  • Graphs.
  • Logs.


Sophos Cloud Optix learns about users' cloud activity and builds patterns of normal behavior. Once a day we analyze activity and report anomalies when there's enough evidence of unusual behavior.

Examples of behavior that's different to your usual patterns are as follows:

  • A user does actions they've never done before.
  • A user completes actions outside their normal working hours.
  • A user takes riskier actions than before.

You can see the anomalies we found in Activity Insights.

Click the plus sign next to an anomaly to find out why Sophos Cloud Optix decided the actions were anomalous and might represent risk.

Click See all activity to see the actions that contributed to the decision, in time and date order.

You can click the thumbs up or thumbs down icons next to an anomaly. This helps Sophos Cloud Optix learn about normal and abnormal activity for your organization, making future detections more accurate.


If a user's activities change because their role has changed, anomalies may be reported. Sophos Cloud Optix soon learns the new behavior and the level of anomaly reports reduces.

Anomaly confidence and alerts

We assign a confidence level to each anomaly based on how far it differs from normal behavior. You can use the Anomaly Confidence rating in Activity Insights to filter anomalies by confidence level.

Sophos Cloud Optix raises alerts for high confidence anomalies.

If you have Sophos MDR, we also send alerts for high confidence anomalies to Sophos Central. See Sophos MDR.

User types

In User Type you can see values from the AWS CloudTrail userIdentity element or Azure principalType.

For AWS this includes IAMUser and AssumedRole. For a complete list of values see CloudTrail userIdentity element.

For Azure this includes Service Principal and User.

In User Type, Automation indicates users that Sophos Cloud Optix has decided, from patterns of activity, could be automated users. The users could be, for example, running processes every day or at a very high rate compared to other users.

You can use the userType field to search for potential automated users. See AWS Anomalies for AWS and Azure: Anomalies for Azure.


Click Graphs to see graphs and global maps showing activity in your cloud environments.

You can click High-risk to see user actions that haven't been done before, and are considered high risk.


Click Logs to see a list of events in your cloud environments.

You can click High-risk to see user actions that haven't been done before, and are considered high risk.