Outbound network traffic anomalies
Sophos Cloud Optix detects anomalous outbound network traffic.
This detection uses a time series-based model. It learns the normal outbound traffic flow in your environment, based on time and location patterns, and then flags outbound traffic that deviates from that learned baseline.
Use cases
This model helps detect suspicious spikes in outbound traffic, which can indicate an attack that is exfiltrating data.
Learning period and customizations
This detection has a self-training period of 21 days, during which it learns the baseline and raises no alerts. After that period it starts showing alerts.
A separate model is trained for each combination of account ID and destination port. The models are retrained frequently so that the baseline tracks the latest traffic behavior.
Alerts
Alerts for anomalous traffic include these details:
Field | Description |
---|---|
Account ID | The cloud account in which the traffic was observed |
Timeframe | The 30-minute slot in which the deviation occurred |
Total Traffic | Total outbound traffic observed in the timeframe |
Expected Traffic | Traffic predicted for that timeframe by the machine learning model |
Variation | Difference between the observed and the expected traffic |
Destination port | Destination port of the flagged traffic (each port has its own model) |
Destination protocol | Protocol of the flagged traffic |
Top Originating IPs | Source IPs contributing most of the traffic in the timeframe |
Top Destination IPs | Destination IPs receiving most of the traffic in the timeframe |
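The following is an added example, not Sophos Cloud Optix code, showing how a baseline of this kind can be built and scored: one model per account ID, destination port and protocol, traffic summed into 30-minute slots and compared with that model's history for the same slot of day, a 21-day self-training window during which nothing is alerted, and alerts carrying the fields listed in the table above. The flow records, the account ID, the IP addresses, the 3-standard-deviation and 2x thresholds and the 5% standard-deviation floor are all assumptions made for the illustration; the features and thresholds of the real model are not documented on this page.

```python
"""Simplified outbound-traffic baseline detector (added example, not Sophos code).
One model per (account ID, destination port, protocol): bytes are summed into 30-minute
slots and scored against that model's history for the same slot of day once it has a
21-day training window. Thresholds, account ID, addresses and flows are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import random
import statistics

SLOT_MINUTES = 30
TRAINING_DAYS = 21      # self-training period stated on the page
Z_THRESHOLD = 3.0       # assumption: alert above 3 std over expected ...
RATIO_THRESHOLD = 2.0   # ... and only if at least 2x the expected bytes

def slot_start(ts):
    """Floor a timestamp to the start of its 30-minute slot."""
    return ts.replace(minute=ts.minute - ts.minute % SLOT_MINUTES, second=0, microsecond=0)

def slot_of_day(ts):
    """Slot index within the day (0..47): the time pattern the baseline keys on."""
    return (ts.hour * 60 + ts.minute) // SLOT_MINUTES

def aggregate_slots(flows):
    """Sum bytes per (account, dst_port, protocol, slot), keeping per-IP shares."""
    slots = {}
    for f in flows:
        key = (f["account_id"], f["dst_port"], f["protocol"], slot_start(f["ts"]))
        s = slots.setdefault(key, {"bytes": 0, "src": defaultdict(int), "dst": defaultdict(int)})
        s["bytes"] += f["bytes"]
        s["src"][f["src_ip"]] += f["bytes"]
        s["dst"][f["dst_ip"]] += f["bytes"]
    return slots

def top_ips(counter, n=3):
    """IPs ordered by bytes contributed, highest first."""
    return [ip for ip, _ in sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:n]]

def detect(flows):
    """Score slots in time order; no alerts until a model has TRAINING_DAYS of history.
    Every scored slot is folded back into the history (the frequent retraining)."""
    history = defaultdict(list)   # (account, port, proto, slot_of_day) -> bytes per slot
    first_seen = {}               # (account, port, proto) -> first slot start
    alerts = []
    ordered = sorted(aggregate_slots(flows).items(), key=lambda kv: (kv[0][3],) + kv[0][:3])
    for (account, port, proto, start), s in ordered:
        model = (account, port, proto)
        first_seen.setdefault(model, start)
        samples = history[model + (slot_of_day(start),)]
        if start - first_seen[model] >= timedelta(days=TRAINING_DAYS) and len(samples) >= 2:
            expected = statistics.mean(samples)
            # assumption: floor std at 5% of expected so a near-constant history does
            # not turn ordinary jitter into a huge z-score
            std = max(statistics.pstdev(samples), 0.05 * expected, 1.0)
            if (s["bytes"] - expected) / std > Z_THRESHOLD and s["bytes"] > RATIO_THRESHOLD * expected:
                variation = 100.0 * (s["bytes"] - expected) / expected if expected else float("inf")
                alerts.append({
                    "Account ID": account,
                    "Timeframe": (start, start + timedelta(minutes=SLOT_MINUTES)),
                    "Total Traffic": s["bytes"],
                    "Expected Traffic": round(expected),
                    "Variation": round(variation, 1),   # percent above expected
                    "Destination port": port,
                    "Destination protocol": proto,
                    "Top Originating IPs": top_ips(s["src"]),
                    "Top Destination IPs": top_ips(s["dst"]),
                })
        samples.append(s["bytes"])
    return alerts

def constructed_flows(seed=7):
    """Constructed flow records (not real logs): 22 days of HTTPS egress with a
    working-hours profile plus light DNS, then one exfiltration-like burst from
    a new host to a new destination at 02:07 on the last day."""
    rng = random.Random(seed)
    t0 = datetime(2024, 3, 4)   # Monday 00:00
    flows = []
    for day in range(TRAINING_DAYS + 1):
        for slot in range(24 * 60 // SLOT_MINUTES):
            base = t0 + timedelta(days=day, minutes=slot * SLOT_MINUTES)
            https = 20_000_000 if 8 <= base.hour < 20 else 2_500_000
            for src in ("10.0.1.10", "10.0.1.11"):
                flows.append({"ts": base + timedelta(seconds=rng.randrange(1800)), "account_id": "123456789012",
                              "src_ip": src, "dst_ip": "203.0.113.20", "dst_port": 443, "protocol": "tcp",
                              "bytes": int(https * rng.uniform(0.9, 1.1))})
            flows.append({"ts": base + timedelta(seconds=rng.randrange(1800)), "account_id": "123456789012",
                          "src_ip": "10.0.1.10", "dst_ip": "203.0.113.53", "dst_port": 53, "protocol": "udp",
                          "bytes": int(200_000 * rng.uniform(0.9, 1.1))})
    flows.append({"ts": t0 + timedelta(days=TRAINING_DAYS, hours=2, minutes=7), "account_id": "123456789012",
                  "src_ip": "10.0.1.37", "dst_ip": "198.51.100.9", "dst_port": 443, "protocol": "tcp",
                  "bytes": 900_000_000})
    return flows

def run_example():
    """Run the detector over the constructed flows; returns the list of alert dicts."""
    return detect(constructed_flows())

if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Running the example yields a single alert for the 02:00-02:30 slot on the last day, attributed to port 443/tcp, with 10.0.1.37 and 198.51.100.9 at the top of the originating and destination IP lists and a variation in the tens of thousands of percent, while the ordinary working-hours peaks produce nothing because they match the same slot of day in the history. Truncating the input to fewer than 21 days produces no alerts at all, which is the self-training behavior the page describes. Keying the history on slot of day rather than slot of week is a simplification; with 21 days of history a per-weekday profile would have only three samples per slot.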