Last update: 2022-03-01

Outbound network traffic anomalies

Sophos Cloud Optix detects anomalous outbound network traffic.

This form of detection is a time series-based model. It learns the normal traffic flow in your environment, based on time and location patterns, and then detects unusual outbound traffic.

Use cases

This model helps you detect suspicious spikes in outbound traffic, which can indicate attacks that steal data.

Learning period and customizations

This form of detection has a self-training period of 21 days. After that, it starts showing alerts.

The current models are trained for each account ID and destination port. They are frequently retrained to capture the latest traffic behavior.


Alerts for anomalous traffic include these details:

| Field | Description |
| --- | --- |
| Account ID | Account ID |
| Timeframe | The time period of the deviation (30-minute slots) |
| Total Traffic | Total traffic observed in the timeframe |
| Expected Traffic | Traffic expected by machine learning models |
| Variation | Variation between actual and expected traffic |
| Destination port | Destination port |
| Destination protocol | Destination protocol |
| Top Originating IPs | Top IPs from which traffic flows |
| Top Destination IPs | Top IPs to which traffic flows |
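To cross-check an alert against your own flow logs, the following added example (not Sophos code, and not the Cloud Optix model) rebuilds the same fields per account ID and destination port in 30-minute slots. It assumes a simple median/MAD baseline over the same time-of-day slot on the previous 21 days; the flow record keys, the threshold and the sample data are constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import median

SLOT, DAY = 1800, 86400   # 30-minute slots, as in the alert's Timeframe field
TRAINING_DAYS = 21        # self-training period stated on the page

def bucket(flows):
    """Sum outbound bytes per (account, dst_port, slot start); track talkers."""
    totals, src, dst = defaultdict(int), defaultdict(Counter), defaultdict(Counter)
    for f in flows:
        key = (f["account"], f["dst_port"], f["ts"] - f["ts"] % SLOT)
        totals[key] += f["bytes"]
        src[key][f["src"]] += f["bytes"]
        dst[key][f["dst"]] += f["bytes"]
    return totals, src, dst

def detect(flows, slot, threshold=6.0, top_n=3):
    """Return alerts for one slot; nothing until 21 days of history exist."""
    first = min((f["ts"] for f in flows), default=slot)
    if first - first % SLOT > slot - TRAINING_DAYS * DAY:
        return []
    totals, src, dst = bucket(flows)
    alerts = []
    for (account, port, s), total in totals.items():
        if s != slot:
            continue
        # Assumed baseline: same time-of-day slot on each of the previous 21 days.
        past = [totals.get((account, port, slot - d * DAY), 0)
                for d in range(1, TRAINING_DAYS + 1)]
        expected = median(past)
        mad = median(abs(p - expected) for p in past) or 1  # flat history: avoid /0
        if (total - expected) / mad > threshold:
            alerts.append({
                "account_id": account, "destination_port": port,
                "timeframe": (slot, slot + SLOT), "total_traffic": total,
                "expected_traffic": expected, "variation": total - expected,
                "top_originating_ips": [ip for ip, _ in src[account, port, s].most_common(top_n)],
                "top_destination_ips": [ip for ip, _ in dst[account, port, s].most_common(top_n)]})
    return alerts

T0 = 1_640_995_200  # constructed sample data starts 2022-01-01 00:00 UTC
def sample_flows(days=22):
    mk = lambda d, port, s, t, n: {"account": "111111111111", "ts": T0 + d * DAY + 60,
                                   "dst_port": port, "src": s, "dst": t, "bytes": n}
    flows = []
    for d in range(days):  # steady daily traffic on ports 443 and 53
        flows.append(mk(d, 443, "10.0.1.5", "198.51.100.7", 1_000_000 + d * 1000))
        flows.append(mk(d, 53, "10.0.1.5", "10.0.0.2", 20_000))
    flows.append(mk(days - 1, 443, "10.0.1.9", "203.0.113.20", 50_000_000))  # spike
    return flows
```

Calling `detect(sample_flows(), T0 + 21 * DAY)` flags only the port 443 slot; with fewer than 21 days of history the function returns no alerts, mirroring the learning period.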