User login anomalies

Sophos Cloud Optix detects suspicious login events.

This type of detection combines analysis of access time, location, and user profiles. It learns what normal user activity in your cloud environment looks like and then starts flagging suspicious events.

Use cases

This model flags suspicious console login events, API calls and assumed-role API calls to identify potential attacks based on compromised user credentials.

Learning period and customizations

This form of detection has a learning period of 7 days, after which it starts showing alerts.

It has a low rate of false positives and can be customized for a specific cloud environment via custom IP, role whitelists and alert suppression.
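
The following is an added illustrative sketch of the approach described above, not Sophos Cloud Optix's own model or code: a per-user baseline of login country and hour that stays silent during the 7-day learning period and skips whitelisted IPs and roles (called allowlists in the code). The event fields, the one-hour tolerance, the allowlist entries and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LEARNING_PERIOD = timedelta(days=7)  # learning period stated on the page

class LoginBaseline:
    """Illustrative per-user profile of login countries and hours (assumed model)."""
    def __init__(self, start, ip_allowlist=(), role_allowlist=()):
        self.start = start
        self.ip_allowlist = set(ip_allowlist)
        self.role_allowlist = set(role_allowlist)
        self.countries = defaultdict(set)
        self.hours = defaultdict(set)

    def observe(self, ev):
        """Return the reasons an event is anomalous; an empty list means no alert."""
        user, hour = ev["user"], ev["time"].hour
        learning = ev["time"] - self.start < LEARNING_PERIOD
        allowed = ev["ip"] in self.ip_allowlist or ev.get("role") in self.role_allowlist
        reasons = []
        if not learning and not allowed:
            if ev["country"] not in self.countries[user]:
                reasons.append("new location")
            # Circular distance, so 23:00 and 00:00 count as one hour apart.
            if not any(min((hour - h) % 24, (h - hour) % 24) <= 1 for h in self.hours[user]):
                reasons.append("unusual hour")
        # Learn only from events that were neither flagged nor allowlisted,
        # so a flagged session does not become part of the profile.
        if not reasons and not allowed:
            self.countries[user].add(ev["country"])
            self.hours[user].add(hour)
        return reasons

def sample(day, hour, country, ip, role=None, user="alice"):
    """Build one constructed sample event (January 2024)."""
    return {"user": user, "time": datetime(2024, 1, day, hour), "country": country, "ip": ip, "role": role}

def run_demo():
    model = LoginBaseline(datetime(2024, 1, 1), ip_allowlist={"198.51.100.10"}, role_allowlist={"ci-deploy"})
    for day in range(1, 6):  # learning period: morning logins from GB
        model.observe(sample(day, 9, "GB", "192.0.2.5"))
    return [
        model.observe(sample(10, 10, "GB", "192.0.2.5")),                # within profile
        model.observe(sample(10, 3, "BR", "203.0.113.7")),               # new place, odd hour
        model.observe(sample(11, 3, "BR", "198.51.100.10")),             # allowlisted IP
        model.observe(sample(11, 2, "US", "203.0.113.9", "ci-deploy")),  # allowlisted role
    ]
```

A user first seen after the learning period has an empty profile, so this sketch flags that user's first event on both checks.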