Outbound network traffic anomalies

Sophos Cloud Optix detects anomalous outbound network traffic.

This form of detection is a time series-based model. It learns the normal traffic flow in your environment, based on time and location patterns, and then detects unusual outbound traffic.

Use cases

This model helps detect suspicious spikes in outbound traffic, which can indicate attacks that steal data.

Learning period and customizations

This form of detection has a self-training period of 21 days. Thereafter it starts showing alerts.

The current models are trained for each account ID and destination port. They are frequently retrained to capture the latest traffic behavior.


Alerts for anomalous traffic include these details:

Account ID: Account ID
The time period of the deviation (30-minute slots)
Total Traffic: Total traffic observed in the timeframe
Expected Traffic: Traffic expected by machine learning models
Variation between actual and expected traffic
Destination port: Destination port
Destination protocol: Destination protocol
Top Originating IPs: Top IPs from which traffic flows
Top Destination IPs: Top IPs to which traffic flows
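
To illustrate the mechanics described on this page, the following added example (not Sophos code, and not the Cloud Optix model) builds one series per account ID and destination port in 30-minute slots and compares each slot with a time-of-day baseline once 21 days of history exist. The median/MAD baseline, the threshold, the alert field names and the sample flows are assumptions constructed for the illustration; location patterns are not modelled.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Illustrative baseline only; the page does not describe the Cloud Optix model itself.
TRAINING = timedelta(days=21)   # self-training period stated on the page
THRESHOLD = 6.0                 # assumption: alert above 6 robust deviations

def slot_start(ts):
    """Floor a timestamp to the start of its 30-minute slot."""
    return ts.replace(minute=ts.minute - ts.minute % 30, second=0, microsecond=0)

def detect(flows, threshold=THRESHOLD):
    """flows: iterable of (timestamp, account_id, dst_port, bytes_out)."""
    series = defaultdict(lambda: defaultdict(int))  # one series per account and port
    for ts, account, port, nbytes in flows:
        series[(account, port)][slot_start(ts)] += nbytes
    alerts = []
    for (account, port), by_slot in series.items():
        first = min(by_slot)
        for slot, total in sorted(by_slot.items()):
            # Baseline: earlier observations at the same time of day.
            history = [v for s, v in by_slot.items()
                       if s < slot and s.time() == slot.time()]
            if slot - first < TRAINING or len(history) < 7:
                continue                            # still learning, no alerts
            expected = median(history)
            mad = median(abs(v - expected) for v in history)
            spread = max(mad, 0.1 * expected, 1.0)  # floor avoids a zero spread
            if total - expected > threshold * spread:
                alerts.append({"account_id": account, "dst_port": port, "slot": slot,
                               "total": total, "expected": expected,
                               "variation": total - expected})
    return alerts

def sample_flows():
    """Constructed data: 22 days of port 443 traffic with one spike on day 22."""
    start, flows = datetime(2024, 1, 1), []
    for i in range(22 * 48):
        ts = start + i * timedelta(minutes=30)
        nbytes = (5_000_000 if 9 <= ts.hour < 18 else 500_000) + (i % 7) * 10_000
        if ts == datetime(2024, 1, 22, 3, 0):
            nbytes = 80_000_000                     # constructed spike
        flows.append((ts + timedelta(minutes=7), "123456789012", 443, nbytes))
    return flows

if __name__ == "__main__":
    for alert in detect(sample_flows()):
        print(alert)
```

Slots with no traffic are simply absent from the series here; a production baseline would also need to decide how to treat quiet slots and weekday versus weekend patterns.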