Ex: Prevent Unauthorized Application Access
Goal: Detect when employees attempt to access an application that’s considered high risk or outside of their typical role, and automatically notify security.
Steps:
- Create a Monitor: Give your monitor a unique name, such as `Suspicious Applications Access`.
- Define Conditions: Use the filter builder or custom CEL expressions to specify what activity you want to detect.
  - For example, you could define the following set of conditions:
    - Create a list of applications that contain PII or other highly sensitive data (`List = "Applications containing PII"`)
    - Include additional actions that suggest suspicious activity: `Event Type = MFA_FAILED` and `Event Anomaly Score >= 50`
- Configure Automated Actions: Send an email, Slack, or Teams notification to the Security team.
- Result: Trigger Security Alerts for High-Risk Access to Applications: If a user who has failed MFA attempts to access a sensitive application and the event has an anomaly score greater than 50 (where 100 = most anomalous), security is alerted immediately!
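To check the three conditions before enabling notifications, the added example below (not the product's own code or CEL syntax) applies them to constructed events, including the boundary case where the score is exactly 50. The field names, the application names, and the `LOGIN_SUCCESS` event type are assumptions made for illustration.

```python
# Added example: models the monitor's conditions in plain Python.
# Field names and sample events are constructed, not the product's schema.
from dataclasses import dataclass

# Stands in for the "Applications containing PII" list (hypothetical app names).
PII_APPS = frozenset({"hr-portal", "payroll"})
SCORE_THRESHOLD = 50  # anomaly scores run up to 100 = most anomalous
MONITOR_NAME = "Suspicious Applications Access"


@dataclass(frozen=True)
class Event:
    user: str
    application: str
    event_type: str
    anomaly_score: int


def matches_monitor(event, apps=PII_APPS, threshold=SCORE_THRESHOLD):
    """True only when all three conditions hold for the same event."""
    return (
        event.application.strip().lower() in apps   # List = "Applications containing PII"
        and event.event_type == "MFA_FAILED"        # Event Type = MFA_FAILED
        and event.anomaly_score >= threshold        # Event Anomaly Score >= 50
    )


def build_alerts(events):
    """Return one notification line per matching event, in input order."""
    return [
        f"[{MONITOR_NAME}] user={e.user} app={e.application} "
        f"type={e.event_type} score={e.anomaly_score}"
        for e in events
        if matches_monitor(e)
    ]


# Constructed sample events covering each way the monitor can miss.
SAMPLE_EVENTS = [
    Event("alice", "payroll", "MFA_FAILED", 72),       # matches
    Event("bob", "Payroll", "MFA_FAILED", 50),         # matches: >= includes 50
    Event("carol", "payroll", "MFA_FAILED", 49),       # score below threshold
    Event("dave", "wiki", "MFA_FAILED", 90),           # app not in the list
    Event("erin", "hr-portal", "LOGIN_SUCCESS", 80),   # not an MFA failure
]

if __name__ == "__main__":
    for line in build_alerts(SAMPLE_EVENTS):
        print(line)
```
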

Prevent unauthorized application access with this example monitor