Customizing Suspicious Login Detections
Customers can now control the detection confidence range for Impossible Travel Suspicious Login detections. By controlling the detection confidence, the customer can control the detection sensitivity.
The detection confidence range is set to 76 percent by default, but Admins can adjust the range from 50 to 99 percent. Lowering the confidence range, for instance from 76 to 65, will increase detection sensitivity and increase the number of Suspicious Login detections. Conversely, raising the confidence range, such as from 76 to 85, will decrease detection sensitivity and decrease the number of Suspicious Login detections.
How Does the Impossible Travel Detection Process Work?
Confidence is calculated based on:
Impossible Travel Detections
- The time span between logins.
- The distance between the IP login locations minus the IP accuracy radius of both locations.
- The risk scores of the IP addresses involved.
- If one of the IP addresses is identified as a malicious IP, the detection confidence will always be 100%.
Restricted Country
- The IP address location. The detection confidence will always be 100% for any IP detected from a restricted country.
All IP address and risk information is provided by a third-party IP reputation service provider.
If there are multiple logins in a row from a single location, followed by a distant login, only the latest one from the streak will be taken into account even though others would also qualify.
- Example:

| Time | Login Location | Outcome |
|------|----------------|---------|
| 1:00 | A | Meets impossible travel criteria with B, but won't be surfaced |
| 1:10 | A | Meets impossible travel criteria with B, will be surfaced |
| 1:15 | B | |
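The streak rule and the "distance minus accuracy radius" input described above can be sketched as follows. This is an added example, not the product's code: the speed cutoff, the coordinates and radii chosen for A and B, and all function names are assumptions, and it does not reproduce the product's confidence score.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # assumed cutoff (about airliner speed), not a product value

@dataclass
class Login:
    minute: int       # minutes since midnight
    label: str        # location label, e.g. "A"
    lat: float
    lon: float
    radius_km: float  # accuracy radius of the IP geolocation

def effective_distance_km(a, b):
    """Great-circle distance minus both accuracy radii, floored at zero."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return max(0.0, 2 * 6371.0 * asin(sqrt(h)) - a.radius_km - b.radius_km)

def is_impossible(a, b):
    dist = effective_distance_km(a, b)
    hours = (b.minute - a.minute) / 60.0
    if dist == 0.0:
        return False  # locations overlap within their accuracy radii
    return hours <= 0 or dist / hours > MAX_SPEED_KMH

def evaluate(logins):
    """Return (surfaced, suppressed) lists of (earlier, later) login pairs."""
    logins = sorted(logins, key=lambda l: l.minute)
    surfaced, suppressed = [], []
    for i in range(1, len(logins)):
        cur, j = logins[i], i - 1
        streak = logins[j].label
        if streak == cur.label:
            continue  # same location as the previous login: no travel
        latest = True
        while j >= 0 and logins[j].label == streak:
            if is_impossible(logins[j], cur):
                # Only the latest login of the streak is surfaced.
                (surfaced if latest else suppressed).append((logins[j], cur))
            latest = False
            j -= 1
    return surfaced, suppressed

# Constructed sample matching the table above; A = New York, B = London (assumed).
SAMPLE = [
    Login(60, "A", 40.71, -74.01, 50.0),  # 1:00
    Login(70, "A", 40.71, -74.01, 50.0),  # 1:10
    Login(75, "B", 51.51, -0.13, 50.0),   # 1:15
]
```

Calling `evaluate(SAMPLE)` puts the 1:10/1:15 pair in the surfaced list and the 1:00/1:15 pair in the suppressed list, which is useful when reconciling raw login logs against the issues view.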
Customizing Detection Confidence
- Log into Secure and Govern.
- Go to "Settings".
- Select "Analysis Rules".
- Select "Suspicious Login".
Detection confidence can only be adjusted between a low of 50 percent and a high of 99 percent. Values below 50 percent or above 99 percent are not accepted by Secure & Govern.
- Go to “Detection Confidence Range” and enter a valid number from 50 to 99.
- The detection range is automatically updated.
When raising the confidence threshold, any existing open issues that fall below the new confidence threshold will remain in “Open” status until a user takes action on the issue. When lowering the existing confidence threshold, only new issues detected at the lower threshold will appear in the issues view. No historical issues will be detected.