Customizing Suspicious Login Detections

Customers can now control the detection confidence range for Impossible Travel Suspicious Login detections. Adjusting the detection confidence changes the detection sensitivity.

The detection confidence range is set to 76 percent by default, but Admins can adjust the range from 50 to 99 percent. Lowering the confidence range (for example, from 76 to 65) will increase detection sensitivity and increase the number of Suspicious Login detections. Raising the confidence range (for example, from 76 to 85) will decrease detection sensitivity and decrease the number of Suspicious Login detections.

How Does the Impossible Travel Detection Process Work?

Confidence is calculated based on:

  • time difference
  • distance minus accuracy radius of both locations (from GeoIP)
  • risk score of the IPs involved (from GeoIP)

If there are multiple logins in a row from a single location, followed by a distant login, only the latest one from the streak will be taken into account even though others would also qualify.

  • Example:
    Time  Login Location
    1:00  A <- meets impossible travel criteria with B, but won't be surfaced
    1:10  A <- meets impossible travel criteria with B, will be surfaced
    1:15  B
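The streak rule and the "distance minus accuracy radius" input can be sketched as follows. This is an added example, not the product's code: the page does not give the confidence formula, so the sketch stops at the inputs and uses an assumed speed ceiling (`MAX_SPEED_KMH`) in place of a confidence score, omits the IP risk score, and uses constructed coordinates, radii and hypothetical function names.

```python
import math
from datetime import datetime

MAX_SPEED_KMH = 1000.0  # assumed plausibility ceiling, not a product value

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def effective_distance_km(a, b):
    """Distance minus the GeoIP accuracy radius of both locations, floored at 0."""
    raw = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
    return max(0.0, raw - a["radius_km"] - b["radius_km"])

def candidate_pairs(logins):
    """Pair adjacent logins only where the location changes, so just the
    latest login of a same-location streak meets the distant login."""
    ordered = sorted(logins, key=lambda l: l["time"])
    return [(prev, cur) for prev, cur in zip(ordered, ordered[1:])
            if prev["loc"] != cur["loc"]]

def surfaced(logins, max_speed_kmh=MAX_SPEED_KMH):
    """Return (earlier, later, implied_kmh) for pairs above the assumed ceiling."""
    hits = []
    for prev, cur in candidate_pairs(logins):
        hours = (cur["time"] - prev["time"]).total_seconds() / 3600
        dist = effective_distance_km(prev, cur)
        speed = dist / hours if hours > 0 else math.inf
        if dist > 0 and speed > max_speed_kmh:
            hits.append((prev, cur, speed))
    return hits

# Constructed sample data mirroring the table above: A = London, B = New York.
A = {"loc": "A", "lat": 51.5074, "lon": -0.1278, "radius_km": 50}
B = {"loc": "B", "lat": 40.7128, "lon": -74.0060, "radius_km": 50}
LOGINS = [
    {**A, "time": datetime(2024, 1, 1, 1, 0)},   # in streak, not surfaced
    {**A, "time": datetime(2024, 1, 1, 1, 10)},  # latest of streak, surfaced
    {**B, "time": datetime(2024, 1, 1, 1, 15)},
]
```

Calling `surfaced(LOGINS)` returns a single pair, the 1:10 login from A with the 1:15 login from B; the 1:00 login is skipped because it is not the latest of its streak.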

Customizing Detection Confidence

  1. Log in to Secure and Govern.
  2. Go to "Settings".
  3. Select "Analysis Rules".
  4. Select "Suspicious Login".

    Detection confidence can only be set between a low of 50 percent and a high of 99 percent. Values below 50 percent or above 99 percent are rejected by Secure & Govern.

  5. Go to “Detection Confidence Range” and enter a valid number from 50 to 99.

  6. The detection range is automatically updated.

    When raising the confidence threshold, any existing open issues that fall below the new confidence threshold will remain in “Open” status until a user takes action on the issue. When lowering the existing confidence threshold, only new issues detected at the lower threshold will appear in the issues view. No historical issues will be detected.