Suspected identity compromise

Suspected Identity Compromise records evidence of a user account takeover and any unusual admin activity. It focuses on administrative actions that could have a significant impact on the customer's data.

The ticket displays key details of the Suspected Identity Compromise, including the location from which the access was performed and the specific actions that were detected as suspicious:

Suspected Identity Compromise Ticket

The Full Details section lists the presumably legitimate actions taken in close time proximity to the suspected activities, for reference. The suspected activities are highlighted in red, while the presumably legitimate activities are highlighted in green. In the example below, a Collaboration Invite activity has been identified as suspicious because the user's activity took place from different IPs within a short time window:
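To make the heuristic behind this view concrete, the following added example (not part of the product or this documentation) re-creates it over a few constructed audit events: an action is flagged as suspicious when the same user produced earlier activity from a different IP within an assumed 15-minute window, and those earlier actions are kept as the green "reference" rows.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real data): one user acting from two
# different IPs within a few minutes, plus unrelated activity from another user.
EVENTS = [
    {"user": "alice@example.com", "time": "2024-03-01T09:00:00", "ip": "198.51.100.10", "action": "Login"},
    {"user": "alice@example.com", "time": "2024-03-01T09:02:00", "ip": "198.51.100.10", "action": "File Download"},
    {"user": "alice@example.com", "time": "2024-03-01T09:05:00", "ip": "203.0.113.7", "action": "Collaboration Invite"},
    {"user": "alice@example.com", "time": "2024-03-01T11:30:00", "ip": "198.51.100.10", "action": "Login"},
    {"user": "bob@example.com", "time": "2024-03-01T09:04:00", "ip": "192.0.2.44", "action": "Collaboration Invite"},
]

# Assumed threshold for "close time proximity"; the product's actual value is not documented here.
WINDOW = timedelta(minutes=15)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def flag_ip_switches(events, window=WINDOW):
    """Annotate each event as 'suspicious' or 'normal'.

    An event is suspicious when the same user produced an earlier event from a
    different IP within `window`. Those earlier events keep their 'normal'
    verdict and are attached as references, like the green rows in Full Details.
    """
    by_user = {}
    for e in sorted(events, key=_ts):
        by_user.setdefault(e["user"], []).append(e)

    results = []
    for history in by_user.values():
        for i, e in enumerate(history):
            refs = [p for p in history[:i]
                    if _ts(e) - _ts(p) <= window and p["ip"] != e["ip"]]
            results.append({**e,
                            "verdict": "suspicious" if refs else "normal",
                            "references": [f'{p["time"]} {p["ip"]} {p["action"]}' for p in refs]})
    return sorted(results, key=_ts)


def suspicious_actions(events, window=WINDOW):
    """Return (user, action, ip) for every event judged suspicious."""
    return [(r["user"], r["action"], r["ip"])
            for r in flag_ip_switches(events, window) if r["verdict"] == "suspicious"]


if __name__ == "__main__":
    for r in flag_ip_switches(EVENTS):
        print(r["verdict"].upper(), r["user"], r["time"], r["ip"], r["action"], r["references"])
```

Only the 09:05 Collaboration Invite from 203.0.113.7 is flagged; the two preceding actions from 198.51.100.10 become its references, and the 11:30 login is outside the window and stays normal.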

Ticket Full Details

Selecting the ACTION button allows the user to perform a particular set of related actions:

Ticket Actions

Close ticket

Close the ticket because the file was remediated and no longer poses a threat.

Suspend user from all cloud apps

Quarantine the specific user account from all cloud services to eliminate the possibility of account takeover.

Suspend user from [Specific cloud service, for example, Dropbox]

Quarantine the specific user account from a specific cloud service to eliminate the possibility of account takeover.

Request user to sign in to all cloud apps

Request the specific user to sign in to their account again on all cloud services to eliminate the possibility of account takeover.

Request user to sign in to [Specific cloud service, for example, Dropbox]

Request the specific user to sign in to their account again on a specific cloud service to eliminate the possibility of account takeover.

Contact user

Send a direct message to the user. In this case, the original details of the ticket are included in the message.