Suspicious Movement

Description

The Suspicious Movement policy monitors changes in a user's geographical location between consecutive logins to a cloud account. When the speed (in mph) implied by traveling from the previous login location to the new one within the elapsed time exceeds the configured maximum, an alert is generated, because no single user could have made that trip and the account may be in use by an unidentified party (a pattern commonly called impossible travel).

Before evaluating the speed, the policy applies a distance tolerance: a new login within the configured distance of the previous login location is not evaluated at all. This avoids alerts caused by small shifts in geolocation, for example between IP addresses that resolve to the same metropolitan area.

Where exceptions are needed, logins from known source IP ranges (for example, the VPN egress used by users who travel regularly) can be excluded from monitoring by adding those ranges to the IP allow list. Note that the allow list matches source IP ranges, not user accounts, so every login originating from a listed range is exempt.

Policy Configuration

Follow the steps below to enable and configure the policy:

  1. From the FortiCASB dashboard, open the drop-down menu of a Cloud Account, e.g. Salesforce or Office365.
  2. Open the Policy drop-down menu and select Threat Protection.
  3. Locate Suspicious Movement and click the right arrow (>) button to expand the policy.
  4. Under Enabled, click On to enable the policy.
  5. From the Severity level drop-down menu, select the severity level (Critical, Alert, Warning, or Information).
  6. In Velocity Setting (mph), enter the maximum speed at which a user can plausibly travel between two login locations in the elapsed time before the movement is treated as suspicious. The most commonly used value is commercial flight speed, 600 mph.
  7. In Distance Tolerance (mile), enter the proximity distance within which movement is ignored. For example, with a value of 50 miles, any login within 50 miles of the previous login location is not evaluated as suspicious movement, regardless of the elapsed time.
  8. In IP Allow List, enter the IP ranges whose logins are excluded from suspicious movement monitoring. This is useful for source ranges used by known users who travel regularly (for example, a corporate VPN egress). The exemption applies to every login from those ranges, not to specific user accounts.
  9. Click Save Changes to update the configuration.

Once the policy is enabled and configured, any login whose location implies a travel speed above the configured maximum (outside the distance tolerance and not from an allow-listed IP range) generates an alert for the suspicious login. For details on viewing and handling alerts, refer to Alert.
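The following Python script is an added illustration of the check described above, not FortiCASB code (the product's internal algorithm is not published on this page). It models the policy parameters as they are described here: great-circle distance between a user's consecutive logins, a distance tolerance checked first, an implied-speed threshold of 600 mph, and an IP allow list. The login records, coordinates, timestamps and IP ranges are constructed sample data chosen to exercise each branch of the policy.

```python
"""Impossible-travel check modelled on the Suspicious Movement policy.

Added example; the login events below are constructed sample data.
"""
import ipaddress
import math
from dataclasses import dataclass
from datetime import datetime, timezone

EARTH_RADIUS_MILES = 3958.8


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    src_ip: str
    lat: float
    lon: float
    city: str  # label for reporting only; the check uses lat/lon


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in statute miles."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def ip_allowed(ip, allow_list):
    """True if the source IP falls inside any allow-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allow_list)


def evaluate(prev, cur, max_mph=600.0, tolerance_miles=50.0, allow_list=()):
    """Compare one login with the user's previous login.

    Returns (verdict, implied_mph). Order of checks mirrors the policy text:
    allow list, then distance tolerance, then implied speed.
    """
    if ip_allowed(cur.src_ip, allow_list):
        return "allowlisted", None
    distance = haversine_miles(prev.lat, prev.lon, cur.lat, cur.lon)
    if distance <= tolerance_miles:
        return "within_tolerance", None
    hours = (cur.ts - prev.ts).total_seconds() / 3600
    if hours <= 0:
        # Two distant logins at the same instant: infinite speed, never plausible.
        return "suspicious", math.inf
    mph = distance / hours
    return ("suspicious" if mph > max_mph else "ok"), mph


def run_policy(logins, **kw):
    """Walk logins in time order; each login is judged against the same user's previous one.

    Returns a list of (user, from_city, to_city, implied_mph) alerts.
    """
    alerts = []
    last_by_user = {}
    for ev in sorted(logins, key=lambda e: e.ts):
        prev = last_by_user.get(ev.user)
        if prev is not None:
            verdict, mph = evaluate(prev, ev, **kw)
            if verdict == "suspicious":
                alerts.append((ev.user, prev.city, ev.city, mph))
        last_by_user[ev.user] = ev
    return alerts


def _login(user, hour, minute, ip, lat, lon, city):
    return Login(user, datetime(2024, 5, 1, hour, minute, tzinfo=timezone.utc), ip, lat, lon, city)


# Constructed sample data (documentation/example addresses only).
SAMPLE_LOGINS = [
    _login("alice", 9, 0, "203.0.113.10", 40.7128, -74.0060, "New York"),
    _login("alice", 9, 30, "203.0.113.11", 40.7357, -74.1724, "Newark"),         # ~9 mi: tolerance
    _login("alice", 10, 0, "198.51.100.77", 37.7749, -122.4194, "San Francisco"),  # ~2560 mi in 30 min
    _login("bob", 8, 0, "203.0.113.50", 51.5074, -0.1278, "London"),
    _login("bob", 20, 0, "203.0.113.51", 40.7128, -74.0060, "New York"),          # ~3460 mi in 12 h: ok
    _login("carol", 9, 0, "192.0.2.7", 35.6762, 139.6503, "Tokyo"),
    _login("carol", 9, 10, "10.20.0.5", -33.8688, 151.2093, "Sydney"),            # from allow-listed VPN range
]
ALLOW_LIST = [ipaddress.ip_network("10.20.0.0/16")]  # assumed corporate VPN egress


if __name__ == "__main__":
    for user, src, dst, mph in run_policy(SAMPLE_LOGINS, allow_list=ALLOW_LIST):
        print(f"ALERT {user}: {src} -> {dst} implies {mph:,.0f} mph")
```

Running the script reports a single alert, for alice's Newark to San Francisco login. The Newark login itself is skipped because it falls inside the 50-mile tolerance, so the San Francisco login is compared against Newark (the most recent login), not New York. Bob's London to New York login is accepted because 12 hours at roughly 288 mph is below the 600 mph threshold, and Carol's Sydney login is exempt because its source address is in the allow-listed range, regardless of how fast the move appears. Two distant logins with identical timestamps are treated as suspicious rather than raising a division-by-zero error.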