Issue
Red Canary has published a Suspicious Activity (Account) Threat for unusual or anomalous behavior from an identity source, such as Okta or Entra ID, that the organization considers normal activity.
Environment
Red Canary Portal
Identity Threats
Resolution
Red Canary establishes a baseline of normal activity for each identity (for example, source IP addresses, VPNs, and browsers). As more of an identity's activity is observed over time, recurring benign true positives are progressively reduced and the baseline becomes well established.
If the organization determines that the detected activity is benign, they are encouraged to provide feedback on the Threat with a note describing how that determination was made. If the anomalous IP address falls within a CIDR range assigned to the organization by its ISP, the range can also be added to My Network under the Company Profile.
Beyond that immediate feedback and the documentation of known-good networks, no additional action is required to reduce anomaly detections on benign activity or to tune identity threats.
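The following is an added illustration of the baselining behavior described in the Resolution above; it is not Red Canary's detection code, and the identity names, sample sign-in events, the /24 grouping, the two-event warm-up, and the MY_NETWORK range are all constructed assumptions. It replays sign-in events in time order, alerts when an identity appears from a network or browser not previously seen for that identity, folds every event into the baseline so that repeat benign activity stops alerting, and suppresses network-based alerts for addresses inside an organization-owned range, which is the role that My Network plays in the Company Profile.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample sign-in events, NOT real Okta/Entra ID telemetry.
# Each tuple is (timestamp, identity, source IP, browser).
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "203.0.113.10", "Chrome"),
    ("2024-05-02T09:05:00", "alice", "203.0.113.11", "Chrome"),
    ("2024-05-03T08:58:00", "alice", "203.0.113.12", "Chrome"),
    ("2024-05-04T22:15:00", "alice", "198.51.100.7", "Firefox"),   # hotel network, new browser
    ("2024-05-01T10:00:00", "bob", "192.0.2.20", "Edge"),
    ("2024-05-02T10:02:00", "bob", "192.0.2.21", "Edge"),
    ("2024-05-05T10:01:00", "bob", "192.0.2.90", "Edge"),          # same /24, different host
    ("2024-05-06T03:40:00", "bob", "198.51.100.200", "Edge"),      # inside the org's own VPN range
]

# Hypothetical organization-owned range, standing in for "My Network".
MY_NETWORK = [ip_network("198.51.100.128/25")]


def network_key(ip, prefix=24):
    """Collapse a source IP to its /24 so neighbouring addresses share a baseline entry."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def in_known_good(ip, known_good):
    """True when the address falls inside any documented known-good range."""
    return any(ip_address(ip) in net for net in known_good)


def score_events(events, known_good=MY_NETWORK, warmup=2):
    """Replay events in time order and alert on deviations from each identity's
    baseline of previously seen networks and browsers.

    - An identity with fewer than `warmup` prior events has no baseline yet,
      so nothing is alerted for it.
    - Every event, alerted or not, is folded into the baseline afterwards,
      which is why repeated benign activity stops alerting over time.
    - A new network inside a known-good range never counts as a deviation.
    """
    baseline = defaultdict(lambda: {"networks": set(), "browsers": set(), "count": 0})
    findings = []
    for ts, identity, ip, browser in sorted(events):
        b = baseline[identity]
        net = network_key(ip)
        reasons = []
        if b["count"] >= warmup:
            if net not in b["networks"] and not in_known_good(ip, known_good):
                reasons.append(f"new network {net}")
            if browser not in b["browsers"]:
                reasons.append(f"new browser {browser}")
        if reasons:
            findings.append({"ts": ts, "identity": identity, "ip": ip, "reasons": reasons})
        b["networks"].add(net)
        b["browsers"].add(browser)
        b["count"] += 1
    return findings


if __name__ == "__main__":
    for f in score_events(EVENTS):
        print(f["ts"], f["identity"], f["ip"], "; ".join(f["reasons"]))
    # Without the known-good range, bob's sign-in from the VPN range is flagged as well.
    print(len(score_events(EVENTS, known_good=[])), "findings without My Network")
```

Run as written, only alice's sign-in from the hotel network is surfaced; bob's sign-in from the documented range is suppressed, and removing that range produces a second finding. A production baseline would also weight by recency and account for carrier-grade NAT and shared VPN egress, which this sketch deliberately leaves out.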
Cause
Malicious activity is typically associated with an unusual login, but an unusual login is often benign. For example, an organization's employees may travel to meet customers, attend conferences, and so on, signing in from networks and devices that have not been seen for them before.
Red Canary's goal is to ensure malicious activity is never missed, and therefore will surface and publish threats related to suspicious activity. For more information on what goes into these detections, see Red Canary's blog on establishing user baselines and identifying anomalies.