SUSP_CLI_TRAFF

This alert is triggered when a specific user registered from multiple IP addresses during a single monitoring interval or a defined period of activity.

Characteristics

Name: Multiple IP addresses used by a user

Type: anomalies

Status (default): disabled

Detector: built-in, non-SQL

Message

“Multiple IP addresses used by user *user_name*.”

“The total IP addresses used by the user: *number_of_IPs* in last *number_of_minutes* minutes.”

Important

This alert does not track the activity of clients that use IPv6 addresses.

Detector parameters

  • Activity threshold (number of IP addresses - number)
    The number of IP addresses to trigger the alert. Default: 5.
  • Activity timeout (minutes - number)
    The number of additional minutes over which the condition is measured. The condition is measured over the length of one monitoring interval plus the number of minutes specified here, rounded down to an integer number of monitoring intervals. Default: 0. The default value means that the condition is measured over single monitoring intervals. For example, a value of 7 with a monitoring interval configured to 5 minutes adds 5 minutes (7 rounded down to one whole interval) to the time over which the condition is measured.
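As an added illustration, not the product's own detector code, the following Python applies the rule described above to constructed records: it counts distinct IPv4 addresses per user over a window of one monitoring interval plus the activity timeout rounded down to whole intervals, skips IPv6 clients as the note states, and emits the alert message in the page's format. It assumes a 5-minute monitoring interval, records shaped as (minute, user, ip) tuples, and that the threshold fires when the count is at least the configured number.

```python
from collections import defaultdict
from ipaddress import ip_address

MONITORING_INTERVAL_MIN = 5  # assumption: monitoring interval of 5 minutes


def window_minutes(activity_timeout, interval=MONITORING_INTERVAL_MIN):
    """One interval plus the timeout rounded down to whole intervals."""
    return interval + (activity_timeout // interval) * interval


def ipv4_per_user(records, start, end):
    """Distinct IPv4 addresses per user for records with start <= minute < end.
    IPv6 clients are ignored, matching the stated limitation of the alert."""
    seen = defaultdict(set)
    for minute, user, ip in records:
        if start <= minute < end and ip_address(ip).version == 4:
            seen[user].add(ip)
    return seen


def evaluate(records, activity_threshold=5, activity_timeout=0, start=0):
    """Return alert messages for users at or above the threshold (assumed >=)."""
    length = window_minutes(activity_timeout)
    alerts = []
    for user, ips in sorted(ipv4_per_user(records, start, start + length).items()):
        if len(ips) >= activity_threshold:
            alerts.append(
                f"Multiple IP addresses used by user {user}. "
                f"The total IP addresses used by the user: {len(ips)} "
                f"in last {length} minutes."
            )
    return alerts


# Constructed sample records: (minute offset, user, client IP).
RECORDS = [
    (0, "alice", "203.0.113.10"),
    (1, "alice", "203.0.113.11"),
    (3, "alice", "203.0.113.12"),
    (6, "alice", "203.0.113.13"),
    (9, "alice", "203.0.113.14"),
    (2, "bob", "198.51.100.1"),
    (4, "bob", "198.51.100.2"),
    (7, "bob", "198.51.100.3"),
    (8, "bob", "2001:db8::1"),   # IPv6: not counted
    (9, "bob", "2001:db8::2"),   # IPv6: not counted
]
```

With the default timeout the window is a single 5-minute interval and nothing fires; with a timeout of 7 the window grows to 10 minutes and alice reaches 5 addresses.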