Sophos Cloud Optix has several types of anomaly detection. They're turned on automatically.
The detection types are as follows:
- SophosLabs threat intelligence.
- User login anomalies.
- Outbound network traffic anomalies.
- Applications inferred from host behavior.
- High-risk activity.
Each of these detects security-related anomalous events based on account or user activities, API calls, flow log data, and network traffic patterns.
These detection types need different data sources and, in some cases, a learning period in which Sophos Cloud Optix establishes a baseline of normal behavior for your environment. Only after that baseline exists can a detection type identify activity that deviates from it, so alerts from some types don't appear immediately after you connect an environment.
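To make the baseline-then-deviation idea concrete, here is an added, illustrative login-anomaly detector. It is not Sophos Cloud Optix code and does not reproduce the product's models: the event tuples, the learning-period threshold, the country and hour-of-day features, and the severity mapping are all assumptions chosen for the example. It builds a per-user baseline from a learning period of constructed login events, then scores new events against it, reporting a severity and a brief description in the same spirit as an anomaly alert.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (hypothetical; not a Sophos log format).
# Fields: ISO-8601 timestamp, principal, source country code.
LEARNING_PERIOD = [
    ("2024-03-04T09:12:00", "alice", "US"),
    ("2024-03-04T14:30:00", "alice", "US"),
    ("2024-03-05T09:05:00", "alice", "US"),
    ("2024-03-05T10:47:00", "alice", "US"),
    ("2024-03-06T11:20:00", "alice", "US"),
    ("2024-03-04T08:55:00", "bob", "GB"),
    ("2024-03-05T08:58:00", "bob", "GB"),
    ("2024-03-06T09:02:00", "bob", "GB"),
]

NEW_EVENTS = [
    ("2024-03-07T10:15:00", "alice", "US"),  # consistent with baseline
    ("2024-03-07T03:41:00", "alice", "RU"),  # new country and unseen hour
    ("2024-03-07T09:00:00", "bob", "GB"),    # consistent with baseline
    ("2024-03-07T12:00:00", "carol", "DE"),  # no learning-period data
]

# Assumed threshold: a user with fewer learning-period logins than this
# has no trustworthy baseline, so we report that rather than guess.
MIN_LEARNING_EVENTS = 3


class LoginBaseline:
    """Per-user baseline of source countries and login hours."""

    def __init__(self):
        self.countries = defaultdict(set)      # user -> {country, ...}
        self.hours = defaultdict(Counter)      # user -> Counter(hour)
        self.total = Counter()                 # user -> login count

    def learn(self, ts, user, country):
        hour = datetime.fromisoformat(ts).hour
        self.countries[user].add(country)
        self.hours[user][hour] += 1
        self.total[user] += 1

    def reasons(self, ts, user, country):
        """Return a list of deviations from baseline; empty means normal."""
        if self.total[user] < MIN_LEARNING_EVENTS:
            return ["insufficient baseline"]
        out = []
        if country not in self.countries[user]:
            out.append(f"new source country {country}")
        hour = datetime.fromisoformat(ts).hour
        if self.hours[user][hour] == 0:
            out.append(f"login at unseen hour {hour:02d}:00")
        return out


def severity(reasons):
    """Assumed mapping from number of deviations to a severity label."""
    if reasons == ["insufficient baseline"]:
        return "low"
    return "high" if len(reasons) >= 2 else "medium"


def build_baseline(events):
    baseline = LoginBaseline()
    for ts, user, country in events:
        baseline.learn(ts, user, country)
    return baseline


def detect(baseline, events):
    """Score each new event; return (user, ts, severity, reasons) for anomalies."""
    alerts = []
    for ts, user, country in events:
        reasons = baseline.reasons(ts, user, country)
        if reasons:
            alerts.append((user, ts, severity(reasons), reasons))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(LEARNING_PERIOD)
    for user, ts, sev, reasons in detect(baseline, NEW_EVENTS):
        print(f"{sev.upper():6} {ts} {user}: {'; '.join(reasons)}")
```

Running this flags alice's 03:41 login from a country never seen in her learning period, and reports carol only as "insufficient baseline" because she has no history to compare against. The second case is the practical caveat: a detector that has not finished learning either stays silent or produces low-confidence alerts, which is why the learning period matters when you are deciding whether a quiet Alerts page means a clean environment.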
You can also use Activity Insights to monitor activity in your cloud environments. See Activity Insights.
About anomaly alerts
Sophos Cloud Optix displays alerts when it detects anomalies in your environment.
On the Alerts page, look for alerts with a head-shaped icon in the Type column.
You can click the Type filter and select Anomaly (AI).
Each anomaly alert shows its severity level and a brief description of the activity that was detected.