Abnormal Logins is a feature of the Cloud Directory Posture security control. Guardz scans the primary cloud app activity and, based on a series of telemetry and metadata, builds a benchmark list of “normal” user login locations over 7 days of activity from historical logs. Guardz then identifies any logins outside that norm as “abnormal.” Abnormal Logins is a key protection against potential account compromise or outright account takeover.

In Security Controls > Cloud Directory Posture (single-customer view), you have an overview of the “Approved Locations.” Here, you can turn the feature on and off.

To view and edit the list of Approved Locations, select the edit icon.

The Approved Locations represents the typical logins across an organization and can be viewed on a map as well as a detailed list. Any logins detected outside these Approved Locations will result in the creation of a security issue.

Note that the Approved Locations list is currently based on:

​

You can add or remove locations from the list of Approved Locations, either through the issue remediation or “on-the-fly” in the Cloud Directory Posture security control. When a location is removed, logins from this location will no longer generate an issue, and any existing issues will be closed.

A location can be added with either the IP or the city and country.
​

If you want to take a more general approach, you can add a range of IPs. For example: 1.1.1.1/24 or select a country.

When adding a new location, the reason should be specified to differentiate between the system benchmark and admin approval.