Anomaly Detection
Identify unusual email patterns that may indicate security threats.
What It Detects
The anomaly detection system monitors for unusual patterns:
- Volume Spikes: Sudden increase in outbound email volume from a single user
- Unusual Hours: Sending outside the user's normal working hours
- New Recipients: A large number of previously unseen external recipients
- Geographic Anomaly: Authentication from locations the user has not signed in from before
- Pattern Changes: Deviation from the user's normal sending behavior
How It Works
SecZim builds a behavioral baseline for each user over time. When activity deviates significantly from this baseline, an anomaly is flagged.
- Baselines are calculated over 30-day rolling windows
- Statistical analysis identifies significant deviations
- Machine learning improves accuracy over time
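The baseline-and-deviation logic described above, as an added illustration that is not SecZim's code: the 30-day rolling window and the 7-day minimum learning period follow this page, while the median/MAD scoring, the numeric thresholds mapped to the three sensitivity levels, the function names and the constructed per-user daily send counts are assumptions made for the example. It shows how a volume spike is scored, why a spike that already sits inside the baseline window does not hide the next one, and why a user still in the learning period produces no verdict.

```python
"""Illustrative per-user volume-spike detection over a rolling baseline.

Added example, not SecZim's implementation. The 30-day window and the
7-day minimum learning period come from the documentation; the robust
median/MAD scoring and the thresholds per sensitivity level are assumed.
"""
from statistics import median

WINDOW_DAYS = 30          # rolling baseline length (from the page)
MIN_LEARNING_DAYS = 7     # shortest learning period the page allows

# Assumed mapping of the UI sensitivity labels to a robust z-score cutoff:
# a lower cutoff means more alerts (and more false positives).
SENSITIVITY_THRESHOLDS = {"high": 2.5, "medium": 3.5, "low": 5.0}

# Constructed input: 30 days of ordinary outbound counts for one user.
NORMAL_HISTORY = [20, 22, 18, 21, 19, 23, 20, 17, 22, 20] * 3
# Same user, but one earlier day in the window was itself a spike.
HISTORY_WITH_OLD_SPIKE = NORMAL_HISTORY[:-1] + [300]


def robust_baseline(counts):
    """Return (median, scale) for a window of daily counts.

    Median and MAD are used instead of mean and standard deviation so that
    a single earlier spike inside the window barely moves the baseline and
    therefore cannot mask the next spike. MAD is scaled by 1.4826 so the
    result is comparable to a standard deviation on roughly normal data.
    """
    med = median(counts)
    mad = median(abs(c - med) for c in counts)
    sigma = 1.4826 * mad
    return med, max(sigma, 1.0)   # floor avoids division by ~0 on flat history


def score_day(history, today, sensitivity="medium"):
    """Score today's send count for one user against their recent history.

    history: daily outbound message counts, oldest first.
    Returns (status, robust_z) with status "learning", "normal" or "anomaly".
    """
    if len(history) < MIN_LEARNING_DAYS:
        # Not enough behaviour observed yet to call anything unusual.
        return "learning", 0.0
    window = history[-WINDOW_DAYS:]
    med, sigma = robust_baseline(window)
    z = (today - med) / sigma
    status = "anomaly" if z > SENSITIVITY_THRESHOLDS[sensitivity] else "normal"
    return status, round(z, 2)


if __name__ == "__main__":
    # A compromised account sending 400 messages in a day is flagged at any level.
    print(score_day(NORMAL_HISTORY, 400))
    # A mild bump is flagged only at high sensitivity.
    for level in ("high", "medium", "low"):
        print(level, score_day(NORMAL_HISTORY, 26, level))
    # An old spike in the window does not hide a new one.
    print(score_day(HISTORY_WITH_OLD_SPIKE, 400))
    # A new user with five days of history gets no verdict yet.
    print(score_day(NORMAL_HISTORY[:5], 400))
```

The same structure extends to the other signals on the page by swapping the per-day count for a different per-day statistic (messages sent outside the user's usual hours, or distinct never-before-seen external recipients) while keeping the window, learning period and thresholds unchanged.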
Response Actions
When an anomaly is detected:
- An alert is generated for admin review
- Optionally, a temporary rate limit is applied to the user's sending
- The user can be flagged for additional monitoring
Important
Anomaly detection requires a learning period of 7-14 days to establish accurate baselines for new users.
Configure Sensitivity
In Settings → Anomaly Detection:
- High Sensitivity: More alerts, may include false positives
- Medium: Balanced detection (recommended)
- Low Sensitivity: Only clear anomalies trigger alerts
View Detected Anomalies
Go to Intelligence → Anomalies to see:
- Recent anomaly detections
- Affected users and details
- Actions taken
Common Use Cases
- Detecting compromised account sending spam
- Identifying unauthorized access from abroad
- Catching script-based automated sending
- Finding credential theft before damage occurs