Any organization that deals with identity and access management or other forms of customer data must ensure that the data security is never compromised. Zoho One enables the organization owner and admins to keep an eye on unusual activities happening in the application. These unusual activities are labeled as anomalies and will be listed under the Anomaly Detection module.

A few terms used across the Anomaly Detection module are elaborated in the following section.

1. Anomaly or anomalous activity: Any kind of unusual activity happening in the application. Logging in from an anomalous device/OS/IP address/location; logging in at an anomalous time; modifying user details from an anomalous location or at an anomalous time are few of the activities that can be marked as anomalous activities.

2. Anomalous device: Sessions and relevant activities performed from an unusual device are labeled as anomalies based on an anomalous device.

3. Anomalous browser: Sessions and relevant activities performed from an unusual browser are marked as anomalies based on an anomalous browser.

4. Anomalous IP address: Sessions and relevant activities performed from an unusual IP address will be labeled as anomalies based on an anomalous IP address.

5. Anomalous location: Sessions and relevant activities performed from an unusual location will be labeled as anomalies based on an anomalous location.

6. Anomalous time: Sessions logged in an unusual time of the day are labeled as anomalies based on anomalous time.

7. Actor: The user who performed the anomalous activity is termed as the actor. Both admin and non-admin users can be actors of an anomaly.

8. Target:   The user affected by the activity is termed as the target. For example, when an admin resets the password of a user, the admin who performed the action is the actor, and the user whose password is reset is the target.

The Anomaly Detection module comprises two tabs: Dashboard and Anomalies.

Dashboard 

The Dashboard provides an overall view of the pattern in which anomalies are detected. This helps you assess the anomalies based on various aspects and modify security practices in your organization if necessary.

The following section describes each widget available in the Dashboard. Each widget contains filters to display data based on a specific timeline, such as today, yesterday, last 7 days, last 30 days, this month, last month, a specific date, or a custom range.

1. Anomalies by count: This widget displays the number of anomalies detected in a day for the selected timeline.

2. Anomalies by type: This widget displays five most detected anomalies for the selected timeline.

3. Anomalies by actor: This widget displays the number of anomalies for the selected timeline against the corresponding actor.

4. Anomalies by impact: This widget displays the anomalies for the selected timeline against the impact they make on the security of the organization.

Anomalies 

In the Anomalies tab, you can view and resolve the anomalies detected in the application. The list view displays anomalies with specific information such as the actor email, login details, activity details, and reasons for marking the activity as anomalous. For security reasons, admin users cannot resolve anomalous activities performed by the super admin or from their respective accounts.

You can choose to resolve an anomaly with one of the following options:

• If the activity marked as anomalous was performed by you and doesn't pose any security threat, you can mark the activity as non-anomalous.

• If you have any suspicion in the activity details or if you have confirmed that the activity is not performed by the intended actor, you can choose to deactivate the actor to restrict access to the application on a temporary basis or reset password of the actor to prevent data breach.