Rare Browser Activity

Detects users logging in from rare and unusual browsers that are on your blocklist, or not on your allow list.

Rare browser activity can be a security issue due to the latency of applying patches to those browsers. It also may indicate that a specific browser differs from what is typically utilized by the actual end user, which could highlight anomalous behavior that should be investigated.

Device prevalence is determined by looking at all successful events over 90 days across all connected integration instances, and automatically excludes any events where the browser, user agent or OS is 'Null' or 'Empty'. The 'Device prevalence threshold' setting uses a percentage of events coming from a particular browser to determine what is or isn't considered rare by the Auto-discovery setting. The Auto-discovery setting, which is enabled by default, will detect rare browsers if the device prevalence is less than 0.5% [default] times in the last 7 days.

Recommended Actions

Please review the activity of users tracked with a rare browser. Evaluate the user alongside other security anomalies like new locations or login failures. You can exclude this user from the check or add the browser to your allowed list.

Check Settings & Defaults

Auto-Discovery of Rare Browsers: true

Device Prevalence Threshold (Past 7 Days): 0.5

Blocklist: 28

Ignore List: empty

Compatibility

AWS

Duo

GitHub

Microsoft Entra ID

Okta

Salesforce

Last updated