Cybersecurity & trust: anomalous login & access explorer
What you can do here
Explore anomalous logins and access events (impossible travel, MFA bypass, risky geos, new devices/IPs)
Tune alert thresholds and allowlists to reduce analyst fatigue while preserving true‑positive capture
Inspect per‑user timelines to triage alerts quickly
Threshold tuning
Caption: Distribution of login and access events across the 24‑hour day; after‑hours spikes may signal risk.
Caption (metrics): Precision rises and recall falls as the threshold increases; choose the balance that fits your team.
Caption (alerts): Raising the threshold reduces alert volume.
Results summary
Total events: 1260
Malicious ground-truth events (label=1): 86
Chosen threshold: 0.61
Alerts: 79
Precision: 0.89
Recall: 0.81
F1: 0.85
After allowlist:
Alerts: 68 (reduction 13.9%)
Precision: 0.94 · Recall: 0.74 · F1: 0.83
True positives preserved: 91.4%
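Added example (not part of the original page or its tooling): how the summary figures above are derived from scored events, a threshold and an allowlist. It shows that an allowlist entry also suppresses malicious sessions from the same source. The event schema, function names and sample events are constructed assumptions; only the 0.61 threshold comes from the page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:          # hypothetical schema, not the explorer's own
    user: str
    src_ip: str
    score: float      # anomaly score in [0, 1]
    label: int        # ground truth: 1 = malicious, 0 = benign

def metrics(events, threshold, allowlist=frozenset()):
    """Alert when score >= threshold unless (user, src_ip) is allowlisted."""
    alerts = [e for e in events
              if e.score >= threshold and (e.user, e.src_ip) not in allowlist]
    tp = sum(e.label for e in alerts)
    positives = sum(e.label for e in events)
    precision = tp / len(alerts) if alerts else 0.0
    recall = tp / positives if positives else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"alerts": len(alerts), "tp": tp, "precision": precision, "recall": recall, "f1": f1}

def allowlist_impact(events, threshold, allowlist):
    """Compare alerting before and after the allowlist is applied."""
    before = metrics(events, threshold)
    after = metrics(events, threshold, allowlist)
    return {
        "before": before, "after": after,
        "alert_reduction": 1 - after["alerts"] / before["alerts"] if before["alerts"] else 0.0,
        "tp_preserved": after["tp"] / before["tp"] if before["tp"] else 1.0,
    }

# Constructed sample events (documentation IP ranges, made-up users and scores).
EVENTS = [
    Event("alice", "203.0.113.7", 0.92, 1),
    Event("alice", "198.51.100.4", 0.35, 0),
    Event("bob", "192.0.2.10", 0.70, 0),      # shared VPN egress: noisy but benign
    Event("bob", "192.0.2.10", 0.88, 1),      # same allowlisted source, malicious session
    Event("carol", "203.0.113.99", 0.66, 1),
    Event("carol", "198.51.100.20", 0.55, 1), # below threshold: missed either way
    Event("dave", "192.0.2.10", 0.64, 0),
    Event("dave", "198.51.100.77", 0.20, 0),
]
ALLOWLIST = frozenset({("bob", "192.0.2.10"), ("dave", "192.0.2.10")})

if __name__ == "__main__":
    print(allowlist_impact(EVENTS, 0.61, ALLOWLIST))
```

In this sample the allowlist removes both false positives but also hides one malicious session, so "true positives preserved" drops below 100% even as precision improves.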