Monitor for Suspicious Call Activity using Watch List and Triggers
Feature Overview
This feature enables monitoring and alerting of suspicious calls using Watch Lists and Triggers. It allows administrators to define thresholds for call activity and to automatically detect and record suspicious behavior to watch lists for review. Once a number is on a watch list, administrators can add comments to it, block it, or ignore it.
Feature Requirements
- Call Telemetry Server Appliance 0.8.1 or higher
- Call Telemetry Advanced License or Demo License
- Cisco Callmanager 8.5 with CURRI Integration to Call Telemetry
- [Configured External Call Control Profile Inspection](../configure - A route pattern, translation pattern, or phone extension must be enabled for Call Telemetry Policy inspection.
Watch Lists and Triggers Overview
Watch Lists allow you to group triggered call events for review. Triggers define the conditions under which actions are taken on these numbers. When a trigger condition is met, the calling number is added to the target Watch List.
Create and Manage Watch Lists
- Navigate to the Watch Lists section in the Call Telemetry Server, under Policies.
- Click on "Add Watch List" to create a new watch list.
- Enter the name of your new watch list.
Configure Watch Triggers
Triggers define the conditions for monitoring and acting upon watch list entries. Trigger thresholds will be unique to your environment.
Adding a Watch Trigger
Go to the Triggers section in the Call Telemetry Server, under Policies.
Click on "Add Trigger" to create a new trigger.
Enter the trigger details:
- Name: A short name for the trigger.
- Description: A brief description of the trigger.
- Active: Enabled or Disabled
- Call Count Threshold: The number of calls from a single number within a specified time interval that will activate the trigger.
- Time Interval: The duration within which the call count threshold must be met.
- Scheduled Run Time: The frequency at which the trigger checks for suspicious activity.
- Target Watch List: The watch list to which the triggered numbers will be added.
Understanding Watch Trigger Processing
Triggers operate based on the following logic:
- Call Count Threshold: The number of calls from a single number within a specified time interval that will activate the trigger.
- Time Interval: The duration within which the call count threshold must be met.
- Scheduled Run Time: The frequency at which the trigger checks for suspicious activity.
Example Trigger Configuration
- Name: High Call Volume
- Active: Enabled
- Description: Monitor and block numbers with high call volume.
- Call Count Threshold: 10 calls
- Time Interval: 5 minutes
- Scheduled Run Time: Every 1 minute
- Target Watch List: High Call Volume Watch List
Example Trigger Processing
Let's walk through an example of how a trigger would work based on the above configuration:
- A number makes 10 calls within 5 minutes.
- The trigger runs every minute (Scheduled Run Time) and detects that the 10 calls meet the Call Count Threshold within the specified Time Interval.
- The number is added to the Target Watch List (High Call Volume Watch List) for review.
- An email alert is sent to all system administrators with details about the trigger and the numbers that triggered the alert.
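The trigger logic described above, and the split into new versus already-watched numbers that the email alert section later describes, as an added example in Python. This is not Call Telemetry's own code; it assumes a sliding window ending at each scheduled run, a constructed set of call records, and an ignore set standing in for the Whitelist, all of which are assumptions made here for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample call records (not real CDR data): (calling number, call start time).
BASE = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_CALLS = (
    [("+15550100", BASE + timedelta(seconds=20 * i)) for i in range(12)]    # 12 calls in under 4 minutes
    + [("+15550200", BASE + timedelta(minutes=i)) for i in range(8)]        # 8 calls spread over 8 minutes
    + [("+15550300", BASE + timedelta(seconds=10 * i)) for i in range(15)]  # 15 calls in 2.5 minutes
)

# Trigger settings mirroring the "High Call Volume" example on this page.
TRIGGER = {
    "name": "High Call Volume",
    "call_count_threshold": 10,
    "time_interval": timedelta(minutes=5),
    "scheduled_run_time": timedelta(minutes=1),
    "target_watch_list": "High Call Volume Watch List",
}


def count_calls_in_window(calls, window_end, interval):
    """Count calls per calling number that started in (window_end - interval, window_end]."""
    window_start = window_end - interval
    counts = defaultdict(int)
    for number, started_at in calls:
        if window_start < started_at <= window_end:
            counts[number] += 1
    return counts


def evaluate_trigger(trigger, calls, run_at, watch_list, ignored):
    """One scheduled run. Returns (new_numbers, existing_numbers) as {number: call count}.

    Numbers in `ignored` (the Whitelist) are skipped even when they exceed the threshold.
    A number already on the watch list is reported as "existing" rather than re-added.
    """
    counts = count_calls_in_window(calls, run_at, trigger["time_interval"])
    new_numbers, existing_numbers = {}, {}
    for number, count in counts.items():
        if count < trigger["call_count_threshold"] or number in ignored:
            continue
        if number in watch_list:
            existing_numbers[number] = count
        else:
            watch_list[number] = {"first_seen": run_at, "trigger": trigger["name"]}
            new_numbers[number] = count
    return new_numbers, existing_numbers


def run_schedule(trigger, calls, start, end, ignored=frozenset()):
    """Simulate every scheduled run between start and end inclusive.

    Returns the resulting watch list and a history of runs that reported at
    least one number, as (run_at, new_numbers, existing_numbers) tuples.
    """
    watch_list = {}
    history = []
    run_at = start
    while run_at <= end:
        new, existing = evaluate_trigger(trigger, calls, run_at, watch_list, ignored)
        if new or existing:
            history.append((run_at, new, existing))
        run_at += trigger["scheduled_run_time"]
    return watch_list, history


if __name__ == "__main__":
    wl, hist = run_schedule(TRIGGER, SAMPLE_CALLS, BASE, BASE + timedelta(minutes=10),
                            ignored={"+15550300"})
    for run_at, new, existing in hist:
        print(run_at.time(), "new:", new, "existing:", existing)
    print("watch list:", sorted(wl))
```

With the constructed data, +15550100 crosses the threshold on the 9:03 run and is reported as an existing entry on the 9:04 and 9:05 runs, +15550200 never reaches 10 calls in any 5 minute window, and +15550300 would trigger but is suppressed by the ignore set; the one-minute run cadence means a burst can be reported on several consecutive runs, which is why the alert distinguishes new from existing numbers.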
Monitoring and Blocking Suspicious Calls
Reviewing the Watched Number List
When a trigger is activated, the number is added to the watch list. It will appear in the Watch List Numbers menu of Call Telemetry shown below.
Adding Comments to Watched Numbers
You can add comments to watched numbers to provide additional context or information about the call activity. Just click on the pencil icon next to the number to add a comment.
Taking Actions on Watched Numbers
You can also take the following actions on a watched number:
- Block Number: Add the number to the Global Blocked Call List.
- Ignore Number: Remove the number from the watch list, and add it to the Whitelist to be ignored by future triggers.
- Delete Number: Remove the number from the watch list. It may be added back if the trigger conditions are met again.
Managing Ignored Calling Numbers
Once a number is ignored, it no longer shows on the watch list by default. It remains linked to the watch list that triggered it, but is marked as ignored.
Viewing Ignored Numbers
You can see the Ignored Numbers by toggling the switch on the top right of the Watched Numbers page.
Once ignored, you can still take actions on the number, such as unignoring it, or deleting it from the watch list.
Blocking a Watched Number with Automatic Expiration
When blocking a watch list number, you can also set it to expire automatically after a number of days if your organization does not want to permanently block a calling number.
- On the Submit Blocked Number dialog, toggle the slider to enable the expiration.
- Set the number of days you want the blocked calling number to expire.
Automatic Email Alerts for Watch Trigger Violations
When a trigger threshold is crossed, an email alert is sent to all system administrators configured under the main Settings page. The email includes details about the trigger, the numbers that triggered the alert, and the call counts.
The email alert includes:
- Trigger Details: Call count threshold, interval, scheduled run time, and last run window.
- New Numbers Above Thresholds: List of newly blocked numbers and their call counts.
- Existing Numbers Above Thresholds: List of already blocked numbers that have triggered again and their call counts.