Monitor for Suspicious Call Activity using Watch List and Triggers

Feature Overview

This feature enables monitoring of and alerting on suspicious calls using Watch Lists and Triggers. It allows administrators to define thresholds for call activity, and to automatically detect suspicious behavior and record it to watch lists for review. Once numbers are on a watch list, administrators can add comments to them, block them, or ignore them.

Feature Requirements

Watch Lists and Triggers Overview

Watch Lists allow you to group triggered call events for review. Triggers define the conditions under which actions are taken on these numbers. When a trigger condition is met, the calling number is added to the target Watch List.

Create and Manage Watch Lists

  1. Navigate to the Watch Lists section in the Call Telemetry Server, under Policies.
  2. Click on "Add Watch List" to create a new watch list.
  3. Enter the name of your new watch list.
Screenshot showing the Watch List creation form

Configure Watch Triggers

Triggers define the conditions for monitoring and acting upon watch list entries. Trigger thresholds will be unique to your environment.

Adding a Watch Trigger

  1. Go to the Triggers section in the Call Telemetry Server, under Policies.

  2. Click on "Add Trigger" to create a new trigger.
Screenshot showing the Trigger creation form

  3. Enter the trigger details:

  • Name: A short name for the trigger.
  • Description: A brief description of the trigger.
  • Active: Enabled or Disabled
  • Call Count Threshold: The number of calls from a single number within a specified time interval that will activate the trigger.
  • Time Interval: The duration within which the call count threshold must be met.
  • Scheduled Run Time: The frequency at which the trigger checks for suspicious activity.
  • Target Watch List: The watch list to which the triggered numbers will be added.
  • Expire After X Days: Optionally set a number of days after which the blocked number will be removed from the watch list.
Screenshot showing the Trigger creation form

Understanding Watch Trigger Processing

Triggers operate based on the following logic:

  • Call Count Threshold: The number of calls from a single number within a specified time interval that will activate the trigger.
  • Time Interval: The duration within which the call count threshold must be met.
  • Scheduled Run Time: The frequency at which the trigger checks for suspicious activity.

Example Trigger Configuration

  • Name: High Call Volume
  • Active: Enabled
  • Description: Monitor and block numbers with high call volume.
  • Call Count Threshold: 10 calls
  • Time Interval: 5 minutes
  • Scheduled Run Time: Every 1 minute
  • Target Watch List: High Call Volume Watch List
  • Expire After X Days: 7 days

Example Trigger Processing

Let's walk through an example of how a trigger would work based on the above configuration:

  1. A number makes 10 calls within 5 minutes.
  2. The trigger runs every minute (Scheduled Run Time) and detects that the 10 calls are at or above the Call Count Threshold, within the Time Interval specified.
  3. The number is added to the Target Watch List (High Call Volume Watch List) for review.
  4. An email alert is sent to all system administrators with details about the trigger and the numbers that triggered the alert.

Monitoring and Blocking Suspicious Calls

Once a trigger is activated, the calling number is added to the watch list. You can review the watch list, add comments, block or ignore numbers.

Reviewing the Watched Number List

When a trigger is activated, the number is added to the watch list. It will appear in the Watch List Numbers menu of Call Telemetry shown below.

Screen showing a list of blocked incoming calling numbers

Adding Comments to Watched Numbers

You can add comments to watched numbers to provide additional context or information about the call activity. Just click on the pencil icon next to the number to add a comment.

Screenshot showing the Watched Numbers list with comments

Taking Actions on Watched Numbers

You can also take the following actions on a watched number:

  • Automatic Blocking: Add the number to the Global Blocked Call List (if enabled on the Call Policy).
  • Block Number: Add the number to the Global Blocked Call List.
  • Ignore Number: Remove the number from the watch list, and add it to the Whitelist to be ignored by future triggers.
  • Delete Number: Remove the number from the watch list. It may be added back if the trigger conditions are met again.
Screenshot showing the Watched Numbers list with actions

Automatically Blocking Watched Numbers

You can automatically block numbers that trigger a watch list. This feature allows you to block calls from numbers on the watch list without having to manually block them. They are not added to the Global Blocked Call List, but are blocked by association with the Watch List.

Screenshot showing how to enforce block on watched numbers

Managing Ignored Calling Numbers

Once a number is ignored, it no longer shows on the watch list by default. It remains linked to the watch list that triggered it, but is marked as ignored.

Viewing Ignored Numbers

You can see the Ignored Numbers by toggling the switch on the top right of the Watched Numbers page.

Once ignored, you can still take actions on the number, such as unignoring it, or deleting it from the watch list.

Screenshot showing the Watched Numbers list with ignored numbers

Manually Blocking a Watched Number with Automatic Expiration

When blocking a watch list number, you can also set the block to expire automatically after a number of days if your organization does not want to permanently block a calling number.

  1. On the Submit Blocked Number dialog, toggle the slider to enable the expiration.
  2. Set the number of days you want the blocked calling number to expire.
Screenshot showing the Block dialog with expiration settings

Automatic Email Alerts for Watch Trigger Violations

When a trigger threshold is crossed, an email alert is sent to all system administrators configured under the main Settings page. The email includes details about the trigger, the numbers that triggered the alert, and the call counts.

The email alert includes:

  • Trigger Details: Call count threshold, interval, scheduled run time, and last run window.
  • New Numbers Above Thresholds: List of newly blocked numbers and their call counts.
  • Existing Numbers Above Thresholds: List of already blocked numbers that have triggered again and their call counts.
Screenshot showing an example email alert
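
The trigger processing walk-through and the new/existing split in the email alert, described above, can be simulated as follows. This is an added example, not Call Telemetry's own code: the field names, the exact window boundaries, the expiry handling and the sample calls are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Trigger:  # hypothetical field names mirroring the trigger form
    name: str
    call_count_threshold: int
    time_interval: timedelta
    target_watch_list: str
    expire_after_days: int = 0  # assumption: 0 means the entry never expires

def run_trigger(trigger, calls, watch_list, ignored, run_time):
    """Simulate one scheduled run.

    calls: iterable of (timestamp, calling_number) records.
    watch_list: dict of number -> expiry datetime or None, updated in place.
    ignored: set of numbers that triggers must skip.
    Returns (new, existing): number -> call count, as listed in the alert.
    """
    # Drop entries whose expiry has passed.
    for num in [n for n, exp in watch_list.items() if exp and exp <= run_time]:
        del watch_list[num]
    # Assumption: the window is (run_time - interval, run_time].
    start = run_time - trigger.time_interval
    counts = Counter(num for ts, num in calls if start < ts <= run_time)
    new, existing = {}, {}
    for num, count in counts.items():
        if count < trigger.call_count_threshold or num in ignored:
            continue  # only counts at or above the threshold are flagged
        if num in watch_list:
            existing[num] = count
        else:
            new[num] = count
            days = trigger.expire_after_days
            watch_list[num] = run_time + timedelta(days=days) if days else None
    return new, existing

# Constructed sample data using the example configuration from this page.
TRIGGER = Trigger("High Call Volume", 10, timedelta(minutes=5),
                  "High Call Volume Watch List", expire_after_days=7)
T0 = datetime(2024, 1, 1, 9, 0, 0)
CALLS = (
    [(T0 + timedelta(seconds=5 + 25 * i), "+15550100") for i in range(10)]
    + [(T0 + timedelta(seconds=60 * i), "+15550111") for i in range(4)]
    + [(T0 + timedelta(seconds=10 * i), "+15550122") for i in range(12)]
)
IGNORED = {"+15550122"}  # 12 calls, but previously ignored by an administrator
```

Calling `run_trigger` once per scheduled minute against the same watch list shows a number moving from "new" to "existing" while its calls remain inside the interval, then dropping out of the alert as the window slides past them.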