Methods and apparatus are provided for detecting suspicious network activity by new devices. An exemplary method comprises: obtaining network event data for a given entity that comprises a user or a user device; determining a number of distinct other entities associated with the given entity during a predefined short time window, wherein the distinct other entities comprise user devices used by the user if the given entity comprises a user and comprise users of the user device if the given entity comprises a user device; determining a number of distinct other entities associated with the given entity during a predefined longer time window; and assigning a risk score to the given entity based on (i) the number during the predefined short time window relative to the number during the predefined longer time window, and/or (ii) the number during the predefined short time window relative to a predefined number.