A user score is built from the score and severity of the alerts associated with that user. Using the user score, you can identify users that require immediate attention, investigate them in depth, and take the required action. You can identify high-risk users from either the Overview tab or the Users tab.
The following figure is an example of top five high-risk users in the Overview tab.
The following figure is an example of all the risky users in your environment in the Users tab.
The following is a high-level process to investigate high-risk users in your environment.
- Identify the high-risk users. You can identify them in the following ways:
- The Overview tab shows the top five risky users in your environment. From the listed users, identify those with Critical severity or a user score above 100.
- The Users tab shows all the risky users in your environment, sorted by risk score. Note how many users are marked Critical, High, and Medium. Alternatively, based on your forensic investigation, identify the malicious user behavior and build use-case-driven target user lists using behavioral filters. You can also use the Risky, Admin, or Watchlist filters to narrow the list to a targeted group of high-risk users.
Hover over the number of alerts associated with a risky user to quickly see what the alerts are and whether they form a good mix of alert types rather than repeats of a single alert.
For more information, see the Identify High-Risk Users topic.
- In the User Profile view, investigate the user's alerts and indicators.
- Review the list of alerts associated with the user, sorted by severity, and the alert score for each alert.
- Expand the alert names to identify the threat narrative. Each alert is named after its strongest contributing indicator, which suggests why that hour was flagged.
- Use the alert flow timeline to understand the sequence of abnormal activities.
- Review each indicator associated with the alert to see its details, including the time window in which the anomaly occurred. You can also investigate the incident further using external resources such as your SIEM or network forensics, or by contacting the user or the user's manager directly.
For more information, see the Begin an Investigation of High-Risk Users topic.
- On completion of the investigation, you can record your observations as follows:
- Mark an alert as not a risk if the investigation shows it is benign.
- Save the behavioral profile for the use case found in your environment.
- If you want to keep track of a user's activity, add the user to the watchlist and watch the user profile.
For more information, see the Take Action on High-Risk Users topic.
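The identification and triage rules in the procedure above, as an added example that is not part of this page and is not the product's own code or API: a standalone Python script over constructed sample users that applies the Critical-severity-or-score-above-100 rule, sorts by user score, applies the Admin and Watchlist filters, counts users per severity, and summarizes the alert mix behind each user's alert count. User scores and alerts are taken as input rather than computed, because the page does not give the scoring formula; the user names, scores and alert titles are invented, and the threshold used for a "good mix" is an assumption.

```python
"""Triage of risky users over constructed sample data.

Added example for this page; not the product's own code and calling no
product API. User scores and severities are inputs, since the page does
not give the formula that combines alert score and severity.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass
class Alert:
    name: str       # named after the strongest contributing indicator
    score: int
    severity: str


@dataclass
class User:
    name: str
    score: int      # user score as shown in the Users tab
    severity: str   # user-level severity (Critical, High, Medium, Low)
    alerts: list[Alert] = field(default_factory=list)
    is_admin: bool = False
    on_watchlist: bool = False


# Constructed sample data; names, scores and alert titles are invented.
SAMPLE_USERS = [
    User("jdoe", 145, "Critical", [
        Alert("Suspicious Data Movement", 80, "High"),
        Alert("Unusual Geo Location", 45, "Medium"),
        Alert("Account Lockout", 20, "Low"),
    ]),
    User("svc-backup", 110, "High", [
        Alert("Excessive Failed Logins", 55, "High"),
        Alert("Excessive Failed Logins", 55, "High"),
    ], is_admin=True),
    User("asmith", 70, "Medium", [Alert("Unusual Geo Location", 70, "Medium")],
         on_watchlist=True),
    User("bjones", 95, "Critical", [Alert("Privilege Escalation", 95, "Critical")]),
    User("clee", 30, "Medium", [Alert("Account Lockout", 30, "Low")]),
]


def is_high_risk(user: User, score_threshold: int = 100) -> bool:
    """Overview-tab rule: Critical severity or user score above the threshold."""
    return user.severity == "Critical" or user.score > score_threshold


def risky_users(users, *, high_risk_only=True, admin=None, watchlist=None,
                score_threshold=100):
    """Users-tab view: sorted by score, then severity, descending.

    admin / watchlist mirror the Admin and Watchlist filters: None applies
    no filter, True or False requires that value.
    """
    selected = [
        u for u in users
        if (not high_risk_only or is_high_risk(u, score_threshold))
        and (admin is None or u.is_admin == admin)
        and (watchlist is None or u.on_watchlist == watchlist)
    ]
    return sorted(selected, key=lambda u: (u.score, SEVERITY_RANK[u.severity]),
                  reverse=True)


def top_risky_users(users, n: int = 5):
    """Overview-tab view: the top n users by score, whatever their severity."""
    return risky_users(users, high_risk_only=False)[:n]


def severity_counts(users) -> Counter:
    """How many users are marked Critical, High, Medium and so on."""
    return Counter(u.severity for u in users)


def alert_mix(user: User) -> dict:
    """What hovering over the alert count reveals: the alerts sorted by
    severity then score, plus how many distinct alert types are present."""
    ordered = sorted(user.alerts,
                     key=lambda a: (SEVERITY_RANK[a.severity], a.score),
                     reverse=True)
    return {
        "total": len(ordered),
        "distinct": len({a.name for a in ordered}),
        "by_severity": Counter(a.severity for a in ordered),
        "alerts": [(a.name, a.severity, a.score) for a in ordered],
    }


def has_good_mix(user: User, min_distinct: int = 2) -> bool:
    """Assumed working definition of a "good mix" (the page gives none):
    at least min_distinct different alert types, so the user was not
    flagged only by one detector firing repeatedly."""
    return alert_mix(user)["distinct"] >= min_distinct


if __name__ == "__main__":
    print("Users by severity:", dict(severity_counts(SAMPLE_USERS)))
    for u in risky_users(SAMPLE_USERS):
        mix = alert_mix(u)
        print(f"{u.name:12} score={u.score:3} {u.severity:8} "
              f"alerts={mix['total']} distinct={mix['distinct']} "
              f"good_mix={has_good_mix(u)}")
    print("Admin only:", [u.name for u in risky_users(SAMPLE_USERS, admin=True)])
```

In the sample data, svc-backup clears the score threshold but its two alerts are the same detector firing twice, so it fails the mix check, while jdoe has three different alert types and a clearer threat narrative; that is the distinction the hover-over is meant to surface before you open a User Profile.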