User Risk Groups
This page enables you to leverage your existing User Directory Integration to create dynamic user groups or easily add users to manual user groups. You can pin the top user risk groups to the top of this page, allowing you to easily view the user activities within each group. User risk groups help you quickly identify risky users, investigate their activities, and initiate an appropriate response workflow.
NOTE
A yellow dot is displayed in the table against the username if the user is not mapped to your directory service.
Read more: User Risk Group
User investigation
When you select a user from the table, the right panel displays the user's risk summary which includes the following:
A daily risk score trendline graph that shows you the spikes in the user's risky activities over a period of 90 days. You can click on the provided link to see the relevant events.
The list of datasets with matching policies that the user triggered during the 90-day period. You can see the breakdown of the risk score from this section of the panel. A link is provided so that you can easily navigate to the data flow detail for this user.
A policy matches chart to help you analyze user behavior. From here you can use the links to directly view a user risk report or investigate specific incidents.
The All user details tab provides all the user information captured by the Endpoint Sensor including the local groups the user is associated with within your directory service.
The History tab provides a log of all the instances when a user's risk score was cleared. You can click on the Chat icon for each entry to view details such as the user who cleared the risk score, the date and time when the score was cleared, and additional comments that were provided during the action.
User Risk Group
If you have integrated your user directory with Cyberhaven, you can dynamically or manually create User Risk Groups from your user directory.
Read more: User Directory Integration
The user groups are displayed at the top of the Insider Risk page to help you quickly identify the risky groups.
Creating a new User Risk Group
1. On the Insider Risk page, click on User Risk Group.
2. In the New User Risk Group window, enter a name and description for the group.
3. Select a risk multiplier value you want to assign to this group. The risk multiplier increases or decreases the risk score.
Read more about risk score: Risk Level and Risk Score
4. Assign a label color to identify the group.
5. If you want this group to be displayed at the top of the Insider Risk page, then select the Add a quick filter checkbox.
6. Select Dynamically to populate the users in the group based on the selected conditions.
Or, select Manually if you want to manually add or remove users from the group.
7. Click on Condition to add users to this group. The conditional fields in the drop-down list are populated from your user directory.
8. Click Add to finish creating the new risk group.
9. Click on the down arrow next to the User Risk Group button to view all the user risk groups.
Editing a User Risk Group
To edit a user risk group:
1. Click on the down arrow next to the User Risk Group button and click on the edit icon next to a user risk group. The Edit User Risk Group window is displayed.
2. When you have finished editing, click Update to save your changes.
Post-investigation user clearance
When you've finished investigating a user on the Insider Risk page, you can reset their risk score. This lowers their position in the ranking table, allowing you to focus on investigating the next highest-ranked user.
Read more: Resetting the Risk Score