最終更新日:2023-07-25 19:34:53
The risk awareness report displays the high-risk threat trends for enterprise users. IT administrators can quickly understand threat event rankings, high-risk user rankings, high-risk client rankings, and other information from the report in order to quickly grasp the threat activities in the system.
This report is only applicable to customers who has purchased Business licenses.
Go to Console–>Analysis–>Risk Awareness. You will see two tabs: Analysis and Event.
1) In Analysis tab, you will get threat reports based on user behavior analyze, inluding:
Field Name | Explanation |
---|---|
High Risk User Trend |
Display the trend of the number of users with "Poor" trust level in query time |
By Trust Score | Display the top 10 users by their lowest trust score in query time |
Threat Event Trend | Display the trend of the number of threat events in query time |
Threat Event Statistics | Display the number and proportion of threat events in query time |
High Risk User Top10 | Display the top 10 users by the number of threat events or the total threats in query time |
High Risk IP Top10 | Display the top 10 client login IPs by the number of threat events in query time |
High Risk Client Top10 | Display the top 10 clients by the number of threat events in query time |
2) In Event tab, you will see the threat events been detected, including:
Field Name |
Explanation |
---|---|
Check Time |
Threat event's detection time |
Event Time |
Threat event's occurrence time |
Username |
Username associated with the threat event |
Threat Name |
Name of the threat event |
Threat Score |
Threat value of the threat event |
Threat Level |
Threat level of the threat event, categorized as high risk, medium risk, and low risk |
Threat Status | Stauts of threat events. Available status: Revoked and Not Revoked. By default, a threat even will be marked as Not Revoked status, meaning the event has not been decided whether it is a threat event and the it is threat level. It will changed to Revoked when: 1) The threat event has reached auto revoke time (1440 min by default), the system revokes the event automatically 2) Administrator manually revoke the event. Administrators can manually revoke, confirm or ignore the event from list. |
Alert Result | The status of how administrator handle the event, available value includes: Ignored, Not Confirmed and Confirmed. The result will change when you do operation in Action field. |
Action | From the list, you can do operation to the threat event, including: Confirm: after operation, the event will be confirmed as a threat. And the Alert Result will be changed to "Confirmed" Ignore: after operation, the event will be ignored. And the Alert Result will be changed to "Ignored". For threat events detected by the baseline module, the ignore operation add the record to baseline. In the future, the redetection of the record will longer be reported as threat events. Revoke: after operation, the event will be revoked, the trust scores deducted from the user due to this event will be restored. And the Alert Result of the event will be changed to "Revoked". |
By pressing > icon, you will find more details about the event