Risk Awareness

Last updated: 2023-07-25 19:34:53

1. Usage Scenario

The risk awareness report displays the high-risk threat trends for enterprise users. IT administrators can quickly understand threat event rankings, high-risk user rankings, high-risk client rankings, and other information from the report in order to quickly grasp the threat activities in the system.

This report is only available to customers who have purchased Business licenses.

2. Operation Steps

Go to Console -> Analysis -> Risk Awareness. You will see two tabs: Analysis and Event.

1) In the Analysis tab, you will get threat reports based on user behavior analysis, including:

| Field Name | Explanation |
| --- | --- |
| High Risk User Trend | Displays the trend of the number of users with "Poor" trust level within the query time |
| By Trust Score | Displays the top 10 users by their lowest trust score within the query time |
| Threat Event Trend | Displays the trend of the number of threat events within the query time |
| Threat Event Statistics | Displays the number and proportion of threat events within the query time |
| High Risk User Top10 | Displays the top 10 users by the number of threat events or the total threats within the query time |
| High Risk IP Top10 | Displays the top 10 client login IPs by the number of threat events within the query time |
| High Risk Client Top10 | Displays the top 10 clients by the number of threat events within the query time |

2) In the Event tab, you will see the threat events that have been detected, including:

| Field Name | Explanation |
| --- | --- |
| Check Time | Threat event's detection time |
| Event Time | Threat event's occurrence time |
| Username | Username associated with the threat event |
| Threat Name | Name of the threat event |
| Threat Score | Threat value of the threat event |
| Threat Level | Threat level of the threat event, categorized as high risk, medium risk, and low risk |
| Threat Status | Status of the threat event. Available statuses: Revoked and Not Revoked. By default, a threat event is marked as Not Revoked, meaning it has not yet been decided whether the event is a threat and what its threat level is. It changes to Revoked when: 1) the threat event reaches the auto revoke time (1440 min by default) and the system revokes the event automatically; 2) an administrator manually revokes the event. Administrators can manually revoke, confirm or ignore the event from the list. |
| Alert Result | How the administrator has handled the event. Available values: Ignored, Not Confirmed and Confirmed. The result changes when you perform an operation in the Action field. |
| Action | Operations you can perform on the threat event from the list. Confirm: the event is confirmed as a threat, and the Alert Result changes to "Confirmed". Ignore: the event is ignored, and the Alert Result changes to "Ignored". For threat events detected by the baseline module, the ignore operation adds the record to the baseline, so future detections of that record will no longer be reported as threat events. Revoke: the event is revoked, the trust score deducted from the user due to this event is restored, and the Alert Result changes to "Revoked". |

Press the > icon to see more details about the event.