Overview
From the User Profile, you can review the file activity of an employee, helping you to:
- Quickly identify suspicious file movement
- Review endpoint and cloud services activity
- See previous file activity
This article describes the information and options in the User Profile.
Considerations
- Add trusted activity and data connections to focus your investigations on higher-risk file activity. Adding trust settings allows Incydr to show only untrusted file events on security event dashboards, user profiles, and alerts, reducing your total file event volume. All file activity is still visible in Forensic Search.
- To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr.
- To see a deactivated employee's User Profile, add them to a watchlist first, and then search for their profile from that watchlist.
File events for Forensic Search and Alerts typically appear within 15 minutes of the file activity, while file events in the security event dashboards, All users list, watchlists, and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts elsewhere. For more information about how long it takes for events to show up in Incydr, see Expected time ranges for events to appear.
User Profile
To see a user profile from various places in the Incydr console, do the following:
- Click View profile
- Click a hyperlinked username
| | Item | Description |
|---|---|---|
| a | Risk settings | To edit risk settings, you must have the Insider Risk Admin or Insider Risk Analyst role. Users with the Insider Risk Read Only role can view risk settings, but not make changes. |
| b | Selected time frame | Shows the time frame the file activity occurred in. Click to change the time frame. |
| c | Risk report | Click to view the Departing employee risk report. The risk report provides a summary of alerts, cases, and critical events associated with the user. The report also highlights common exfiltration scenarios for departing employees. Available only for users on the Departing watchlist. |
| d | Actions | Click the Actions menu and do one of the following: Visibility of actions: You are only shown actions that you are allowed to access based on your Incydr role and your organization's product plan. For example: |
| e | User information | Shows details about the user, including name, notes, start and end dates, watchlist membership, and active agents. See User information below for more details. |
| f | Activity overview | For the selected time frame, displays the number of: Click View for more details about each item. |
| g | File activity by severity | Shows file events by risk severity and associated risk indicators. Severity is based on the following scoring ranges: For more information about risk indicators, see Risk settings reference. |
| h | Export | Click to download any section as an image (png, jpeg, or svg). |
| i | Source risk indicator activity | Shows all of the user's file events where the file came from a source likely to contain company data. |
| j | Destination risk indicator activity | Shows all of the user's file events by where the file was moved to, shared, or sent (destination risk indicator). |
| k | File risk indicator activity | Shows all of the user's file events by file risk indicator. |
| l | Filter | Click to filter the results by event severity or specific risk indicators. |
User information
| | Item | Description |
|---|---|---|
| a | User information | Displays a summary of the employee's information, including: If you use Incydr User Directory Sync or SCIM provisioning, additional information appears here, including the user's Department, Title, Location, and Manager. |
| b | Start date | Click Add or Edit to add or update a start date for the user. The start date is used with the New hire watchlist. Start date filtering: The start date can be used to filter and find all employees that have started at your company in the past 30-90 days. Use this filter to determine if new employees are aware of and following your company's data practices. |
| c | Departure date | Click Add or Edit to add or update a departure date for the user. The departure date is used with the Departing watchlist. Departure date filtering: The departure date is used to filter and find all employees that are leaving your company soon. This date drives the filters shown on the Departing watchlist summary of the Exfiltration dashboard as well as the Departing employee risk report. |
| d | Notes | Click Add notes or Edit |
| e | Watchlists | Lists the user's current watchlist membership, the risk score for each watchlist, which preventative controls are enabled, and any alerts that explicitly include or exclude the watchlist. Click Edit If the user is not on a watchlist, click Add to watchlist to add one. |
| f | Agents | Lists active insider risk agents for the user (backup agents are not included). Details include: The Agents section displays the message No active agents when an agent has not been deployed, all agents are deactivated, or the user is out-of-scope. |
Source risk indicator activity
| | Item | Description |
|---|---|---|
| a | Selected time frame | Shows the time frame the file activity occurred in. Change the time frame in the upper-right corner of the page. |
| b | Filter | Click to filter the graph and events in the table by: |
| c | Filtered by | Shows the filters currently applied to the data shown in the graph as well as the data available in the source indicators. Click the "x" on a filter to remove it. |
| d | Showing | Lists the source risk indicator you are viewing. |
| e | Select source risk indicator | Select a source risk indicator to see where the file was sent and its associated risk. Source risk indicators are applied to file events where the file came from a source likely to contain company data. |
| f | Events | Number of file events associated with the risk indicator for the selected time frame. |
| g | Size | Total size of files involved with the file activity. |
| h | Activity preview | Shows a visual representation of file activity for the selected time frame. |
| i | View event details | Click to view more information about the file events. |
Destination risk indicator activity
Destination risk indicators are dynamic
The list of destination risk indicators shown is dynamic. Only risk indicators with untrusted file activity are shown.
For example, if there is no Box file activity in the selected timeframe, or if you have not given Incydr access to your Box environment for monitoring, the Box corporate data connector is not listed.
| | Item | Description |
|---|---|---|
| a | Selected time frame | Shows the time frame the file activity occurred in. Change the time frame in the upper-right corner of the page. |
| b | Filter | Click to filter the graph and events in the table by: |
| c | Filtered by | Shows the filters currently applied to the data shown in the graph as well as the data available in the destination indicators. Click the "x" on a filter to remove it. |
| d | Showing | Lists the destination risk indicator you are viewing. |
| e | Select destination risk indicator | Select a destination risk indicator to see where the file was sent and its associated risk. Destination risk indicators apply risk scores to file events based on where a file is moved or uploaded. See the list of destination risk indicators for more details on what types of destinations you may have in your Incydr environment. |
| f | Events | Number of file events associated with the destination for the selected time frame. |
| g | Size | Total size of files involved with the file activity. |
| h | Activity preview | Shows a visual representation of file activity for the selected time frame. |
| i | View event details | Click to view more information about the file events. |
File risk indicator activity
The list of file risk indicators shown is dynamic. Only risk indicators with untrusted file activity are shown.
For example, if there is no untrusted file activity involving source code, that indicator is not listed.
| | Item | Description |
|---|---|---|
| a | Selected time frame | Shows the time frame in which the file activity occurred. Change the time frame in the upper-right corner of the page. |
| b | Filter | Click to filter the graph and events in the table by: |
| c | Selected file risk indicator | |
| d | File risk indicators | Select a file risk indicator to see its graph. |
| e | Events | Displays the count of total file events for a file risk indicator and a visual representation of the number of file events. File events include when files are: *Requires Incydr to have access to monitor your cloud storage environment and email services. The default sort order is from the highest number of events to the lowest. |
| f | Size | Displays the total file size of file events for a file risk indicator. |
| g | Activity preview | Shows a visual representation of file activity for the selected time frame. |
| h | View details | Click to view the details of file events for a file risk indicator. |