Departing employee risk report reference

Overview

The departing employee risk report summarizes the risky activity of an employee on the Departing watchlist over the last 90 days. In the report, you can see a summary of the alerts the user has triggered, the number of cases they were involved in, how many critical events they've caused, and how many of their events correspond to the most common exfiltration scenarios for departing employees. Use the report to make your offboarding triage tasks more streamlined and consistent.

Considerations

  • To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr.

Departing employee risk report

To open the report:

  1. Go to User Activity > Watchlists.
  2. Select the Departing watchlist.
  3. Select a user and click Risk report.
    The risk report slides in from the right.

Item Description
a Export

Click to download the risk report as an image (png, jpeg, or svg) or as a CSV file with event details.

To export an image of the entire report, click the top area of the report after selecting the image file type. To export only a section of the report, mouse over any item and then click. (The highlighted area indicates the items included in the export.)

b User

Displays a summary of the employee's information, including:

  • Name
  • Department*
  • Title*
  • Watchlists the employee has been added to

*Displays this information if your environment uses provisioning. For more information, see Provision user attributes to Incydr.

c View profile Click to see the employee's User profile.
d Notes

Do one of the following:

  • Click Add to add more details to the user's profile.
  • Click Edit to modify existing notes.

Notes are limited to 1000 characters.

e Risk breakdown

Shows the number of alerts, cases, and Instructor lessons sent to the user in the past 90 days. Click View to see more details about each item.

Case and alert counts are only visible if you have the appropriate permissions. Instructor details require a product plan that includes Instructor.

f Risk indicators Shows the user's top risk indicators, sorted by the number of the user's critical events.
g View critical events Click to see the user's critical events in Forensic Search.
h Common risk scenarios in the last 90 days

Shows the top risk scenarios for departing employees and the user's file event counts for each scenario.

  • External devices: Applies to file events on external devices, including file activity on removable media and files sent to other Apple devices via AirDrop.
  • Cloud storage uploads: Applies to files uploaded to cloud services via a web browser and, for some cloud services such as Box, Dropbox, and Google Drive, via the installed desktop app.
  • Email uploads: Applies to files uploaded via a browser to web-based email services such as Gmail, Outlook, and Yahoo! mail.

The same risk scenarios are always shown and do not change based on the user's file activity. To see the user's most frequent file activity by risk indicator, see the Risk indicators section of the report.
