Overview
Risk severity is highlighted throughout Incydr to show you the file activity with the greatest exposure and exfiltration risk. Risk severity is determined by Incydr's Proactive Risk Identification and Severity Model (PRISM), which analyzes 250+ risk indicators about data, users, and destinations to provide weighted severity scores.
Locations that display risk severity and PRISM scores include:
For more information about how severity is calculated, see Risk settings reference.
Considerations
The Exfiltration dashboard
The Top users by critical activity graph on the Exfiltration dashboard shows a prioritized view of critical- and high-severity file events across all users.
To view the Exfiltration dashboard, sign in to the Incydr console, then select Dashboards > Exfiltration. For complete details, see Top users by critical activity reference.
The Trends dashboard
The Risk in my environment graph on the Trends dashboard shows how the number of users causing critical and high severity events has fluctuated over time. Use this graph (along with the other graphs on the dashboard) to identify where to focus controls, training, and engagement to improve your organization's risk profile. To access the dashboard, select Dashboards > Trends.
Watchlists
Watchlists highlight user activity by severity. Use the quick filters at the top of the page to filter the list to show a specific severity. To see watchlists, go to User Activity > Watchlists, then select a watchlist to view events with increased severity.
All Users list
The All Users list shows all of the users in your Incydr environment sorted by the highest number of critical-severity file events, then by high-severity file events. On this list, you can see the risk indicators associated with a user's file events and see more details about their most recent file activity. To access the All Users list, go to User Activity > All Users.
Forensic Search
Forensic Search provides a Risk severity filter and displays PRISM scores and severity in the search results. To search file activity with the greatest exposure and exfiltration risk:
- Sign in to the Incydr console.
- Go to Search > Forensic Search.
- Choose a date range.
- Select the search filter Risk severity and select the severity levels you want to review. To limit the type of risk, select the search filter Risk indicators.
- Select the operator includes any.
- Select one or more values.
- (Optional) Click the plus icon to add more search criteria.
- Click Search.
- In the search results, review the PRISM score column to identify file events with the greatest risk potential. Icons provide a quick indication of a file event's overall risk severity, which is based on the following scoring ranges:
- From the search results, click View details > to show all metadata for an event. The Risk section displays the Risk severity, the PRISM score, and lists all applicable Risk indicators.
Cases
Cases displays PRISM scores and severity for each file event in the case. To view risk severity:
- Sign in to the Incydr console.
- Go to Cases.
- From the list of cases, select a case. Optionally, click the filter icon to search by case status, date created, case name, or case subject. The case details appear.
- In the File activity section, review the PRISM score column to identify file events with the greatest risk potential. Icons provide a quick indication of a file event's overall risk severity, which is based on the following scoring ranges:
- From the File activity list, click View details > to show all metadata for an event. The Risk section displays the Risk severity, the PRISM score, and lists all applicable Risk indicators.
Alerts
Add the Risk severity setting to alert rules to be notified when file events with increased risk occur. In turn, notifications and emails generated by rules with this setting identify those file events and their PRISM scores.
Alert rule setting
- Sign in to the Incydr console.
- Go to Alerts > Manage Rules.
- From the list of alert rules, select a rule. Or, click Create rule to create a new rule.
- Add the Risk severity rule setting.
- If you're editing an existing rule, click Add setting on the View rule panel, then click Risk severity.
- If you're creating a new rule, click Risk severity on the Create rule panel.
- Select the severity of events that you want to be notified about and click Save.
- Complete the rule.
- If you're editing an existing rule, make any other changes needed and then close the View rule panel to return to the Manage Rules table.
- If you're creating a new rule:
- Click Next.
- Enter the rule name and description, select a severity to use to filter and prioritize this rule and its notifications, and then click Next.
- Enter the email addresses to use for alert notifications created from this rule, and then click Save.
The new rule is added to the Manage Rules table.
Alert notifications and emails
When file activity matching an alert rule that contains the new Risk severity setting is detected, the files associated with increased risk are identified in the alert notification and email.
- Risk severity in the Review Alerts table and in the Overview of the alert notification or email identifies a file event's overall risk severity, which is based on the following ranges:
- Risk summary in the Overview of the alert notification or email quickly summarizes the number of file events associated with each severity and the type of activity that generated those events.
- Filename/Details and PRISM score in the Endpoint events and Cloud sharing events sections of the notification or email identify the filename involved in the event and type of activity that contributed to its PRISM score. Additional details list the date the file event activity was observed, and other information captured about the event (such as the URL a file was uploaded to or the browser tab that was active during the event).