Exfiltration dashboard reference

Overview

The Exfiltration dashboard provides insight into file movement across your environment, enabling you to quickly identify files moving to untrusted destinations.

Considerations

• Add trusted activity and data connections to focus your investigations on higher-risk file activity. Adding trust settings allows Incydr to show only untrusted file events on security event dashboards, user profiles, and alerts, reducing your total file event volume. All file activity is still visible in Forensic Search.
• To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr.
• Visibility of Incydr data is not limited by your Incydr organization hierarchy. Users with roles that allow access to Incydr features can view insider risk data for users in all organizations.

The Exfiltration dashboard

To view the Exfiltration dashboard:

1. Sign in to the Incydr console.
2. Select Dashboards > Exfiltration. 

Click any of the links below for more information about that corresponding area:

• Risk settings: Displays all risk indicators and associated scores. To edit risk settings, you must have the Insider Risk Admin or Insider Risk Analyst role. Users with the Insider Risk Read Only role can view risk settings, but not make changes.
• Selected time frame: Click to select a date range for data on the dashboard.
• Export: Click the export icon to save an image of any tile.
• Data movement: Displays how data in your environment is moving to untrusted destinations.
• Source risk indicator activity: All events where a file came from a source likely to contain company data.
• Destination risk indicator activity: All events grouped by destination risk indicator.
• File risk indicator activity: All events grouped by file category.

Differences in file event counts
File events may appear in Forensic Search before they appear in dashboards, alerts, watchlists, the All Users list, and User Profiles. As a result, you may see that the file event counts in Forensic Search differ from the event counts elsewhere. For more details, see Expected time ranges for events to appear.

Related topics

• Detect and respond to insider risks
• Risk settings reference
• All Users reference