Overview
This article explains how to use watchlists to mitigate insider risk by more closely monitoring the file activity of higher-risk users.
For any watchlist, you can build alerts to notify you when a user on the watchlist performs a specific action. Watchlists also enable you to use preventative controls to restrict a user's ability to perform specific actions, including uploading and pasting content in a web browser, mounting removable media, and sharing files via cloud services.
For example, some users may need to use removable media to do their jobs, while others do not. Instead of being alerted when any user in your environment uses a thumb drive, you can add the users you are most concerned about to the Poor security practices watchlist. Then you can define when to be alerted about those users' USB usage, and/or to block those users from being able to mount a USB drive entirely.
Watchlist types
The following types of watchlists are available for you to use, or you can create your own. While a user is on a watchlist, every file event they generate is tagged with that watchlist's risk indicator and its associated risk score, raising the severity of those events for as long as the user remains on the watchlist.
Add employees that are about to leave (or have left) the company to this watchlist. Departing employees often take data with them when they leave and sometimes take data after they have left if their access is not properly revoked.
Add any contractors or temporary employees to this watchlist for closer monitoring.
Add brand new employees that may not be aware of your security practices to this watchlist. Review the file activity of these new employees in their first 30-90 days. This gives you enough data to verify that they understand and are following your company's safe data practices.
Place employees on this watchlist that have special roles that require broad access to high-value data (such as intellectual property or other confidential files).
Add employees that have access to highly sensitive data and systems to this watchlist for closer monitoring.
Employees sometimes reach a point in their tenure at which attrition is common, express job dissatisfaction, are turned down for a promotion, or have conflicts with teammates. In those situations, add the employee to this watchlist to monitor for harmful data activity while they may be looking for another job.
For employees that have tried to access sensitive systems or have raised alerts in other security systems, add them to this watchlist to make sure their behaviors don't continue to be problematic.
Sometimes employees have a poor performance review, get a demotion, or are on a performance improvement plan. These employees may not be the most satisfied employees and may be at higher risk of causing data loss to the company. Add these employees to this watchlist to make sure your data remains safe.
To make sure their behaviors don't lead to data loss, place employees on this watchlist who use unsanctioned tools or have poor security awareness as shown by consistently falling for phishing tests or failing security training.
If none of the above watchlists meet your needs, you can create a custom watchlist.
- Creating a custom watchlist automatically creates a corresponding user risk indicator with a customizable risk score.
- The default risk score for custom watchlists is 0, but you can change the score by editing the risk settings for the watchlist.
- Like the pre-defined watchlists above, custom watchlists are searchable risk indicators in Forensic Search.
For more information about watchlists, see Watchlists reference.
Considerations
Before you begin
Push groups to Incydr
You can add users to watchlists using groups from an external user directory system like Azure Active Directory. For example, you can add users from a Finance directory group to the High impact watchlist, or add users from a Security department to the Elevated access watchlist.
Before you can use groups to add users to watchlists, an Identity Management Administrator must first "push" groups to Incydr from the external user directory system. After the push, the groups are available to add users to watchlists.
The push method the Identity Management Administrator uses differs depending on the type of provisioning provider set up in Identity Management:
- SCIM provider: Push SCIM groups from SCIM providers to make members of directory groups and departments available to watchlists. For directions, see our articles for Azure and Okta (SCIM groups are not supported for PingOne). To push SCIM groups from other providers, see the provisioning provider's documentation.
- User Directory Sync: While directory groups are not available to push from a User Directory Sync provisioning provider, you can push departments to make their members available to watchlists. If the ldap.attrib.department property is configured in the config.properties file, departments are pushed to Incydr at synchronization.
Deleted or renamed groups
If a directory group or department is deleted or renamed in your identity management provider, adjust the watchlist groups accordingly:
- Directory group deleted: An error appears in Incydr stating that the group no longer exists. Remove the deleted directory group from the watchlist.
- Directory group renamed: A warning appears in Incydr stating that a directory group no longer exists. Work with your Identity Management Administrator to identify renamed groups. Add the newly renamed groups and remove the old groups from the watchlist.
- Department deleted or renamed: Due to the nature of department information, a warning does NOT appear in Incydr for missing or renamed departments. Work with your Identity Management Administrator to identify deleted or renamed departments. Add the newly renamed departments and remove the old departments from the watchlist.
Create a watchlist
- Go to User Activity > Watchlists.
- Add a watchlist:
  - If this is your first watchlist, select any tile to create that watchlist.
  - If you have already created at least one watchlist and would like to make another, click Create watchlist.
- For custom watchlists only: Enter a unique name for the watchlist, and optionally, add a short description. You can also edit the name, description, and risk score later from the watchlist's Actions menu.
Add members to a watchlist
Watchlist membership can include any combination of directory groups, departments, and individual users. To add directory groups or departments to a watchlist, your external provisioning provider must be configured to sync with Incydr.
- Directory group: Adds all users in a directory group. As users are added to or removed from the group in your external provisioning provider, they are dynamically added to or removed from the Incydr watchlist.
- Department: Adds all users in a department. As users are added to or removed from the department in your external provisioning provider, they are dynamically added to or removed from the Incydr watchlist.
- Individual user: Adds a single Incydr user.
To add members:
- Go to User Activity > Watchlists.
- Select a watchlist.
- In the watchlist details, go to Watchlist settings > Users and click the edit icon. (For watchlists with no users defined yet, click Add.)
- On the Included tab, click Add for a directory group, department, or individual user.
- From the drop down menu, select the item to add. Optionally, begin typing to filter the list of available options.
- For individual users, if the username you were expecting doesn't appear, verify that the user exists in your Incydr environment.
- For directory groups and departments, the name and members are managed by your external provisioning provider. You cannot edit them from within Incydr.
- To add more members, click the plus icon to select an additional group, department, or user. Repeat as necessary.
- Click Save.
Use integrations to automatically add users to a watchlist based on the user's status in your company's systems.
Remove members from a watchlist
- Go to User Activity > Watchlists.
- Select a watchlist.
- In the watchlist details, go to Watchlist settings > Users and click the edit icon.
- On the Included tab, click the delete icon next to any item to remove the group, department or user. To remove multiple items at once, select the checkboxes next to each item, then click Remove above the list of selected items.
When you remove a directory group or department, all the users in that group or department are removed from the watchlist, unless the user is also in another group or department that is still included in the watchlist, or the user was added individually.
Use integrations to automatically remove users from a watchlist based on the user's status in your company's systems.
If you remove an individual user but they are still on the watchlist, it usually means that user is also a member of a directory group or department included in the watchlist.
Directory group and department membership cannot be managed within Incydr. Instead, work with your Identity Management Administrator to change their group or department membership.
If you cannot change the group or department membership, you can also add the user to the list of Excluded users.
Exclude members from a watchlist
Watchlist exclusions enable flexible and granular control over watchlist membership. Just like included members of a watchlist, exclusions can use any combination of directory groups, departments, and individual users.
Exclusions can be especially useful for managing the enforcement of preventative controls. For example, if you want to prevent everyone in your engineering department from using removable media except a group of QA users whose work involves legitimate use of removable media, you can:
- Enable the Block removable media mounting preventative control for a watchlist.
- Include the entire engineering department on the watchlist.
- Exclude the QA group from the watchlist.
Excluding a group is a simpler and more scalable option than excluding individual users.
Exclusions always take priority
If a user, group, or department is both included and excluded in a watchlist, the exclusion overrides the inclusion. This ensures that excluded users are not monitored by the watchlist and preventative controls are not applied to them. Because a single exclusion silently overrides any number of inclusions, review the Excluded tab as carefully as the Included tab whenever you audit a watchlist's membership.
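The membership rules described above (directory groups and departments expand to their current members, individual users are added directly, and any exclusion overrides any inclusion) are easy to misjudge when a user appears in several places. The following Python is an added example, not Incydr code: it resolves effective membership from a constructed directory snapshot that mirrors the engineering/QA scenario, reports references to groups that no longer exist (the situation described under Deleted or renamed groups), and explains why a given user is or is not a member, which is the check to run when removing an individual user does not take effect. The `Ref`, `Directory` and `Watchlist` structures and the function names are assumptions for illustration.

```python
"""Resolve effective watchlist membership.

Added example, not Incydr code. The directory data and the watchlist are
constructed to mirror the page's engineering/QA scenario; class and
function names are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# The three kinds of membership reference a watchlist can hold.
GROUP, DEPARTMENT, USER = "directory group", "department", "user"


@dataclass(frozen=True)
class Ref:
    kind: str   # GROUP, DEPARTMENT or USER
    name: str   # group or department name, or a username


@dataclass
class Directory:
    """What the provisioning provider has pushed to Incydr."""
    groups: dict = field(default_factory=dict)       # group name -> set of usernames
    departments: dict = field(default_factory=dict)  # department name -> set of usernames
    users: set = field(default_factory=set)          # every user known to the environment


@dataclass
class Watchlist:
    name: str
    included: list = field(default_factory=list)  # list of Ref
    excluded: list = field(default_factory=list)  # list of Ref


def expand(ref: Ref, directory: Directory) -> Optional[set]:
    """Usernames a reference resolves to, or None when the reference is stale:
    the group/department was deleted or renamed, or the user is unknown."""
    if ref.kind == USER:
        return {ref.name} if ref.name in directory.users else None
    table = directory.groups if ref.kind == GROUP else directory.departments
    members = table.get(ref.name)
    return None if members is None else set(members)


def resolve(watchlist: Watchlist, directory: Directory) -> tuple:
    """Return (effective members, stale references).

    All included references are expanded and unioned, then all excluded
    references are expanded and subtracted, so one exclusion overrides any
    number of inclusions of the same user.
    """
    stale, included, excluded = [], set(), set()
    for target, refs in ((included, watchlist.included), (excluded, watchlist.excluded)):
        for ref in refs:
            users = expand(ref, directory)
            if users is None:
                stale.append(ref)   # surface it, like the error/warning Incydr shows
            else:
                target.update(users)
    return included - excluded, stale


def explain(watchlist: Watchlist, directory: Directory, username: str) -> list:
    """One line per reference that matches the user, plus the net result.
    Run this when removing an individual user does not take effect."""
    lines = []
    for label, refs in (("included", watchlist.included), ("excluded", watchlist.excluded)):
        for ref in refs:
            users = expand(ref, directory)
            if users is not None and username in users:
                lines.append(f"{label} via {ref.kind} '{ref.name}'")
    members, _ = resolve(watchlist, directory)
    lines.append("effective: member" if username in members else "effective: not a member")
    return lines


# Constructed directory snapshot: the QA users sit inside Engineering.
DIRECTORY = Directory(
    groups={"qa-removable-media": {"dana", "eli"}},
    departments={"Engineering": {"alice", "bob", "dana", "eli"}, "Finance": {"fran"}},
    users={"alice", "bob", "dana", "eli", "fran", "gus"},
)

# Block removable media for all of Engineering except the QA group. The
# "old-contractors" reference is deliberately stale (the group was deleted).
USB_BLOCK = Watchlist(
    name="Engineering USB block",
    included=[Ref(DEPARTMENT, "Engineering"), Ref(USER, "gus"), Ref(GROUP, "old-contractors")],
    excluded=[Ref(GROUP, "qa-removable-media")],
)

if __name__ == "__main__":
    members, stale = resolve(USB_BLOCK, DIRECTORY)
    print("members:", sorted(members))      # alice, bob, gus
    print("stale refs:", stale)              # the deleted old-contractors group
    for line in explain(USB_BLOCK, DIRECTORY, "dana"):
        print(line)                          # included via department, excluded via group
```

`explain` is the part worth keeping around operationally: when a removal "does not stick", its output names the group or department that still includes the user, which is what you need to hand to the Identity Management Administrator or to justify adding the user to the Excluded tab.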
To exclude users:
- Go to User Activity > Watchlists.
- Select a watchlist.
- In the watchlist details, go to Watchlist settings > Users and click the edit icon.
- Select the Excluded tab.
- Click Add for a directory group, department, or individual user.
- From the drop down menu, select the item to add. Optionally, begin typing to filter the list of available options.
- To add more exclusions, click the plus icon to select an additional group, department, or user. Repeat as necessary.
- Click Save.
Add and edit preventative controls for a watchlist
Preventative controls enable you to restrict a user's ability to perform specific actions, including uploading and pasting content in a web browser, mounting removable media, and sharing files via cloud services.
To configure preventative controls:
- Go to User Activity > Watchlists.
- Select a watchlist.
- In the Watchlist settings section, go to Preventative controls and click the edit icon, or click Add if no preventative controls are enabled yet.
- Toggle each preventative control On or Off. Settings apply to all users on the selected watchlist. See Manage Incydr preventative controls for details about each setting.
- Click Save.
Modify alerts for a watchlist
- Go to User Activity > Watchlists.
- Select the watchlist for which you would like to adjust alerts. The watchlist opens.
- In the watchlist settings next to Alerts, click Edit, or click Edit alerts in the upper-right. The Edit alerts panel slides in from the right. Then do one of the following:
  - For assigned alerts: Click Edit. A new tab with the alert open appears.
  - To add a new recommended alert: Click View. A new tab with the panel to create the recommended alert appears.
  - To create a new alert: Click Create new alert. A new tab with the panel to create a new alert appears.
- Adjust the alert rule settings as necessary and click Save.
Delete a watchlist
- Go to User Activity > Watchlists.
- Find the watchlist you want to delete and click Actions.
- Click Delete watchlist. A confirmation message slides in from the right.
- Click Delete watchlist to confirm.
Deleting a watchlist has the following effects:
- All users are removed from that watchlist. Their User profiles are still available.
- Cases remain intact for any users on the watchlist.
- Associated alerts are removed from the watchlist. If those alert rules are not used elsewhere in Incydr, they are deleted from Alerts.
- The watchlist is removed from your current list of watchlists and can be recreated at another time.
Manage watchlists with integrations
You can use Incydr integrations to automatically manage user membership in watchlists using data from other systems, such as identity and access management (IAM), privileged access management (PAM), or human capital management (HCM) systems. The following Incydr integrations are available to automate watchlist management.
Incydr Flows
Incydr Flows connect other systems to Incydr, allowing you to use information in those systems to update your Incydr environment. For example, you can ingest user attributes such as employment milestones, departure dates, or elevated access credentials for use in watchlists.
Incydr Flows requires assistance and setup from Incydr Professional Services. Contact your Customer Success Manager (CSM) to engage the Incydr Professional Services team. For a general overview of how to start configuring Incydr Flows, see Configure Incydr Flows.
For more information about Incydr Flows, see Introduction to Incydr Flows.
CLI
The Incydr command-line interface (CLI) tool is a command-driven framework to interact with your Incydr environment. To use the CLI to manage watchlists, see Watchlist Commands in the CLI documentation in the Developer Portal.
For more information about the CLI, see Introduction to the Incydr command-line interface.
Incydr SDK
The Incydr SDK is a Python SDK wrapper around the Incydr API that lets you develop your own tools for working with Incydr data. To use the Incydr SDK to manage watchlists, see Watchlists in the SDK documentation in the Developer Portal.
For more information about the Incydr SDK, see Introduction to the Incydr SDK.
APIs
Incydr's API can be used to interact with your environment using RESTful tools and standards. To use the API to manage watchlists, integrate the following APIs with external systems:
For more information about the API, see Incydr API resources.
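As an added example of the reconciliation an integration performs (not Code42's Incydr Flows, SDK or API code), the following Python turns a constructed HR export of departure dates into add/remove operations against the individual members of a departing-employee watchlist, implementing the "add users before they leave, keep watching after they have left" idea from the watchlist types above. The `WatchlistClient` protocol and the `list_included_users`, `add_included_users` and `remove_included_users` method names are assumptions modelled on the Incydr SDK's watchlist methods; the real SDK works with Incydr user IDs rather than usernames, so a username-to-ID lookup would sit in front of it. `DryRunWatchlist` is an in-memory stand-in so the example runs without a tenant.

```python
"""Reconcile a watchlist's individual members with an HR departure feed.

Added example, not Incydr Flows/SDK/API code. Assumptions: an HR export
with columns username,termination_date (ISO date, blank if none), and a
client exposing list/add/remove of included users (method names modelled
on the Incydr SDK; the real SDK takes Incydr user IDs, so map usernames
to IDs first).
"""
import csv
import io
from datetime import date, timedelta
from typing import Protocol

LOOKAHEAD_DAYS = 14  # watch users this many days before their last day
RETENTION_DAYS = 30  # keep watching this long after departure (access may linger)
TODAY = date(2024, 6, 5)  # fixed "today" so the constructed run is reproducible


def desired_members(hr_csv: str, today: date) -> set:
    """Usernames whose departure window contains `today`."""
    wanted = set()
    for row in csv.DictReader(io.StringIO(hr_csv)):
        raw = (row.get("termination_date") or "").strip()
        if not raw:
            continue  # no departure scheduled
        try:
            last_day = date.fromisoformat(raw)
        except ValueError:
            # Fail closed: a malformed feed must not silently drop a departing user.
            raise ValueError(f"bad termination_date {raw!r} for {row['username']}")
        window_start = last_day - timedelta(days=LOOKAHEAD_DAYS)
        window_end = last_day + timedelta(days=RETENTION_DAYS)
        if window_start <= today <= window_end:
            wanted.add(row["username"].strip().lower())
    return wanted


def plan(current: set, wanted: set) -> tuple:
    """Return (to_add, to_remove) that turns `current` into `wanted`."""
    return wanted - current, current - wanted


class WatchlistClient(Protocol):
    """Assumed interface shape, modelled on the Incydr SDK watchlist methods."""
    def list_included_users(self, watchlist_id: str) -> set: ...
    def add_included_users(self, watchlist_id: str, users: list) -> None: ...
    def remove_included_users(self, watchlist_id: str, users: list) -> None: ...


class DryRunWatchlist:
    """In-memory stand-in so the example runs without an Incydr tenant."""

    def __init__(self, members):
        self.members = set(members)
        self.log = []  # what a real run would have sent to the API

    def list_included_users(self, watchlist_id):
        return set(self.members)

    def add_included_users(self, watchlist_id, users):
        self.members.update(users)
        self.log.append(f"add {sorted(users)}")

    def remove_included_users(self, watchlist_id, users):
        self.members.difference_update(users)
        self.log.append(f"remove {sorted(users)}")


def reconcile(client: WatchlistClient, watchlist_id: str, hr_csv: str, today: date) -> tuple:
    """Apply the plan; returns (to_add, to_remove) for the audit log."""
    current = client.list_included_users(watchlist_id)
    to_add, to_remove = plan(current, desired_members(hr_csv, today))
    if to_add:
        client.add_included_users(watchlist_id, sorted(to_add))
    if to_remove:
        client.remove_included_users(watchlist_id, sorted(to_remove))
    return to_add, to_remove


# Constructed HR export (not real data): alice and erin are inside their
# windows on TODAY; carol left more than RETENTION_DAYS ago; dave is not
# yet within LOOKAHEAD_DAYS; bob has no departure scheduled.
HR_FEED = """username,termination_date
alice,2024-06-10
bob,
carol,2024-05-01
dave,2024-07-15
erin,2024-06-01
"""

if __name__ == "__main__":
    client = DryRunWatchlist({"carol", "erin", "frank"})  # current individual members
    added, removed = reconcile(client, "departing-watchlist-id", HR_FEED, TODAY)
    print("added:", sorted(added), "removed:", sorted(removed))  # added: ['alice'] removed: ['carol', 'frank']
    print(client.log)
```

Two design points matter in practice. The reconciliation only touches individual users, so members who arrive through a directory group or department (managed by your provisioning provider) are never affected by it; and because `plan` removes every individual member absent from the feed, run it only against a watchlist whose individual members are owned by this integration, or narrow the removal set to users the integration previously added.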