Mimecast: Human Risk Command Center - Watchlist Rules Manager

This article contains information on using Mimecast's Watchlist Rules Manager within the Human Risk Command Center to create and manage dynamic employee Watchlists for proactive risk management, targeted interventions, and adaptive security controls.

Overview

The Watchlist Manager is a powerful feature within Mimecast’s Human Risk Command Center (HRCC) that empowers organizations to proactively manage human risk. It enables administrators to create and manage continuously updated dynamic Watchlists of users based on risk-related behaviors and user attributes. These Watchlists are automatically populated and updated using configurable rules, ensuring that security policies and interventions are always relevant and targeted.

  • Proactive Risk Segmentation: Dynamically group users with similar risk profiles for targeted interventions and adaptive security controls.
  • Automated, Continuous Response: Watchlists are evaluated and updated hourly, so controls always reflect the latest risk landscape.
  • Efficient Policy Enforcement: Automatically apply controls (e.g., training, email filtering, nudges, access restrictions) across Mimecast and integrated third-party products.
  • Customization: Define your own criteria by combining risk scores, behavioral events, and demographic filters for maximum flexibility.

What Is the Watchlist Rules Manager?

The Watchlist Manager allows you to define and manage Watchlists—groups of employees who share specific risk characteristics. These Watchlists are used to apply targeted policies and interventions, such as additional training, adaptive security controls, or increased monitoring, across Mimecast and third-party products.

  • Rule-Based Grouping: Admins define Watchlists using behavior scores (risk, phishing, malware, training, etc.), security events (e.g., phishing test failures), and user attributes (department, group, region, etc.).
  • Continuous Evaluation: Rules are evaluated hourly, ensuring Watchlist membership is always current.
  • Profile Group Integration: Each Watchlist is mapped to a dynamic Profile Group, making it easy to apply policies in Mimecast products or trigger actions in third-party tools via API.
  • Manual Inclusion/Exclusion: Admins can include or exclude specific users or groups using user information criteria.
  • Multiple Watchlists: Users can belong to multiple Watchlists simultaneously, enabling granular policy targeting.

Creating and Managing Watchlists

  1. Accessing the Watchlist Rules Manager:
    • Log in to the Mimecast Administration Console.
    • Navigate to Human Risk Command Center | Watchlist Rules Manager.
  2. Creating a Watchlist:
    • Log in to the Mimecast Administration Console.
    • Navigate to Human Risk Command Center | Watchlist Rules Manager.
    • Click Create New Watchlist.
    • Fill in the Watchlist Details (name and description).
    • Define Watchlist Rules for Users' Criteria and Events Criteria using behavior scores, behavioral events, timeframes, and user information.
    • Click Save, and a message will appear confirming that a new watchlist has been created.
  3. Rule Criteria Examples:
    • Behavior Scores: Include users with a risk score above a certain threshold.
    • Behavioral Events: Add users who failed simulated phishing tests more than once in the last 60 days.
    • User Information: Target users in a specific department or region.
    • Combined Criteria: For example, “Include users in India with high sensitive data handling risk and high attack factor.”
  4. Automated Membership Management:
    • Rules are evaluated hourly.
    • Users are automatically added or removed as their risk or attributes change.
    • Membership changes are reflected in the associated profile group.
  5. Policy Enforcement: Use Watchlists to apply targeted controls (via the associated profile group), such as:
    • Assigning additional training
    • Managing nudge exclusions (users can manage nudge exclusions only through profile groups)
    • Increasing phishing test frequency
    • Applying stricter email or access policies

Use Cases

| Watchlist Name & Description | Rule Criteria | Possible Controls |
|---|---|---|
| Repeated Simulated Phishing Failures | Simulated Phishing: Clicked, more than once, in last 60 days | Assign extra training, send nudges, increase test frequency, stricter email policies |
| Users with Recent Malware Detections (Non-Executives) | Malware detected in last 30 days, high risk score, exclude executives | Require MFA, restrict access, notify IT, increase scanning |
| Highly Attacked Developers | High attack factor, engineering department | Developer-specific training, extra monitoring, just-in-time access controls |
| Users with Best Security Behavior | Very low risk scores across all domains | Relax controls, send positive feedback, grant privileges |
| Sensitive Data Handling Alerts in India | High attack factor and sensitive data handling scores, region: India | Enhanced DLP, notify local security, extra identity verification |
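
To sanity-check criteria like those in the table above against exported user data before attaching controls, the following added example (not Mimecast code and not the product's rule syntax) models two of the use cases and compares two evaluation passes. The record fields, event names, and sample users are constructed assumptions.

```python
from datetime import datetime, timedelta

NOW = datetime(2025, 6, 1, 12, 0)       # constructed evaluation time
LATER = NOW + timedelta(days=20)        # a later evaluation, to show aging out

def ago(days):
    return NOW - timedelta(days=days)

# Constructed sample records; field and event names are assumptions.
USERS = [
    {"email": "alice@example.com", "executive": False, "risk": "high",
     "events": [("phish_click", ago(10)), ("phish_click", ago(45)),
                ("malware_detected", ago(5))]},
    {"email": "bob@example.com", "executive": True, "risk": "high",
     "events": [("malware_detected", ago(3))]},
    {"email": "carol@example.com", "executive": False, "risk": "low",
     "events": [("phish_click", ago(2))]},
    {"email": "dave@example.com", "executive": False, "risk": "low",
     "events": [("malware_detected", ago(7))]},
]

def count_events(user, kind, days, now):
    """Count events of one kind inside the trailing window ending at `now`."""
    cutoff = now - timedelta(days=days)
    return sum(1 for k, ts in user["events"] if k == kind and cutoff <= ts <= now)

def repeated_phish_failures(user, now):
    # "Simulated Phishing: Clicked, more than once, in last 60 days"
    return count_events(user, "phish_click", 60, now) > 1

def recent_malware_non_exec(user, now):
    # "Malware detected in last 30 days, high risk score, exclude executives"
    return (count_events(user, "malware_detected", 30, now) >= 1
            and user["risk"] == "high" and not user["executive"])

WATCHLISTS = {
    "Repeated Simulated Phishing Failures": repeated_phish_failures,
    "Users with Recent Malware Detections (Non-Executives)": recent_malware_non_exec,
}

def evaluate(users, now):
    """One evaluation pass: watchlist name -> set of member e-mail addresses."""
    return {name: {u["email"] for u in users if rule(u, now)}
            for name, rule in WATCHLISTS.items()}

def membership_changes(previous, current):
    """Users added to or removed from each watchlist between two passes."""
    return {name: {"added": sorted(current[name] - previous[name]),
                   "removed": sorted(previous[name] - current[name])}
            for name in current}
```

At the later pass alice drops off the phishing Watchlist because one click has aged out of the 60-day window, while bob never joins the malware Watchlist because of the executive exclusion.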

Frequently Asked Questions

What is the Watchlist Rules Manager?

A feature in HRCC that lets admins create, manage, and update dynamic employee Watchlists using customizable, continuously evaluated rules.

What criteria can be used in Watchlist Rules?

  • Behavior scores (risk, phishing, malware, training, etc.)
  • Behavioral events (e.g., phishing test failures, malware downloads)
  • Timeframes (e.g., failed tests in the last 30 days)
  • User/demographic information (department, group, region, email)

How are Watchlists populated and updated?

Automatically, hourly, as users’ risk or attributes change.

What actions can be triggered by Watchlist membership?

  • Targeted security training or nudges
  • Adaptive security controls in Mimecast
  • Controls via integrated third-party tools (e.g., email filtering, access restrictions)

Can users be included or excluded manually?

Yes, using user information criteria (email, group, department, region).

Are users limited to one Watchlist?

No, users can belong to multiple Watchlists.

How do Watchlists integrate with other products?

Watchlists generate Profile Groups, which can be used by Mimecast Engage, Email Security, Incydr, and third-party tools via API.

Can admins directly edit Profile Groups created from Watchlists?

No, these are managed automatically by HRCC.

How can group membership be accessed via API?

Use the Profile Group API to access users segmented by HRCC Watchlists.

Will admins need special permissions?

Yes, administrators must be members of a role with the Human Risk: Edit Permissions to manage Watchlists. Out of the box, this includes Basic Administrators and above.
