
Change Auditor Threat Detection 7.0.1 - User Guide

Overview tab

The Overview tab provides an initial view of the recent and most important user activities in your environment. Each pane shows either prioritized incidents for investigation or consolidated metrics reflecting potential risks to the enterprise.

High Risk Users

User risk scores are a primary tool for incident prioritization. Using the score, the system highlights specific user accounts that require immediate attention.

The user risk score is based on a simple additive calculation of the user's SMART alerts. The only factors in the risk score calculation are the SMART alerts and analyst notes, with the impact on the scores determined by their levels of severity.

Score calculation formula:

User Score = ∑ [Unreviewed (no analyst notes provided) & "Actual Risk"] - ∑ ["Not A Risk"]

A unified color code is used for all scores and alert severities:

Color    Severity   Score contribution
Red      Critical   +20
Yellow   High       +15
Blue     Medium     +10
Green    Low        +1

The High Risk Users pane lists the five users with the highest risk scores, and the following information related to each of those alerts:

To investigate a user, click anywhere in the user frame to open that user's alerts. See How to perform an alert investigation for more information.

Alerts and their associated indicators are retired after 90 days and the alert score drops to 0. Once an alert is retired, the risky user is also removed from the dashboard. The retired alerts and indicators remain accessible in the dashboard for an additional 6 months. They will not affect the user score, and they will be grayed-out in the user profile page.
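The scoring rules above (severity weights, analyst-note handling and 90-day retirement) can be reproduced in a few lines. The following Python is an added illustration, not code from the Change Auditor product; the sample alerts, the reading of the formula as "unreviewed or Actual Risk adds, Not A Risk subtracts", the inclusive 90-day boundary and the hiding of users at or below 0 are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Severity weights from the guide's color code table.
SEVERITY_POINTS = {"Critical": 20, "High": 15, "Medium": 10, "Low": 1}
RETIRE_AFTER_DAYS = 90  # an alert retires after 90 days and then scores 0


@dataclass
class SmartAlert:
    user: str
    severity: str
    created: date
    analyst_note: Optional[str] = None  # None = unreviewed, else "Actual Risk" / "Not A Risk"


def alert_points(alert: SmartAlert, today: date) -> int:
    """Points one alert contributes to its user's score on the given day."""
    if (today - alert.created).days >= RETIRE_AFTER_DAYS:  # boundary assumed inclusive
        return 0
    weight = SEVERITY_POINTS[alert.severity]
    if alert.analyst_note is None or alert.analyst_note == "Actual Risk":
        return weight          # unreviewed and confirmed alerts add their weight
    if alert.analyst_note == "Not A Risk":
        return -weight         # dismissed alerts are subtracted, per the guide's formula
    raise ValueError(f"unknown analyst note: {alert.analyst_note!r}")


def user_scores(alerts: List[SmartAlert], today: date) -> Dict[str, int]:
    """Additive user score: sum of alert_points over all of a user's alerts."""
    scores: Dict[str, int] = {}
    for a in alerts:
        scores[a.user] = scores.get(a.user, 0) + alert_points(a, today)
    return scores


def high_risk_users(alerts: List[SmartAlert], today: date, top_n: int = 5) -> List[Tuple[str, int]]:
    """Top-N users by score; users at or below 0 are assumed to drop off the pane."""
    ranked = sorted(user_scores(alerts, today).items(), key=lambda kv: (-kv[1], kv[0]))
    return [(u, s) for u, s in ranked if s > 0][:top_n]


# Constructed sample data (not from any real deployment).
TODAY = date(2024, 6, 1)
SAMPLE_ALERTS = [
    SmartAlert("alice", "Critical", date(2024, 5, 20)),                 # unreviewed: +20
    SmartAlert("alice", "Low", date(2024, 5, 25), "Not A Risk"),        # dismissed: -1
    SmartAlert("bob", "High", date(2024, 5, 1), "Actual Risk"),         # confirmed: +15
    SmartAlert("bob", "Medium", date(2024, 1, 15)),                     # 138 days old: retired, 0
    SmartAlert("carol", "Medium", date(2024, 5, 30), "Not A Risk"),     # dismissed: -10
    SmartAlert("dave", "Critical", date(2024, 2, 25)),                  # 97 days old: retired, 0
]
```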

SMART Alerts

The SMART Alerts pane displays a list of alerts with their severity level, alert creation date, and number of indicators. The list consists of the top-ranked SMART alerts from the last 2 months.

Clicking on a SMART Alert displays the corresponding alert on the Alert Overview page, allowing for further investigation (see How to perform an alert investigation).

There is a direct relation between an indicator and the alert it is associated with (for example, the “Abnormal Active Directory Object Change” indicator is associated with the “Abnormal AD Changes” alert). But an alert can contain a number of different indicators, and each indicator could have its own, separate parent alert.

The final alert name is a reflection of the indicator that contributed the highest percentage to the alert. The percentage that each indicator contributed to the alert is displayed to provide you with even more details.

All Users

The All Users pane displays the number of users in each of the Threat Detection predefined groups. The groups are:
