Chat now with support
Chat with Support

Change Auditor Threat Detection 7.0.4 - User Guide

Accessing the dashboard

Once you have deployed the Threat Detection server, configured Change Auditor for Threat Detection, and the system has analyzed 30 days of historical data to create a baseline of user behavior, you can access the Threat Detection dashboard.

To allow access to the Threat Detection dashboard in the Change Auditor client or through Chrome using single-sign on, the Threat Detection server is joined to the coordinator’s domain during the initial Threat Detection configuration or manually during an upgrade. See the Change Auditor Threat Detection Deployment Guide for details on creating a configuration or updating the Threat Detection server.

Select View | Threat Detection Dashboard.
Trusted Sites with the User Authentication | Logon | Automatic logon with current username and password option enabled.

Overview tab

The Overview tab provides an initial view of the recent and most important user activities in your environment. At a glance you can see details on the high risk user such as their photo, display or logon name, job title, department, and their address.

Each pane shows either prioritized incidents for investigation or consolidated metrics reflecting potential risks to the enterprise.

High Risk Users

User risk scores are a primary tool for incident prioritization. Using the score, the system highlights specific user accounts that require immediate attention.

The user risk score is the addition of the "contribution to user score" assigned to each alert that is associated with the user and the analysts notes.

Score calculation formula:

User Risk Score = ∑ [Unreviewed (no analyst notes provided) & "Actual Risk"] - ∑ ["Not A Risk"]

The contribution to the user score value for the alert is dependent on the alert severity. The severities are color coded to help identify the severity quickly.

Critical

Red

+20

High

Yellow

+15

Medium

Blue

+10

Low

Green

+1

The High Risk Users pane lists users with the highest user risk scores, and the following information related to each of those alerts:

To investigate a user, click anywhere in the user frame to investigate the user’s alerts. See How to perform an alert investigation for more information.

Alerts and their associated indicators are retired after 90 days and the alert score drops to 0. Once an alert is retired, the risky user is also removed from the dashboard. The retired alerts and indicators remain accessible in the dashboard for an additional 6 months. They will not affect the user score, and they will be grayed-out in the user profile page.

SMART Alerts

The SMART Alerts pane displays a list of alerts, severity level, alert creation date, and number of indicators. The list is comprised of the top ranked SMART alerts in the last 2 months.

Clicking on a SMART Alert displays the corresponding alert on the Alert Overview page, allowing for further investigation (see How to perform an alert investigation).

Related Documents