Use watchlists to monitor the activity of specific users for potential threats. For example, you can monitor users who are not full-time employees within your organization by adding those users to the watchlist, or you can monitor users who trigger a specific risk indicator frequently.
How to add a user to the watchlist
You can either add a user to the watchlist manually, or you can define rules that, when triggered, add a user to the watchlist.
To add a user to the watchlist manually, navigate to the user’s profile on the Risk Timeline. Then, from the Actions menu, select Add to watchlist. Click Apply and follow the prompts to enforce the action.
To add a user to the watchlist using policy rules, create a rule with a set of conditions that must be met for the Add to watchlist action to be executed. For example, you might want to add a user to the watchlist if the user’s risk score change is greater than 70 in 30 minutes. (Learn more about creating rules: Configure rules and actions)
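To see which users a condition like the one in this example would select, the following added sketch (not product code and not part of the original documentation) evaluates it over constructed risk score samples. It assumes that "risk score change" means the current score minus the user's lowest score in the preceding 30 minutes; the function name and sample data are hypothetical.

```python
from collections import deque
from datetime import datetime, timedelta

THRESHOLD = 70                   # risk score change from the example rule
WINDOW = timedelta(minutes=30)   # time span from the example rule


def users_to_watchlist(samples, threshold=THRESHOLD, window=WINDOW):
    """Return {user: timestamp of the first sample that met the condition}.

    samples: iterable of (timestamp, user, risk_score), sorted by timestamp.
    Assumption: change = current score - lowest score in the prior window.
    """
    lows = {}     # user -> deque of (timestamp, score), scores increasing
    flagged = {}
    for ts, user, score in samples:
        dq = lows.setdefault(user, deque())
        # Expire samples older than the window.
        while dq and ts - dq[0][0] > window:
            dq.popleft()
        # Keep scores increasing so dq[0] is always the window minimum.
        while dq and dq[-1][1] >= score:
            dq.pop()
        dq.append((ts, score))
        # "Greater than 70": a change of exactly 70 does not qualify.
        if user not in flagged and score - dq[0][1] > threshold:
            flagged[user] = ts
    return flagged


# Constructed sample data (not real telemetry).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLES = [
    (T0, "alice", 10),
    (T0, "bob", 5),
    (T0 + timedelta(minutes=10), "carol", 20),
    (T0 + timedelta(minutes=15), "alice", 45),
    (T0 + timedelta(minutes=20), "alice", 85),  # +75 in 20 minutes
    (T0 + timedelta(minutes=25), "carol", 90),  # +70 exactly
    (T0 + timedelta(minutes=40), "bob", 80),    # +75, but over 40 minutes
]

if __name__ == "__main__":
    for user, when in users_to_watchlist(SAMPLES).items():
        print(f"{user} meets the condition at {when:%H:%M}")
```

Only alice is selected: carol's change equals the threshold rather than exceeding it, and bob's increase falls outside the 30-minute span.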
How to monitor users in a watchlist
On the Security > Users dashboard, view the following:
Summary of the number of users in the watchlist. Click the box to view the list of all users in the watchlist on the Watchlist page.
Top five users in the watchlist listed based on the risk score. In the Users in Watchlist pane, view the risk score, risk score change, and change trend data along with the name of the user. Click See More to view the list of all users in the watchlist on the Watchlist page.
Top risky users who are in the watchlist. In the Risky Users pane, the “eye” icon next to a user indicates that the user is in the watchlist.
On the Watchlist page, view the list of all users in the watchlist. You can monitor all users added to the watchlist in the last one hour, 12 hours, one day, one week, or one month.
View details such as the risk score, risk score change, number of risk indicators (access, data, and application) triggered for a user, trend of risk score change, the user account name, and the latest risk indicator triggered for that user.
Filter the list and get a customized view either based on user risk score or type of risk indicator. You can also filter and view watchlist users based on a range of risk scores or risk score change.