Watchlist
Use watchlists to monitor the activity of specific users for potential threats. For example, you can monitor users who are not full-time employees in your organization or users who trigger a specific risk indicator frequently.
How to add a user to the watchlist
You can either add a user to the watchlist manually, or you can define policies that when triggered adds a user to the watchlist.
To add a user to the watchlist manually, navigate to the user’s profile on the risk timeline. Then, from the Actions menu, select Add to watchlist. Click Apply and follow the prompts to enforce the action.
To add a user to the watchlist using policies, create a policy with a set of conditions that must be met. Select the Add to watchlist action. When the conditions are met, the user is added to the watchlist. For example, you might want to add a user to the watchlist if the user’s risk score change is greater than 70 in 30 minutes.
For more information about creating policies, see Configure policies and actions.
How to remove a user from the watchlist
You can either remove a user from the watchlist manually, or you can define policies that when triggered removes a user from the watchlist.
To remove a user from the watchlist manually, navigate to the user’s profile on the risk timeline. Then, from the Actions menu, select Remove from watchlist. Click Apply and follow the prompts to enforce the action.
Note
When a user is on the watchlist, and you want to remove them, you see the Remove from watchlist option in the Actions menu.
To remove a user to the watchlist using policies, create a policy with a set of conditions that must be met. Select the Remove from watchlist action. When the conditions are met, the user is removed from the watchlist. For example, you might want to remove a user from the watchlist if the user’s risk score change is lesser than 70 in 60 minutes. To learn more about creating policies, see Configure policies and actions.
How to monitor users in a watchlist
On the Security > Users dashboard, view the following:
-
Summary of the number of users in the watchlist for the last 13 months. Click the box to view the list of all users in the watchlist on the Users in Watchlist pane.
-
Top five users in the watchlist listed based on the risk score. In the Users in Watchlist pane, view the risk score, and risk indicator occurrences along with the name of the user. Click See More to view the list of all users in the watchlist on the Users page.
-
Top risky users who are in the watchlist. In the Risky Users pane, the “eye” icon next to a user indicates that the user is in the watchlist.
On the Users page, view the list of all users in the watchlist. View details such as the risk score, number of risk indicators triggered, and associated data sources for a user.
Use the search box to find users and their event details. Select the time period to view the risk indicator occurrences for the specific period.
