The User Risk Summary report breaks down incidents by user and covers email and endpoint incidents. From the help file: “The user risk summary gives you insight into the behavior of specific individuals in your organization by associating users with email and endpoint incidents. This information helps you focus your data loss prevention efforts on those users posing the highest risk to the security of your data.”
There are 3 steps to take in order for the user risk summary report to be displayed:
- Create custom user attributes
- Import user data
- View the reports
Create Custom User Attributes
One item to keep clear is that the attributes defined here are different from the custom attributes populated by Active Directory as part of an incident. These attributes need to be created outside of the incident attributes. This has led to a lot of confusion on my part, but it needs to be set up.
To set up the custom attributes for User Risk Reporting, navigate to System -> Users -> Attributes. By default there are no attributes in the system.
To add a new attribute, select “Add” and then type in the Attribute Name (example: First Name or Department). These attributes will be populated by the data source (either Active Directory or a CSV file).
The screenshot shows the attributes that are populated in my demo system.
Import User Data
Once again, this is different from populating the data for incidents and needs to be configured separately. We can leverage the existing directory connection that is already being used, or create a new data source.
This is found under System -> Users -> Data Sources.
Selecting Add presents you with this screenshot.
As you can see, I’m using the existing Directory Connection already created, but after I provide a name the data source is ready.
Check the box next to the data source and select “Import” to run the import. After the import is complete, information will be presented on the User Risk Summary report (if you have incidents).
View the reports
User risk reports group the Network incidents and the Endpoint Discover incidents together. These reports break the incidents down by severity.
If a user is selected, the report presents further detail about the types of incidents generated.
A good summary. Thanks.