Customizing User Risk Dashboard Parameters

This topic describes how to change specific parameters in the User Risk Dashboard for your own customization requirements.

Use a text editor to edit the parameters file.

The parameters can be found in the ObserveIT.UserAnalytics.Service.exe.config file which is located in the following directory:

C:\Program Files (x86)\ObserveIT\UserAnalytics\bin\

You can customize the following parameters:

  • User Data Time Period - The user data time period is the period of time over which the ObserveIT_Analytics database collects data on risky users and actions. You can set this time period to your required length of time. The unit of measure is days, and the default user data time period is 31 days.

  • ITM On-Prem (ObserveIT) Database Synchronization Time - The database refresh rate is how often data from the ITM On-Prem (ObserveIT) Database is synchronized to the Insider Threat Intelligence database. The unit of measure is seconds, and the default database refresh rate time period is three seconds.

  • User Score Frequency Calculation - You can adjust how often the user score is calculated. The unit of measure is seconds, and the default user score period is three seconds.

  • Active Directory Refresh Rate - You can set how often the users' Active Directory details are refreshed in the Insider Threat Intelligence database. The unit of measure is in hours, and the default refresh rate of the database time period is three seconds.

  • Database Records - You can determine how many database records are transferred to the Insider Threat Intelligence database and to the ITM On-Prem (ObserveIT) Database. The default number of database records fetched is 50,000.

  • Database Cleanup Frequency - You can set how often the Insider Threat Intelligence database cleanup cycle occurs. The unit of measure is days. The database cleanup value must be twice the value set for the User Data Time Period.

  • Alert Risk Scores - Calculating alert risk score values is a vital Insider Threat Intelligence component. You can set and determine your own alert risk score values. When assigning score values, rank them logically: higher severity levels should have higher score values than lower severity levels.

  • User Risk Scores - Calculating user risk scores is a vital Insider Threat Intelligence component. You can set and determine your own user risk score values. When assigning score values, rank them logically: higher severity levels should have higher score values than lower severity levels.

To customize User Risk Dashboard parameters:

  1. Locate the ObserveIT.UserAnalytics.Service.exe.config file under:

    C:\Program Files (x86)\ObserveIT\UserAnalytics\bin\

  2. In the ObserveIT.UserAnalytics.Service.exe.config file, locate the relevant line under the <appSettings> section, depending on the parameter you want to change, as follows:
    • User data time period:

    <add key="CalculationPeriodInDays" value="30"/>

    • ITM On-Prem (ObserveIT) Database synchronization time:

    <add key="ETLFrequencyInSec" value="3"/>

    • Adjusting the user score frequency calculation:

    <add key="ScoreCalculationIntervalInSec" value="3"/>

    • Setting the Active Directory refresh rate:

    <add key="ActiveDirectoryRefreshIntervalInHours" value="0.5"/>

    • Fetching database records:

    <add key="MaxRowsPerFetch" value="50000"/>

    • Setting the database clean-up frequency:

    <add key="DatabaseCleanupFrequencyInDays" value="1"/>

  3. Replace the default value with the desired value.
  4. Save the ObserveIT.UserAnalytics.Service.exe.config file.
  5. Restart the Insider Threat Intelligence service.

To customize alert and user risk score values in the User Risk Dashboard:

  1. Locate the ObserveIT.UserAnalytics.Service.exe.config file under:

    C:\Program Files (x86)\ObserveIT\UserAnalytics\bin\

  2. In the ObserveIT.UserAnalytics.Service.exe.config file, locate the relevant line under the <riskConfigurationSection> section as follows:
    • Setting alert risk score values:

    <alertRiskScores>
      <add name="Low" desc="AlertSeverity" levelId="1" score="1" />
      <add name="Medium" desc="AlertSeverity" levelId="3" score="5" />
      <add name="High" desc="AlertSeverity" levelId="5" score="30" />
      <add name="Critical" desc="AlertSeverity" levelId="7 " score="90" />
    </alertRiskScores>

    • Setting user risk score values:

    <userRiskScores>
      <add name="Low" desc="ScoreSeverity" levelId="1" score="1" />
      <add name="Medium" desc="ScoreSeverity" levelId="3" score="30" />
      <add name="High" desc="ScoreSeverity" levelId="5" score="60" />
      <add name="Critical" desc="ScoreSeverity" levelId="7 " score="90" />
    </userRiskScores>

  3. Replace the default value with the desired value for each of the alert or user severities (Critical, High, Medium, Low).

  4. Save the ObserveIT.UserAnalytics.Service.exe.config file.

  5. Restart the Insider Threat Intelligence service.
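
The ranking rule for alert and user risk scores (higher severity levels must carry higher scores) can be checked before the service is restarted. The following PowerShell is an added example, not part of the product or its documentation: the function name Test-RiskScoreRanking, the <configuration> wrapper element, and the deliberately swapped Medium and High user scores in the sample are assumptions made for illustration.

```powershell
# Constructed sample: alert scores as shown on this page; the user scores for
# Medium and High are swapped on purpose so the check has something to report.
[xml]$sample = @'
<configuration>
  <riskConfigurationSection>
    <alertRiskScores>
      <add name="Low" desc="AlertSeverity" levelId="1" score="1" />
      <add name="Medium" desc="AlertSeverity" levelId="3" score="5" />
      <add name="High" desc="AlertSeverity" levelId="5" score="30" />
      <add name="Critical" desc="AlertSeverity" levelId="7 " score="90" />
    </alertRiskScores>
    <userRiskScores>
      <add name="Low" desc="ScoreSeverity" levelId="1" score="1" />
      <add name="Medium" desc="ScoreSeverity" levelId="3" score="60" />
      <add name="High" desc="ScoreSeverity" levelId="5" score="30" />
      <add name="Critical" desc="ScoreSeverity" levelId="7 " score="90" />
    </userRiskScores>
  </riskConfigurationSection>
</configuration>
'@

function Test-RiskScoreRanking {
    param([Parameter(Mandatory)][xml]$Config)
    $findings = @()
    foreach ($section in 'alertRiskScores', 'userRiskScores') {
        # Find the section by element name so the parent path does not matter.
        $rows = foreach ($node in $Config.SelectNodes("//$section/add")) {
            $level = 0; $score = 0
            # Trim before parsing: the page shows levelId="7 " with a trailing space.
            $okLevel = [int]::TryParse($node.GetAttribute('levelId').Trim(), [ref]$level)
            $okScore = [int]::TryParse($node.GetAttribute('score').Trim(), [ref]$score)
            if (-not ($okLevel -and $okScore)) {
                $findings += "${section}: '$($node.GetAttribute('name'))' has a non-numeric levelId or score"
                continue
            }
            [pscustomobject]@{ Name = $node.GetAttribute('name'); Level = $level; Score = $score }
        }
        $sorted = @($rows | Sort-Object Level)
        for ($i = 1; $i -lt $sorted.Count; $i++) {
            $lo = $sorted[$i - 1]; $hi = $sorted[$i]
            if ($hi.Score -le $lo.Score) {
                $findings += "${section}: $($hi.Name) (score $($hi.Score)) must score higher than $($lo.Name) (score $($lo.Score))"
            }
        }
    }
    return $findings
}

Test-RiskScoreRanking -Config $sample
```

To check the real file, load it with Get-Content -Raw, cast the result to [xml], and pass it as -Config; an empty result means both sections are ranked consistently.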