Dashboard Terms and Concepts

The following terms and concepts are used in the User Risk Dashboard:

Term

Definition

Application

The desktop application name as it appears in the Insider Threat Intelligence dashboard. This can be:

  • A Web application, displayed by its URL
  • A Unix application, displayed by the upper-level command (under shell)

For example, Notepad, Regedit, etc.

New Users at Risk

Users whose score increased to a higher risk level during the last day.

Risk levels are graded as follows:

  • Critical: 90
  • High: 60
  • Medium: 30
  • Low: 1

The Risk level color map is displayed in the dashboard:

User

System users can be of the following types:

  • User who logs in – For example, a user who signs in as ObserveIT-SYS\UserA.
  • Secondary Authentication user – An ITM On-Prem (ObserveIT) Shared account that uses ITM On-Prem (ObserveIT) secondary authentication. For example, the user signs in as ObserveIT-SYS\Admin, and is then forced to sign in again as a secondary user ObserveIT-SYS\UserA.
  • Qualified domain user – A fully qualified domain user, regardless of how the user logs in to the system. For example, ObserveIT-SYS.LOCAL\UserA.
    Note: By default, users are not aggregated across domains. For example: ObserveIT-SYS.LOCAL\UserA, ObserveIT2-SYS2\UserA.
  • Local users – Local users are listed by computer name and user; they are not aggregated with the same users on different computers. For example: c57-32-1\usera.
  • Unix Users:
    • Local Unix users: For local Unix users defined on the host, the Unix Agent will use the computer name as the domain name (as in Windows). For example: mylocalhost\myusername.
    • Common Unix users (NIS): For NIS users, the Unix Agent will use the NIS domain name. For example, observeit.com\usera.

User Risk Score

An indicator that relates to user activity over a measured period of time. The score measures user activity, according to the severity level of user actions. For details, see Calculating User Risk Score.

User Risk Level

Severity level assigned to users based on their user risk score.

For details, see Identifying Risk Severity Levels.