Viewing Out-of-Policy Behavior

The ITM On-Prem (ObserveIT) User Risk Dashboard enables security analysts and investigators to track users who violated company policy or security rules and to quickly identify the users with the highest number of policy violations and those whose behavior did not improve over a period of time.

In the Risky Users section of the dashboard, next to each risky user's photo is a red tag showing the total number of out-of-policy notifications that were displayed to the user during the last 31 days. Hovering over the red tag opens a tooltip that helps you quickly learn about changes in the user's behavior. A trend arrow to the right of the red tag indicates whether or not the user's behavior has improved over time.

In the following example, there were 17 out-of-policy messages displayed to this user; the trend icon shows an overall increase in the number, which means that this user's behavior is not improving and so the user is becoming more risky.

The detailed information inside the tooltip provides the following data:

  • Total: Breaks down the notification count by type of out-of-policy message; the types are Warning Notifications, Blocking Messages, and Deny Access.

  • 7-Days Trend: Compares the number of notifications during the last 7 days with the number of notifications during the previous 7 days.

    In the above example, you can see:

    • Although only 3 blocking messages were displayed to this user during the last 31 days, the number is going up. During the last 7 days, the number went up from 2 (in the previous 7 days) to 3 (in the last 7 days); hence the trend is +1. The arrow icon also indicates the upward trend.
    • A total of 14 warning notifications were displayed to this user during the last 31 days, and the number is going up. During the last 7 days, the number went up from 4 (in the previous 7 days) to 7 (in the last 7 days); hence the trend is +3. The arrow icon also indicates the direction of the trend.
  • New since Yesterday: Shows the total number of notifications that occurred since yesterday for each type. In the above example, there was 1 new blocking message and 3 new warning notifications since yesterday.
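The following is an added example, not code from the ObserveIT product, showing how the three tooltip figures (31-day total per type, 7-day trend, and new-since-yesterday count) can be derived from a log of displayed notifications. It assumes half-open windows ending at "now" (last 7 days, the 7 days before that, and 31 days overall), treats "since yesterday" as everything from the start of the previous calendar day, and calls the overall trend "up" when the per-type trends sum to a positive number; the event data is constructed for the example and the field names are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# The three out-of-policy message types shown in the tooltip.
TYPES = ("Warning Notification", "Blocking Message", "Deny Access")


@dataclass(frozen=True)
class Notification:
    """One out-of-policy message displayed to a user (hypothetical record shape)."""
    shown_at: datetime
    user: str
    kind: str  # one of TYPES


def summarize_user(events, user, now):
    """Compute the tooltip figures for one user from a list of Notification records."""
    window_start = now - timedelta(days=31)      # 31-day total window
    last7_start = now - timedelta(days=7)        # "last 7 days"
    prev7_start = now - timedelta(days=14)       # "previous 7 days"
    # Assumption: "since yesterday" means from midnight at the start of the previous day.
    yesterday_start = (now - timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)

    total, last7, prev7, new = Counter(), Counter(), Counter(), Counter()
    for e in events:
        # Keep only this user's events that fall inside the 31-day window.
        if e.user != user or not (window_start < e.shown_at <= now):
            continue
        total[e.kind] += 1
        if e.shown_at > last7_start:
            last7[e.kind] += 1
        elif e.shown_at > prev7_start:
            prev7[e.kind] += 1
        if e.shown_at >= yesterday_start:
            new[e.kind] += 1

    by_type = {
        k: {"total": total[k], "trend": last7[k] - prev7[k], "new_since_yesterday": new[k]}
        for k in TYPES
    }
    overall = sum(v["trend"] for v in by_type.values())
    direction = "up" if overall > 0 else "down" if overall < 0 else "flat"
    return {"total": sum(total.values()), "direction": direction, "by_type": by_type}


# Constructed sample data: a fixed "now" and events placed at chosen offsets before it.
NOW = datetime(2024, 6, 30, 12, 0, 0)


def _ago(days=0, hours=0):
    return NOW - timedelta(days=days, hours=hours)


SAMPLE_EVENTS = [
    # alice: warnings in the last 7 days (4), the previous 7 days (2), older in window (3),
    # and one outside the 31-day window that must be ignored.
    Notification(_ago(hours=3), "alice", "Warning Notification"),
    Notification(_ago(days=2), "alice", "Warning Notification"),
    Notification(_ago(days=3), "alice", "Warning Notification"),
    Notification(_ago(days=6), "alice", "Warning Notification"),
    Notification(_ago(days=8), "alice", "Warning Notification"),
    Notification(_ago(days=12), "alice", "Warning Notification"),
    Notification(_ago(days=16), "alice", "Warning Notification"),
    Notification(_ago(days=20), "alice", "Warning Notification"),
    Notification(_ago(days=28), "alice", "Warning Notification"),
    Notification(_ago(days=40), "alice", "Warning Notification"),
    # alice: blocking messages, 2 in the last 7 days vs 1 in the previous 7 days.
    Notification(_ago(hours=30), "alice", "Blocking Message"),
    Notification(_ago(days=5), "alice", "Blocking Message"),
    Notification(_ago(days=10), "alice", "Blocking Message"),
    # alice: one deny-access message in the previous 7 days, none since.
    Notification(_ago(days=9), "alice", "Deny Access"),
    # bob: a single event, to show that users are separated.
    Notification(_ago(days=1), "bob", "Warning Notification"),
]

if __name__ == "__main__":
    summary = summarize_user(SAMPLE_EVENTS, "alice", NOW)
    print(f"{summary['total']} notifications in 31 days, trend {summary['direction']}")
    for kind, row in summary["by_type"].items():
        print(f"  {kind}: total {row['total']}, 7-day trend {row['trend']:+d}, "
              f"new since yesterday {row['new_since_yesterday']}")
```

Running it reports 13 notifications for alice with an overall upward trend: warnings 9 (+2, 1 new), blocking messages 3 (+1, 1 new), and deny access 1 (-1, 0 new). The event 40 days old is excluded from every figure, and bob's event does not affect alice's counts.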