Viewing the Effect in the Dashboard of an Alert Status Change

This topic provides a scenario to show the changes that occur in the User Risk Dashboard when the status of alerts is changed. See also Changing the Status of Alerts and Resolving Risky User Activity Alerts.

In the following example, we have a risky user with a high user score, risky applications, and multiple alert instances from high to low severity:

The user's risk score is 99/+2. This means that the current risk score for the last 31 days is 99, and the risk change since the previous day was 2.

This user has high, medium, and low risk severity levels. The details in the tooltip show a breakdown of the risk percentage contribution (with color-coded severity) to the overall risk score:

  • 45% high risk contribution
  • 43% medium risk contribution
  • 12% low risk contribution

The red tag next to the user's photo shows that a total of 249 out-of-policy notifications were displayed to the user. Note that the trend icon shows that this user's behavior is improving, so the user is actually becoming less risky. Hovering over the red tag opens a tooltip showing that 223 blocking messages and 26 warning notifications were displayed to this user during the last 31 days.

For the purposes of this example, we will change the status of some of the new alerts associated with the high-risk application Windows Explorer, as follows:

  1. In the Risky Applications list, click the Windows Explorer application.

    The Web Management Console opens in a new browser tab displaying the Alerts page.

  2. In the list of alerts configured for the selected risky user, select the alerts whose status you want to change.
  3. Click the Change status link, and change the status from New to Non-Issue (reset score).

    To view the result of this action, return to the User Risk Dashboard (click Insider Threat Intelligence).

    Note the following in the User Risk Dashboard:

      • The risky application Windows Explorer is no longer displayed.
      • In the Risky Users area, the user's score has gone down to 97/+2 (previously 99/+2).
      • The high risk contribution percentage to the overall score has gone down from 45% to 38%.
      • The red tag next to the user's photo shows that the number of out-of-policy notifications displayed to the user during the last 31 days has gone down from 249 to 245. The Out of Policy Behavior tooltip now shows that there were 221 blocking messages (previously 223) and 24 warning notifications (previously 26) displayed to this user.