All users in your organization can be analyzed for abnormal user activities and assigned a user risk score. Users with high scores have either multiple alerts or high-severity alerts associated with them. These scores and alerts enable you to quickly identify high-risk users so that you can investigate their abnormal activities in your environment.
The top risky users are the users with the highest risk scores. Both a large number of alerts and high-severity alerts contribute to the score.
Look at the Top Risky Users, which are the top ten users with the highest risk scores.
a. Look for high user scores marked with critical or high severity.
b. Check if any user scores increased since yesterday. If you see +0, there was no increase since yesterday.
c. Look for users with critical (red band) alerts.
In this example, Levi has a high user score of 112 and 2 critical alerts. Levi also has 2 high, 3 medium, and 12 low severity alerts. Charlie has a user score of 80, lower than Levi's, but also has 4 critical alerts. Given this information, it would be a good idea to further investigate the activities of both of these risky users.
The user profile enables you to access detailed information on the anomalous behavior of the user, including the alerts associated with them and the indicators that generated those alerts.