Risk View

Risk view displays the Entities (Devices and Users) ordered by Risk. Risk is calculated based on the triggering incidents using a proprietary algorithm that incorporates asset criticality, incident severity, frequency of incident occurrence, and vulnerabilities found. Risk is only computed for devices in CMDB, private IP addresses, and users found in logs or discovered via LDAP.

Go to INCIDENTS > Risk to see this view. Risk can be set as the default view by selecting User Profile > UI Settings, then choosing Incidents from the Home drop-down list and Risk from the Incident Home drop-down list.

Devices and Users are categorized by Risk as follows:

  • Devices - number of devices with Risk
  • Users - number of users with Risk
  • High Risk - number of devices and users with high risk
  • Medium Risk - number of devices and users with medium risk
  • Low Risk - number of devices and users with low risk

To show only one of these categories of devices and users in the Risk View, click that category.

The Risk View displays the following:

  • Entity (Device or User name)
  • Entity Detail Options (For devices, drop-down actions available)
  • Current Risk - Current value, with an up or down indicator versus the same period
  • 24 Hour Risk Trend (1 day trend)
  • Incidents in Last 24 hours (1 day)

To drill down, click a row; the incidents that led to this risk are shown in a timeline format. You can select an incident and choose any action from the Actions menu. The actions are similar to those described for the List View.

An Entity (Device or User) can be selected. When selected, the Risk View page expands to three panes that provide more information on the selected object. To go back to the main Risk View, click on < in the left pane.

Pane Information

Left Pane for Device

If a device is selected, in the left pane, the following tabs are available:

  • General - The name of the device, its access IP, device type, version, importance, and additional description are displayed if available.
  • Discovery Status - Discovery information for the device is displayed, which includes its creation date, last discovered date, and last update.
  • Collection Status - Information collected from the device is displayed, which includes uptime.
  • Member of # Group - Any groups that the device is a member of are displayed.
  • Properties - Any custom defined properties are listed here.
  • Software - Installed Software, Running Applications, Windows Services, Installed Patches. Click on a specific property for more information.
  • Hardware - Interfaces, Processors, Storage, Components. Click on a specific property for more information.

Left Pane for User

If a user is selected, in the left pane, the following tabs are available:

  • General - User information, such as user name, full name, job title, company, domain, and last domain where the user was logged on is displayed.
  • Advanced - Information such as when the domain password was last set, the age of the domain password, system role, and user lockout time is displayed.
    Note: The information that appears here is also provided under CMDB > Users > Summary > Advanced.
  • Contact - User contact information is displayed, which can include work phone number, mobile phone number, email address, and physical address.
  • Member of # Groups - Any groups that the user is a member of are displayed.

Middle Pane For Device and User

In the middle pane, information on incidents and activities is displayed for the device or user.

A Time Range drop-down selector is available to adjust the time range. Additionally, a Refresh button is available to update information from the middle pane.

  • Current Risk Score
  • Risk Score and Incident Trend graph - The color of a circle represents its event severity (Red: High Severity, Yellow: Medium Severity, Green: Low Severity). The size of the circle represents the incident count.
    Note: In the case of incident overlap, the color will blend, i.e. a high severity and medium severity incident that occurred at the same time would appear as dark orange.
  • Incident Timeline
  • Overview by Incident Category - Information from triggered incidents is shown by category and severity. Categories are Security, Performance, Availability, Change, and Other.
    Note: This information is the same as that provided by the incident trend report.
  • Incidents and Activity Timeline - Incidents are shown by timeline by default. Click the Show Activities checkbox to load activities. Once the data is loaded, this section shows a combination of occurred incidents and activities ordered by the occurred time. Incidents are color coded, and also have a notification (bell) icon next to them. The two kinds of timeline entries are described below.
    • Incident - In the timeline, the incident status, its name, and number of occurrences including date and time are shown. Click Details for a slide-in panel that provides Details (default), Triggering Events, Rule Summary, Comments, (Incident) Context and Action History information, available by clicking on the respective icon. Click Actions to act on the incident (for more information on Actions, see Acting on Incidents).
    • Activity - In the timeline, the activity name, occurrences, and the user who did the activity are displayed. An Event Details link provides the raw messages related to the activity when clicked.

Right Pane for Device

The right pane contains a few pre-defined report widgets to provide an overview for the device.

Device Dashboards

  • Successful and Failed Logins - Displays the number of successful and failed logins as a graph.
  • Top Users by Failed Login - Displays the most frequent users with failed logins as a graph.
  • Top Users by Successful Login Type and Count - Displays the most frequent users with successful logins as a graph.
  • Top Security Event Types - Displays the most frequent security event types as a graph.
  • System CPU and Memory - Displays the system CPU and memory usage as a graph.
  • Top Processes by CPU - Displays the processes consuming the most CPU as a graph.
  • Top Processes by Memory - Displays the processes consuming the most memory as a graph.

Right Pane for User

The right pane contains a few pre-defined report widgets to provide an overview for the user.

User Dashboards

  • Top User Actions - Displays the user's top actions taken over the configured time range as a graph.
  • Top Actions on User Account - Displays the top actions for the user account as a graph.
  • Host Logon Activity - Displays the user's logon activities as a graph.
  • Successful and Failed Logins - Displays the user's number of successful and failed logins as a graph.