All Users reference – Z3n Tests (86657d d8eb80/1754608591)

Overview

The All Users list shows all of the users in your Incydr environment sorted by the highest number of critical-severity file events, then by high-severity file events. On this list, you can see the risk indicators associated with a user's file events and see more details about their most recent file activity.

Considerations

Add trusted activity and data connections to focus your investigations on higher-risk file activity. Adding trust settings allows Incydr to show only untrusted file events on security event dashboards, user profiles, and alerts, reducing your total file event volume. All file activity is still visible in Forensic Search.
To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr.

Differences in file event counts
File events for Forensic Search and Alerts typically appear within 15 minutes of the file activity, while file events in the security event dashboards, All users list, watchlists, and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts elsewhere. For more information about how long it takes for events to show up in Incydr, see Expected time ranges for events to appear.

All Users list

To access the All Users list:

Sign in to the Incydr console.
Select User Activity > All Users.
The All Users list appears.

Item		Description
a	Trust settings	Indicates trust settings are applied to this page, which filters your view to only show the riskiest activity. Click to learn more and to view your trust settings. Incydr excludes trusted file activity from appearing on dashboards, watchlists, user profiles, and alerts. Trusted activity is the file activity that occurs on your trusted domains and IP addresses as well as your approved cloud destinations.
b	Search	Enter an Incydr username to find a specific employee's file activity. Note: If a user's Incydr username is not the same as their username in a cloud service monitored by a Incydr data connection, a search for the cloud username might return search results for the Incydr username.
c	Risk settings	Click to open Risk settings, from which you can set the score of each risk indicator. Scores are used to calculate the severity of each file event. For more information about Risk settings, see Risk settings reference. To edit risk settings, you must have the Insider Risk Admin or Insider Risk Analyst role. Users with the Insider Risk Read Only role can view risk settings, but not make changes.
d	Selected time frame	Shows the time frame in which the file activity occurred. Click to change the time frame.
e	Quick filters	Click View users on any of the filters to only see employees in the list with file events of that severity.
f	List of users	Shows all of the users in your Incydr environment sorted by the highest number of critical-severity file events, then by high-severity file events.

List of users

Item		Description
a	User	Shows the name of the employee that initiated the file activity, their department, and title. *Department and title are only shown if your Incydr environment uses provisioning.
b	Event severity	Displays the count of file events for each severity level (Critical, High, Moderate, and Low). Severity is determined by the sum of the scores for all risk indicators associated with an event. Higher scores denote higher risk severity. To learn more, see Risk settings reference.
c	Destination indicators	Risk indicator based on where a file is moved or uploaded.
d	Source indicators	Risk indicator based on files that were acquired from a source likely to contain company data.
e	File indicators	Risk indicator based on the type of file, as determined by the file extension and file contents.
f	User indicators	Risk indicator based on user behavior automatically detected by Incydr and inclusion in high risk user groups, such as departing employees.
-	Departure date / Start date (Not shown)	Lists the dates added when the user was placed on a watchlist. Departure date: Date the employee is leaving the company (Departing watchlist only) Start date: Date the employee started working at the company (New hire watchlist only)
g	Notes	Displays any notes added to the User Profile.
h	Filter	Click to filter the list by: Event severity Departure date or start date (Departing and New hire watchlists only) Risk indicators Username Department (requires provisioning) Watchlists such as contract employees or flight risks.
i	View details	Click to see more details about the user's file activity such as the filename and PRISM score of their critical and high file events.
j	Action menu	Click to select: View profile: Opens the employee's User Profile where you can view their past file events. View events in search: Opens the employee's file events in Forensic Search where you can see greater detail about the file events.

View details

From the list of users, click View event details to see more information about a user's file activity.

User File Activity Details

Item		Description
a	Selected time frame	Shows the time frame the file activity occurred in. Change the time frame in the upper-right corner of the screen.
b	Actions	Click the Actions menu and do one of the following: Select Add to watchlists to add the user to one or more watchlists for closer monitoring. If the user is already on a watchlist, select Edit watchlists to change the user's current watchlist memberships. In Alerts, select Send email to email the user requesting more information about their activity. Customize the message as needed before you send it. Select Send user an Instructor lesson to send a lesson to the user. Select a custom action. Incydr Flows connect other systems or workflows to Incydr. These integrations can add contextual information about users and orchestrate response controls. Custom actions are only available if your organization has worked with Incydr Professional Services to set up Incydr Flows and if you have the correct role. Visibility of actions You are only shown actions that you are allowed to access based on your Incydr role and your organization's product plan. For example: To add users to watchlists, you must have the Insider Risk Admin role, the Departing Employee Manager role (for the Departing watchlist), or the High Risk Manager role (for all other watchlists). For more information about adding users to watchlists see Manage watchlists. To send Instructor lessons to users, you must have a product plan that includes Instructor and one of these roles: Insider Risk Admin, Insider Risk Analyst, Insider Risk Read Only, or Insider Risk Respond. To access Incydr Flows you must have the Insider Risk Respond role. For more information about Flows, see Introduction to Incydr Flows.
c	View profile	Opens the User Profile for the employee.
d	User	Displays a summary of the employee's information, including: Name Department* Title* Watchlists the employee has been added to *Displays this information if your Incydr environment uses provisioning. For more information, see Provision user attributes to Incydr.
e	Open alerts	Shows the number of alerts the user has triggered during the selected time frame that are in the Open, In progress, or Pending response status. Click to see the user's alerts.
f	Open cases	Shows the number of cases with the Open status for which the user has been added as the subject of the case. Click to see the user's cases.
g	Notes	Do one of the following: Click Add to add more details to the user's profile. Click Edit to modify existing notes. Notes are limited to 1000 characters.
h	Event with risk indicators	Displays counts of each file event severity with associated risk indicators. For more information about risk indicators, see Risk settings reference.
i	Investigate in Forensic Search	Click to see more details about the file events in Forensic Search. Learn more about using Forensic Search.
j	Filter	Click to show filters that allow you to see events based on risk indicator or watchlist. To remove a selected filter, click it again.
k	By PRISM score	Click to show file events by PRISM score in descending order.
l	By date observed	Click to show file events by the date the event occurred with latest events on top.
m	View details	Click to view details about the file event. For detailed descriptions of each field, see File event metadata.
n	Filename/Details	Shows filename, risk indicators, PRISM score, and other details about the file event. If the filename is shown as a blue hyperlink, you can download the file from this location. If the filename is not a blue hyperlink, you may be able to download the file in Forensic Search. To view all file events with more detail, click Investigate in Forensic Search .