Watchlist and Risky Users

Frequently, certain users in the environment pose a higher risk to your organization than others. This may be due to an impending termination, a history of security incidents, or the prominence of a particular individual, which makes that user a more likely target of attack.

To mitigate this risk, SIEM (InsightIDR) offers a Watchlist to track such users. Placing a user on the Watchlist is similar to tagging Restricted Assets: for that particular user, it enables some detection rules that are otherwise off and lowers the alerting threshold for others.

Risky Users

On your SIEM (InsightIDR) homepage, and also on the Users and Accounts page, SIEM (InsightIDR) displays a count of all your “Risky Users” in the last 28 days.

SIEM (InsightIDR) ranks risky users by the number of notable events and alerts associated with each user in the last 28 days.


View Watchlist

On the Users and Accounts page, you will see a card that displays a Watchlist metric.


Click on the Watchlist metric to see a complete list of all of the users on the Watchlist. This page displays information about the user such as their name, department, title, and the last time they accessed the account.

The Eye icon indicates that SIEM (InsightIDR) is “watching” the user account. You can toggle the Eye icon to remove the user from the Watchlist.


Add a User to the Watchlist

To add a user to the Watchlist:

  1. Go to the individual User Details page. You can do this by searching for their name in the search bar at the top of the page, or by clicking their name anywhere in the SIEM (InsightIDR) interface.
  2. In the top right corner, select Add to Watchlist.
  3. A tag will appear next to the user's name at the top of the page.

Add Users to Allowlist

Once a user is on the Watchlist, you will receive detections whenever that user performs a watched activity, such as authenticating to a new asset. Because such activity can indicate lateral movement, SIEM (InsightIDR) automatically opens an investigation.

When you close an investigation involving a risky user from the Watchlist, some investigations allow you to add that specific user to an allowlist, which prevents that user from triggering future detections of that kind.
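The behaviour described in this section (rules that fire only for Watchlist users, thresholds lowered for them, the new-asset authentication detection, allowlist suppression, and the 28-day risky-user ranking) modelled end to end, as an added Python example. This is illustrative code written for this page, not InsightIDR's implementation: the event format, rule names, baseline window, threshold values (10 failed logons normally, 3 for watched users) and the log lines are all constructed assumptions.

```python
"""Toy model of Watchlist-driven detection and 28-day risky-user ranking.

Illustrative only; not InsightIDR's code. Rule names, thresholds, the
baseline window and the sample log are assumptions made for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: (timestamp, user, asset, outcome).
SAMPLE_EVENTS = [
    ("2018-08-01T08:00:00", "jdoe",   "WS-JDOE",   "success"),
    ("2018-08-01T08:05:00", "asmith", "WS-ASMITH", "success"),
    ("2018-08-02T08:00:00", "jdoe",   "WS-JDOE",   "success"),
    ("2018-08-20T09:00:00", "jdoe",   "WS-JDOE",   "success"),
    ("2018-08-28T09:00:00", "jdoe",   "FILESRV01", "success"),  # new asset for jdoe
    ("2018-08-28T09:10:00", "asmith", "FILESRV01", "success"),  # new asset, user not watched
    ("2018-08-29T10:00:00", "jdoe",   "DC01",      "failure"),
    ("2018-08-29T10:00:05", "jdoe",   "DC01",      "failure"),
    ("2018-08-29T10:00:10", "jdoe",   "DC01",      "failure"),  # 3rd failure for a watched user
    ("2018-08-29T10:01:00", "asmith", "DC01",      "failure"),
    ("2018-08-29T10:01:05", "asmith", "DC01",      "failure"),
    ("2018-08-29T10:01:10", "asmith", "DC01",      "failure"),  # 3rd failure, below default threshold
    ("2018-08-30T11:00:00", "jdoe",   "HR-APP01",  "success"),  # another new asset for jdoe
]

# Assumed thresholds: the Watchlist lowers the failed-logon threshold.
FAILED_LOGON_THRESHOLD = 10
WATCHLIST_FAILED_LOGON_THRESHOLD = 3


def _ts(s):
    return datetime.fromisoformat(s)


def run_detections(events, watchlist, allowlist=frozenset(),
                   baseline_until="2018-08-15T00:00:00"):
    """Return notable events as (timestamp, user, rule) tuples.

    Events before baseline_until only populate each user's known-asset set
    (a stand-in for the learning period a real product would use).
    - "new_asset_auth" fires only for Watchlist users.
    - "failed_logons" fires for everyone, but at a lower count for Watchlist users.
    - Allowlisted users never produce notable events.
    """
    known_assets = defaultdict(set)
    failures = Counter()
    notables = []
    cutoff = _ts(baseline_until)
    for ts, user, asset, outcome in sorted(events):
        if _ts(ts) < cutoff:
            if outcome == "success":
                known_assets[user].add(asset)
            continue
        if user in allowlist:
            continue
        watched = user in watchlist
        if outcome == "success":
            if watched and asset not in known_assets[user]:
                notables.append((ts, user, "new_asset_auth"))
            known_assets[user].add(asset)
        else:
            failures[user] += 1
            limit = WATCHLIST_FAILED_LOGON_THRESHOLD if watched else FAILED_LOGON_THRESHOLD
            if failures[user] == limit:
                notables.append((ts, user, "failed_logons"))
    return notables


def rank_risky_users(notables, now, window_days=28):
    """Rank users by notable-event count in the trailing window, highest first."""
    cutoff = _ts(now) - timedelta(days=window_days)
    counts = Counter(user for ts, user, _ in notables if _ts(ts) >= cutoff)
    return counts.most_common()


if __name__ == "__main__":
    found = run_detections(SAMPLE_EVENTS, watchlist={"jdoe"})
    for n in found:
        print("notable:", n)
    print("risky users:", rank_risky_users(found, "2018-08-31T00:00:00"))
    # Allowlisting jdoe suppresses every notable event for that user.
    print("after allowlist:", run_detections(SAMPLE_EVENTS, {"jdoe"}, allowlist={"jdoe"}))
```

In the sample, asmith performs the same actions as jdoe (a new asset, three failed logons) but produces no notable events, because only jdoe is on the Watchlist; adding jdoe to the allowlist silences all of them again.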