Watchlist and Risky Users
Frequently, certain users in the environment will pose a higher risk to your organization than others. This may be due to an impending termination, a history of security incidents, or the prominence of a particular individual, thereby increasing the likelihood of the user falling victim to attack.
To mitigate this risk, InsightIDR offers a Watchlist to track such users. Placing a user on the Watchlist is similar to tagging Restricted Assets — it will enable some alerts and lower the threshold for others for that particular user.
On your InsightIDR homepage, and also on the Users and Accounts page, InsightIDR displays a count of all your "Risky Users" in the last 28 days.
InsightIDR ranks risky users by count of Notable Behaviors and Alerts associated with a user in the last 28 days.
When on the Users & Accounts page, you will see a card that displays a Watchlist metric.
Click on the Watchlist metric to see a complete list of all of the users on the Watchlist. This page displays information about the user such as their name, department, title, and the last time they accessed the account.
The Eye icon indicates that InsightIDR is "watching" the user account. You can toggle the Eye icon to remove the user from the Watchlist.
Add a User to the Watchlist
To add a user to the Watchlist:
- Go to the individual User Details page. You can do this by searching for their name in the search bar at the top of the page, or by clicking their name anywhere in the InsightIDR interface.
- In the top right corner, select Add to Watchlist.
- A tag will appear next to the user's name at the top of the page.
Add Users to Allowlist
Once a user is on the Watchlist, you will receive alerts whenever that user does something, such as authenticating to a new asset. Because these may be indications of lateral movement, InsightIDR automatically opens an investigation.
When you close an investigation involving a risky user from the watchlist, some investigations allow you to add that specific user to an allowlist, which will prevent it from triggering future alerts.