Resolving Risky User Activity Alerts
When reviewing alerts, you can assign a workflow status to each alert indicating whether it is being reviewed, has been identified as an issue, or turned out to be a non-issue. For ‘non-issue’ or deleted alerts, the risk score of the impacted user is recalculated automatically to reflect the reduced user risk.
This topic demonstrates how to resolve an activity alert by changing its status. After changing the alert's status, you can view its effect in the User Risk Dashboard.
You can resolve user alerts on the Alerts page of the Web Management Console. From the User Risk Dashboard, you can open the Alerts page in a number of ways:
- Click Investigate under a risky user name in the list of risky users.
- In the Risky Applications list alongside the relevant risky user, click a specific application.
- In the Alerts list alongside the relevant risky user, click a specific activity alert that you want to resolve.
The Web Management Console opens in a new browser tab, displaying the Alerts page. From this page, you can view and change the current status of each generated alert. See also Changing the Status of Alerts.
Alerts can have the following statuses:
- New: Newly configured alerts that have not yet been assigned any other status.
- Reviewing: Alerts that are currently being reviewed by the administrator for follow-up action.
- Issue: High risk alerts that require attention by the administrator and contribute to the user risk score during user risk analysis. The user risk score is a value attributed to user actions; it depends on risk severity levels.
- Non-Issue: Alerts that have been reviewed by the administrator and are considered low risk. These alerts will not contribute to the user risk score during user risk analysis.
You can change the status of one or more selected alerts by clicking the Change status link. A popup lets you select the required status. You can select multiple alerts to change their status at the same time.
For a full description of how changing the status of alerts affects the User Risk Dashboard, see Viewing the Effect in the Dashboard of an Alert Status Change.