User Watchlist

The User Watchlist feature in Secure & Govern enables organizations to define and proactively monitor high-risk users. The following are some examples of high-risk users:

• Departing Employees: Monitor users who have submitted their resignation or are in their final notice period. Research shows that these users are most likely to take data with them when they leave the organization.
• Flight Risk Employees: Add users who exhibit at-risk behaviors, have been placed on a performance improvement plan,  or are part of a department undergoing restructuring. These users will often exhibit signs of data exfiltration or sabotage.  
• Highly Privileged Employees: Many employees have broad access to the organization’s most sensitive data. These users can include administrators and executives. It is important to monitor their activity to identify deviations from expected activity or permission misuse.

Access User Watchlist 

1. Navigate to Secure & Govern -> User Watchlist to access. 
    
   
2. Search for specific users using the search functionality. Click on the Export icon to export the user watchlist as a CSV file on the system. There are also filters available to view specific records. 
   
   The following filters are available in the user watchlist:
   • Added on: By default, the filter is selected to Any time. The other options available are Today, Last 7 days, Last 30 days, Last 90 days, and Custom range. 
      
   • Added by: The list can be filtered by specific user(s) who added the records to the watchlist.
      
   • Monitor until: The default selection is Any time. The other options available are Never, Today, Next 7 days, Next 30 days, Next 90 days, and Custom range. 
      
   • Source: Select the available source(s) and click on Apply
      

Add Users to the Watchlist

Add a Single User to the Watchlist

1. Click on Add User option at the top-right.
   

2. Depending on the content source, a user may have alternative names or email addresses. Enter all known names and/or email variations for one user to find their profiles across all the connected sources and click on Lookup. 
   

   Users can enter up to ten entries using a comma separator for Name and Email.

3. Select the user profile(s) and click on Next.
   

   The selected user profile(s) will be treated as a single user that is added to the watchlist.

4. Review the details and make changes, if necessary. Select the date until when the user shall be monitored (optional) and click Add User. 
   
   The user will be added to the watchlist. 
   

Import Multiple Users to the Watchlist

1. Click on Import Users to import multiple users to the watchlist.
   
2. A template is available to view and add the users’ details to the import file. 
   
    
   The template includes three columns:
   • User: The name of the user. The field can contain multiple user names to add multiple profiles of one user
   • Email: Email addresses(s) of the user profile(s)
   • Monitor Until: This is an optional field and it includes the date up until when the user shall be monitored

3. Click on Select file and select the file to import users. Click on Import. To make changes to the file selected, click on edit or cancel icons. 
   

   Import file size can be a maximum of 10 MB.

Manage Watchlist Users

Export File List

1. Select the specific user in the user watchlist. The side panel will open with the options to manage the user. 
   
   Alternatively, use the icon at the top-right to view or hide the member details. 
   
2. The overview section displays the user name, email, and source for the linked user profiles. It also displays the details of open issues, such as Total issues, Threat category count, Exposure category count, and Access Hygiene category count. 
   
3. Switch to the Activity tab to view the user activity as total files accessed and total volume. Users can click on Export to export the files list. 
   
   Users can also filter the activity based on:
   • Date: By default, the activity is filtered by Date accessed. The other filters available are Date downloaded and Date deleted. 
     
   • Timeframe: Default selection is Last 30 days. The other options include Last 60 days and Last 90 days
     
   • Source: Select the available source(s) and click on Apply. 
     

 

Update User Info

1. Select the specific user in the user watchlist. The side panel will open with the options to manage the user. 
   
2. Click on Update user info to update the user details. Follow the steps mentioned here to make the necessary changes. 
   
   Alternatively, hover over the user’s record and click on the edit icon. 
   

Remove User

1. Select the specific user in the user watchlist. The side panel will open with the options to manage the user. 
   
2. Click on Remove user to remove the user from the watchlist. Click on Remove to confirm. 
   
   
   Alternatively, hover over the user’s record and click on the x icon to remove the user. 
   

Configure Unusual Access Threshold for Watchlist Users

1. Navigate to Settings -> Analysis Rules.
   
2. Click on Unusual Access.
   
3. Modify the settings under Control Threshold -> For users on Watchlist.
   

Additional Information and Resources

Unusual Access - Multivariate Anomaly Detection